author | netblue30 <netblue30@yahoo.com> | 2016-11-26 10:25:06 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-11-26 10:25:06 -0500 |
commit | fa79162b5eada1d0b9daa11ca327d65b42ed1b71 (patch) | |
tree | cf3ffcb86bf930bbb03c6ac3f57e1677eeaa1ea6 /src | |
parent | ssh fix (diff) | |
fixes
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/checkcfg.c | 4 | ||||
-rw-r--r-- | src/firejail/ls.c | 31 | ||||
-rw-r--r-- | src/firejail/main.c | 9 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 10 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 43 | ||||
-rw-r--r-- | src/firemon/x11.c | 21 | ||||
-rw-r--r-- | src/libtracelog/libtracelog.c | 10 |
7 files changed, 68 insertions, 60 deletions
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 78c0e5c60..963d95bed 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -185,6 +185,8 @@ int checkcfg(int val) { | |||
185 | exit(1); | 185 | exit(1); |
186 | } | 186 | } |
187 | 187 | ||
188 | if (netfilter_default) | ||
189 | goto errout; | ||
188 | netfilter_default = strdup(fname); | 190 | netfilter_default = strdup(fname); |
189 | if (!netfilter_default) | 191 | if (!netfilter_default) |
190 | errExit("strdup"); | 192 | errExit("strdup"); |
@@ -216,6 +218,8 @@ int checkcfg(int val) { | |||
216 | 218 | ||
217 | // Xephyr command extra parameters | 219 | // Xephyr command extra parameters |
218 | else if (strncmp(ptr, "xephyr-extra-params ", 19) == 0) { | 220 | else if (strncmp(ptr, "xephyr-extra-params ", 19) == 0) { |
221 | if (*xephyr_extra_params != '\0') | ||
222 | goto errout; | ||
219 | xephyr_extra_params = strdup(ptr + 19); | 223 | xephyr_extra_params = strdup(ptr + 19); |
220 | if (!xephyr_extra_params) | 224 | if (!xephyr_extra_params) |
221 | errExit("strdup"); | 225 | errExit("strdup"); |
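Review bot: The new guard `if (*xephyr_extra_params != '\0')` dereferences the pointer, so it is only safe if xephyr_extra_params starts out as a non-NULL empty string; its initializer is not in this hunk, and the netfilter guard in the first hunk uses a plain NULL test instead. Writing `if (xephyr_extra_params && *xephyr_extra_params != '\0')` would hold either way. In the unchanged lines, the 20-character prefix "xephyr-extra-params " is compared with length 19 and the value is copied from `ptr + 19`, so the trailing space is never matched and the stored string begins with that space. checkcfg continues outside both hunks, so the errout path these guards jump to is not visible here.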
diff --git a/src/firejail/ls.c b/src/firejail/ls.c index 86c3a6079..5444ad9c2 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c | |||
@@ -258,42 +258,35 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
258 | // drop privileges | 258 | // drop privileges |
259 | drop_privs(0); | 259 | drop_privs(0); |
260 | 260 | ||
261 | // check access | ||
261 | if (access(fname1, R_OK) == -1) { | 262 | if (access(fname1, R_OK) == -1) { |
262 | fprintf(stderr, "Error: Cannot access %s\n", fname1); | 263 | fprintf(stderr, "Error: Cannot access %s\n", fname1); |
263 | exit(1); | 264 | exit(1); |
264 | } | 265 | } |
266 | char *rp = realpath(fname1, NULL); | ||
267 | if (!rp) { | ||
268 | fprintf(stderr, "Error: Cannot access %s\n", fname1); | ||
269 | exit(1); | ||
270 | } | ||
271 | if (arg_debug) | ||
272 | printf("realpath %s\n", rp); | ||
273 | |||
265 | 274 | ||
266 | // list directory contents | 275 | // list directory contents |
267 | struct stat s; | 276 | struct stat s; |
268 | if (stat(fname1, &s) == -1) { | 277 | if (stat(rp, &s) == -1) { |
269 | fprintf(stderr, "Error: Cannot access %s\n", fname1); | 278 | fprintf(stderr, "Error: Cannot access %s\n", rp); |
270 | exit(1); | 279 | exit(1); |
271 | } | 280 | } |
272 | if (S_ISDIR(s.st_mode)) { | 281 | if (S_ISDIR(s.st_mode)) { |
273 | char *rp = realpath(fname1, NULL); | ||
274 | if (!rp) { | ||
275 | fprintf(stderr, "Error: Cannot access %s\n", fname1); | ||
276 | exit(1); | ||
277 | } | ||
278 | if (arg_debug) | ||
279 | printf("realpath %s\n", rp); | ||
280 | |||
281 | char *dir; | 282 | char *dir; |
282 | if (asprintf(&dir, "%s/", rp) == -1) | 283 | if (asprintf(&dir, "%s/", rp) == -1) |
283 | errExit("asprintf"); | 284 | errExit("asprintf"); |
284 | 285 | ||
285 | print_directory(dir); | 286 | print_directory(dir); |
286 | free(rp); | ||
287 | free(dir); | 287 | free(dir); |
288 | } | 288 | } |
289 | else { | 289 | else { |
290 | char *rp = realpath(fname1, NULL); | ||
291 | if (!rp) { | ||
292 | fprintf(stderr, "Error: Cannot access %s\n", fname1); | ||
293 | exit(1); | ||
294 | } | ||
295 | if (arg_debug) | ||
296 | printf("realpath %s\n", rp); | ||
297 | char *split = strrchr(rp, '/'); | 290 | char *split = strrchr(rp, '/'); |
298 | if (split) { | 291 | if (split) { |
299 | *split = '\0'; | 292 | *split = '\0'; |
@@ -302,8 +295,8 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
302 | printf("path %s, file %s\n", rp, rp2); | 295 | printf("path %s, file %s\n", rp, rp2); |
303 | print_file_or_dir(rp, rp2, 1); | 296 | print_file_or_dir(rp, rp2, 1); |
304 | } | 297 | } |
305 | free(rp); | ||
306 | } | 298 | } |
299 | free(rp); | ||
307 | } | 300 | } |
308 | 301 | ||
309 | // get file from sandbox and store it in the current directory | 302 | // get file from sandbox and store it in the current directory |
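Review bot: After this change the path is resolved three separate times in the visible lines, by `access(fname1, R_OK)`, `realpath(fname1, NULL)` and `stat(rp, &s)`, so the object that passed the first check is not guaranteed to be the one that is listed. `drop_privs(0)` runs just above, which presumably limits the effect to what the calling user can read anyway, but the access() call no longer reports anything that a failing realpath() or stat() would not. I would either drop it or mark it with a comment such as `// advisory only; realpath()/stat() below are the real checks`. The added lines also leave two consecutive blank lines before `// list directory contents`.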
diff --git a/src/firejail/main.c b/src/firejail/main.c index 111a1d751..0929347b7 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -2064,8 +2064,7 @@ int main(int argc, char **argv) { | |||
2064 | // command | 2064 | // command |
2065 | //************************************* | 2065 | //************************************* |
2066 | else if (strcmp(argv[i], "--audit") == 0) { | 2066 | else if (strcmp(argv[i], "--audit") == 0) { |
2067 | if (asprintf(&arg_audit_prog, "%s/firejail/faudit", LIBDIR) == -1) | 2067 | arg_audit_prog = LIBDIR "/firejail/faudit"; |
2068 | errExit("asprintf"); | ||
2069 | arg_audit = 1; | 2068 | arg_audit = 1; |
2070 | } | 2069 | } |
2071 | else if (strncmp(argv[i], "--audit=", 8) == 0) { | 2070 | else if (strncmp(argv[i], "--audit=", 8) == 0) { |
@@ -2076,6 +2075,12 @@ int main(int argc, char **argv) { | |||
2076 | arg_audit_prog = strdup(argv[i] + 8); | 2075 | arg_audit_prog = strdup(argv[i] + 8); |
2077 | if (!arg_audit_prog) | 2076 | if (!arg_audit_prog) |
2078 | errExit("strdup"); | 2077 | errExit("strdup"); |
2078 | |||
2079 | struct stat s; | ||
2080 | if (stat(arg_audit_prog, &s) != 0) { | ||
2081 | fprintf(stderr, "Error: cannot find the audit program %s\n", arg_audit_prog); | ||
2082 | exit(1); | ||
2083 | } | ||
2079 | arg_audit = 1; | 2084 | arg_audit = 1; |
2080 | } | 2085 | } |
2081 | else if (strcmp(argv[i], "--appimage") == 0) | 2086 | else if (strcmp(argv[i], "--appimage") == 0) |
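Review bot: `arg_audit_prog = LIBDIR "/firejail/faudit";` points the variable at a string literal on the `--audit` path while the `--audit=` path below still stores a strdup() result, so the pointer now has two ownership models and any later free() or in-place edit would be undefined for the literal. A comment at the assignment, e.g. `// string literal: never free or modify arg_audit_prog`, or keeping strdup() on both paths would make that explicit. The stat() check moved here from start_application covers only `--audit=`, so a missing default faudit is no longer reported before the execl(). The check also runs during argument parsing on a caller-supplied path; whether privileges have been dropped at that point is not visible in this hunk, and if they have not, the error message reveals whether a path exists that the caller may not be able to see directly.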
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index ad77caeb2..0a6777fef 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -236,12 +236,15 @@ static int monitor_application(pid_t app_pid) { | |||
236 | 236 | ||
237 | // todo: make this generic | 237 | // todo: make this generic |
238 | // Dillo browser leaves a dpid process running, we need to shut it down | 238 | // Dillo browser leaves a dpid process running, we need to shut it down |
239 | int found = 0; | ||
239 | if (strcmp(cfg.command_name, "dillo") == 0) { | 240 | if (strcmp(cfg.command_name, "dillo") == 0) { |
240 | char *pidname = pid_proc_comm(pid); | 241 | char *pidname = pid_proc_comm(pid); |
241 | if (pidname && strcmp(pidname, "dpid") == 0) | 242 | if (pidname && strcmp(pidname, "dpid") == 0) |
242 | break; | 243 | found = 1; |
243 | free(pidname); | 244 | free(pidname); |
244 | } | 245 | } |
246 | if (found) | ||
247 | break; | ||
245 | 248 | ||
246 | monitored_pid = pid; | 249 | monitored_pid = pid; |
247 | break; | 250 | break; |
@@ -283,11 +286,6 @@ void start_application(void) { | |||
283 | //**************************************** | 286 | //**************************************** |
284 | if (arg_audit) { | 287 | if (arg_audit) { |
285 | assert(arg_audit_prog); | 288 | assert(arg_audit_prog); |
286 | struct stat s; | ||
287 | if (stat(arg_audit_prog, &s) != 0) { | ||
288 | fprintf(stderr, "Error: cannot find the audit program\n"); | ||
289 | exit(1); | ||
290 | } | ||
291 | execl(arg_audit_prog, arg_audit_prog, NULL); | 289 | execl(arg_audit_prog, arg_audit_prog, NULL); |
292 | } | 290 | } |
293 | //**************************************** | 291 | //**************************************** |
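Review bot: With the stat() removed, nothing visible in this hunk handles a failing `execl(arg_audit_prog, arg_audit_prog, NULL)`; the `if (arg_audit)` block closes right after the call, so a missing or non-executable audit program would fall through to whatever follows in start_application (the rest of the function is outside the hunk). Checking the exec result is also more dependable than the earlier stat(), because there is no gap between check and use. I would add `perror("execl"); exit(1);` directly after the call.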
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 4678f366b..dd133b2ba 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
@@ -52,44 +52,53 @@ char *seccomp_check_list(const char *str) { | |||
52 | 52 | ||
53 | int seccomp_load(const char *fname) { | 53 | int seccomp_load(const char *fname) { |
54 | assert(fname); | 54 | assert(fname); |
55 | |||
56 | // open filter file | ||
57 | int fd = open(fname, O_RDONLY); | ||
58 | if (fd == -1) | ||
59 | goto errexit; | ||
55 | 60 | ||
56 | // check file | 61 | // calculate the number of entries |
57 | struct stat s; | 62 | int size = lseek(fd, 0, SEEK_END); |
58 | if (stat(fname, &s) == -1) { | 63 | if (size == -1) |
59 | fprintf(stderr, "Error: cannot read protocol filter file\n"); | 64 | goto errexit; |
60 | exit(1); | 65 | if (lseek(fd, 0 , SEEK_SET) == -1) |
61 | } | 66 | goto errexit; |
62 | int size = s.st_size; | ||
63 | unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter); | 67 | unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter); |
64 | //printf("size %d, entries %d\n", s.st_size, entries); | 68 | if (arg_debug) |
69 | printf("reading %d seccomp entries from %s\n", entries, fname); | ||
65 | 70 | ||
66 | // read filter | 71 | // read filter |
67 | struct sock_filter filter[entries]; | 72 | struct sock_filter *filter = malloc(size); |
73 | if (filter == NULL) | ||
74 | goto errexit; | ||
68 | memset(&filter[0], 0, sizeof(filter)); | 75 | memset(&filter[0], 0, sizeof(filter)); |
69 | int src = open(fname, O_RDONLY); | ||
70 | int rd = 0; | 76 | int rd = 0; |
71 | while (rd < size) { | 77 | while (rd < size) { |
72 | int rv = read(src, (unsigned char *) filter + rd, size - rd); | 78 | int rv = read(fd, (unsigned char *) filter + rd, size - rd); |
73 | if (rv == -1) { | 79 | if (rv == -1) |
74 | fprintf(stderr, "Error: cannot read %s file\n", fname); | 80 | goto errexit; |
75 | exit(1); | ||
76 | } | ||
77 | rd += rv; | 81 | rd += rv; |
78 | } | 82 | } |
79 | close(src); | 83 | |
84 | // close file | ||
85 | close(fd); | ||
80 | 86 | ||
81 | // install filter | 87 | // install filter |
82 | struct sock_fprog prog = { | 88 | struct sock_fprog prog = { |
83 | .len = entries, | 89 | .len = entries, |
84 | .filter = filter, | 90 | .filter = filter, |
85 | }; | 91 | }; |
86 | |||
87 | if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { | 92 | if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { |
88 | fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n"); | 93 | fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n"); |
89 | return 1; | 94 | return 1; |
90 | } | 95 | } |
91 | 96 | ||
92 | return 0; | 97 | return 0; |
98 | |||
99 | errexit: | ||
100 | fprintf(stderr, "Error: cannot read %s\n", fname); | ||
101 | exit(1); | ||
93 | } | 102 | } |
94 | 103 | ||
95 | // i386 filter installed on amd64 architectures | 104 | // i386 filter installed on amd64 architectures |
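Review bot: `memset(&filter[0], 0, sizeof(filter));` now clears only pointer-size bytes, because `filter` changed from an array to a `malloc(size)` pointer; it should be `memset(filter, 0, size);`. The read loop treats only `rv == -1` as failure, so a `read()` returning 0 (file shorter than the size measured by lseek) never advances `rd` and the loop does not terminate; `if (rv <= 0) goto errexit;` covers both cases. `size` is not checked for being zero or a multiple of `sizeof(struct sock_filter)`, and the unchanged cast to `unsigned short` truncates it before the division, so `entries` can disagree with the number of bytes actually read into the filter that gets installed. The buffer is never freed after `prctl()` and the errexit path leaves `fd` open; the latter is harmless before exit(1), but a `free(filter)` on both return paths would close the leak.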
diff --git a/src/firemon/x11.c b/src/firemon/x11.c index b0efb090a..73dc310d3 100644 --- a/src/firemon/x11.c +++ b/src/firemon/x11.c | |||
@@ -37,20 +37,17 @@ void x11(pid_t pid, int print_procs) { | |||
37 | if (asprintf(&x11file, "/run/firejail/x11/%d", i) == -1) | 37 | if (asprintf(&x11file, "/run/firejail/x11/%d", i) == -1) |
38 | errExit("asprintf"); | 38 | errExit("asprintf"); |
39 | 39 | ||
40 | struct stat s; | 40 | FILE *fp = fopen(x11file, "r"); |
41 | if (stat(x11file, &s) == 0) { | 41 | if (!fp) { |
42 | FILE *fp = fopen(x11file, "r"); | 42 | free(x11file); |
43 | if (!fp) { | 43 | continue; |
44 | free(x11file); | ||
45 | continue; | ||
46 | } | ||
47 | int display; | ||
48 | int rv = fscanf(fp, "%d", &display); | ||
49 | if (rv == 1) | ||
50 | printf(" DISPLAY :%d\n", display); | ||
51 | fclose(fp); | ||
52 | } | 44 | } |
53 | 45 | ||
46 | int display; | ||
47 | int rv = fscanf(fp, "%d", &display); | ||
48 | if (rv == 1) | ||
49 | printf(" DISPLAY :%d\n", display); | ||
50 | fclose(fp); | ||
54 | free(x11file); | 51 | free(x11file); |
55 | } | 52 | } |
56 | } | 53 | } |
diff --git a/src/libtracelog/libtracelog.c b/src/libtracelog/libtracelog.c index ff884c7d7..ca496d41c 100644 --- a/src/libtracelog/libtracelog.c +++ b/src/libtracelog/libtracelog.c | |||
@@ -163,9 +163,9 @@ static char *storage_find(const char *str) { | |||
163 | #define RUN_FSLOGGER_FILE "/run/firejail/mnt/fslogger" | 163 | #define RUN_FSLOGGER_FILE "/run/firejail/mnt/fslogger" |
164 | #define MAXBUF 4096 | 164 | #define MAXBUF 4096 |
165 | static int blacklist_loaded = 0; | 165 | static int blacklist_loaded = 0; |
166 | static char *sandbox_pid_str = 0; | 166 | static char *sandbox_pid_str = NULL; |
167 | static char *sandbox_name_str = NULL; | 167 | static char *sandbox_name_str = NULL; |
168 | void load_blacklist(void) { | 168 | static void load_blacklist(void) { |
169 | if (blacklist_loaded) | 169 | if (blacklist_loaded) |
170 | return; | 170 | return; |
171 | 171 | ||
@@ -184,13 +184,15 @@ void load_blacklist(void) { | |||
184 | char *ptr = strchr(buf, '\n'); | 184 | char *ptr = strchr(buf, '\n'); |
185 | if (ptr) | 185 | if (ptr) |
186 | *ptr = '\0'; | 186 | *ptr = '\0'; |
187 | sandbox_pid_str = strdup(buf + 13); | 187 | if (sandbox_pid_str == NULL) |
188 | sandbox_pid_str = strdup(buf + 13); | ||
188 | } | 189 | } |
189 | else if (strncmp(buf, "sandbox name: ", 14) == 0) { | 190 | else if (strncmp(buf, "sandbox name: ", 14) == 0) { |
190 | char *ptr = strchr(buf, '\n'); | 191 | char *ptr = strchr(buf, '\n'); |
191 | if (ptr) | 192 | if (ptr) |
192 | *ptr = '\0'; | 193 | *ptr = '\0'; |
193 | sandbox_name_str = strdup(buf + 14); | 194 | if (sandbox_name_str == NULL); |
195 | sandbox_name_str = strdup(buf + 14); | ||
194 | } | 196 | } |
195 | else if (strncmp(buf, "blacklist ", 10) == 0) { | 197 | else if (strncmp(buf, "blacklist ", 10) == 0) { |
196 | char *ptr = strchr(buf, '\n'); | 198 | char *ptr = strchr(buf, '\n'); |