-rw-r--r-- | src/firejail/join.c | 92 |
1 files changed, 25 insertions, 67 deletions
diff --git a/src/firejail/join.c b/src/firejail/join.c index 632715fea..37bac7e65 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -122,7 +122,7 @@ static void extract_caps_seccomp(pid_t pid) { | |||
122 | break; | 122 | break; |
123 | } | 123 | } |
124 | else if (strncmp(buf, "CapBnd:", 7) == 0) { | 124 | else if (strncmp(buf, "CapBnd:", 7) == 0) { |
125 | char *ptr = buf + 8; | 125 | char *ptr = buf + 7; |
126 | unsigned long long val; | 126 | unsigned long long val; |
127 | sscanf(ptr, "%llx", &val); | 127 | sscanf(ptr, "%llx", &val); |
128 | apply_caps = 1; | 128 | apply_caps = 1; |
@@ -295,9 +295,8 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
295 | // set seccomp filter | 295 | // set seccomp filter |
296 | if (apply_seccomp == 1) // not available for uid 0 | 296 | if (apply_seccomp == 1) // not available for uid 0 |
297 | seccomp_set(); | 297 | seccomp_set(); |
298 | |||
299 | #endif | 298 | #endif |
300 | 299 | ||
301 | // fix qt 4.8 | 300 | // fix qt 4.8 |
302 | if (setenv("QT_X11_NO_MITSHM", "1", 1) < 0) | 301 | if (setenv("QT_X11_NO_MITSHM", "1", 1) < 0) |
303 | errExit("setenv"); | 302 | errExit("setenv"); |
@@ -314,6 +313,11 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
314 | else | 313 | else |
315 | drop_privs(arg_nogroups); // nogroups not available for uid 0 | 314 | drop_privs(arg_nogroups); // nogroups not available for uid 0 |
316 | 315 | ||
316 | // user namespace resets capabilities | ||
317 | // set caps filter | ||
318 | if (apply_caps == 1) // not available for uid 0 | ||
319 | caps_set(caps); | ||
320 | |||
317 | // set prompt color to green | 321 | // set prompt color to green |
318 | //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] ' | 322 | //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] ' |
319 | if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) | 323 | if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) |
@@ -333,77 +337,31 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
333 | // run cmdline trough shell | 337 | // run cmdline trough shell |
334 | if (cfg.command_line == NULL) { | 338 | if (cfg.command_line == NULL) { |
335 | assert(cfg.shell); | 339 | assert(cfg.shell); |
340 | cfg.command_line = cfg.shell; | ||
341 | cfg.window_title = cfg.shell; | ||
342 | } | ||
336 | 343 | ||
337 | // replace the process with a shell | 344 | int cwd = 0; |
338 | execlp(cfg.shell, cfg.shell, NULL); | 345 | if (cfg.cwd) { |
339 | 346 | if (chdir(cfg.cwd) == 0) | |
340 | // it should never get here | 347 | cwd = 1; |
341 | errExit("execlp"); | ||
342 | } | 348 | } |
343 | else { | ||
344 | // run the command supplied by the user | ||
345 | int cwd = 0; | ||
346 | if (cfg.cwd) { | ||
347 | if (chdir(cfg.cwd) == 0) | ||
348 | cwd = 1; | ||
349 | } | ||
350 | |||
351 | if (!cwd) { | ||
352 | if (chdir("/") < 0) | ||
353 | errExit("chdir"); | ||
354 | if (cfg.homedir) { | ||
355 | struct stat s; | ||
356 | if (stat(cfg.homedir, &s) == 0) { | ||
357 | if (chdir(cfg.homedir) < 0) | ||
358 | errExit("chdir"); | ||
359 | } | ||
360 | } | ||
361 | } | ||
362 | 349 | ||
363 | if (arg_shell_none) { | 350 | if (!cwd) { |
364 | if (arg_debug) { | 351 | if (chdir("/") < 0) |
365 | int i; | 352 | errExit("chdir"); |
366 | for (i = cfg.original_program_index; i < cfg.original_argc; i++) { | 353 | if (cfg.homedir) { |
367 | if (cfg.original_argv[i] == NULL) | 354 | struct stat s; |
368 | break; | 355 | if (stat(cfg.homedir, &s) == 0) { |
369 | printf("execvp argument %d: %s\n", i - cfg.original_program_index, cfg.original_argv[i]); | 356 | /* coverity[toctou] */ |
370 | } | 357 | if (chdir(cfg.homedir) < 0) |
371 | } | 358 | errExit("chdir"); |
372 | |||
373 | if (cfg.original_program_index == 0) { | ||
374 | fprintf(stderr, "Error: --shell=none configured, but no program specified\n"); | ||
375 | exit(1); | ||
376 | } | ||
377 | |||
378 | if (!arg_command && !arg_quiet) | ||
379 | printf("Child process initialized\n"); | ||
380 | |||
381 | execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]); | ||
382 | exit(1); | ||
383 | } else { | ||
384 | assert(cfg.shell); | ||
385 | |||
386 | char *arg[5]; | ||
387 | arg[0] = cfg.shell; | ||
388 | arg[1] = "-c"; | ||
389 | if (arg_debug) | ||
390 | printf("Starting %s\n", cfg.command_line); | ||
391 | if (!arg_doubledash) { | ||
392 | arg[2] = cfg.command_line; | ||
393 | arg[3] = NULL; | ||
394 | } | 359 | } |
395 | else { | ||
396 | arg[2] = "--"; | ||
397 | arg[3] = cfg.command_line; | ||
398 | arg[4] = NULL; | ||
399 | } | ||
400 | execvp(arg[0], arg); | ||
401 | |||
402 | // it should never get here | ||
403 | errExit("execvp"); | ||
404 | } | 360 | } |
405 | } | 361 | } |
406 | 362 | ||
363 | start_application(); | ||
364 | |||
407 | // it will never get here!!! | 365 | // it will never get here!!! |
408 | } | 366 | } |
409 | 367 | ||
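Review bot: The `sscanf(ptr, "%llx", &val);` call in the `CapBnd:` branch of extract_caps_seccomp() (first hunk) still has its result ignored, so a status line that fails to parse leaves `val` indeterminate while `apply_caps = 1` is set anyway. This matters more after this commit, because the third hunk adds a `caps_set(caps)` call after `drop_privs()`. Assuming `caps` is filled from `val` just below the first hunk, the joined process could be given an arbitrary capability bounding set instead of the sandbox's. Failing closed is safer, for example `if (sscanf(ptr, "%llx", &val) != 1) { fprintf(stderr, "Error: cannot read CapBnd\n"); exit(1); }` placed before `apply_caps` is set. Both functions continue outside the visible hunks, so the assignment to `caps` should be confirmed there.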