From 811af13d5120e85d1e0cb2cbc9ea0b60c0350af7 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Thu, 17 Dec 2015 12:35:15 -0500
Subject: added --force option
---
 RELNOTES | 1 +
 src/firejail/main.c | 21 +++++++++++++++++----
 src/man/firejail.txt | 7 +++++++
 test/firejail-in-firejail.exp | 2 +-
 test/firejail-in-firejail2.exp | 21 +++++++++++++++++++++
 test/test.sh | 5 ++++-
 6 files changed, 51 insertions(+), 6 deletions(-)
 create mode 100755 test/firejail-in-firejail2.exp
diff --git a/RELNOTES b/RELNOTES
index 655f3309e..b82231aca 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -9,6 +9,7 @@ firejail (0.9.36-rc1) baseline; urgency=low
 * added opera-beta profile
 * added --noblacklist option
 * added --profile-path option
+ * added --force option
 * whitelist command enhancements
 * prevent user name enumeration
 * added /etc/firejail/nolocal.net network filter
diff --git a/src/firejail/main.c b/src/firejail/main.c
index a9ccfc9cc..3a06ec0f1 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -425,10 +425,21 @@ int main(int argc, char **argv) {
 // check if we already have a sandbox running
 int rv = check_kernel_procs();
 if (rv == 0) {
- // start the program directly without sandboxing
- run_no_sandbox(argc, argv);
- // it will never get here!
- assert(0);
+ // if --force option is passed to the program, disregard the existing sandbox
+ int found = 0;
+ for (i = 1; i < argc; i++) {
+ if (strcmp(argv[i], "--force") == 0) {
+ found = 1;
+ break;
+ }
+ }
+
+ if (found == 0) {
+ // start the program directly without sandboxing
+ run_no_sandbox(argc, argv);
+ // it will never get here!
+ assert(0);
+ }
 }
 // initialize globals
@@ -478,6 +489,8 @@ int main(int argc, char **argv) {
 arg_debug_whitelists = 1;
 else if (strcmp(argv[i], "--quiet") == 0)
 arg_quiet = 1;
+ else if (strcmp(argv[i], "--force") == 0)
+ ;
 //*************************************
 // filtering
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index cd36bead6..eed87c574 100644
--- a/src/man/firejail.txt
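Review bot: The pre-scan for `--force` in the first main.c hunk compares every argv entry up to argc, so the string is also matched when it sits among the arguments of the program being launched rather than among firejail's own options. Because this switch decides whether the already-in-a-sandbox fallback to `run_no_sandbox()` is skipped, it should be honoured only in firejail's option prefix: add `if (strncmp(argv[i], "--", 2) != 0 || argv[i][2] == '\0') break;` as the first statement of the loop body. That assumes firejail's own options all start with `--`, as the chain in the second hunk suggests; main() starts and ends outside the hunk, so the exact end-of-options rule should be checked against the full parser.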
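Review bot: The `--force` branch added to the option chain in the second main.c hunk has a bare `;` as its body, which reads like a forgotten assignment. A comment on that line would make the intent explicit, for example `; // --force was already evaluated before the existing-sandbox check`. The surrounding if/else chain starts and ends outside the hunk.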
+++ b/src/man/firejail.txt
@@ -367,6 +367,13 @@ Example:
 .br
 $ firejail \-\-env=LD_LIBRARY_PATH=/opt/test/lib
+.TP
+\fB\-\-force
+By default, if Firejail is started in an existing sandbox, it will run the program in a bash shell.
+This option disables this behavior, and attempts to start Firejail in the existing sandbox.
+There could be lots of reasons for it to fail, for example if the existing sandbox disables
+admin capabilities, SUID binaries, or if it runs seccomp.
+
 .TP
 \fB\-\-fs.print=name
 Print the filesystem log for the sandbox identified by name.
diff --git a/test/firejail-in-firejail.exp b/test/firejail-in-firejail.exp
index 59a94a7fb..5ba18d1fa 100755
--- a/test/firejail-in-firejail.exp
+++ b/test/firejail-in-firejail.exp
@@ -18,4 +18,4 @@ expect {
 }
 sleep 1
-puts "\n"
+puts "\nall done\n"
diff --git a/test/firejail-in-firejail2.exp b/test/firejail-in-firejail2.exp
new file mode 100755
index 000000000..b0fed0dae
--- /dev/null
+++ b/test/firejail-in-firejail2.exp
@@ -0,0 +1,21 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --noprofile\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+send -- "firejail --force\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Child process initialized"
+}
+sleep 1
+
+puts "\nall done\n"
diff --git a/test/test.sh b/test/test.sh
index 78fc7b974..ab288cbeb 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -98,9 +98,12 @@ echo "TESTING: join"
 echo "TESTING: join profile"
 ./option-join-profile.exp
-echo "TESTING: firejail in firejail"
+echo "TESTING: firejail in firejail - single sandbox"
 ./firejail-in-firejail.exp
+echo "TESTING: firejail in firejail - force new sandbox"
+./firejail-in-firejail2.exp
+
 echo "TESTING: chroot overlay"
 ./option_chroot_overlay.exp
--
cgit v1.2.3-70-g09d2
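Review bot: Both timeout branches in the new test/firejail-in-firejail2.exp print `TESTING ERROR 1`, so a failure of the `firejail --force` step cannot be told apart from a failure of the initial `firejail --noprofile` step; the second one should read `timeout {puts "TESTING ERROR 2\n";exit}`. The test also only waits for "Child process initialized" a second time and does not check that a new sandbox was really set up inside the first one. If the non-forced path can print the same string (not visible here), the test would pass without exercising `--force`.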