From 672fa03d65e8ffe0cca6e79d374caf0bf9988d20 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Fri, 11 Nov 2016 08:57:44 -0500
Subject: hidepid part 1

---
 src/firejail/main.c | 13 ++++---------
 src/firemon/arp.c | 3 ---
 src/firemon/caps.c | 3 ---
 src/firemon/cgroup.c | 3 ---
 src/firemon/cpu.c | 3 ---
 src/firemon/firemon.c | 11 -----------
 src/firemon/firemon.h | 1 -
 src/firemon/list.c | 3 ---
 src/firemon/netstats.c | 3 ---
 src/firemon/route.c | 3 ---
 src/firemon/seccomp.c | 3 ---
 src/firemon/top.c | 3 ---
 src/firemon/tree.c | 3 ---
 src/firemon/x11.c | 3 ---
 14 files changed, 4 insertions(+), 54 deletions(-)

(limited to 'src')

diff --git a/src/firejail/main.c b/src/firejail/main.c
index 3f005b547..e100e1f2c 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -499,15 +499,15 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 exit(0);
 }
 else if (strcmp(argv[i], "--list") == 0) {
- int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
+ int rv = sbox_run(SBOX_ROOT| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
 exit(rv);
 }
 else if (strcmp(argv[i], "--tree") == 0) {
- int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
+ int rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
 exit(rv);
 }
 else if (strcmp(argv[i], "--top") == 0) {
- int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
+ int rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
 2, PATH_FIREMON, "--top");
 exit(rv);
 }
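Review bot: The switch from SBOX_USER to SBOX_ROOT on the --list, --tree and --top lines is the security-relevant part of this hunk, and it lands without a comment saying why firemon now has to run as root inside the sandbox; a reader has only the subject line "hidepid part 1" to go on. I would put a one-line comment above the first of the three calls, e.g. `// run firemon as root inside the sandbox: with hidepid on /proc an unprivileged firemon cannot see other users' sandboxes; SBOX_CAPS_NONE and SBOX_SECCOMP still confine it` — the hidepid motive is my inference from the subject, so adjust the wording if the reason differs. The --list line also has a spacing slip, `SBOX_ROOT| SBOX_CAPS_NONE`, which should read `SBOX_ROOT | SBOX_CAPS_NONE` like the --tree and --top lines. run_cmd_and_exit starts before and continues after this hunk.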
@@ -515,12 +515,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 else if (strcmp(argv[i], "--netstats") == 0) {
 if (checkcfg(CFG_NETWORK)) {
 struct stat s;
- int rv;
- if (stat("/proc/sys/kernel/grsecurity", &s) == 0)
- rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
- 2, PATH_FIREMON, "--netstats");
- else
- rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
+ int rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
 2, PATH_FIREMON, "--netstats");
 exit(rv);
 }
diff --git a/src/firemon/arp.c b/src/firemon/arp.c
index 7cb8ff4c3..d204a0c3a 100644
--- a/src/firemon/arp.c
+++ b/src/firemon/arp.c
@@ -73,9 +73,6 @@ static void print_arp(const char *fname) {
 }
 
 void arp(pid_t pid) {
- if (getuid() == 0)
- firemon_drop_privs();
-
 pid_read(pid);
 
 // print processes
diff --git a/src/firemon/caps.c b/src/firemon/caps.c
index 5cd9b5d0d..49c7b204b 100644
--- a/src/firemon/caps.c
+++ b/src/firemon/caps.c
@@ -49,9 +49,6 @@ static void print_caps(int pid) {
 }
 
 void caps(pid_t pid) {
- if (getuid() == 0)
- firemon_drop_privs();
-
 pid_read(pid); // include all processes
 
 // print processes
diff --git a/src/firemon/cgroup.c b/src/firemon/cgroup.c
index 0b93390ae..ec2d350af 100644
--- a/src/firemon/cgroup.c
+++ b/src/firemon/cgroup.c
@@ -45,9 +45,6 @@ static void print_cgroup(int pid) {
 }
 
 void cgroup(pid_t pid) {
- if (getuid() == 0)
- firemon_drop_privs();
-
 pid_read(pid);
 
 // print processes
diff --git a/src/firemon/cpu.c b/src/firemon/cpu.c
index 06658f58c..20fba33d6 100644
--- a/src/firemon/cpu.c
+++ b/src/firemon/cpu.c
@@ -49,9 +49,6 @@ static void print_cpu(int pid) {
 }
 
 void cpu(pid_t pid) {
- if (getuid() == 0)
- firemon_drop_privs();
-
 pid_read(pid);
 
 // print processes
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c
index 3140c5f70..950311c00 100644
--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
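Review bot: `struct stat s;` is left behind in the --netstats branch although its only user, the `stat("/proc/sys/kernel/grsecurity", &s)` call, is removed in this hunk, so the new code declares a variable it never reads and will warn under -Wunused-variable. Drop the declaration together with the call, so that `if (checkcfg(CFG_NETWORK)) {` is followed directly by the `int rv = sbox_run(...)` line. The grsecurity special case disappears without a word; if it was the earlier reason for running --netstats as SBOX_ROOT, a short comment at the call saying that root is now unconditional would save the next reader a git blame. run_cmd_and_exit continues past this hunk.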
@@ -62,17 +62,6 @@ int find_child(int id) {
 return -1;
 }
 
-// drop privileges
-void firemon_drop_privs(void) {
- // drop privileges
- if (setgroups(0, NULL) < 0)
- errExit("setgroups");
- if (setgid(getgid()) < 0)
- errExit("setgid/getgid");
- if (setuid(getuid()) < 0)
- errExit("setuid/getuid");
-}
-
 // sleep and wait for a key to be pressed
 void firemon_sleep(int st) {
 if (terminal_set == 0) {
diff --git a/src/firemon/firemon.h b/src/firemon/firemon.h
index 522ece077..a873430a3 100644
--- a/src/firemon/firemon.h
+++ b/src/firemon/firemon.h
@@ -38,7 +38,6 @@ static inline void firemon_clrscr(void) {
 // firemon.c
 extern int arg_nowrap;
 int find_child(int id);
-void firemon_drop_privs(void);
 void firemon_sleep(int st);
 
 
diff --git a/src/firemon/list.c b/src/firemon/list.c
index 901627c2a..acff13a28 100644
--- a/src/firemon/list.c
+++ b/src/firemon/list.c
@@ -20,9 +20,6 @@
 #include "firemon.h"
 
 void list(void) {
- if (getuid() == 0)
- firemon_drop_privs();
-
 pid_read(0); // include all processes
 
 // print processes
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c
index 0ff0dd33d..3c020d630 100644
--- a/src/firemon/netstats.c
+++ b/src/firemon/netstats.c
@@ -170,9 +170,6 @@ static void print_proc(int index, int itv, int col) {
 }
 
 void netstats(void) {
- if (getuid() == 0)
- firemon_drop_privs();
-
 pid_read(0); // include all processes
 
 printf("Displaying network statistics only for sandboxes using a new network namespace.\n");
diff --git a/src/firemon/route.c b/src/firemon/route.c
index 398965671..ac8000b6a 100644
--- a/src/firemon/route.c
+++ b/src/firemon/route.c
@@ -182,9 +182,6 @@ static void print_route(const char *fname) {
 }
 
 void route(pid_t pid) {
- if (getuid() == 0)
- firemon_drop_privs();
-
 pid_read(pid);
 
 // print processes
diff --git a/src/firemon/seccomp.c b/src/firemon/seccomp.c
index 71771c72d..d4c248f8b 100644
--- a/src/firemon/seccomp.c
+++ b/src/firemon/seccomp.c
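Review bot: Deleting firemon_drop_privs() here removes the only privilege drop firemon had, and the matching `if (getuid() == 0)` guard goes away in one step from arp(), caps(), cgroup(), cpu(), list(), netstats(), route(), seccomp(), top(), tree() and x11(), so confinement of firemon's /proc parsing now rests entirely on the caller — in this commit the sbox_run path in src/firejail/main.c with SBOX_CAPS_NONE | SBOX_SECCOMP. That holds for the firejail-invoked case, but if firemon can still be started directly by root (its main() is not in this diff) it now reads /proc with full privileges and nothing in the binary limits that. I would record the new contract next to the removed declaration in firemon.h, e.g. `// firemon does not drop privileges itself; a caller that runs it as root is expected to confine it (see sbox_run in src/firejail/main.c)`. With setgroups/setgid/setuid gone from firemon.c, the header that provided setgroups may now be unused; worth checking outside this hunk.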
@@ -49,9 +49,6 @@ static void print_seccomp(int pid) {
 }
 
 void seccomp(pid_t pid) {
- if (getuid() == 0)
- firemon_drop_privs();
-
 pid_read(pid); // include all processes
 
 // print processes
diff --git a/src/firemon/top.c b/src/firemon/top.c
index a6da6f64e..b804761dd 100644
--- a/src/firemon/top.c
+++ b/src/firemon/top.c
@@ -232,9 +232,6 @@ void head_print(int col, int row) {
 }
 
 void top(void) {
- if (getuid() == 0)
- firemon_drop_privs();
-
 while (1) {
 // clear linked list
 head_clear();
diff --git a/src/firemon/tree.c b/src/firemon/tree.c
index b05eb92f9..a4b92a11f 100644
--- a/src/firemon/tree.c
+++ b/src/firemon/tree.c
@@ -20,9 +20,6 @@
 #include "firemon.h"
 
 void tree(pid_t pid) {
- if (getuid() == 0)
- firemon_drop_privs();
-
 pid_read(pid); // include all processes
 
 // print processes
diff --git a/src/firemon/x11.c b/src/firemon/x11.c
index e30c2d78b..c7fe4c616 100644
--- a/src/firemon/x11.c
+++ b/src/firemon/x11.c
@@ -23,9 +23,6 @@
 #include
 
 void x11(pid_t pid) {
- if (getuid() == 0)
- firemon_drop_privs();
-
 pid_read(pid);
 
 // print processes
-- 
cgit v1.2.3-54-g00ecf