diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/main.c | 128 |
1 files changed, 52 insertions, 76 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c index e100e1f2c..3c061e607 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -158,21 +158,37 @@ static void my_handler(int s){ | |||
158 | myexit(1); | 158 | myexit(1); |
159 | } | 159 | } |
160 | 160 | ||
161 | // return 1 if error, 0 if a valid pid was found | 161 | static pid_t extract_pid(const char *name) { |
162 | static inline int read_pid(char *str, pid_t *pid) { | 162 | EUID_ASSERT(); |
163 | if (!name || strlen(name) == 0) { | ||
164 | fprintf(stderr, "Error: invalid sandbox name\n"); | ||
165 | exit(1); | ||
166 | } | ||
167 | |||
168 | pid_t pid; | ||
169 | EUID_ROOT(); | ||
170 | if (name2pid(name, &pid)) { | ||
171 | fprintf(stderr, "Error: cannot find sandbox %s\n", name); | ||
172 | exit(1); | ||
173 | } | ||
174 | EUID_USER(); | ||
175 | return pid; | ||
176 | } | ||
177 | |||
178 | |||
179 | static pid_t read_pid(const char *str) { | ||
163 | char *endptr; | 180 | char *endptr; |
164 | errno = 0; | 181 | errno = 0; |
165 | long int pidtmp = strtol(str, &endptr, 10); | 182 | long int pidtmp = strtol(str, &endptr, 10); |
166 | if ((errno == ERANGE && (pidtmp == LONG_MAX || pidtmp == LONG_MIN)) | 183 | if ((errno == ERANGE && (pidtmp == LONG_MAX || pidtmp == LONG_MIN)) |
167 | || (errno != 0 && pidtmp == 0)) { | 184 | || (errno != 0 && pidtmp == 0)) { |
168 | return 1; | 185 | return extract_pid(str); |
169 | } | 186 | } |
170 | // endptr points to '\0' char in str if the entire string is valid | 187 | // endptr points to '\0' char in str if the entire string is valid |
171 | if (endptr == NULL || endptr[0]!='\0') { | 188 | if (endptr == NULL || endptr[0]!='\0') { |
172 | return 1; | 189 | return extract_pid(str); |
173 | } | 190 | } |
174 | *pid = (pid_t)pidtmp; | 191 | return (pid_t)pidtmp; |
175 | return 0; | ||
176 | } | 192 | } |
177 | 193 | ||
178 | // init configuration | 194 | // init configuration |
@@ -385,11 +401,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
385 | } | 401 | } |
386 | 402 | ||
387 | // extract pid or sandbox name | 403 | // extract pid or sandbox name |
388 | pid_t pid; | 404 | pid_t pid = read_pid(argv[i] + 12); |
389 | if (read_pid(argv[i] + 12, &pid) == 0) | 405 | bandwidth_pid(pid, cmd, dev, down, up); |
390 | bandwidth_pid(pid, cmd, dev, down, up); | ||
391 | else | ||
392 | bandwidth_name(argv[i] + 12, cmd, dev, down, up); | ||
393 | } | 406 | } |
394 | else { | 407 | else { |
395 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | 408 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); |
@@ -426,11 +439,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
426 | else if (strncmp(argv[i], "--seccomp.print=", 16) == 0) { | 439 | else if (strncmp(argv[i], "--seccomp.print=", 16) == 0) { |
427 | if (checkcfg(CFG_SECCOMP)) { | 440 | if (checkcfg(CFG_SECCOMP)) { |
428 | // print seccomp filter for a sandbox specified by pid or by name | 441 | // print seccomp filter for a sandbox specified by pid or by name |
429 | pid_t pid; | 442 | pid_t pid = read_pid(argv[i] + 16); |
430 | if (read_pid(argv[i] + 16, &pid) == 0) | 443 | seccomp_print_filter(pid); |
431 | seccomp_print_filter(pid); | ||
432 | else | ||
433 | seccomp_print_filter_name(argv[i] + 16); | ||
434 | } | 444 | } |
435 | else { | 445 | else { |
436 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); | 446 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); |
@@ -445,11 +455,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
445 | else if (strncmp(argv[i], "--protocol.print=", 17) == 0) { | 455 | else if (strncmp(argv[i], "--protocol.print=", 17) == 0) { |
446 | if (checkcfg(CFG_SECCOMP)) { | 456 | if (checkcfg(CFG_SECCOMP)) { |
447 | // print seccomp filter for a sandbox specified by pid or by name | 457 | // print seccomp filter for a sandbox specified by pid or by name |
448 | pid_t pid; | 458 | pid_t pid = read_pid(argv[i] + 17); |
449 | if (read_pid(argv[i] + 17, &pid) == 0) | 459 | protocol_print_filter(pid); |
450 | protocol_print_filter(pid); | ||
451 | else | ||
452 | protocol_print_filter_name(argv[i] + 17); | ||
453 | } | 460 | } |
454 | else { | 461 | else { |
455 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); | 462 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); |
@@ -460,38 +467,26 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
460 | #endif | 467 | #endif |
461 | else if (strncmp(argv[i], "--cpu.print=", 12) == 0) { | 468 | else if (strncmp(argv[i], "--cpu.print=", 12) == 0) { |
462 | // join sandbox by pid or by name | 469 | // join sandbox by pid or by name |
463 | pid_t pid; | 470 | pid_t pid = read_pid(argv[i] + 12); |
464 | if (read_pid(argv[i] + 12, &pid) == 0) | 471 | cpu_print_filter(pid); |
465 | cpu_print_filter(pid); | ||
466 | else | ||
467 | cpu_print_filter_name(argv[i] + 12); | ||
468 | exit(0); | 472 | exit(0); |
469 | } | 473 | } |
470 | else if (strncmp(argv[i], "--caps.print=", 13) == 0) { | 474 | else if (strncmp(argv[i], "--caps.print=", 13) == 0) { |
471 | // join sandbox by pid or by name | 475 | // join sandbox by pid or by name |
472 | pid_t pid; | 476 | pid_t pid = read_pid(argv[i] + 13); |
473 | if (read_pid(argv[i] + 13, &pid) == 0) | 477 | caps_print_filter(pid); |
474 | caps_print_filter(pid); | ||
475 | else | ||
476 | caps_print_filter_name(argv[i] + 13); | ||
477 | exit(0); | 478 | exit(0); |
478 | } | 479 | } |
479 | else if (strncmp(argv[i], "--fs.print=", 11) == 0) { | 480 | else if (strncmp(argv[i], "--fs.print=", 11) == 0) { |
480 | // join sandbox by pid or by name | 481 | // join sandbox by pid or by name |
481 | pid_t pid; | 482 | pid_t pid = read_pid(argv[i] + 11); |
482 | if (read_pid(argv[i] + 11, &pid) == 0) | 483 | fs_logger_print_log(pid); |
483 | fs_logger_print_log(pid); | ||
484 | else | ||
485 | fs_logger_print_log_name(argv[i] + 11); | ||
486 | exit(0); | 484 | exit(0); |
487 | } | 485 | } |
488 | else if (strncmp(argv[i], "--dns.print=", 12) == 0) { | 486 | else if (strncmp(argv[i], "--dns.print=", 12) == 0) { |
489 | // join sandbox by pid or by name | 487 | // join sandbox by pid or by name |
490 | pid_t pid; | 488 | pid_t pid = read_pid(argv[i] + 12); |
491 | if (read_pid(argv[i] + 12, &pid) == 0) | 489 | net_dns_print(pid); |
492 | net_dns_print(pid); | ||
493 | else | ||
494 | net_dns_print_name(argv[i] + 12); | ||
495 | exit(0); | 490 | exit(0); |
496 | } | 491 | } |
497 | else if (strcmp(argv[i], "--debug-caps") == 0) { | 492 | else if (strcmp(argv[i], "--debug-caps") == 0) { |
@@ -543,11 +538,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
543 | } | 538 | } |
544 | 539 | ||
545 | // get file | 540 | // get file |
546 | pid_t pid; | 541 | pid_t pid = read_pid(argv[i] + 6); |
547 | if (read_pid(argv[i] + 6, &pid) == 0) | 542 | sandboxfs(SANDBOX_FS_GET, pid, path, NULL); |
548 | sandboxfs(SANDBOX_FS_GET, pid, path, NULL); | ||
549 | else | ||
550 | sandboxfs_name(SANDBOX_FS_GET, argv[i] + 6, path, NULL); | ||
551 | exit(0); | 543 | exit(0); |
552 | } | 544 | } |
553 | else { | 545 | else { |
@@ -578,11 +570,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
578 | } | 570 | } |
579 | 571 | ||
580 | // get file | 572 | // get file |
581 | pid_t pid; | 573 | pid_t pid = read_pid(argv[i] + 6); |
582 | if (read_pid(argv[i] + 6, &pid) == 0) | 574 | sandboxfs(SANDBOX_FS_PUT, pid, path1, path2); |
583 | sandboxfs(SANDBOX_FS_PUT, pid, path1, path2); | ||
584 | else | ||
585 | sandboxfs_name(SANDBOX_FS_PUT, argv[i] + 6, path1, path2); | ||
586 | exit(0); | 575 | exit(0); |
587 | } | 576 | } |
588 | else { | 577 | else { |
@@ -607,11 +596,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
607 | } | 596 | } |
608 | 597 | ||
609 | // list directory contents | 598 | // list directory contents |
610 | pid_t pid; | 599 | pid_t pid = read_pid(argv[i] + 5); |
611 | if (read_pid(argv[i] + 5, &pid) == 0) | 600 | sandboxfs(SANDBOX_FS_LS, pid, path, NULL); |
612 | sandboxfs(SANDBOX_FS_LS, pid, path, NULL); | ||
613 | else | ||
614 | sandboxfs_name(SANDBOX_FS_LS, argv[i] + 5, path, NULL); | ||
615 | exit(0); | 601 | exit(0); |
616 | } | 602 | } |
617 | else { | 603 | else { |
@@ -635,11 +621,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
635 | cfg.shell = guess_shell(); | 621 | cfg.shell = guess_shell(); |
636 | 622 | ||
637 | // join sandbox by pid or by name | 623 | // join sandbox by pid or by name |
638 | pid_t pid; | 624 | pid_t pid = read_pid(argv[i] + 7); |
639 | if (read_pid(argv[i] + 7, &pid) == 0) | 625 | join(pid, argc, argv, i + 1); |
640 | join(pid, argc, argv, i + 1); | ||
641 | else | ||
642 | join_name(argv[i] + 7, argc, argv, i + 1); | ||
643 | exit(0); | 626 | exit(0); |
644 | 627 | ||
645 | } | 628 | } |
@@ -656,6 +639,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
656 | cfg.original_program_index = i + 1; | 639 | cfg.original_program_index = i + 1; |
657 | } | 640 | } |
658 | 641 | ||
642 | #if 0 // todo: redo it | ||
659 | // try to join by name only | 643 | // try to join by name only |
660 | pid_t pid; | 644 | pid_t pid; |
661 | if (!name2pid(argv[i] + 16, &pid)) { | 645 | if (!name2pid(argv[i] + 16, &pid)) { |
@@ -665,6 +649,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
665 | join(pid, argc, argv, i + 1); | 649 | join(pid, argc, argv, i + 1); |
666 | exit(0); | 650 | exit(0); |
667 | } | 651 | } |
652 | #endif | ||
668 | // if there no such sandbox continue argument processing | 653 | // if there no such sandbox continue argument processing |
669 | } | 654 | } |
670 | #ifdef HAVE_NETWORK | 655 | #ifdef HAVE_NETWORK |
@@ -681,11 +666,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
681 | cfg.shell = guess_shell(); | 666 | cfg.shell = guess_shell(); |
682 | 667 | ||
683 | // join sandbox by pid or by name | 668 | // join sandbox by pid or by name |
684 | pid_t pid; | 669 | pid_t pid = read_pid(argv[i] + 15); |
685 | if (read_pid(argv[i] + 15, &pid) == 0) | 670 | join(pid, argc, argv, i + 1); |
686 | join(pid, argc, argv, i + 1); | ||
687 | else | ||
688 | join_name(argv[i] + 15, argc, argv, i + 1); | ||
689 | } | 671 | } |
690 | else { | 672 | else { |
691 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | 673 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); |
@@ -707,22 +689,16 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
707 | cfg.shell = guess_shell(); | 689 | cfg.shell = guess_shell(); |
708 | 690 | ||
709 | // join sandbox by pid or by name | 691 | // join sandbox by pid or by name |
710 | pid_t pid; | 692 | pid_t pid = read_pid(argv[i] + 18); |
711 | if (read_pid(argv[i] + 18, &pid) == 0) | 693 | join(pid, argc, argv, i + 1); |
712 | join(pid, argc, argv, i + 1); | ||
713 | else | ||
714 | join_name(argv[i] + 18, argc, argv, i + 1); | ||
715 | exit(0); | 694 | exit(0); |
716 | } | 695 | } |
717 | else if (strncmp(argv[i], "--shutdown=", 11) == 0) { | 696 | else if (strncmp(argv[i], "--shutdown=", 11) == 0) { |
718 | logargs(argc, argv); | 697 | logargs(argc, argv); |
719 | 698 | ||
720 | // shutdown sandbox by pid or by name | 699 | // shutdown sandbox by pid or by name |
721 | pid_t pid; | 700 | pid_t pid = read_pid(argv[i] + 11); |
722 | if (read_pid(argv[i] + 11, &pid) == 0) | 701 | shut(pid); |
723 | shut(pid); | ||
724 | else | ||
725 | shut_name(argv[i] + 11); | ||
726 | exit(0); | 702 | exit(0); |
727 | } | 703 | } |
728 | 704 | ||