1 files changed, 113 insertions, 0 deletions
diff --git a/src/jailcheck/noexec.c b/src/jailcheck/noexec.c
new file mode 100644
index 000000000..7f994d6a1
--- /dev/null
+++ b/src/jailcheck/noexec.c
@@ -0,0 +1,113 @@
+/*
+ * Copyright (C) 2014-2021 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "jailcheck.h"
+#include <sys/wait.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+static unsigned char *execfile = NULL;
+static int execfile_len = 0;
+void noexec_setup(void) {
+        // grab a copy of myself
+        char *self = realpath("/proc/self/exe", NULL);
+        if (self) {
+                struct stat s;
+                if (access(self, X_OK) == 0 && stat(self, &s) == 0) {
+                        assert(s.st_size);
+                        execfile = malloc(s.st_size);
+                        int fd = open(self, O_RDONLY);
+                        if (fd == -1)
+                                errExit("open");
+                        int len = 0;
+                        do {
+                                int rv = read(fd, execfile + len, s.st_size - len);
+                                if (rv == -1)
+                                        errExit("read");
+                                if (rv == 0) {
+                                        // something went wrong!
+                                        free(execfile);
+                                        execfile = NULL;
+                                        printf("Warning: I cannot grab a copy of myself, skipping noexec test...\n");
+                                        break;
+                                }
+                                len += rv;
+                        }
+                        while (len < s.st_size);
+                        execfile_len = s.st_size;
+                        close(fd);
+                }
+        }
+}
+void noexec_test(const char *path) {
+        assert(user_uid);
+        // I am root in sandbox mount namespace
+        if (!execfile)
+                return;
+        char *fname;
+        if (asprintf(&fname, "%s/jailcheck-noexec-%d", path, getpid()) == -1)
+                errExit("asprintf");
+        pid_t child = fork();
+        if (child == -1)
+                errExit("fork");
+        if (child == 0) { // child
+                // drop privileges
+                if (setgid(user_gid) != 0)
+                        errExit("setgid");
+                if (setuid(user_uid) != 0)
+                        errExit("setuid");
+                int fd = open(fname, O_CREAT | O_TRUNC | O_WRONLY, 0700);
+                if (fd == -1) {
+                        printf("   I cannot create files in %s, skipping noexec...\n", path);
+                        exit(1);
+                }
+                int len = 0;
+                while (len < execfile_len) {
+                        int rv = write(fd, execfile + len, execfile_len - len);
+                        if (rv == -1 || rv == 0) {
+                                printf("   I cannot create files in %s, skipping noexec....\n", path);
+                                exit(1);
+                        }
+                        len += rv;
+                }
+                fchmod(fd, 0700);
+                close(fd);
+                char *arg;
+                if (asprintf(&arg, "--hello=%s", path) == -1)
+                        errExit("asprintf");
+                int rv = execl(fname, fname, arg, NULL);
+                (void) rv; // if we get here execl failed
+                exit(0);
+        }
+        int status;
+        wait(&status);
+        int rv = unlink(fname);
+        (void) rv;
+}
+\ No newline at end of file

diff --git a/src/jailcheck/noexec.c b/src/jailcheck/noexec.c new file mode 100644 index 000000000..7f994d6a1 --- /dev/null +++ b/src/jailcheck/noexec.c
@@ -0,0 +1,113 @@
	1	/*
	2	* Copyright (C) 2014-2021 Firejail Authors
	3	*
	4	* This file is part of firejail project
	5	*
	6	* This program is free software; you can redistribute it and/or modify
	7	* it under the terms of the GNU General Public License as published by
	8	* the Free Software Foundation; either version 2 of the License, or
	9	* (at your option) any later version.
	10	*
	11	* This program is distributed in the hope that it will be useful,
	12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	14	* GNU General Public License for more details.
	15	*
	16	* You should have received a copy of the GNU General Public License along
	17	* with this program; if not, write to the Free Software Foundation, Inc.,
	18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
	19	*/
	20	#include "jailcheck.h"
	21	#include <sys/wait.h>
	22	#include <sys/stat.h>
	23	#include <fcntl.h>
	24
	25	static unsigned char *execfile = NULL;
	26	static int execfile_len = 0;
	27
	28	void noexec_setup(void) {
	29	// grab a copy of myself
	30	char *self = realpath("/proc/self/exe", NULL);
	31	if (self) {
	32	struct stat s;
	33	if (access(self, X_OK) == 0 && stat(self, &s) == 0) {
	34	assert(s.st_size);
	35	execfile = malloc(s.st_size);
	36
	37	int fd = open(self, O_RDONLY);
	38	if (fd == -1)
	39	errExit("open");
	40	int len = 0;
	41	do {
	42	int rv = read(fd, execfile + len, s.st_size - len);
	43	if (rv == -1)
	44	errExit("read");
	45	if (rv == 0) {
	46	// something went wrong!
	47	free(execfile);
	48	execfile = NULL;
	49	printf("Warning: I cannot grab a copy of myself, skipping noexec test...\n");
	50	break;
	51	}
	52	len += rv;
	53	}
	54	while (len < s.st_size);
	55	execfile_len = s.st_size;
	56	close(fd);
	57	}
	58	}
	59	}
	60
	61
	62	void noexec_test(const char *path) {
	63	assert(user_uid);
	64
	65	// I am root in sandbox mount namespace
	66	if (!execfile)
	67	return;
	68
	69	char *fname;
	70	if (asprintf(&fname, "%s/jailcheck-noexec-%d", path, getpid()) == -1)
	71	errExit("asprintf");
	72
	73	pid_t child = fork();
	74	if (child == -1)
	75	errExit("fork");
	76
	77	if (child == 0) { // child
	78	// drop privileges
	79	if (setgid(user_gid) != 0)
	80	errExit("setgid");
	81	if (setuid(user_uid) != 0)
	82	errExit("setuid");
	83	int fd = open(fname, O_CREAT \| O_TRUNC \| O_WRONLY, 0700);
	84	if (fd == -1) {
	85	printf(" I cannot create files in %s, skipping noexec...\n", path);
	86	exit(1);
	87	}
	88
	89	int len = 0;
	90	while (len < execfile_len) {
	91	int rv = write(fd, execfile + len, execfile_len - len);
	92	if (rv == -1 \|\| rv == 0) {
	93	printf(" I cannot create files in %s, skipping noexec....\n", path);
	94	exit(1);
	95	}
	96	len += rv;
	97	}
	98	fchmod(fd, 0700);
	99	close(fd);
	100
	101	char *arg;
	102	if (asprintf(&arg, "--hello=%s", path) == -1)
	103	errExit("asprintf");
	104	int rv = execl(fname, fname, arg, NULL);
	105	(void) rv; // if we get here execl failed
	106	exit(0);
	107	}
	108
	109	int status;
	110	wait(&status);
	111	int rv = unlink(fname);
	112	(void) rv;
	113	} \ No newline at end of file