From eb08fa57fe7a34ab2b0f7be2cf8ee63d1edd6ede Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 28 Aug 2015 11:27:19 -0400 Subject: fix firejail-in-firejail again --- src/firejail/bandwidth.c | 6 ++---- src/firejail/firejail.h | 3 --- src/firejail/fs.c | 6 ++---- src/firejail/main.c | 26 +++++++++----------------- 4 files changed, 13 insertions(+), 28 deletions(-) (limited to 'src') diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c index 61d0acd4a..e0be1f06a 100644 --- a/src/firejail/bandwidth.c +++ b/src/firejail/bandwidth.c @@ -125,10 +125,8 @@ void shm_create_firejail_dir(void) { } else { // check /dev/shm/firejail directory belongs to root end exit if doesn't! if (s.st_uid != 0 || s.st_gid != 0) { - if (firejail_in_firejail == 0) { - fprintf(stderr, "Error: non-root %s directory, exiting...\n", "/dev/shm/firejail"); - exit(1); - } + fprintf(stderr, "Error: non-root %s directory, exiting...\n", "/dev/shm/firejail"); + exit(1); } } } diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index ce2b0e7a5..cb841cc59 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -149,9 +149,6 @@ extern int arg_scan; // arp-scan all interfaces extern int parent_to_child_fds[2]; extern int child_to_parent_fds[2]; extern pid_t sandbox_pid; -extern int firejail_in_firejail; - - #define MAX_ARGS 128 // maximum number of command arguments (argc) extern char *fullargv[MAX_ARGS]; diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 3f8f7176c..f4384faf7 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -44,10 +44,8 @@ void fs_build_firejail_dir(void) { } else { // check /tmp/firejail directory belongs to root end exit if doesn't! if (s.st_uid != 0 || s.st_gid != 0) { - if (firejail_in_firejail == 0) { - fprintf(stderr, "Error: non-root %s directory, exiting...\n", FIREJAIL_DIR); - exit(1); - } + fprintf(stderr, "Error: non-root %s directory, exiting...\n", FIREJAIL_DIR); + exit(1); } } } 
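Review bot: The ownership test in `shm_create_firejail_dir` (and the identical one in `fs_build_firejail_dir` in fs.c) only compares `s.st_uid` and `s.st_gid`, so a root-owned entry that is not a directory, or one that is group- or world-writable, still passes. Both paths sit under world-writable parents (/dev/shm and /tmp) and the program runs setuid root, so this check is what decides whether a pre-existing entry is trusted. The call that fills `s` is outside both hunks; if it is `stat()` rather than `lstat()`, the test is applied to a symlink's target rather than to the entry itself. Consider `if (!S_ISDIR(s.st_mode) || s.st_uid != 0 || s.st_gid != 0 || (s.st_mode & (S_IWGRP | S_IWOTH))) {` as the condition in both places. Both function bodies start outside their hunks.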
diff --git a/src/firejail/main.c b/src/firejail/main.c index 3a5a21cad..a1e67c298 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -90,7 +90,6 @@ char *fullargv[MAX_ARGS]; // expanded argv for restricted shell int fullargc = 0; static pid_t child = 0; pid_t sandbox_pid; -int firejail_in_firejail = 0; // firejail started in a firejail sandbox static void myexit(int rv) { logmsg("exiting..."); @@ -114,10 +113,8 @@ static void my_handler(int s){ static void extract_user_data(void) { // check suid if (geteuid()) { - if (firejail_in_firejail == 0) { - fprintf(stderr, "Error: the sandbox is not setuid root\n"); - exit(1); - } + fprintf(stderr, "Error: the sandbox is not setuid root\n"); + exit(1); } struct passwd *pw = getpwuid(getuid()); @@ -392,12 +389,13 @@ int main(int argc, char **argv) { // check if we already have a sandbox running int rv = check_kernel_procs(); - if (rv == 0) - firejail_in_firejail = 1; - - + if (rv == 0) { + // start the program directly without sandboxing + run_no_sandbox(argc, argv); + // it will never get here! + assert(0); + } - // initialize globals init_cfg(); cfg.original_argv = argv; @@ -697,6 +695,7 @@ int main(int argc, char **argv) { } // extract private home dirname +printf("here %s:%d\n", __FILE__, __LINE__); cfg.home_private = argv[i] + 10; fs_check_private_dir(); arg_private = 1; @@ -974,13 +973,6 @@ int main(int argc, char **argv) { } } - // if a sandbox is already running, start the program directly without sandboxing - if (firejail_in_firejail) { - run_no_sandbox(argc, argv); - // it will never get here! - assert(0); - } - // check network configuration options - it will exit if anything went wrong net_check_cfg(); -- cgit v1.2.3-54-g00ecf
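Review bot: `assert(0)` is the only thing that stops a fall-through after `run_no_sandbox(argc, argv)` in `main`, and it compiles to nothing under `-DNDEBUG`; if the call ever returns, a setuid-root process would carry on into sandbox setup while already inside a sandbox. Follow the call with an unconditional `exit(1);` and keep the assert only as documentation of intent. The call now also runs before `init_cfg()` and before any option parsing, so `run_no_sandbox`, which is defined outside this diff, should be checked to confirm it does not rely on `cfg` or parsed arguments and that it drops the effective uid before starting the program. `main` starts and ends outside the hunk.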
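Review bot: The added `printf("here %s:%d\n", __FILE__, __LINE__);` just before `cfg.home_private = argv[i] + 10;` looks like leftover debugging and should be removed from the commit. It writes to stdout every time this option branch is taken, which corrupts the output of anything consuming the sandboxed program's stdout and exposes the build-time source path through `__FILE__`. The enclosing option branch in `main` starts outside the hunk.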