Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/checkcfg.c | 9 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 34 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 14 | ||||
-rw-r--r-- | src/include/syscall.h | 34 |
5 files changed, 77 insertions, 15 deletions
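--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -92,6 +92,15 @@ int checkcfg(int val) {
 else
 goto errout;
 }
+// join
+else if (strncmp(ptr, "join ", 5) == 0) {
+if (strcmp(ptr + 5, "yes") == 0)
+cfg_val[CFG_JOIN] = 1;
+else if (strcmp(ptr + 5, "no") == 0)
+cfg_val[CFG_JOIN] = 0;
+else
+goto errout;
+}
 // x11
 else if (strncmp(ptr, "x11 ", 4) == 0) {
 if (strcmp(ptr + 4, "yes") == 0)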
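Review bot: The new `join` branch sets `cfg_val[CFG_JOIN]` only when the key is present, and its default is not visible in this hunk, although main.c now refuses `--join=` for non-root users whenever `checkcfg(CFG_JOIN)` returns 0. Confirm that the default is set explicitly alongside the other defaults (presumably earlier in checkcfg(), which starts and ends outside the hunk) and that the shipped configuration file documents the key; the diffstat here is limited to src, so that may already be done. The comment would be more useful as `// join: allow non-root users to use --join (root is always allowed)` than as `// join`.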
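--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -686,6 +686,7 @@ enum {
 CFG_FOLLOW_SYMLINK_PRIVATE_BIN,
 CFG_DISABLE_MNT,
 CFG_CACHE_TMPFS,
+CFG_JOIN,
 CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;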
diff --git a/src/firejail/main.c b/src/firejail/main.c index db9a9c8cb..3dcc5c62d 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -615,23 +615,27 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
615 | } | 615 | } |
616 | #endif | 616 | #endif |
617 | else if (strncmp(argv[i], "--join=", 7) == 0) { | 617 | else if (strncmp(argv[i], "--join=", 7) == 0) { |
618 | logargs(argc, argv); | 618 | if (checkcfg(CFG_JOIN) || getuid() == 0) { |
619 | 619 | logargs(argc, argv); | |
620 | if (arg_shell_none) { | 620 | |
621 | if (argc <= (i+1)) { | 621 | if (arg_shell_none) { |
622 | fprintf(stderr, "Error: --shell=none set, but no command specified\n"); | 622 | if (argc <= (i+1)) { |
623 | exit(1); | 623 | fprintf(stderr, "Error: --shell=none set, but no command specified\n"); |
624 | exit(1); | ||
625 | } | ||
626 | cfg.original_program_index = i + 1; | ||
624 | } | 627 | } |
625 | cfg.original_program_index = i + 1; | 628 | |
629 | if (!cfg.shell && !arg_shell_none) | ||
630 | cfg.shell = guess_shell(); | ||
631 | |||
632 | // join sandbox by pid or by name | ||
633 | pid_t pid = read_pid(argv[i] + 7); | ||
634 | join(pid, argc, argv, i + 1); | ||
635 | exit(0); | ||
626 | } | 636 | } |
627 | 637 | else | |
628 | if (!cfg.shell && !arg_shell_none) | 638 | exit_err_feature("join"); |
629 | cfg.shell = guess_shell(); | ||
630 | |||
631 | // join sandbox by pid or by name | ||
632 | pid_t pid = read_pid(argv[i] + 7); | ||
633 | join(pid, argc, argv, i + 1); | ||
634 | exit(0); | ||
635 | 639 | ||
636 | } | 640 | } |
637 | else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { | 641 | else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { |
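Review bot: The `checkcfg(CFG_JOIN) || getuid() == 0` gate is applied only inside the `--join=` branch, while the `--join-or-start=` branch that begins on the last line of this hunk has its body outside the visible change. If that branch, or any other join variant, also ends up calling `join()`, an administrator who sets `join no` has not actually disabled joining for unprivileged users. Putting the policy in one place, for example at the top of `join()` or in a helper called by every branch as `if (!checkcfg(CFG_JOIN) && getuid() != 0) exit_err_feature("join");`, would close that gap and avoid re-indenting the whole branch. That root bypasses the switch is a policy decision and deserves a one-line comment next to the test. run_cmd_and_exit() starts and ends outside this hunk.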
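--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -742,6 +742,20 @@ int sandbox(void* sandbox_arg) {
 else {
 // private-tmp is implemented as a whitelist
 EUID_USER();
+// check XAUTHORITY file, KDE keeps it under /tmp
+char *xauth = getenv("XAUTHORITY");
+if (xauth) {
+char *rp = realpath(xauth, NULL);
+if (rp && strncmp(rp, "/tmp/", 5) == 0) {
+char *cmd;
+if (asprintf(&cmd, "whitelist %s", rp) == -1)
+errExit("asprintf");
+profile_add(cmd); // profile_add does not duplicate the string
+}
+if (rp)
+free(rp);
+}
+// whitelist x11 directory
 profile_add("whitelist /tmp/.X11-unix");
 EUID_ROOT();
 }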
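Review bot: `XAUTHORITY` is taken from the caller's environment, and the only test before it becomes a `whitelist` line is that the resolved path starts with `/tmp/`, so any existing path under /tmp, presumably including a directory, is added to the private-tmp view. Require a regular file before adding it, e.g. declare `struct stat s;` and test `if (rp && strncmp(rp, "/tmp/", 5) == 0 && stat(rp, &s) == 0 && S_ISREG(s.st_mode)) {`. Whether an ownership test such as `s.st_uid == getuid()` is also needed depends on how the whitelist code treats files owned by other users, which is not visible here. `if (rp) free(rp);` can be plain `free(rp);`. sandbox() starts and ends outside this hunk.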
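--- a/src/include/syscall.h
+++ b/src/include/syscall.h
@@ -1076,6 +1076,11 @@
 {"preadv", __NR_preadv},
 #endif
 #endif
+#ifdef SYS_preadv2
+#ifdef __NR_preadv2
+{"preadv2", __NR_preadv2},
+#endif
+#endif
 #ifdef SYS_prlimit64
 #ifdef __NR_prlimit64
 {"prlimit64", __NR_prlimit64},
@@ -1126,6 +1131,11 @@
 {"pwritev", __NR_pwritev},
 #endif
 #endif
+#ifdef SYS_pwritev2
+#ifdef __NR_pwritev2
+{"pwritev2", __NR_pwritev2},
+#endif
+#endif
 #ifdef SYS_query_module
 #ifdef __NR_query_module
 {"query_module", __NR_query_module},
@@ -1892,6 +1902,7 @@
 #endif
 #endif
 #endif
+//#endif
 #if defined __x86_64__ && defined __LP64__
 #ifdef SYS__sysctl
 #ifdef __NR__sysctl
@@ -2828,6 +2839,11 @@
 {"preadv", __NR_preadv},
 #endif
 #endif
+#ifdef SYS_preadv2
+#ifdef __NR_preadv2
+{"preadv2", __NR_preadv2},
+#endif
+#endif
 #ifdef SYS_prlimit64
 #ifdef __NR_prlimit64
 {"prlimit64", __NR_prlimit64},
@@ -2868,6 +2884,11 @@
 {"pwritev", __NR_pwritev},
 #endif
 #endif
+#ifdef SYS_pwritev2
+#ifdef __NR_pwritev2
+{"pwritev2", __NR_pwritev2},
+#endif
+#endif
 #ifdef SYS_query_module
 #ifdef __NR_query_module
 {"query_module", __NR_query_module},
@@ -3529,6 +3550,7 @@
 #endif
 #endif
 #endif
+//#endif
 #if defined __x86_64__ && defined __ILP32__
 #ifdef SYS_accept
 #ifdef __NR_accept
@@ -4430,6 +4452,11 @@
 {"preadv", __NR_preadv},
 #endif
 #endif
+#ifdef SYS_preadv2
+#ifdef __NR_preadv2
+{"preadv2", __NR_preadv2},
+#endif
+#endif
 #ifdef SYS_prlimit64
 #ifdef __NR_prlimit64
 {"prlimit64", __NR_prlimit64},
@@ -4470,6 +4497,11 @@
 {"pwritev", __NR_pwritev},
 #endif
 #endif
+#ifdef SYS_pwritev2
+#ifdef __NR_pwritev2
+{"pwritev2", __NR_pwritev2},
+#endif
+#endif
 #ifdef SYS_quotactl
 #ifdef __NR_quotactl
 {"quotactl", __NR_quotactl},
@@ -5111,3 +5143,5 @@
 #endif
 #endif
 #endif
+//#endif
+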
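Review bot: The three added `//#endif` lines (new lines 1905, 3553 and 5146) are commented-out preprocessor directives with no explanation, in a header that consists almost entirely of nested `#ifdef`/`#endif` pairs. Each sits at what looks like the boundary between two architecture blocks, so a reader cannot tell whether a conditional was meant to close there or whether the line is a leftover. Either delete them or replace each with a comment that names the architecture block ending at that point; if this header is generated, the fix belongs in the generator rather than in the file. The `preadv2` and `pwritev2` entries follow the existing `SYS_`/`__NR_` guard pattern.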