From 384312c9a5d125ecbb7a63bbe6827e4722e08d93 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 3 Apr 2018 11:20:01 -0400 Subject: EUID cleanup --- src/firejail/main.c | 59 ++++++++++++++++++++++++----------------------------- 1 file changed, 27 insertions(+), 32 deletions(-) (limited to 'src') diff --git a/src/firejail/main.c b/src/firejail/main.c index 787fa28e1..0d53a24a8 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -830,16 +830,23 @@ int main(int argc, char **argv) { int lockfd_directory = -1; int option_cgroup = 0; int custom_profile = 0; // custom profile loaded - atexit(clear_atexit); - // get starting timestamp - start_timestamp = getticks(); + // drop permissions by default and rise them when required + EUID_INIT(); + EUID_USER(); + + // check if the user is allowed to use firejail + init_cfg(argc, argv); + // get starting timestamp, process --quiet + start_timestamp = getticks(); if (check_arg(argc, argv, "--quiet", 1)) arg_quiet = 1; + // build /run/firejail directory structure + EUID_ROOT(); preproc_build_firejail_dir(); char *container_name = getenv("container"); if (!container_name || strcmp(container_name, "firejail")) { @@ -853,7 +860,10 @@ int main(int argc, char **argv) { flock(lockfd_directory, LOCK_UN); close(lockfd_directory); } + EUID_USER(); + + // process allow-debuggers if (check_arg(argc, argv, "--allow-debuggers", 1)) { // check kernel version struct utsname u; @@ -874,11 +884,12 @@ int main(int argc, char **argv) { } arg_allow_debuggers = 1; + char *cmd = strdup("noblacklist ${PATH}/strace"); + if (!cmd) + errExit("strdup"); + profile_add(cmd); } - // drop permissions by default and rise them when required - EUID_INIT(); - EUID_USER(); #ifdef HAVE_GIT_INSTALL // process git-install and git-uninstall @@ -916,28 +927,12 @@ int main(int argc, char **argv) { assert(0); } } + EUID_ASSERT(); - // check root/suid - EUID_ROOT(); - if (geteuid()) { - // only --version is supported without SUID support - if (check_arg(argc, argv, "--version", 1)) { - printf("firejail version %s\n", VERSION); - exit(0); - } - - fprintf(stderr, "Error: cannot rise privileges\n"); - exit(1); - } - EUID_USER(); - - // initialize globals - init_cfg(argc, argv); // check firejail directories EUID_ROOT(); delete_run_files(sandbox_pid); - EUID_USER(); //check if the parent is sshd daemon @@ -991,6 +986,7 @@ int main(int argc, char **argv) { free(comm); } } + EUID_ASSERT(); // is this a login shell, or a command passed by sshd, insert command line options from /etc/firejail/login.users if (*argv[0] == '-' || parent_sshd) { @@ -1040,26 +1036,19 @@ int main(int argc, char **argv) { // check --output option and execute it; check_output(argc, argv); // the function will not return if --output or --output-stderr option was found } + EUID_ASSERT(); // check for force-nonewprivs in /etc/firejail/firejail.config file if (checkcfg(CFG_FORCE_NONEWPRIVS)) arg_nonewprivs = 1; - if (arg_allow_debuggers) { - char *cmd = strdup("noblacklist ${PATH}/strace"); - if (!cmd) - errExit("strdup"); - profile_add(cmd); - } - // parse arguments for (i = 1; i < argc; i++) { run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized - if (strcmp(argv[i], "--debug") == 0 && !arg_quiet) { + if (strcmp(argv[i], "--debug") == 0 && !arg_quiet) arg_debug = 1; - } else if (strcmp(argv[i], "--debug-check-filename") == 0) arg_debug_check_filename = 1; else if (strcmp(argv[i], "--debug-blacklists") == 0) @@ -2260,6 +2249,7 @@ int main(int argc, char **argv) { break; } } + EUID_ASSERT(); // prog_index could still be -1 if no program was specified if (prog_index == -1 && arg_shell_none) { @@ -2388,6 +2378,7 @@ int main(int argc, char **argv) { fmessage("\n** Note: you can use --noprofile to disable %s.profile **\n\n", profile_name); } } + EUID_ASSERT(); // block X11 sockets if (arg_x11_block) @@ -2415,6 +2406,7 @@ int main(int argc, char **argv) { network_set_run_file(sandbox_pid); EUID_USER(); } + EUID_ASSERT(); // create the parent-child communication pipe if (pipe(parent_to_child_fds) < 0) @@ -2466,6 +2458,7 @@ int main(int argc, char **argv) { else if (arg_debug) printf("Using the local network stack\n"); + EUID_ASSERT(); EUID_ROOT(); child = clone(sandbox, child_stack + STACK_SIZE, @@ -2506,6 +2499,7 @@ int main(int argc, char **argv) { waitpid(net_child, NULL, 0); EUID_USER(); } + EUID_ASSERT(); // close each end of the unused pipes close(parent_to_child_fds[0]); @@ -2581,6 +2575,7 @@ int main(int argc, char **argv) { EUID_USER(); free(map_path); } + EUID_ASSERT(); // notify child that UID/GID mapping is complete notify_other(parent_to_child_fds[1]); -- cgit v1.2.3-70-g09d2