diff options
Diffstat (limited to 'src/firejail/cgroup.c')
-rw-r--r-- | src/firejail/cgroup.c | 118 |
1 files changed, 118 insertions, 0 deletions
diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c new file mode 100644 index 000000000..7366a6699 --- /dev/null +++ b/src/firejail/cgroup.c | |||
@@ -0,0 +1,118 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014, 2015 netblue30 (netblue30@yahoo.com) | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "firejail.h" | ||
21 | #include <sys/stat.h> | ||
22 | |||
23 | #define MAXBUF 4096 | ||
24 | |||
25 | void save_cgroup(void) { | ||
26 | if (cfg.cgroup == NULL) | ||
27 | return; | ||
28 | |||
29 | char *fname; | ||
30 | if (asprintf(&fname, "%s/cgroup", MNT_DIR) == -1) | ||
31 | errExit(fname); | ||
32 | |||
33 | FILE *fp = fopen(fname, "w"); | ||
34 | if (fp) { | ||
35 | fprintf(fp, "%s", cfg.cgroup); | ||
36 | fflush(0); | ||
37 | fclose(fp); | ||
38 | if (chown(fname, 0, 0) < 0) | ||
39 | errExit("chown"); | ||
40 | } | ||
41 | else { | ||
42 | fprintf(stderr, "Error: cannot save cgroup\n"); | ||
43 | free(fname); | ||
44 | exit(1); | ||
45 | } | ||
46 | |||
47 | free(fname); | ||
48 | } | ||
49 | |||
50 | void load_cgroup(const char *fname) { | ||
51 | if (!fname) | ||
52 | return; | ||
53 | |||
54 | FILE *fp = fopen(fname, "r"); | ||
55 | if (fp) { | ||
56 | char buf[MAXBUF]; | ||
57 | if (fgets(buf, MAXBUF, fp)) { | ||
58 | cfg.cgroup = strdup(buf); | ||
59 | if (!cfg.cgroup) | ||
60 | errExit("strdup"); | ||
61 | } | ||
62 | else | ||
63 | goto errout; | ||
64 | |||
65 | fclose(fp); | ||
66 | return; | ||
67 | } | ||
68 | errout: | ||
69 | fprintf(stderr, "Warrning: cannot load control group\n"); | ||
70 | if (fp) | ||
71 | fclose(fp); | ||
72 | } | ||
73 | |||
74 | |||
75 | void set_cgroup(const char *path) { | ||
76 | // path starts with /sys/fs/cgroup | ||
77 | if (strncmp(path, "/sys/fs/cgroup", 14) != 0) | ||
78 | goto errout; | ||
79 | |||
80 | // path ends in tasks | ||
81 | char *ptr = strstr(path, "tasks"); | ||
82 | if (!ptr) | ||
83 | goto errout; | ||
84 | if (*(ptr + 5) != '\0') | ||
85 | goto errout; | ||
86 | |||
87 | // no .. traversal | ||
88 | ptr = strstr(path, ".."); | ||
89 | if (ptr) | ||
90 | goto errout; | ||
91 | |||
92 | // tasks file exists | ||
93 | struct stat s; | ||
94 | if (stat(path, &s) == -1) | ||
95 | goto errout; | ||
96 | |||
97 | // task file belongs to the user running the sandbox | ||
98 | if (s.st_uid != getuid() && s.st_gid != getgid()) | ||
99 | goto errout2; | ||
100 | |||
101 | // add the task to cgroup | ||
102 | /* coverity[toctou] */ | ||
103 | FILE *fp = fopen(path, "a"); | ||
104 | if (!fp) | ||
105 | goto errout; | ||
106 | pid_t pid = getpid(); | ||
107 | int rv = fprintf(fp, "%d\n", pid); | ||
108 | (void) rv; | ||
109 | fclose(fp); | ||
110 | return; | ||
111 | |||
112 | errout: | ||
113 | fprintf(stderr, "Error: invalid cgroup\n"); | ||
114 | exit(1); | ||
115 | errout2: | ||
116 | fprintf(stderr, "Error: you don't have permissions to use this control group\n"); | ||
117 | exit(1); | ||
118 | } | ||