-rw-r--r--src/firejail/bandwidth.c21
-rw-r--r--src/firejail/firejail.h16
-rw-r--r--src/firejail/fs_dev.c2
-rw-r--r--src/firejail/join.c2
-rw-r--r--src/firejail/main.c114
-rw-r--r--src/firejail/preproc.c2
-rw-r--r--src/firejail/profile.c23
-rw-r--r--src/firejail/run_files.c133
-rw-r--r--src/firejail/shutdown.c2
9 files changed, 174 insertions, 141 deletions
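diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index 542faa06e..0045b444f 100644
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -141,22 +141,6 @@ static void bandwidth_create_run_file(pid_t pid) {
  free(fname);
 }
 
-// delete bandwidth file
-void bandwidth_del_run_file(pid_t pid) {
- char *fname;
- if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1)
- errExit("asprintf");
- unlink(fname);
- free(fname);
-}
-
-void network_del_run_file(pid_t pid) {
- char *fname;
- if (asprintf(&fname, "%s/%d-netmap", RUN_FIREJAIL_NETWORK_DIR, (int) pid) == -1)
- errExit("asprintf");
- unlink(fname);
- free(fname);
-}
 
 void network_set_run_file(pid_t pid) {
  char *fname;
@@ -268,9 +252,8 @@ void bandwidth_remove(pid_t pid, const char *dev) {
  }
 
  // remove the file if there are no entries in the list
- if (ifbw == NULL) {
- bandwidth_del_run_file(pid);
- }
+ if (ifbw == NULL)
+ delete_bandwidth_run_file(pid);
 }
 
 // add interface to run file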
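diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index ca3b73ffc..ca3cf18ac 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -22,6 +22,7 @@
 #include "../include/common.h"
 #include "../include/euid_common.h"
 #include <stdarg.h>
+#include <sys/stat.h>
 
 // debug restricted shell
 //#define DEBUG_RESTRICTED_SHELL
@@ -35,7 +36,8 @@
 #define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network"
 #define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth"
 #define RUN_FIREJAIL_PROFILE_DIR "/run/firejail/profile"
-#define RUN_NETWORK_LOCK_FILE "/run/firejail/firejail.lock"
+#define RUN_NETWORK_LOCK_FILE "/run/firejail/firejail-network.lock"
+#define RUN_DIRECTORY_LOCK_FILE "/run/firejail/firejail-run.lock"
 #define RUN_RO_DIR "/run/firejail/firejail.ro.dir"
 #define RUN_RO_FILE "/run/firejail/firejail.ro.file"
 #define RUN_MNT_DIR "/run/firejail/mnt" // a tmpfs is mounted on this directory before any of the files below are created
@@ -303,7 +305,6 @@ static inline int any_interface_configured(void) {
  else
  return 0;
 }
-void clear_run_files(pid_t pid);
 
 extern int arg_private; // mount private /home
 extern int arg_private_template; // private /home template
@@ -393,7 +394,6 @@ extern char *fullargv[MAX_ARGS];
 extern int fullargc;
 
 // main.c
-void set_x11_file(pid_t pid, int display);
 void check_user_namespace(void);
 char *guess_shell(void);
 
@@ -617,9 +617,7 @@ void netns(const char *nsname);
 void netns_mounts(const char *nsname);
 
 // bandwidth.c
-void bandwidth_del_run_file(pid_t pid);
 void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up);
-void network_del_run_file(pid_t pid);
 void network_set_run_file(pid_t pid);
 
 // fs_etc.c
@@ -791,9 +789,15 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 // run sbox
 int sbox_run(unsigned filter, int num, ...);
 
-
 // git.c
 void git_install();
 void git_uninstall();
 
+// run_files.c
+void delete_run_files(pid_t pid);
+void delete_bandwidth_run_file(pid_t pid);
+void set_name_run_file(pid_t pid);
+void set_x11_run_file(pid_t pid, int display);
+void set_profile_run_file(pid_t pid, const char *fname);
+
 #endif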
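Review bot: Changing the value of `RUN_NETWORK_LOCK_FILE` from `firejail.lock` to `firejail-network.lock` means a process built before this commit and one built after it would `flock` different files, so they would presumably not exclude each other if both run while an upgrade is in progress. The two lock macros also carry no comment saying what each one protects. Judging from the main.c hunks, `// held while bridge addresses are checked and assigned` on the network lock and `// held while the name and x11 run files are written` on the directory lock would document the intent.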
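diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 947f12472..6eac78d96 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -146,7 +146,7 @@ static void create_link(const char *oldpath, const char *newpath) {
  exit(1);
  }
 
- if (chown(newpath, 0, 0) < 0);
+ if (chown(newpath, 0, 0) < 0) {;}
 
  fs_logger2("create", newpath);
  return;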
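Review bot: `if (chown(newpath, 0, 0) < 0) {;}` still discards a failed `chown` silently; the new form only quiets the empty-body warning. The idiom main.c uses in this same commit, `int rv = chown(newpath, 0, 0); (void) rv;`, states the intent more plainly. If root ownership of `newpath` matters to the caller, a warning on failure would be safer than ignoring it. `create_link` starts above this hunk, so whether an earlier check makes the failure harmless cannot be seen here.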
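diff --git a/src/firejail/join.c b/src/firejail/join.c
index a21293214..12ee4a9a0 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -64,7 +64,7 @@ static void extract_x11_display(pid_t pid) {
 
  // store the display number for join process in /run/firejail/x11
  EUID_ROOT();
- set_x11_file(getpid(), display);
+ set_x11_run_file(getpid(), display);
  EUID_USER();
 }
 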
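diff --git a/src/firejail/main.c b/src/firejail/main.c
index e8556de2d..dad9befd3 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -132,22 +132,9 @@ static pid_t child = 0;
 pid_t sandbox_pid;
 unsigned long long start_timestamp;
 
-static void set_name_file(pid_t pid);
-static void delete_name_file(pid_t pid);
-static void delete_profile_file(pid_t pid);
-static void delete_x11_file(pid_t pid);
-
-void clear_run_files(pid_t pid) {
- bandwidth_del_run_file(pid); // bandwidth file
- network_del_run_file(pid); // network map file
- delete_name_file(pid);
- delete_profile_file(pid);
- delete_x11_file(pid);
-}
-
 static void clear_atexit(void) {
  EUID_ROOT();
- clear_run_files(getpid());
+ delete_run_files(getpid());
 }
 
 static void myexit(int rv) {
@@ -158,7 +145,7 @@ static void myexit(int rv) {
 
  // delete sandbox files in shared memory
  EUID_ROOT();
- clear_run_files(sandbox_pid);
+ delete_run_files(sandbox_pid);
  appimage_clear();
  flush_stdin();
  exit(rv);
@@ -755,68 +742,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 
 }
 
-static void set_name_file(pid_t pid) {
- char *fname;
- if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, pid) == -1)
- errExit("asprintf");
-
- // the file is deleted first
- FILE *fp = fopen(fname, "w");
- if (!fp) {
- fprintf(stderr, "Error: cannot create %s\n", fname);
- exit(1);
- }
- fprintf(fp, "%s\n", cfg.name);
-
- // mode and ownership
- SET_PERMS_STREAM(fp, 0, 0, 0644);
- fclose(fp);
-}
-
-static void delete_name_file(pid_t pid) {
- char *fname;
- if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, pid) == -1)
- errExit("asprintf");
- int rv = unlink(fname);
- (void) rv;
- free(fname);
-}
 
-static void delete_profile_file(pid_t pid) {
- char *fname;
- if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_PROFILE_DIR, pid) == -1)
- errExit("asprintf");
- int rv = unlink(fname);
- (void) rv;
- free(fname);
-}
-
-void set_x11_file(pid_t pid, int display) {
- char *fname;
- if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1)
- errExit("asprintf");
-
- // the file is deleted first
- FILE *fp = fopen(fname, "w");
- if (!fp) {
- fprintf(stderr, "Error: cannot create %s\n", fname);
- exit(1);
- }
- fprintf(fp, "%d\n", display);
-
- // mode and ownership
- SET_PERMS_STREAM(fp, 0, 0, 0644);
- fclose(fp);
-}
-
-static void delete_x11_file(pid_t pid) {
- char *fname;
- if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1)
- errExit("asprintf");
- int rv = unlink(fname);
- (void) rv;
- free(fname);
-}
 
 char *guess_shell(void) {
  char *shell = NULL;
@@ -898,7 +824,8 @@ static void run_builder(int argc, char **argv) {
 int main(int argc, char **argv) {
  int i;
  int prog_index = -1; // index in argv where the program command starts
- int lockfd = -1;
+ int lockfd_network = -1;
+ int lockfd_directory = -1;
  int option_cgroup = 0;
  int option_force = 0;
  int custom_profile = 0; // custom profile loaded
@@ -1002,10 +929,7 @@ int main(int argc, char **argv) {
 
  // check firejail directories
  EUID_ROOT();
- bandwidth_del_run_file(sandbox_pid);
- network_del_run_file(sandbox_pid);
- delete_name_file(sandbox_pid);
- delete_x11_file(sandbox_pid);
+ delete_run_files(sandbox_pid);
 
  EUID_USER();
 
@@ -2470,11 +2394,11 @@ int main(int argc, char **argv) {
  // check and assign an IP address - for macvlan it will be done again in the sandbox!
  if (any_bridge_configured()) {
  EUID_ROOT();
- lockfd = open(RUN_NETWORK_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);
- if (lockfd != -1) {
- int rv = fchown(lockfd, 0, 0);
+ lockfd_network = open(RUN_NETWORK_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);
+ if (lockfd_network != -1) {
+ int rv = fchown(lockfd_network, 0, 0);
  (void) rv;
- flock(lockfd, LOCK_EX);
+ flock(lockfd_network, LOCK_EX);
  }
 
  check_network(&cfg.bridge0);
@@ -2503,13 +2427,21 @@ int main(int argc, char **argv) {
  }
 
 
- // set name file
+ // set name and x11 run files
  EUID_ROOT();
+ lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);
+ if (lockfd_directory != -1) {
+ int rv = fchown(lockfd_directory, 0, 0);
+ (void) rv;
+ flock(lockfd_directory, LOCK_EX);
+ }
  if (cfg.name)
- set_name_file(sandbox_pid);
+ set_name_run_file(sandbox_pid);
  int display = x11_display();
  if (display > 0)
- set_x11_file(sandbox_pid, display);
+ set_x11_run_file(sandbox_pid, display);
+ flock(lockfd_directory, LOCK_UN);
+ close(lockfd_directory);
  EUID_USER();
 
  // clone environment
@@ -2650,9 +2582,9 @@ int main(int argc, char **argv) {
  close(parent_to_child_fds[1]);
 
  EUID_ROOT();
- if (lockfd != -1) {
- flock(lockfd, LOCK_UN);
- close(lockfd);
+ if (lockfd_network != -1) {
+ flock(lockfd_network, LOCK_UN);
+ close(lockfd_network);
  }
 
  // handle CTRL-C in parent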
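Review bot: The new directory lock is released unconditionally in the hunk at new line 2427: `flock(lockfd_directory, LOCK_UN); close(lockfd_directory);` runs even when `open()` returned -1, unlike the `lockfd_network` release later in `main`, which is guarded. Wrapping the release as `if (lockfd_directory != -1) { flock(lockfd_directory, LOCK_UN); close(lockfd_directory); }` keeps the two locks consistent and avoids `close(-1)`. A failed `open()` or `flock()` is also ignored, so the name and x11 run files are then written as root without mutual exclusion; a warning would at least make that visible. The lock covers only the two `set_*_run_file` calls, and none of the `delete_run_files()` call sites visible in this commit takes it, so it is worth confirming that cleanup by another firejail process cannot interleave with these writes. `main` begins and ends outside these hunks.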
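diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index d13209873..1f4cf9e54 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -173,7 +173,7 @@ void preproc_clean_run(void) {
  if (pid < start_pid)
  continue;
  if (pidarr[pid] == 0)
- clear_run_files(pid);
+ delete_run_files(pid);
  }
  closedir(dir);
 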
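diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 77308b7ac..5566b9860 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1241,27 +1241,8 @@ void profile_read(const char *fname) {
  }
 
  // save the name of the file for --profile.print option
- if (include_level == 0) {
- char *runfile;
- if (asprintf(&runfile, "%s/%d", RUN_FIREJAIL_PROFILE_DIR, getpid()) == -1)
- errExit("asprintf");
-
- EUID_ROOT();
- // the file is deleted first
- FILE *fp = fopen(runfile, "w");
- if (!fp) {
- fprintf(stderr, "Error: cannot create %s\n", runfile);
- exit(1);
- }
- fprintf(fp, "%s\n", fname);
-
- // mode and ownership
- SET_PERMS_STREAM(fp, 0, 0, 0644);
- fclose(fp);
- EUID_USER();
- free(runfile);
- }
-
+ if (include_level == 0)
+ set_profile_run_file(getpid(), fname);
 
  int msg_printed = 0;
 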
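diff --git a/src/firejail/run_files.c b/src/firejail/run_files.c
new file mode 100644
index 000000000..42303c07b
--- /dev/null
+++ b/src/firejail/run_files.c
@@ -0,0 +1,133 @@
+/*
+ * Copyright (C) 2014-2018 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include "firejail.h"
+#include "../include/pid.h"
+
+static void delete_x11_run_file(pid_t pid) {
+ char *fname;
+ if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1)
+ errExit("asprintf");
+ int rv = unlink(fname);
+ (void) rv;
+ free(fname);
+}
+
+static void delete_profile_run_file(pid_t pid) {
+ char *fname;
+ if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_PROFILE_DIR, pid) == -1)
+ errExit("asprintf");
+ int rv = unlink(fname);
+ (void) rv;
+ free(fname);
+}
+
+static void delete_name_run_file(pid_t pid) {
+ char *fname;
+ if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, pid) == -1)
+ errExit("asprintf");
+ int rv = unlink(fname);
+ (void) rv;
+ free(fname);
+}
+
+void delete_bandwidth_run_file(pid_t pid) {
+ char *fname;
+ if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1)
+ errExit("asprintf");
+ unlink(fname);
+ free(fname);
+}
+
+static void delete_network_run_file(pid_t pid) {
+ char *fname;
+ if (asprintf(&fname, "%s/%d-netmap", RUN_FIREJAIL_NETWORK_DIR, (int) pid) == -1)
+ errExit("asprintf");
+ unlink(fname);
+ free(fname);
+}
+
+
+
+void delete_run_files(pid_t pid) {
+ delete_bandwidth_run_file(pid);
+ delete_network_run_file(pid);
+ delete_name_run_file(pid);
+ delete_profile_run_file(pid);
+ delete_x11_run_file(pid);
+}
+
+void set_name_run_file(pid_t pid) {
+ char *fname;
+ if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, pid) == -1)
+ errExit("asprintf");
+
+ // the file is deleted first
+ FILE *fp = fopen(fname, "w");
+ if (!fp) {
+ fprintf(stderr, "Error: cannot create %s\n", fname);
+ exit(1);
+ }
+ fprintf(fp, "%s\n", cfg.name);
+
+ // mode and ownership
+ SET_PERMS_STREAM(fp, 0, 0, 0644);
+ fclose(fp);
+}
+
+
+void set_x11_run_file(pid_t pid, int display) {
+ char *fname;
+ if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_X11_DIR, pid) == -1)
+ errExit("asprintf");
+
+ // the file is deleted first
+ FILE *fp = fopen(fname, "w");
+ if (!fp) {
+ fprintf(stderr, "Error: cannot create %s\n", fname);
+ exit(1);
+ }
+ fprintf(fp, "%d\n", display);
+
+ // mode and ownership
+ SET_PERMS_STREAM(fp, 0, 0, 0644);
+ fclose(fp);
+}
+
+void set_profile_run_file(pid_t pid, const char *fname) {
+ char *runfile;
+ if (asprintf(&runfile, "%s/%d", RUN_FIREJAIL_PROFILE_DIR, pid) == -1)
+ errExit("asprintf");
+
+ EUID_ROOT();
+ // the file is deleted first
+ FILE *fp = fopen(runfile, "w");
+ if (!fp) {
+ fprintf(stderr, "Error: cannot create %s\n", runfile);
+ exit(1);
+ }
+ fprintf(fp, "%s\n", fname);
+
+ // mode and ownership
+ SET_PERMS_STREAM(fp, 0, 0, 0644);
+ fclose(fp);
+ EUID_USER();
+ free(runfile);
+}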
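Review bot: `set_name_run_file` and `set_x11_run_file` never free `fname`, whereas `set_profile_run_file` frees `runfile`; adding `free(fname);` after `fclose(fp);` in both closes the leak. `set_profile_run_file` raises privileges itself with `EUID_ROOT()` and always returns after `EUID_USER()`, while the other two setters rely on the caller already holding root; now that all three are exported, that difference deserves a header comment such as `// switches to root EUID internally and returns with user EUID`. The comment `// the file is deleted first` does not match the code, since `fopen(..., "w")` truncates whatever already exists at the path rather than unlinking it. These writes run as root, so they depend on the run directories being writable only by root, which this diff does not show. The results of `fprintf` and `fclose` are not checked either, so a short write to the run file would go unnoticed.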
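diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c
index 12dfdf450..be20cd353 100644
--- a/src/firejail/shutdown.c
+++ b/src/firejail/shutdown.c
@@ -103,5 +103,5 @@ void shut(pid_t pid) {
  }
  }
 
- clear_run_files(parent);
+ delete_run_files(parent);
 }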