Diffstat (limited to 'src/firejail')
58 files changed, 303 insertions, 103 deletions
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index bb5b29d79..479473572 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/appimage_size.c b/src/firejail/appimage_size.c index 43ca501da..4f8c7a7aa 100644 --- a/src/firejail/appimage_size.c +++ b/src/firejail/appimage_size.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/arp.c b/src/firejail/arp.c index c259fc0ad..cbd80dee0 100644 --- a/src/firejail/arp.c +++ b/src/firejail/arp.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c index a085f2c27..fa9d3a940 100644 --- a/src/firejail/bandwidth.c +++ b/src/firejail/bandwidth.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/caps.c b/src/firejail/caps.c index 5e02b99c2..c5c06c675 100644 --- a/src/firejail/caps.c +++ b/src/firejail/caps.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
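--- a/src/firejail/cgroup.c
+++ b/src/firejail/cgroup.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -18,6 +18,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/wait.h>
 #include <errno.h>
 
@@ -122,6 +123,9 @@ void set_cgroup(const char *fname, pid_t pid) {
 		drop_privs(0);
 
 		do_set_cgroup(fname, pid);
+
+		__gcov_flush();
+
 		_exit(0);
 	}
 	waitpid(child, NULL, 0);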
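Review bot: The `__gcov_flush()` inserted before `_exit(0)` needs a why-comment, because `_exit()` bypasses the atexit handlers that would normally write coverage data; suggested `// _exit() skips atexit handlers, so flush coverage data explicitly`. Presumably `../include/gcov_wrapper.h` turns the call into a no-op in non-coverage builds — worth confirming, since this child has already called drop_privs(0) and a real flush would write .gcda files with reduced privileges. Any early exit inside do_set_cgroup() (outside this hunk) would still skip the flush. The rest of set_cgroup() lies outside the hunk.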
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index e5d837bbb..6fc70318b 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c index 9425638ea..551948318 100644 --- a/src/firejail/chroot.c +++ b/src/firejail/chroot.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c index 2fa68a55d..6f7739da0 100644 --- a/src/firejail/cmdline.c +++ b/src/firejail/cmdline.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c index fe7258fb0..1ec510456 100644 --- a/src/firejail/cpu.c +++ b/src/firejail/cpu.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
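--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -297,11 +297,12 @@ void dbus_proxy_start(void) {
 	if (dbus_proxy_pid == -1)
 		errExit("fork");
 	if (dbus_proxy_pid == 0) {
-		int i;
-		for (i = STDERR_FILENO + 1; i < FIREJAIL_MAX_FD; i++) {
-			if (i != status_pipe[1] && i != args_pipe[0])
-				close(i); // close open files
-		}
+		// close open files
+		int keep[2];
+		keep[0] = status_pipe[1];
+		keep[1] = args_pipe[0];
+		close_all(keep, ARRAY_SIZE(keep));
+
 		if (arg_dbus_log_file != NULL) {
 			int output_fd = creat(arg_dbus_log_file, 0666);
 			if (output_fd < 0)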
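Review bot: `close_all(keep, ARRAY_SIZE(keep))` replaces a loop bounded by FIREJAIL_MAX_FD, but whether close_all() also honours the new `cfg.keep_fd` / `arg_keep_fd_all` settings is not visible here; if it does, descriptors the user asked to keep for the sandboxed program would also be inherited by the xdg-dbus-proxy child, which is a different trust boundary than the sandbox itself. If that is unintended, close_all() needs a flag, or this call site needs a helper that spares only the two pipe ends. Either way the bare `// close open files` should say why the two descriptors survive; suggested `// close everything except the status pipe and the args pipe, which the proxy still needs` — the pipe roles are inferred from their names, so adjust if wrong. The rest of dbus_proxy_start() lies outside the hunk.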
diff --git a/src/firejail/dhcp.c b/src/firejail/dhcp.c index ec482e2ea..fb66d74ff 100644 --- a/src/firejail/dhcp.c +++ b/src/firejail/dhcp.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/env.c b/src/firejail/env.c index 4c0d729a1..963288459 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
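--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -161,6 +161,7 @@ typedef struct config_t {
 
 #define MAX_PROFILE_IGNORE 32
 	char *profile_ignore[MAX_PROFILE_IGNORE];
+	char *keep_fd; // inherit file descriptors to sandbox
 	char *chrootdir; // chroot directory
 	char *home_private; // private home directory
 	char *home_private_keep; // keep list for private home directory
@@ -352,6 +353,7 @@ extern int arg_nou2f; // --nou2f
 extern int arg_noinput; // --noinput
 extern int arg_deterministic_exit_code; // always exit with first child's exit status
 extern int arg_deterministic_shutdown; // shut down the sandbox if first child dies
+extern int arg_keep_fd_all; // inherit all file descriptors to sandbox
 
 typedef enum {
 	DBUS_POLICY_ALLOW, // Allow unrestricted access to the bus
@@ -551,6 +553,7 @@ int remount_by_fd(int dst, unsigned long mountflags);
 int bind_mount_by_fd(int src, int dst);
 int bind_mount_path_to_fd(const char *srcname, int dst);
 int bind_mount_fd_to_path(int src, const char *destname);
+void close_all(int *keep_list, size_t sz);
 int has_handler(pid_t pid, int signal);
 void enter_network_namespace(pid_t pid);
 int read_pid(const char *name, pid_t *pid);
@@ -707,6 +710,7 @@ void env_ibus_load(void);
 void fs_whitelist(void);
 
 // pulseaudio.c
+void pipewire_disable(void);
 void pulseaudio_init(void);
 void pulseaudio_disable(void);
 
@@ -881,7 +885,6 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 #define SBOX_CAPS_HIDEPID (1 << 7) // hidepid caps filter for running firemon
 #define SBOX_CAPS_NET_SERVICE (1 << 8) // caps filter for programs running network services
 #define SBOX_KEEP_FDS (1 << 9) // keep file descriptors open
-#define FIREJAIL_MAX_FD 20 // getdtablesize() is overkill for a firejail process
 
 // run sbox
 int sbox_run(unsigned filter, int num, ...);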
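Review bot: The new prototype `void close_all(int *keep_list, size_t sz);` takes a list that is presumably only read, so it should be const-qualified: `void close_all(const int *keep_list, size_t sz);` — the dbus.c caller passes a local `int keep[2]`, which still converts implicitly. The declaration also lacks a comment on how the list is interpreted (descriptor numbers to leave open, with `sz` entries) and on whether `cfg.keep_fd` / `arg_keep_fd_all` are consulted in addition; one line next to it, e.g. `// close every fd above STDERR_FILENO except those in keep_list (sz entries)`, would settle that for callers, hedged because close_all()'s body is not in this diff. Removing `FIREJAIL_MAX_FD` is fine only if dbus.c was its last user, which the diff does not show.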
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index f62e6404e..04ea715cd 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 4c9dac0c2..2b0b3003e 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index 694d0a379..a6fbbb89a 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
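--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -142,7 +142,7 @@ errexit:
 static void duplicate(const char *fname, const char *private_dir, const char *private_run_dir) {
 	assert(fname);
 
-	if (*fname == '~' || *fname == '/' || strncmp(fname, "..", 2) == 0) {
+	if (*fname == '~' || *fname == '/' || strstr(fname, "..")) {
 		fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname);
 		exit(1);
 	}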
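Review bot: Replacing `strncmp(fname, "..", 2) == 0` with `strstr(fname, "..")` closes the gap where a name such as `a/../b` passed the prefix-only check and could resolve outside the private directory; that is the right fix, and the intent should be recorded so nobody "optimises" it back, e.g. `// reject ".." anywhere in the name, not only as a prefix, so the copy stays inside private_dir`. Note that strstr also rejects otherwise harmless names like `foo..bar`; if that is acceptable (simpler than splitting on '/'), say so in the same comment. The remainder of duplicate() lies outside the hunk.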
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index b410ba68e..b1cb9d927 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c index 8b7e94f51..dca394865 100644 --- a/src/firejail/fs_hostname.c +++ b/src/firejail/fs_hostname.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c index 03af7f8fb..194a980f4 100644 --- a/src/firejail/fs_lib.c +++ b/src/firejail/fs_lib.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c index a347b380c..aefd38e3c 100644 --- a/src/firejail/fs_lib2.c +++ b/src/firejail/fs_lib2.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/fs_logger.c b/src/firejail/fs_logger.c index 604e297b1..06f03dac5 100644 --- a/src/firejail/fs_logger.c +++ b/src/firejail/fs_logger.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c index 4983db0a0..30dbd8e9b 100644 --- a/src/firejail/fs_mkdir.c +++ b/src/firejail/fs_mkdir.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/fs_overlayfs.c b/src/firejail/fs_overlayfs.c index fe3761cb6..167a7e28b 100644 --- a/src/firejail/fs_overlayfs.c +++ b/src/firejail/fs_overlayfs.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index 17a7b3d23..4cecea9ce 100644 --- a/src/firejail/fs_trace.c +++ b/src/firejail/fs_trace.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index e19d0df96..9523875d7 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
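--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -337,21 +337,34 @@ static void tmpfs_topdirs(const TopDir *topdirs) {
 	// fix pam-tmpdir (#2685)
 	const char *env = env_get("TMP");
 	if (env) {
-		char *pamtmpdir;
-		if (asprintf(&pamtmpdir, "/tmp/user/%u", getuid()) == -1)
+		// we allow TMP env set as /tmp/user/$UID and /tmp/$UID - see #4151
+		char *pamtmpdir1;
+		if (asprintf(&pamtmpdir1, "/tmp/user/%u", getuid()) == -1)
 			errExit("asprintf");
-		if (strcmp(env, pamtmpdir) == 0) {
+		char *pamtmpdir2;
+		if (asprintf(&pamtmpdir2, "/tmp/%u", getuid()) == -1)
+			errExit("asprintf");
+		if (strcmp(env, pamtmpdir1) == 0) {
 			// create empty user-owned /tmp/user/$UID directory
 			EUID_ROOT();
-			mkdir_attr("/tmp/user", 0711, 0, 0);
+			mkdir_attr("/tmp/user", 0755, 0, 0);
 			selinux_relabel_path("/tmp/user", "/tmp/user");
 			fs_logger("mkdir /tmp/user");
-			mkdir_attr(pamtmpdir, 0700, getuid(), 0);
-			selinux_relabel_path(pamtmpdir, pamtmpdir);
-			fs_logger2("mkdir", pamtmpdir);
+			mkdir_attr(pamtmpdir1, 0700, getuid(), 0);
+			selinux_relabel_path(pamtmpdir1, pamtmpdir1);
+			fs_logger2("mkdir", pamtmpdir1);
+			EUID_USER();
+		}
+		else if (strcmp(env, pamtmpdir2) == 0) {
+			// create empty user-owned /tmp/$UID directory
+			EUID_ROOT();
+			mkdir_attr(pamtmpdir2, 0700, getuid(), 0);
+			selinux_relabel_path(pamtmpdir2, pamtmpdir2);
+			fs_logger2("mkdir", pamtmpdir2);
 			EUID_USER();
 		}
-		free(pamtmpdir);
+		free(pamtmpdir1);
+		free(pamtmpdir2);
 	}
 }
 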
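Review bot: `mkdir_attr("/tmp/user", 0755, 0, 0)` loosens the directory from 0711 to 0755 with no stated reason; 0711 already let every user traverse into its own `/tmp/user/$UID`, whereas 0755 additionally makes the set of per-user directories listable by anyone in the sandbox, so unless pam-tmpdir itself requires read permission the old `mkdir_attr("/tmp/user", 0711, 0, 0);` is the safer default, or the new mode needs a comment saying why. The two branches are also near-duplicates of the root/mkdir/relabel/log/user sequence, so a small static helper keeps them in sync and leaves one place to change modes, and `pamtmpdir2` need only be formatted once the `/tmp/user/$UID` case has failed. tmpfs_topdirs() starts before the hunk.
```c
// create an empty 0700 directory owned by the current user and log it
static void mkdir_user_tmpdir(const char *path) {
	EUID_ROOT();
	mkdir_attr(path, 0700, getuid(), 0);
	selinux_relabel_path(path, path);
	fs_logger2("mkdir", path);
	EUID_USER();
}

	// … unchanged: TMP lookup and pamtmpdir1/pamtmpdir2 formatting …
		if (strcmp(env, pamtmpdir1) == 0) {
			// create empty user-owned /tmp/user/$UID directory
			EUID_ROOT();
			mkdir_attr("/tmp/user", 0711, 0, 0);
			selinux_relabel_path("/tmp/user", "/tmp/user");
			fs_logger("mkdir /tmp/user");
			EUID_USER();
			mkdir_user_tmpdir(pamtmpdir1);
		}
		else if (strcmp(env, pamtmpdir2) == 0)
			mkdir_user_tmpdir(pamtmpdir2);
	// … unchanged: free() of both strings …
```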
diff --git a/src/firejail/ids.c b/src/firejail/ids.c index a9ff59be4..fdb78d6e6 100644 --- a/src/firejail/ids.c +++ b/src/firejail/ids.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
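--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -569,11 +569,6 @@ void join(pid_t pid, int argc, char **argv, int index) {
 	dbus_set_system_bus_env();
 #endif
 
-	// set nice and rlimits
-	if (arg_nice)
-		set_nice(cfg.nice);
-	set_rlimits();
-
 	start_application(0, shfd, NULL);
 
 	__builtin_unreachable();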
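Review bot: Dropping `set_nice()`/`set_rlimits()` from join() means a process entering an existing sandbox no longer gets the profile's nice value and resource limits applied at this point; rlimits are per-process and are not acquired by joining the namespaces, so unless start_application() (outside this hunk) now applies them, `rlimit-*` profile lines stop being enforced for `--join`ed processes. If they did move there, a one-line comment at the call site, e.g. `// nice and rlimits are applied inside start_application()`, would make that explicit to the next reader. join() begins before the hunk.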
diff --git a/src/firejail/ls.c b/src/firejail/ls.c index 53e918dde..7207d1087 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
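--- a/src/firejail/macros.c
+++ b/src/firejail/macros.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -314,9 +314,9 @@ void invalid_filename(const char *fname, int globbing) {
 
 	char *reject;
 	if (globbing)
-		reject = "\\&!\"'<>%^{};,"; // file globbing ('*?[]') is allowed
+		reject = "\\&!\"<>%^{};,"; // file globbing ('*?[]') is allowed
 	else
-		reject = "\\&!?\"'<>%^{};,*[]";
+		reject = "\\&!?\"<>%^{};,*[]";
 	char *c = strpbrk(ptr, reject);
 	if (c) {
 		fprintf(stderr, "Error: \"%s\" is an invalid filename: rejected character: \"%c\"\n", fname, *c);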
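Review bot: Removing `'` from both reject strings widens the set of filenames invalid_filename() accepts, and the hunk gives no rationale; since this function is a front-line filter for paths taken from profiles and the command line, the change should be backed by a statement that no downstream consumer interpolates these paths into a shell command line, where an apostrophe would break quoting — e.g. `// single quotes are accepted: paths are passed as argv entries, never through a shell` if that is indeed the invariant. Style-wise the two literals now differ only by `?*[]`, so building the non-globbing string from a shared base would stop them drifting apart. The function body continues outside the hunk.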
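--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -149,6 +149,7 @@ int arg_nou2f = 0; // --nou2f
 int arg_noinput = 0; // --noinput
 int arg_deterministic_exit_code = 0; // always exit with first child's exit status
 int arg_deterministic_shutdown = 0; // shut down the sandbox if first child dies
+int arg_keep_fd_all = 0; // inherit all file descriptors to sandbox
 DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW; // --dbus-user
 DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system
 const char *arg_dbus_log_file = NULL;
@@ -408,9 +409,22 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 	}
 #endif
 #ifdef HAVE_NETWORK
+	else if (strcmp(argv[i], "--nettrace") == 0) {
+		if (checkcfg(CFG_NETWORK)) {
+			netfilter_trace(0);
+		}
+		else
+			exit_err_feature("networking");
+		exit(0);
+	}
 	else if (strncmp(argv[i], "--nettrace=", 11) == 0) {
-		pid_t pid = require_pid(argv[i] + 11);
-		netfilter_trace(pid);
+		if (checkcfg(CFG_NETWORK)) {
+			pid_t pid = require_pid(argv[i] + 11);
+			netfilter_trace(pid);
+		}
+		else
+			exit_err_feature("networking");
+		exit(0);
 	}
 	else if (strncmp(argv[i], "--bandwidth=", 12) == 0) {
 		if (checkcfg(CFG_NETWORK)) {
@@ -1862,6 +1876,14 @@ int main(int argc, char **argv, char **envp) {
 			}
 			profile_add_ignore(argv[i] + 9);
 		}
+		else if (strncmp(argv[i], "--keep-fd=", 10) == 0) {
+			if (strcmp(argv[i] + 10, "all") == 0)
+				arg_keep_fd_all = 1;
+			else {
+				const char *add = argv[i] + 10;
+				profile_list_augment(&cfg.keep_fd, add);
+			}
+		}
 #ifdef HAVE_CHROOT
 		else if (strncmp(argv[i], "--chroot=", 9) == 0) {
 			if (checkcfg(CFG_CHROOT)) {
@@ -2307,11 +2329,20 @@ int main(int argc, char **argv, char **envp) {
 			continue;
 		}
 #ifdef HAVE_NETWORK
-		else if (strcmp(argv[i], "--netlock") == 0)
-			arg_netlock = 1;
+		else if (strcmp(argv[i], "--netlock") == 0) {
+			if (checkcfg(CFG_NETWORK))
+				arg_netlock = 1;
+			else
+				exit_err_feature("networking");
+		}
 		else if (strncmp(argv[i], "--netlock=", 10) == 0) {
-			pid_t pid = require_pid(argv[i] + 10);
-			netfilter_netlock(pid);
+			if (checkcfg(CFG_NETWORK)) {
+				pid_t pid = require_pid(argv[i] + 10);
+				netfilter_netlock(pid);
+			}
+			else
+				exit_err_feature("networking");
+			exit(0);
 		}
 		else if (strncmp(argv[i], "--interface=", 12) == 0) {
 			if (checkcfg(CFG_NETWORK)) {
@@ -3150,13 +3181,18 @@ int main(int argc, char **argv, char **envp) {
 			}
 		}
 
-		// add render group
+		// add render/vglusers group
 		if (!arg_no3d) {
 			g = get_group_id("render");
 			if (g) {
 				sprintf(ptr, "%d %d 1\n", g, g);
 				ptr += strlen(ptr);
 			}
+			g = get_group_id("vglusers");
+			if (g) {
+				sprintf(ptr, "%d %d 1\n", g, g);
+				ptr += strlen(ptr);
+			}
 		}
 
 		// add lp group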
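Review bot: The `--keep-fd=` branch (new lines 1879-1886) accepts any value other than `all` without validation: an empty argument (`--keep-fd=`) or a non-numeric one is appended to `cfg.keep_fd` as-is, and the identical code appears in profile.c for the `keep-fd` profile line. Unless profile_list_augment() or the eventual consumer of cfg.keep_fd validates entries (neither is visible here), reject an empty value up front, e.g. `if (*(argv[i] + 10) == '\0') { fprintf(stderr, "Error: --keep-fd requires an argument\n"); exit(1); }`, and have the consumer check that each entry is a descriptor number. Inheriting descriptors is a deliberate hole in the sandbox boundary, so the declaration `int arg_keep_fd_all = 0;` deserves a note that `all` cannot be narrowed again by a later `--keep-fd=N`. In the last hunk, the added `vglusers` entry is a second `sprintf()` into a buffer allocated outside this diff; each extra group enlarges the worst-case length, so confirm the allocation still covers it. main() and run_cmd_and_exit() extend beyond the hunks.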
diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c index ee437e10b..7d30d21d9 100644 --- a/src/firejail/mountinfo.c +++ b/src/firejail/mountinfo.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
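--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2021 Firejail Authors
+ * Copyright (C) 2014-2022 Firejail Authors
  *
  * This file is part of firejail project
  *
@@ -93,7 +93,10 @@ void netfilter_netlock(pid_t pid) {
 void netfilter_trace(pid_t pid) {
 	EUID_ASSERT();
 
-	enter_network_namespace(pid);
+	// a pid of 0 means the main system network namespace
+	if (pid)
+		enter_network_namespace(pid);
+
 	char *cmd;
 	if (asprintf(&cmd, "%s/firejail/fnettrace", LIBDIR) == -1)
 		errExit("asprintf");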
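Review bot: The sentinel `pid == 0` is now part of netfilter_trace()'s contract, but only the body documents it; the prototype in firejail.h should carry the same note, e.g. `void netfilter_trace(pid_t pid); // pid 0: trace the host network namespace`, and it would help to state whether netfilter_netlock() (declared just above this hunk) follows the same convention or still requires a real pid. With pid 0 the function skips enter_network_namespace() entirely, so whatever privileges the fnettrace helper is launched with come solely from the launch code that follows `cmd` — presumably a sbox_run() call outside this hunk — and a comment there on the capabilities granted for the host-namespace case would be welcome. netfilter_trace() continues past the hunk.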
diff --git a/src/firejail/netns.c b/src/firejail/netns.c index b5d6fb636..c72c009ae 100644 --- a/src/firejail/netns.c +++ b/src/firejail/netns.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2020-2021 Firejail Authors | 2 | * Copyright (C) 2020-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/network.c b/src/firejail/network.c index 289e164c6..e631745fb 100644 --- a/src/firejail/network.c +++ b/src/firejail/network.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c index d3e75bbed..dd66ecc55 100644 --- a/src/firejail/network_main.c +++ b/src/firejail/network_main.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 0e5562d90..c57d397ef 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/output.c b/src/firejail/output.c index ce10ab157..f9df9f3d4 100644 --- a/src/firejail/output.c +++ b/src/firejail/output.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/paths.c b/src/firejail/paths.c index d58a9d272..6d62c9004 100644 --- a/src/firejail/paths.c +++ b/src/firejail/paths.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index 1aafd1ca2..da50e9a82 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 92dbecac1..794668dc6 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -290,6 +290,15 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
290 | return 0; | 290 | return 0; |
291 | } | 291 | } |
292 | 292 | ||
293 | if (strncmp(ptr, "keep-fd ", 8) == 0) { | ||
294 | if (strcmp(ptr + 8, "all") == 0) | ||
295 | arg_keep_fd_all = 1; | ||
296 | else { | ||
297 | const char *add = ptr + 8; | ||
298 | profile_list_augment(&cfg.keep_fd, add); | ||
299 | } | ||
300 | return 0; | ||
301 | } | ||
293 | if (strncmp(ptr, "xephyr-screen ", 14) == 0) { | 302 | if (strncmp(ptr, "xephyr-screen ", 14) == 0) { |
294 | #ifdef HAVE_X11 | 303 | #ifdef HAVE_X11 |
295 | if (checkcfg(CFG_X11)) { | 304 | if (checkcfg(CFG_X11)) { |
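Review bot: The keep-fd value appended to cfg.keep_fd at line 298 is not validated here; the list is only parsed later by str_to_int_array() in sandbox.c's close_file_descriptors(), which exits with a generic `Error: invalid keep-fd option` long after the profile file name and line number are gone. profile_check_line() already has `lineno` and `fname`, so running the same str_to_int_array() check at this point and reporting `fprintf(stderr, "Error: invalid keep-fd list in %s line %d\n", fname, lineno);` before `exit(1)` would make the error actionable. Note also that `keep-fd all` followed by a `keep-fd <list>` leaves both arg_keep_fd_all and cfg.keep_fd set, which appears intended since the all flag is checked first in close_file_descriptors(). profile_check_line() begins and ends outside this hunk.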
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c index f21f8c96e..37e541f50 100644 --- a/src/firejail/protocol.c +++ b/src/firejail/protocol.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index f8d4c2f3c..320668bf9 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -25,6 +25,7 @@ | |||
25 | #include <dirent.h> | 25 | #include <dirent.h> |
26 | #include <errno.h> | 26 | #include <errno.h> |
27 | #include <sys/wait.h> | 27 | #include <sys/wait.h> |
28 | #include <glob.h> | ||
28 | 29 | ||
29 | #include <fcntl.h> | 30 | #include <fcntl.h> |
30 | #ifndef O_PATH | 31 | #ifndef O_PATH |
@@ -33,6 +34,59 @@ | |||
33 | 34 | ||
34 | #define PULSE_CLIENT_SYSCONF "/etc/pulse/client.conf" | 35 | #define PULSE_CLIENT_SYSCONF "/etc/pulse/client.conf" |
35 | 36 | ||
37 | |||
38 | |||
39 | static void disable_rundir_pipewire(const char *path) { | ||
40 | assert(path); | ||
41 | |||
42 | // globbing for path/pipewire-* | ||
43 | char *pattern; | ||
44 | if (asprintf(&pattern, "%s/pipewire-*", path) == -1) | ||
45 | errExit("asprintf"); | ||
46 | |||
47 | glob_t globbuf; | ||
48 | int globerr = glob(pattern, GLOB_NOCHECK | GLOB_NOSORT, NULL, &globbuf); | ||
49 | if (globerr) { | ||
50 | fprintf(stderr, "Error: failed to glob pattern %s\n", pattern); | ||
51 | exit(1); | ||
52 | } | ||
53 | |||
54 | size_t i; | ||
55 | for (i = 0; i < globbuf.gl_pathc; i++) { | ||
56 | char *dir = globbuf.gl_pathv[i]; | ||
57 | assert(dir); | ||
58 | |||
59 | // don't disable symlinks - disable_file_or_dir will bind-mount an empty directory on top of it! | ||
60 | if (is_link(dir)) | ||
61 | continue; | ||
62 | disable_file_or_dir(dir); | ||
63 | } | ||
64 | globfree(&globbuf); | ||
65 | free(pattern); | ||
66 | } | ||
67 | |||
68 | |||
69 | |||
70 | // disable pipewire socket | ||
71 | void pipewire_disable(void) { | ||
72 | if (arg_debug) | ||
73 | printf("disable pipewire\n"); | ||
74 | // blacklist user config directory | ||
75 | disable_file_path(cfg.homedir, ".config/pipewire"); | ||
76 | |||
77 | // blacklist pipewire in XDG_RUNTIME_DIR | ||
78 | const char *name = env_get("XDG_RUNTIME_DIR"); | ||
79 | if (name) | ||
80 | disable_rundir_pipewire(name); | ||
81 | |||
82 | // try the default location anyway | ||
83 | char *path; | ||
84 | if (asprintf(&path, "/run/user/%d", getuid()) == -1) | ||
85 | errExit("asprintf"); | ||
86 | disable_rundir_pipewire(path); | ||
87 | free(path); | ||
88 | } | ||
89 | |||
36 | // disable pulseaudio socket | 90 | // disable pulseaudio socket |
37 | void pulseaudio_disable(void) { | 91 | void pulseaudio_disable(void) { |
38 | if (arg_debug) | 92 | if (arg_debug) |
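Review bot: With GLOB_NOCHECK at line 48, a directory holding no pipewire-* entries makes glob() return the pattern string itself as its single result, so the loop at lines 55-63 hands the literal `<path>/pipewire-*` to is_link() and disable_file_or_dir(); how those treat a nonexistent path is outside this view, but the call is clearly not intended. Dropping GLOB_NOCHECK and treating the no-match case as success keeps the error exit for real failures: `if (globerr == GLOB_NOMATCH) { free(pattern); return; }` placed before the existing `if (globerr)` check. Separately, pipewire_disable() calls disable_rundir_pipewire() for both XDG_RUNTIME_DIR and /run/user/<uid>, which are commonly the same directory, so the same entries are disabled twice; presumably harmless, but a `strcmp` of the two paths would skip the duplicate pass.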
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index 59077dada..447d7b663 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c index ed66903b5..c1340cae1 100644 --- a/src/firejail/restricted_shell.c +++ b/src/firejail/restricted_shell.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/rlimit.c b/src/firejail/rlimit.c index f177f4b89..b10d2c528 100644 --- a/src/firejail/rlimit.c +++ b/src/firejail/rlimit.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/run_files.c b/src/firejail/run_files.c index c28c3e01b..c971a4f53 100644 --- a/src/firejail/run_files.c +++ b/src/firejail/run_files.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c index 14667d9eb..e2847aea6 100644 --- a/src/firejail/run_symlink.c +++ b/src/firejail/run_symlink.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 53b1e6914..96407d081 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -404,7 +404,6 @@ static void print_time(void) { | |||
404 | fmessage("Child process initialized in %.02f ms\n", delta); | 404 | fmessage("Child process initialized in %.02f ms\n", delta); |
405 | } | 405 | } |
406 | 406 | ||
407 | |||
408 | // check execute permissions for the program | 407 | // check execute permissions for the program |
409 | // this is done typically by the shell | 408 | // this is done typically by the shell |
410 | // we are here because of --shell=none | 409 | // we are here because of --shell=none |
@@ -461,10 +460,42 @@ static int ok_to_run(const char *program) { | |||
461 | return 0; | 460 | return 0; |
462 | } | 461 | } |
463 | 462 | ||
463 | static void close_file_descriptors(void) { | ||
464 | if (arg_keep_fd_all) | ||
465 | return; | ||
466 | |||
467 | if (arg_debug) | ||
468 | printf("Closing non-standard file descriptors\n"); | ||
469 | |||
470 | if (!cfg.keep_fd) { | ||
471 | close_all(NULL, 0); | ||
472 | return; | ||
473 | } | ||
474 | |||
475 | size_t sz = 0; | ||
476 | int *keep = str_to_int_array(cfg.keep_fd, &sz); | ||
477 | if (!keep) { | ||
478 | fprintf(stderr, "Error: invalid keep-fd option\n"); | ||
479 | exit(1); | ||
480 | } | ||
481 | close_all(keep, sz); | ||
482 | free(keep); | ||
483 | } | ||
484 | |||
485 | |||
464 | void start_application(int no_sandbox, int fd, char *set_sandbox_status) { | 486 | void start_application(int no_sandbox, int fd, char *set_sandbox_status) { |
465 | // set environment | 487 | if (no_sandbox == 0) { |
466 | if (no_sandbox == 0) | 488 | close_file_descriptors(); |
489 | |||
490 | // set nice and rlimits | ||
491 | if (arg_nice) | ||
492 | set_nice(cfg.nice); | ||
493 | set_rlimits(); | ||
494 | |||
467 | env_defaults(); | 495 | env_defaults(); |
496 | } | ||
497 | |||
498 | // set environment | ||
468 | env_apply_all(); | 499 | env_apply_all(); |
469 | 500 | ||
470 | // restore original umask | 501 | // restore original umask |
@@ -1018,6 +1049,9 @@ int sandbox(void* sandbox_arg) { | |||
1018 | // disable pulseaudio | 1049 | // disable pulseaudio |
1019 | pulseaudio_disable(); | 1050 | pulseaudio_disable(); |
1020 | 1051 | ||
1052 | // disable pipewire | ||
1053 | pipewire_disable(); | ||
1054 | |||
1021 | // disable /dev/snd | 1055 | // disable /dev/snd |
1022 | fs_dev_disable_sound(); | 1056 | fs_dev_disable_sound(); |
1023 | } | 1057 | } |
@@ -1252,12 +1286,6 @@ int sandbox(void* sandbox_arg) { | |||
1252 | #ifdef HAVE_APPARMOR | 1286 | #ifdef HAVE_APPARMOR |
1253 | set_apparmor(); | 1287 | set_apparmor(); |
1254 | #endif | 1288 | #endif |
1255 | |||
1256 | // set nice and rlimits | ||
1257 | if (arg_nice) | ||
1258 | set_nice(cfg.nice); | ||
1259 | set_rlimits(); | ||
1260 | |||
1261 | start_application(0, -1, set_sandbox_status); | 1289 | start_application(0, -1, set_sandbox_status); |
1262 | } | 1290 | } |
1263 | 1291 | ||
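Review bot: close_file_descriptors() at the top of start_application() (lines 487-488) closes every descriptor except the standard streams and the keep-fd list, yet start_application() also receives an `fd` parameter; sandbox() passes -1 (line 1289), and if any other caller passes a live descriptor with no_sandbox == 0 it is closed here before the rest of the function (which continues outside the hunk) can use it. Passing `fd` into close_file_descriptors() and skipping it like the standard streams, or documenting that callers must pass -1 whenever no_sandbox is 0, would make that contract explicit. A header comment on close_file_descriptors() would also help, e.g. `// drop descriptors inherited from the parent unless --keep-fd lists them (or is "all")`.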
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index 37111324a..a37943940 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -23,6 +23,7 @@ | |||
23 | #include <unistd.h> | 23 | #include <unistd.h> |
24 | #include <net/if.h> | 24 | #include <net/if.h> |
25 | #include <stdarg.h> | 25 | #include <stdarg.h> |
26 | #include <sys/resource.h> | ||
26 | #include <sys/wait.h> | 27 | #include <sys/wait.h> |
27 | #include "../include/seccomp.h" | 28 | #include "../include/seccomp.h" |
28 | 29 | ||
@@ -72,11 +73,8 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char * | |||
72 | } | 73 | } |
73 | 74 | ||
74 | // close all other file descriptors | 75 | // close all other file descriptors |
75 | if ((filtermask & SBOX_KEEP_FDS) == 0) { | 76 | if ((filtermask & SBOX_KEEP_FDS) == 0) |
76 | int i; | 77 | close_all(NULL, 0); |
77 | for (i = 3; i < FIREJAIL_MAX_FD; i++) | ||
78 | close(i); // close open files | ||
79 | } | ||
80 | 78 | ||
81 | umask(027); | 79 | umask(027); |
82 | 80 | ||
@@ -206,6 +204,11 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char * | |||
206 | if (filtermask & SBOX_USER) | 204 | if (filtermask & SBOX_USER) |
207 | drop_privs(1); | 205 | drop_privs(1); |
208 | else if (filtermask & SBOX_ROOT) { | 206 | else if (filtermask & SBOX_ROOT) { |
207 | // https://seclists.org/oss-sec/2021/q4/43 | ||
208 | struct rlimit tozero = { .rlim_cur = 0, .rlim_max = 0 }; | ||
209 | if (setrlimit(RLIMIT_CORE, &tozero)) | ||
210 | errExit("setrlimit"); | ||
211 | |||
209 | // elevate privileges in order to get grsecurity working | 212 | // elevate privileges in order to get grsecurity working |
210 | if (setreuid(0, 0)) | 213 | if (setreuid(0, 0)) |
211 | errExit("setreuid"); | 214 | errExit("setreuid"); |
@@ -292,7 +295,8 @@ int sbox_run_v(unsigned filtermask, char * const arg[]) { | |||
292 | if (waitpid(child, &status, 0) == -1 ) { | 295 | if (waitpid(child, &status, 0) == -1 ) { |
293 | errExit("waitpid"); | 296 | errExit("waitpid"); |
294 | } | 297 | } |
295 | if (WIFEXITED(status) && WEXITSTATUS(status) != 0) { | 298 | if (WIFSIGNALED(status) || |
299 | (WIFEXITED(status) && WEXITSTATUS(status) != 0)) { | ||
296 | fprintf(stderr, "Error: failed to run %s, exiting...\n", arg[0]); | 300 | fprintf(stderr, "Error: failed to run %s, exiting...\n", arg[0]); |
297 | exit(1); | 301 | exit(1); |
298 | } | 302 | } |
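Review bot: The RLIMIT_CORE block added at lines 207-210 is documented only by a URL; a comment stating the intent would survive link rot, e.g. `// disable core dumps before regaining root below, so the helper cannot be dumped while privileged`. The replacement of the close loop with close_all(NULL, 0) at line 77 also changes the failure mode: the old loop could not fail, while close_all() as added in util.c in this commit sleeps two seconds and exits when /proc/self/fd cannot be opened, so every sbox helper now depends on /proc being readable at that point. That is presumably always true where sbox runs, but a one-line comment at the call site noting the new dependency would save the next reader a trip to util.c.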
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index e02be29f1..0cd6ac7ec 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/selinux.c b/src/firejail/selinux.c index fa59882ed..0348cef4b 100644 --- a/src/firejail/selinux.c +++ b/src/firejail/selinux.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2020-2021 Firejail and systemd authors | 2 | * Copyright (C) 2020-2022 Firejail and systemd authors |
3 | * | 3 | * |
4 | * This file is part of firejail project, from systemd selinux-util.c | 4 | * This file is part of firejail project, from systemd selinux-util.c |
5 | * | 5 | * |
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c index d1be6eed4..44fdd58ab 100644 --- a/src/firejail/shutdown.c +++ b/src/firejail/shutdown.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index b993cb80c..c903841c5 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -119,6 +119,7 @@ static char *usage_str = | |||
119 | " --join-or-start=name|pid - join the sandbox or start a new one.\n" | 119 | " --join-or-start=name|pid - join the sandbox or start a new one.\n" |
120 | " --keep-config-pulse - disable automatic ~/.config/pulse init.\n" | 120 | " --keep-config-pulse - disable automatic ~/.config/pulse init.\n" |
121 | " --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n" | 121 | " --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n" |
122 | " --keep-fd - inherit open file descriptors to sandbox.\n" | ||
122 | " --keep-var-tmp - /var/tmp directory is untouched.\n" | 123 | " --keep-var-tmp - /var/tmp directory is untouched.\n" |
123 | " --list - list all sandboxes.\n" | 124 | " --list - list all sandboxes.\n" |
124 | #ifdef HAVE_FILE_TRANSFER | 125 | #ifdef HAVE_FILE_TRANSFER |
@@ -161,6 +162,7 @@ static char *usage_str = | |||
161 | " --nogroups - disable supplementary groups.\n" | 162 | " --nogroups - disable supplementary groups.\n" |
162 | " --noinput - disable input devices.\n" | 163 | " --noinput - disable input devices.\n" |
163 | " --nonewprivs - sets the NO_NEW_PRIVS prctl.\n" | 164 | " --nonewprivs - sets the NO_NEW_PRIVS prctl.\n" |
165 | " --noprinters - disable printers.\n" | ||
164 | " --noprofile - do not use a security profile.\n" | 166 | " --noprofile - do not use a security profile.\n" |
165 | #ifdef HAVE_USERNS | 167 | #ifdef HAVE_USERNS |
166 | " --noroot - install a user namespace with only the current user.\n" | 168 | " --noroot - install a user namespace with only the current user.\n" |
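Review bot: The new `--keep-fd` entry at line 122 shows no argument, while the profile keyword added in profile.c takes `all` or a descriptor list; neighbouring entries spell out their argument form (`--join-or-start=name|pid`), so this one should too, e.g. `" --keep-fd=all|fd,fd,... - inherit the listed open file descriptors into the sandbox.\n"`. The command-line parser is not visible here, so confirm the accepted syntax before editing the string.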
diff --git a/src/firejail/util.c b/src/firejail/util.c index c1c31b43c..79ebfa1dd 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |
@@ -209,6 +209,8 @@ static void clean_supplementary_groups(gid_t gid) { | |||
209 | if (!arg_no3d) { | 209 | if (!arg_no3d) { |
210 | copy_group_ifcont("render", groups, ngroups, | 210 | copy_group_ifcont("render", groups, ngroups, |
211 | new_groups, &new_ngroups, MAX_GROUPS); | 211 | new_groups, &new_ngroups, MAX_GROUPS); |
212 | copy_group_ifcont("vglusers", groups, ngroups, | ||
213 | new_groups, &new_ngroups, MAX_GROUPS); | ||
212 | } | 214 | } |
213 | 215 | ||
214 | if (!arg_noprinters) { | 216 | if (!arg_noprinters) { |
@@ -1398,6 +1400,52 @@ int bind_mount_path_to_fd(const char *srcname, int dst) { | |||
1398 | return rv; | 1400 | return rv; |
1399 | } | 1401 | } |
1400 | 1402 | ||
1403 | void close_all(int *keep_list, size_t sz) { | ||
1404 | DIR *dir; | ||
1405 | if (!(dir = opendir("/proc/self/fd"))) { | ||
1406 | // sleep 2 seconds and try again | ||
1407 | sleep(2); | ||
1408 | if (!(dir = opendir("/proc/self/fd"))) { | ||
1409 | fprintf(stderr, "Error: cannot open /proc/self/fd directory\n"); | ||
1410 | exit(1); | ||
1411 | } | ||
1412 | } | ||
1413 | struct dirent *entry; | ||
1414 | while ((entry = readdir(dir)) != NULL) { | ||
1415 | if (strcmp(entry->d_name, ".") == 0 || | ||
1416 | strcmp(entry->d_name, "..") == 0) | ||
1417 | continue; | ||
1418 | |||
1419 | int fd = atoi(entry->d_name); | ||
1420 | |||
1421 | // don't close standard streams | ||
1422 | if (fd == STDIN_FILENO || | ||
1423 | fd == STDOUT_FILENO || | ||
1424 | fd == STDERR_FILENO) | ||
1425 | continue; | ||
1426 | |||
1427 | if (fd == dirfd(dir)) | ||
1428 | continue; // just postponed | ||
1429 | |||
1430 | // dont't close file descriptors in keep list | ||
1431 | int keep = 0; | ||
1432 | if (keep_list) { | ||
1433 | size_t i; | ||
1434 | for (i = 0; i < sz; i++) { | ||
1435 | if (keep_list[i] == fd) { | ||
1436 | keep = 1; | ||
1437 | break; | ||
1438 | } | ||
1439 | } | ||
1440 | } | ||
1441 | if (keep) | ||
1442 | continue; | ||
1443 | |||
1444 | close(fd); | ||
1445 | } | ||
1446 | closedir(dir); | ||
1447 | } | ||
1448 | |||
1401 | int has_handler(pid_t pid, int signal) { | 1449 | int has_handler(pid_t pid, int signal) { |
1402 | if (signal > 0 && signal <= SIGRTMAX) { | 1450 | if (signal > 0 && signal <= SIGRTMAX) { |
1403 | char *fname; | 1451 | char *fname; |
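Review bot: close_all() closes descriptors while readdir() is still iterating /proc/self/fd (lines 1414-1445); removing entries from a directory during a readdir() walk is permitted to make later entries appear or disappear, so a descriptor may survive the sweep. Collecting the numbers first, closing the directory, and only then closing the collected descriptors avoids that, and strtol() instead of atoi() at line 1419 rejects ".", ".." and any unexpected entry explicitly rather than relying on atoi() returning 0 for them. Where the kernel and libc provide close_range(2), it could replace the whole walk for the no-keep-list case. The two-second sleep-and-retry at line 1407 also deserves a comment explaining which failure it is meant to paper over.
```c
void close_all(int *keep_list, size_t sz) {
	// … unchanged: opendir("/proc/self/fd") with retry and error exit …

	// collect first: closing descriptors while readdir() walks the
	// same directory can make it skip entries
	int *fds = NULL;
	size_t nfds = 0, cap = 0;
	struct dirent *entry;
	while ((entry = readdir(dir)) != NULL) {
		char *end;
		long fd = strtol(entry->d_name, &end, 10);
		if (end == entry->d_name || *end != '\0')
			continue; // ".", ".." or an unexpected entry

		// don't close standard streams, nor the directory we are reading
		if (fd == STDIN_FILENO || fd == STDOUT_FILENO ||
		    fd == STDERR_FILENO || fd == dirfd(dir))
			continue;

		if (nfds == cap) {
			cap = cap ? cap * 2 : 64;
			int *tmp = realloc(fds, cap * sizeof *fds);
			if (!tmp)
				errExit("realloc");
			fds = tmp;
		}
		fds[nfds++] = (int) fd;
	}
	closedir(dir);

	size_t i;
	for (i = 0; i < nfds; i++) {
		// … unchanged: keep_list scan, continue when fds[i] is kept …
		close(fds[i]);
	}
	free(fds);
}
```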
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 896aa2fd3..f173b6672 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
@@ -1,5 +1,5 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2021 Firejail Authors | 2 | * Copyright (C) 2014-2022 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
5 | * | 5 | * |