-rw-r--r-- | src/firejail/main.c | 13 | ||||
-rw-r--r-- | src/firemon/arp.c | 3 | ||||
-rw-r--r-- | src/firemon/caps.c | 3 | ||||
-rw-r--r-- | src/firemon/cgroup.c | 3 | ||||
-rw-r--r-- | src/firemon/cpu.c | 3 | ||||
-rw-r--r-- | src/firemon/firemon.c | 11 | ||||
-rw-r--r-- | src/firemon/firemon.h | 1 | ||||
-rw-r--r-- | src/firemon/list.c | 3 | ||||
-rw-r--r-- | src/firemon/netstats.c | 3 | ||||
-rw-r--r-- | src/firemon/route.c | 3 | ||||
-rw-r--r-- | src/firemon/seccomp.c | 3 | ||||
-rw-r--r-- | src/firemon/top.c | 3 | ||||
-rw-r--r-- | src/firemon/tree.c | 3 | ||||
-rw-r--r-- | src/firemon/x11.c | 3 |
14 files changed, 4 insertions, 54 deletions
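--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -499,15 +499,15 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 exit(0);
 }
 else if (strcmp(argv[i], "--list") == 0) {
-int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
+int rv = sbox_run(SBOX_ROOT| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
 exit(rv);
 }
 else if (strcmp(argv[i], "--tree") == 0) {
-int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
+int rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
 exit(rv);
 }
 else if (strcmp(argv[i], "--top") == 0) {
-int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
+int rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
 2, PATH_FIREMON, "--top");
 exit(rv);
 }
@@ -515,12 +515,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 else if (strcmp(argv[i], "--netstats") == 0) {
 if (checkcfg(CFG_NETWORK)) {
 struct stat s;
-int rv;
-if (stat("/proc/sys/kernel/grsecurity", &s) == 0)
-rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
-2, PATH_FIREMON, "--netstats");
-else
-rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
+int rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
 2, PATH_FIREMON, "--netstats");
 exit(rv);
 }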
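Review bot: `struct stat s;` at new line 517 is now dead: the only use was the `stat("/proc/sys/kernel/grsecurity", &s)` call deleted in the second hunk, so the declaration should go too (`-Wall` will report an unused variable). The switch from `SBOX_USER` to `SBOX_ROOT` for --list, --tree, --top and --netstats is not explained at the call sites, and it matters because firemon no longer drops privileges itself (this commit deletes `firemon_drop_privs`), leaving `SBOX_CAPS_NONE | SBOX_SECCOMP` as the only containment of that uid-0 helper; a one-line comment above the first call such as `// firemon runs as root under sbox_run (no capabilities, seccomp); it no longer drops privileges itself` would record the intended privilege model for the next reader. The inconsistent spacing in `SBOX_ROOT| SBOX_CAPS_NONE` on the --list line should match the other three call sites. run_cmd_and_exit begins before and continues after both hunks.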
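--- a/src/firemon/arp.c
+++ b/src/firemon/arp.c
@@ -73,9 +73,6 @@ static void print_arp(const char *fname) {
 }
 
 void arp(pid_t pid) {
-if (getuid() == 0)
-firemon_drop_privs();
-
 pid_read(pid);
 
 // print processes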
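--- a/src/firemon/caps.c
+++ b/src/firemon/caps.c
@@ -49,9 +49,6 @@ static void print_caps(int pid) {
 }
 
 void caps(pid_t pid) {
-if (getuid() == 0)
-firemon_drop_privs();
-
 pid_read(pid); // include all processes
 
 // print processes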
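--- a/src/firemon/cgroup.c
+++ b/src/firemon/cgroup.c
@@ -45,9 +45,6 @@ static void print_cgroup(int pid) {
 }
 
 void cgroup(pid_t pid) {
-if (getuid() == 0)
-firemon_drop_privs();
-
 pid_read(pid);
 
 // print processes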
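--- a/src/firemon/cpu.c
+++ b/src/firemon/cpu.c
@@ -49,9 +49,6 @@ static void print_cpu(int pid) {
 }
 
 void cpu(pid_t pid) {
-if (getuid() == 0)
-firemon_drop_privs();
-
 pid_read(pid);
 
 // print processes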
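--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
@@ -62,17 +62,6 @@ int find_child(int id) {
 return -1;
 }
 
-// drop privileges
-void firemon_drop_privs(void) {
-// drop privileges
-if (setgroups(0, NULL) < 0)
-errExit("setgroups");
-if (setgid(getgid()) < 0)
-errExit("setgid/getgid");
-if (setuid(getuid()) < 0)
-errExit("setuid/getuid");
-}
-
 // sleep and wait for a key to be pressed
 void firemon_sleep(int st) {
 if (terminal_set == 0) {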
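--- a/src/firemon/firemon.h
+++ b/src/firemon/firemon.h
@@ -38,7 +38,6 @@ static inline void firemon_clrscr(void) {
 // firemon.c
 extern int arg_nowrap;
 int find_child(int id);
-void firemon_drop_privs(void);
 void firemon_sleep(int st);
 
 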
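--- a/src/firemon/list.c
+++ b/src/firemon/list.c
@@ -20,9 +20,6 @@
 #include "firemon.h"
 
 void list(void) {
-if (getuid() == 0)
-firemon_drop_privs();
-
 pid_read(0); // include all processes
 
 // print processes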
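--- a/src/firemon/netstats.c
+++ b/src/firemon/netstats.c
@@ -170,9 +170,6 @@ static void print_proc(int index, int itv, int col) {
 }
 
 void netstats(void) {
-if (getuid() == 0)
-firemon_drop_privs();
-
 pid_read(0); // include all processes
 
 printf("Displaying network statistics only for sandboxes using a new network namespace.\n");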
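--- a/src/firemon/route.c
+++ b/src/firemon/route.c
@@ -182,9 +182,6 @@ static void print_route(const char *fname) {
 }
 
 void route(pid_t pid) {
-if (getuid() == 0)
-firemon_drop_privs();
-
 pid_read(pid);
 
 // print processes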
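--- a/src/firemon/seccomp.c
+++ b/src/firemon/seccomp.c
@@ -49,9 +49,6 @@ static void print_seccomp(int pid) {
 }
 
 void seccomp(pid_t pid) {
-if (getuid() == 0)
-firemon_drop_privs();
-
 pid_read(pid); // include all processes
 
 // print processes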
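--- a/src/firemon/top.c
+++ b/src/firemon/top.c
@@ -232,9 +232,6 @@ void head_print(int col, int row) {
 }
 
 void top(void) {
-if (getuid() == 0)
-firemon_drop_privs();
-
 while (1) {
 // clear linked list
 head_clear();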
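--- a/src/firemon/tree.c
+++ b/src/firemon/tree.c
@@ -20,9 +20,6 @@
 #include "firemon.h"
 
 void tree(pid_t pid) {
-if (getuid() == 0)
-firemon_drop_privs();
-
 pid_read(pid); // include all processes
 
 // print processes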
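--- a/src/firemon/x11.c
+++ b/src/firemon/x11.c
@@ -23,9 +23,6 @@
 #include <unistd.h>
 
 void x11(pid_t pid) {
-if (getuid() == 0)
-firemon_drop_privs();
-
 pid_read(pid);
 
 // print processes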