authorLibravatar smitsohu <smitsohu@gmail.com>2019-03-20 15:27:34 +0100
committerLibravatar smitsohu <smitsohu@gmail.com>2019-03-20 15:27:34 +0100
commitce7b289b099746a98be4d57304fc130c14537411 (patch)
tree2a0bd9f0b528b5df3aaad0a88a4e600b6b86583c /src
parentsecurity: too early to register signal handler (diff)
hardening: run more code unprivileged
Diffstat (limited to 'src')
-rw-r--r--src/firejail/firejail.h1
-rw-r--r--src/firejail/join.c77
-rw-r--r--src/firejail/sandbox.c52
-rw-r--r--src/firejail/util.c10
4 files changed, 71 insertions, 69 deletions
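--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -521,6 +521,7 @@ void logsignal(int s);
 void logmsg(const char *msg);
 void logargs(int argc, char **argv) ;
 void logerr(const char *msg);
+void set_nice(int inc);
 int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
 void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
 void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);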
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 3372c8dc1..46dae0271 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -100,9 +100,6 @@ static void extract_command(int argc, char **argv, int index) {
100 100
101 // build command 101 // build command
102 build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, index); 102 build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, index);
103
104 if (arg_debug)
105 printf("Extracted command #%s#\n", cfg.command_line);
106} 103}
107 104
108static void extract_nogroups(pid_t pid) { 105static void extract_nogroups(pid_t pid) {
@@ -290,11 +287,8 @@ pid_t switch_to_child(pid_t pid) {
290 287
291void join(pid_t pid, int argc, char **argv, int index) { 288void join(pid_t pid, int argc, char **argv, int index) {
292 EUID_ASSERT(); 289 EUID_ASSERT();
293 char *homedir = cfg.homedir;
294 pid_t parent = pid;
295
296 extract_command(argc, argv, index);
297 290
291 pid_t parent = pid;
298 // in case the pid is that of a firejail process, use the pid of the first child process 292 // in case the pid is that of a firejail process, use the pid of the first child process
299 pid = switch_to_child(pid); 293 pid = switch_to_child(pid);
300 294
@@ -374,19 +368,15 @@ void join(pid_t pid, int argc, char **argv, int index) {
374 EUID_USER(); 368 EUID_USER();
375 if (chdir("/") < 0) 369 if (chdir("/") < 0)
376 errExit("chdir"); 370 errExit("chdir");
377 if (homedir) { 371 if (cfg.homedir) {
378 struct stat s; 372 struct stat s;
379 if (stat(homedir, &s) == 0) { 373 if (stat(cfg.homedir, &s) == 0) {
380 /* coverity[toctou] */ 374 /* coverity[toctou] */
381 if (chdir(homedir) < 0) 375 if (chdir(cfg.homedir) < 0)
382 errExit("chdir"); 376 errExit("chdir");
383 } 377 }
384 } 378 }
385 379
386 // set cpu affinity
387 if (cfg.cpus) // not available for uid 0
388 set_cpu_affinity();
389
390 // set caps filter 380 // set caps filter
391 EUID_ROOT(); 381 EUID_ROOT();
392 if (apply_caps == 1) // not available for uid 0 382 if (apply_caps == 1) // not available for uid 0
@@ -417,33 +407,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
417 } 407 }
418 408
419 EUID_USER(); 409 EUID_USER();
420 // set nice
421 if (arg_nice) {
422 errno = 0;
423 int rv = nice(cfg.nice);
424 (void) rv;
425 if (errno) {
426 fwarning("cannot set nice value\n");
427 errno = 0;
428 }
429 }
430
431 // set environment, add x11 display
432 env_defaults();
433 if (display) {
434 char *display_str;
435 if (asprintf(&display_str, ":%d", display) == -1)
436 errExit("asprintf");
437 setenv("DISPLAY", display_str, 1);
438 free(display_str);
439 }
440
441 if (cfg.command_line == NULL) {
442 assert(cfg.shell);
443 cfg.command_line = cfg.shell;
444 cfg.window_title = cfg.shell;
445 }
446
447 int cwd = 0; 410 int cwd = 0;
448 if (cfg.cwd) { 411 if (cfg.cwd) {
449 if (chdir(cfg.cwd) == 0) 412 if (chdir(cfg.cwd) == 0)
@@ -463,8 +426,38 @@ void join(pid_t pid, int argc, char **argv, int index) {
463 } 426 }
464 } 427 }
465 428
429 // drop privileges
466 drop_privs(arg_nogroups); 430 drop_privs(arg_nogroups);
467 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died 431
432 // kill the child in case the parent died
433 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
434
435 extract_command(argc, argv, index);
436 if (cfg.command_line == NULL) {
437 assert(cfg.shell);
438 cfg.command_line = cfg.shell;
439 cfg.window_title = cfg.shell;
440 }
441 if (arg_debug)
442 printf("Extracted command #%s#\n", cfg.command_line);
443
444 // set cpu affinity
445 if (cfg.cpus) // not available for uid 0
446 set_cpu_affinity();
447
448 // set nice value
449 if (arg_nice)
450 set_nice(cfg.nice);
451
452 // add x11 display
453 if (display) {
454 char *display_str;
455 if (asprintf(&display_str, ":%d", display) == -1)
456 errExit("asprintf");
457 setenv("DISPLAY", display_str, 1);
458 free(display_str);
459 }
460
468 start_application(0, NULL); 461 start_application(0, NULL);
469 462
470 // it will never get here!!! 463 // it will never get here!!!
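Review bot: `env_defaults()` is removed from join() in this section (old line 432) and does not reappear on the new side, so the joined process keeps whatever environment firejail itself was started with unless start_application() on new line 461 performs that sanitization itself — worth confirming, since --join is exactly the path where a caller-controlled environment reaches an already running sandbox. If start_application() does not do it, re-add `env_defaults();` immediately before the `// add x11 display` block, which keeps it after drop_privs() as the rest of the reordering intends. The `prctl()` return value stays unchecked as before; not part of this change, but the relocated line is a cheap place to at least log a failure. join() continues past the end of this section.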
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 9bb8e545c..2b5d30158 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1038,17 +1038,6 @@ int sandbox(void* sandbox_arg) {
1038 } 1038 }
1039 } 1039 }
1040 1040
1041 // set nice
1042 if (arg_nice) {
1043 errno = 0;
1044 int rv = nice(cfg.nice);
1045 (void) rv;
1046 if (errno) {
1047 fwarning("cannot set nice value\n");
1048 errno = 0;
1049 }
1050 }
1051
1052 EUID_ROOT(); 1041 EUID_ROOT();
1053 // clean /tmp/.X11-unix sockets 1042 // clean /tmp/.X11-unix sockets
1054 fs_x11(); 1043 fs_x11();
@@ -1067,17 +1056,11 @@ int sandbox(void* sandbox_arg) {
1067 // set capabilities 1056 // set capabilities
1068 set_caps(); 1057 set_caps();
1069 1058
1070 // set cpu affinity 1059 // save cpu affinity mask to CPU_CFG file
1071 if (cfg.cpus) { 1060 save_cpu();
1072 save_cpu(); // save cpu affinity mask to CPU_CFG file
1073 EUID_USER();
1074 set_cpu_affinity();
1075 EUID_ROOT();
1076 }
1077 1061
1078 // save cgroup in CGROUP_CFG file 1062 // save cgroup in CGROUP_CFG file
1079 if (cfg.cgroup) 1063 save_cgroup();
1080 save_cgroup();
1081 1064
1082 // set seccomp 1065 // set seccomp
1083#ifdef HAVE_SECCOMP 1066#ifdef HAVE_SECCOMP
@@ -1125,7 +1108,7 @@ int sandbox(void* sandbox_arg) {
1125 // to --join 1108 // to --join
1126 //**************************************** 1109 //****************************************
1127 1110
1128 FILE *fp = create_ready_for_join_file(); 1111 FILE *rj = create_ready_for_join_file();
1129 1112
1130 //**************************************** 1113 //****************************************
1131 // create a new user namespace 1114 // create a new user namespace
@@ -1175,10 +1158,23 @@ int sandbox(void* sandbox_arg) {
1175 } 1158 }
1176 1159
1177 //**************************************** 1160 //****************************************
1178 // drop privileges, fork the application and monitor it 1161 // drop privileges
1179 //**************************************** 1162 //****************************************
1180 drop_privs(arg_nogroups); 1163 drop_privs(arg_nogroups);
1181 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the sandbox in case the parent died 1164
1165 // kill the sandbox in case the parent died
1166 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
1167
1168 //****************************************
1169 // set cpu affinity
1170 //****************************************
1171
1172 if (cfg.cpus)
1173 set_cpu_affinity();
1174
1175 //****************************************
1176 // fork the application and monitor it
1177 //****************************************
1182 pid_t app_pid = fork(); 1178 pid_t app_pid = fork();
1183 if (app_pid == -1) 1179 if (app_pid == -1)
1184 errExit("fork"); 1180 errExit("fork");
@@ -1196,13 +1192,15 @@ int sandbox(void* sandbox_arg) {
1196 printf("AppArmor enabled\n"); 1192 printf("AppArmor enabled\n");
1197 } 1193 }
1198#endif 1194#endif
1199 // set rlimits 1195 // set nice and rlimits
1196 if (arg_nice)
1197 set_nice(cfg.nice);
1200 set_rlimits(); 1198 set_rlimits();
1201 // start app 1199
1202 start_application(0, fp); 1200 start_application(0, rj);
1203 } 1201 }
1204 1202
1205 fclose(fp); 1203 fclose(rj);
1206 1204
1207 int status = monitor_application(app_pid); // monitor application 1205 int status = monitor_application(app_pid); // monitor application
1208 flush_stdin(); 1206 flush_stdin();
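Review bot: `save_cpu()` (new line 1060) and `save_cgroup()` (new line 1063) are now called unconditionally where the old code guarded them with `if (cfg.cpus)` and `if (cfg.cgroup)`; unless both helpers return early when their option is unset, every sandbox now gets CPU_CFG and CGROUP_CFG files written inside the EUID_ROOT region, which widens the privileged file writes this commit is otherwise trying to shrink. Confirm the guards moved into the helpers, or restore them at the call sites: `if (cfg.cpus) save_cpu();` and `if (cfg.cgroup) save_cgroup();`. Separately, `set_nice()` now runs only in the forked application child (new line 1197), so the sandbox monitor process is no longer niced as it was when the call sat in sandbox() before the fork — presumably intended, but the commit message does not say so and a one-line comment there would record it. sandbox() continues past the end of this section.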
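--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -250,6 +250,16 @@ void logerr(const char *msg) {
 	closelog();
 }
 
+
+void set_nice(int inc) {
+	errno = 0;
+	int rv = nice(inc);
+	(void) rv;
+	if (errno)
+		fwarning("cannot set nice value\n");
+}
+
+
 static int copy_file_by_fd(int src, int dst) {
 	assert(src >= 0);
 	assert(dst >= 0);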
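Review bot: `set_nice()` drops the `errno = 0;` reset that both inlined copies performed after the warning (old join.c line 427, old sandbox.c line 1049), so a refused nice() now leaves errno set for whatever the caller does next; end the function with `errno = 0;` after the `if (errno)` branch to keep the old contract. The helper also has no header comment — add `/* Adjust the process nice value by inc; a refused change only warns, nice is best-effort here. */` above it, and note that checking errno rather than the return value is deliberate because -1 is a legal nice value. If fwarning() accepts printf-style arguments as a fprintf wrapper would, `fwarning("cannot set nice value: %s\n", strerror(errno));` would make the reason (typically EPERM after privileges are dropped) visible to the user.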