From 62b9173095929c7ef21b9fb2385f54ceba956aa7 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sun, 20 Nov 2016 17:52:30 -0500 Subject: caps testing --- src/firejail/caps.c | 77 ++++++++++++++++++++++++------------------------- src/firejail/firejail.h | 2 +- src/firejail/main.c | 6 ++-- src/firejail/profile.c | 6 ++-- 4 files changed, 42 insertions(+), 49 deletions(-) (limited to 'src') diff --git a/src/firejail/caps.c b/src/firejail/caps.c index ba811cada..6cfa36629 100644 --- a/src/firejail/caps.c +++ b/src/firejail/caps.c @@ -181,12 +181,10 @@ static int caps_find_name(const char *name) { } // return 1 if error, 0 if OK -int caps_check_list(const char *clist, void (*callback)(int)) { +void caps_check_list(const char *clist, void (*callback)(int)) { // don't allow empty lists - if (clist == NULL || *clist == '\0') { - fprintf(stderr, "Error: empty capabilities lists are not allowed\n"); - return -1; - } + if (clist == NULL || *clist == '\0') + goto errexit; // work on a copy of the string char *str = strdup(clist); @@ -201,11 +199,8 @@ int caps_check_list(const char *clist, void (*callback)(int)) { else if (*ptr == ',') { *ptr = '\0'; int nr = caps_find_name(start); - if (nr == -1) { - fprintf(stderr, "Error: capability %s not found\n", start); - free(str); - return -1; - } + if (nr == -1) + goto errexit; else if (callback != NULL) callback(nr); @@ -215,17 +210,18 @@ int caps_check_list(const char *clist, void (*callback)(int)) { } if (*start != '\0') { int nr = caps_find_name(start); - if (nr == -1) { - fprintf(stderr, "Error: capability %s not found\n", start); - free(str); - return -1; - } + if (nr == -1) + goto errexit; else if (callback != NULL) callback(nr); } free(str); - return 0; + return; + +errexit: + fprintf(stderr, "Error: capability \"%s\" not found\n", start); + exit(1); } void caps_print(void) { 
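Review bot: The empty-list guard at the top of caps_check_list now jumps to `errexit`, which prints `start` with `%s`, but `start` is not set yet on that path (its declaration is outside the hunk, apparently after the `strdup` copy), so the `fprintf` reads an indeterminate pointer, and with `clist == NULL` there is no string to print at all. The message is also wrong for this case, since no capability name was looked up. Keep a separate exit for the guard, `fprintf(stderr, "Error: empty capabilities lists are not allowed\n"); exit(1);`, and leave `errexit` (added in the third hunk of this function) for the two `caps_find_name` failures. The comment `// return 1 if error, 0 if OK` above the signature is stale now that the function returns void; something like `// exit the program if the list is empty or a capability name is unknown` matches the new behaviour.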
@@ -256,49 +252,53 @@ void caps_print(void) { // enabled by default int caps_default_filter(void) { // drop capabilities - if (prctl(PR_CAPBSET_DROP, CAP_SYS_MODULE, 0, 0, 0) && arg_debug) - fprintf(stderr, "Warning: cannot drop CAP_SYS_MODULE"); + if (prctl(PR_CAPBSET_DROP, CAP_SYS_MODULE, 0, 0, 0)) + goto errexit; else if (arg_debug) printf("Drop CAP_SYS_MODULE\n"); - if (prctl(PR_CAPBSET_DROP, CAP_SYS_RAWIO, 0, 0, 0) && arg_debug) - fprintf(stderr, "Warning: cannot drop CAP_SYS_RAWIO"); + if (prctl(PR_CAPBSET_DROP, CAP_SYS_RAWIO, 0, 0, 0)) + goto errexit; else if (arg_debug) printf("Drop CAP_SYS_RAWIO\n"); - if (prctl(PR_CAPBSET_DROP, CAP_SYS_BOOT, 0, 0, 0) && arg_debug) - fprintf(stderr, "Warning: cannot drop CAP_SYS_BOOT"); + if (prctl(PR_CAPBSET_DROP, CAP_SYS_BOOT, 0, 0, 0)) + goto errexit; else if (arg_debug) printf("Drop CAP_SYS_BOOT\n"); - if (prctl(PR_CAPBSET_DROP, CAP_SYS_NICE, 0, 0, 0) && arg_debug) - fprintf(stderr, "Warning: cannot drop CAP_SYS_NICE"); + if (prctl(PR_CAPBSET_DROP, CAP_SYS_NICE, 0, 0, 0)) + goto errexit; else if (arg_debug) printf("Drop CAP_SYS_NICE\n"); - if (prctl(PR_CAPBSET_DROP, CAP_SYS_TTY_CONFIG, 0, 0, 0) && arg_debug) - fprintf(stderr, "Warning: cannot drop CAP_SYS_TTY_CONFIG"); + if (prctl(PR_CAPBSET_DROP, CAP_SYS_TTY_CONFIG, 0, 0, 0)) + goto errexit; else if (arg_debug) printf("Drop CAP_SYS_TTY_CONFIG\n"); #ifdef CAP_SYSLOG - if (prctl(PR_CAPBSET_DROP, CAP_SYSLOG, 0, 0, 0) && arg_debug) - fprintf(stderr, "Warning: cannot drop CAP_SYSLOG"); + if (prctl(PR_CAPBSET_DROP, CAP_SYSLOG, 0, 0, 0)) + goto errexit; else if (arg_debug) printf("Drop CAP_SYSLOG\n"); #endif - if (prctl(PR_CAPBSET_DROP, CAP_MKNOD, 0, 0, 0) && arg_debug) - fprintf(stderr, "Warning: cannot drop CAP_MKNOD"); + if (prctl(PR_CAPBSET_DROP, CAP_MKNOD, 0, 0, 0)) + goto errexit; else if (arg_debug) printf("Drop CAP_MKNOD\n"); - if (prctl(PR_CAPBSET_DROP, CAP_SYS_ADMIN, 0, 0, 0) && arg_debug) - fprintf(stderr, "Warning: cannot drop CAP_SYS_ADMIN"); + if 
(prctl(PR_CAPBSET_DROP, CAP_SYS_ADMIN, 0, 0, 0)) + goto errexit; else if (arg_debug) printf("Drop CAP_SYS_ADMIN\n"); return 0; + +errexit: + fprintf(stderr, "Error: cannot drop capabilities\n"); + exit(1); } void caps_drop_all(void) { @@ -359,19 +359,14 @@ static uint64_t extract_caps(int pid) { EUID_ASSERT(); char *file; - if (asprintf(&file, "/proc/%d/status", pid) == -1) { + if (asprintf(&file, "/proc/%d/status", pid) == -1) errExit("asprintf"); - exit(1); - } EUID_ROOT(); // grsecurity FILE *fp = fopen(file, "r"); EUID_USER(); // grsecurity - if (!fp) { - printf("Error: cannot open %s\n", file); - free(file); - exit(1); - } + if (!fp) + goto errexit; char buf[MAXBUF]; while (fgets(buf, MAXBUF, fp)) { @@ -385,6 +380,8 @@ static uint64_t extract_caps(int pid) { } } fclose(fp); + +errexit: free(file); fprintf(stderr, "Error: cannot read caps configuration\n"); exit(1); diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 2e031ce04..4ae3cfd9f 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -508,7 +508,7 @@ int caps_default_filter(void); void caps_print(void); void caps_drop_all(void); void caps_set(uint64_t caps); -int caps_check_list(const char *clist, void (*callback)(int)); +void caps_check_list(const char *clist, void (*callback)(int)); void caps_drop_list(const char *clist); void caps_keep_list(const char *clist); void caps_print_filter(pid_t pid); diff --git a/src/firejail/main.c b/src/firejail/main.c index ff7b762cd..111a1d751 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1186,8 +1186,7 @@ int main(int argc, char **argv) { if (!arg_caps_list) errExit("strdup"); // verify caps list and exit if problems - if (caps_check_list(arg_caps_list, NULL)) - return 1; + caps_check_list(arg_caps_list, NULL); } else if (strncmp(argv[i], "--caps.keep=", 12) == 0) { arg_caps_keep = 1; 
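Review bot: The shared `errexit` in caps_default_filter reports only `cannot drop capabilities`, so the name of the capability that failed and the `errno` from `prctl` are both lost, where the old warnings at least named the capability. Failing closed is the stricter behaviour, but `PR_CAPBSET_DROP` can fail with EINVAL for a capability the running kernel does not know as well as with EPERM for a missing privilege, and someone reading the log needs to tell the two apart. Printing the cause, for example `fprintf(stderr, "Error: cannot drop capabilities: %s\n", strerror(errno));` (assuming `<errno.h>` and `<string.h>` are already included in caps.c), would keep that information. The function also still returns int although every path now either returns 0 or exits, so a comment such as `// exits on failure; always returns 0` above it would tell callers the value cannot vary.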
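Review bot: In extract_caps the `errexit` label sits directly below `fclose(fp)`, so the normal end of the `fgets` loop falls through into it. That looks intended (no matching line found is treated as an error), but it reads like a missing `return`, and a comment on the label such as `// reached when the file cannot be opened or no matching line was found` would make it clear. The `fopen` failure path in the first extract_caps hunk used to print the path and now prints only `cannot read caps configuration`; adding the file name and `strerror(errno)` to that message before `free(file)` would make a failed open distinguishable from an unparsable status file. The loop body is outside both hunks, so whether its return path releases `file` and `fp` cannot be checked from here.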
@@ -1195,8 +1194,7 @@ int main(int argc, char **argv) { if (!arg_caps_list) errExit("strdup"); // verify caps list and exit if problems - if (caps_check_list(arg_caps_list, NULL)) - return 1; + caps_check_list(arg_caps_list, NULL); } diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 688fa9609..abb8bd9b6 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -570,8 +570,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { if (!arg_caps_list) errExit("strdup"); // verify caps list and exit if problems - if (caps_check_list(arg_caps_list, NULL)) - exit(1); + caps_check_list(arg_caps_list, NULL); return 0; } @@ -582,8 +581,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { if (!arg_caps_list) errExit("strdup"); // verify caps list and exit if problems - if (caps_check_list(arg_caps_list, NULL)) - exit(1); + caps_check_list(arg_caps_list, NULL); return 0; } -- cgit v1.2.3-54-g00ecf