Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/join.c | 62 | ||||
-rw-r--r-- | src/firejail/util.c | 63 |
3 files changed, 63 insertions, 64 deletions
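--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -426,6 +426,7 @@ void usage(void);
 
 // join.c
 void join(pid_t pid, int argc, char **argv, int index);
+int invalid_sandbox(const pid_t pid);
 pid_t switch_to_child(pid_t pid);
 
 // shutdown.c
@@ -491,7 +492,6 @@ unsigned extract_timeout(const char *str);
 void disable_file_or_dir(const char *fname);
 void disable_file_path(const char *path, const char *file);
 int safe_fd(const char *path, int flags);
-int invalid_sandbox(const pid_t pid);
 int has_handler(pid_t pid, int signal);
 void enter_network_namespace(pid_t pid);
 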
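--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -255,6 +255,68 @@ static void extract_umask(pid_t pid) {
 fclose(fp);
 }
 
+// return 1 if the sandbox identified by pid is not fully set up yet or if
+// it is no firejail sandbox at all, return 0 if the sandbox is complete
+int invalid_sandbox(const pid_t pid) {
+// check if a file "ready-for-join" exists
+char *fname;
+if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_READY_FOR_JOIN) == -1)
+errExit("asprintf");
+EUID_ROOT();
+FILE *fp = fopen(fname, "re");
+EUID_USER();
+free(fname);
+if (!fp)
+return 1;
+// regular file owned by root
+int fd = fileno(fp);
+if (fd == -1)
+errExit("fileno");
+struct stat s;
+if (fstat(fd, &s) == -1)
+errExit("fstat");
+if (!S_ISREG(s.st_mode) || s.st_uid != 0) {
+fclose(fp);
+return 1;
+}
+// check if it is non-empty
+char buf[BUFLEN];
+if (fgets(buf, BUFLEN, fp) == NULL) {
+fclose(fp);
+return 1;
+}
+fclose(fp);
+// confirm "ready" string was written
+if (strncmp(buf, "ready\n", 6) != 0)
+return 1;
+
+// walk down the process tree a few nodes, there should be no firejail leaf
+#define MAXNODES 5
+pid_t current = pid, next;
+int i;
+for (i = 0; i < MAXNODES; i++) {
+if (find_child(current, &next) == 1) {
+// found a leaf
+EUID_ROOT();
+char *comm = pid_proc_comm(current);
+EUID_USER();
+if (!comm) {
+fprintf(stderr, "Error: cannot read /proc file\n");
+exit(1);
+}
+if (strcmp(comm, "firejail") == 0) {
+free(comm);
+return 1;
+}
+free(comm);
+break;
+}
+current = next;
+}
+
+return 0;
+}
+
 pid_t switch_to_child(pid_t pid) {
 EUID_ROOT();
 errno = 0;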
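Review bot: The process-tree walk in `invalid_sandbox` fails open: if no leaf is found within `MAXNODES` iterations, the loop simply ends and the function reaches `return 0`, so the "no firejail leaf" check is never applied to deeper trees. If that is intended, say so next to the loop, e.g. `// trees deeper than MAXNODES are accepted without the leaf check`; otherwise treat the sandbox as not ready with `if (i == MAXNODES) return 1;` after the loop. Separately, the ready-for-join file is opened with root euid through `/proc/<pid>/root` using `fopen`, which follows symlinks in a filesystem view that presumably belongs to the target process; the `fstat` test on the opened descriptor narrows this, but an open that refuses links (the `safe_fd` helper declared in firejail.h may fit, its behaviour is not visible here) would be tighter. The function body appears to be moved unchanged from util.c, so both points predate this commit and could be handled in a follow-up.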
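--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1200,69 +1200,6 @@ errexit:
 exit(1);
 }
 
-
-// return 1 if the sandbox identified by pid is not fully set up yet or if
-// it is no firejail sandbox at all, return 0 if the sandbox is complete
-int invalid_sandbox(const pid_t pid) {
-// check if a file "ready-for-join" exists
-char *fname;
-if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_READY_FOR_JOIN) == -1)
-errExit("asprintf");
-EUID_ROOT();
-FILE *fp = fopen(fname, "re");
-EUID_USER();
-free(fname);
-if (!fp)
-return 1;
-// regular file owned by root
-int fd = fileno(fp);
-if (fd == -1)
-errExit("fileno");
-struct stat s;
-if (fstat(fd, &s) == -1)
-errExit("fstat");
-if (!S_ISREG(s.st_mode) || s.st_uid != 0) {
-fclose(fp);
-return 1;
-}
-// check if it is non-empty
-char buf[BUFLEN];
-if (fgets(buf, BUFLEN, fp) == NULL) {
-fclose(fp);
-return 1;
-}
-fclose(fp);
-// confirm "ready" string was written
-if (strncmp(buf, "ready\n", 6) != 0)
-return 1;
-
-// walk down the process tree a few nodes, there should be no firejail leaf
-#define MAXNODES 5
-pid_t current = pid, next;
-int i;
-for (i = 0; i < MAXNODES; i++) {
-if (find_child(current, &next) == 1) {
-// found a leaf
-EUID_ROOT();
-char *comm = pid_proc_comm(current);
-EUID_USER();
-if (!comm) {
-fprintf(stderr, "Error: cannot read /proc file\n");
-exit(1);
-}
-if (strcmp(comm, "firejail") == 0) {
-free(comm);
-return 1;
-}
-free(comm);
-break;
-}
-current = next;
-}
-
-return 0;
-}
-
 int has_handler(pid_t pid, int signal) {
 if (signal > 0 && signal <= SIGRTMAX) {
 char *fname;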