From 94abb4298e20bd1f9f89faf781defeb706462ac4 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Tue, 6 Dec 2016 08:49:47 -0500
Subject: testing
---
 src/firejail/main.c | 130 ++++++++++++----------------------------------
 src/firejail/no_sandbox.c | 96 +++++++---------------------------
 2 files changed, 51 insertions(+), 175 deletions(-)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 32769845d..545c38018 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -751,42 +751,6 @@ static void delete_x11_file(pid_t pid) {
 free(fname);
 }
-static void detect_quiet(int argc, char **argv) {
- int i;
-
- // detect --quiet
- for (i = 1; i < argc; i++) {
- if (strcmp(argv[i], "--quiet") == 0) {
- arg_quiet = 1;
- break;
- }
-
- // detect end of firejail params
- if (strcmp(argv[i], "--") == 0)
- break;
- if (strncmp(argv[i], "--", 2) != 0)
- break;
- }
-}
-
-static void detect_allow_debuggers(int argc, char **argv) {
- int i;
-
- // detect --allow-debuggers
- for (i = 1; i < argc; i++) {
- if (strcmp(argv[i], "--allow-debuggers") == 0) {
- arg_allow_debuggers = 1;
- break;
- }
-
- // detect end of firejail params
- if (strcmp(argv[i], "--") == 0)
- break;
- if (strncmp(argv[i], "--", 2) != 0)
- break;
- }
-}
-
 char *guess_shell(void) {
 char *shell = NULL;
 // shells in order of preference
@@ -806,6 +770,25 @@ char *guess_shell(void) {
 return shell;
 }
+static int check_arg(int argc, char **argv, const char *argument) {
+ int i;
+ int found = 0;
+ for (i = 1; i < argc; i++) {
+ if (strcmp(argv[i], "--force") == 0) {
+ found = 1;
+ break;
+ }
+
+ // detect end of firejail params
+ if (strcmp(argv[i], "--") == 0)
+ break;
+ if (strncmp(argv[i], "--", 2) != 0)
+ break;
+ }
+
+ return found;
+}
+
 //*******************************************
 // Main program
 //*******************************************
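Review bot: `check_arg()` never reads its `argument` parameter; the loop compares against the literal in `strcmp(argv[i], "--force") == 0`, so every caller is really asking whether `--force` is present. With the two calls added to main() in the following hunk (@@ -822), `--quiet` and `--allow-debuggers` are no longer detected on this early path, while `--force` sets both `arg_quiet` and `arg_allow_debuggers`, so an option that by its name loosens debugger restrictions is enabled by an unrelated flag. The comparison should be `if (strcmp(argv[i], argument) == 0) {`. A one-line comment above the helper saying that it matches whole arguments only and stops at `--` or the first non-option would also record why the prefix options (`--ls=`, `--join=`, …) from the old list cannot go through it.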
@@ -822,8 +805,10 @@ int main(int argc, char **argv) {
 // build /run/firejail directory structure
 preproc_build_firejail_dir();
- detect_quiet(argc, argv);
- detect_allow_debuggers(argc, argv);
+ if (check_arg(argc, argv, "--quiet"))
+ arg_quiet = 1;
+ if (check_arg(argc, argv, "--allow-debuggers"))
+ arg_allow_debuggers = 1;
 // drop permissions by default and rise them when required
 EUID_INIT();
@@ -845,78 +830,27 @@ int main(int argc, char **argv) {
 EUID_USER();
 if (rv == 0) {
 // if --force option is passed to the program, disregard the existing sandbox
- int found = 0;
- for (i = 1; i < argc; i++) {
- if (strcmp(argv[i], "--force") == 0 ||
- strcmp(argv[i], "--list") == 0 ||
- strcmp(argv[i], "--netstats") == 0 ||
- strcmp(argv[i], "--tree") == 0 ||
- strcmp(argv[i], "--top") == 0 ||
- strncmp(argv[i], "--ls=", 5) == 0 ||
- strncmp(argv[i], "--get=", 6) == 0 ||
- strcmp(argv[i], "--debug-caps") == 0 ||
- strcmp(argv[i], "--debug-errnos") == 0 ||
- strcmp(argv[i], "--debug-syscalls") == 0 ||
- strcmp(argv[i], "--debug-protocols") == 0 ||
- strcmp(argv[i], "--help") == 0 ||
- strcmp(argv[i], "--version") == 0 ||
- strcmp(argv[i], "--overlay-clean") == 0 ||
- strncmp(argv[i], "--dns.print=", 12) == 0 ||
- strncmp(argv[i], "--bandwidth=", 12) == 0 ||
- strncmp(argv[i], "--caps.print=", 13) == 0 ||
- strncmp(argv[i], "--cpu.print=", 12) == 0 ||
- //********************************************************************************
- // todo: fix the following problems
- strncmp(argv[i], "--join=", 7) == 0 ||
- //[netblue@debian Downloads]$ firejail --join=896
- //Switching to pid 897, the first child process inside the sandbox
- //Error: seccomp file not found
- //********************************************************************************
-
- strncmp(argv[i], "--join-filesystem=", 18) == 0 ||
- strncmp(argv[i], "--join-network=", 15) == 0 ||
- strncmp(argv[i], "--fs.print=", 11) == 0 ||
- strncmp(argv[i], "--protocol.print=", 17) == 0 ||
- strncmp(argv[i], "--seccomp.print", 15) == 0 ||
- strncmp(argv[i], "--shutdown=", 11) == 0) {
- found = 1;
- break;
- }
-
- // detect end of firejail params
- if (strcmp(argv[i], "--") == 0)
- break;
- if (strncmp(argv[i], "--", 2) != 0)
- break;
- }
-
- if (found == 0) {
+ if (check_arg(argc, argv, "--force"))
+ option_force = 1;
+ else {
 // start the program directly without sandboxing
 run_no_sandbox(argc, argv);
 // it will never get here!
 assert(0);
 }
- else
- option_force = 1;
 }
 }
 // check root/suid
 EUID_ROOT();
 if (geteuid()) {
- // detect --version
- for (i = 1; i < argc; i++) {
- if (strcmp(argv[i], "--version") == 0) {
- printf("firejail version %s\n", VERSION);
- exit(0);
- }
-
- // detect end of firejail params
- if (strcmp(argv[i], "--") == 0)
- break;
- if (strncmp(argv[i], "--", 2) != 0)
- break;
+ // only --version is supported without SUID support
+ if (check_arg(argc, argv, "--force")) {
+ printf("firejail version %s\n", VERSION);
+ exit(0);
 }
+
+ fprintf(stderr, "Error: cannot rise privileges\n");
 exit(1);
 }
 EUID_USER();
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 8af555ea2..07ac25dca 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
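Review bot: In the `geteuid()` branch the new comment says only `--version` is supported without SUID, but the call is `check_arg(argc, argv, "--force")`, so `firejail --version` falls through to "cannot rise privileges" and exits 1 while `--force` prints the version. The line should read `if (check_arg(argc, argv, "--version")) {`, and it only behaves as intended once `check_arg()` compares against its `argument` parameter instead of a fixed literal. Earlier in the same hunk the list of informational and join options (`--list`, `--join=`, `--shutdown=`, …) that used to skip `run_no_sandbox()` when `rv == 0` is reduced to `--force` alone; if that is deliberate, the comment above the check should say that those commands now apparently need `--force` from inside an existing sandbox. main() begins and continues outside this hunk.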
@@ -165,84 +165,28 @@ void run_no_sandbox(int argc, char **argv) {
 // process limited subset of options
 int i;
 for (i = 0; i < argc; i++) {
- if (strcmp(argv[i], "--csh") == 0) {
- if (arg_shell_none) {
- fprintf(stderr, "Error: --shell=none was already specified.\n");
- exit(1);
- }
- if (cfg.shell) {
- fprintf(stderr, "Error: only one default user shell can be specified\n");
- exit(1);
- }
- cfg.shell = "/bin/csh";
- }
- else if (strcmp(argv[i], "--zsh") == 0) {
- if (arg_shell_none) {
- fprintf(stderr, "Error: --shell=none was already specified.\n");
- exit(1);
- }
- if (cfg.shell) {
- fprintf(stderr, "Error: only one default user shell can be specified\n");
- exit(1);
- }
- cfg.shell = "/bin/zsh";
- }
- else if (strcmp(argv[i], "--shell=none") == 0) {
- arg_shell_none = 1;
- if (cfg.shell) {
- fprintf(stderr, "Error: a shell was already specified\n");
- exit(1);
- }
- }
- else if (strncmp(argv[i], "--shell=", 8) == 0) {
- if (arg_shell_none) {
- fprintf(stderr, "Error: --shell=none was already specified.\n");
- exit(1);
- }
- invalid_filename(argv[i] + 8);
-
- if (cfg.shell) {
- fprintf(stderr, "Error: only one user shell can be specified\n");
- exit(1);
- }
- cfg.shell = argv[i] + 8;
-
- if (is_dir(cfg.shell) || strstr(cfg.shell, "..")) {
- fprintf(stderr, "Error: invalid shell\n");
- exit(1);
- }
-
- // access call checks as real UID/GID, not as effective UID/GID
- if(cfg.chrootdir) {
- char *shellpath;
- if (asprintf(&shellpath, "%s%s", cfg.chrootdir, cfg.shell) == -1)
- errExit("asprintf");
- if (access(shellpath, R_OK)) {
- fprintf(stderr, "Error: cannot access shell file in chroot\n");
- exit(1);
- }
- free(shellpath);
- } else if (access(cfg.shell, R_OK)) {
- fprintf(stderr, "Error: cannot access shell file\n");
- exit(1);
- }
- }
+ if (strcmp(argv[i], "--debug") == 0)
+ arg_debug = 1;
+ else if (strcmp(argv[i], "--csh") == 0 ||
+ strcmp(argv[i], "--zsh") == 0 ||
+ strcmp(argv[i], "--shell=none") == 0 ||
+ strncmp(argv[i], "--shell=", 8) == 0)
+ fprintf(stderr, "Warning: shell-related command line options are disregarded - using SHELL environment variable");
 }
 // use $SHELL to get shell used in sandbox
- if (!arg_shell_none && !cfg.shell) {
- char *shell = getenv("SHELL");
- if (shell && access(shell, R_OK) == 0)
- cfg.shell = shell;
- }
+ char *shell = getenv("SHELL");
+ if (shell && access(shell, R_OK) == 0)
+ cfg.shell = shell;
+
 // guess shell otherwise
- if (!arg_shell_none && !cfg.shell) {
+ if (!cfg.shell) {
 cfg.shell = guess_shell();
 if (arg_debug)
 printf("Autoselecting %s as shell\n", cfg.shell);
 }
- if (!arg_shell_none && !cfg.shell) {
- fprintf(stderr, "Error: unable to guess your shell, please set explicitly by using --shell option.\n");
+ if (!cfg.shell) {
+ fprintf(stderr, "Error: unable to guess your shell, please set SHELL environment variable\n");
 exit(1);
 }
@@ -266,13 +210,11 @@ void run_no_sandbox(int argc, char **argv) {
 }
 }
- if (!arg_shell_none) {
- if (prog_index == 0) {
- cfg.command_line = cfg.shell;
- cfg.window_title = cfg.shell;
- } else {
- build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
- }
+ if (prog_index == 0) {
+ cfg.command_line = cfg.shell;
+ cfg.window_title = cfg.shell;
+ } else {
+ build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);
 }
 cfg.original_argv = argv;
-- 
cgit v1.2.3-54-g00ecf
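Review bot: In the @@ -165 hunk the shell path now comes only from `$SHELL`, and the only test applied to it is `access(shell, R_OK)`; the `invalid_filename()`, `is_dir()` and `..` checks that the removed `--shell=` branch ran are not applied to the environment value. Because the environment is caller-controlled, the same validation fits here, for example `if (shell && !is_dir(shell) && access(shell, R_OK) == 0)`; whether privileges are already dropped when the shell is executed is not visible in this hunk, since run_no_sandbox() continues outside it. The assignment is also unconditional now, so a `cfg.shell` set before this function is overwritten whenever `$SHELL` is readable. The new warning string has no trailing `\n`, and because the loop starts at `i = 0` with no end-of-options test, both it and the `--debug` branch also react to flags that belong to the launched program's own arguments.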