Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/Makefile.in | 6 | ||||
-rw-r--r-- | src/lib/common.c | 85 | ||||
-rw-r--r-- | src/lib/libnetlink.c | 4 | ||||
-rw-r--r-- | src/lib/pid.c | 17 |
4 files changed, 96 insertions, 16 deletions
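--- a/src/lib/Makefile.in
+++ b/src/lib/Makefile.in
@@ -2,12 +2,14 @@ PREFIX=@prefix@
 VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@
 HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_GCOV=@HAVE_GCOV@
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 
 H_FILE_LIST = $(sort $(wildcard *.[h]))
 C_FILE_LIST = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS = $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
 LDFLAGS:=-pic -Wl,-z,relro -Wl,-z,now
 
 all: $(OBJS)
@@ -15,7 +17,7 @@ all: $(OBJS)
 %.o : %.c $(H_FILE_LIST)
 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@
 
-clean:; rm -f $(OBJS)
+clean:; rm -f $(OBJS) *.gcov *.gcda *.gcno
 
 distclean: clean
 rm -fr Makefile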
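Review bot: `EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@` at new line 6 is introduced but nothing in this hunk reads it — `LDFLAGS:=` on new line 13 is a plain assignment that does not include it, and the visible rules only build objects (`all: $(OBJS)`), so if the variable is meant to carry coverage or hardening flags at link time it has to be referenced where the final link happens, presumably outside src/lib. `$(HAVE_GCOV)` is also appended to a CFLAGS line that keeps `-O2`; coverage collected from optimized code attributes lines less reliably, so a gcov-enabled configuration may want to drop to `-O0` (a configure-side decision, not this file).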
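--- a/src/lib/common.c
+++ b/src/lib/common.c
@@ -199,3 +199,88 @@ char *pid_proc_cmdline(const pid_t pid) {
 }
 return rv;
 }
+
+// return 1 if firejail --x11 on command line
+int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid) {
+// if comm is not firejail return 0
+char *comm = pid_proc_comm(pid);
+if (strcmp(comm, "firejail") != 0) {
+free(comm);
+return 0;
+}
+free(comm);
+
+// open /proc/pid/cmdline file
+char *fname;
+int fd;
+if (asprintf(&fname, "/proc/%d/cmdline", pid) == -1)
+return 0;
+if ((fd = open(fname, O_RDONLY)) < 0) {
+free(fname);
+return 0;
+}
+free(fname);
+
+// read file
+unsigned char buffer[BUFLEN];
+ssize_t len;
+if ((len = read(fd, buffer, sizeof(buffer) - 1)) <= 0) {
+close(fd);
+return 0;
+}
+buffer[len] = '\0';
+close(fd);
+
+// skip the first argument
+int i;
+for (i = 0; buffer[i] != '\0'; i++);
+
+// parse remaining command line options
+while (1) {
+// extract argument
+i++;
+if (i >= len)
+break;
+char *arg = (char *)buffer + i;
+
+// detect the last command line option
+if (strcmp(arg, "--") == 0)
+break;
+if (strncmp(arg, "--", 2) != 0)
+break;
+
+if (strcmp(arg, "--x11=xorg") == 0)
+return 0;
+
+// check x11 xpra or xephyr
+if (strncmp(arg, "--x11", 5) == 0)
+return 1;
+i += strlen(arg);
+}
+return 0;
+}
+
+// return 1 if /proc is mounted hidepid, or if /proc/mouns access is denied
+#define BUFLEN 4096
+int pid_hidepid(void) {
+FILE *fp = fopen("/proc/mounts", "r");
+if (!fp)
+return 1;
+
+char buf[BUFLEN];
+while (fgets(buf, BUFLEN, fp)) {
+if (strstr(buf, "proc /proc proc")) {
+fclose(fp);
+// check hidepid
+if (strstr(buf, "hidepid=2") || strstr(buf, "hidepid=1"))
+return 1;
+return 0;
+}
+}
+
+fclose(fp);
+return 0;
+}
+
+
+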
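Review bot: `comm` returned by pid_proc_comm() at new line 206 is handed to strcmp() without a NULL check; pid_proc_comm() is not in this diff, but if it can return NULL (a process that exits between the scan and the read, or one hidden by hidepid), pid_proc_cmdline_x11_xpra_xephyr() dereferences NULL here. Add `if (!comm) return 0;` before the strcmp. The `#define BUFLEN 4096` at line 264 sits between the comment for pid_hidepid() and its definition, and BUFLEN is already used at line 225 in the function above, so it must be defined earlier in common.c — this is a redundant re-definition that should be dropped or moved to the top of the file. The header comment at line 203 would be more accurate as `// return 1 if firejail --x11 (other than --x11=xorg) is on the command line`, since that is what the `--x11=xorg` early return at line 252 makes it do. pid_hidepid() at line 275 only matches `hidepid=1` and `hidepid=2`; newer kernels also accept `hidepid=invisible` and `hidepid=ptraceable`, which this check would report as not hidden.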
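--- a/src/lib/libnetlink.c
+++ b/src/lib/libnetlink.c
@@ -723,7 +723,7 @@ int rta_addattr32(struct rtattr *rta, int maxlen, int type, __u32 data)
 int len = RTA_LENGTH(4);
 struct rtattr *subrta;
 
-if (RTA_ALIGN(rta->rta_len) + len > maxlen) {
+if ((int) (RTA_ALIGN(rta->rta_len) + len) > maxlen) {
 fprintf(stderr,"rta_addattr32: Error! max allowed bound %d exceeded\n",maxlen);
 return -1;
 }
@@ -741,7 +741,7 @@ int rta_addattr_l(struct rtattr *rta, int maxlen, int type,
 struct rtattr *subrta;
 int len = RTA_LENGTH(alen);
 
-if (RTA_ALIGN(rta->rta_len) + RTA_ALIGN(len) > maxlen) {
+if ((int) (RTA_ALIGN(rta->rta_len) + RTA_ALIGN(len)) > maxlen) {
 fprintf(stderr,"rta_addattr_l: Error! max allowed bound %d exceeded\n",maxlen);
 return -1;
 }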
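Review bot: The `(int)` cast added at lines 726 and 744 silences the signed/unsigned comparison warning by moving the bound check into the signed domain, which is weaker than what it replaces: before, an oversized or wrapped length compared as unsigned could never be below `maxlen`, whereas a sum that casts to a negative `int` now passes. In rta_addattr32 this is unreachable because `rta_len` is a 16-bit field and `len` comes from `RTA_LENGTH(4)`, but in rta_addattr_l `len` is derived from the caller-supplied `alen` (declared outside the hunk), so a negative or near-INT_MAX `alen` would slip through if `RTA_ALIGN` evaluates unsigned as it does in the kernel headers. Keeping the comparison unsigned and rejecting a negative bound instead, `if (maxlen < 0 || RTA_ALIGN(rta->rta_len) + RTA_ALIGN(len) > (unsigned) maxlen) {`, fixes the warning without narrowing the check; the same applies to the first hunk. Both functions start and end outside their hunks.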
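--- a/src/lib/pid.c
+++ b/src/lib/pid.c
@@ -29,7 +29,6 @@
 //Process pids[max_pids];
 Process *pids = NULL;
 int max_pids=32769;
-#define PIDS_BUFLEN 4096
 
 // get the memory associated with this pid
 void pid_getmem(unsigned pid, unsigned *rss, unsigned *shared) {
@@ -340,18 +339,12 @@ void pid_read(pid_t mon_pid) {
 exit(1);
 }
 
-if (mon_pid == 0 && strncmp(ptr, "firejail", 8) == 0) {
-pids[pid].level = 1;
-}
-else if (mon_pid == pid && strncmp(ptr, "firejail", 8) == 0) {
+if ((strncmp(ptr, "firejail", 8) == 0) && (mon_pid == 0 || mon_pid == pid)) {
+if (pid_proc_cmdline_x11_xpra_xephyr(pid))
+pids[pid].level = -1;
+else
 pids[pid].level = 1;
 }
-// else if (mon_pid == 0 && strncmp(ptr, "lxc-execute", 11) == 0) {
-// pids[pid].level = 1;
-// }
-// else if (mon_pid == pid && strncmp(ptr, "lxc-execute", 11) == 0) {
-// pids[pid].level = 1;
-// }
 else
 pids[pid].level = -1;
 }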
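Review bot: The new branch at lines 342–346 assigns level -1 to a firejail process started with --x11 without a comment saying why such processes are treated like non-firejail ones; a one-liner such as `// firejail --x11 (xpra/xephyr) wrappers are not counted as sandbox roots` would make the intent readable (what level -1 means is decided outside this hunk, so adjust the wording to match). pid_proc_cmdline_x11_xpra_xephyr() calls pid_proc_comm(pid) again although `ptr` here looks like the comm that was just matched, so every matching process pays for a second open/read; if the helper's interface can change, passing the known comm or checking only cmdline would avoid that. Hunk 1 drops `#define PIDS_BUFLEN 4096`, which is fine only if no use of it survives elsewhere in pid.c — worth confirming since the rest of the file is not in the diff. pid_read() starts and ends outside the hunk.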