From b79e4416fe642976111a2d610a19c3e4696bb2e2 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 18 May 2021 13:49:02 -0400 Subject: jailtest -> jailcheck (#4268) --- src/jailcheck/sysfiles.c | 88 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 src/jailcheck/sysfiles.c (limited to 'src/jailcheck/sysfiles.c') diff --git a/src/jailcheck/sysfiles.c b/src/jailcheck/sysfiles.c new file mode 100644 index 000000000..caeb580af --- /dev/null +++ b/src/jailcheck/sysfiles.c @@ -0,0 +1,88 @@ +/* + * Copyright (C) 2014-2021 Firejail Authors + * + * This file is part of firejail project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +*/ +#include "jailcheck.h" +#include +#include + +typedef struct { + char *tfile; +} TestFile; + +#define MAX_TEST_FILES 32 +TestFile tf[MAX_TEST_FILES]; +static int files_cnt = 0; + +void sysfiles_setup(const char *file) { + // I am root! + assert(file); + + if (files_cnt >= MAX_TEST_FILES) { + fprintf(stderr, "Error: maximum number of system test files exceded\n"); + exit(1); + } + + if (access(file, F_OK)) { + // no such file + return; + } + + + char *fname = strdup(file); + if (!fname) + errExit("strdup"); + + tf[files_cnt].tfile = fname; + files_cnt++; +} + +void sysfiles_test(void) { + // I am root in sandbox mount namespace + assert(user_uid); + int i; + + pid_t child = fork(); + if (child == -1) + errExit("fork"); + + if (child == 0) { // child + // drop privileges + if (setgid(user_gid) != 0) + errExit("setgid"); + if (setuid(user_uid) != 0) + errExit("setuid"); + + for (i = 0; i < files_cnt; i++) { + assert(tf[i].tfile); + + // try to open the file for reading + FILE *fp = fopen(tf[i].tfile, "r"); + if (fp) { + + printf(" Warning: I can access %s\n", tf[i].tfile); + fclose(fp); + } + } + exit(0); + } + + // wait for the child to finish + int status; + wait(&status); +} -- cgit v1.2.3-54-g00ecf