Diffstat (limited to 'src/firejail/sandbox.c')
-rw-r--r-- | src/firejail/sandbox.c | 51 |
1 files changed, 23 insertions, 28 deletions
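diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 0965b1017..ef09a790c 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -20,6 +20,7 @@
 
 #include "firejail.h"
 #include "../include/seccomp.h"
+#include <sys/mman.h>
 #include <sys/mount.h>
 #include <sys/wait.h>
 #include <sys/stat.h>
@@ -204,16 +205,17 @@ static void save_umask(void) {
 	}
 }
 
-static FILE *create_ready_for_join_file(void) {
-	FILE *fp = fopen(RUN_READY_FOR_JOIN, "wxe");
-	if (fp) {
-		ASSERT_PERMS_STREAM(fp, 0, 0, 0644);
-		return fp;
-	}
-	else {
-		fprintf(stderr, "Error: cannot create %s\n", RUN_READY_FOR_JOIN);
-		exit(1);
-	}
+static char *create_join_file(void) {
+	int fd = open(RUN_JOIN_FILE, O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+	if (fd == -1)
+		errExit("open");
+	if (ftruncate(fd, 1) == -1)
+		errExit("ftruncate");
+	char *rv = mmap(NULL, 1, PROT_WRITE, MAP_SHARED, fd, 0);
+	if (rv == MAP_FAILED)
+		errExit("mmap");
+	close(fd);
+	return rv;
 }
 
 static void sandbox_if_up(Bridge *br) {
@@ -472,7 +474,7 @@ static int ok_to_run(const char *program) {
 	return 0;
 }
 
-void start_application(int no_sandbox, FILE *fp) {
+void start_application(int no_sandbox, char *set_sandbox_status) {
 	// set environment
 	if (no_sandbox == 0) {
 		env_defaults();
@@ -492,16 +494,14 @@ void start_application(int no_sandbox, FILE *fp) {
 	if (arg_audit) {
 		assert(arg_audit_prog);
 
-		if (fp) {
-			fprintf(fp, "ready\n");
-			fclose(fp);
-		}
 #ifdef HAVE_GCOV
 		__gcov_dump();
 #endif
 #ifdef HAVE_SECCOMP
 		seccomp_install_filters();
 #endif
+		if (set_sandbox_status)
+			*set_sandbox_status = SANDBOX_DONE;
 		execl(arg_audit_prog, arg_audit_prog, NULL);
 
 		perror("execl");
@@ -530,16 +530,14 @@ void start_application(int no_sandbox, FILE *fp) {
 
 		int rv = ok_to_run(cfg.original_argv[cfg.original_program_index]);
 
-		if (fp) {
-			fprintf(fp, "ready\n");
-			fclose(fp);
-		}
 #ifdef HAVE_GCOV
 		__gcov_dump();
 #endif
 #ifdef HAVE_SECCOMP
 		seccomp_install_filters();
 #endif
+		if (set_sandbox_status)
+			*set_sandbox_status = SANDBOX_DONE;
 		if (rv)
 			execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]);
 		else
@@ -591,16 +589,14 @@ void start_application(int no_sandbox, FILE *fp) {
 	if (!arg_command && !arg_quiet)
 		print_time();
 
-	if (fp) {
-		fprintf(fp, "ready\n");
-		fclose(fp);
-	}
 #ifdef HAVE_GCOV
 	__gcov_dump();
 #endif
 #ifdef HAVE_SECCOMP
 	seccomp_install_filters();
 #endif
+	if (set_sandbox_status)
+		*set_sandbox_status = SANDBOX_DONE;
 	execvp(arg[0], arg);
 }
 
@@ -1162,11 +1158,10 @@ int sandbox(void* sandbox_arg) {
 	set_caps();
 
 	//****************************************
-	// communicate progress of sandbox set up
-	// to --join
+	// relay status information to join option
 	//****************************************
 
-	FILE *rj = create_ready_for_join_file();
+	char *set_sandbox_status = create_join_file();
 
 	//****************************************
 	// create a new user namespace
@@ -1248,10 +1243,10 @@ int sandbox(void* sandbox_arg) {
 		set_nice(cfg.nice);
 		set_rlimits();
 
-		start_application(0, rj);
+		start_application(0, set_sandbox_status);
 	}
 
-	fclose(rj);
+	munmap(set_sandbox_status, 1);
 
 	int status = monitor_application(app_pid); // monitor application
 	flush_stdin();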
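Review bot: The readiness marker changes meaning in `create_join_file`: after `ftruncate(fd, 1)` the file holds a single zero byte from the moment `sandbox()` creates it (new line 1164, before the user namespace and the rest of the confinement is built), whereas the old `RUN_READY_FOR_JOIN` stayed empty until `ready\n` was written just before exec. Any reader on the `--join` side that treats an existing or non-empty `RUN_JOIN_FILE` as "sandbox ready" would now join before `set_caps()` and `seccomp_install_filters()` have taken effect; presumably it compares the byte against `SANDBOX_DONE`, but that reader is outside this diff and should be checked. I would state the protocol on the function, e.g. `// RUN_JOIN_FILE holds one status byte, 0 from creation; the process running start_application() stores SANDBOX_DONE there only after seccomp is installed, as a plain store that needs no syscall`. Minor style: `S_IWRITE` is an obsolete alias and `S_IWUSR` would match the other mode bits on that line, and the three identical `if (set_sandbox_status) *set_sandbox_status = SANDBOX_DONE;` stores at new lines 503, 539 and 598 follow the same gcov/seccomp block each time and could share one static helper. Both `start_application()` and `sandbox()` begin and end outside the shown hunks.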