1 files changed, 78 insertions, 0 deletions
diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c
index 23906ae48..1802ad5e1 100644
--- a/src/firejail/cpu.c
+++ b/src/firejail/cpu.c
@@ -139,3 +139,81 @@ void set_cpu_affinity(void) {
                                printf("CPU affinity not set\n");
                }
 }
+static void print_cpu(int pid) {
+        char *file;
+        if (asprintf(&file, "/proc/%d/status", pid) == -1) {
+                errExit("asprintf");
+                exit(1);
+        }
+        EUID_ROOT();    // grsecurity
+        FILE *fp = fopen(file, "r");
+        EUID_USER();    // grsecurity
+        if (!fp) {
+                printf("  Error: cannot open %s\n", file);
+                free(file);
+                return;
+        }
+#define MAXBUF 4096     
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                if (strncmp(buf, "Cpus_allowed_list:", 18) == 0) {
+                        printf("  %s", buf);
+                        fflush(0);
+                        free(file);
+                        fclose(fp);
+                        return;
+                }
+        }
+        fclose(fp);
+        free(file);
+}
+void cpu_print_filter_name(const char *name) {
+        EUID_ASSERT();
+        if (!name || strlen(name) == 0) {
+                fprintf(stderr, "Error: invalid sandbox name\n");
+                exit(1);
+        }
+        pid_t pid;
+        if (name2pid(name, &pid)) {
+                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
+                exit(1);
+        }
+        cpu_print_filter(pid);
+}
+void cpu_print_filter(pid_t pid) {
+        EUID_ASSERT();
+        
+        // if the pid is that of a firejail  process, use the pid of the first child process
+        EUID_ROOT();    // grsecurity
+        char *comm = pid_proc_comm(pid);
+        EUID_USER();    // grsecurity
+        if (comm) {
+                if (strcmp(comm, "firejail") == 0) {
+                        pid_t child;
+                        if (find_child(pid, &child) == 0) {
+                                pid = child;
+                        }
+                }
+                free(comm);
+        }
+        // check privileges for non-root users
+        uid_t uid = getuid();
+        if (uid != 0) {
+                uid_t sandbox_uid = pid_get_uid(pid);
+                if (uid != sandbox_uid) {
+                        fprintf(stderr, "Error: permission denied.\n");
+                        exit(1);
+                }
+        }
+        print_cpu(pid);
+        exit(0);
+}

diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c index 23906ae48..1802ad5e1 100644 --- a/src/firejail/cpu.c +++ b/src/firejail/cpu.c
@@ -139,3 +139,81 @@ void set_cpu_affinity(void) {
139	printf("CPU affinity not set\n");	139	printf("CPU affinity not set\n");
140	}	140	}
141	}	141	}
		142
		143	static void print_cpu(int pid) {
		144	char *file;
		145	if (asprintf(&file, "/proc/%d/status", pid) == -1) {
		146	errExit("asprintf");
		147	exit(1);
		148	}
		149
		150	EUID_ROOT(); // grsecurity
		151	FILE *fp = fopen(file, "r");
		152	EUID_USER(); // grsecurity
		153	if (!fp) {
		154	printf(" Error: cannot open %s\n", file);
		155	free(file);
		156	return;
		157	}
		158
		159	#define MAXBUF 4096
		160	char buf[MAXBUF];
		161	while (fgets(buf, MAXBUF, fp)) {
		162	if (strncmp(buf, "Cpus_allowed_list:", 18) == 0) {
		163	printf(" %s", buf);
		164	fflush(0);
		165	free(file);
		166	fclose(fp);
		167	return;
		168	}
		169	}
		170	fclose(fp);
		171	free(file);
		172	}
		173
		174	void cpu_print_filter_name(const char *name) {
		175	EUID_ASSERT();
		176	if (!name \|\| strlen(name) == 0) {
		177	fprintf(stderr, "Error: invalid sandbox name\n");
		178	exit(1);
		179	}
		180	pid_t pid;
		181	if (name2pid(name, &pid)) {
		182	fprintf(stderr, "Error: cannot find sandbox %s\n", name);
		183	exit(1);
		184	}
		185
		186	cpu_print_filter(pid);
		187	}
		188
		189	void cpu_print_filter(pid_t pid) {
		190	EUID_ASSERT();
		191
		192	// if the pid is that of a firejail process, use the pid of the first child process
		193	EUID_ROOT(); // grsecurity
		194	char *comm = pid_proc_comm(pid);
		195	EUID_USER(); // grsecurity
		196	if (comm) {
		197	if (strcmp(comm, "firejail") == 0) {
		198	pid_t child;
		199	if (find_child(pid, &child) == 0) {
		200	pid = child;
		201	}
		202	}
		203	free(comm);
		204	}
		205
		206	// check privileges for non-root users
		207	uid_t uid = getuid();
		208	if (uid != 0) {
		209	uid_t sandbox_uid = pid_get_uid(pid);
		210	if (uid != sandbox_uid) {
		211	fprintf(stderr, "Error: permission denied.\n");
		212	exit(1);
		213	}
		214	}
		215
		216	print_cpu(pid);
		217	exit(0);
		218	}
		219