diff options
Diffstat (limited to 'src/firejail/main.c')
-rw-r--r-- | src/firejail/main.c | 57 |
1 files changed, 40 insertions, 17 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c index b5a97c71e..e210ceb31 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -54,9 +54,9 @@ Config cfg; // configuration | |||
54 | int arg_private = 0; // mount private /home and /tmp directoryu | 54 | int arg_private = 0; // mount private /home and /tmp directoryu |
55 | int arg_private_template = 0; // mount private /home using a template | 55 | int arg_private_template = 0; // mount private /home using a template |
56 | int arg_debug = 0; // print debug messages | 56 | int arg_debug = 0; // print debug messages |
57 | int arg_debug_check_filename; // print debug messages for filename checking | 57 | int arg_debug_check_filename = 0; // print debug messages for filename checking |
58 | int arg_debug_blacklists; // print debug messages for blacklists | 58 | int arg_debug_blacklists = 0; // print debug messages for blacklists |
59 | int arg_debug_whitelists; // print debug messages for whitelists | 59 | int arg_debug_whitelists = 0; // print debug messages for whitelists |
60 | int arg_nonetwork = 0; // --net=none | 60 | int arg_nonetwork = 0; // --net=none |
61 | int arg_command = 0; // -c | 61 | int arg_command = 0; // -c |
62 | int arg_overlay = 0; // overlay option | 62 | int arg_overlay = 0; // overlay option |
@@ -404,8 +404,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
404 | #ifdef HAVE_SECCOMP | 404 | #ifdef HAVE_SECCOMP |
405 | else if (strcmp(argv[i], "--debug-syscalls") == 0) { | 405 | else if (strcmp(argv[i], "--debug-syscalls") == 0) { |
406 | if (checkcfg(CFG_SECCOMP)) { | 406 | if (checkcfg(CFG_SECCOMP)) { |
407 | syscall_print(); | 407 | int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-syscalls"); |
408 | exit(0); | 408 | exit(rv); |
409 | } | 409 | } |
410 | else { | 410 | else { |
411 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); | 411 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); |
@@ -414,7 +414,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
414 | } | 414 | } |
415 | else if (strcmp(argv[i], "--debug-errnos") == 0) { | 415 | else if (strcmp(argv[i], "--debug-errnos") == 0) { |
416 | if (checkcfg(CFG_SECCOMP)) { | 416 | if (checkcfg(CFG_SECCOMP)) { |
417 | errno_print(); | 417 | int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-errnos"); |
418 | exit(rv); | ||
418 | } | 419 | } |
419 | else { | 420 | else { |
420 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); | 421 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); |
@@ -438,8 +439,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
438 | exit(0); | 439 | exit(0); |
439 | } | 440 | } |
440 | else if (strcmp(argv[i], "--debug-protocols") == 0) { | 441 | else if (strcmp(argv[i], "--debug-protocols") == 0) { |
441 | protocol_list(); | 442 | int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-protocols"); |
442 | exit(0); | 443 | exit(rv); |
443 | } | 444 | } |
444 | else if (strncmp(argv[i], "--protocol.print=", 17) == 0) { | 445 | else if (strncmp(argv[i], "--protocol.print=", 17) == 0) { |
445 | if (checkcfg(CFG_SECCOMP)) { | 446 | if (checkcfg(CFG_SECCOMP)) { |
@@ -498,27 +499,32 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
498 | exit(0); | 499 | exit(0); |
499 | } | 500 | } |
500 | else if (strcmp(argv[i], "--list") == 0) { | 501 | else if (strcmp(argv[i], "--list") == 0) { |
501 | list(); | 502 | int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--list"); |
502 | exit(0); | 503 | exit(rv); |
503 | } | 504 | } |
504 | else if (strcmp(argv[i], "--tree") == 0) { | 505 | else if (strcmp(argv[i], "--tree") == 0) { |
505 | tree(); | 506 | int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree"); |
506 | exit(0); | 507 | exit(rv); |
507 | } | 508 | } |
508 | else if (strcmp(argv[i], "--top") == 0) { | 509 | else if (strcmp(argv[i], "--top") == 0) { |
509 | top(); | 510 | int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--top"); |
510 | exit(0); | 511 | exit(rv); |
511 | } | 512 | } |
512 | #ifdef HAVE_NETWORK | 513 | #ifdef HAVE_NETWORK |
513 | else if (strcmp(argv[i], "--netstats") == 0) { | 514 | else if (strcmp(argv[i], "--netstats") == 0) { |
514 | if (checkcfg(CFG_NETWORK)) { | 515 | if (checkcfg(CFG_NETWORK)) { |
515 | netstats(); | 516 | struct stat s; |
517 | int rv; | ||
518 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) | ||
519 | rv = sbox_run(SBOX_ROOT | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--netstats"); | ||
520 | else | ||
521 | rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--netstats"); | ||
522 | exit(rv); | ||
516 | } | 523 | } |
517 | else { | 524 | else { |
518 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | 525 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); |
519 | exit(1); | 526 | exit(1); |
520 | } | 527 | } |
521 | exit(0); | ||
522 | } | 528 | } |
523 | #endif | 529 | #endif |
524 | #ifdef HAVE_FILE_TRANSFER | 530 | #ifdef HAVE_FILE_TRANSFER |
@@ -1112,7 +1118,16 @@ int main(int argc, char **argv) { | |||
1112 | #ifdef HAVE_SECCOMP | 1118 | #ifdef HAVE_SECCOMP |
1113 | else if (strncmp(argv[i], "--protocol=", 11) == 0) { | 1119 | else if (strncmp(argv[i], "--protocol=", 11) == 0) { |
1114 | if (checkcfg(CFG_SECCOMP)) { | 1120 | if (checkcfg(CFG_SECCOMP)) { |
1115 | protocol_store(argv[i] + 11); | 1121 | if (cfg.protocol) { |
1122 | if (!arg_quiet) | ||
1123 | fprintf(stderr, "Warning: a protocol list is present, the new list \"%s\" will not be installed\n", argv[i] + 11); | ||
1124 | } | ||
1125 | else { | ||
1126 | // store list | ||
1127 | cfg.protocol = strdup(argv[i] + 11); | ||
1128 | if (!cfg.protocol) | ||
1129 | errExit("strdup"); | ||
1130 | } | ||
1116 | } | 1131 | } |
1117 | else { | 1132 | else { |
1118 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); | 1133 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); |
@@ -1605,6 +1620,14 @@ int main(int argc, char **argv) { | |||
1605 | return 1; | 1620 | return 1; |
1606 | } | 1621 | } |
1607 | 1622 | ||
1623 | // don't allow "--chroot=/" | ||
1624 | char *rpath = realpath(cfg.chrootdir, NULL); | ||
1625 | if (rpath == NULL || strcmp(rpath, "/") == 0) { | ||
1626 | fprintf(stderr, "Error: invalid chroot directory\n"); | ||
1627 | exit(1); | ||
1628 | } | ||
1629 | free(rpath); | ||
1630 | |||
1608 | // check chroot directory structure | 1631 | // check chroot directory structure |
1609 | if (fs_check_chroot_dir(cfg.chrootdir)) { | 1632 | if (fs_check_chroot_dir(cfg.chrootdir)) { |
1610 | fprintf(stderr, "Error: invalid chroot\n"); | 1633 | fprintf(stderr, "Error: invalid chroot\n"); |