diff options
Diffstat (limited to 'src/firejail/main.c')
| -rw-r--r-- | src/firejail/main.c | 57 |
1 files changed, 40 insertions, 17 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c index b5a97c71e..e210ceb31 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -54,9 +54,9 @@ Config cfg; // configuration | |||
| 54 | int arg_private = 0; // mount private /home and /tmp directoryu | 54 | int arg_private = 0; // mount private /home and /tmp directoryu |
| 55 | int arg_private_template = 0; // mount private /home using a template | 55 | int arg_private_template = 0; // mount private /home using a template |
| 56 | int arg_debug = 0; // print debug messages | 56 | int arg_debug = 0; // print debug messages |
| 57 | int arg_debug_check_filename; // print debug messages for filename checking | 57 | int arg_debug_check_filename = 0; // print debug messages for filename checking |
| 58 | int arg_debug_blacklists; // print debug messages for blacklists | 58 | int arg_debug_blacklists = 0; // print debug messages for blacklists |
| 59 | int arg_debug_whitelists; // print debug messages for whitelists | 59 | int arg_debug_whitelists = 0; // print debug messages for whitelists |
| 60 | int arg_nonetwork = 0; // --net=none | 60 | int arg_nonetwork = 0; // --net=none |
| 61 | int arg_command = 0; // -c | 61 | int arg_command = 0; // -c |
| 62 | int arg_overlay = 0; // overlay option | 62 | int arg_overlay = 0; // overlay option |
| @@ -404,8 +404,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
| 404 | #ifdef HAVE_SECCOMP | 404 | #ifdef HAVE_SECCOMP |
| 405 | else if (strcmp(argv[i], "--debug-syscalls") == 0) { | 405 | else if (strcmp(argv[i], "--debug-syscalls") == 0) { |
| 406 | if (checkcfg(CFG_SECCOMP)) { | 406 | if (checkcfg(CFG_SECCOMP)) { |
| 407 | syscall_print(); | 407 | int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-syscalls"); |
| 408 | exit(0); | 408 | exit(rv); |
| 409 | } | 409 | } |
| 410 | else { | 410 | else { |
| 411 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); | 411 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); |
| @@ -414,7 +414,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
| 414 | } | 414 | } |
| 415 | else if (strcmp(argv[i], "--debug-errnos") == 0) { | 415 | else if (strcmp(argv[i], "--debug-errnos") == 0) { |
| 416 | if (checkcfg(CFG_SECCOMP)) { | 416 | if (checkcfg(CFG_SECCOMP)) { |
| 417 | errno_print(); | 417 | int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-errnos"); |
| 418 | exit(rv); | ||
| 418 | } | 419 | } |
| 419 | else { | 420 | else { |
| 420 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); | 421 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); |
| @@ -438,8 +439,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
| 438 | exit(0); | 439 | exit(0); |
| 439 | } | 440 | } |
| 440 | else if (strcmp(argv[i], "--debug-protocols") == 0) { | 441 | else if (strcmp(argv[i], "--debug-protocols") == 0) { |
| 441 | protocol_list(); | 442 | int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-protocols"); |
| 442 | exit(0); | 443 | exit(rv); |
| 443 | } | 444 | } |
| 444 | else if (strncmp(argv[i], "--protocol.print=", 17) == 0) { | 445 | else if (strncmp(argv[i], "--protocol.print=", 17) == 0) { |
| 445 | if (checkcfg(CFG_SECCOMP)) { | 446 | if (checkcfg(CFG_SECCOMP)) { |
| @@ -498,27 +499,32 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
| 498 | exit(0); | 499 | exit(0); |
| 499 | } | 500 | } |
| 500 | else if (strcmp(argv[i], "--list") == 0) { | 501 | else if (strcmp(argv[i], "--list") == 0) { |
| 501 | list(); | 502 | int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--list"); |
| 502 | exit(0); | 503 | exit(rv); |
| 503 | } | 504 | } |
| 504 | else if (strcmp(argv[i], "--tree") == 0) { | 505 | else if (strcmp(argv[i], "--tree") == 0) { |
| 505 | tree(); | 506 | int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree"); |
| 506 | exit(0); | 507 | exit(rv); |
| 507 | } | 508 | } |
| 508 | else if (strcmp(argv[i], "--top") == 0) { | 509 | else if (strcmp(argv[i], "--top") == 0) { |
| 509 | top(); | 510 | int rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--top"); |
| 510 | exit(0); | 511 | exit(rv); |
| 511 | } | 512 | } |
| 512 | #ifdef HAVE_NETWORK | 513 | #ifdef HAVE_NETWORK |
| 513 | else if (strcmp(argv[i], "--netstats") == 0) { | 514 | else if (strcmp(argv[i], "--netstats") == 0) { |
| 514 | if (checkcfg(CFG_NETWORK)) { | 515 | if (checkcfg(CFG_NETWORK)) { |
| 515 | netstats(); | 516 | struct stat s; |
| 517 | int rv; | ||
| 518 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) | ||
| 519 | rv = sbox_run(SBOX_ROOT | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--netstats"); | ||
| 520 | else | ||
| 521 | rv = sbox_run(SBOX_USER | SBOX_CAPS | SBOX_SECCOMP, 2, PATH_FIREMON, "--netstats"); | ||
| 522 | exit(rv); | ||
| 516 | } | 523 | } |
| 517 | else { | 524 | else { |
| 518 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | 525 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); |
| 519 | exit(1); | 526 | exit(1); |
| 520 | } | 527 | } |
| 521 | exit(0); | ||
| 522 | } | 528 | } |
| 523 | #endif | 529 | #endif |
| 524 | #ifdef HAVE_FILE_TRANSFER | 530 | #ifdef HAVE_FILE_TRANSFER |
| @@ -1112,7 +1118,16 @@ int main(int argc, char **argv) { | |||
| 1112 | #ifdef HAVE_SECCOMP | 1118 | #ifdef HAVE_SECCOMP |
| 1113 | else if (strncmp(argv[i], "--protocol=", 11) == 0) { | 1119 | else if (strncmp(argv[i], "--protocol=", 11) == 0) { |
| 1114 | if (checkcfg(CFG_SECCOMP)) { | 1120 | if (checkcfg(CFG_SECCOMP)) { |
| 1115 | protocol_store(argv[i] + 11); | 1121 | if (cfg.protocol) { |
| 1122 | if (!arg_quiet) | ||
| 1123 | fprintf(stderr, "Warning: a protocol list is present, the new list \"%s\" will not be installed\n", argv[i] + 11); | ||
| 1124 | } | ||
| 1125 | else { | ||
| 1126 | // store list | ||
| 1127 | cfg.protocol = strdup(argv[i] + 11); | ||
| 1128 | if (!cfg.protocol) | ||
| 1129 | errExit("strdup"); | ||
| 1130 | } | ||
| 1116 | } | 1131 | } |
| 1117 | else { | 1132 | else { |
| 1118 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); | 1133 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); |
| @@ -1605,6 +1620,14 @@ int main(int argc, char **argv) { | |||
| 1605 | return 1; | 1620 | return 1; |
| 1606 | } | 1621 | } |
| 1607 | 1622 | ||
| 1623 | // don't allow "--chroot=/" | ||
| 1624 | char *rpath = realpath(cfg.chrootdir, NULL); | ||
| 1625 | if (rpath == NULL || strcmp(rpath, "/") == 0) { | ||
| 1626 | fprintf(stderr, "Error: invalid chroot directory\n"); | ||
| 1627 | exit(1); | ||
| 1628 | } | ||
| 1629 | free(rpath); | ||
| 1630 | |||
| 1608 | // check chroot directory structure | 1631 | // check chroot directory structure |
| 1609 | if (fs_check_chroot_dir(cfg.chrootdir)) { | 1632 | if (fs_check_chroot_dir(cfg.chrootdir)) { |
| 1610 | fprintf(stderr, "Error: invalid chroot\n"); | 1633 | fprintf(stderr, "Error: invalid chroot\n"); |