Diffstat (limited to 'src/firejail/main.c')
-rw-r--r-- | src/firejail/main.c | 139 |
1 files changed, 41 insertions, 98 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c index aa855b7eb..b25bad9f2 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -111,6 +111,7 @@ int arg_allow_debuggers = 0; // allow debuggers | |||
111 | int arg_x11_block = 0; // block X11 | 111 | int arg_x11_block = 0; // block X11 |
112 | int arg_x11_xorg = 0; // use X11 security extention | 112 | int arg_x11_xorg = 0; // use X11 security extention |
113 | int arg_allusers = 0; // all user home directories visible | 113 | int arg_allusers = 0; // all user home directories visible |
114 | int arg_machineid = 0; // preserve /etc/machine-id | ||
114 | 115 | ||
115 | int login_shell = 0; | 116 | int login_shell = 0; |
116 | 117 | ||
@@ -750,42 +751,6 @@ static void delete_x11_file(pid_t pid) { | |||
750 | free(fname); | 751 | free(fname); |
751 | } | 752 | } |
752 | 753 | ||
753 | static void detect_quiet(int argc, char **argv) { | ||
754 | int i; | ||
755 | |||
756 | // detect --quiet | ||
757 | for (i = 1; i < argc; i++) { | ||
758 | if (strcmp(argv[i], "--quiet") == 0) { | ||
759 | arg_quiet = 1; | ||
760 | break; | ||
761 | } | ||
762 | |||
763 | // detect end of firejail params | ||
764 | if (strcmp(argv[i], "--") == 0) | ||
765 | break; | ||
766 | if (strncmp(argv[i], "--", 2) != 0) | ||
767 | break; | ||
768 | } | ||
769 | } | ||
770 | |||
771 | static void detect_allow_debuggers(int argc, char **argv) { | ||
772 | int i; | ||
773 | |||
774 | // detect --allow-debuggers | ||
775 | for (i = 1; i < argc; i++) { | ||
776 | if (strcmp(argv[i], "--allow-debuggers") == 0) { | ||
777 | arg_allow_debuggers = 1; | ||
778 | break; | ||
779 | } | ||
780 | |||
781 | // detect end of firejail params | ||
782 | if (strcmp(argv[i], "--") == 0) | ||
783 | break; | ||
784 | if (strncmp(argv[i], "--", 2) != 0) | ||
785 | break; | ||
786 | } | ||
787 | } | ||
788 | |||
789 | char *guess_shell(void) { | 754 | char *guess_shell(void) { |
790 | char *shell = NULL; | 755 | char *shell = NULL; |
791 | // shells in order of preference | 756 | // shells in order of preference |
@@ -805,6 +770,25 @@ char *guess_shell(void) { | |||
805 | return shell; | 770 | return shell; |
806 | } | 771 | } |
807 | 772 | ||
773 | static int check_arg(int argc, char **argv, const char *argument) { | ||
774 | int i; | ||
775 | int found = 0; | ||
776 | for (i = 1; i < argc; i++) { | ||
777 | if (strcmp(argv[i], argument) == 0) { | ||
778 | found = 1; | ||
779 | break; | ||
780 | } | ||
781 | |||
782 | // detect end of firejail params | ||
783 | if (strcmp(argv[i], "--") == 0) | ||
784 | break; | ||
785 | if (strncmp(argv[i], "--", 2) != 0) | ||
786 | break; | ||
787 | } | ||
788 | |||
789 | return found; | ||
790 | } | ||
791 | |||
808 | //******************************************* | 792 | //******************************************* |
809 | // Main program | 793 | // Main program |
810 | //******************************************* | 794 | //******************************************* |
@@ -821,8 +805,10 @@ int main(int argc, char **argv) { | |||
821 | // build /run/firejail directory structure | 805 | // build /run/firejail directory structure |
822 | preproc_build_firejail_dir(); | 806 | preproc_build_firejail_dir(); |
823 | 807 | ||
824 | detect_quiet(argc, argv); | 808 | if (check_arg(argc, argv, "--quiet")) |
825 | detect_allow_debuggers(argc, argv); | 809 | arg_quiet = 1; |
810 | if (check_arg(argc, argv, "--allow-debuggers")) | ||
811 | arg_allow_debuggers = 1; | ||
826 | 812 | ||
827 | // drop permissions by default and rise them when required | 813 | // drop permissions by default and rise them when required |
828 | EUID_INIT(); | 814 | EUID_INIT(); |
@@ -844,78 +830,32 @@ int main(int argc, char **argv) { | |||
844 | EUID_USER(); | 830 | EUID_USER(); |
845 | if (rv == 0) { | 831 | if (rv == 0) { |
846 | // if --force option is passed to the program, disregard the existing sandbox | 832 | // if --force option is passed to the program, disregard the existing sandbox |
847 | int found = 0; | 833 | if (check_arg(argc, argv, "--force")) |
848 | for (i = 1; i < argc; i++) { | 834 | option_force = 1; |
849 | if (strcmp(argv[i], "--force") == 0 || | 835 | else { |
850 | strcmp(argv[i], "--list") == 0 || | 836 | if (check_arg(argc, argv, "--version")) { |
851 | strcmp(argv[i], "--netstats") == 0 || | 837 | printf("firejail version %s\n", VERSION); |
852 | strcmp(argv[i], "--tree") == 0 || | 838 | exit(0); |
853 | strcmp(argv[i], "--top") == 0 || | ||
854 | strncmp(argv[i], "--ls=", 5) == 0 || | ||
855 | strncmp(argv[i], "--get=", 6) == 0 || | ||
856 | strcmp(argv[i], "--debug-caps") == 0 || | ||
857 | strcmp(argv[i], "--debug-errnos") == 0 || | ||
858 | strcmp(argv[i], "--debug-syscalls") == 0 || | ||
859 | strcmp(argv[i], "--debug-protocols") == 0 || | ||
860 | strcmp(argv[i], "--help") == 0 || | ||
861 | strcmp(argv[i], "--version") == 0 || | ||
862 | strcmp(argv[i], "--overlay-clean") == 0 || | ||
863 | strncmp(argv[i], "--dns.print=", 12) == 0 || | ||
864 | strncmp(argv[i], "--bandwidth=", 12) == 0 || | ||
865 | strncmp(argv[i], "--caps.print=", 13) == 0 || | ||
866 | strncmp(argv[i], "--cpu.print=", 12) == 0 || | ||
867 | //******************************************************************************** | ||
868 | // todo: fix the following problems | ||
869 | strncmp(argv[i], "--join=", 7) == 0 || | ||
870 | //[netblue@debian Downloads]$ firejail --join=896 | ||
871 | //Switching to pid 897, the first child process inside the sandbox | ||
872 | //Error: seccomp file not found | ||
873 | //******************************************************************************** | ||
874 | |||
875 | strncmp(argv[i], "--join-filesystem=", 18) == 0 || | ||
876 | strncmp(argv[i], "--join-network=", 15) == 0 || | ||
877 | strncmp(argv[i], "--fs.print=", 11) == 0 || | ||
878 | strncmp(argv[i], "--protocol.print=", 17) == 0 || | ||
879 | strncmp(argv[i], "--seccomp.print", 15) == 0 || | ||
880 | strncmp(argv[i], "--shutdown=", 11) == 0) { | ||
881 | found = 1; | ||
882 | break; | ||
883 | } | 839 | } |
884 | 840 | ||
885 | // detect end of firejail params | ||
886 | if (strcmp(argv[i], "--") == 0) | ||
887 | break; | ||
888 | if (strncmp(argv[i], "--", 2) != 0) | ||
889 | break; | ||
890 | } | ||
891 | |||
892 | if (found == 0) { | ||
893 | // start the program directly without sandboxing | 841 | // start the program directly without sandboxing |
894 | run_no_sandbox(argc, argv); | 842 | run_no_sandbox(argc, argv); |
895 | // it will never get here! | 843 | // it will never get here! |
896 | assert(0); | 844 | assert(0); |
897 | } | 845 | } |
898 | else | ||
899 | option_force = 1; | ||
900 | } | 846 | } |
901 | } | 847 | } |
902 | 848 | ||
903 | // check root/suid | 849 | // check root/suid |
904 | EUID_ROOT(); | 850 | EUID_ROOT(); |
905 | if (geteuid()) { | 851 | if (geteuid()) { |
906 | // detect --version | 852 | // only --version is supported without SUID support |
907 | for (i = 1; i < argc; i++) { | 853 | if (check_arg(argc, argv, "--version")) { |
908 | if (strcmp(argv[i], "--version") == 0) { | 854 | printf("firejail version %s\n", VERSION); |
909 | printf("firejail version %s\n", VERSION); | 855 | exit(0); |
910 | exit(0); | ||
911 | } | ||
912 | |||
913 | // detect end of firejail params | ||
914 | if (strcmp(argv[i], "--") == 0) | ||
915 | break; | ||
916 | if (strncmp(argv[i], "--", 2) != 0) | ||
917 | break; | ||
918 | } | 856 | } |
857 | |||
858 | fprintf(stderr, "Error: cannot rise privileges\n"); | ||
919 | exit(1); | 859 | exit(1); |
920 | } | 860 | } |
921 | EUID_USER(); | 861 | EUID_USER(); |
@@ -1520,6 +1460,9 @@ int main(int argc, char **argv) { | |||
1520 | else if (strcmp(argv[i], "--writable-var") == 0) { | 1460 | else if (strcmp(argv[i], "--writable-var") == 0) { |
1521 | arg_writable_var = 1; | 1461 | arg_writable_var = 1; |
1522 | } | 1462 | } |
1463 | else if (strcmp(argv[i], "--machine-id") == 0) { | ||
1464 | arg_machineid = 1; | ||
1465 | } | ||
1523 | else if (strcmp(argv[i], "--private") == 0) { | 1466 | else if (strcmp(argv[i], "--private") == 0) { |
1524 | arg_private = 1; | 1467 | arg_private = 1; |
1525 | } | 1468 | } |
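Review bot: In the `rv == 0` branch of main(), the single `check_arg(argc, argv, "--force")` test replaces a list of roughly two dozen options (`--list`, `--tree`, `--join=`, `--shutdown=`, the `*.print=` queries and others) that used to set `option_force` as well, so every one of them except `--version` now falls through to `run_no_sandbox(argc, argv)` when an existing sandbox has been detected. If that narrowing is deliberate, record it at the `else` with a comment such as `// inside an existing sandbox only --force and --version are honoured; every other option starts the program directly`, and confirm that run_no_sandbox(), which is not shown on this page, handles an argv that still begins with those options. `check_arg()` also lacks a header comment; one line stating that it compares whole arguments exactly and stops at `--` or at the first argument not starting with `--` would explain why prefix options such as `--join=` cannot be looked up with it. main() starts and ends outside the visible hunks, so the meaning of `rv` is inferred from the surrounding comment only.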