From 19302eb4a3f6d8594f87019018a434439ff4bde4 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 10 Oct 2016 08:30:54 -0400 Subject: 0.9.38.4 testing --- RELNOTES | 4 ++-- configure | 18 +++++++++--------- configure.ac | 2 +- src/firejail/firejail.h | 1 + src/firejail/join.c | 8 ++++++++ src/firejail/main.c | 1 + src/firejail/sandbox.c | 26 +------------------------- src/firejail/util.c | 14 ++++++++++++++ 8 files changed, 37 insertions(+), 37 deletions(-) diff --git a/RELNOTES b/RELNOTES index 493f411ff..4b5b66287 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,7 +1,7 @@ firejail (0.9.38.3) baseline; urgency=low - * this is a development version for LTS branch + * CVE-2016-7545 submitted by Aleksey Manevich * bugfixes - -- netblue30 Tue, 23 Aug 2016 10:00:00 -0500 + -- netblue30 Mon, 10 Oct 2016 10:00:00 -0500 firejail (0.9.38.2) baseline; urgency=low * security: --whitelist deleted files, submitted by Vasya Novikov diff --git a/configure b/configure index 625ccbcbe..2f3b7a9b7 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for firejail 0.9.38.3. +# Generated by GNU Autoconf 2.69 for firejail 0.9.38.4. # # Report bugs to . # @@ -580,8 +580,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='firejail' PACKAGE_TARNAME='firejail' -PACKAGE_VERSION='0.9.38.3' -PACKAGE_STRING='firejail 0.9.38.3' +PACKAGE_VERSION='0.9.38.4' +PACKAGE_STRING='firejail 0.9.38.4' PACKAGE_BUGREPORT='netblue30@yahoo.com' PACKAGE_URL='http://firejail.wordpress.com' @@ -1242,7 +1242,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures firejail 0.9.38.3 to adapt to many kinds of systems. +\`configure' configures firejail 0.9.38.4 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1303,7 +1303,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of firejail 0.9.38.3:";; + short | recursive ) echo "Configuration of firejail 0.9.38.4:";; esac cat <<\_ACEOF @@ -1395,7 +1395,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -firejail configure 0.9.38.3 +firejail configure 0.9.38.4 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1697,7 +1697,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by firejail $as_me 0.9.38.3, which was +It was created by firejail $as_me 0.9.38.4, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4140,7 +4140,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by firejail $as_me 0.9.38.3, which was +This file was extended by firejail $as_me 0.9.38.4, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -4194,7 +4194,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -firejail config.status 0.9.38.3 +firejail config.status 0.9.38.4 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 1ca50465d..718cfd3bd 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.68]) -AC_INIT(firejail, 0.9.38.3, netblue30@yahoo.com, , http://firejail.wordpress.com) +AC_INIT(firejail, 0.9.38.4, netblue30@yahoo.com, , http://firejail.wordpress.com) AC_CONFIG_SRCDIR([src/firejail/main.c]) #AC_CONFIG_HEADERS([config.h]) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 5104bd688..759569cb4 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -358,6 +358,7 @@ const char *gnu_basename(const char *path); uid_t pid_get_uid(pid_t pid); void invalid_filename(const char *fname); int remove_directory(const char *path); +void flush_stdin(void); // fs_var.c void fs_var_log(void); // mounting /var/log diff --git a/src/firejail/join.c b/src/firejail/join.c index b05e25387..575baf71e 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c @@ -29,6 +29,12 @@ static uint64_t caps = 0; static int apply_seccomp = 0; #define BUFLEN 4096 +static void signal_handler(int sig){ + flush_stdin(); + + exit(sig); +} + static void extract_command(int argc, char **argv, int index) { if (index >= argc) return; @@ -194,6 +200,7 @@ void join_name(const char *name, const char *homedir, int argc, char **argv, int void join(pid_t pid, const char *homedir, int argc, char **argv, int index) { extract_command(argc, argv, index); + signal (SIGTERM, signal_handler); // if the pid is that of a firejail process, use the pid of the first child process char *comm = pid_proc_comm(pid); @@ -388,6 +395,7 @@ void join(pid_t pid, const char *homedir, int argc, char **argv, int index) { // wait for the child to finish waitpid(child, NULL, 0); + flush_stdin(); exit(0); } diff --git a/src/firejail/main.c b/src/firejail/main.c index b945f504b..9e2aec4d5 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -111,6 +111,7 @@ static void myexit(int rv) { bandwidth_shm_del_file(sandbox_pid); // bandwidth file network_shm_del_file(sandbox_pid); // network map file + flush_stdin(); exit(rv); } diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 9cb97187e..fc93e1eef 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -171,31 +171,6 @@ static void monitor_application(pid_t app_pid) { printf("Sandbox monitor: monitoring %u\n", app_pid); } -#if 0 -// todo: find a way to shut down interfaces before closing the namespace -// the problem is we don't have enough privileges to shutdown interfaces in this moment - // shut down bridge/macvlan interfaces - if (any_bridge_configured()) { - - if (cfg.bridge0.configured) { - printf("Shutting down %s\n", cfg.bridge0.devsandbox); - net_if_down( cfg.bridge0.devsandbox); - } - if (cfg.bridge1.configured) { - printf("Shutting down %s\n", cfg.bridge1.devsandbox); - net_if_down( cfg.bridge1.devsandbox); - } - if (cfg.bridge2.configured) { - printf("Shutting down %s\n", cfg.bridge2.devsandbox); - net_if_down( cfg.bridge2.devsandbox); - } - if (cfg.bridge3.configured) { - printf("Shutting down %s\n", cfg.bridge3.devsandbox); - net_if_down( cfg.bridge3.devsandbox); - } - usleep(20000); // 20 ms sleep - } -#endif } @@ -672,6 +647,7 @@ int sandbox(void* sandbox_arg) { } monitor_application(app_pid); // monitor application + flush_stdin(); return 0; } diff --git a/src/firejail/util.c b/src/firejail/util.c index 7b871ae0d..9c2caaf74 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -25,6 +25,8 @@ #include #include #include +#include +#include #define MAX_GROUPS 1024 // drop privileges @@ -641,3 +643,15 @@ int remove_directory(const char *path) { // FTW_PHYS - do not follow symbolic links return nftw(path, remove_callback, 64, FTW_DEPTH | FTW_PHYS); } + +void flush_stdin(void) { + if (isatty(STDIN_FILENO)) { + int cnt = 0; + ioctl(STDIN_FILENO, FIONREAD, &cnt); + if (cnt) { + if (!arg_quiet) + printf("Warning: removing %d bytes from stdin\n", cnt); + ioctl(STDIN_FILENO, TCFLSH, TCIFLUSH); + } + } +} -- cgit v1.2.3-54-g00ecf