4 files changed, 96 insertions, 16 deletions
diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in
index 71f96bab1..5549aca11 100644
--- a/src/lib/Makefile.in
+++ b/src/lib/Makefile.in
@@ -2,12 +2,14 @@ PREFIX=@prefix@
 VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@
 HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_GCOV=@HAVE_GCOV@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 H_FILE_LIST       = $(sort $(wildcard *.[h]))
 C_FILE_LIST       = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS =  $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
 LDFLAGS:=-pic -Wl,-z,relro -Wl,-z,now 
 all: $(OBJS)
@@ -15,7 +17,7 @@ all: $(OBJS)
 %.o : %.c $(H_FILE_LIST)
        $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
-clean:; rm -f $(OBJS)
+clean:; rm -f $(OBJS) *.gcov *.gcda *.gcno
 distclean: clean
        rm -fr Makefile
diff --git a/src/lib/common.c b/src/lib/common.c
index 8ea926df1..2f2340963 100644
--- a/src/lib/common.c
+++ b/src/lib/common.c
@@ -199,3 +199,88 @@ char *pid_proc_cmdline(const pid_t pid) {
        }
        return rv;
 }
+// return 1 if firejail --x11 on command line
+int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid) {
+        // if comm is not firejail return 0
+        char *comm = pid_proc_comm(pid);
+        if (strcmp(comm, "firejail") != 0) {
+                free(comm);
+                return 0;
+        }
+        free(comm);
+        // open /proc/pid/cmdline file
+        char *fname;
+        int fd;
+        if (asprintf(&fname, "/proc/%d/cmdline", pid) == -1)
+                return 0;
+        if ((fd = open(fname, O_RDONLY)) < 0) {
+                free(fname);
+                return 0;
+        }
+        free(fname);
+        // read file
+        unsigned char buffer[BUFLEN];
+        ssize_t len;
+        if ((len = read(fd, buffer, sizeof(buffer) - 1)) <= 0) {
+                close(fd);
+                return 0;
+        }
+        buffer[len] = '\0';
+        close(fd);
+        // skip the first argument
+        int i;
+        for (i = 0; buffer[i] != '\0'; i++);
+        // parse remaining command line options
+        while (1) {
+                // extract argument
+                i++;
+                if (i >= len)
+                        break;
+                char *arg = (char *)buffer + i;
+                // detect the last command line option
+                if (strcmp(arg, "--") == 0)
+                        break;
+                if (strncmp(arg, "--", 2) != 0)
+                        break;
+                
+                if (strcmp(arg, "--x11=xorg") == 0)
+                        return 0;
+                
+                // check x11 xpra or xephyr
+                if (strncmp(arg, "--x11", 5) == 0)
+                        return 1;
+                i += strlen(arg);
+        }
+        return 0;
+}
+// return 1 if /proc is mounted hidepid, or if /proc/mouns access is denied
+#define BUFLEN 4096
+int pid_hidepid(void) {
+        FILE *fp = fopen("/proc/mounts", "r");
+        if (!fp)
+                return 1;
+                
+        char buf[BUFLEN];
+        while (fgets(buf, BUFLEN, fp)) {
+                if (strstr(buf, "proc /proc proc")) {
+                        fclose(fp);
+                        // check hidepid
+                        if (strstr(buf, "hidepid=2") || strstr(buf, "hidepid=1"))
+                                return 1;
+                        return 0;
+                }
+        }
+        
+        fclose(fp);
+        return 0;
+}
diff --git a/src/lib/libnetlink.c b/src/lib/libnetlink.c
index 07457eefe..836cf417d 100644
--- a/src/lib/libnetlink.c
+++ b/src/lib/libnetlink.c
@@ -723,7 +723,7 @@ int rta_addattr32(struct rtattr *rta, int maxlen, int type, __u32 data)
        int len = RTA_LENGTH(4);
        struct rtattr *subrta;
-        if (RTA_ALIGN(rta->rta_len) + len > maxlen) {
+        if ((int) (RTA_ALIGN(rta->rta_len) + len) > maxlen) {
                fprintf(stderr,"rta_addattr32: Error! max allowed bound %d exceeded\n",maxlen);
                return -1;
        }
@@ -741,7 +741,7 @@ int rta_addattr_l(struct rtattr *rta, int maxlen, int type,
        struct rtattr *subrta;
        int len = RTA_LENGTH(alen);
-        if (RTA_ALIGN(rta->rta_len) + RTA_ALIGN(len) > maxlen) {
+        if ((int) (RTA_ALIGN(rta->rta_len) + RTA_ALIGN(len)) > maxlen) {
                fprintf(stderr,"rta_addattr_l: Error! max allowed bound %d exceeded\n",maxlen);
                return -1;
        }
diff --git a/src/lib/pid.c b/src/lib/pid.c
index d1ade389e..ed583c51d 100644
--- a/src/lib/pid.c
+++ b/src/lib/pid.c
@@ -29,7 +29,6 @@
 //Process pids[max_pids];
 Process *pids = NULL;
 int max_pids=32769;
-#define PIDS_BUFLEN 4096
 // get the memory associated with this pid
 void pid_getmem(unsigned pid, unsigned *rss, unsigned *shared) {
@@ -340,18 +339,12 @@ void pid_read(pid_t mon_pid) {
                                        exit(1);
                                }
-                                if (mon_pid == 0 && strncmp(ptr, "firejail", 8) == 0) {
+                                if ((strncmp(ptr, "firejail", 8) == 0) && (mon_pid == 0 || mon_pid == pid)) {
-                                        pids[pid].level = 1;
+                                        if (pid_proc_cmdline_x11_xpra_xephyr(pid))
-                                }
+                                                pids[pid].level = -1;
-                                else if (mon_pid == pid && strncmp(ptr, "firejail", 8) == 0) {
+                                        else
-                                        pids[pid].level = 1;
+                                                pids[pid].level = 1;
                                }
-//                              else if (mon_pid == 0 && strncmp(ptr, "lxc-execute", 11) == 0) {
-//                                      pids[pid].level = 1;
-//                              }
-//                              else if (mon_pid == pid && strncmp(ptr, "lxc-execute", 11) == 0) {
-//                                      pids[pid].level = 1;
-//                              }
                                else
                                        pids[pid].level = -1;
                        }

diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in index 71f96bab1..5549aca11 100644 --- a/src/lib/Makefile.in +++ b/src/lib/Makefile.in
@@ -2,12 +2,14 @@ PREFIX=@prefix@
2	VERSION=@PACKAGE_VERSION@	2	VERSION=@PACKAGE_VERSION@
3	NAME=@PACKAGE_NAME@	3	NAME=@PACKAGE_NAME@
4	HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@	4	HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
		5	HAVE_GCOV=@HAVE_GCOV@
		6	EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
5		7
6	H_FILE_LIST = $(sort $(wildcard *.[h]))	8	H_FILE_LIST = $(sort $(wildcard *.[h]))
7	C_FILE_LIST = $(sort $(wildcard *.c))	9	C_FILE_LIST = $(sort $(wildcard *.c))
8	OBJS = $(C_FILE_LIST:.c=.o)	10	OBJS = $(C_FILE_LIST:.c=.o)
9	BINOBJS = $(foreach file, $(OBJS), $file)	11	BINOBJS = $(foreach file, $(OBJS), $file)
10	CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security	12	CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
11	LDFLAGS:=-pic -Wl,-z,relro -Wl,-z,now	13	LDFLAGS:=-pic -Wl,-z,relro -Wl,-z,now
12		14
13	all: $(OBJS)	15	all: $(OBJS)
@@ -15,7 +17,7 @@ all: $(OBJS)
15	%.o : %.c $(H_FILE_LIST)	17	%.o : %.c $(H_FILE_LIST)
16	$(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@	18	$(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
17		19
18	clean:; rm -f $(OBJS)	20	clean:; rm -f $(OBJS) .gcov .gcda *.gcno
19		21
20	distclean: clean	22	distclean: clean
21	rm -fr Makefile	23	rm -fr Makefile


diff --git a/src/lib/common.c b/src/lib/common.c index 8ea926df1..2f2340963 100644 --- a/src/lib/common.c +++ b/src/lib/common.c
@@ -199,3 +199,88 @@ char *pid_proc_cmdline(const pid_t pid) {
199	}	199	}
200	return rv;	200	return rv;
201	}	201	}
		202
		203	// return 1 if firejail --x11 on command line
		204	int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid) {
		205	// if comm is not firejail return 0
		206	char *comm = pid_proc_comm(pid);
		207	if (strcmp(comm, "firejail") != 0) {
		208	free(comm);
		209	return 0;
		210	}
		211	free(comm);
		212
		213	// open /proc/pid/cmdline file
		214	char *fname;
		215	int fd;
		216	if (asprintf(&fname, "/proc/%d/cmdline", pid) == -1)
		217	return 0;
		218	if ((fd = open(fname, O_RDONLY)) < 0) {
		219	free(fname);
		220	return 0;
		221	}
		222	free(fname);
		223
		224	// read file
		225	unsigned char buffer[BUFLEN];
		226	ssize_t len;
		227	if ((len = read(fd, buffer, sizeof(buffer) - 1)) <= 0) {
		228	close(fd);
		229	return 0;
		230	}
		231	buffer[len] = '\0';
		232	close(fd);
		233
		234	// skip the first argument
		235	int i;
		236	for (i = 0; buffer[i] != '\0'; i++);
		237
		238	// parse remaining command line options
		239	while (1) {
		240	// extract argument
		241	i++;
		242	if (i >= len)
		243	break;
		244	char arg = (char )buffer + i;
		245
		246	// detect the last command line option
		247	if (strcmp(arg, "--") == 0)
		248	break;
		249	if (strncmp(arg, "--", 2) != 0)
		250	break;
		251
		252	if (strcmp(arg, "--x11=xorg") == 0)
		253	return 0;
		254
		255	// check x11 xpra or xephyr
		256	if (strncmp(arg, "--x11", 5) == 0)
		257	return 1;
		258	i += strlen(arg);
		259	}
		260	return 0;
		261	}
		262
		263	// return 1 if /proc is mounted hidepid, or if /proc/mouns access is denied
		264	#define BUFLEN 4096
		265	int pid_hidepid(void) {
		266	FILE *fp = fopen("/proc/mounts", "r");
		267	if (!fp)
		268	return 1;
		269
		270	char buf[BUFLEN];
		271	while (fgets(buf, BUFLEN, fp)) {
		272	if (strstr(buf, "proc /proc proc")) {
		273	fclose(fp);
		274	// check hidepid
		275	if (strstr(buf, "hidepid=2") \|\| strstr(buf, "hidepid=1"))
		276	return 1;
		277	return 0;
		278	}
		279	}
		280
		281	fclose(fp);
		282	return 0;
		283	}
		284
		285
		286


diff --git a/src/lib/libnetlink.c b/src/lib/libnetlink.c index 07457eefe..836cf417d 100644 --- a/src/lib/libnetlink.c +++ b/src/lib/libnetlink.c
@@ -723,7 +723,7 @@ int rta_addattr32(struct rtattr *rta, int maxlen, int type, __u32 data)
723	int len = RTA_LENGTH(4);	723	int len = RTA_LENGTH(4);
724	struct rtattr *subrta;	724	struct rtattr *subrta;
725		725
726	if (RTA_ALIGN(rta->rta_len) + len > maxlen) {	726	if ((int) (RTA_ALIGN(rta->rta_len) + len) > maxlen) {
727	fprintf(stderr,"rta_addattr32: Error! max allowed bound %d exceeded\n",maxlen);	727	fprintf(stderr,"rta_addattr32: Error! max allowed bound %d exceeded\n",maxlen);
728	return -1;	728	return -1;
729	}	729	}
@@ -741,7 +741,7 @@ int rta_addattr_l(struct rtattr *rta, int maxlen, int type,
741	struct rtattr *subrta;	741	struct rtattr *subrta;
742	int len = RTA_LENGTH(alen);	742	int len = RTA_LENGTH(alen);
743		743
744	if (RTA_ALIGN(rta->rta_len) + RTA_ALIGN(len) > maxlen) {	744	if ((int) (RTA_ALIGN(rta->rta_len) + RTA_ALIGN(len)) > maxlen) {
745	fprintf(stderr,"rta_addattr_l: Error! max allowed bound %d exceeded\n",maxlen);	745	fprintf(stderr,"rta_addattr_l: Error! max allowed bound %d exceeded\n",maxlen);
746	return -1;	746	return -1;
747	}	747	}


diff --git a/src/lib/pid.c b/src/lib/pid.c index d1ade389e..ed583c51d 100644 --- a/src/lib/pid.c +++ b/src/lib/pid.c
@@ -29,7 +29,6 @@
29	//Process pids[max_pids];	29	//Process pids[max_pids];
30	Process *pids = NULL;	30	Process *pids = NULL;
31	int max_pids=32769;	31	int max_pids=32769;
32	#define PIDS_BUFLEN 4096
33		32
34	// get the memory associated with this pid	33	// get the memory associated with this pid
35	void pid_getmem(unsigned pid, unsigned rss, unsigned shared) {	34	void pid_getmem(unsigned pid, unsigned rss, unsigned shared) {
@@ -340,18 +339,12 @@ void pid_read(pid_t mon_pid) {
340	exit(1);	339	exit(1);
341	}	340	}
342		341
343	if (mon_pid == 0 && strncmp(ptr, "firejail", 8) == 0) {	342	if ((strncmp(ptr, "firejail", 8) == 0) && (mon_pid == 0 \|\| mon_pid == pid)) {
344	pids[pid].level = 1;	343	if (pid_proc_cmdline_x11_xpra_xephyr(pid))
345	}	344	pids[pid].level = -1;
346	else if (mon_pid == pid && strncmp(ptr, "firejail", 8) == 0) {	345	else
347	pids[pid].level = 1;	346	pids[pid].level = 1;
348	}	347	}
349	// else if (mon_pid == 0 && strncmp(ptr, "lxc-execute", 11) == 0) {
350	// pids[pid].level = 1;
351	// }
352	// else if (mon_pid == pid && strncmp(ptr, "lxc-execute", 11) == 0) {
353	// pids[pid].level = 1;
354	// }
355	else	348	else
356	pids[pid].level = -1;	349	pids[pid].level = -1;
357	}	350	}