diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/fs.c | 5 | ||||
-rw-r--r-- | src/firejail/fs_etc.c | 51 | ||||
-rw-r--r-- | src/firejail/main.c | 139 | ||||
-rw-r--r-- | src/firejail/no_sandbox.c | 97 | ||||
-rw-r--r-- | src/firejail/profile.c | 7 | ||||
-rw-r--r-- | src/firejail/rlimit.c | 12 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 9 | ||||
-rw-r--r-- | src/firejail/usage.c | 3 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 4 | ||||
-rw-r--r-- | src/man/firejail.txt | 10 |
11 files changed, 163 insertions, 176 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index d172efce1..368e0d88d 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -78,6 +78,7 @@ | |||
78 | #define RUN_HOSTNAME_FILE "/run/firejail/mnt/hostname" | 78 | #define RUN_HOSTNAME_FILE "/run/firejail/mnt/hostname" |
79 | #define RUN_HOSTS_FILE "/run/firejail/mnt/hosts" | 79 | #define RUN_HOSTS_FILE "/run/firejail/mnt/hosts" |
80 | #define RUN_RESOLVCONF_FILE "/run/firejail/mnt/resolv.conf" | 80 | #define RUN_RESOLVCONF_FILE "/run/firejail/mnt/resolv.conf" |
81 | #define RUN_MACHINEID "/run/firejail/mnt/machine-id" | ||
81 | #define RUN_LDPRELOAD_FILE "/run/firejail/mnt/ld.so.preload" | 82 | #define RUN_LDPRELOAD_FILE "/run/firejail/mnt/ld.so.preload" |
82 | #define RUN_UTMP_FILE "/run/firejail/mnt/utmp" | 83 | #define RUN_UTMP_FILE "/run/firejail/mnt/utmp" |
83 | #define RUN_PASSWD_FILE "/run/firejail/mnt/passwd" | 84 | #define RUN_PASSWD_FILE "/run/firejail/mnt/passwd" |
@@ -342,6 +343,7 @@ extern int arg_allow_debuggers; // allow debuggers | |||
342 | extern int arg_x11_block; // block X11 | 343 | extern int arg_x11_block; // block X11 |
343 | extern int arg_x11_xorg; // use X11 security extention | 344 | extern int arg_x11_xorg; // use X11 security extention |
344 | extern int arg_allusers; // all user home directories visible | 345 | extern int arg_allusers; // all user home directories visible |
346 | extern int arg_machineid; // preserve /etc/machine-id | ||
345 | 347 | ||
346 | extern int login_shell; | 348 | extern int login_shell; |
347 | extern int parent_to_child_fds[2]; | 349 | extern int parent_to_child_fds[2]; |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index ffad961c3..905d2903d 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -662,7 +662,8 @@ void fs_basic_fs(void) { | |||
662 | fs_var_lib(); | 662 | fs_var_lib(); |
663 | fs_var_cache(); | 663 | fs_var_cache(); |
664 | fs_var_utmp(); | 664 | fs_var_utmp(); |
665 | 665 | fs_machineid(); | |
666 | |||
666 | // don't leak user information | 667 | // don't leak user information |
667 | restrict_users(); | 668 | restrict_users(); |
668 | 669 | ||
@@ -945,6 +946,7 @@ void fs_overlayfs(void) { | |||
945 | fs_var_lib(); | 946 | fs_var_lib(); |
946 | fs_var_cache(); | 947 | fs_var_cache(); |
947 | fs_var_utmp(); | 948 | fs_var_utmp(); |
949 | fs_machineid(); | ||
948 | 950 | ||
949 | // don't leak user information | 951 | // don't leak user information |
950 | restrict_users(); | 952 | restrict_users(); |
@@ -1126,6 +1128,7 @@ void fs_chroot(const char *rootdir) { | |||
1126 | fs_var_lib(); | 1128 | fs_var_lib(); |
1127 | fs_var_cache(); | 1129 | fs_var_cache(); |
1128 | fs_var_utmp(); | 1130 | fs_var_utmp(); |
1131 | fs_machineid(); | ||
1129 | 1132 | ||
1130 | // don't leak user information | 1133 | // don't leak user information |
1131 | restrict_users(); | 1134 | restrict_users(); |
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index 9a28ac601..a04bf6725 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c | |||
@@ -23,6 +23,57 @@ | |||
23 | #include <sys/types.h> | 23 | #include <sys/types.h> |
24 | #include <unistd.h> | 24 | #include <unistd.h> |
25 | 25 | ||
26 | // spoof /etc/machine_id | ||
27 | void fs_machineid(void) { | ||
28 | union machineid_t { | ||
29 | uint8_t u8[16]; | ||
30 | uint32_t u32[4]; | ||
31 | } mid; | ||
32 | |||
33 | // if --machine-id flag is active, do nothing | ||
34 | if (arg_machineid) | ||
35 | return; | ||
36 | |||
37 | // init random number generator | ||
38 | srand(time(NULL)); | ||
39 | |||
40 | // generate random id | ||
41 | mid.u32[0] = rand(); | ||
42 | mid.u32[1] = rand(); | ||
43 | mid.u32[2] = rand(); | ||
44 | mid.u32[3] = rand(); | ||
45 | |||
46 | // UUID version 4 and DCE variant | ||
47 | mid.u8[6] = (mid.u8[6] & 0x0F) | 0x40; | ||
48 | mid.u8[8] = (mid.u8[8] & 0x3F) | 0x80; | ||
49 | |||
50 | // write it in a file | ||
51 | FILE *fp = fopen(RUN_MACHINEID, "w"); | ||
52 | if (!fp) | ||
53 | errExit("fopen"); | ||
54 | fprintf(fp, "%08x%08x%08x%08x\n", mid.u32[0], mid.u32[1], mid.u32[2], mid.u32[3]); | ||
55 | fclose(fp); | ||
56 | if (set_perms(RUN_MACHINEID, 0, 0, 0444)) | ||
57 | errExit("set_perms"); | ||
58 | |||
59 | |||
60 | struct stat s; | ||
61 | // mount-bind | ||
62 | if (stat("/etc/machine-id", &s) == 0) { | ||
63 | if (arg_debug) | ||
64 | printf("installing a new /etc/machine-id\n"); | ||
65 | |||
66 | if (mount(RUN_MACHINEID, "/etc/machine-id", "none", MS_BIND, "mode=444,gid=0")) | ||
67 | errExit("mount"); | ||
68 | } | ||
69 | //#if 0 // todo: investigate | ||
70 | if (stat("/var/lib/dbus/machine-id", &s) == 0) { | ||
71 | if (mount(RUN_MACHINEID, "/etc/machine-id", "none", MS_BIND, "mode=444,gid=0")) | ||
72 | errExit("mount"); | ||
73 | } | ||
74 | //#endif | ||
75 | } | ||
76 | |||
26 | // return 0 if file not found, 1 if found | 77 | // return 0 if file not found, 1 if found |
27 | static int check_dir_or_file(const char *fname) { | 78 | static int check_dir_or_file(const char *fname) { |
28 | assert(fname); | 79 | assert(fname); |
diff --git a/src/firejail/main.c b/src/firejail/main.c index aa855b7eb..b25bad9f2 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -111,6 +111,7 @@ int arg_allow_debuggers = 0; // allow debuggers | |||
111 | int arg_x11_block = 0; // block X11 | 111 | int arg_x11_block = 0; // block X11 |
112 | int arg_x11_xorg = 0; // use X11 security extention | 112 | int arg_x11_xorg = 0; // use X11 security extention |
113 | int arg_allusers = 0; // all user home directories visible | 113 | int arg_allusers = 0; // all user home directories visible |
114 | int arg_machineid = 0; // preserve /etc/machine-id | ||
114 | 115 | ||
115 | int login_shell = 0; | 116 | int login_shell = 0; |
116 | 117 | ||
@@ -750,42 +751,6 @@ static void delete_x11_file(pid_t pid) { | |||
750 | free(fname); | 751 | free(fname); |
751 | } | 752 | } |
752 | 753 | ||
753 | static void detect_quiet(int argc, char **argv) { | ||
754 | int i; | ||
755 | |||
756 | // detect --quiet | ||
757 | for (i = 1; i < argc; i++) { | ||
758 | if (strcmp(argv[i], "--quiet") == 0) { | ||
759 | arg_quiet = 1; | ||
760 | break; | ||
761 | } | ||
762 | |||
763 | // detect end of firejail params | ||
764 | if (strcmp(argv[i], "--") == 0) | ||
765 | break; | ||
766 | if (strncmp(argv[i], "--", 2) != 0) | ||
767 | break; | ||
768 | } | ||
769 | } | ||
770 | |||
771 | static void detect_allow_debuggers(int argc, char **argv) { | ||
772 | int i; | ||
773 | |||
774 | // detect --allow-debuggers | ||
775 | for (i = 1; i < argc; i++) { | ||
776 | if (strcmp(argv[i], "--allow-debuggers") == 0) { | ||
777 | arg_allow_debuggers = 1; | ||
778 | break; | ||
779 | } | ||
780 | |||
781 | // detect end of firejail params | ||
782 | if (strcmp(argv[i], "--") == 0) | ||
783 | break; | ||
784 | if (strncmp(argv[i], "--", 2) != 0) | ||
785 | break; | ||
786 | } | ||
787 | } | ||
788 | |||
789 | char *guess_shell(void) { | 754 | char *guess_shell(void) { |
790 | char *shell = NULL; | 755 | char *shell = NULL; |
791 | // shells in order of preference | 756 | // shells in order of preference |
@@ -805,6 +770,25 @@ char *guess_shell(void) { | |||
805 | return shell; | 770 | return shell; |
806 | } | 771 | } |
807 | 772 | ||
773 | static int check_arg(int argc, char **argv, const char *argument) { | ||
774 | int i; | ||
775 | int found = 0; | ||
776 | for (i = 1; i < argc; i++) { | ||
777 | if (strcmp(argv[i], argument) == 0) { | ||
778 | found = 1; | ||
779 | break; | ||
780 | } | ||
781 | |||
782 | // detect end of firejail params | ||
783 | if (strcmp(argv[i], "--") == 0) | ||
784 | break; | ||
785 | if (strncmp(argv[i], "--", 2) != 0) | ||
786 | break; | ||
787 | } | ||
788 | |||
789 | return found; | ||
790 | } | ||
791 | |||
808 | //******************************************* | 792 | //******************************************* |
809 | // Main program | 793 | // Main program |
810 | //******************************************* | 794 | //******************************************* |
@@ -821,8 +805,10 @@ int main(int argc, char **argv) { | |||
821 | // build /run/firejail directory structure | 805 | // build /run/firejail directory structure |
822 | preproc_build_firejail_dir(); | 806 | preproc_build_firejail_dir(); |
823 | 807 | ||
824 | detect_quiet(argc, argv); | 808 | if (check_arg(argc, argv, "--quiet")) |
825 | detect_allow_debuggers(argc, argv); | 809 | arg_quiet = 1; |
810 | if (check_arg(argc, argv, "--allow-debuggers")) | ||
811 | arg_allow_debuggers = 1; | ||
826 | 812 | ||
827 | // drop permissions by default and rise them when required | 813 | // drop permissions by default and rise them when required |
828 | EUID_INIT(); | 814 | EUID_INIT(); |
@@ -844,78 +830,32 @@ int main(int argc, char **argv) { | |||
844 | EUID_USER(); | 830 | EUID_USER(); |
845 | if (rv == 0) { | 831 | if (rv == 0) { |
846 | // if --force option is passed to the program, disregard the existing sandbox | 832 | // if --force option is passed to the program, disregard the existing sandbox |
847 | int found = 0; | 833 | if (check_arg(argc, argv, "--force")) |
848 | for (i = 1; i < argc; i++) { | 834 | option_force = 1; |
849 | if (strcmp(argv[i], "--force") == 0 || | 835 | else { |
850 | strcmp(argv[i], "--list") == 0 || | 836 | if (check_arg(argc, argv, "--version")) { |
851 | strcmp(argv[i], "--netstats") == 0 || | 837 | printf("firejail version %s\n", VERSION); |
852 | strcmp(argv[i], "--tree") == 0 || | 838 | exit(0); |
853 | strcmp(argv[i], "--top") == 0 || | ||
854 | strncmp(argv[i], "--ls=", 5) == 0 || | ||
855 | strncmp(argv[i], "--get=", 6) == 0 || | ||
856 | strcmp(argv[i], "--debug-caps") == 0 || | ||
857 | strcmp(argv[i], "--debug-errnos") == 0 || | ||
858 | strcmp(argv[i], "--debug-syscalls") == 0 || | ||
859 | strcmp(argv[i], "--debug-protocols") == 0 || | ||
860 | strcmp(argv[i], "--help") == 0 || | ||
861 | strcmp(argv[i], "--version") == 0 || | ||
862 | strcmp(argv[i], "--overlay-clean") == 0 || | ||
863 | strncmp(argv[i], "--dns.print=", 12) == 0 || | ||
864 | strncmp(argv[i], "--bandwidth=", 12) == 0 || | ||
865 | strncmp(argv[i], "--caps.print=", 13) == 0 || | ||
866 | strncmp(argv[i], "--cpu.print=", 12) == 0 || | ||
867 | //******************************************************************************** | ||
868 | // todo: fix the following problems | ||
869 | strncmp(argv[i], "--join=", 7) == 0 || | ||
870 | //[netblue@debian Downloads]$ firejail --join=896 | ||
871 | //Switching to pid 897, the first child process inside the sandbox | ||
872 | //Error: seccomp file not found | ||
873 | //******************************************************************************** | ||
874 | |||
875 | strncmp(argv[i], "--join-filesystem=", 18) == 0 || | ||
876 | strncmp(argv[i], "--join-network=", 15) == 0 || | ||
877 | strncmp(argv[i], "--fs.print=", 11) == 0 || | ||
878 | strncmp(argv[i], "--protocol.print=", 17) == 0 || | ||
879 | strncmp(argv[i], "--seccomp.print", 15) == 0 || | ||
880 | strncmp(argv[i], "--shutdown=", 11) == 0) { | ||
881 | found = 1; | ||
882 | break; | ||
883 | } | 839 | } |
884 | 840 | ||
885 | // detect end of firejail params | ||
886 | if (strcmp(argv[i], "--") == 0) | ||
887 | break; | ||
888 | if (strncmp(argv[i], "--", 2) != 0) | ||
889 | break; | ||
890 | } | ||
891 | |||
892 | if (found == 0) { | ||
893 | // start the program directly without sandboxing | 841 | // start the program directly without sandboxing |
894 | run_no_sandbox(argc, argv); | 842 | run_no_sandbox(argc, argv); |
895 | // it will never get here! | 843 | // it will never get here! |
896 | assert(0); | 844 | assert(0); |
897 | } | 845 | } |
898 | else | ||
899 | option_force = 1; | ||
900 | } | 846 | } |
901 | } | 847 | } |
902 | 848 | ||
903 | // check root/suid | 849 | // check root/suid |
904 | EUID_ROOT(); | 850 | EUID_ROOT(); |
905 | if (geteuid()) { | 851 | if (geteuid()) { |
906 | // detect --version | 852 | // only --version is supported without SUID support |
907 | for (i = 1; i < argc; i++) { | 853 | if (check_arg(argc, argv, "--version")) { |
908 | if (strcmp(argv[i], "--version") == 0) { | 854 | printf("firejail version %s\n", VERSION); |
909 | printf("firejail version %s\n", VERSION); | 855 | exit(0); |
910 | exit(0); | ||
911 | } | ||
912 | |||
913 | // detect end of firejail params | ||
914 | if (strcmp(argv[i], "--") == 0) | ||
915 | break; | ||
916 | if (strncmp(argv[i], "--", 2) != 0) | ||
917 | break; | ||
918 | } | 856 | } |
857 | |||
858 | fprintf(stderr, "Error: cannot rise privileges\n"); | ||
919 | exit(1); | 859 | exit(1); |
920 | } | 860 | } |
921 | EUID_USER(); | 861 | EUID_USER(); |
@@ -1520,6 +1460,9 @@ int main(int argc, char **argv) { | |||
1520 | else if (strcmp(argv[i], "--writable-var") == 0) { | 1460 | else if (strcmp(argv[i], "--writable-var") == 0) { |
1521 | arg_writable_var = 1; | 1461 | arg_writable_var = 1; |
1522 | } | 1462 | } |
1463 | else if (strcmp(argv[i], "--machine-id") == 0) { | ||
1464 | arg_machineid = 1; | ||
1465 | } | ||
1523 | else if (strcmp(argv[i], "--private") == 0) { | 1466 | else if (strcmp(argv[i], "--private") == 0) { |
1524 | arg_private = 1; | 1467 | arg_private = 1; |
1525 | } | 1468 | } |
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 8af555ea2..c56d90994 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c | |||
@@ -165,84 +165,28 @@ void run_no_sandbox(int argc, char **argv) { | |||
165 | // process limited subset of options | 165 | // process limited subset of options |
166 | int i; | 166 | int i; |
167 | for (i = 0; i < argc; i++) { | 167 | for (i = 0; i < argc; i++) { |
168 | if (strcmp(argv[i], "--csh") == 0) { | 168 | if (strcmp(argv[i], "--debug") == 0) |
169 | if (arg_shell_none) { | 169 | arg_debug = 1; |
170 | fprintf(stderr, "Error: --shell=none was already specified.\n"); | 170 | else if (strcmp(argv[i], "--csh") == 0 || |
171 | exit(1); | 171 | strcmp(argv[i], "--zsh") == 0 || |
172 | } | 172 | strcmp(argv[i], "--shell=none") == 0 || |
173 | if (cfg.shell) { | 173 | strncmp(argv[i], "--shell=", 8) == 0) |
174 | fprintf(stderr, "Error: only one default user shell can be specified\n"); | 174 | fprintf(stderr, "Warning: shell-related command line options are disregarded - using SHELL environment variable"); |
175 | exit(1); | ||
176 | } | ||
177 | cfg.shell = "/bin/csh"; | ||
178 | } | ||
179 | else if (strcmp(argv[i], "--zsh") == 0) { | ||
180 | if (arg_shell_none) { | ||
181 | fprintf(stderr, "Error: --shell=none was already specified.\n"); | ||
182 | exit(1); | ||
183 | } | ||
184 | if (cfg.shell) { | ||
185 | fprintf(stderr, "Error: only one default user shell can be specified\n"); | ||
186 | exit(1); | ||
187 | } | ||
188 | cfg.shell = "/bin/zsh"; | ||
189 | } | ||
190 | else if (strcmp(argv[i], "--shell=none") == 0) { | ||
191 | arg_shell_none = 1; | ||
192 | if (cfg.shell) { | ||
193 | fprintf(stderr, "Error: a shell was already specified\n"); | ||
194 | exit(1); | ||
195 | } | ||
196 | } | ||
197 | else if (strncmp(argv[i], "--shell=", 8) == 0) { | ||
198 | if (arg_shell_none) { | ||
199 | fprintf(stderr, "Error: --shell=none was already specified.\n"); | ||
200 | exit(1); | ||
201 | } | ||
202 | invalid_filename(argv[i] + 8); | ||
203 | |||
204 | if (cfg.shell) { | ||
205 | fprintf(stderr, "Error: only one user shell can be specified\n"); | ||
206 | exit(1); | ||
207 | } | ||
208 | cfg.shell = argv[i] + 8; | ||
209 | |||
210 | if (is_dir(cfg.shell) || strstr(cfg.shell, "..")) { | ||
211 | fprintf(stderr, "Error: invalid shell\n"); | ||
212 | exit(1); | ||
213 | } | ||
214 | |||
215 | // access call checks as real UID/GID, not as effective UID/GID | ||
216 | if(cfg.chrootdir) { | ||
217 | char *shellpath; | ||
218 | if (asprintf(&shellpath, "%s%s", cfg.chrootdir, cfg.shell) == -1) | ||
219 | errExit("asprintf"); | ||
220 | if (access(shellpath, R_OK)) { | ||
221 | fprintf(stderr, "Error: cannot access shell file in chroot\n"); | ||
222 | exit(1); | ||
223 | } | ||
224 | free(shellpath); | ||
225 | } else if (access(cfg.shell, R_OK)) { | ||
226 | fprintf(stderr, "Error: cannot access shell file\n"); | ||
227 | exit(1); | ||
228 | } | ||
229 | } | ||
230 | } | 175 | } |
231 | 176 | ||
232 | // use $SHELL to get shell used in sandbox | 177 | // use $SHELL to get shell used in sandbox |
233 | if (!arg_shell_none && !cfg.shell) { | 178 | char *shell = getenv("SHELL"); |
234 | char *shell = getenv("SHELL"); | 179 | if (shell && access(shell, R_OK) == 0) |
235 | if (shell && access(shell, R_OK) == 0) | 180 | cfg.shell = shell; |
236 | cfg.shell = shell; | 181 | |
237 | } | ||
238 | // guess shell otherwise | 182 | // guess shell otherwise |
239 | if (!arg_shell_none && !cfg.shell) { | 183 | if (!cfg.shell) { |
240 | cfg.shell = guess_shell(); | 184 | cfg.shell = guess_shell(); |
241 | if (arg_debug) | 185 | if (arg_debug) |
242 | printf("Autoselecting %s as shell\n", cfg.shell); | 186 | printf("Autoselecting %s as shell\n", cfg.shell); |
243 | } | 187 | } |
244 | if (!arg_shell_none && !cfg.shell) { | 188 | if (!cfg.shell) { |
245 | fprintf(stderr, "Error: unable to guess your shell, please set explicitly by using --shell option.\n"); | 189 | fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n"); |
246 | exit(1); | 190 | exit(1); |
247 | } | 191 | } |
248 | 192 | ||
@@ -266,13 +210,11 @@ void run_no_sandbox(int argc, char **argv) { | |||
266 | } | 210 | } |
267 | } | 211 | } |
268 | 212 | ||
269 | if (!arg_shell_none) { | 213 | if (prog_index == 0) { |
270 | if (prog_index == 0) { | 214 | cfg.command_line = cfg.shell; |
271 | cfg.command_line = cfg.shell; | 215 | cfg.window_title = cfg.shell; |
272 | cfg.window_title = cfg.shell; | 216 | } else { |
273 | } else { | 217 | build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); |
274 | build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index); | ||
275 | } | ||
276 | } | 218 | } |
277 | 219 | ||
278 | cfg.original_argv = argv; | 220 | cfg.original_argv = argv; |
@@ -287,5 +229,6 @@ void run_no_sandbox(int argc, char **argv) { | |||
287 | fprintf(stderr, "Warning: an existing sandbox was detected. " | 229 | fprintf(stderr, "Warning: an existing sandbox was detected. " |
288 | "%s will run without any additional sandboxing features\n", command); | 230 | "%s will run without any additional sandboxing features\n", command); |
289 | 231 | ||
232 | arg_quiet = 1; | ||
290 | start_application(); | 233 | start_application(); |
291 | } | 234 | } |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 3697b54b9..da3daf95a 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -650,6 +650,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
650 | return 0; | 650 | return 0; |
651 | } | 651 | } |
652 | 652 | ||
653 | if (strcmp(ptr, "machine-id") == 0) { | ||
654 | arg_machineid = 1; | ||
655 | return 0; | ||
656 | } | ||
653 | // writable-var | 657 | // writable-var |
654 | if (strcmp(ptr, "writable-var") == 0) { | 658 | if (strcmp(ptr, "writable-var") == 0) { |
655 | arg_writable_var = 1; | 659 | arg_writable_var = 1; |
@@ -1049,6 +1053,9 @@ void profile_read(const char *fname) { | |||
1049 | // else { | 1053 | // else { |
1050 | // free(ptr); | 1054 | // free(ptr); |
1051 | // } | 1055 | // } |
1056 | #ifdef HAVE_GCOV | ||
1057 | __gcov_flush(); | ||
1058 | #endif | ||
1052 | } | 1059 | } |
1053 | fclose(fp); | 1060 | fclose(fp); |
1054 | } | 1061 | } |
diff --git a/src/firejail/rlimit.c b/src/firejail/rlimit.c index a774fd6f5..47dd846d2 100644 --- a/src/firejail/rlimit.c +++ b/src/firejail/rlimit.c | |||
@@ -27,6 +27,9 @@ void set_rlimits(void) { | |||
27 | if (arg_rlimit_nofile) { | 27 | if (arg_rlimit_nofile) { |
28 | rl.rlim_cur = (rlim_t) cfg.rlimit_nofile; | 28 | rl.rlim_cur = (rlim_t) cfg.rlimit_nofile; |
29 | rl.rlim_max = (rlim_t) cfg.rlimit_nofile; | 29 | rl.rlim_max = (rlim_t) cfg.rlimit_nofile; |
30 | #ifdef HAVE_GCOV // gcov-instrumented programs might crash at this point | ||
31 | __gcov_dump(); | ||
32 | #endif | ||
30 | if (setrlimit(RLIMIT_NOFILE, &rl) == -1) | 33 | if (setrlimit(RLIMIT_NOFILE, &rl) == -1) |
31 | errExit("setrlimit"); | 34 | errExit("setrlimit"); |
32 | if (arg_debug) | 35 | if (arg_debug) |
@@ -36,6 +39,9 @@ void set_rlimits(void) { | |||
36 | if (arg_rlimit_nproc) { | 39 | if (arg_rlimit_nproc) { |
37 | rl.rlim_cur = (rlim_t) cfg.rlimit_nproc; | 40 | rl.rlim_cur = (rlim_t) cfg.rlimit_nproc; |
38 | rl.rlim_max = (rlim_t) cfg.rlimit_nproc; | 41 | rl.rlim_max = (rlim_t) cfg.rlimit_nproc; |
42 | #ifdef HAVE_GCOV | ||
43 | __gcov_dump(); | ||
44 | #endif | ||
39 | if (setrlimit(RLIMIT_NPROC, &rl) == -1) | 45 | if (setrlimit(RLIMIT_NPROC, &rl) == -1) |
40 | errExit("setrlimit"); | 46 | errExit("setrlimit"); |
41 | if (arg_debug) | 47 | if (arg_debug) |
@@ -45,6 +51,9 @@ void set_rlimits(void) { | |||
45 | if (arg_rlimit_fsize) { | 51 | if (arg_rlimit_fsize) { |
46 | rl.rlim_cur = (rlim_t) cfg.rlimit_fsize; | 52 | rl.rlim_cur = (rlim_t) cfg.rlimit_fsize; |
47 | rl.rlim_max = (rlim_t) cfg.rlimit_fsize; | 53 | rl.rlim_max = (rlim_t) cfg.rlimit_fsize; |
54 | #ifdef HAVE_GCOV | ||
55 | __gcov_dump(); | ||
56 | #endif | ||
48 | if (setrlimit(RLIMIT_FSIZE, &rl) == -1) | 57 | if (setrlimit(RLIMIT_FSIZE, &rl) == -1) |
49 | errExit("setrlimit"); | 58 | errExit("setrlimit"); |
50 | if (arg_debug) | 59 | if (arg_debug) |
@@ -54,6 +63,9 @@ void set_rlimits(void) { | |||
54 | if (arg_rlimit_sigpending) { | 63 | if (arg_rlimit_sigpending) { |
55 | rl.rlim_cur = (rlim_t) cfg.rlimit_sigpending; | 64 | rl.rlim_cur = (rlim_t) cfg.rlimit_sigpending; |
56 | rl.rlim_max = (rlim_t) cfg.rlimit_sigpending; | 65 | rl.rlim_max = (rlim_t) cfg.rlimit_sigpending; |
66 | #ifdef HAVE_GCOV | ||
67 | __gcov_dump(); | ||
68 | #endif | ||
57 | if (setrlimit(RLIMIT_SIGPENDING, &rl) == -1) | 69 | if (setrlimit(RLIMIT_SIGPENDING, &rl) == -1) |
58 | errExit("setrlimit"); | 70 | errExit("setrlimit"); |
59 | if (arg_debug) | 71 | if (arg_debug) |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 68b8f554d..50fcd6ed0 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -286,6 +286,9 @@ void start_application(void) { | |||
286 | //**************************************** | 286 | //**************************************** |
287 | if (arg_audit) { | 287 | if (arg_audit) { |
288 | assert(arg_audit_prog); | 288 | assert(arg_audit_prog); |
289 | #ifdef HAVE_GCOV | ||
290 | __gcov_dump(); | ||
291 | #endif | ||
289 | execl(arg_audit_prog, arg_audit_prog, NULL); | 292 | execl(arg_audit_prog, arg_audit_prog, NULL); |
290 | } | 293 | } |
291 | //**************************************** | 294 | //**************************************** |
@@ -309,6 +312,9 @@ void start_application(void) { | |||
309 | if (!arg_command && !arg_quiet) | 312 | if (!arg_command && !arg_quiet) |
310 | printf("Child process initialized\n"); | 313 | printf("Child process initialized\n"); |
311 | 314 | ||
315 | #ifdef HAVE_GCOV | ||
316 | __gcov_dump(); | ||
317 | #endif | ||
312 | execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]); | 318 | execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]); |
313 | exit(1); | 319 | exit(1); |
314 | } | 320 | } |
@@ -356,6 +362,9 @@ void start_application(void) { | |||
356 | 362 | ||
357 | if (!arg_command && !arg_quiet) | 363 | if (!arg_command && !arg_quiet) |
358 | printf("Child process initialized\n"); | 364 | printf("Child process initialized\n"); |
365 | #ifdef HAVE_GCOV | ||
366 | __gcov_dump(); | ||
367 | #endif | ||
359 | execvp(arg[0], arg); | 368 | execvp(arg[0], arg); |
360 | } | 369 | } |
361 | 370 | ||
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index c8bed06e3..db3c25a5a 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -94,6 +94,9 @@ void usage(void) { | |||
94 | printf(" --ls=name|pid dir_or_filename - list files in sandbox container.\n"); | 94 | printf(" --ls=name|pid dir_or_filename - list files in sandbox container.\n"); |
95 | #ifdef HAVE_NETWORK | 95 | #ifdef HAVE_NETWORK |
96 | printf(" --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n"); | 96 | printf(" --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n"); |
97 | #endif | ||
98 | printf(" --machine-id - preserve /etc/machine-id\n"); | ||
99 | #ifdef HAVE_NETWORK | ||
97 | printf(" --mtu=number - set interface MTU.\n"); | 100 | printf(" --mtu=number - set interface MTU.\n"); |
98 | #endif | 101 | #endif |
99 | printf(" --name=name - set sandbox name.\n"); | 102 | printf(" --name=name - set sandbox name.\n"); |
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 007374c75..fa522c154 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -447,6 +447,10 @@ iprange 192.168.1.150,192.168.1.160 | |||
447 | Assign MAC addresses to the last network interface defined by a net command. | 447 | Assign MAC addresses to the last network interface defined by a net command. |
448 | 448 | ||
449 | .TP | 449 | .TP |
450 | \fBmachine-id | ||
451 | Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox. | ||
452 | |||
453 | .TP | ||
450 | \fBmtu number | 454 | \fBmtu number |
451 | Assign a MTU value to the last network interface defined by a net command. | 455 | Assign a MTU value to the last network interface defined by a net command. |
452 | 456 | ||
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 450f30c68..fdeb9ea3f 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -666,6 +666,16 @@ Example: | |||
666 | $ firejail \-\-net=eth0 \-\-mac=00:11:22:33:44:55 firefox | 666 | $ firejail \-\-net=eth0 \-\-mac=00:11:22:33:44:55 firefox |
667 | 667 | ||
668 | .TP | 668 | .TP |
669 | \fB\-\-machine-id | ||
670 | Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox. | ||
671 | .br | ||
672 | |||
673 | .br | ||
674 | Example: | ||
675 | .br | ||
676 | $ firejail \-\-machine-id | ||
677 | |||
678 | .TP | ||
669 | \fB\-\-mtu=number | 679 | \fB\-\-mtu=number |
670 | Assign a MTU value to the last network interface defined by a \-\-net option. | 680 | Assign a MTU value to the last network interface defined by a \-\-net option. |
671 | .br | 681 | .br |