From 2cbffc072197b72ac234b969d77ab9c1def41f1d Mon Sep 17 00:00:00 2001 From: smitsohu Date: Thu, 6 Sep 2018 19:40:11 +0200 Subject: disallow overriding of global rlimits, tiny improvements --- src/firejail/join.c | 3 +-- src/firejail/macros.c | 1 + src/firejail/rlimit.c | 31 +++++++++++++++++++++++++++++++ src/firejail/sandbox.c | 8 ++++---- src/firejail/util.c | 4 ++-- 5 files changed, 39 insertions(+), 8 deletions(-) (limited to 'src') diff --git a/src/firejail/join.c b/src/firejail/join.c index cdd95b6a8..c2b207c52 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c @@ -383,6 +383,7 @@ void join(pid_t pid, int argc, char **argv, int index) { caps_set(caps); } + EUID_USER(); // set nice if (arg_nice) { errno = 0; @@ -395,8 +396,6 @@ void join(pid_t pid, int argc, char **argv, int index) { } // set environment, add x11 display - EUID_USER(); - env_defaults(); if (display) { char *display_str; diff --git a/src/firejail/macros.c b/src/firejail/macros.c index 283de57f2..27893938f 100644 --- a/src/firejail/macros.c +++ b/src/firejail/macros.c @@ -92,6 +92,7 @@ int is_macro(const char *name) { // returns mallocated memory static char *resolve_xdg(const char *var) { + EUID_ASSERT(); char *fname; struct stat s; size_t length = strlen(var); diff --git a/src/firejail/rlimit.c b/src/firejail/rlimit.c index e9d459ac2..8d62a5b6b 100644 --- a/src/firejail/rlimit.c +++ b/src/firejail/rlimit.c @@ -22,9 +22,15 @@ #include void set_rlimits(void) { + EUID_ASSERT(); // resource limits struct rlimit rl; if (arg_rlimit_cpu) { + if (getrlimit(RLIMIT_CPU, &rl) == -1) + errExit("getrlimit"); + if (cfg.rlimit_cpu > rl.rlim_max && getuid() != 0) + cfg.rlimit_cpu = rl.rlim_max; + // set the new limit rl.rlim_cur = (rlim_t) cfg.rlimit_cpu; rl.rlim_max = (rlim_t) cfg.rlimit_cpu; #ifdef HAVE_GCOV 
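Review bot: Moving `EUID_USER()` ahead of the nice block means the priority change in join() now runs with the caller's own euid, so a negative nice value (arg_nice < 0) that presumably succeeded under the root euid before will now be refused for an unprivileged user; the body of that block is outside the hunk, so whether that refusal is fatal or ignored cannot be seen here. If the drop is intended (it closes the same privilege gap as the rlimit change) it deserves a mention in the commit message and on the line itself: `EUID_USER(); // from here on nothing may exceed the caller's own privileges (nice, rlimits)`. The same reordering appears in sandbox.c @@ -1008 below. join() continues outside both of its hunks.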
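Review bot: The cap in set_rlimits() is applied silently: when a non-root caller asks for more than the current hard limit, `cfg.rlimit_cpu` is quietly lowered to `rl.rlim_max` and the sandbox starts with a different limit than the one requested, so a warning on stderr before that assignment would make the substitution visible. The getrlimit/compare/clamp preamble is then repeated verbatim in the five hunks that follow (@@ -37, @@ -49, @@ -61, @@ -73, @@ -85), each ahead of the existing `rl.rlim_cur`/`rl.rlim_max` assignment; a static helper keeps the six copies identical and gives the comparison one place to be documented. Note also that `cfg.rlimit_cpu > rl.rlim_max` is evaluated in the cfg field's type before the explicit `(rlim_t)` casts on the next lines — if that field is signed, a negative value from the option parser passes the clamp and wraps on the cast, which is worth confirming against the parser. The remainder of each per-limit block (from `#ifdef HAVE_GCOV` on) is outside the hunk.
```c
// Apply one resource limit. An unprivileged caller may not raise the hard
// limit, so the request is capped at the current hard limit (with a warning);
// root keeps the requested value. Returns the value actually applied so the
// caller can keep cfg in sync, as the per-limit blocks do today.
static rlim_t set_one_rlimit(int resource, rlim_t requested) {
	struct rlimit rl;
	if (getrlimit(resource, &rl) == -1)
		errExit("getrlimit");
	if (requested > rl.rlim_max && getuid() != 0) {
		fprintf(stderr, "Warning: requested limit exceeds the current hard limit, capping it\n");
		requested = rl.rlim_max;
	}
	rl.rlim_cur = requested;
	rl.rlim_max = requested;
	// … unchanged: the remainder of each per-limit block (outside this hunk) …
	return requested;
}

void set_rlimits(void) {
	EUID_ASSERT();
	if (arg_rlimit_cpu)
		cfg.rlimit_cpu = set_one_rlimit(RLIMIT_CPU, (rlim_t) cfg.rlimit_cpu);
	// … unchanged: the same one-line call for nofile, nproc, fsize, sigpending and as …
}
```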
@@ -37,6 +43,11 @@ void set_rlimits(void) { } if (arg_rlimit_nofile) { + if (getrlimit(RLIMIT_NOFILE, &rl) == -1) + errExit("getrlimit"); + if (cfg.rlimit_nofile > rl.rlim_max && getuid() != 0) + cfg.rlimit_nofile = rl.rlim_max; + // set the new limit rl.rlim_cur = (rlim_t) cfg.rlimit_nofile; rl.rlim_max = (rlim_t) cfg.rlimit_nofile; #ifdef HAVE_GCOV // gcov-instrumented programs might crash at this point @@ -49,6 +60,11 @@ void set_rlimits(void) { } if (arg_rlimit_nproc) { + if (getrlimit(RLIMIT_NPROC, &rl) == -1) + errExit("getrlimit"); + if (cfg.rlimit_nproc > rl.rlim_max && getuid() != 0) + cfg.rlimit_nproc = rl.rlim_max; + // set the new limit rl.rlim_cur = (rlim_t) cfg.rlimit_nproc; rl.rlim_max = (rlim_t) cfg.rlimit_nproc; #ifdef HAVE_GCOV @@ -61,6 +77,11 @@ void set_rlimits(void) { } if (arg_rlimit_fsize) { + if (getrlimit(RLIMIT_FSIZE, &rl) == -1) + errExit("getrlimit"); + if (cfg.rlimit_fsize > rl.rlim_max && getuid() != 0) + cfg.rlimit_fsize = rl.rlim_max; + // set the new limit rl.rlim_cur = (rlim_t) cfg.rlimit_fsize; rl.rlim_max = (rlim_t) cfg.rlimit_fsize; #ifdef HAVE_GCOV @@ -73,6 +94,11 @@ void set_rlimits(void) { } if (arg_rlimit_sigpending) { + if (getrlimit(RLIMIT_SIGPENDING, &rl) == -1) + errExit("getrlimit"); + if (cfg.rlimit_sigpending > rl.rlim_max && getuid() != 0) + cfg.rlimit_sigpending = rl.rlim_max; + // set the new limit rl.rlim_cur = (rlim_t) cfg.rlimit_sigpending; rl.rlim_max = (rlim_t) cfg.rlimit_sigpending; #ifdef HAVE_GCOV @@ -85,6 +111,11 @@ void set_rlimits(void) { } if (arg_rlimit_as) { + if (getrlimit(RLIMIT_AS, &rl) == -1) + errExit("getrlimit"); + if (cfg.rlimit_as > rl.rlim_max && getuid() != 0) + cfg.rlimit_as = rl.rlim_max; + // set the new limit rl.rlim_cur = (rlim_t) cfg.rlimit_as; rl.rlim_max = (rlim_t) cfg.rlimit_as; #ifdef HAVE_GCOV diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 0e719ceaf..f5abb18ba 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c 
@@ -1008,7 +1008,9 @@ int sandbox(void* sandbox_arg) { } } - EUID_ROOT(); + // set rlimits + set_rlimits(); + // set nice if (arg_nice) { errno = 0; @@ -1020,6 +1022,7 @@ int sandbox(void* sandbox_arg) { } } + EUID_ROOT(); // clean /tmp/.X11-unix sockets fs_x11(); if (arg_x11_xorg) @@ -1031,9 +1034,6 @@ int sandbox(void* sandbox_arg) { // set capabilities set_caps(); - // set rlimits - set_rlimits(); - // set cpu affinity if (cfg.cpus) { save_cpu(); // save cpu affinity mask to CPU_CFG file diff --git a/src/firejail/util.c b/src/firejail/util.c index f677b44eb..4a164901d 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -33,7 +33,7 @@ #define MAX_GROUPS 1024 #define MAXBUF 4098 - +#define EMPTY_STRING ("") // send the error to /var/log/auth.log and exit after a small delay @@ -1079,7 +1079,7 @@ int safe_fd(const char *path, int flags) { // traverse the path and return -1 if a symlink is encountered int fd = -1; - char *current_tok = NULL; + char *current_tok = EMPTY_STRING; char *tok = strtok(dup, "/"); assert(tok); while (tok) { -- cgit v1.2.3-70-g09d2
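Review bot: `set_rlimits()` is now called while the euid is still the user's, which is what the new `EUID_ASSERT()` in rlimit.c requires, but the moved call carries only `// set rlimits`; the position relative to `EUID_ROOT()` is now load-bearing, so the comment should say why it must not drift back: `// set rlimits with the caller's euid: set_rlimits() asserts it, so hard limits cannot be raised past the user's own`. The deletion in @@ -1031 and the `EUID_ROOT()` move in @@ -1020 are the other halves of this relocation; since `EUID_ROOT()` now also follows the nice block, a negative nice value is applied unprivileged here as well, as in join.c @@ -383 above. sandbox() starts and ends outside these hunks.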
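Review bot: `char *current_tok = EMPTY_STRING;` in safe_fd points a writable `char *` at a string literal, so any later write through `current_tok` is undefined behaviour; unless the loop body (outside the hunk) writes through it or passes it where a non-const pointer is required, `const char *current_tok = "";` states the intent and lets the compiler reject a write. The new `EMPTY_STRING` macro in @@ -33 is defined as `("")`: the parentheses prevent the literal from concatenating with an adjacent one (`EMPTY_STRING "x"` would not compile) and the name hides that the value is a literal, so an inline `""` is clearer than a file-wide macro with a single use. If the initialiser change is there to avoid dereferencing a NULL `current_tok` on the first loop iteration, the commit message should say so, since "tiny improvements" does not convey a fix.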