diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/cgroup.c | 108 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 1 | ||||
-rw-r--r-- | src/firejail/firejail.h | 7 | ||||
-rw-r--r-- | src/firejail/join.c | 23 | ||||
-rw-r--r-- | src/firejail/main.c | 18 | ||||
-rw-r--r-- | src/firejail/profile.c | 15 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 3 |
7 files changed, 0 insertions, 175 deletions
diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c deleted file mode 100644 index c8cb96f98..000000000 --- a/src/firejail/cgroup.c +++ /dev/null | |||
@@ -1,108 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2022 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "firejail.h" | ||
21 | #include "../include/gcov_wrapper.h" | ||
22 | #include <sys/wait.h> | ||
23 | #include <errno.h> | ||
24 | |||
25 | #define MAXBUF 4096 | ||
26 | |||
27 | void save_cgroup(void) { | ||
28 | if (cfg.cgroup == NULL) | ||
29 | return; | ||
30 | |||
31 | FILE *fp = fopen(RUN_CGROUP_CFG, "wxe"); | ||
32 | if (fp) { | ||
33 | fprintf(fp, "%s", cfg.cgroup); | ||
34 | fflush(0); | ||
35 | SET_PERMS_STREAM(fp, 0, 0, 0644); | ||
36 | if (fclose(fp)) | ||
37 | goto errout; | ||
38 | } | ||
39 | else | ||
40 | goto errout; | ||
41 | |||
42 | return; | ||
43 | |||
44 | errout: | ||
45 | fprintf(stderr, "Error: cannot save cgroup\n"); | ||
46 | exit(1); | ||
47 | } | ||
48 | |||
49 | static int is_cgroup_path(const char *fname) { | ||
50 | // path starts with /sys/fs/cgroup | ||
51 | if (strncmp(fname, "/sys/fs/cgroup", 14) != 0) | ||
52 | return 0; | ||
53 | |||
54 | // no .. traversal | ||
55 | char *ptr = strstr(fname, ".."); | ||
56 | if (ptr) | ||
57 | return 0; | ||
58 | |||
59 | return 1; | ||
60 | } | ||
61 | |||
62 | void check_cgroup_file(const char *fname) { | ||
63 | assert(fname); | ||
64 | invalid_filename(fname, 0); // no globbing | ||
65 | |||
66 | if (!is_cgroup_path(fname)) | ||
67 | goto errout; | ||
68 | |||
69 | const char *base = gnu_basename(fname); | ||
70 | if (strcmp(base, "tasks") != 0 && // cgroup v1 | ||
71 | strcmp(base, "cgroup.procs") != 0) | ||
72 | goto errout; | ||
73 | |||
74 | if (access(fname, W_OK) == 0) | ||
75 | return; | ||
76 | |||
77 | errout: | ||
78 | fprintf(stderr, "Error: invalid cgroup\n"); | ||
79 | exit(1); | ||
80 | } | ||
81 | |||
82 | static void do_set_cgroup(const char *fname, pid_t pid) { | ||
83 | FILE *fp = fopen(fname, "ae"); | ||
84 | if (!fp) { | ||
85 | fwarning("cannot open %s for writing: %s\n", fname, strerror(errno)); | ||
86 | return; | ||
87 | } | ||
88 | |||
89 | int rv = fprintf(fp, "%d\n", pid); | ||
90 | (void) rv; | ||
91 | fclose(fp); | ||
92 | } | ||
93 | |||
94 | void set_cgroup(const char *fname, pid_t pid) { | ||
95 | pid_t child = fork(); | ||
96 | if (child < 0) | ||
97 | errExit("fork"); | ||
98 | if (child == 0) { | ||
99 | drop_privs(0); | ||
100 | |||
101 | do_set_cgroup(fname, pid); | ||
102 | |||
103 | __gcov_flush(); | ||
104 | |||
105 | _exit(0); | ||
106 | } | ||
107 | waitpid(child, NULL, 0); | ||
108 | } | ||
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index e1acaf632..33260ce94 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -100,7 +100,6 @@ int checkcfg(int val) { | |||
100 | PARSE_YESNO(CFG_X11, "x11") | 100 | PARSE_YESNO(CFG_X11, "x11") |
101 | PARSE_YESNO(CFG_APPARMOR, "apparmor") | 101 | PARSE_YESNO(CFG_APPARMOR, "apparmor") |
102 | PARSE_YESNO(CFG_BIND, "bind") | 102 | PARSE_YESNO(CFG_BIND, "bind") |
103 | PARSE_YESNO(CFG_CGROUP, "cgroup") | ||
104 | PARSE_YESNO(CFG_NAME_CHANGE, "name-change") | 103 | PARSE_YESNO(CFG_NAME_CHANGE, "name-change") |
105 | PARSE_YESNO(CFG_USERNS, "userns") | 104 | PARSE_YESNO(CFG_USERNS, "userns") |
106 | PARSE_YESNO(CFG_CHROOT, "chroot") | 105 | PARSE_YESNO(CFG_CHROOT, "chroot") |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 7e1d45c01..7930778ca 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -211,7 +211,6 @@ typedef struct config_t { | |||
211 | // cpu affinity, nice and control groups | 211 | // cpu affinity, nice and control groups |
212 | uint32_t cpus; | 212 | uint32_t cpus; |
213 | int nice; | 213 | int nice; |
214 | char *cgroup; | ||
215 | 214 | ||
216 | // command line | 215 | // command line |
217 | char *command_line; | 216 | char *command_line; |
@@ -669,11 +668,6 @@ void set_cpu_affinity(void); | |||
669 | void save_cpu(void); | 668 | void save_cpu(void); |
670 | void cpu_print_filter(pid_t pid) __attribute__((noreturn)); | 669 | void cpu_print_filter(pid_t pid) __attribute__((noreturn)); |
671 | 670 | ||
672 | // cgroup.c | ||
673 | void save_cgroup(void); | ||
674 | void check_cgroup_file(const char *fname); | ||
675 | void set_cgroup(const char *fname, pid_t pid); | ||
676 | |||
677 | // output.c | 671 | // output.c |
678 | void check_output(int argc, char **argv); | 672 | void check_output(int argc, char **argv); |
679 | 673 | ||
@@ -830,7 +824,6 @@ enum { | |||
830 | CFG_BROWSER_ALLOW_DRM, | 824 | CFG_BROWSER_ALLOW_DRM, |
831 | CFG_APPARMOR, | 825 | CFG_APPARMOR, |
832 | CFG_DBUS, | 826 | CFG_DBUS, |
833 | CFG_CGROUP, | ||
834 | CFG_NAME_CHANGE, | 827 | CFG_NAME_CHANGE, |
835 | CFG_SECCOMP_ERROR_ACTION, | 828 | CFG_SECCOMP_ERROR_ACTION, |
836 | // CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv | 829 | // CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv |
diff --git a/src/firejail/join.c b/src/firejail/join.c index 5acdcb060..7e05fc785 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -204,24 +204,6 @@ static void extract_cpu(ProcessHandle sandbox) { | |||
204 | fclose(fp); | 204 | fclose(fp); |
205 | } | 205 | } |
206 | 206 | ||
207 | static void extract_cgroup(ProcessHandle sandbox) { | ||
208 | int fd = process_rootfs_open(sandbox, RUN_CGROUP_CFG); | ||
209 | if (fd < 0) | ||
210 | return; // not configured | ||
211 | |||
212 | FILE *fp = fdopen(fd, "r"); | ||
213 | if (!fp) | ||
214 | errExit("fdopen"); | ||
215 | |||
216 | char buf[BUFLEN]; | ||
217 | if (fgets(buf, BUFLEN, fp)) { | ||
218 | cfg.cgroup = strdup(buf); | ||
219 | if (!cfg.cgroup) | ||
220 | errExit("strdup"); | ||
221 | } | ||
222 | fclose(fp); | ||
223 | } | ||
224 | |||
225 | static void extract_umask(ProcessHandle sandbox) { | 207 | static void extract_umask(ProcessHandle sandbox) { |
226 | int fd = process_rootfs_open(sandbox, RUN_UMASK_FILE); | 208 | int fd = process_rootfs_open(sandbox, RUN_UMASK_FILE); |
227 | if (fd < 0) { | 209 | if (fd < 0) { |
@@ -437,16 +419,11 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
437 | extract_nonewprivs(sandbox); // redundant on Linux >= 4.10; duplicated in function extract_caps | 419 | extract_nonewprivs(sandbox); // redundant on Linux >= 4.10; duplicated in function extract_caps |
438 | extract_caps(sandbox); | 420 | extract_caps(sandbox); |
439 | extract_cpu(sandbox); | 421 | extract_cpu(sandbox); |
440 | extract_cgroup(sandbox); | ||
441 | extract_nogroups(sandbox); | 422 | extract_nogroups(sandbox); |
442 | extract_user_namespace(sandbox); | 423 | extract_user_namespace(sandbox); |
443 | extract_umask(sandbox); | 424 | extract_umask(sandbox); |
444 | } | 425 | } |
445 | 426 | ||
446 | // set cgroup | ||
447 | if (cfg.cgroup) // not available for uid 0 | ||
448 | set_cgroup(cfg.cgroup, getpid()); | ||
449 | |||
450 | // join namespaces | 427 | // join namespaces |
451 | EUID_ROOT(); | 428 | EUID_ROOT(); |
452 | if (arg_join_network) { | 429 | if (arg_join_network) { |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 7081e067f..8bfff4e68 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1012,7 +1012,6 @@ int main(int argc, char **argv, char **envp) { | |||
1012 | int lockfd_network = -1; | 1012 | int lockfd_network = -1; |
1013 | int lockfd_directory = -1; | 1013 | int lockfd_directory = -1; |
1014 | int lockfd_sandboxfile = -1; | 1014 | int lockfd_sandboxfile = -1; |
1015 | int option_cgroup = 0; | ||
1016 | int custom_profile = 0; // custom profile loaded | 1015 | int custom_profile = 0; // custom profile loaded |
1017 | int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot) | 1016 | int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot) |
1018 | int arg_netlock = 0; | 1017 | int arg_netlock = 0; |
@@ -1566,23 +1565,6 @@ int main(int argc, char **argv, char **envp) { | |||
1566 | cfg.nice = 0; | 1565 | cfg.nice = 0; |
1567 | arg_nice = 1; | 1566 | arg_nice = 1; |
1568 | } | 1567 | } |
1569 | else if (strncmp(argv[i], "--cgroup=", 9) == 0) { | ||
1570 | if (checkcfg(CFG_CGROUP)) { | ||
1571 | if (option_cgroup) { | ||
1572 | fprintf(stderr, "Error: only one cgroup can be defined\n"); | ||
1573 | exit(1); | ||
1574 | } | ||
1575 | cfg.cgroup = strdup(argv[i] + 9); | ||
1576 | if (!cfg.cgroup) | ||
1577 | errExit("strdup"); | ||
1578 | |||
1579 | check_cgroup_file(cfg.cgroup); | ||
1580 | set_cgroup(cfg.cgroup, getpid()); | ||
1581 | option_cgroup = 1; | ||
1582 | } | ||
1583 | else | ||
1584 | exit_err_feature("cgroup"); | ||
1585 | } | ||
1586 | 1568 | ||
1587 | //************************************* | 1569 | //************************************* |
1588 | // filesystem | 1570 | // filesystem |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 5bc77263a..daa0a2e92 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -1144,21 +1144,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1144 | return 0; | 1144 | return 0; |
1145 | } | 1145 | } |
1146 | 1146 | ||
1147 | // cgroup | ||
1148 | if (strncmp(ptr, "cgroup ", 7) == 0) { | ||
1149 | if (checkcfg(CFG_CGROUP)) { | ||
1150 | cfg.cgroup = strdup(ptr + 7); | ||
1151 | if (!cfg.cgroup) | ||
1152 | errExit("strdup"); | ||
1153 | |||
1154 | check_cgroup_file(cfg.cgroup); | ||
1155 | set_cgroup(cfg.cgroup, getpid()); | ||
1156 | } | ||
1157 | else | ||
1158 | warning_feature_disabled("cgroup"); | ||
1159 | return 0; | ||
1160 | } | ||
1161 | |||
1162 | // writable-etc | 1147 | // writable-etc |
1163 | if (strcmp(ptr, "writable-etc") == 0) { | 1148 | if (strcmp(ptr, "writable-etc") == 0) { |
1164 | if (cfg.etc_private_keep) { | 1149 | if (cfg.etc_private_keep) { |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 635137feb..4ad9eb678 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -1150,9 +1150,6 @@ int sandbox(void* sandbox_arg) { | |||
1150 | // save cpu affinity mask to CPU_CFG file | 1150 | // save cpu affinity mask to CPU_CFG file |
1151 | save_cpu(); | 1151 | save_cpu(); |
1152 | 1152 | ||
1153 | // save cgroup in CGROUP_CFG file | ||
1154 | save_cgroup(); | ||
1155 | |||
1156 | // set seccomp | 1153 | // set seccomp |
1157 | // install protocol filter | 1154 | // install protocol filter |
1158 | #ifdef SYS_socket | 1155 | #ifdef SYS_socket |