diff options
| author |  netblue30 <netblue30@yahoo.com> | 2016-06-02 13:39:20 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2016-06-02 13:39:20 -0400 |
| commit | 28641d918e696b03f5c0c4deecac458986f35dec (patch) | |
| tree | 1d0e1b0affd23022bbb5c7a5d2e1cc584445cfed /src | |
| parent | fixed globbing dot files (diff) | |
| download | firejail-28641d918e696b03f5c0c4deecac458986f35dec.tar.gz firejail-28641d918e696b03f5c0c4deecac458986f35dec.tar.zst firejail-28641d918e696b03f5c0c4deecac458986f35dec.zip | |
lxc fixes
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/firejail.h | 1 | ||||
| -rw-r--r-- | src/firejail/main.c | 120 | ||||
| -rw-r--r-- | src/firejail/no_sandbox.c | 13 |
3 files changed, 77 insertions, 57 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 661073730..b0a3ac90d 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -483,6 +483,7 @@ void fs_check_etc_list(void); | |||
| 483 | void fs_private_etc_list(void); | 483 | void fs_private_etc_list(void); |
| 484 | 484 | ||
| 485 | // no_sandbox.c | 485 | // no_sandbox.c |
| 486 | int check_namespace_virt(void); | ||
| 486 | int check_kernel_procs(void); | 487 | int check_kernel_procs(void); |
| 487 | void run_no_sandbox(int argc, char **argv); | 488 | void run_no_sandbox(int argc, char **argv); |
| 488 | 489 | ||
diff --git a/src/firejail/main.c b/src/firejail/main.c index 607637802..0c843de9c 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -725,65 +725,71 @@ int main(int argc, char **argv) { | |||
| 725 | } | 725 | } |
| 726 | 726 | ||
| 727 | // check if we already have a sandbox running | 727 | // check if we already have a sandbox running |
| 728 | EUID_ROOT(); | 728 | // If LXC is detected, start firejail sandbox |
| 729 | int rv = check_kernel_procs(); | 729 | // otherwise try to detect a PID namespace by looking under /proc for specific kernel processes and: |
| 730 | EUID_USER(); | 730 | // - if --force flag is set, start firejail sandbox |
| 731 | if (rv == 0) { | 731 | // -- if --force flag is not set, start the application in a /bin/bash shell |
| 732 | // if --force option is passed to the program, disregard the existing sandbox | 732 | if (check_namespace_virt() == 0) { |
| 733 | int found = 0; | 733 | EUID_ROOT(); |
| 734 | for (i = 1; i < argc; i++) { | 734 | int rv = check_kernel_procs(); |
| 735 | if (strcmp(argv[i], "--force") == 0 || | 735 | EUID_USER(); |
| 736 | strcmp(argv[i], "--list") == 0 || | 736 | if (rv == 0) { |
| 737 | strcmp(argv[i], "--netstats") == 0 || | 737 | // if --force option is passed to the program, disregard the existing sandbox |
| 738 | strcmp(argv[i], "--tree") == 0 || | 738 | int found = 0; |
| 739 | strcmp(argv[i], "--top") == 0 || | 739 | for (i = 1; i < argc; i++) { |
| 740 | strncmp(argv[i], "--ls=", 5) == 0 || | 740 | if (strcmp(argv[i], "--force") == 0 || |
| 741 | strncmp(argv[i], "--get=", 6) == 0 || | 741 | strcmp(argv[i], "--list") == 0 || |
| 742 | strcmp(argv[i], "--debug-caps") == 0 || | 742 | strcmp(argv[i], "--netstats") == 0 || |
| 743 | strcmp(argv[i], "--debug-errnos") == 0 || | 743 | strcmp(argv[i], "--tree") == 0 || |
| 744 | strcmp(argv[i], "--debug-syscalls") == 0 || | 744 | strcmp(argv[i], "--top") == 0 || |
| 745 | strcmp(argv[i], "--debug-protocols") == 0 || | 745 | strncmp(argv[i], "--ls=", 5) == 0 || |
| 746 | strcmp(argv[i], "--help") == 0 || | 746 | strncmp(argv[i], "--get=", 6) == 0 || |
| 747 | strcmp(argv[i], "--version") == 0 || | 747 | strcmp(argv[i], "--debug-caps") == 0 || |
| 748 | strncmp(argv[i], "--dns.print=", 12) == 0 || | 748 | strcmp(argv[i], "--debug-errnos") == 0 || |
| 749 | strncmp(argv[i], "--bandwidth=", 12) == 0 || | 749 | strcmp(argv[i], "--debug-syscalls") == 0 || |
| 750 | strncmp(argv[i], "--caps.print=", 13) == 0 || | 750 | strcmp(argv[i], "--debug-protocols") == 0 || |
| 751 | strncmp(argv[i], "--cpu.print=", 12) == 0 || | 751 | strcmp(argv[i], "--help") == 0 || |
| 752 | //******************************************************************************** | 752 | strcmp(argv[i], "--version") == 0 || |
| 753 | // todo: fix the following problems | 753 | strncmp(argv[i], "--dns.print=", 12) == 0 || |
| 754 | strncmp(argv[i], "--join=", 7) == 0 || | 754 | strncmp(argv[i], "--bandwidth=", 12) == 0 || |
| 755 | //[netblue@debian Downloads]$ firejail --join=896 | 755 | strncmp(argv[i], "--caps.print=", 13) == 0 || |
| 756 | //Switching to pid 897, the first child process inside the sandbox | 756 | strncmp(argv[i], "--cpu.print=", 12) == 0 || |
| 757 | //Error: seccomp file not found | 757 | //******************************************************************************** |
| 758 | //******************************************************************************** | 758 | // todo: fix the following problems |
| 759 | 759 | strncmp(argv[i], "--join=", 7) == 0 || | |
| 760 | strncmp(argv[i], "--join-filesystem=", 18) == 0 || | 760 | //[netblue@debian Downloads]$ firejail --join=896 |
| 761 | strncmp(argv[i], "--join-network=", 15) == 0 || | 761 | //Switching to pid 897, the first child process inside the sandbox |
| 762 | strncmp(argv[i], "--fs.print=", 11) == 0 || | 762 | //Error: seccomp file not found |
| 763 | strncmp(argv[i], "--protocol.print=", 17) == 0 || | 763 | //******************************************************************************** |
| 764 | strncmp(argv[i], "--seccomp.print", 15) == 0 || | 764 | |
| 765 | strncmp(argv[i], "--shutdown=", 11) == 0) { | 765 | strncmp(argv[i], "--join-filesystem=", 18) == 0 || |
| 766 | found = 1; | 766 | strncmp(argv[i], "--join-network=", 15) == 0 || |
| 767 | break; | 767 | strncmp(argv[i], "--fs.print=", 11) == 0 || |
| 768 | } | 768 | strncmp(argv[i], "--protocol.print=", 17) == 0 || |
| 769 | 769 | strncmp(argv[i], "--seccomp.print", 15) == 0 || | |
| 770 | // detect end of firejail params | 770 | strncmp(argv[i], "--shutdown=", 11) == 0) { |
| 771 | if (strcmp(argv[i], "--") == 0) | 771 | found = 1; |
| 772 | break; | 772 | break; |
| 773 | if (strncmp(argv[i], "--", 2) != 0) | 773 | } |
| 774 | break; | 774 | |
| 775 | } | 775 | // detect end of firejail params |
| 776 | 776 | if (strcmp(argv[i], "--") == 0) | |
| 777 | if (found == 0) { | 777 | break; |
| 778 | // start the program directly without sandboxing | 778 | if (strncmp(argv[i], "--", 2) != 0) |
| 779 | run_no_sandbox(argc, argv); | 779 | break; |
| 780 | // it will never get here! | 780 | } |
| 781 | assert(0); | 781 | |
| 782 | if (found == 0) { | ||
| 783 | // start the program directly without sandboxing | ||
| 784 | run_no_sandbox(argc, argv); | ||
| 785 | // it will never get here! | ||
| 786 | assert(0); | ||
| 787 | } | ||
| 788 | else | ||
| 789 | option_force = 1; | ||
| 782 | } | 790 | } |
| 783 | else | ||
| 784 | option_force = 1; | ||
| 785 | } | 791 | } |
| 786 | 792 | ||
| 787 | // check root/suid | 793 | // check root/suid |
| 788 | EUID_ROOT(); | 794 | EUID_ROOT(); |
| 789 | if (geteuid()) { | 795 | if (geteuid()) { |
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index a9242f035..cc7f6d234 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c | |||
| @@ -23,6 +23,19 @@ | |||
| 23 | #include <unistd.h> | 23 | #include <unistd.h> |
| 24 | #include <grp.h> | 24 | #include <grp.h> |
| 25 | 25 | ||
| 26 | // returns 1 if we are running under LXC | ||
| 27 | int check_namespace_virt(void) { | ||
| 28 | char *container = getenv("container"); | ||
| 29 | if (container && | ||
| 30 | (strcmp(container, "lxc") == 0 || | ||
| 31 | strcmp(container, "docker") == 0 || | ||
| 32 | strcmp(container, "lxc-libvirt") == 0 || | ||
| 33 | strcmp(container, "systemd-nspawn") == 0 || | ||
| 34 | strcmp(container, "rkt") == 0)) | ||
| 35 | return 1; | ||
| 36 | return 0; | ||
| 37 | } | ||
| 38 | |||
| 26 | // check process space for kernel processes | 39 | // check process space for kernel processes |
| 27 | // return 1 if found, 0 if not found | 40 | // return 1 if found, 0 if not found |
| 28 | int check_kernel_procs(void) { | 41 | int check_kernel_procs(void) { |