Diffstat (limited to 'src/firejail/main.c')
-rw-r--r--src/firejail/main.c139
1 files changed, 41 insertions, 98 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c
index aa855b7eb..b25bad9f2 100644
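--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -111,6 +111,7 @@ int arg_allow_debuggers = 0; // allow debuggers
 int arg_x11_block = 0; // block X11
 int arg_x11_xorg = 0; // use X11 security extention
 int arg_allusers = 0; // all user home directories visible
+int arg_machineid = 0; // preserve /etc/machine-id
 
 int login_shell = 0;
 
@@ -750,42 +751,6 @@ static void delete_x11_file(pid_t pid) {
  free(fname);
 }
 
-static void detect_quiet(int argc, char **argv) {
- int i;
-
- // detect --quiet
- for (i = 1; i < argc; i++) {
- if (strcmp(argv[i], "--quiet") == 0) {
- arg_quiet = 1;
- break;
- }
-
- // detect end of firejail params
- if (strcmp(argv[i], "--") == 0)
- break;
- if (strncmp(argv[i], "--", 2) != 0)
- break;
- }
-}
-
-static void detect_allow_debuggers(int argc, char **argv) {
- int i;
-
- // detect --allow-debuggers
- for (i = 1; i < argc; i++) {
- if (strcmp(argv[i], "--allow-debuggers") == 0) {
- arg_allow_debuggers = 1;
- break;
- }
-
- // detect end of firejail params
- if (strcmp(argv[i], "--") == 0)
- break;
- if (strncmp(argv[i], "--", 2) != 0)
- break;
- }
-}
-
 char *guess_shell(void) {
  char *shell = NULL;
  // shells in order of preference
@@ -805,6 +770,25 @@ char *guess_shell(void) {
  return shell;
 }
 
+static int check_arg(int argc, char **argv, const char *argument) {
+ int i;
+ int found = 0;
+ for (i = 1; i < argc; i++) {
+ if (strcmp(argv[i], argument) == 0) {
+ found = 1;
+ break;
+ }
+
+ // detect end of firejail params
+ if (strcmp(argv[i], "--") == 0)
+ break;
+ if (strncmp(argv[i], "--", 2) != 0)
+ break;
+ }
+
+ return found;
+}
+
 //*******************************************
 // Main program
 //*******************************************
@@ -821,8 +805,10 @@ int main(int argc, char **argv) {
  // build /run/firejail directory structure
  preproc_build_firejail_dir();
 
- detect_quiet(argc, argv);
- detect_allow_debuggers(argc, argv);
+ if (check_arg(argc, argv, "--quiet"))
+ arg_quiet = 1;
+ if (check_arg(argc, argv, "--allow-debuggers"))
+ arg_allow_debuggers = 1;
 
  // drop permissions by default and rise them when required
  EUID_INIT();
@@ -844,78 +830,32 @@ int main(int argc, char **argv) {
  EUID_USER();
  if (rv == 0) {
  // if --force option is passed to the program, disregard the existing sandbox
- int found = 0;
- for (i = 1; i < argc; i++) {
- if (strcmp(argv[i], "--force") == 0 ||
- strcmp(argv[i], "--list") == 0 ||
- strcmp(argv[i], "--netstats") == 0 ||
- strcmp(argv[i], "--tree") == 0 ||
- strcmp(argv[i], "--top") == 0 ||
- strncmp(argv[i], "--ls=", 5) == 0 ||
- strncmp(argv[i], "--get=", 6) == 0 ||
- strcmp(argv[i], "--debug-caps") == 0 ||
- strcmp(argv[i], "--debug-errnos") == 0 ||
- strcmp(argv[i], "--debug-syscalls") == 0 ||
- strcmp(argv[i], "--debug-protocols") == 0 ||
- strcmp(argv[i], "--help") == 0 ||
- strcmp(argv[i], "--version") == 0 ||
- strcmp(argv[i], "--overlay-clean") == 0 ||
- strncmp(argv[i], "--dns.print=", 12) == 0 ||
- strncmp(argv[i], "--bandwidth=", 12) == 0 ||
- strncmp(argv[i], "--caps.print=", 13) == 0 ||
- strncmp(argv[i], "--cpu.print=", 12) == 0 ||
- //********************************************************************************
- // todo: fix the following problems
- strncmp(argv[i], "--join=", 7) == 0 ||
- //[netblue@debian Downloads]$ firejail --join=896
- //Switching to pid 897, the first child process inside the sandbox
- //Error: seccomp file not found
- //********************************************************************************
-
- strncmp(argv[i], "--join-filesystem=", 18) == 0 ||
- strncmp(argv[i], "--join-network=", 15) == 0 ||
- strncmp(argv[i], "--fs.print=", 11) == 0 ||
- strncmp(argv[i], "--protocol.print=", 17) == 0 ||
- strncmp(argv[i], "--seccomp.print", 15) == 0 ||
- strncmp(argv[i], "--shutdown=", 11) == 0) {
- found = 1;
- break;
+ if (check_arg(argc, argv, "--force"))
+ option_force = 1;
+ else {
+ if (check_arg(argc, argv, "--version")) {
+ printf("firejail version %s\n", VERSION);
+ exit(0);
  }
 
- // detect end of firejail params
- if (strcmp(argv[i], "--") == 0)
- break;
- if (strncmp(argv[i], "--", 2) != 0)
- break;
- }
-
- if (found == 0) {
  // start the program directly without sandboxing
  run_no_sandbox(argc, argv);
  // it will never get here!
  assert(0);
  }
- else
- option_force = 1;
  }
  }
 
  // check root/suid
  EUID_ROOT();
  if (geteuid()) {
- // detect --version
- for (i = 1; i < argc; i++) {
- if (strcmp(argv[i], "--version") == 0) {
- printf("firejail version %s\n", VERSION);
- exit(0);
- }
-
- // detect end of firejail params
- if (strcmp(argv[i], "--") == 0)
- break;
- if (strncmp(argv[i], "--", 2) != 0)
- break;
+ // only --version is supported without SUID support
+ if (check_arg(argc, argv, "--version")) {
+ printf("firejail version %s\n", VERSION);
+ exit(0);
  }
+
+ fprintf(stderr, "Error: cannot rise privileges\n");
  exit(1);
  }
  EUID_USER();
@@ -1520,6 +1460,9 @@ int main(int argc, char **argv) {
  else if (strcmp(argv[i], "--writable-var") == 0) {
  arg_writable_var = 1;
  }
+ else if (strcmp(argv[i], "--machine-id") == 0) {
+ arg_machineid = 1;
+ }
  else if (strcmp(argv[i], "--private") == 0) {
  arg_private = 1;
  }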
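Review bot: In main's existing-sandbox branch (new lines 841-844), the only thing that stops execution after `run_no_sandbox(argc, argv);` is `assert(0);`, which expands to nothing when the build defines NDEBUG. The body of run_no_sandbox is not part of this diff, so whether it can ever return is not visible here. If it did, control would leave the new `else` block with `option_force` still 0 and continue into the `EUID_ROOT()` path below, which is the opposite of what the branch intends for a SUID program. Adding an unconditional `exit(1);` right after the assert would make the "never get here" invariant hold in every build. main's body starts and ends outside this hunk.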