Diffstat (limited to 'src/firejail/main.c')
-rw-r--r--src/firejail/main.c88
1 files changed, 9 insertions, 79 deletions
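diff --git a/src/firejail/main.c b/src/firejail/main.c
index 1554209b9..6466be7d4 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -105,7 +105,6 @@ char *arg_netfilter_file = NULL; // netfilter file
 char *arg_netfilter6_file = NULL; // netfilter6 file
 char *arg_netns = NULL; // "ip netns"-created network namespace to use
 int arg_doubledash = 0; // double dash
-int arg_shell_none = 1; // run the program directly without a shell
 int arg_private_dev = 0; // private dev directory
 int arg_keep_dev_shm = 0; // preserve /dev/shm
 int arg_private_etc = 0; // private etc directory
@@ -799,8 +798,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
  if (argc <= (i+1))
  just_run_the_shell = 1;
  cfg.original_program_index = i + 1;
- if (!cfg.shell)
- cfg.shell = cfg.usershell;
 
  // join sandbox by pid or by name
  pid_t pid = require_pid(argv[i] + 7);
@@ -821,10 +818,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
  just_run_the_shell = 1;
  cfg.original_program_index = i + 1;
 
- if (!cfg.shell)
- cfg.shell = cfg.usershell;
-
-printf("***** %d\n", just_run_the_shell);
  // try to join by name only
  pid_t pid;
  if (!read_pid(argv[i] + 16, &pid)) {
@@ -847,9 +840,6 @@ printf("***** %d\n", just_run_the_shell);
  exit(1);
  }
 
- if (!cfg.shell)
- cfg.shell = cfg.usershell;
-
  // join sandbox by pid or by name
  pid_t pid = require_pid(argv[i] + 15);
  join(pid, argc, argv, i + 1);
@@ -867,9 +857,6 @@ printf("***** %d\n", just_run_the_shell);
  exit(1);
  }
 
- if (!cfg.shell)
- cfg.shell = cfg.usershell;
-
  // join sandbox by pid or by name
  pid_t pid = require_pid(argv[i] + 18);
  join(pid, argc, argv, i + 1);
@@ -2685,45 +2672,9 @@ int main(int argc, char **argv, char **envp) {
  else if (strncmp(argv[i], "--oom=", 6) == 0) {
  // already handled
  }
- else if (strcmp(argv[i], "--shell=none") == 0) {
- fprintf(stderr, "Warning: --shell=none is done by default; the command will be deprecated\n");
- if (cfg.shell) {
- fprintf(stderr, "Error: a shell was already specified\n");
- return 1;
- }
- }
  else if (strncmp(argv[i], "--shell=", 8) == 0) {
- if (arg_shell_none) {
- fprintf(stderr, "Error: --shell=none was already specified.\n");
- return 1;
- }
- invalid_filename(argv[i] + 8, 0); // no globbing
-
- if (cfg.shell) {
- fprintf(stderr, "Error: only one user shell can be specified\n");
- return 1;
- }
- cfg.shell = argv[i] + 8;
-
- if (is_dir(cfg.shell) || strstr(cfg.shell, "..")) {
- fprintf(stderr, "Error: invalid shell\n");
- exit(1);
- }
-
- // access call checks as real UID/GID, not as effective UID/GID
- if(cfg.chrootdir) {
- char *shellpath;
- if (asprintf(&shellpath, "%s%s", cfg.chrootdir, cfg.shell) == -1)
- errExit("asprintf");
- if (access(shellpath, X_OK)) {
- fprintf(stderr, "Error: cannot access shell file in chroot\n");
- exit(1);
- }
- free(shellpath);
- } else if (access(cfg.shell, X_OK)) {
- fprintf(stderr, "Error: cannot access shell file\n");
- exit(1);
- }
+ fprintf(stderr, "Warning: --shell feature has been deprecated\n");
+ exit(1);
  }
  else if (strcmp(argv[i], "-c") == 0) {
  arg_command = 1;
@@ -2785,9 +2736,6 @@ int main(int argc, char **argv, char **envp) {
  cfg.command_name = strdup(argv[i]);
  if (!cfg.command_name)
  errExit("strdup");
-
- // disable shell=* for appimages
- arg_shell_none = 0;
  }
  else
  extract_command_name(i, argv);
@@ -2814,12 +2762,6 @@ int main(int argc, char **argv, char **envp) {
  }
  }
 
- // prog_index could still be -1 if no program was specified
- if (prog_index == -1 && arg_shell_none) {
- just_run_the_shell = 1;
- if (!cfg.shell)
- cfg.shell = cfg.usershell;
- }
 
  // check trace configuration
  if (arg_trace && arg_tracelog) {
@@ -2863,27 +2805,18 @@ int main(int argc, char **argv, char **envp) {
  free(msg);
  }
 
- // guess shell if unspecified
- if (!arg_shell_none && !cfg.shell) {
- cfg.shell = cfg.usershell;
- if (!cfg.shell) {
- fprintf(stderr, "Error: unable to guess your shell, please set explicitly by using --shell option.\n");
- exit(1);
- }
- if (arg_debug)
- printf("Autoselecting %s as shell\n", cfg.shell);
- }
-
  // build the sandbox command
- if (prog_index == -1 && cfg.shell) {
- assert(cfg.command_line == NULL); // runs cfg.shell
+ if (prog_index == -1) {
+ just_run_the_shell = 1;
+
+ assert(cfg.command_line == NULL); // runs the user shell
  if (arg_appimage) {
  fprintf(stderr, "Error: no appimage archive specified\n");
  exit(1);
  }
 
- cfg.window_title = cfg.shell;
- cfg.command_name = cfg.shell;
+ cfg.window_title = cfg.usershell;
+ cfg.command_name = cfg.usershell;
  }
  else if (arg_appimage) {
  if (arg_debug)
@@ -2907,11 +2840,8 @@ int main(int argc, char **argv, char **envp) {
 
  // load the profile
  if (!arg_noprofile && !custom_profile) {
- if (arg_appimage) {
+ if (arg_appimage)
  custom_profile = appimage_find_profile(cfg.command_name);
- // disable shell=* for appimages
- arg_shell_none = 0;
- }
  else
  custom_profile = profile_find_firejail(cfg.command_name, 1);
  }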
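Review bot: The rewritten branch at new lines 2809-2819 runs whenever `prog_index == -1` and assigns `cfg.usershell` to `cfg.window_title` and `cfg.command_name` without checking it. The old condition `prog_index == -1 && cfg.shell` skipped the branch when no shell was set, and the removed "guess shell" block exited with an explicit error. If `cfg.usershell` can still be NULL here (its initialisation is outside this diff), then unless a profile was given or `--noprofile` is set, a NULL `cfg.command_name` reaches `profile_find_firejail(cfg.command_name, 1)` in the last hunk; a guard at the top of the branch such as `if (!cfg.usershell) { fprintf(stderr, "Error: unable to guess your shell\n"); exit(1); }` would keep the failure explicit. Separately, the `--shell=` handler prints `Warning:` and then calls `exit(1)`, and because the `--shell=none` case was removed it now rejects that previously accepted option too; `Error:` would match the other fatal messages visible in this function. `main` begins and ends outside the hunks shown.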