Diffstat (limited to 'src')
-rw-r--r--src/firejail/main.c32
-rw-r--r--src/firemon/firemon.c73
-rw-r--r--src/firemon/firemon.h2
-rw-r--r--src/firemon/tree.c4
-rw-r--r--src/include/common.h1
-rw-r--r--src/lib/common.c21
-rw-r--r--src/lib/pid.c1
7 files changed, 89 insertions, 45 deletions
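--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -494,25 +494,39 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 		exit(0);
 	}
 	else if (strcmp(argv[i], "--list") == 0) {
-		int rv = sbox_run(SBOX_ROOT| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
-		exit(rv);
+		if (pid_hidepid())
+			sbox_run(SBOX_ROOT| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
+		else
+			sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
+		exit(0);
 	}
 	else if (strcmp(argv[i], "--tree") == 0) {
-		int rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
-		exit(rv);
+		if (pid_hidepid())
+			sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
+		else
+			sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
+		exit(0);
 	}
 	else if (strcmp(argv[i], "--top") == 0) {
-		int rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
-			2, PATH_FIREMON, "--top");
-		exit(rv);
+		if (pid_hidepid())
+			sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
+				2, PATH_FIREMON, "--top");
+		else
+			sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
+				2, PATH_FIREMON, "--top");
+		exit(0);
 	}
 #ifdef HAVE_NETWORK
 	else if (strcmp(argv[i], "--netstats") == 0) {
 		if (checkcfg(CFG_NETWORK)) {
 			struct stat s;
-			int rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
+			if (stat("/proc/sys/kernel/grsecurity", &s) == 0 || pid_hidepid())
+				sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
 				2, PATH_FIREMON, "--netstats");
-			exit(rv);
+			else
+				sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
+					2, PATH_FIREMON, "--netstats");
+			exit(0);
 		}
 		else {
 			fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");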
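Review bot: Each of the four rewritten branches now ends in `exit(0)` no matter what `sbox_run()` returned, whereas the removed lines propagated the child's status with `exit(rv)`; a firemon run that fails inside the sandbox now reports success to the caller, so keep `int rv;` before the `if`, assign `rv = sbox_run(...)` in both arms, and finish with `exit(rv);`. A second point on the same lines: `pid_hidepid()` is documented in this commit as returning 1 when /proc/mounts cannot be opened, so any failure to read the mount table selects the `SBOX_ROOT` arm rather than the lower-privilege `SBOX_USER` one; if that is the intended fallback, a comment such as `// unreadable /proc/mounts is treated as hidepid: firemon runs as root` next to the first `if (pid_hidepid())` would make it deliberate rather than accidental. run_cmd_and_exit() starts before this hunk and continues past it.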
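--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
@@ -35,6 +35,9 @@ static int arg_caps = 0;
 static int arg_cpu = 0;
 static int arg_cgroup = 0;
 static int arg_x11 = 0;
+static int arg_top = 0;
+static int arg_list = 0;
+static int arg_netstats = 0;
 int arg_nowrap = 0;
 
 static struct termios tlocal; // startup terminal setting
@@ -118,53 +121,39 @@ int main(int argc, char **argv) {
 		}
 
 		// options without a pid argument
-		else if (strcmp(argv[i], "--top") == 0) {
-			top(); // never to return
-		}
-		else if (strcmp(argv[i], "--list") == 0) {
-			list();
-			return 0;
-		}
+		else if (strcmp(argv[i], "--top") == 0)
+			arg_top = 1;
+		else if (strcmp(argv[i], "--list") == 0)
+			arg_list = 1;
+		else if (strcmp(argv[i], "--tree") == 0)
+			arg_tree = 1;
 		else if (strcmp(argv[i], "--netstats") == 0) {
 			struct stat s;
 			if (getuid() != 0 && stat("/proc/sys/kernel/grsecurity", &s) == 0) {
 				fprintf(stderr, "Error: this feature is not available on Grsecurity systems\n");
 				exit(1);
 			}
-
-			netstats();
-			return 0;
+			arg_netstats = 1;
 		}
 
 
 		// cumulative options with or without a pid argument
-		else if (strcmp(argv[i], "--x11") == 0) {
+		else if (strcmp(argv[i], "--x11") == 0)
 			arg_x11 = 1;
-		}
-		else if (strcmp(argv[i], "--cgroup") == 0) {
+		else if (strcmp(argv[i], "--cgroup") == 0)
 			arg_cgroup = 1;
-		}
-		else if (strcmp(argv[i], "--cpu") == 0) {
+		else if (strcmp(argv[i], "--cpu") == 0)
 			arg_cpu = 1;
-		}
-		else if (strcmp(argv[i], "--seccomp") == 0) {
+		else if (strcmp(argv[i], "--seccomp") == 0)
 			arg_seccomp = 1;
-		}
-		else if (strcmp(argv[i], "--caps") == 0) {
+		else if (strcmp(argv[i], "--caps") == 0)
 			arg_caps = 1;
-		}
-		else if (strcmp(argv[i], "--tree") == 0) {
-			arg_tree = 1;
-		}
-		else if (strcmp(argv[i], "--interface") == 0) {
+		else if (strcmp(argv[i], "--interface") == 0)
 			arg_interface = 1;
-		}
-		else if (strcmp(argv[i], "--route") == 0) {
+		else if (strcmp(argv[i], "--route") == 0)
 			arg_route = 1;
-		}
-		else if (strcmp(argv[i], "--arp") == 0) {
+		else if (strcmp(argv[i], "--arp") == 0)
 			arg_arp = 1;
-		}
 
 		else if (strncmp(argv[i], "--name=", 7) == 0) {
 			char *name = argv[i] + 7;
@@ -201,8 +190,28 @@ int main(int argc, char **argv) {
 		}
 	}
 
-	if (arg_tree)
-		tree((pid_t) pid);
+	// allow only root user if /proc is mounted hidepid
+	if (pid_hidepid() && getuid() != 0) {
+		fprintf(stderr, "Error: /proc is mounted hidepid, you would need to be root to run this command\n");
+		exit(1);
+	}
+
+	if (arg_top)
+		top(); // never to return
+	if (arg_tree) {
+		tree();
+		return 0;
+	}
+	if (arg_list) {
+		list();
+		return 0;
+	}
+	if (arg_netstats) {
+		netstats();
+		return 0;
+	}
+
+	// cumulative options
 	if (arg_interface)
 		interface((pid_t) pid);
 	if (arg_route)
@@ -220,7 +229,7 @@ int main(int argc, char **argv) {
 	if (arg_x11)
 		x11((pid_t) pid);
 
-	if (!arg_route && !arg_arp && !arg_interface && !arg_tree && !arg_caps && !arg_seccomp && !arg_x11)
+	if (!arg_interface && !arg_route && !arg_arp && !arg_seccomp && !arg_caps && !arg_cgroup && !arg_x11)
 		procevent((pid_t) pid); // never to return
 
 	return 0;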
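Review bot: The guard before `procevent()` on the last changed line gains `!arg_cgroup` but still omits `arg_cpu`, so a run with only `--cpu` would print its output and then fall through into `procevent()`, which the comment says never returns; if `cpu((pid_t) pid)` is called in the stretch between this hunk and the previous one (not visible here), the condition should read `if (!arg_interface && !arg_route && !arg_arp && !arg_seccomp && !arg_caps && !arg_cpu && !arg_cgroup && !arg_x11)`. The omission predates this commit, so it may be deliberate, but the commit touched the list and is the natural place to settle it, ideally with a one-line comment stating which options are "cumulative" and therefore suppress the event monitor. main() begins and ends outside the hunks shown.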
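--- a/src/firemon/firemon.h
+++ b/src/firemon/firemon.h
@@ -75,7 +75,7 @@ void cpu(pid_t pid);
 void cgroup(pid_t pid);
 
 // tree.c
-void tree(pid_t pid);
+void tree(void);
 
 // netstats.c
 void netstats(void);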
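--- a/src/firemon/tree.c
+++ b/src/firemon/tree.c
@@ -19,8 +19,8 @@
 */
 #include "firemon.h"
 
-void tree(pid_t pid) {
-	pid_read(pid); // include all processes
+void tree(void) {
+	pid_read(0); // include all processes
 
 	// print processes
 	int i;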
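--- a/src/include/common.h
+++ b/src/include/common.h
@@ -114,4 +114,5 @@ int name2pid(const char *name, pid_t *pid);
 char *pid_proc_comm(const pid_t pid);
 char *pid_proc_cmdline(const pid_t pid);
 int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid);
+int pid_hidepid(void);
 #endif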
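--- a/src/lib/common.c
+++ b/src/lib/common.c
@@ -260,5 +260,26 @@ int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid) {
 	return 0;
 }
 
+// return 1 if /proc is mounted hidepid, or if /proc/mouns access is denied
+#define BUFLEN 4096
+int pid_hidepid(void) {
+	FILE *fp = fopen("/proc/mounts", "r");
+	if (!fp)
+		return 1;
+
+	char buf[BUFLEN];
+	while (fgets(buf, BUFLEN, fp)) {
+		if (strstr(buf, "proc /proc proc")) {
+			fclose(fp);
+			// check hidepid
+			if (strstr(buf, "hidepid=2") || strstr(buf, "hidepid=1"))
+				return 1;
+			return 0;
+		}
+	}
+
+	return 0;
+}
+
 
 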
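Review bot: `pid_hidepid()` leaks the `FILE *` whenever no line of /proc/mounts matches `"proc /proc proc"`: `fclose(fp)` is only reached inside the matching branch, so the trailing `return 0;` exits with the stream still open; add `fclose(fp);` immediately before that return. The match is also looser than it reads, since `strstr(buf, "proc /proc proc")` and the two `hidepid=` probes scan the whole line rather than the mount-options field, so a mount entry whose other fields happen to contain those substrings is accepted; tokenising the line on spaces and inspecting the fourth field would make the answer exact. The header comment has a typo, `/proc/mouns` for `/proc/mounts`, and since that comment states the fail-closed contract (return 1 when the file cannot be read), which main.c now relies on to choose the sandbox, it is worth keeping accurate.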
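--- a/src/lib/pid.c
+++ b/src/lib/pid.c
@@ -29,7 +29,6 @@
 //Process pids[max_pids];
 Process *pids = NULL;
 int max_pids=32769;
-#define PIDS_BUFLEN 4096
 
 // get the memory associated with this pid
 void pid_getmem(unsigned pid, unsigned *rss, unsigned *shared) {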