From 46f2bd2531324174f4e6e2f88c361cbddf5055ce Mon Sep 17 00:00:00 2001
From: netblue30
Date: Thu, 17 Mar 2016 13:09:03 -0400
Subject: various fixes
---
 src/firejail/bandwidth.c | 4 ++++
 src/firejail/caps.c | 2 --
 src/firejail/main.c | 30 +++++++++++++++++++++++++++---
 src/firejail/sandbox.c | 8 +++-----
 src/firejail/seccomp.c | 6 +++---
 5 files changed, 37 insertions(+), 13 deletions(-)
(limited to 'src')
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index 0be23b9bc..10032b87a 100644
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -341,6 +341,7 @@ void bandwidth_shm_set(pid_t pid, const char *dev, int down, int up) {
 // command execution
 //***********************************
 void bandwidth_name(const char *name, const char *command, const char *dev, int down, int up) {
+ EUID_ASSERT();
 if (!name || strlen(name) == 0) {
 fprintf(stderr, "Error: invalid sandbox name\n");
 exit(1);
@@ -355,6 +356,7 @@ void bandwidth_name(const char *name, const char *command, const char *dev, int
 }
 void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up) {
+ EUID_ASSERT();
 //************************
 // verify sandbox
 //************************
@@ -388,6 +390,8 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
 fprintf(stderr, "Error: cannot join the network namespace\n");
 exit(1);
 }
+
+ EUID_ROOT();
 if (join_namespace(child, "net")) {
 fprintf(stderr, "Error: cannot join the network namespace\n");
 exit(1);
diff --git a/src/firejail/caps.c b/src/firejail/caps.c
index de7c93b48..896293fd1 100644
--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -439,8 +439,6 @@ void caps_print_filter(pid_t pid) {
 }
 uint64_t caps = extract_caps(pid);
- drop_privs(1);
-
 int i;
 uint64_t mask;
 int elems = sizeof(capslist) / sizeof(capslist[0]);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 476f9c39c..02a55ac70 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
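Review bot: In bandwidth.c, the `EUID_ASSERT();` added as the first statement of bandwidth_name (and again at the top of bandwidth_pid in the next hunk) carries no comment saying what it enforces, and the macro's definition is not on this page. If it is built on `assert()`, as the name suggests, the check disappears in NDEBUG builds, so it documents an expectation rather than guarding it. I would put a comment above each call, e.g. `// caller must have switched back to the user's euid before calling this`. Both function bodies continue outside their hunks.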
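Review bot: In bandwidth.c, nothing in the hunk at -388 lowers the effective uid again after the `EUID_ROOT();` added in front of `join_namespace(child, "net")`, so everything bandwidth_pid does from that line on runs with root euid. The rest of the function is outside the hunk; if the later code needs root, a comment should say so here, e.g. `// root from here on: required by join_namespace() and the code below`. If it does not, switch back right after the call with `EUID_USER();`. The user-supplied `dev` and `command` arguments should be fully validated above this line, while the process is still unprivileged.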
@@ -343,7 +343,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 // extract pid or sandbox name
 pid_t pid;
- EUID_ROOT();
 if (read_pid(argv[i] + 12, &pid) == 0)
 bandwidth_pid(pid, cmd, dev, down, up);
 else
@@ -669,10 +668,35 @@ int main(int argc, char **argv) {
 int found = 0;
 for (i = 1; i < argc; i++) {
 if (strcmp(argv[i], "--force") == 0 ||
- strcmp(argv[i], "--netstats") == 0 ||
 strcmp(argv[i], "--list") == 0 ||
+ strcmp(argv[i], "--netstats") == 0 ||
 strcmp(argv[i], "--tree") == 0 ||
- strcmp(argv[i], "--top") == 0) {
+ strcmp(argv[i], "--top") == 0 ||
+ strncmp(argv[i], "--ls=", 5) == 0 ||
+ strncmp(argv[i], "--get=", 6) == 0 ||
+ strcmp(argv[i], "--debug-caps") == 0 ||
+ strcmp(argv[i], "--debug-errnos") == 0 ||
+ strcmp(argv[i], "--debug-syscalls") == 0 ||
+ strcmp(argv[i], "--debug-protocols") == 0 ||
+ strcmp(argv[i], "--help") == 0 ||
+ strcmp(argv[i], "--version") == 0 ||
+ strncmp(argv[i], "--dns.print=", 12) == 0 ||
+ strncmp(argv[i], "--bandwidth=", 12) == 0 ||
+ strncmp(argv[i], "--caps.print=", 13) == 0 ||
+//********************************************************************************
+// todo: fix the following problems
+ strncmp(argv[i], "--join=", 7) == 0 ||
+//[netblue@debian Downloads]$ firejail --join=896
+//Switching to pid 897, the first child process inside the sandbox
+//Error: seccomp file not found
+//********************************************************************************
+
+ strncmp(argv[i], "--join-filesystem=", 18) == 0 ||
+ strncmp(argv[i], "--join-network=", 15) == 0 ||
+ strncmp(argv[i], "--fs.print=", 11) == 0 ||
+ strncmp(argv[i], "--protocol.print=", 17) == 0 ||
+ strncmp(argv[i], "--seccomp.print", 15) == 0 ||
+ strncmp(argv[i], "--shutdown=", 11) == 0) {
 found = 1;
 break;
 }
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 5bd86019a..c371f4c75 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
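Review bot: In the extended option list in main(), `strncmp(argv[i], "--seccomp.print", 15)` is the only prefix test without the trailing `=`, so it also matches any argument that merely starts with that string; the neighbouring entries (`"--caps.print=", 13`, `"--fs.print=", 11`, `"--protocol.print=", 17`) all include it. If the option takes a value like the others, the line should read `strncmp(argv[i], "--seccomp.print=", 16) == 0 ||`. The todo block and the pasted shell session sit in the middle of the `if` condition; I would move them above the `for` loop as one comment so the condition reads as a plain list. What `found` gates is outside the hunk, so each added option widens whatever that check allows and deserves a short comment on why it belongs there.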
@@ -604,7 +604,7 @@ int sandbox(void* sandbox_arg) {
 // set security filters
 //****************************
 // set capabilities
- if (!arg_noroot)
+// if (!arg_noroot)
 set_caps();
 // set rlimits
@@ -646,8 +646,7 @@ int sandbox(void* sandbox_arg) {
 if (arg_noroot) {
 int rv = unshare(CLONE_NEWUSER);
 if (rv == -1) {
- fprintf(stderr, "Warning: cannot mount a new user namespace, going forward without it\n");
- perror("unshare");
+ fprintf(stderr, "Warning: cannot mount a new user namespace, going forward without it...\n");
 drop_privs(arg_nogroups);
 arg_noroot = 0;
 }
@@ -667,12 +666,11 @@ int sandbox(void* sandbox_arg) {
 // somehow, the new user namespace resets capabilities;
 // we need to do them again
 if (arg_noroot) {
- set_caps();
 if (arg_debug)
 printf("noroot user namespace installed\n");
+ set_caps();
 }
-
 //****************************************
 // fork the application and monitor it
 //****************************************
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index a5a77abab..d29184b7c 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -261,7 +261,7 @@ static void filter_end_whitelist(void) {
 }
-// save seccomp filter in /tmp/firejail/mnt/seccomp
+// save seccomp filter in /run/firejail/mnt/seccomp
 static void write_seccomp_file(void) {
 fs_build_mnt_dir();
 assert(sfilter);
@@ -283,10 +283,10 @@ static void write_seccomp_file(void) {
 errExit("chown");
 }
-// read seccomp filter from /tmp/firejail/mnt/seccomp
+// read seccomp filter from /run/firejail/mnt/seccomp
 static void read_seccomp_file(const char *fname) {
 assert(sfilter == NULL && sfilter_index == 0);
-
+printf("***%s***\n", fname);
 // check file
 struct stat s;
 if (stat(fname, &s) == -1) {
--
cgit v1.2.3-54-g00ecf
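Review bot: In sandbox.c at -604, commenting out `if (!arg_noroot)` leaves a dead line at column 0 and says nothing about why `set_caps();` became unconditional. The two later hunks show the likely reason: when `unshare(CLONE_NEWUSER)` fails, `arg_noroot` is cleared and the second `set_caps()` under `if (arg_noroot)` is skipped. Delete the commented-out line and record that instead, e.g. `// always set capabilities here: if unshare(CLONE_NEWUSER) fails below, arg_noroot is cleared and the second set_caps() is skipped`. sandbox() starts and ends outside the hunk.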
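Review bot: In sandbox.c at -646, dropping `perror("unshare");` removes the only indication of why `unshare(CLONE_NEWUSER)` failed, while the code still continues with `arg_noroot = 0`, i.e. with a weaker sandbox than the one requested. Keep the reason in the single warning line, for example `fprintf(stderr, "Warning: cannot mount a new user namespace (%s), going forward without it...\n", strerror(errno));`, assuming `<errno.h>` and `<string.h>` are already included in sandbox.c, which this page does not show. Because the fallback downgrades the sandbox and only warns, that message is what an operator has to notice it, so it should say as much as possible.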
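Review bot: In seccomp.c at -283, `printf("***%s***\n", fname);` at column 0 in read_seccomp_file looks like a leftover debug trace: it writes to stdout unconditionally on every call. Other code in this commit gates such output, e.g. `if (arg_debug) printf("noroot user namespace installed\n");` in sandbox.c. Either remove the line or write it the same way, `if (arg_debug) printf("Reading seccomp filter from %s\n", fname);`. The function body continues outside the hunk.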