From f1c1e550aaf04b3573b232b6e464d9a3b4304288 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Thu, 17 Mar 2016 08:35:27 -0400
Subject: overlayfs work, fixed hedgwoars profile
---
 src/firejail/fs.c | 8 +++++++-
 src/firejail/main.c | 22 ++++++++++++++++------
 src/lib/pid.c | 6 +++++-
 3 files changed, 28 insertions(+), 8 deletions(-)
(limited to 'src')
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index f63e8b5eb..644255de5 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -960,7 +960,13 @@ void fs_overlayfs(void) {
 // don't leak user information
 restrict_users();
- disable_firejail_config();
+ // when starting as root in overlay mode, firejail config is not disabled;
+ // this mode could be used to install and test new software by chaining
+ // firejail sandboxes (firejail --force)
+ if (getuid() != 0)
+ disable_firejail_config();
+ else
+ fprintf(stderr, "Warning: masking /etc/firejail disabled when starting the sandbox as root using --overlay option\n");
 // cleanup and exit
 free(option);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 8f89a804f..476f9c39c 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -645,7 +645,8 @@ int main(int argc, char **argv) {
 int i;
 int prog_index = -1; // index in argv where the program command starts
 int lockfd = -1;
- int arg_cgroup = 0;
+ int option_cgroup = 0;
+ int option_force = 0;
 int custom_profile = 0; // custom profile loaded
 char *custom_profile_dir = NULL; // custom profile directory
 int arg_noprofile = 0; // use generic.profile if none other found/specified
@@ -667,7 +668,11 @@ int main(int argc, char **argv) {
 // if --force option is passed to the program, disregard the existing sandbox
 int found = 0;
 for (i = 1; i < argc; i++) {
- if (strcmp(argv[i], "--force") == 0) {
+ if (strcmp(argv[i], "--force") == 0 ||
+ strcmp(argv[i], "--netstats") == 0 ||
+ strcmp(argv[i], "--list") == 0 ||
+ strcmp(argv[i], "--tree") == 0 ||
+ strcmp(argv[i], "--top") == 0) {
 found = 1;
 break;
 }
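Review bot: In src/firejail/fs.c, fs_overlayfs(), the new `getuid() != 0` test leaves /etc/firejail unmasked for every root-started `--overlay` sandbox, which is broader than the chaining use case the added comment describes. If the relaxation is meant only for sandbox-in-sandbox installs, the condition should be tied to that mode. Otherwise the comment should say so plainly, for example `// NOTE: applies to every root --overlay run, not only --force chains; /etc/firejail stays visible inside the sandbox`. The function body starts and ends outside the hunk, so whether a chaining indicator is reachable from here cannot be confirmed.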
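Review bot: In src/firejail/main.c (hunk at -667), the scan `for (i = 1; i < argc; i++)` compares every argv element, so a program argument that happens to equal `--list`, `--tree`, `--top` or `--netstats` (as in a constructed `firejail someprog --top`) now sets `found` just as `--force` does. Since the commit widens the set of strings that skip the already-sandboxed fallback, the loop should stop at the first element that is not a firejail option, e.g. `if (strncmp(argv[i], "--", 2) != 0 || strcmp(argv[i], "--") == 0) break;` placed before the comparisons, assuming all firejail options start with `--`. The comment above the loop still names only `--force` and should list the monitoring options as well. The enclosing block starts and ends outside the hunk.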
@@ -683,6 +688,8 @@ int main(int argc, char **argv) {
 // it will never get here!
 assert(0);
 }
+ else
+ option_force = 1;
 }
 // check root/suid
@@ -740,8 +747,11 @@ int main(int argc, char **argv) {
 for (i = 1; i < argc; i++) {
 run_cmd_and_exit(i, argc, argv); // will exit if the command is recognized
- if (strcmp(argv[i], "--debug") == 0)
+ if (strcmp(argv[i], "--debug") == 0) {
 arg_debug = 1;
+ if (option_force)
+ printf("Entering sandbox-in-sandbox mode\n");
+ }
 else if (strcmp(argv[i], "--debug-check-filename") == 0)
 arg_debug_check_filename = 1;
 else if (strcmp(argv[i], "--debug-blacklists") == 0)
@@ -752,7 +762,7 @@ int main(int argc, char **argv) {
 arg_quiet = 1;
 else if (strcmp(argv[i], "--force") == 0)
 ;
-
+
 //*************************************
 // filtering
 //*************************************
@@ -931,12 +941,12 @@ int main(int argc, char **argv) {
 arg_nice = 1;
 }
 else if (strncmp(argv[i], "--cgroup=", 9) == 0) {
- if (arg_cgroup) {
+ if (option_cgroup) {
 fprintf(stderr, "Error: only a cgroup can be defined\n");
 exit(1);
 }
- arg_cgroup = 1;
+ option_cgroup = 1;
 cfg.cgroup = strdup(argv[i] + 9);
 if (!cfg.cgroup)
 errExit("strdup");
diff --git a/src/lib/pid.c b/src/lib/pid.c
index a89ac434b..d1ade389e 100644
--- a/src/lib/pid.c
+++ b/src/lib/pid.c
@@ -310,7 +310,11 @@ void pid_read(pid_t mon_pid) {
 continue;
 if (pid == mypid)
 continue;
-
+
+ // skip PID 1 just in case we run a sandbox-in-sandbox
+ if (pid == 1)
+ continue;
+
 // open stat file
 char *file;
 if (asprintf(&file, "/proc/%u/status", pid) == -1) {
--
cgit v1.2.3-54-g00ecf
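Review bot: In src/firejail/main.c (hunk at -683), `option_force` is set in the new `else` branch whenever the preceding scan matched, and after this commit that scan also matches `--netstats`, `--list`, `--tree` and `--top`, so the flag no longer means that `--force` was given. The `--debug` branch in the following hunk prints "Entering sandbox-in-sandbox mode" based on it, which would be misleading for a monitoring command, assuming `run_cmd_and_exit` has not already exited by then. Consider recording the `--force` match separately in the scan loop and assigning `option_force` from that, with a comment such as `// set only when --force was given inside an existing sandbox`. The `if` this `else` belongs to begins outside the hunk.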
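Review bot: In src/lib/pid.c, pid_read(), the added `if (pid == 1) continue;` is unconditional, so PID 1 is left out of the process table on every call, not only when running nested as the comment's "just in case" wording suggests. The comment should state why PID 1 is a problem in the nested case and that it is skipped everywhere, e.g. `// PID 1 is never added to the table (nested or not): <reason it confuses sandbox-in-sandbox listing>`. If any caller relies on PID 1 appearing in the monitoring output, that effect needs checking; the callers are not visible here. The loop body continues outside the hunk.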