Diffstat (limited to 'src/firejail/sbox.c')
-rw-r--r-- | src/firejail/sbox.c | 52 |
1 files changed, 26 insertions, 26 deletions
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index 9640ef9ed..6cd58d78e 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c | |||
@@ -39,28 +39,28 @@ static struct sock_filter filter[] = { | |||
39 | #endif | 39 | #endif |
40 | 40 | ||
41 | // syscall list | 41 | // syscall list |
42 | #ifdef SYS_mount | 42 | #ifdef SYS_mount |
43 | BLACKLIST(SYS_mount), // mount/unmount filesystems | 43 | BLACKLIST(SYS_mount), // mount/unmount filesystems |
44 | #endif | 44 | #endif |
45 | #ifdef SYS_umount2 | 45 | #ifdef SYS_umount2 |
46 | BLACKLIST(SYS_umount2), | 46 | BLACKLIST(SYS_umount2), |
47 | #endif | 47 | #endif |
48 | #ifdef SYS_ptrace | 48 | #ifdef SYS_ptrace |
49 | BLACKLIST(SYS_ptrace), // trace processes | 49 | BLACKLIST(SYS_ptrace), // trace processes |
50 | #endif | 50 | #endif |
51 | #ifdef SYS_kexec_file_load | 51 | #ifdef SYS_kexec_file_load |
52 | BLACKLIST(SYS_kexec_file_load), | 52 | BLACKLIST(SYS_kexec_file_load), |
53 | #endif | 53 | #endif |
54 | #ifdef SYS_kexec_load | 54 | #ifdef SYS_kexec_load |
55 | BLACKLIST(SYS_kexec_load), // loading a different kernel | 55 | BLACKLIST(SYS_kexec_load), // loading a different kernel |
56 | #endif | 56 | #endif |
57 | #ifdef SYS_name_to_handle_at | 57 | #ifdef SYS_name_to_handle_at |
58 | BLACKLIST(SYS_name_to_handle_at), | 58 | BLACKLIST(SYS_name_to_handle_at), |
59 | #endif | 59 | #endif |
60 | #ifdef SYS_open_by_handle_at | 60 | #ifdef SYS_open_by_handle_at |
61 | BLACKLIST(SYS_open_by_handle_at), // open by handle | 61 | BLACKLIST(SYS_open_by_handle_at), // open by handle |
62 | #endif | 62 | #endif |
63 | #ifdef SYS_init_module | 63 | #ifdef SYS_init_module |
64 | BLACKLIST(SYS_init_module), // kernel module handling | 64 | BLACKLIST(SYS_init_module), // kernel module handling |
65 | #endif | 65 | #endif |
66 | #ifdef SYS_finit_module // introduced in 2013 | 66 | #ifdef SYS_finit_module // introduced in 2013 |
@@ -69,31 +69,31 @@ static struct sock_filter filter[] = { | |||
69 | #ifdef SYS_create_module | 69 | #ifdef SYS_create_module |
70 | BLACKLIST(SYS_create_module), | 70 | BLACKLIST(SYS_create_module), |
71 | #endif | 71 | #endif |
72 | #ifdef SYS_delete_module | 72 | #ifdef SYS_delete_module |
73 | BLACKLIST(SYS_delete_module), | 73 | BLACKLIST(SYS_delete_module), |
74 | #endif | 74 | #endif |
75 | #ifdef SYS_iopl | 75 | #ifdef SYS_iopl |
76 | BLACKLIST(SYS_iopl), // io permissions | 76 | BLACKLIST(SYS_iopl), // io permissions |
77 | #endif | 77 | #endif |
78 | #ifdef SYS_ioperm | 78 | #ifdef SYS_ioperm |
79 | BLACKLIST(SYS_ioperm), | 79 | BLACKLIST(SYS_ioperm), |
80 | #endif | 80 | #endif |
81 | #ifdef SYS_iopl | 81 | #ifdef SYS_iopl |
82 | BLACKLIST(SYS_iopl), // io permissions | 82 | BLACKLIST(SYS_iopl), // io permissions |
83 | #endif | 83 | #endif |
84 | #ifdef SYS_ioprio_set | 84 | #ifdef SYS_ioprio_set |
85 | BLACKLIST(SYS_ioprio_set), | 85 | BLACKLIST(SYS_ioprio_set), |
86 | #endif | 86 | #endif |
87 | #ifdef SYS_ni_syscall // new io permissions call on arm devices | 87 | #ifdef SYS_ni_syscall // new io permissions call on arm devices |
88 | BLACKLIST(SYS_ni_syscall), | 88 | BLACKLIST(SYS_ni_syscall), |
89 | #endif | 89 | #endif |
90 | #ifdef SYS_swapon | 90 | #ifdef SYS_swapon |
91 | BLACKLIST(SYS_swapon), // swap on/off | 91 | BLACKLIST(SYS_swapon), // swap on/off |
92 | #endif | 92 | #endif |
93 | #ifdef SYS_swapoff | 93 | #ifdef SYS_swapoff |
94 | BLACKLIST(SYS_swapoff), | 94 | BLACKLIST(SYS_swapoff), |
95 | #endif | 95 | #endif |
96 | #ifdef SYS_syslog | 96 | #ifdef SYS_syslog |
97 | BLACKLIST(SYS_syslog), // kernel printk control | 97 | BLACKLIST(SYS_syslog), // kernel printk control |
98 | #endif | 98 | #endif |
99 | RETURN_ALLOW | 99 | RETURN_ALLOW |
@@ -113,7 +113,7 @@ typedef struct sbox_config { | |||
113 | 113 | ||
114 | int sbox_run(unsigned filter, int num, ...) { | 114 | int sbox_run(unsigned filter, int num, ...) { |
115 | EUID_ROOT(); | 115 | EUID_ROOT(); |
116 | 116 | ||
117 | int i; | 117 | int i; |
118 | va_list valist; | 118 | va_list valist; |
119 | va_start(valist, num); | 119 | va_start(valist, num); |
@@ -124,7 +124,7 @@ int sbox_run(unsigned filter, int num, ...) { | |||
124 | arg[i] = va_arg(valist, char*); | 124 | arg[i] = va_arg(valist, char*); |
125 | arg[i] = NULL; | 125 | arg[i] = NULL; |
126 | va_end(valist); | 126 | va_end(valist); |
127 | 127 | ||
128 | if (arg_debug) { | 128 | if (arg_debug) { |
129 | printf("sbox run: "); | 129 | printf("sbox run: "); |
130 | for (i = 0; i <= num; i++) | 130 | for (i = 0; i <= num; i++) |
@@ -138,7 +138,7 @@ int sbox_run(unsigned filter, int num, ...) { | |||
138 | if (child == 0) { | 138 | if (child == 0) { |
139 | // clean the new process | 139 | // clean the new process |
140 | clearenv(); | 140 | clearenv(); |
141 | 141 | ||
142 | if (filter & SBOX_STDIN_FROM_FILE) { | 142 | if (filter & SBOX_STDIN_FROM_FILE) { |
143 | int fd; | 143 | int fd; |
144 | if((fd = open(SBOX_STDIN_FILE, O_RDONLY)) == -1) { | 144 | if((fd = open(SBOX_STDIN_FILE, O_RDONLY)) == -1) { |
@@ -154,7 +154,7 @@ int sbox_run(unsigned filter, int num, ...) { | |||
154 | else // the user could run the sandbox without /dev/null | 154 | else // the user could run the sandbox without /dev/null |
155 | close(STDIN_FILENO); | 155 | close(STDIN_FILENO); |
156 | } | 156 | } |
157 | 157 | ||
158 | // close all other file descriptors | 158 | // close all other file descriptors |
159 | int max = 20; // getdtablesize() is overkill for a firejail process | 159 | int max = 20; // getdtablesize() is overkill for a firejail process |
160 | for (i = 3; i < max; i++) | 160 | for (i = 3; i < max; i++) |
@@ -163,10 +163,10 @@ int sbox_run(unsigned filter, int num, ...) { | |||
163 | if (arg_debug) { | 163 | if (arg_debug) { |
164 | printf("sbox file descriptors:\n"); | 164 | printf("sbox file descriptors:\n"); |
165 | int rv = system("ls -l /proc/self/fd"); | 165 | int rv = system("ls -l /proc/self/fd"); |
166 | (void) rv; | 166 | (void) rv; |
167 | } | 167 | } |
168 | 168 | ||
169 | umask(027); | 169 | umask(027); |
170 | 170 | ||
171 | // apply filters | 171 | // apply filters |
172 | if (filter & SBOX_CAPS_NONE) { | 172 | if (filter & SBOX_CAPS_NONE) { |
@@ -178,7 +178,7 @@ int sbox_run(unsigned filter, int num, ...) { | |||
178 | set |= ((uint64_t) 1) << CAP_NET_RAW; | 178 | set |= ((uint64_t) 1) << CAP_NET_RAW; |
179 | caps_set(set); | 179 | caps_set(set); |
180 | #endif | 180 | #endif |
181 | } | 181 | } |
182 | 182 | ||
183 | if (filter & SBOX_SECCOMP) { | 183 | if (filter & SBOX_SECCOMP) { |
184 | if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { | 184 | if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { |
@@ -200,11 +200,11 @@ int sbox_run(unsigned filter, int num, ...) { | |||
200 | drop_privs(1); | 200 | drop_privs(1); |
201 | 201 | ||
202 | clearenv(); | 202 | clearenv(); |
203 | 203 | ||
204 | // --quiet is passed as an environment variable | 204 | // --quiet is passed as an environment variable |
205 | if (arg_quiet) | 205 | if (arg_quiet) |
206 | setenv("FIREJAIL_QUIET", "yes", 1); | 206 | setenv("FIREJAIL_QUIET", "yes", 1); |
207 | 207 | ||
208 | if (arg[0]) // get rid of scan-build warning | 208 | if (arg[0]) // get rid of scan-build warning |
209 | execvp(arg[0], arg); | 209 | execvp(arg[0], arg); |
210 | else | 210 | else |
@@ -221,6 +221,6 @@ int sbox_run(unsigned filter, int num, ...) { | |||
221 | fprintf(stderr, "Error: failed to run %s\n", arg[0]); | 221 | fprintf(stderr, "Error: failed to run %s\n", arg[0]); |
222 | exit(1); | 222 | exit(1); |
223 | } | 223 | } |
224 | 224 | ||
225 | return status; | 225 | return status; |
226 | } | 226 | } |