Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 3 | ||||
-rw-r--r-- | src/firejail/main.c | 8 | ||||
-rw-r--r-- | src/firejail/run_files.c | 20 |
3 files changed, 19 insertions, 12 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index c5004ef8a..aec320c1f 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -907,7 +907,8 @@ void delete_bandwidth_run_file(pid_t pid); | |||
907 | void set_name_run_file(pid_t pid); | 907 | void set_name_run_file(pid_t pid); |
908 | void set_x11_run_file(pid_t pid, int display); | 908 | void set_x11_run_file(pid_t pid, int display); |
909 | void set_profile_run_file(pid_t pid, const char *fname); | 909 | void set_profile_run_file(pid_t pid, const char *fname); |
910 | int set_sandbox_run_file(pid_t pid, pid_t child); | 910 | void set_sandbox_run_file(pid_t pid, pid_t child); |
911 | void release_sandbox_run_file_lock(void); | ||
911 | 912 | ||
912 | // dbus.c | 913 | // dbus.c |
913 | int dbus_check_name(const char *name); | 914 | int dbus_check_name(const char *name); |
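Review bot: The new prototype at line 911 carries no note of its calling contract, and main.c now invokes release_sandbox_run_file_lock() from the SIGTERM/SIGINT handler as well as from the normal exit path, so the constraint belongs here where the next caller will see it. I would add above the declaration `// closes the sandbox run file (dropping its fcntl lock); also called from my_handler(), so it must stay async-signal-safe`. The companion change from `int` to `void` on set_sandbox_run_file() is fine, but a one-line comment saying the descriptor is now kept in run_files.c rather than returned would spare a reader the trip to the .c file.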
diff --git a/src/firejail/main.c b/src/firejail/main.c index 6466be7d4..539760535 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -190,6 +190,8 @@ static void myexit(int rv) { | |||
190 | } | 190 | } |
191 | 191 | ||
192 | static void my_handler(int s) { | 192 | static void my_handler(int s) { |
193 | release_sandbox_run_file_lock(); | ||
194 | |||
193 | fmessage("\nParent received signal %d, shutting down the child process...\n", s); | 195 | fmessage("\nParent received signal %d, shutting down the child process...\n", s); |
194 | logsignal(s); | 196 | logsignal(s); |
195 | 197 | ||
@@ -961,7 +963,6 @@ int main(int argc, char **argv, char **envp) { | |||
961 | int prog_index = -1; // index in argv where the program command starts | 963 | int prog_index = -1; // index in argv where the program command starts |
962 | int lockfd_network = -1; | 964 | int lockfd_network = -1; |
963 | int lockfd_directory = -1; | 965 | int lockfd_directory = -1; |
964 | int lockfd_sandboxfile = -1; | ||
965 | int custom_profile = 0; // custom profile loaded | 966 | int custom_profile = 0; // custom profile loaded |
966 | int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot) | 967 | int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot) |
967 | int arg_netlock = 0; | 968 | int arg_netlock = 0; |
@@ -2997,7 +2998,7 @@ int main(int argc, char **argv, char **envp) { | |||
2997 | EUID_USER(); | 2998 | EUID_USER(); |
2998 | 2999 | ||
2999 | // sandbox pidfile | 3000 | // sandbox pidfile |
3000 | lockfd_sandboxfile = set_sandbox_run_file(getpid(), child); | 3001 | set_sandbox_run_file(getpid(), child); |
3001 | 3002 | ||
3002 | if (!arg_command && !arg_quiet) { | 3003 | if (!arg_command && !arg_quiet) { |
3003 | fmessage("Parent pid %u, child pid %u\n", sandbox_pid, child); | 3004 | fmessage("Parent pid %u, child pid %u\n", sandbox_pid, child); |
@@ -3222,8 +3223,7 @@ int main(int argc, char **argv, char **envp) { | |||
3222 | // end of signal-safe code | 3223 | // end of signal-safe code |
3223 | //***************************** | 3224 | //***************************** |
3224 | 3225 | ||
3225 | // release lock | 3226 | release_sandbox_run_file_lock(); |
3226 | close(lockfd_sandboxfile); | ||
3227 | 3227 | ||
3228 | if (WIFEXITED(status)){ | 3228 | if (WIFEXITED(status)){ |
3229 | myexit(WEXITSTATUS(status)); | 3229 | myexit(WEXITSTATUS(status)); |
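Review bot: The call added at the top of my_handler() (line 193) runs release_sandbox_run_file_lock(), which asserts that the run-file descriptor is open; if the handler is installed before main reaches set_sandbox_run_file() at line 3001 (the sigaction/signal call is not in this hunk), or a signal lands after the normal-path release at line 3226, the assert aborts the parent inside the handler and the child shutdown that follows on lines 195 onward never runs. Under NDEBUG the same path instead silently calls close(-1), so debug and release builds diverge. assert() also reports through stdio, which is not async-signal-safe, so the release function should return quietly when nothing is open rather than assert, and the handler should be able to rely on that. The variable it reads is a plain static int written on the main path; for a handler-visible flag I would expect `volatile sig_atomic_t`, though whether the compiler can actually mis-cache it here depends on code outside this hunk. my_handler()'s body continues past the end of the hunk.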
diff --git a/src/firejail/run_files.c b/src/firejail/run_files.c index 8b8bbae12..6724e2cd8 100644 --- a/src/firejail/run_files.c +++ b/src/firejail/run_files.c | |||
@@ -164,7 +164,8 @@ void set_profile_run_file(pid_t pid, const char *fname) { | |||
164 | free(runfile); | 164 | free(runfile); |
165 | } | 165 | } |
166 | 166 | ||
167 | int set_sandbox_run_file(pid_t pid, pid_t child) { | 167 | static int sandbox_run_file_fd = -1; |
168 | void set_sandbox_run_file(pid_t pid, pid_t child) { | ||
168 | char *runfile; | 169 | char *runfile; |
169 | if (asprintf(&runfile, "%s/%d", RUN_FIREJAIL_SANDBOX_DIR, pid) == -1) | 170 | if (asprintf(&runfile, "%s/%d", RUN_FIREJAIL_SANDBOX_DIR, pid) == -1) |
170 | errExit("asprintf"); | 171 | errExit("asprintf"); |
@@ -172,8 +173,8 @@ int set_sandbox_run_file(pid_t pid, pid_t child) { | |||
172 | EUID_ROOT(); | 173 | EUID_ROOT(); |
173 | // the file is deleted first | 174 | // the file is deleted first |
174 | // this file should be opened with O_CLOEXEC set | 175 | // this file should be opened with O_CLOEXEC set |
175 | int fd = open(runfile, O_CREAT | O_WRONLY | O_TRUNC | O_CLOEXEC, S_IRUSR | S_IWUSR); | 176 | sandbox_run_file_fd = open(runfile, O_CREAT | O_WRONLY | O_TRUNC | O_CLOEXEC, S_IRUSR | S_IWUSR); |
176 | if (fd < 0) { | 177 | if (sandbox_run_file_fd < 0) { |
177 | fprintf(stderr, "Error: cannot create %s\n", runfile); | 178 | fprintf(stderr, "Error: cannot create %s\n", runfile); |
178 | exit(1); | 179 | exit(1); |
179 | } | 180 | } |
@@ -185,7 +186,7 @@ int set_sandbox_run_file(pid_t pid, pid_t child) { | |||
185 | size_t len = strlen(buf); | 186 | size_t len = strlen(buf); |
186 | size_t done = 0; | 187 | size_t done = 0; |
187 | while (done != len) { | 188 | while (done != len) { |
188 | ssize_t rv = write(fd, buf + done, len - done); | 189 | ssize_t rv = write(sandbox_run_file_fd, buf + done, len - done); |
189 | if (rv < 0) | 190 | if (rv < 0) |
190 | errExit("write"); | 191 | errExit("write"); |
191 | done += rv; | 192 | done += rv; |
@@ -193,14 +194,19 @@ int set_sandbox_run_file(pid_t pid, pid_t child) { | |||
193 | 194 | ||
194 | // set exclusive lock on the file | 195 | // set exclusive lock on the file |
195 | // the lock is never inherited, and is released if this process dies ungracefully | 196 | // the lock is never inherited, and is released if this process dies ungracefully |
196 | struct flock sandboxlock = { | 197 | struct flock sandbox_lock = { |
197 | .l_type = F_WRLCK, | 198 | .l_type = F_WRLCK, |
198 | .l_whence = SEEK_SET, | 199 | .l_whence = SEEK_SET, |
199 | .l_start = 0, | 200 | .l_start = 0, |
200 | .l_len = 0, | 201 | .l_len = 0, |
201 | }; | 202 | }; |
202 | if (fcntl(fd, F_SETLK, &sandboxlock) < 0) | 203 | if (fcntl(sandbox_run_file_fd, F_SETLK, &sandbox_lock) < 0) |
203 | errExit("fcntl"); | 204 | errExit("fcntl"); |
205 | } | ||
206 | |||
207 | void release_sandbox_run_file_lock(void) { | ||
208 | assert(sandbox_run_file_fd > -1); | ||
204 | 209 | ||
205 | return fd; | 210 | close(sandbox_run_file_fd); |
211 | sandbox_run_file_fd = -1; | ||
206 | } | 212 | } |
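Review bot: release_sandbox_run_file_lock() at line 207 asserts `sandbox_run_file_fd > -1`, which is an abort() in debug builds and a silent close(-1) under NDEBUG; since main.c calls it from a signal handler as well as on the exit path, the second call (or an early signal) must be harmless rather than fatal, so I would replace the assert with an idempotent guard: `if (sandbox_run_file_fd < 0) return;` followed by the existing close and reset. set_sandbox_run_file() has the mirror-image gap: it overwrites the static at line 176 without checking that a descriptor is not already open, so a second call would leak the earlier fd and its lock for the life of the process; a one-line `assert(sandbox_run_file_fd == -1);` before the open records that invariant cheaply. The comment "the file is deleted first" at line 174 precedes an open(O_CREAT|O_TRUNC) with no unlink in view; if the deletion happens elsewhere the comment should say where, otherwise it should be dropped so nobody relies on it.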