priv tweaks

author: smitsohu <smitsohu@gmail.com> 2018-04-22 13:24:01 +0200
committer: smitsohu <smitsohu@gmail.com> 2018-04-22 13:24:01 +0200
commit: 3f2ac1d5cd873c57042ea6f8d88c74e24e9dee37 (patch)
tree: 928955bbbb561ce98b92212e46fe6bb3b8e31f57 /src
parent: output formatting (diff)
download: firejail-3f2ac1d5cd873c57042ea6f8d88c74e24e9dee37.tar.gz
firejail-3f2ac1d5cd873c57042ea6f8d88c74e24e9dee37.tar.zst
firejail-3f2ac1d5cd873c57042ea6f8d88c74e24e9dee37.zip
3 files changed, 12 insertions, 3 deletions
diff --git a/src/firejail/env.c b/src/firejail/env.c
index 73d68724e..cc63bd542 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -101,9 +101,7 @@ void env_ibus_load(void) {
                                *ptr = '\0';
                        if (arg_debug)
                                printf("%s\n", buf);
-                        EUID_USER();
                        env_store(buf, SETENV);
-                        EUID_ROOT();
                }
                fclose(fp);
diff --git a/src/firejail/join.c b/src/firejail/join.c
index c303d3fb8..d4a2389c6 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -292,6 +292,8 @@ void join(pid_t pid, int argc, char **argv, int index) {
                }
                prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
+                EUID_USER();
                if (chdir("/") < 0)
                        errExit("chdir");
                if (homedir) {
@@ -308,6 +310,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
                        set_cpu_affinity();
                // set caps filter
+                EUID_ROOT();
                if (apply_caps == 1)    // not available for uid 0
                        caps_set(caps);
 #ifdef HAVE_SECCOMP
@@ -347,6 +350,8 @@ void join(pid_t pid, int argc, char **argv, int index) {
                }
                // set environment, add x11 display
+                EUID_USER();
                env_defaults();
                if (display) {
                        char *display_str;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index e0cecda1b..e1959a453 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -669,7 +669,9 @@ int sandbox(void* sandbox_arg) {
                // do nothing - there are problems with ibus version 1.5.11
        }
        else
+                EUID_USER();
                env_ibus_load();
+                EUID_ROOT();
        //****************************
        // fs pre-processing:
@@ -925,6 +927,8 @@ int sandbox(void* sandbox_arg) {
        // set application environment
        //****************************
        prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
+        EUID_USER();
        int cwd = 0;
        if (cfg.cwd) {
                if (chdir(cfg.cwd) == 0)
@@ -951,7 +955,7 @@ int sandbox(void* sandbox_arg) {
                }
        }
+        EUID_ROOT();
        // set nice
        if (arg_nice) {
                errno = 0;
@@ -980,7 +984,9 @@ int sandbox(void* sandbox_arg) {
        // set cpu affinity
        if (cfg.cpus) {
                save_cpu(); // save cpu affinity mask to CPU_CFG file
+                EUID_USER();
                set_cpu_affinity();
+                EUID_ROOT();
        }
        // save cgroup in CGROUP_CFG file
author	smitsohu <smitsohu@gmail.com>	2018-04-22 13:24:01 +0200
committer	smitsohu <smitsohu@gmail.com>	2018-04-22 13:24:01 +0200
commit	3f2ac1d5cd873c57042ea6f8d88c74e24e9dee37 (patch)
tree	928955bbbb561ce98b92212e46fe6bb3b8e31f57 /src
parent	output formatting (diff)
download	firejail-3f2ac1d5cd873c57042ea6f8d88c74e24e9dee37.tar.gz firejail-3f2ac1d5cd873c57042ea6f8d88c74e24e9dee37.tar.zst firejail-3f2ac1d5cd873c57042ea6f8d88c74e24e9dee37.zip

diff --git a/src/firejail/env.c b/src/firejail/env.c index 73d68724e..cc63bd542 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c
@@ -101,9 +101,7 @@ void env_ibus_load(void) {
101	*ptr = '\0';	101	*ptr = '\0';
102	if (arg_debug)	102	if (arg_debug)
103	printf("%s\n", buf);	103	printf("%s\n", buf);
104	EUID_USER();
105	env_store(buf, SETENV);	104	env_store(buf, SETENV);
106	EUID_ROOT();
107	}	105	}
108		106
109	fclose(fp);	107	fclose(fp);


diff --git a/src/firejail/join.c b/src/firejail/join.c index c303d3fb8..d4a2389c6 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c
@@ -292,6 +292,8 @@ void join(pid_t pid, int argc, char **argv, int index) {
292	}	292	}
293		293
294	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died	294	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
		295
		296	EUID_USER();
295	if (chdir("/") < 0)	297	if (chdir("/") < 0)
296	errExit("chdir");	298	errExit("chdir");
297	if (homedir) {	299	if (homedir) {
@@ -308,6 +310,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
308	set_cpu_affinity();	310	set_cpu_affinity();
309		311
310	// set caps filter	312	// set caps filter
		313	EUID_ROOT();
311	if (apply_caps == 1) // not available for uid 0	314	if (apply_caps == 1) // not available for uid 0
312	caps_set(caps);	315	caps_set(caps);
313	#ifdef HAVE_SECCOMP	316	#ifdef HAVE_SECCOMP
@@ -347,6 +350,8 @@ void join(pid_t pid, int argc, char **argv, int index) {
347	}	350	}
348		351
349	// set environment, add x11 display	352	// set environment, add x11 display
		353	EUID_USER();
		354
350	env_defaults();	355	env_defaults();
351	if (display) {	356	if (display) {
352	char *display_str;	357	char *display_str;


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index e0cecda1b..e1959a453 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -669,7 +669,9 @@ int sandbox(void* sandbox_arg) {
669	// do nothing - there are problems with ibus version 1.5.11	669	// do nothing - there are problems with ibus version 1.5.11
670	}	670	}
671	else	671	else
		672	EUID_USER();
672	env_ibus_load();	673	env_ibus_load();
		674	EUID_ROOT();
673		675
674	//****************************	676	//****************************
675	// fs pre-processing:	677	// fs pre-processing:
@@ -925,6 +927,8 @@ int sandbox(void* sandbox_arg) {
925	// set application environment	927	// set application environment
926	//****************************	928	//****************************
927	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died	929	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
		930
		931	EUID_USER();
928	int cwd = 0;	932	int cwd = 0;
929	if (cfg.cwd) {	933	if (cfg.cwd) {
930	if (chdir(cfg.cwd) == 0)	934	if (chdir(cfg.cwd) == 0)
@@ -951,7 +955,7 @@ int sandbox(void* sandbox_arg) {
951	}	955	}
952	}	956	}
953		957
954		958	EUID_ROOT();
955	// set nice	959	// set nice
956	if (arg_nice) {	960	if (arg_nice) {
957	errno = 0;	961	errno = 0;
@@ -980,7 +984,9 @@ int sandbox(void* sandbox_arg) {
980	// set cpu affinity	984	// set cpu affinity
981	if (cfg.cpus) {	985	if (cfg.cpus) {
982	save_cpu(); // save cpu affinity mask to CPU_CFG file	986	save_cpu(); // save cpu affinity mask to CPU_CFG file
		987	EUID_USER();
983	set_cpu_affinity();	988	set_cpu_affinity();
		989	EUID_ROOT();
984	}	990	}
985		991
986	// save cgroup in CGROUP_CFG file	992	// save cgroup in CGROUP_CFG file