-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/join.c | 77 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 52 | ||||
-rw-r--r-- | src/firejail/util.c | 10 |
4 files changed, 71 insertions, 69 deletions
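--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -521,6 +521,7 @@ void logsignal(int s);
 void logmsg(const char *msg);
 void logargs(int argc, char **argv) ;
 void logerr(const char *msg);
+void set_nice(int inc);
 int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
 void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
 void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);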
diff --git a/src/firejail/join.c b/src/firejail/join.c index 3372c8dc1..46dae0271 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -100,9 +100,6 @@ static void extract_command(int argc, char **argv, int index) { | |||
100 | 100 | ||
101 | // build command | 101 | // build command |
102 | build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, index); | 102 | build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, index); |
103 | |||
104 | if (arg_debug) | ||
105 | printf("Extracted command #%s#\n", cfg.command_line); | ||
106 | } | 103 | } |
107 | 104 | ||
108 | static void extract_nogroups(pid_t pid) { | 105 | static void extract_nogroups(pid_t pid) { |
@@ -290,11 +287,8 @@ pid_t switch_to_child(pid_t pid) { | |||
290 | 287 | ||
291 | void join(pid_t pid, int argc, char **argv, int index) { | 288 | void join(pid_t pid, int argc, char **argv, int index) { |
292 | EUID_ASSERT(); | 289 | EUID_ASSERT(); |
293 | char *homedir = cfg.homedir; | ||
294 | pid_t parent = pid; | ||
295 | |||
296 | extract_command(argc, argv, index); | ||
297 | 290 | ||
291 | pid_t parent = pid; | ||
298 | // in case the pid is that of a firejail process, use the pid of the first child process | 292 | // in case the pid is that of a firejail process, use the pid of the first child process |
299 | pid = switch_to_child(pid); | 293 | pid = switch_to_child(pid); |
300 | 294 | ||
@@ -374,19 +368,15 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
374 | EUID_USER(); | 368 | EUID_USER(); |
375 | if (chdir("/") < 0) | 369 | if (chdir("/") < 0) |
376 | errExit("chdir"); | 370 | errExit("chdir"); |
377 | if (homedir) { | 371 | if (cfg.homedir) { |
378 | struct stat s; | 372 | struct stat s; |
379 | if (stat(homedir, &s) == 0) { | 373 | if (stat(cfg.homedir, &s) == 0) { |
380 | /* coverity[toctou] */ | 374 | /* coverity[toctou] */ |
381 | if (chdir(homedir) < 0) | 375 | if (chdir(cfg.homedir) < 0) |
382 | errExit("chdir"); | 376 | errExit("chdir"); |
383 | } | 377 | } |
384 | } | 378 | } |
385 | 379 | ||
386 | // set cpu affinity | ||
387 | if (cfg.cpus) // not available for uid 0 | ||
388 | set_cpu_affinity(); | ||
389 | |||
390 | // set caps filter | 380 | // set caps filter |
391 | EUID_ROOT(); | 381 | EUID_ROOT(); |
392 | if (apply_caps == 1) // not available for uid 0 | 382 | if (apply_caps == 1) // not available for uid 0 |
@@ -417,33 +407,6 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
417 | } | 407 | } |
418 | 408 | ||
419 | EUID_USER(); | 409 | EUID_USER(); |
420 | // set nice | ||
421 | if (arg_nice) { | ||
422 | errno = 0; | ||
423 | int rv = nice(cfg.nice); | ||
424 | (void) rv; | ||
425 | if (errno) { | ||
426 | fwarning("cannot set nice value\n"); | ||
427 | errno = 0; | ||
428 | } | ||
429 | } | ||
430 | |||
431 | // set environment, add x11 display | ||
432 | env_defaults(); | ||
433 | if (display) { | ||
434 | char *display_str; | ||
435 | if (asprintf(&display_str, ":%d", display) == -1) | ||
436 | errExit("asprintf"); | ||
437 | setenv("DISPLAY", display_str, 1); | ||
438 | free(display_str); | ||
439 | } | ||
440 | |||
441 | if (cfg.command_line == NULL) { | ||
442 | assert(cfg.shell); | ||
443 | cfg.command_line = cfg.shell; | ||
444 | cfg.window_title = cfg.shell; | ||
445 | } | ||
446 | |||
447 | int cwd = 0; | 410 | int cwd = 0; |
448 | if (cfg.cwd) { | 411 | if (cfg.cwd) { |
449 | if (chdir(cfg.cwd) == 0) | 412 | if (chdir(cfg.cwd) == 0) |
@@ -463,8 +426,38 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
463 | } | 426 | } |
464 | } | 427 | } |
465 | 428 | ||
429 | // drop privileges | ||
466 | drop_privs(arg_nogroups); | 430 | drop_privs(arg_nogroups); |
467 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died | 431 | |
432 | // kill the child in case the parent died | ||
433 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); | ||
434 | |||
435 | extract_command(argc, argv, index); | ||
436 | if (cfg.command_line == NULL) { | ||
437 | assert(cfg.shell); | ||
438 | cfg.command_line = cfg.shell; | ||
439 | cfg.window_title = cfg.shell; | ||
440 | } | ||
441 | if (arg_debug) | ||
442 | printf("Extracted command #%s#\n", cfg.command_line); | ||
443 | |||
444 | // set cpu affinity | ||
445 | if (cfg.cpus) // not available for uid 0 | ||
446 | set_cpu_affinity(); | ||
447 | |||
448 | // set nice value | ||
449 | if (arg_nice) | ||
450 | set_nice(cfg.nice); | ||
451 | |||
452 | // add x11 display | ||
453 | if (display) { | ||
454 | char *display_str; | ||
455 | if (asprintf(&display_str, ":%d", display) == -1) | ||
456 | errExit("asprintf"); | ||
457 | setenv("DISPLAY", display_str, 1); | ||
458 | free(display_str); | ||
459 | } | ||
460 | |||
468 | start_application(0, NULL); | 461 | start_application(0, NULL); |
469 | 462 | ||
470 | // it will never get here!!! | 463 | // it will never get here!!! |
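Review bot: env_defaults() no longer appears anywhere in join(): the removed block at old lines 431-439 called it before exporting DISPLAY, but the relocated block after prctl() (new lines 452-459) only does the setenv. If start_application(0, NULL) does not call env_defaults() itself (it is outside this hunk), the joined process loses its default environment, and if it does, that call now runs after this setenv and could override DISPLAY; a one-line comment at the setenv, `// environment defaults are applied by start_application()` (or wherever they went), would record the intended order. Minor: `setenv("DISPLAY", display_str, 1)` still ignores its return value; `if (setenv("DISPLAY", display_str, 1) < 0) errExit("setenv");` would match the asprintf check two lines above. join() continues outside the hunk.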
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 9bb8e545c..2b5d30158 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -1038,17 +1038,6 @@ int sandbox(void* sandbox_arg) { | |||
1038 | } | 1038 | } |
1039 | } | 1039 | } |
1040 | 1040 | ||
1041 | // set nice | ||
1042 | if (arg_nice) { | ||
1043 | errno = 0; | ||
1044 | int rv = nice(cfg.nice); | ||
1045 | (void) rv; | ||
1046 | if (errno) { | ||
1047 | fwarning("cannot set nice value\n"); | ||
1048 | errno = 0; | ||
1049 | } | ||
1050 | } | ||
1051 | |||
1052 | EUID_ROOT(); | 1041 | EUID_ROOT(); |
1053 | // clean /tmp/.X11-unix sockets | 1042 | // clean /tmp/.X11-unix sockets |
1054 | fs_x11(); | 1043 | fs_x11(); |
@@ -1067,17 +1056,11 @@ int sandbox(void* sandbox_arg) { | |||
1067 | // set capabilities | 1056 | // set capabilities |
1068 | set_caps(); | 1057 | set_caps(); |
1069 | 1058 | ||
1070 | // set cpu affinity | 1059 | // save cpu affinity mask to CPU_CFG file |
1071 | if (cfg.cpus) { | 1060 | save_cpu(); |
1072 | save_cpu(); // save cpu affinity mask to CPU_CFG file | ||
1073 | EUID_USER(); | ||
1074 | set_cpu_affinity(); | ||
1075 | EUID_ROOT(); | ||
1076 | } | ||
1077 | 1061 | ||
1078 | // save cgroup in CGROUP_CFG file | 1062 | // save cgroup in CGROUP_CFG file |
1079 | if (cfg.cgroup) | 1063 | save_cgroup(); |
1080 | save_cgroup(); | ||
1081 | 1064 | ||
1082 | // set seccomp | 1065 | // set seccomp |
1083 | #ifdef HAVE_SECCOMP | 1066 | #ifdef HAVE_SECCOMP |
@@ -1125,7 +1108,7 @@ int sandbox(void* sandbox_arg) { | |||
1125 | // to --join | 1108 | // to --join |
1126 | //**************************************** | 1109 | //**************************************** |
1127 | 1110 | ||
1128 | FILE *fp = create_ready_for_join_file(); | 1111 | FILE *rj = create_ready_for_join_file(); |
1129 | 1112 | ||
1130 | //**************************************** | 1113 | //**************************************** |
1131 | // create a new user namespace | 1114 | // create a new user namespace |
@@ -1175,10 +1158,23 @@ int sandbox(void* sandbox_arg) { | |||
1175 | } | 1158 | } |
1176 | 1159 | ||
1177 | //**************************************** | 1160 | //**************************************** |
1178 | // drop privileges, fork the application and monitor it | 1161 | // drop privileges |
1179 | //**************************************** | 1162 | //**************************************** |
1180 | drop_privs(arg_nogroups); | 1163 | drop_privs(arg_nogroups); |
1181 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the sandbox in case the parent died | 1164 | |
1165 | // kill the sandbox in case the parent died | ||
1166 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); | ||
1167 | |||
1168 | //**************************************** | ||
1169 | // set cpu affinity | ||
1170 | //**************************************** | ||
1171 | |||
1172 | if (cfg.cpus) | ||
1173 | set_cpu_affinity(); | ||
1174 | |||
1175 | //**************************************** | ||
1176 | // fork the application and monitor it | ||
1177 | //**************************************** | ||
1182 | pid_t app_pid = fork(); | 1178 | pid_t app_pid = fork(); |
1183 | if (app_pid == -1) | 1179 | if (app_pid == -1) |
1184 | errExit("fork"); | 1180 | errExit("fork"); |
@@ -1196,13 +1192,15 @@ int sandbox(void* sandbox_arg) { | |||
1196 | printf("AppArmor enabled\n"); | 1192 | printf("AppArmor enabled\n"); |
1197 | } | 1193 | } |
1198 | #endif | 1194 | #endif |
1199 | // set rlimits | 1195 | // set nice and rlimits |
1196 | if (arg_nice) | ||
1197 | set_nice(cfg.nice); | ||
1200 | set_rlimits(); | 1198 | set_rlimits(); |
1201 | // start app | 1199 | |
1202 | start_application(0, fp); | 1200 | start_application(0, rj); |
1203 | } | 1201 | } |
1204 | 1202 | ||
1205 | fclose(fp); | 1203 | fclose(rj); |
1206 | 1204 | ||
1207 | int status = monitor_application(app_pid); // monitor application | 1205 | int status = monitor_application(app_pid); // monitor application |
1208 | flush_stdin(); | 1206 | flush_stdin(); |
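Review bot: save_cpu() and save_cgroup() are now called unconditionally (new lines 1060 and 1063) where the old code guarded them with `if (cfg.cpus)` and `if (cfg.cgroup)`; unless both helpers return early when their cfg field is unset, every sandbox would now write a CPU_CFG and CGROUP_CFG file. A comment at each call, `// no-op when cfg.cpus is unset` / `// no-op when cfg.cgroup is unset`, would record that the guard moved into the helper, or the guards should be restored if it did not. Separately, set_nice(cfg.nice) (new line 1197) now runs in the child after drop_privs(), so a negative nice value can only fail with EPERM and warn; the old placement before EUID_ROOT() was presumably unprivileged as well, but the comment `// set nice and rlimits` could say that negative values are expected to fail here. sandbox() continues outside the hunk.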
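--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -250,6 +250,16 @@ void logerr(const char *msg) {
 	closelog();
 }
 
+
+void set_nice(int inc) {
+	errno = 0;
+	int rv = nice(inc);
+	(void) rv;
+	if (errno)
+		fwarning("cannot set nice value\n");
+}
+
+
 static int copy_file_by_fd(int src, int dst) {
 	assert(src >= 0);
 	assert(dst >= 0);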
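Review bot: set_nice() drops the `errno = 0;` reset that both inlined copies it replaces performed after the warning (old join.c line 427 and old sandbox.c line 1048), so on failure the helper now returns with errno still set to EPERM or EACCES for whatever the caller does next. Restoring the reset keeps the old contract, and including the reason makes the failure diagnosable: `if (errno) { fwarning("cannot set nice value: %s\n", strerror(errno)); errno = 0; }`, assuming fwarning takes a format string as its other call sites do. The `(void) rv;` dance can go as well: `if (nice(inc) == -1 && errno)` is the documented way to tell a legitimate -1 result from an error. The declaration added to firejail.h could carry a one-line comment stating that the function warns and continues rather than failing.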