diff options
-rw-r--r-- | src/fcopy/main.c | 6 | ||||
-rw-r--r-- | src/firejail/main.c | 4 | ||||
-rw-r--r-- | src/firejail/sbox.c | 1 | ||||
-rw-r--r-- | src/fldd/main.c | 6 | ||||
-rw-r--r-- | src/fnet/main.c | 16 | ||||
-rw-r--r-- | src/fnetfilter/main.c | 6 | ||||
-rw-r--r-- | src/fsec-optimize/fsec_optimize.h | 1 | ||||
-rw-r--r-- | src/fsec-optimize/main.c | 5 | ||||
-rw-r--r-- | src/fsec-print/fsec_print.h | 1 | ||||
-rw-r--r-- | src/fsec-print/main.c | 5 | ||||
-rw-r--r-- | src/fseccomp/fseccomp.h | 1 | ||||
-rw-r--r-- | src/fseccomp/main.c | 15 | ||||
-rw-r--r-- | src/include/common.h | 3 |
13 files changed, 58 insertions, 12 deletions
diff --git a/src/fcopy/main.c b/src/fcopy/main.c index 83d9c17e6..bda7e2f1b 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c | |||
@@ -23,6 +23,7 @@ | |||
23 | #include <ftw.h> | 23 | #include <ftw.h> |
24 | #include <errno.h> | 24 | #include <errno.h> |
25 | #include <pwd.h> | 25 | #include <pwd.h> |
26 | #include <sys/prctl.h> | ||
26 | 27 | ||
27 | #if HAVE_SELINUX | 28 | #if HAVE_SELINUX |
28 | #include <sys/stat.h> | 29 | #include <sys/stat.h> |
@@ -411,6 +412,11 @@ int main(int argc, char **argv) { | |||
411 | exit(1); | 412 | exit(1); |
412 | } | 413 | } |
413 | 414 | ||
415 | #ifdef WARN_DUMPABLE | ||
416 | if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN")) | ||
417 | fprintf(stderr, "Error fcopy: I am dumpable\n"); | ||
418 | #endif | ||
419 | |||
414 | // trim trailing chars | 420 | // trim trailing chars |
415 | if (src[strlen(src) - 1] == '/') | 421 | if (src[strlen(src) - 1] == '/') |
416 | src[strlen(src) - 1] = '\0'; | 422 | src[strlen(src) - 1] = '\0'; |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 79e39b669..4aa5311a2 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1275,6 +1275,10 @@ int main(int argc, char **argv, char **envp) { | |||
1275 | } | 1275 | } |
1276 | EUID_ASSERT(); | 1276 | EUID_ASSERT(); |
1277 | 1277 | ||
1278 | #ifdef WARN_DUMPABLE | ||
1279 | if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid()) | ||
1280 | fprintf(stderr, "Error: Firejail is dumpable\n"); | ||
1281 | #endif | ||
1278 | 1282 | ||
1279 | // check for force-nonewprivs in /etc/firejail/firejail.config file | 1283 | // check for force-nonewprivs in /etc/firejail/firejail.config file |
1280 | if (checkcfg(CFG_FORCE_NONEWPRIVS)) | 1284 | if (checkcfg(CFG_FORCE_NONEWPRIVS)) |
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index 99f11a246..cf3d3aeed 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c | |||
@@ -48,6 +48,7 @@ static int sbox_do_exec_v(unsigned filtermask, char * const arg[]) { | |||
48 | if (cfg.seccomp_error_action) | 48 | if (cfg.seccomp_error_action) |
49 | if (asprintf(&new_environment[env_index++], "FIREJAIL_SECCOMP_ERROR_ACTION=%s", cfg.seccomp_error_action) == -1) | 49 | if (asprintf(&new_environment[env_index++], "FIREJAIL_SECCOMP_ERROR_ACTION=%s", cfg.seccomp_error_action) == -1) |
50 | errExit("asprintf"); | 50 | errExit("asprintf"); |
51 | new_environment[env_index++] = "FIREJAIL_PLUGIN="; // always set | ||
51 | 52 | ||
52 | if (filtermask & SBOX_STDIN_FROM_FILE) { | 53 | if (filtermask & SBOX_STDIN_FROM_FILE) { |
53 | int fd; | 54 | int fd; |
diff --git a/src/fldd/main.c b/src/fldd/main.c index dd22e601e..567f6c566 100644 --- a/src/fldd/main.c +++ b/src/fldd/main.c | |||
@@ -24,6 +24,7 @@ | |||
24 | #include <fcntl.h> | 24 | #include <fcntl.h> |
25 | #include <sys/mman.h> | 25 | #include <sys/mman.h> |
26 | #include <sys/mount.h> | 26 | #include <sys/mount.h> |
27 | #include <sys/prctl.h> | ||
27 | #include <sys/stat.h> | 28 | #include <sys/stat.h> |
28 | #include <sys/types.h> | 29 | #include <sys/types.h> |
29 | #include <unistd.h> | 30 | #include <unistd.h> |
@@ -302,6 +303,11 @@ printf("\n"); | |||
302 | return 0; | 303 | return 0; |
303 | } | 304 | } |
304 | 305 | ||
306 | #ifdef WARN_DUMPABLE | ||
307 | if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN")) | ||
308 | fprintf(stderr, "Error fldd: I am dumpable\n"); | ||
309 | #endif | ||
310 | |||
305 | // check program access | 311 | // check program access |
306 | if (access(argv[1], R_OK)) { | 312 | if (access(argv[1], R_OK)) { |
307 | fprintf(stderr, "Error fldd: cannot access %s\n", argv[1]); | 313 | fprintf(stderr, "Error fldd: cannot access %s\n", argv[1]); |
diff --git a/src/fnet/main.c b/src/fnet/main.c index 95e12164e..22879b8ce 100644 --- a/src/fnet/main.c +++ b/src/fnet/main.c | |||
@@ -21,6 +21,7 @@ | |||
21 | #include <sys/types.h> | 21 | #include <sys/types.h> |
22 | #include <sys/stat.h> | 22 | #include <sys/stat.h> |
23 | #include <sys/utsname.h> | 23 | #include <sys/utsname.h> |
24 | #include <sys/prctl.h> | ||
24 | 25 | ||
25 | int arg_quiet = 0; | 26 | int arg_quiet = 0; |
26 | 27 | ||
@@ -64,16 +65,19 @@ printf("\n"); | |||
64 | usage(); | 65 | usage(); |
65 | return 1; | 66 | return 1; |
66 | } | 67 | } |
67 | |||
68 | char *quiet = getenv("FIREJAIL_QUIET"); | ||
69 | if (quiet && strcmp(quiet, "yes") == 0) | ||
70 | arg_quiet = 1; | ||
71 | |||
72 | if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) { | 68 | if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) { |
73 | usage(); | 69 | usage(); |
74 | return 0; | 70 | return 0; |
75 | } | 71 | } |
76 | else if (argc == 3 && strcmp(argv[1], "ifup") == 0) { | 72 | #ifdef WARN_DUMPABLE |
73 | if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN")) | ||
74 | fprintf(stderr, "Error fnet: I am dumpable\n"); | ||
75 | #endif | ||
76 | char *quiet = getenv("FIREJAIL_QUIET"); | ||
77 | if (quiet && strcmp(quiet, "yes") == 0) | ||
78 | arg_quiet = 1; | ||
79 | |||
80 | if (argc == 3 && strcmp(argv[1], "ifup") == 0) { | ||
77 | net_if_up(argv[2]); | 81 | net_if_up(argv[2]); |
78 | } | 82 | } |
79 | else if (argc == 2 && strcmp(argv[1], "printif") == 0) { | 83 | else if (argc == 2 && strcmp(argv[1], "printif") == 0) { |
diff --git a/src/fnetfilter/main.c b/src/fnetfilter/main.c index 8124beb1a..bac60cbec 100644 --- a/src/fnetfilter/main.c +++ b/src/fnetfilter/main.c | |||
@@ -18,6 +18,7 @@ | |||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | #include "../include/common.h" | 20 | #include "../include/common.h" |
21 | #include <sys/prctl.h> | ||
21 | 22 | ||
22 | #define MAXBUF 4098 | 23 | #define MAXBUF 4098 |
23 | #define MAXARGS 16 | 24 | #define MAXARGS 16 |
@@ -180,7 +181,10 @@ printf("\n"); | |||
180 | usage(); | 181 | usage(); |
181 | return 1; | 182 | return 1; |
182 | } | 183 | } |
183 | 184 | #ifdef WARN_DUMPABLE | |
185 | if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN")) | ||
186 | fprintf(stderr, "Error fnetfilter: I am dumpable\n"); | ||
187 | #endif | ||
184 | char *destfile = (argc == 3)? argv[2]: argv[1]; | 188 | char *destfile = (argc == 3)? argv[2]: argv[1]; |
185 | char *command = (argc == 3)? argv[1]: NULL; | 189 | char *command = (argc == 3)? argv[1]: NULL; |
186 | //printf("command %s\n", command); | 190 | //printf("command %s\n", command); |
diff --git a/src/fsec-optimize/fsec_optimize.h b/src/fsec-optimize/fsec_optimize.h index 211111641..034fde2ac 100644 --- a/src/fsec-optimize/fsec_optimize.h +++ b/src/fsec-optimize/fsec_optimize.h | |||
@@ -22,6 +22,7 @@ | |||
22 | #include "../include/common.h" | 22 | #include "../include/common.h" |
23 | #include "../include/seccomp.h" | 23 | #include "../include/seccomp.h" |
24 | #include <sys/mman.h> | 24 | #include <sys/mman.h> |
25 | #include <sys/prctl.h> | ||
25 | 26 | ||
26 | // optimize.c | 27 | // optimize.c |
27 | struct sock_filter *duplicate(struct sock_filter *filter, int entries); | 28 | struct sock_filter *duplicate(struct sock_filter *filter, int entries); |
diff --git a/src/fsec-optimize/main.c b/src/fsec-optimize/main.c index 416d85b88..4da110583 100644 --- a/src/fsec-optimize/main.c +++ b/src/fsec-optimize/main.c | |||
@@ -44,6 +44,11 @@ printf("\n"); | |||
44 | return 0; | 44 | return 0; |
45 | } | 45 | } |
46 | 46 | ||
47 | #ifdef WARN_DUMPABLE | ||
48 | if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN")) | ||
49 | fprintf(stderr, "Error fsec-optimize: I am dumpable\n"); | ||
50 | #endif | ||
51 | |||
47 | char *fname = argv[1]; | 52 | char *fname = argv[1]; |
48 | 53 | ||
49 | // open input file | 54 | // open input file |
diff --git a/src/fsec-print/fsec_print.h b/src/fsec-print/fsec_print.h index 337199288..9d17e3f18 100644 --- a/src/fsec-print/fsec_print.h +++ b/src/fsec-print/fsec_print.h | |||
@@ -23,6 +23,7 @@ | |||
23 | #include "../include/seccomp.h" | 23 | #include "../include/seccomp.h" |
24 | #include "../include/syscall.h" | 24 | #include "../include/syscall.h" |
25 | #include <sys/mman.h> | 25 | #include <sys/mman.h> |
26 | #include <sys/prctl.h> | ||
26 | 27 | ||
27 | // print.c | 28 | // print.c |
28 | void print(struct sock_filter *filter, int entries); | 29 | void print(struct sock_filter *filter, int entries); |
diff --git a/src/fsec-print/main.c b/src/fsec-print/main.c index ade45c881..858289767 100644 --- a/src/fsec-print/main.c +++ b/src/fsec-print/main.c | |||
@@ -61,6 +61,11 @@ printf("\n"); | |||
61 | return 0; | 61 | return 0; |
62 | } | 62 | } |
63 | 63 | ||
64 | #ifdef WARN_DUMPABLE | ||
65 | if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN")) | ||
66 | fprintf(stderr, "Error fsec-print: I am dumpable\n"); | ||
67 | #endif | ||
68 | |||
64 | char *fname = argv[1]; | 69 | char *fname = argv[1]; |
65 | 70 | ||
66 | // open input file | 71 | // open input file |
diff --git a/src/fseccomp/fseccomp.h b/src/fseccomp/fseccomp.h index e8dd083b6..e40999938 100644 --- a/src/fseccomp/fseccomp.h +++ b/src/fseccomp/fseccomp.h | |||
@@ -23,6 +23,7 @@ | |||
23 | #include <stdlib.h> | 23 | #include <stdlib.h> |
24 | #include <string.h> | 24 | #include <string.h> |
25 | #include <assert.h> | 25 | #include <assert.h> |
26 | #include <sys/prctl.h> | ||
26 | #include "../include/common.h" | 27 | #include "../include/common.h" |
27 | #include "../include/syscall.h" | 28 | #include "../include/syscall.h" |
28 | 29 | ||
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index 892a88e25..6b7800f35 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c | |||
@@ -64,6 +64,15 @@ printf("\n"); | |||
64 | usage(); | 64 | usage(); |
65 | return 1; | 65 | return 1; |
66 | } | 66 | } |
67 | if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) { | ||
68 | usage(); | ||
69 | return 0; | ||
70 | } | ||
71 | |||
72 | #ifdef WARN_DUMPABLE | ||
73 | if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 1 && getuid() && getenv("FIREJAIL_PLUGIN")) | ||
74 | fprintf(stderr, "Error fseccomp: I am dumpable\n"); | ||
75 | #endif | ||
67 | 76 | ||
68 | char *quiet = getenv("FIREJAIL_QUIET"); | 77 | char *quiet = getenv("FIREJAIL_QUIET"); |
69 | if (quiet && strcmp(quiet, "yes") == 0) | 78 | if (quiet && strcmp(quiet, "yes") == 0) |
@@ -81,11 +90,7 @@ printf("\n"); | |||
81 | } | 90 | } |
82 | } | 91 | } |
83 | 92 | ||
84 | if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) { | 93 | if (argc == 2 && strcmp(argv[1], "debug-syscalls") == 0) |
85 | usage(); | ||
86 | return 0; | ||
87 | } | ||
88 | else if (argc == 2 && strcmp(argv[1], "debug-syscalls") == 0) | ||
89 | syscall_print(); | 94 | syscall_print(); |
90 | else if (argc == 2 && strcmp(argv[1], "debug-syscalls32") == 0) | 95 | else if (argc == 2 && strcmp(argv[1], "debug-syscalls32") == 0) |
91 | syscall_print_32(); | 96 | syscall_print_32(); |
diff --git a/src/include/common.h b/src/include/common.h index c65ba0d55..025f3c247 100644 --- a/src/include/common.h +++ b/src/include/common.h | |||
@@ -34,6 +34,9 @@ | |||
34 | 34 | ||
35 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0) | 35 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0) |
36 | 36 | ||
37 | // check if processes run with dumpable flag set | ||
38 | #define WARN_DUMPABLE | ||
39 | |||
37 | // macro to print ip addresses in a printf statement | 40 | // macro to print ip addresses in a printf statement |
38 | #define PRINT_IP(A) \ | 41 | #define PRINT_IP(A) \ |
39 | ((int) (((A) >> 24) & 0xFF)), ((int) (((A) >> 16) & 0xFF)), ((int) (((A) >> 8) & 0xFF)), ((int) ( (A) & 0xFF)) | 42 | ((int) (((A) >> 24) & 0xFF)), ((int) (((A) >> 16) & 0xFF)), ((int) (((A) >> 8) & 0xFF)), ((int) ( (A) & 0xFF)) |