-rw-r--r-- | src/firejail/firejail.h | 8 | ||||
-rw-r--r-- | src/firejail/main.c | 3 | ||||
-rw-r--r-- | src/firejail/sbox.c | 14 |
3 files changed, 15 insertions, 10 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 56dbd6868..b8126cfe7 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -688,11 +688,13 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar | |||
688 | #define PATH_FIREMON (PREFIX "/bin/firemon") | 688 | #define PATH_FIREMON (PREFIX "/bin/firemon") |
689 | #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp") | 689 | #define PATH_FSECCOMP (LIBDIR "/firejail/fseccomp") |
690 | // bitmapped filters for sbox_run | 690 | // bitmapped filters for sbox_run |
691 | #define SBOX_ROOT (1 << 0) | 691 | #define SBOX_ROOT (1 << 0) // run the sandbox as root |
692 | #define SBOX_USER (1 << 1) | 692 | #define SBOX_USER (1 << 1) // run the sandbox as a regular user |
693 | #define SBOX_SECCOMP (1 << 2) | 693 | #define SBOX_SECCOMP (1 << 2) // install seccomp |
694 | #define SBOX_CAPS_NONE (1 << 3) // drop all capabilities | 694 | #define SBOX_CAPS_NONE (1 << 3) // drop all capabilities |
695 | #define SBOX_CAPS_NETWORK (1 << 4) // caps filter for programs running network programs | 695 | #define SBOX_CAPS_NETWORK (1 << 4) // caps filter for programs running network programs |
696 | #define SBOX_ALLOW_STDIN (1 << 5) // don't close stdin | ||
697 | |||
696 | // run sbox | 698 | // run sbox |
697 | int sbox_run(unsigned filter, int num, ...); | 699 | int sbox_run(unsigned filter, int num, ...); |
698 | 700 | ||
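Review bot: The comment on the new SBOX_ALLOW_STDIN define, `// don't close stdin`, understates what the default path does: when the flag is clear, sbox_run redirects descriptor 0 to /dev/null and only closes it when /dev/null cannot be opened, so the flag really means the helper keeps the caller's stdin. Suggest `#define SBOX_ALLOW_STDIN (1 << 5) // keep the caller's stdin instead of redirecting it to /dev/null`. Because this hands whatever descriptor 0 the parent holds, possibly a terminal, to the sandboxed helper, the comment is also the right place to say it should only be set for helpers that actually need interactive input.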
diff --git a/src/firejail/main.c b/src/firejail/main.c index b6f3a7f59..f01094af9 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -507,7 +507,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
507 | exit(rv); | 507 | exit(rv); |
508 | } | 508 | } |
509 | else if (strcmp(argv[i], "--top") == 0) { | 509 | else if (strcmp(argv[i], "--top") == 0) { |
510 | int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--top"); | 510 | int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN, |
511 | 2, PATH_FIREMON, "--top"); | ||
511 | exit(rv); | 512 | exit(rv); |
512 | } | 513 | } |
513 | #ifdef HAVE_NETWORK | 514 | #ifdef HAVE_NETWORK |
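Review bot: The reason `--top` needs SBOX_ALLOW_STDIN is not stated at the call site; presumably firemon --top is interactive and reads keystrokes from the terminal, which the default /dev/null redirection in sbox_run would break, but the hunk does not say so. A one-line comment above the call, `// --top is interactive: let firemon read from the caller's terminal`, would stop a later reader from dropping the flag when tightening the filter set. run_cmd_and_exit starts and ends outside the hunk.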
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index 3d4eef3aa..bca72c14a 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c | |||
@@ -141,14 +141,16 @@ int sbox_run(unsigned filter, int num, ...) { | |||
141 | int max = 20; // getdtablesize() is overkill for a firejail process | 141 | int max = 20; // getdtablesize() is overkill for a firejail process |
142 | for (i = 3; i < max; i++) | 142 | for (i = 3; i < max; i++) |
143 | close(i); // close open files | 143 | close(i); // close open files |
144 | if ((filter & SBOX_ALLOW_STDIN) == 0) { | ||
144 | int fd = open("/dev/null",O_RDWR, 0); | 145 | int fd = open("/dev/null",O_RDWR, 0); |
145 | if (fd != -1) { | 146 | if (fd != -1) { |
146 | dup2 (fd, STDIN_FILENO); | 147 | dup2 (fd, STDIN_FILENO); |
147 | if (fd > 2) | 148 | if (fd > 2) |
148 | close (fd); | 149 | close (fd); |
150 | } | ||
151 | else // the user could run the sandbox without /dev/null | ||
152 | close(STDIN_FILENO); | ||
149 | } | 153 | } |
150 | else // the user could run the sandbox without /dev/null | ||
151 | close(STDIN_FILENO); | ||
152 | umask(027); | 154 | umask(027); |
153 | 155 | ||
154 | // apply filters | 156 | // apply filters |
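Review bot: The new `if ((filter & SBOX_ALLOW_STDIN) == 0)` guard leaves descriptor 0 untouched when the flag is set, but nothing checks that the caller's stdin is actually open; if the parent was started with fd 0 closed, the helper's first open() lands on descriptor 0 and it will read from an unintended file. A cheap check before the branch would fall back to the /dev/null path in that case: `if ((filter & SBOX_ALLOW_STDIN) && fcntl(STDIN_FILENO, F_GETFD) == -1) filter &= ~SBOX_ALLOW_STDIN; // stdin is not open, redirect to /dev/null instead`. The descriptor-closing loop just above (3..max) is unchanged and unaffected by the flag, which looks like the intended scope. sbox_run starts and continues outside the hunk.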