From 10c7565f9d414d745122dac2e441f5e816db7843 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 5 Apr 2016 13:17:20 -0400 Subject: grsecurity: --caps.print --- src/firejail/caps.c | 4 ++++ src/firemon/firemon.c | 9 ++++++++- src/firemon/usage.c | 3 ++- src/man/firejail.txt | 2 +- src/man/firemon.txt | 3 ++- test/caps-print.exp | 29 +++++++++++++++++++++++++++++ test/test.sh | 3 +++ 7 files changed, 49 insertions(+), 4 deletions(-) create mode 100755 test/caps-print.exp diff --git a/src/firejail/caps.c b/src/firejail/caps.c index 896293fd1..6b934bda6 100644 --- a/src/firejail/caps.c +++ b/src/firejail/caps.c @@ -373,7 +373,9 @@ static uint64_t extract_caps(int pid) { exit(1); } + EUID_ROOT(); // grsecurity FILE *fp = fopen(file, "r"); + EUID_USER(); // grsecurity if (!fp) { printf("Error: cannot open %s\n", file); free(file); @@ -417,7 +419,9 @@ void caps_print_filter(pid_t pid) { EUID_ASSERT(); // if the pid is that of a firejail process, use the pid of the first child process + EUID_ROOT(); // grsecurity char *comm = pid_proc_comm(pid); + EUID_USER(); // grsecurity if (comm) { if (strcmp(comm, "firejail") == 0) { pid_t child; diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c index 0e38696ac..9c3558362 100644 --- a/src/firemon/firemon.c +++ b/src/firemon/firemon.c @@ -23,7 +23,8 @@ #include #include #include - +#include + static int arg_route = 0; static int arg_arp = 0; @@ -111,6 +112,12 @@ int main(int argc, char **argv) { unsigned pid = 0; int i; + struct stat s; + if (getuid() != 0 &&stat("/proc/sys/kernel/grsecurity", &s) == 0) { + fprintf(stderr, "Error: on Grsecurity systems only root user can run this program\n"); + exit(1); + } + // handle CTRL-C signal (SIGINT, my_handler); signal (SIGTERM, my_handler); diff --git a/src/firemon/usage.c b/src/firemon/usage.c index 926e1c89f..74a2a61f0 100644 --- a/src/firemon/usage.c +++ b/src/firemon/usage.c 
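Review bot: In extract_caps the new EUID_ROOT() bracket around `fopen(file, "r")` opens the status file with root privileges for whatever pid the caller supplied, and nothing visible in this hunk checks that the target process belongs to the invoking user. On a system that hides other users' /proc entries, this presumably lets any local user print the capability set of any process; the same applies to the `pid_proc_comm(pid)` call wrapped in caps_print_filter in the next hunk. Consider comparing the owner of the target process with `getuid()` before raising privileges, and refusing when they differ and the caller is not root. The elevated window itself is kept to a single call before EUID_USER(), which is the right shape. extract_caps starts and ends outside the hunk, so such a check may already exist in a caller.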
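Review bot: The `// grsecurity` tag on the two lines added around `pid_proc_comm(pid)` does not say why root is needed, which makes the elevated region easy to widen by accident in a later edit. A fuller comment would help, for example `// grsecurity: /proc/<pid> may be unreadable for the calling user; read comm as root and drop back at once`. The reason given there is inferred from the commit subject and should be confirmed by the author. The body of caps_print_filter continues outside the hunk.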
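Review bot: The grsecurity test added at the top of main is a heuristic rather than a guarantee: `stat("/proc/sys/kernel/grsecurity", &s) == 0` succeeds only when that sysctl directory is exposed, so a hardened kernel built without it would presumably pass the check and firemon would fail later while reading /proc. The check also runs before any option handling visible here, so a non-root user on such a system probably cannot reach the usage output that now documents the restriction. Moving the check after the help option is handled, and fixing the spacing in `getuid() != 0 &&stat(`, would address both; since `s` is never read, `access("/proc/sys/kernel/grsecurity", F_OK)` would do. main continues outside the hunk.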
@@ -24,7 +24,8 @@ void usage(void) { printf("Usage: firemon [OPTIONS] [PID]\n\n"); printf("Monitor processes started in a Firejail sandbox. Without any PID specified,\n"); printf("all processes started by Firejail are monitored. Descendants of these processes\n"); - printf("are also being monitored.\n\n"); + printf("are also being monitored. On Grsecurity systems only root user\n"); + printf("can run this program.\n\n"); printf("Options:\n"); printf("\t--arp - print ARP table for each sandbox.\n\n"); printf("\t--caps - print capabilities configuration for each sandbox.\n\n"); diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 24dbff67a..2f3fb6d01 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -118,7 +118,7 @@ The filter is applied to all processes started in the sandbox. .br Example: .br -$ sudo firejail \-\-caps "/etc/init.d/nginx start && sleep inf" +$ sudo firejail \-\-caps /etc/init.d/nginx start .TP \fB\-\-caps.drop=all diff --git a/src/man/firemon.txt b/src/man/firemon.txt index 906b5cd9a..ef99b0927 100644 --- a/src/man/firemon.txt +++ b/src/man/firemon.txt @@ -6,7 +6,8 @@ firemon [OPTIONS] [PID] .SH DESCRIPTION Firemon monitors programs started in a Firejail sandbox. Without a PID specified, all processes started by Firejail are monitored. Descendants of -these processes are also being monitored. +these processes are also being monitored. On Grsecurity systems only root user +can run this program. .SH OPTIONS .TP \fB\-\-arp diff --git a/test/caps-print.exp b/test/caps-print.exp new file mode 100755 index 000000000..39e5ec50a --- /dev/null +++ b/test/caps-print.exp 
@@ -0,0 +1,29 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --name=test\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 2 + +spawn $env(SHELL) +send -- "firejail --caps.print=test\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "setgid - disabled" +} +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "setuid - disabled" +} +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "net_raw - disabled" +} +sleep 1 +puts "\nall done\n" diff --git a/test/test.sh b/test/test.sh index 2dcb89f2a..99ca4287d 100755 --- a/test/test.sh +++ b/test/test.sh @@ -6,6 +6,9 @@ ./fscheck.sh +echo "TESTING: caps.print (caps-print.exp) +./caps-print.exp + echo "TESTING: sound (sound.exp)" ./sound.exp -- cgit v1.2.3-54-g00ecf
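Review bot: Every timeout branch in this script ends with a bare `exit`, which returns status 0, so a failed match is visible only as a "TESTING ERROR n" line in the output. Returning a non-zero status, e.g. `timeout {puts "TESTING ERROR 1\n";exit 1}`, would let test.sh or a CI job detect the failure without scraping text. The three expected strings cover only the default sandbox, so the elevated /proc reads added by this commit are presumably exercised only when the suite runs on a grsecurity kernel.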
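Review bot: The added line `echo "TESTING: caps.print (caps-print.exp)` is missing its closing double quote. The string therefore runs on across `./caps-print.exp` up to the quote that opens the sound test's message, so the new test is never invoked and the shell will most likely stop with a syntax error at that point. The line should read `echo "TESTING: caps.print (caps-print.exp)"`.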