postmortem: playing around

author: netblue30 <netblue30@yahoo.com> 2019-12-15 14:19:58 -0500
committer: netblue30 <netblue30@yahoo.com> 2019-12-15 14:19:58 -0500
commit: a6b675f56ad9e70421cc34fca90142e9f42604b1 (patch)
tree: ae8ebeef5122061007b593fea7b2dcc7031f1f89 /src
parent: small fix (diff)
download: firejail-a6b675f56ad9e70421cc34fca90142e9f42604b1.tar.gz
firejail-a6b675f56ad9e70421cc34fca90142e9f42604b1.tar.zst
firejail-a6b675f56ad9e70421cc34fca90142e9f42604b1.zip
1 files changed, 60 insertions, 0 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c
index e711a59fb..179f8ddf9 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -145,6 +145,14 @@ int arg_nou2f = 0; // --nou2f
 int arg_deterministic_exit_code = 0;    // always exit with first child's exit status
 int login_shell = 0;
+//**********************************************************************************
+// work in progress!!!
+//**********************************************************************************
+//#define POSTMORTEM
+#ifdef POSTMORTEM
+#include <grp.h>
+pid_t pm_child = 0;
+#endif
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -178,6 +186,20 @@ static void myexit(int rv) {
 static void my_handler(int s) {
        fmessage("\nParent received signal %d, shutting down the child process...\n", s);
        logsignal(s);
+#ifdef POSTMORTEM
+printf("attempt to kill %d\n", pm_child);
+        if (pm_child) {
+                if (waitpid(pm_child, NULL, WNOHANG) == 0) {
+                        if (has_handler(pm_child, s)) // signals are not delivered if there is no handler yet
+                                kill(pm_child, s);
+                        else
+                                kill(pm_child, SIGKILL);
+                        waitpid(pm_child, NULL, 0);
+                }
+        }
+#endif
        if (waitpid(child, NULL, WNOHANG) == 0) {
                if (has_handler(child, s)) // signals are not delivered if there is no handler yet
                        kill(child, s);
@@ -2728,6 +2750,44 @@ int main(int argc, char **argv) {
        }
        EUID_USER();
+#ifdef POSTMORTEM
+        pm_child = fork();
+        if (pm_child == -1)
+                fprintf(stderr, "Error: cannot start POSTMORTEM process\n");
+        else if (pm_child == 0) {
+                // running --join as root
+                EUID_ROOT();
+                int rv = setgroups(0, NULL);
+                rv |= setuid(0);
+                rv |= setgid(0);
+                if (rv) {
+                        fprintf(stderr, "Error: cannot start POSTMORTEM process\n");
+                        exit(1);
+                }
+                prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
+/*problem???*/  sleep(1); // we need to give the sandbox some time to start the namespaces
+                char *joincmd;
+                if (asprintf(&joincmd, "--join-network=%d", child) == -1)
+                        errExit("asprintf");
+                // we join only the network ns, the filesystem is intact so we can find tcpdump
+                char *arg[] =  {
+                        "/usr/bin/firejail",
+                        joincmd,
+                        "/usr/sbin/tcpdump",
+                        "-n",
+                        "-q",
+                        NULL
+                };
+                execvp(arg[0], arg);
+                assert(0);
+printf("**********************************\n");
+                exit(1);
+        }
+#endif
        int status = 0;
        //*****************************
        // following code is signal-safe
author	netblue30 <netblue30@yahoo.com>	2019-12-15 14:19:58 -0500
committer	netblue30 <netblue30@yahoo.com>	2019-12-15 14:19:58 -0500
commit	a6b675f56ad9e70421cc34fca90142e9f42604b1 (patch)
tree	ae8ebeef5122061007b593fea7b2dcc7031f1f89 /src
parent	small fix (diff)
download	firejail-a6b675f56ad9e70421cc34fca90142e9f42604b1.tar.gz firejail-a6b675f56ad9e70421cc34fca90142e9f42604b1.tar.zst firejail-a6b675f56ad9e70421cc34fca90142e9f42604b1.zip

diff --git a/src/firejail/main.c b/src/firejail/main.c index e711a59fb..179f8ddf9 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -145,6 +145,14 @@ int arg_nou2f = 0; // --nou2f
145	int arg_deterministic_exit_code = 0; // always exit with first child's exit status	145	int arg_deterministic_exit_code = 0; // always exit with first child's exit status
146	int login_shell = 0;	146	int login_shell = 0;
147		147
		148	//**********************************************************************************
		149	// work in progress!!!
		150	//**********************************************************************************
		151	//#define POSTMORTEM
		152	#ifdef POSTMORTEM
		153	#include <grp.h>
		154	pid_t pm_child = 0;
		155	#endif
148		156
149	int parent_to_child_fds[2];	157	int parent_to_child_fds[2];
150	int child_to_parent_fds[2];	158	int child_to_parent_fds[2];
@@ -178,6 +186,20 @@ static void myexit(int rv) {
178	static void my_handler(int s) {	186	static void my_handler(int s) {
179	fmessage("\nParent received signal %d, shutting down the child process...\n", s);	187	fmessage("\nParent received signal %d, shutting down the child process...\n", s);
180	logsignal(s);	188	logsignal(s);
		189
		190	#ifdef POSTMORTEM
		191	printf("attempt to kill %d\n", pm_child);
		192	if (pm_child) {
		193	if (waitpid(pm_child, NULL, WNOHANG) == 0) {
		194	if (has_handler(pm_child, s)) // signals are not delivered if there is no handler yet
		195	kill(pm_child, s);
		196	else
		197	kill(pm_child, SIGKILL);
		198	waitpid(pm_child, NULL, 0);
		199	}
		200	}
		201	#endif
		202
181	if (waitpid(child, NULL, WNOHANG) == 0) {	203	if (waitpid(child, NULL, WNOHANG) == 0) {
182	if (has_handler(child, s)) // signals are not delivered if there is no handler yet	204	if (has_handler(child, s)) // signals are not delivered if there is no handler yet
183	kill(child, s);	205	kill(child, s);
@@ -2728,6 +2750,44 @@ int main(int argc, char **argv) {
2728	}	2750	}
2729	EUID_USER();	2751	EUID_USER();
2730		2752
		2753
		2754	#ifdef POSTMORTEM
		2755	pm_child = fork();
		2756	if (pm_child == -1)
		2757	fprintf(stderr, "Error: cannot start POSTMORTEM process\n");
		2758	else if (pm_child == 0) {
		2759	// running --join as root
		2760	EUID_ROOT();
		2761	int rv = setgroups(0, NULL);
		2762	rv \|= setuid(0);
		2763	rv \|= setgid(0);
		2764	if (rv) {
		2765	fprintf(stderr, "Error: cannot start POSTMORTEM process\n");
		2766	exit(1);
		2767	}
		2768
		2769	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
		2770	/problem???/ sleep(1); // we need to give the sandbox some time to start the namespaces
		2771	char *joincmd;
		2772	if (asprintf(&joincmd, "--join-network=%d", child) == -1)
		2773	errExit("asprintf");
		2774
		2775	// we join only the network ns, the filesystem is intact so we can find tcpdump
		2776	char *arg[] = {
		2777	"/usr/bin/firejail",
		2778	joincmd,
		2779	"/usr/sbin/tcpdump",
		2780	"-n",
		2781	"-q",
		2782	NULL
		2783	};
		2784	execvp(arg[0], arg);
		2785	assert(0);
		2786	printf("**********************************\n");
		2787	exit(1);
		2788	}
		2789	#endif
		2790
2731	int status = 0;	2791	int status = 0;
2732	//*****************************	2792	//*****************************
2733	// following code is signal-safe	2793	// following code is signal-safe