Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/no_sandbox.c | 62 |
1 files changed, 55 insertions, 7 deletions
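--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -23,16 +23,64 @@
 #include <unistd.h>
 #include <grp.h>
 
+#define MAX_BUF 4096
+
+int is_container(const char *str) {
+assert(str);
+if (strcmp(str, "lxc") == 0 ||
+strcmp(str, "docker") == 0 ||
+strcmp(str, "lxc-libvirt") == 0 ||
+strcmp(str, "systemd-nspawn") == 0 ||
+strcmp(str, "rkt") == 0)
+return 1;
+return 0;
+
+
+}
+
 // returns 1 if we are running under LXC
 int check_namespace_virt(void) {
-char *container = getenv("container");
-if (container &&
-(strcmp(container, "lxc") == 0 ||
-strcmp(container, "docker") == 0 ||
-strcmp(container, "lxc-libvirt") == 0 ||
-strcmp(container, "systemd-nspawn") == 0 ||
-strcmp(container, "rkt") == 0))
+EUID_ASSERT();
+
+// check container environment variable
+char *str = getenv("container");
+if (str && is_container(str))
 return 1;
+
+// check PID 1 container environment variable
+EUID_ROOT();
+FILE *fp = fopen("/proc/1/environ", "r");
+if (fp) {
+int c = 0;
+while (c != EOF) {
+// read one line
+char buf[MAX_BUF];
+int i = 0;
+while ((c = fgetc(fp)) != EOF) {
+if (c == 0)
+break;
+buf[i] = (char) c;
+if (++i == (MAX_BUF - 1))
+break;
+}
+buf[i] = '\0';
+
+// check env var name
+if (strncmp(buf, "container=", 10) == 0) {
+// found it
+if (is_container(buf + 10)) {
+fclose(fp);
+EUID_USER();
+return 1;
+}
+}
+// printf("i %d c %d, buf #%s#\n", i, c, buf);
+}
+
+fclose(fp);
+}
+
+EUID_USER();
 return 0;
 }
 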
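Review bot: An entry in /proc/1/environ longer than MAX_BUF-1 bytes is cut off at the `++i == (MAX_BUF - 1)` break and its unread tail is then parsed as if it were the next entry, so a `container=` match can come from the middle of an unrelated variable; drain to the terminating NUL before leaving the inner loop, e.g. `if (++i == (MAX_BUF - 1)) { while ((c = fgetc(fp)) != EOF && c != 0) ; break; }`. The unprivileged `getenv("container")` check still runs first and its value is accepted as-is, so any user can make the function return 1 by exporting `container=lxc` before invoking firejail; if callers relax any sandbox behaviour on that result, only the PID-1 value read under EUID_ROOT() is trustworthy, and the first check should at least be commented as a spoofable hint. The EUID_ROOT()/EUID_USER() pairing is balanced on every return path, which is good, but the commented-out `// printf(...)` debug line should be dropped rather than left in. The header comment `// returns 1 if we are running under LXC` is now inaccurate since is_container() also matches docker, lxc-libvirt, systemd-nspawn and rkt; `// returns 1 if we appear to run inside a container (see is_container())` would fit.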