7 files changed, 49 insertions, 4 deletions
diff --git a/src/firejail/caps.c b/src/firejail/caps.c
index 896293fd1..6b934bda6 100644
--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -373,7 +373,9 @@ static uint64_t extract_caps(int pid) {
                exit(1);
        }
+        EUID_ROOT();    // grsecurity
        FILE *fp = fopen(file, "r");
+        EUID_USER();    // grsecurity
        if (!fp) {
                printf("Error: cannot open %s\n", file);
                free(file);
@@ -417,7 +419,9 @@ void caps_print_filter(pid_t pid) {
        EUID_ASSERT();
        
        // if the pid is that of a firejail  process, use the pid of the first child process
+        EUID_ROOT();    // grsecurity
        char *comm = pid_proc_comm(pid);
+        EUID_USER();    // grsecurity
        if (comm) {
                if (strcmp(comm, "firejail") == 0) {
                        pid_t child;
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c
index 0e38696ac..9c3558362 100644
--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
@@ -23,7 +23,8 @@
 #include <sys/ioctl.h>
 #include <sys/prctl.h>
 #include <grp.h>
+#include <sys/stat.h>
+ 
 static int arg_route = 0;
 static int arg_arp = 0;
@@ -111,6 +112,12 @@ int main(int argc, char **argv) {
        unsigned pid = 0;
        int i;
+        struct stat s;
+        if (getuid() != 0 &&stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+                fprintf(stderr, "Error: on Grsecurity systems only root user can run this program\n");
+                exit(1);
+        }
+        
        // handle CTRL-C
        signal (SIGINT, my_handler);
        signal (SIGTERM, my_handler);
diff --git a/src/firemon/usage.c b/src/firemon/usage.c
index 926e1c89f..74a2a61f0 100644
--- a/src/firemon/usage.c
+++ b/src/firemon/usage.c
@@ -24,7 +24,8 @@ void usage(void) {
        printf("Usage: firemon [OPTIONS] [PID]\n\n");
        printf("Monitor processes started in a Firejail sandbox. Without any PID specified,\n");
        printf("all processes started by Firejail are monitored. Descendants of these processes\n");
-        printf("are also being monitored.\n\n");
+        printf("are also being monitored. On Grsecurity systems only root user\n");
+        printf("can run this program.\n\n");
        printf("Options:\n");
        printf("\t--arp - print ARP table for each sandbox.\n\n");
        printf("\t--caps - print capabilities configuration for each sandbox.\n\n");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 24dbff67a..2f3fb6d01 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -118,7 +118,7 @@ The filter is applied to all processes started in the sandbox.
 .br
 Example:
 .br
-$ sudo firejail \-\-caps "/etc/init.d/nginx start && sleep inf"
+$ sudo firejail \-\-caps /etc/init.d/nginx start
 .TP
 \fB\-\-caps.drop=all
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index 906b5cd9a..ef99b0927 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -6,7 +6,8 @@ firemon [OPTIONS] [PID]
 .SH DESCRIPTION
 Firemon monitors programs started in a Firejail sandbox.
 Without a PID specified, all processes started by Firejail are monitored. Descendants of
-these processes are also being monitored.
+these processes are also being monitored. On Grsecurity systems only root user
+can run this program.
 .SH OPTIONS
 .TP
 \fB\-\-arp
diff --git a/test/caps-print.exp b/test/caps-print.exp
new file mode 100755
index 000000000..39e5ec50a
--- /dev/null
+++ b/test/caps-print.exp
@@ -0,0 +1,29 @@
+#!/usr/bin/expect -f
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --name=test\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 2
+spawn $env(SHELL)
+send -- "firejail --caps.print=test\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "setgid              - disabled"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "setuid              - disabled"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "net_raw             - disabled"
+}
+sleep 1
+puts "\nall done\n"
diff --git a/test/test.sh b/test/test.sh
index 2dcb89f2a..99ca4287d 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -6,6 +6,9 @@
 ./fscheck.sh
+echo "TESTING: caps.print (caps-print.exp)
+./caps-print.exp
 echo "TESTING: sound (sound.exp)"
 ./sound.exp

diff --git a/src/firejail/caps.c b/src/firejail/caps.c index 896293fd1..6b934bda6 100644 --- a/src/firejail/caps.c +++ b/src/firejail/caps.c
@@ -373,7 +373,9 @@ static uint64_t extract_caps(int pid) {
373	exit(1);	373	exit(1);
374	}	374	}
375		375
		376	EUID_ROOT(); // grsecurity
376	FILE *fp = fopen(file, "r");	377	FILE *fp = fopen(file, "r");
		378	EUID_USER(); // grsecurity
377	if (!fp) {	379	if (!fp) {
378	printf("Error: cannot open %s\n", file);	380	printf("Error: cannot open %s\n", file);
379	free(file);	381	free(file);
@@ -417,7 +419,9 @@ void caps_print_filter(pid_t pid) {
417	EUID_ASSERT();	419	EUID_ASSERT();
418		420
419	// if the pid is that of a firejail process, use the pid of the first child process	421	// if the pid is that of a firejail process, use the pid of the first child process
		422	EUID_ROOT(); // grsecurity
420	char *comm = pid_proc_comm(pid);	423	char *comm = pid_proc_comm(pid);
		424	EUID_USER(); // grsecurity
421	if (comm) {	425	if (comm) {
422	if (strcmp(comm, "firejail") == 0) {	426	if (strcmp(comm, "firejail") == 0) {
423	pid_t child;	427	pid_t child;


diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c index 0e38696ac..9c3558362 100644 --- a/src/firemon/firemon.c +++ b/src/firemon/firemon.c
@@ -23,7 +23,8 @@
23	#include <sys/ioctl.h>	23	#include <sys/ioctl.h>
24	#include <sys/prctl.h>	24	#include <sys/prctl.h>
25	#include <grp.h>	25	#include <grp.h>
26		26	#include <sys/stat.h>
		27
27		28
28	static int arg_route = 0;	29	static int arg_route = 0;
29	static int arg_arp = 0;	30	static int arg_arp = 0;
@@ -111,6 +112,12 @@ int main(int argc, char **argv) {
111	unsigned pid = 0;	112	unsigned pid = 0;
112	int i;	113	int i;
113		114
		115	struct stat s;
		116	if (getuid() != 0 &&stat("/proc/sys/kernel/grsecurity", &s) == 0) {
		117	fprintf(stderr, "Error: on Grsecurity systems only root user can run this program\n");
		118	exit(1);
		119	}
		120
114	// handle CTRL-C	121	// handle CTRL-C
115	signal (SIGINT, my_handler);	122	signal (SIGINT, my_handler);
116	signal (SIGTERM, my_handler);	123	signal (SIGTERM, my_handler);


diff --git a/src/firemon/usage.c b/src/firemon/usage.c index 926e1c89f..74a2a61f0 100644 --- a/src/firemon/usage.c +++ b/src/firemon/usage.c
@@ -24,7 +24,8 @@ void usage(void) {
24	printf("Usage: firemon [OPTIONS] [PID]\n\n");	24	printf("Usage: firemon [OPTIONS] [PID]\n\n");
25	printf("Monitor processes started in a Firejail sandbox. Without any PID specified,\n");	25	printf("Monitor processes started in a Firejail sandbox. Without any PID specified,\n");
26	printf("all processes started by Firejail are monitored. Descendants of these processes\n");	26	printf("all processes started by Firejail are monitored. Descendants of these processes\n");
27	printf("are also being monitored.\n\n");	27	printf("are also being monitored. On Grsecurity systems only root user\n");
		28	printf("can run this program.\n\n");
28	printf("Options:\n");	29	printf("Options:\n");
29	printf("\t--arp - print ARP table for each sandbox.\n\n");	30	printf("\t--arp - print ARP table for each sandbox.\n\n");
30	printf("\t--caps - print capabilities configuration for each sandbox.\n\n");	31	printf("\t--caps - print capabilities configuration for each sandbox.\n\n");


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 24dbff67a..2f3fb6d01 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -118,7 +118,7 @@ The filter is applied to all processes started in the sandbox.
118	.br	118	.br
119	Example:	119	Example:
120	.br	120	.br
121	$ sudo firejail \-\-caps "/etc/init.d/nginx start && sleep inf"	121	$ sudo firejail \-\-caps /etc/init.d/nginx start
122		122
123	.TP	123	.TP
124	\fB\-\-caps.drop=all	124	\fB\-\-caps.drop=all


diff --git a/src/man/firemon.txt b/src/man/firemon.txt index 906b5cd9a..ef99b0927 100644 --- a/src/man/firemon.txt +++ b/src/man/firemon.txt
@@ -6,7 +6,8 @@ firemon [OPTIONS] [PID]
6	.SH DESCRIPTION	6	.SH DESCRIPTION
7	Firemon monitors programs started in a Firejail sandbox.	7	Firemon monitors programs started in a Firejail sandbox.
8	Without a PID specified, all processes started by Firejail are monitored. Descendants of	8	Without a PID specified, all processes started by Firejail are monitored. Descendants of
9	these processes are also being monitored.	9	these processes are also being monitored. On Grsecurity systems only root user
		10	can run this program.
10	.SH OPTIONS	11	.SH OPTIONS
11	.TP	12	.TP
12	\fB\-\-arp	13	\fB\-\-arp


diff --git a/test/caps-print.exp b/test/caps-print.exp new file mode 100755 index 000000000..39e5ec50a --- /dev/null +++ b/test/caps-print.exp
@@ -0,0 +1,29 @@
		1	#!/usr/bin/expect -f
		2
		3	set timeout 10
		4	spawn $env(SHELL)
		5	match_max 100000
		6
		7	send -- "firejail --name=test\r"
		8	expect {
		9	timeout {puts "TESTING ERROR 0\n";exit}
		10	"Child process initialized"
		11	}
		12	sleep 2
		13
		14	spawn $env(SHELL)
		15	send -- "firejail --caps.print=test\r"
		16	expect {
		17	timeout {puts "TESTING ERROR 1\n";exit}
		18	"setgid - disabled"
		19	}
		20	expect {
		21	timeout {puts "TESTING ERROR 2\n";exit}
		22	"setuid - disabled"
		23	}
		24	expect {
		25	timeout {puts "TESTING ERROR 3\n";exit}
		26	"net_raw - disabled"
		27	}
		28	sleep 1
		29	puts "\nall done\n"


diff --git a/test/test.sh b/test/test.sh index 2dcb89f2a..99ca4287d 100755 --- a/test/test.sh +++ b/test/test.sh
@@ -6,6 +6,9 @@
6		6
7	./fscheck.sh	7	./fscheck.sh
8		8
		9	echo "TESTING: caps.print (caps-print.exp)
		10	./caps-print.exp
		11
9	echo "TESTING: sound (sound.exp)"	12	echo "TESTING: sound (sound.exp)"
10	./sound.exp	13	./sound.exp
11		14