Diffstat (limited to 'src/firejail/sandbox.c')
-rw-r--r--src/firejail/sandbox.c51
1 files changed, 23 insertions, 28 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 0965b1017..ef09a790c 100644
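--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -20,6 +20,7 @@
 
 #include "firejail.h"
 #include "../include/seccomp.h"
+#include <sys/mman.h>
 #include <sys/mount.h>
 #include <sys/wait.h>
 #include <sys/stat.h>
@@ -204,16 +205,17 @@ static void save_umask(void) {
  }
 }
 
-static FILE *create_ready_for_join_file(void) {
- FILE *fp = fopen(RUN_READY_FOR_JOIN, "wxe");
- if (fp) {
- ASSERT_PERMS_STREAM(fp, 0, 0, 0644);
- return fp;
- }
- else {
- fprintf(stderr, "Error: cannot create %s\n", RUN_READY_FOR_JOIN);
- exit(1);
- }
+static char *create_join_file(void) {
+ int fd = open(RUN_JOIN_FILE, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+ if (fd == -1)
+ errExit("open");
+ if (ftruncate(fd, 1) == -1)
+ errExit("ftruncate");
+ char *rv = mmap(NULL, 1, PROT_WRITE, MAP_SHARED, fd, 0);
+ if (rv == MAP_FAILED)
+ errExit("mmap");
+ close(fd);
+ return rv;
 }
 
 static void sandbox_if_up(Bridge *br) {
@@ -472,7 +474,7 @@ static int ok_to_run(const char *program) {
  return 0;
 }
 
-void start_application(int no_sandbox, FILE *fp) {
+void start_application(int no_sandbox, char *set_sandbox_status) {
  // set environment
  if (no_sandbox == 0) {
  env_defaults();
@@ -492,16 +494,14 @@ void start_application(int no_sandbox, FILE *fp) {
  if (arg_audit) {
  assert(arg_audit_prog);
 
- if (fp) {
- fprintf(fp, "ready\n");
- fclose(fp);
- }
 #ifdef HAVE_GCOV
  __gcov_dump();
 #endif
 #ifdef HAVE_SECCOMP
  seccomp_install_filters();
 #endif
+ if (set_sandbox_status)
+ *set_sandbox_status = SANDBOX_DONE;
  execl(arg_audit_prog, arg_audit_prog, NULL);
 
  perror("execl");
@@ -530,16 +530,14 @@ void start_application(int no_sandbox, FILE *fp) {
 
  int rv = ok_to_run(cfg.original_argv[cfg.original_program_index]);
 
- if (fp) {
- fprintf(fp, "ready\n");
- fclose(fp);
- }
 #ifdef HAVE_GCOV
  __gcov_dump();
 #endif
 #ifdef HAVE_SECCOMP
  seccomp_install_filters();
 #endif
+ if (set_sandbox_status)
+ *set_sandbox_status = SANDBOX_DONE;
  if (rv)
  execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]);
  else
@@ -591,16 +589,14 @@ void start_application(int no_sandbox, FILE *fp) {
  if (!arg_command && !arg_quiet)
  print_time();
 
- if (fp) {
- fprintf(fp, "ready\n");
- fclose(fp);
- }
 #ifdef HAVE_GCOV
  __gcov_dump();
 #endif
 #ifdef HAVE_SECCOMP
  seccomp_install_filters();
 #endif
+ if (set_sandbox_status)
+ *set_sandbox_status = SANDBOX_DONE;
  execvp(arg[0], arg);
  }
 
@@ -1162,11 +1158,10 @@ int sandbox(void* sandbox_arg) {
  set_caps();
 
  //****************************************
- // communicate progress of sandbox set up
- // to --join
+ // relay status information to join option
  //****************************************
 
- FILE *rj = create_ready_for_join_file();
+ char *set_sandbox_status = create_join_file();
 
  //****************************************
  // create a new user namespace
@@ -1248,10 +1243,10 @@ int sandbox(void* sandbox_arg) {
  set_nice(cfg.nice);
  set_rlimits();
 
- start_application(0, rj);
+ start_application(0, set_sandbox_status);
  }
 
- fclose(rj);
+ munmap(set_sandbox_status, 1);
 
  int status = monitor_application(app_pid); // monitor application
  flush_stdin();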
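Review bot: create_join_file() no longer verifies the owner and mode of the file it creates: the old helper ran `ASSERT_PERMS_STREAM(fp, 0, 0, 0644)`, while the new one relies on `O_CREAT|O_EXCL` plus a mode argument that the process umask can still narrow. Since this one byte is what the join option appears to trust as the sandbox status, I would keep the assertion on the descriptor right after open(), e.g. `ASSERT_PERMS_FD(fd, 0, 0, 0644);` if firejail.h provides an fd variant of the macro (otherwise an fstat() comparison). A wrong owner or mode then aborts setup instead of leaving a status file that differs from what joiners expect. The mode expression also mixes the legacy `S_IWRITE` alias with POSIX names; `S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH` is the portable spelling. A short comment at each `*set_sandbox_status = SANDBOX_DONE;` store in start_application() saying that it deliberately comes after seccomp_install_filters() would help keep that ordering intact in later edits.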