Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 14 | ||||
-rw-r--r-- | src/firejail/profile.c | 14 | ||||
-rw-r--r-- | src/firejail/util.c | 41 | ||||
-rw-r--r-- | src/man/firejail.txt | 2 |
5 files changed, 64 insertions, 8 deletions
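--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -498,6 +498,7 @@ int macro_id(const char *name);
 void errLogExit(char* fmt, ...) __attribute__((noreturn));
 void fwarning(char* fmt, ...);
 void fmessage(char* fmt, ...);
+long long unsigned parse_arg_size(char *str);
 void drop_privs(int nogroups);
 int mkpath_as_root(const char* path);
 void extract_command_name(int index, char **argv);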
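Review bot: The new prototype takes `char *str`, but the definition added in src/firejail/util.c only reads the string. Declaring it as `long long unsigned parse_arg_size(const char *str);` (and matching the definition) documents that the argv and profile buffers passed in are not modified and lets callers pass constant strings without a cast.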
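--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1496,8 +1496,11 @@ int main(int argc, char **argv, char **envp) {
 arg_rlimit_nproc = 1;
 }
 else if (strncmp(argv[i], "--rlimit-fsize=", 15) == 0) {
-check_unsigned(argv[i] + 15, "Error: invalid rlimit");
-sscanf(argv[i] + 15, "%llu", &cfg.rlimit_fsize);
+cfg.rlimit_fsize = parse_arg_size(argv[i] + 15);
+if (cfg.rlimit_fsize == 0) {
+perror("Error: invalid rlimit-fsize. Only use positive numbers and k, m or g suffix.");
+exit(1);
+}
 arg_rlimit_fsize = 1;
 }
 else if (strncmp(argv[i], "--rlimit-sigpending=", 20) == 0) {
@@ -1506,8 +1509,11 @@ int main(int argc, char **argv, char **envp) {
 arg_rlimit_sigpending = 1;
 }
 else if (strncmp(argv[i], "--rlimit-as=", 12) == 0) {
-check_unsigned(argv[i] + 12, "Error: invalid rlimit");
-sscanf(argv[i] + 12, "%llu", &cfg.rlimit_as);
+cfg.rlimit_as = parse_arg_size(argv[i] + 12);
+if (cfg.rlimit_as == 0) {
+perror("Error: invalid rlimit-as. Only use positive numbers and k, m or g suffix.");
+exit(1);
+}
 arg_rlimit_as = 1;
 }
 else if (strncmp(argv[i], "--ipc-namespace", 15) == 0)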
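Review bot: The new error paths for `--rlimit-fsize=` and `--rlimit-as=` report the failure with `perror()`, which appends `: ` and the text for the current `errno`; nothing on these paths sets `errno`, so the user sees an unrelated or stale suffix after the message. `fprintf(stderr, "Error: invalid rlimit-fsize. Only use positive numbers and k, m or g suffix.\n");` says the same without it. The same applies to the two `perror()` calls added in src/firejail/profile.c. Both branches sit inside main()'s option loop, which starts and ends outside the hunks.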
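--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1510,8 +1510,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 arg_rlimit_nproc = 1;
 }
 else if (strncmp(ptr, "rlimit-fsize ", 13) == 0) {
-check_unsigned(ptr + 13, "Error: invalid rlimit in profile file: ");
-sscanf(ptr + 13, "%llu", &cfg.rlimit_fsize);
+cfg.rlimit_fsize = parse_arg_size(ptr + 13);
+if (cfg.rlimit_fsize == 0) {
+perror("Error: invalid rlimit-fsize in profile file. Only use positive numbers and k, m or g suffix.");
+exit(1);
+}
 arg_rlimit_fsize = 1;
 }
 else if (strncmp(ptr, "rlimit-sigpending ", 18) == 0) {
@@ -1520,8 +1523,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 arg_rlimit_sigpending = 1;
 }
 else if (strncmp(ptr, "rlimit-as ", 10) == 0) {
-check_unsigned(ptr + 10, "Error: invalid rlimit in profile file: ");
-sscanf(ptr + 10, "%llu", &cfg.rlimit_as);
+cfg.rlimit_as = parse_arg_size(ptr + 10);
+if (cfg.rlimit_as == 0) {
+perror("Error: invalid rlimit-as in profile file. Only use positive numbers and k, m or g suffix.");
+exit(1);
+}
 arg_rlimit_as = 1;
 }
 else {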
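Review bot: The two new error messages in profile_check_line do not say which profile or line was rejected, although `fname` and `lineno` are parameters of the function per the hunk header. Assuming they identify the line being parsed, something like `fprintf(stderr, "Error: line %d in %s: invalid rlimit-fsize. Only use positive numbers and k, m or g suffix.\n", lineno, fname);` makes a bad value in an included profile much easier to locate. The function body starts and ends outside these hunks, so whether `fname` can be NULL here is not visible.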
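--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -31,6 +31,9 @@
 #include <sys/wait.h>
 #include <limits.h>
 
+#include <string.h>
+#include <ctype.h>
+
 #include <fcntl.h>
 #ifndef O_PATH
 #define O_PATH 010000000
@@ -50,6 +53,44 @@
 #define EMPTY_STRING ("")
 
 
+long long unsigned parse_arg_size(char *str) {
+long long unsigned result = 0;
+int len = strlen(str);
+sscanf(str, "%llu", &result);
+
+char suffix = *(str + len - 1);
+if (!isdigit(suffix) && (suffix == 'k' || suffix == 'm' || suffix == 'g')) {
+len -= 1;
+}
+
+/* checks for is value valid positive number */
+for (int i = 0; i < len; i++) {
+if (!isdigit(*(str+i))) {
+return 0;
+}
+}
+
+if (isdigit(suffix))
+return result;
+
+switch (suffix) {
+case 'k':
+result *= 1024;
+break;
+case 'm':
+result *= 1024 * 1024;
+break;
+case 'g':
+result *= 1024 * 1024 * 1024;
+break;
+default:
+result = 0;
+break;
+}
+
+return result;
+}
+
 // send the error to /var/log/auth.log and exit after a small delay
 void errLogExit(char* fmt, ...) {
 va_list args;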
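Review bot: parse_arg_size can hand back a wrapped value, because neither the `sscanf(str, "%llu", &result)` conversion nor the suffix multiplication (`result *= 1024 * 1024 * 1024`) is range-checked, so an oversized argument silently becomes a different resource limit than the one requested. The function also reads `*(str + len - 1)` before checking that `len` is non-zero, which is one byte before the buffer for an empty string, and passes plain `char` to `isdigit`, which is undefined for negative values. Because 0 doubles as the error value, an explicit limit of 0 can no longer be expressed; if that has to stay supported the error needs a separate channel. The version below keeps the signature and the 0-on-error contract, parses the digits itself with overflow checks against `ULLONG_MAX` (from the already included `<limits.h>`), and rejects empty input and a bare suffix.
```c
long long unsigned parse_arg_size(char *str) {
	long long unsigned result = 0;
	long long unsigned mult = 1;
	size_t len = strlen(str);

	if (len == 0)
		return 0;

	switch (str[len - 1]) {
	case 'k': mult = 1024ULL; len--; break;
	case 'm': mult = 1024ULL * 1024; len--; break;
	case 'g': mult = 1024ULL * 1024 * 1024; len--; break;
	default: break;
	}
	if (len == 0)
		return 0;	/* suffix with no digits in front of it */

	for (size_t i = 0; i < len; i++) {
		if (!isdigit((unsigned char) str[i]))
			return 0;
		unsigned digit = (unsigned) (str[i] - '0');
		if (result > (ULLONG_MAX - digit) / 10)
			return 0;	/* does not fit in unsigned long long */
		result = result * 10 + digit;
	}

	if (result > ULLONG_MAX / mult)
		return 0;	/* suffix multiplication would wrap */
	return result * mult;
}
```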
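--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2129,6 +2129,7 @@ $ firejail --read-only=~/test --read-write=~/test/a
 .TP
 \fB\-\-rlimit-as=number
 Set the maximum size of the process's virtual memory (address space) in bytes.
+Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024).
 
 .TP
 \fB\-\-rlimit-cpu=number
@@ -2142,6 +2143,7 @@ track of CPU seconds for each process independently.
 .TP
 \fB\-\-rlimit-fsize=number
 Set the maximum file size that can be created by a process.
+Use k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base 1024).
 .TP
 \fB\-\-rlimit-nofile=number
 Set the maximum number of files that can be opened by a process.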