Diffstat (limited to 'src/firejail/main.c')
-rw-r--r-- | src/firejail/main.c | 88 |
1 files changed, 9 insertions, 79 deletions
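--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -105,7 +105,6 @@ char *arg_netfilter_file = NULL; // netfilter file
 char *arg_netfilter6_file = NULL; // netfilter6 file
 char *arg_netns = NULL; // "ip netns"-created network namespace to use
 int arg_doubledash = 0; // double dash
-int arg_shell_none = 1; // run the program directly without a shell
 int arg_private_dev = 0; // private dev directory
 int arg_keep_dev_shm = 0; // preserve /dev/shm
 int arg_private_etc = 0; // private etc directory
@@ -799,8 +798,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 if (argc <= (i+1))
 just_run_the_shell = 1;
 cfg.original_program_index = i + 1;
-if (!cfg.shell)
-cfg.shell = cfg.usershell;
 
 // join sandbox by pid or by name
 pid_t pid = require_pid(argv[i] + 7);
@@ -821,10 +818,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 just_run_the_shell = 1;
 cfg.original_program_index = i + 1;
 
-if (!cfg.shell)
-cfg.shell = cfg.usershell;
-
-printf("***** %d\n", just_run_the_shell);
 // try to join by name only
 pid_t pid;
 if (!read_pid(argv[i] + 16, &pid)) {
@@ -847,9 +840,6 @@ printf("***** %d\n", just_run_the_shell);
 exit(1);
 }
 
-if (!cfg.shell)
-cfg.shell = cfg.usershell;
-
 // join sandbox by pid or by name
 pid_t pid = require_pid(argv[i] + 15);
 join(pid, argc, argv, i + 1);
@@ -867,9 +857,6 @@ printf("***** %d\n", just_run_the_shell);
 exit(1);
 }
 
-if (!cfg.shell)
-cfg.shell = cfg.usershell;
-
 // join sandbox by pid or by name
 pid_t pid = require_pid(argv[i] + 18);
 join(pid, argc, argv, i + 1);
@@ -2685,45 +2672,9 @@ int main(int argc, char **argv, char **envp) {
 else if (strncmp(argv[i], "--oom=", 6) == 0) {
 // already handled
 }
-else if (strcmp(argv[i], "--shell=none") == 0) {
-fprintf(stderr, "Warning: --shell=none is done by default; the command will be deprecated\n");
-if (cfg.shell) {
-fprintf(stderr, "Error: a shell was already specified\n");
-return 1;
-}
-}
 else if (strncmp(argv[i], "--shell=", 8) == 0) {
-if (arg_shell_none) {
-fprintf(stderr, "Error: --shell=none was already specified.\n");
-return 1;
-}
-invalid_filename(argv[i] + 8, 0); // no globbing
-
-if (cfg.shell) {
-fprintf(stderr, "Error: only one user shell can be specified\n");
-return 1;
-}
-cfg.shell = argv[i] + 8;
-
-if (is_dir(cfg.shell) || strstr(cfg.shell, "..")) {
-fprintf(stderr, "Error: invalid shell\n");
-exit(1);
-}
-
-// access call checks as real UID/GID, not as effective UID/GID
-if(cfg.chrootdir) {
-char *shellpath;
-if (asprintf(&shellpath, "%s%s", cfg.chrootdir, cfg.shell) == -1)
-errExit("asprintf");
-if (access(shellpath, X_OK)) {
-fprintf(stderr, "Error: cannot access shell file in chroot\n");
-exit(1);
-}
-free(shellpath);
-} else if (access(cfg.shell, X_OK)) {
-fprintf(stderr, "Error: cannot access shell file\n");
-exit(1);
-}
+fprintf(stderr, "Warning: --shell feature has been deprecated\n");
+exit(1);
 }
 else if (strcmp(argv[i], "-c") == 0) {
 arg_command = 1;
@@ -2785,9 +2736,6 @@ int main(int argc, char **argv, char **envp) {
 cfg.command_name = strdup(argv[i]);
 if (!cfg.command_name)
 errExit("strdup");
-
-// disable shell=* for appimages
-arg_shell_none = 0;
 }
 else
 extract_command_name(i, argv);
@@ -2814,12 +2762,6 @@ int main(int argc, char **argv, char **envp) {
 }
 }
 
-// prog_index could still be -1 if no program was specified
-if (prog_index == -1 && arg_shell_none) {
-just_run_the_shell = 1;
-if (!cfg.shell)
-cfg.shell = cfg.usershell;
-}
 
 // check trace configuration
 if (arg_trace && arg_tracelog) {
@@ -2863,27 +2805,18 @@ int main(int argc, char **argv, char **envp) {
 free(msg);
 }
 
-// guess shell if unspecified
-if (!arg_shell_none && !cfg.shell) {
-cfg.shell = cfg.usershell;
-if (!cfg.shell) {
-fprintf(stderr, "Error: unable to guess your shell, please set explicitly by using --shell option.\n");
-exit(1);
-}
-if (arg_debug)
-printf("Autoselecting %s as shell\n", cfg.shell);
-}
-
 // build the sandbox command
-if (prog_index == -1 && cfg.shell) {
-assert(cfg.command_line == NULL); // runs cfg.shell
+if (prog_index == -1) {
+just_run_the_shell = 1;
+
+assert(cfg.command_line == NULL); // runs the user shell
 if (arg_appimage) {
 fprintf(stderr, "Error: no appimage archive specified\n");
 exit(1);
 }
 
-cfg.window_title = cfg.shell;
-cfg.command_name = cfg.shell;
+cfg.window_title = cfg.usershell;
+cfg.command_name = cfg.usershell;
 }
 else if (arg_appimage) {
 if (arg_debug)
@@ -2907,11 +2840,8 @@ int main(int argc, char **argv, char **envp) {
 
 // load the profile
 if (!arg_noprofile && !custom_profile) {
-if (arg_appimage) {
+if (arg_appimage)
 custom_profile = appimage_find_profile(cfg.command_name);
-// disable shell=* for appimages
-arg_shell_none = 0;
-}
 else
 custom_profile = profile_find_firejail(cfg.command_name, 1);
 }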
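Review bot: In the `if (prog_index == -1)` branch of main(), `cfg.window_title` and `cfg.command_name` are now assigned from `cfg.usershell` with no NULL check, whereas the removed "guess shell if unspecified" block exited with an error when `cfg.usershell` was unset. If `cfg.usershell` can still be NULL at this point (its initialisation is not visible here), `cfg.command_name` reaches `profile_find_firejail(cfg.command_name, 1)` in the last hunk as NULL; a guard such as `if (!cfg.usershell) { fprintf(stderr, "Error: unable to guess your shell\n"); exit(1); }` ahead of the assignments would keep that failure explicit. Separately, the new `--shell=` branch prints a message labelled `Warning:` and then calls `exit(1)`, and with the dedicated branch removed `--shell=none` now takes the same path, so `Error:` would describe what the code actually does. main() begins and ends outside these hunks, so any earlier validation of `cfg.usershell` should be confirmed against the full file.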