8 files changed, 171 insertions, 166 deletions
diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c
index 23906ae48..1802ad5e1 100644
--- a/src/firejail/cpu.c
+++ b/src/firejail/cpu.c
@@ -139,3 +139,81 @@ void set_cpu_affinity(void) {
                                printf("CPU affinity not set\n");
                }
 }
+static void print_cpu(int pid) {
+        char *file;
+        if (asprintf(&file, "/proc/%d/status", pid) == -1) {
+                errExit("asprintf");
+                exit(1);
+        }
+        EUID_ROOT();    // grsecurity
+        FILE *fp = fopen(file, "r");
+        EUID_USER();    // grsecurity
+        if (!fp) {
+                printf("  Error: cannot open %s\n", file);
+                free(file);
+                return;
+        }
+#define MAXBUF 4096     
+        char buf[MAXBUF];
+        while (fgets(buf, MAXBUF, fp)) {
+                if (strncmp(buf, "Cpus_allowed_list:", 18) == 0) {
+                        printf("  %s", buf);
+                        fflush(0);
+                        free(file);
+                        fclose(fp);
+                        return;
+                }
+        }
+        fclose(fp);
+        free(file);
+}
+void cpu_print_filter_name(const char *name) {
+        EUID_ASSERT();
+        if (!name || strlen(name) == 0) {
+                fprintf(stderr, "Error: invalid sandbox name\n");
+                exit(1);
+        }
+        pid_t pid;
+        if (name2pid(name, &pid)) {
+                fprintf(stderr, "Error: cannot find sandbox %s\n", name);
+                exit(1);
+        }
+        cpu_print_filter(pid);
+}
+void cpu_print_filter(pid_t pid) {
+        EUID_ASSERT();
+        
+        // if the pid is that of a firejail  process, use the pid of the first child process
+        EUID_ROOT();    // grsecurity
+        char *comm = pid_proc_comm(pid);
+        EUID_USER();    // grsecurity
+        if (comm) {
+                if (strcmp(comm, "firejail") == 0) {
+                        pid_t child;
+                        if (find_child(pid, &child) == 0) {
+                                pid = child;
+                        }
+                }
+                free(comm);
+        }
+        // check privileges for non-root users
+        uid_t uid = getuid();
+        if (uid != 0) {
+                uid_t sandbox_uid = pid_get_uid(pid);
+                if (uid != sandbox_uid) {
+                        fprintf(stderr, "Error: permission denied.\n");
+                        exit(1);
+                }
+        }
+        print_cpu(pid);
+        exit(0);
+}
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index e50b22b4e..f43f31f02 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -438,6 +438,8 @@ void read_cpu_list(const char *str);
 void set_cpu_affinity(void);
 void load_cpu(const char *fname);
 void save_cpu(void);
+void cpu_print_filter_name(const char *name);
+void cpu_print_filter(pid_t pid);
 // cgroup.c
 void save_cgroup(void);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 166ca1b89..c9954d8c7 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -437,6 +437,15 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                exit(0);
        }
 #endif
+        else if (strncmp(argv[i], "--cpu.print=", 12) == 0) {
+                // join sandbox by pid or by name
+                pid_t pid;
+                if (read_pid(argv[i] + 12, &pid) == 0)          
+                        cpu_print_filter(pid);
+                else
+                        cpu_print_filter_name(argv[i] + 12);
+                exit(0);
+        }
        else if (strncmp(argv[i], "--caps.print=", 13) == 0) {
                // join sandbox by pid or by name
                pid_t pid;
@@ -726,6 +735,7 @@ int main(int argc, char **argv) {
                            strncmp(argv[i], "--dns.print=", 12) == 0 ||
                            strncmp(argv[i], "--bandwidth=", 12) == 0 ||
                            strncmp(argv[i], "--caps.print=", 13) == 0 ||
+                            strncmp(argv[i], "--cpu.print=", 12) == 0 ||
 //********************************************************************************
 // todo: fix the following problems
                            strncmp(argv[i], "--join=", 7) == 0 ||
@@ -787,8 +797,10 @@ int main(int argc, char **argv) {
                char *comm = pid_proc_comm(ppid);
                EUID_USER();
                if (comm) {
-                        if (strcmp(comm, "sshd") == 0)
+                        if (strcmp(comm, "sshd") == 0) {
+                                arg_quiet = 1;
                                parent_sshd = 1;
+                        }
                        free(comm);
                }
        }
@@ -817,9 +829,11 @@ int main(int argc, char **argv) {
                run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized
                
                if (strcmp(argv[i], "--debug") == 0) {
-                        arg_debug = 1;
+                        if (!arg_quiet) {
-                        if (option_force)
+                                arg_debug = 1;
-                                printf("Entering sandbox-in-sandbox mode\n");
+                                if (option_force)
+                                        printf("Entering sandbox-in-sandbox mode\n");
+                        }
                }
                else if (strcmp(argv[i], "--debug-check-filename") == 0)
                        arg_debug_check_filename = 1;
@@ -827,8 +841,10 @@ int main(int argc, char **argv) {
                        arg_debug_blacklists = 1;
                else if (strcmp(argv[i], "--debug-whitelists") == 0)
                        arg_debug_whitelists = 1;
-                else if (strcmp(argv[i], "--quiet") == 0)
+                else if (strcmp(argv[i], "--quiet") == 0) {
                        arg_quiet = 1;
+                        arg_debug = 0;
+                }
                else if (strcmp(argv[i], "--force") == 0)
                        ;
diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c
index da4e9d332..ee6e94957 100644
--- a/src/firejail/restricted_shell.c
+++ b/src/firejail/restricted_shell.c
@@ -61,7 +61,20 @@ int restricted_shell(const char *user) {
                ptr = strchr(args, '\n');
                if (ptr)
                        *ptr = '\0';
-                        
+                
+                // if nothing follows, continue
+                char *ptr2 = args;
+                int found = 0;
+                while (*ptr2 != '\0') {
+                        if (*ptr2 != ' ' && *ptr2 != '\t') {
+                                found = 1;
+                                break;
+                        }
+                }
+                if (!found)
+                        continue;
+                
+                // process user
                if (strcmp(user, usr) == 0) {
                        restricted_user = strdup(user);
                        // extract program arguments
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index ccddeb888..d148c1f40 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -131,9 +131,16 @@ static void chk_chroot(void) {
 }
 static int monitor_application(pid_t app_pid) {
        int status;
        while (app_pid) {
                usleep(20000);
+                char *msg;
+                if (asprintf(&msg, "monitoring pid %d\n", app_pid) == -1)
+                        errExit("asprintf");
+                logmsg(msg);
+                free(msg);
                pid_t rv;
                do {
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 597005128..3e4a0d1c3 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -56,6 +56,8 @@ void usage(void) {
        printf("    --chroot=dirname - chroot into directory.\n\n");
 #endif
        printf("    --cpu=cpu-number,cpu-number - set cpu affinity.\n\n");
+        printf("    --cpu.print=name|pid - print the cup in use by the sandbox identified\n");
+        printf("\tby name or PID.\n\n");
        printf("    --csh - use /bin/csh as default shell.\n\n");
        
        printf("    --debug - print sandbox debug messages.\n\n");
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt
index 2825ca4cf..6cd9ce3cb 100644
--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -11,7 +11,7 @@ a user name followed by the arguments passed to firejail. The format is as follo
 Example:
-        netblue:--debug --net=none
+        netblue:--net=none --protocol=unix
 .SH RESTRICTED SHELL
 To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 509461f0d..60c53378a 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -161,8 +161,8 @@ make the whitelist read-only. Example:
 .br
 $ firejail --whitelist=~/work --read-only=~/ --read-only=~/work
 .TP
-\fB\-\-caps.print=name
+\fB\-\-caps.print=name|pid
-Print the caps filter for the sandbox identified by name.
+Print the caps filter for the sandbox identified by name or by PID.
 .br
 .br
@@ -170,13 +170,7 @@ Example:
 .br
 $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
 .br
-[...]
-.br
 $ firejail \-\-caps.print=mygame
-.TP
-\fB\-\-caps.print=pid
-Print the caps filter for a sandbox identified by PID.
 .br
 .br
@@ -221,6 +215,28 @@ Example:
 $ firejail \-\-cpu=0,1 handbrake
 .TP
+\fB\-\-cpu.print=name|pid
+Print the CPU cores in use by the sandbox identified by name or by PID.
+.br
+.br
+Example:
+.br
+$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
+.br
+$ firejail \-\-cpu.print=mygame
+.br
+.br
+Example:
+.br
+$ firejail \-\-list
+.br
+3272:netblue:firejail \-\-private firefox
+.br
+$ firejail \-\-cpu.print=3272
+.TP
 \fB\-\-csh
 Use /bin/csh as default user shell.
 .br
@@ -327,8 +343,8 @@ Example:
 $ firejail \-\-dns=8.8.8.8 \-\-dns=8.8.4.4 firefox
 .TP
-\fB\-\-dns.print=name
+\fB\-\-dns.print=name|pid
-Print DNS configuration for a sandbox identified by name.
+Print DNS configuration for a sandbox identified by name or by PID.
 .br
 .br
@@ -336,13 +352,7 @@ Example:
 .br
 $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
 .br
-[...]
-.br
 $ firejail \-\-dns.print=mygame
-.TP
-\fB\-\-dns.print=pid
-Print DNS configuration for a sandbox identified by PID.
 .br
 .br
@@ -372,8 +382,8 @@ There could be lots of reasons for it to fail, for example if the existing sandb
 admin capabilities, SUID binaries, or if it runs seccomp.
 .TP
-\fB\-\-fs.print=name
+\fB\-\-fs.print=name|print
-Print the filesystem log for the sandbox identified by name.
+Print the filesystem log for the sandbox identified by name or by PID.
 .br
 .br
@@ -381,13 +391,7 @@ Example:
 .br
 $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
 .br
-[...]
-.br
 $ firejail \-\-fs.print=mygame
-.TP
-\fB\-\-fs.print=pid
-Print the filesystem log for a sandbox identified by PID.
 .br
 .br
@@ -496,13 +500,12 @@ Example:
 .br
 $ firejail \-\-ipc-namespace firefox
 .TP
-\fB\-\-join=name
+\fB\-\-join=name|pid
-Join the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.
+Join the sandbox identified by name or by PID. By default a /bin/bash shell is started after joining the sandbox.
 If a program is specified, the program is run in the sandbox. If \-\-join command is issued as a regular user,
 all security filters are configured for the new process the same they are configured in the sandbox.
 If \-\-join command is issued as root, the security filters, cgroups and cpus configurations are not applied
 to the process joining the sandbox.
 .br
 .br
@@ -510,18 +513,7 @@ Example:
 .br
 $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
 .br
-[...]
-.br
 $ firejail \-\-join=mygame
-.TP
-\fB\-\-join=pid
-Join the sandbox identified by process ID. By default a /bin/bash shell is started after joining the sandbox.
-If a program is specified, the program is run in the sandbox. If \-\-join command is issued as a regular user,
-all security filters are configured for the new process the same they are configured in the sandbox.
-If \-\-join command is issued as root, the security filters, cgroups and cpus configurations are not applied
-to the process joining the sandbox.
 .br
 .br
@@ -534,19 +526,13 @@ $ firejail \-\-list
 $ firejail \-\-join=3272
 .TP
-\fB\-\-join-filesystem=name
+\fB\-\-join-filesystem=name|pid
-Join the mount namespace of the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.
+Join the mount namespace of the sandbox identified by name or PID. By default a /bin/bash shell is started after joining the sandbox.
 If a program is specified, the program is run in the sandbox. This command is available only to root user.
 Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
 .TP
-\fB\-\-join-filesystem=pid
+\fB\-\-join-network=name|PID
-Join the mount namespace of the sandbox identified by process ID. By default a /bin/bash shell is started after joining the sandbox.
-If a program is specified, the program is run in the sandbox. This command is available only to root user.
-Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
-.TP
-\fB\-\-join-network=name
 Join the network namespace of the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.
 If a program is specified, the program is run in the sandbox. This command is available only to root user.
 Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox. Example:
@@ -602,19 +588,9 @@ Switching to pid 1932, the first child process inside the sandbox
       valid_lft forever preferred_lft forever
 .TP
-\fB\-\-join-network=pid
-Join the network namespace of the sandbox identified by process ID. By default a /bin/bash shell is started after joining the sandbox.
-If a program is specified, the program is run in the sandbox. This command is available only to root user.
-Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
-.TP
 \fB\-\-ls=name|pid dir_or_filename
 List files in sandbox container, see \fBFILE TRANSFER\fR section for more details.
-\fB
 .TP
 \fB\-\-list
 List all sandboxes, see \fBMONITORING\fR section for more details.
@@ -1119,8 +1095,8 @@ Example:
 .br
 $ firejail \-\-protocol=unix,inet,inet6 firefox
 .TP
-\fB\-\-protocol.print=name
+\fB\-\-protocol.print=name|pid
-Print the protocol filter for the sandbox identified by name.
+Print the protocol filter for the sandbox identified by name or PID.
 .br
 .br
@@ -1128,15 +1104,9 @@ Example:
 .br
 $ firejail \-\-name=mybrowser firefox &
 .br
-[...]
-.br
 $ firejail \-\-protocol.print=mybrowser
 .br
 unix,inet,inet6,netlink
-.TP
-\fB\-\-protocol.print=pid
-Print the protocol filter for a sandbox identified by PID.
 .br
 .br
@@ -1256,8 +1226,8 @@ $ rm testfile
 rm: cannot remove `testfile': Operation not permitted
 .TP
-\fB\-\-seccomp.print=name
+\fB\-\-seccomp.print=name|PID
-Print the seccomp filter for the sandbox started using \-\-name option.
+Print the seccomp filter for the sandbox identified by name or PID.
 .br
 .br
@@ -1321,72 +1291,6 @@ SECCOMP Filter:
 .br
 $ 
 .TP
-\fB\-\-seccomp.print=pid
-Print the seccomp filter for the sandbox specified by process ID. Use \-\-list option to get a list of all active sandboxes.
-.br
-.br
-Example:
-.br
-$ firejail \-\-list
-.br
-10786:netblue:firejail \-\-name=browser firefox 
-$ firejail \-\-seccomp.print=10786
-.br
-SECCOMP Filter:
-.br
-  VALIDATE_ARCHITECTURE
-.br
-  EXAMINE_SYSCAL
-.br
-  BLACKLIST 165 mount
-.br
-  BLACKLIST 166 umount2
-.br
-  BLACKLIST 101 ptrace
-.br
-  BLACKLIST 246 kexec_load
-.br
-  BLACKLIST 304 open_by_handle_at
-.br
-  BLACKLIST 175 init_module
-.br
-  BLACKLIST 176 delete_module
-.br
-  BLACKLIST 172 iopl
-.br
-  BLACKLIST 173 ioperm
-.br
-  BLACKLIST 167 swapon
-.br
-  BLACKLIST 168 swapoff
-.br
-  BLACKLIST 103 syslog
-.br
-  BLACKLIST 310 process_vm_readv
-.br
-  BLACKLIST 311 process_vm_writev
-.br
-  BLACKLIST 133 mknod
-.br
-  BLACKLIST 139 sysfs
-.br
-  BLACKLIST 156 _sysctl
-.br
-  BLACKLIST 159 adjtimex
-.br
-  BLACKLIST 305 clock_adjtime
-.br
-  BLACKLIST 212 lookup_dcookie
-.br
-  BLACKLIST 298 perf_event_open
-.br
-  BLACKLIST 300 fanotify_init
-.br
-  RETURN_ALLOW
-.br
-$ 
-.TP
 \fB\-\-shell=none
 Run the program directly, without a user shell.
 .br
@@ -1407,8 +1311,8 @@ shell.
 Example:
 $firejail \-\-shell=/bin/dash script.sh
 .TP
-\fB\-\-shutdown=name
+\fB\-\-shutdown=name|PID
-Shutdown the sandbox started using \-\-name option.
+Shutdown the sandbox identified by name or PID.
 .br
 .br
@@ -1416,12 +1320,7 @@ Example:
 .br
 $ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
 .br
-[...]
-.br
 $ firejail \-\-shutdown=mygame
-.TP
-\fB\-\-shutdown=pid
-Shutdown the sandbox specified by process ID. Use \-\-list option to get a list of all active sandboxes.
 .br
 .br
@@ -1682,25 +1581,13 @@ These features allow the user to inspect the filesystem container of an existing
 and transfer files from the container to the host filesystem.
 .TP
-\fB\-\-get=name filename
+\fB\-\-get=name|pid filename
-Retrieve the container file and store it on the host in the current working directory.
-The container is specified by name (\-\-name option). Full path is needed for filename.
-.TP
-\fB\-\-get=pid filename
 Retrieve the container file and store it on the host in the current working directory.
-The container is specified by process ID. Full path is needed for filename.
+The container is specified by name or PID. Full path is needed for filename.
 .TP
-\fB\-\-ls=name dir_or_filename
+\fB\-\-ls=name|pid dir_or_filename
-List container files.
+List container files. The container is specified by name or PID.
-The container is specified by name (\-\-name option).
-Full path is needed for dir_or_filename.
-.TP
-\fB\-\-ls=pid dir_or_filename
-List container files.
-The container is specified by process ID.
 Full path is needed for dir_or_filename.
 .TP
@@ -1739,15 +1626,15 @@ The shaper works at sandbox level, and can be used only for sandboxes configured
 Set rate-limits:
-        firejail --bandwidth={name|pid} set network download upload
+        firejail --bandwidth=name|pid set network download upload
 Clear rate-limits:
-        firejail --bandwidth={name|pid} clear network
+        firejail --bandwidth=name|pid clear network
 Status:
-        firejail --bandwidth={name|pid} status
+        firejail --bandwidth=name|pid status
 where:
 .br