diff options
| author |  netblue30 <netblue30@yahoo.com> | 2016-03-17 13:09:03 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2016-03-17 13:09:03 -0400 |
| commit | 46f2bd2531324174f4e6e2f88c361cbddf5055ce (patch) | |
| tree | e625bcfa7468a23aa568831f66f2c0441f1632d3 /src | |
| parent | overlayfs work, fixed hedgwoars profile (diff) | |
| download | firejail-46f2bd2531324174f4e6e2f88c361cbddf5055ce.tar.gz firejail-46f2bd2531324174f4e6e2f88c361cbddf5055ce.tar.zst firejail-46f2bd2531324174f4e6e2f88c361cbddf5055ce.zip | |
various fixes
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/bandwidth.c | 4 | ||||
| -rw-r--r-- | src/firejail/caps.c | 2 | ||||
| -rw-r--r-- | src/firejail/main.c | 30 | ||||
| -rw-r--r-- | src/firejail/sandbox.c | 8 | ||||
| -rw-r--r-- | src/firejail/seccomp.c | 6 |
5 files changed, 37 insertions, 13 deletions
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c index 0be23b9bc..10032b87a 100644 --- a/src/firejail/bandwidth.c +++ b/src/firejail/bandwidth.c | |||
| @@ -341,6 +341,7 @@ void bandwidth_shm_set(pid_t pid, const char *dev, int down, int up) { | |||
| 341 | // command execution | 341 | // command execution |
| 342 | //*********************************** | 342 | //*********************************** |
| 343 | void bandwidth_name(const char *name, const char *command, const char *dev, int down, int up) { | 343 | void bandwidth_name(const char *name, const char *command, const char *dev, int down, int up) { |
| 344 | EUID_ASSERT(); | ||
| 344 | if (!name || strlen(name) == 0) { | 345 | if (!name || strlen(name) == 0) { |
| 345 | fprintf(stderr, "Error: invalid sandbox name\n"); | 346 | fprintf(stderr, "Error: invalid sandbox name\n"); |
| 346 | exit(1); | 347 | exit(1); |
| @@ -355,6 +356,7 @@ void bandwidth_name(const char *name, const char *command, const char *dev, int | |||
| 355 | } | 356 | } |
| 356 | 357 | ||
| 357 | void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up) { | 358 | void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up) { |
| 359 | EUID_ASSERT(); | ||
| 358 | //************************ | 360 | //************************ |
| 359 | // verify sandbox | 361 | // verify sandbox |
| 360 | //************************ | 362 | //************************ |
| @@ -388,6 +390,8 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in | |||
| 388 | fprintf(stderr, "Error: cannot join the network namespace\n"); | 390 | fprintf(stderr, "Error: cannot join the network namespace\n"); |
| 389 | exit(1); | 391 | exit(1); |
| 390 | } | 392 | } |
| 393 | |||
| 394 | EUID_ROOT(); | ||
| 391 | if (join_namespace(child, "net")) { | 395 | if (join_namespace(child, "net")) { |
| 392 | fprintf(stderr, "Error: cannot join the network namespace\n"); | 396 | fprintf(stderr, "Error: cannot join the network namespace\n"); |
| 393 | exit(1); | 397 | exit(1); |
diff --git a/src/firejail/caps.c b/src/firejail/caps.c index de7c93b48..896293fd1 100644 --- a/src/firejail/caps.c +++ b/src/firejail/caps.c | |||
| @@ -439,8 +439,6 @@ void caps_print_filter(pid_t pid) { | |||
| 439 | } | 439 | } |
| 440 | 440 | ||
| 441 | uint64_t caps = extract_caps(pid); | 441 | uint64_t caps = extract_caps(pid); |
| 442 | drop_privs(1); | ||
| 443 | |||
| 444 | int i; | 442 | int i; |
| 445 | uint64_t mask; | 443 | uint64_t mask; |
| 446 | int elems = sizeof(capslist) / sizeof(capslist[0]); | 444 | int elems = sizeof(capslist) / sizeof(capslist[0]); |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 476f9c39c..02a55ac70 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -343,7 +343,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
| 343 | 343 | ||
| 344 | // extract pid or sandbox name | 344 | // extract pid or sandbox name |
| 345 | pid_t pid; | 345 | pid_t pid; |
| 346 | EUID_ROOT(); | ||
| 347 | if (read_pid(argv[i] + 12, &pid) == 0) | 346 | if (read_pid(argv[i] + 12, &pid) == 0) |
| 348 | bandwidth_pid(pid, cmd, dev, down, up); | 347 | bandwidth_pid(pid, cmd, dev, down, up); |
| 349 | else | 348 | else |
| @@ -669,10 +668,35 @@ int main(int argc, char **argv) { | |||
| 669 | int found = 0; | 668 | int found = 0; |
| 670 | for (i = 1; i < argc; i++) { | 669 | for (i = 1; i < argc; i++) { |
| 671 | if (strcmp(argv[i], "--force") == 0 || | 670 | if (strcmp(argv[i], "--force") == 0 || |
| 672 | strcmp(argv[i], "--netstats") == 0 || | ||
| 673 | strcmp(argv[i], "--list") == 0 || | 671 | strcmp(argv[i], "--list") == 0 || |
| 672 | strcmp(argv[i], "--netstats") == 0 || | ||
| 674 | strcmp(argv[i], "--tree") == 0 || | 673 | strcmp(argv[i], "--tree") == 0 || |
| 675 | strcmp(argv[i], "--top") == 0) { | 674 | strcmp(argv[i], "--top") == 0 || |
| 675 | strncmp(argv[i], "--ls=", 5) == 0 || | ||
| 676 | strncmp(argv[i], "--get=", 6) == 0 || | ||
| 677 | strcmp(argv[i], "--debug-caps") == 0 || | ||
| 678 | strcmp(argv[i], "--debug-errnos") == 0 || | ||
| 679 | strcmp(argv[i], "--debug-syscalls") == 0 || | ||
| 680 | strcmp(argv[i], "--debug-protocols") == 0 || | ||
| 681 | strcmp(argv[i], "--help") == 0 || | ||
| 682 | strcmp(argv[i], "--version") == 0 || | ||
| 683 | strncmp(argv[i], "--dns.print=", 12) == 0 || | ||
| 684 | strncmp(argv[i], "--bandwidth=", 12) == 0 || | ||
| 685 | strncmp(argv[i], "--caps.print=", 13) == 0 || | ||
| 686 | //******************************************************************************** | ||
| 687 | // todo: fix the following problems | ||
| 688 | strncmp(argv[i], "--join=", 7) == 0 || | ||
| 689 | //[netblue@debian Downloads]$ firejail --join=896 | ||
| 690 | //Switching to pid 897, the first child process inside the sandbox | ||
| 691 | //Error: seccomp file not found | ||
| 692 | //******************************************************************************** | ||
| 693 | |||
| 694 | strncmp(argv[i], "--join-filesystem=", 18) == 0 || | ||
| 695 | strncmp(argv[i], "--join-network=", 15) == 0 || | ||
| 696 | strncmp(argv[i], "--fs.print=", 11) == 0 || | ||
| 697 | strncmp(argv[i], "--protocol.print=", 17) == 0 || | ||
| 698 | strncmp(argv[i], "--seccomp.print", 15) == 0 || | ||
| 699 | strncmp(argv[i], "--shutdown=", 11) == 0) { | ||
| 676 | found = 1; | 700 | found = 1; |
| 677 | break; | 701 | break; |
| 678 | } | 702 | } |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 5bd86019a..c371f4c75 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -604,7 +604,7 @@ int sandbox(void* sandbox_arg) { | |||
| 604 | // set security filters | 604 | // set security filters |
| 605 | //**************************** | 605 | //**************************** |
| 606 | // set capabilities | 606 | // set capabilities |
| 607 | if (!arg_noroot) | 607 | // if (!arg_noroot) |
| 608 | set_caps(); | 608 | set_caps(); |
| 609 | 609 | ||
| 610 | // set rlimits | 610 | // set rlimits |
| @@ -646,8 +646,7 @@ int sandbox(void* sandbox_arg) { | |||
| 646 | if (arg_noroot) { | 646 | if (arg_noroot) { |
| 647 | int rv = unshare(CLONE_NEWUSER); | 647 | int rv = unshare(CLONE_NEWUSER); |
| 648 | if (rv == -1) { | 648 | if (rv == -1) { |
| 649 | fprintf(stderr, "Warning: cannot mount a new user namespace, going forward without it\n"); | 649 | fprintf(stderr, "Warning: cannot mount a new user namespace, going forward without it...\n"); |
| 650 | perror("unshare"); | ||
| 651 | drop_privs(arg_nogroups); | 650 | drop_privs(arg_nogroups); |
| 652 | arg_noroot = 0; | 651 | arg_noroot = 0; |
| 653 | } | 652 | } |
| @@ -667,12 +666,11 @@ int sandbox(void* sandbox_arg) { | |||
| 667 | // somehow, the new user namespace resets capabilities; | 666 | // somehow, the new user namespace resets capabilities; |
| 668 | // we need to do them again | 667 | // we need to do them again |
| 669 | if (arg_noroot) { | 668 | if (arg_noroot) { |
| 670 | set_caps(); | ||
| 671 | if (arg_debug) | 669 | if (arg_debug) |
| 672 | printf("noroot user namespace installed\n"); | 670 | printf("noroot user namespace installed\n"); |
| 671 | set_caps(); | ||
| 673 | } | 672 | } |
| 674 | 673 | ||
| 675 | |||
| 676 | //**************************************** | 674 | //**************************************** |
| 677 | // fork the application and monitor it | 675 | // fork the application and monitor it |
| 678 | //**************************************** | 676 | //**************************************** |
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index a5a77abab..d29184b7c 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
| @@ -261,7 +261,7 @@ static void filter_end_whitelist(void) { | |||
| 261 | } | 261 | } |
| 262 | 262 | ||
| 263 | 263 | ||
| 264 | // save seccomp filter in /tmp/firejail/mnt/seccomp | 264 | // save seccomp filter in /run/firejail/mnt/seccomp |
| 265 | static void write_seccomp_file(void) { | 265 | static void write_seccomp_file(void) { |
| 266 | fs_build_mnt_dir(); | 266 | fs_build_mnt_dir(); |
| 267 | assert(sfilter); | 267 | assert(sfilter); |
| @@ -283,10 +283,10 @@ static void write_seccomp_file(void) { | |||
| 283 | errExit("chown"); | 283 | errExit("chown"); |
| 284 | } | 284 | } |
| 285 | 285 | ||
| 286 | // read seccomp filter from /tmp/firejail/mnt/seccomp | 286 | // read seccomp filter from /run/firejail/mnt/seccomp |
| 287 | static void read_seccomp_file(const char *fname) { | 287 | static void read_seccomp_file(const char *fname) { |
| 288 | assert(sfilter == NULL && sfilter_index == 0); | 288 | assert(sfilter == NULL && sfilter_index == 0); |
| 289 | 289 | printf("***%s***\n", fname); | |
| 290 | // check file | 290 | // check file |
| 291 | struct stat s; | 291 | struct stat s; |
| 292 | if (stat(fname, &s) == -1) { | 292 | if (stat(fname, &s) == -1) { |