mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-21 06:45:29 -06:00
hidepid part 4
This commit is contained in:
netblue30
parent
c8f8341c27
commit
cffa48d80c
7 changed files with 89 additions and 45 deletions
|
|
@ -494,25 +494,39 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
|
|||
exit(0);
|
||||
}
|
||||
else if (strcmp(argv[i], "--list") == 0) {
|
||||
int rv = sbox_run(SBOX_ROOT| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
|
||||
exit(rv);
|
||||
if (pid_hidepid())
|
||||
sbox_run(SBOX_ROOT| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
|
||||
else
|
||||
sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--list");
|
||||
exit(0);
|
||||
}
|
||||
else if (strcmp(argv[i], "--tree") == 0) {
|
||||
int rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
|
||||
exit(rv);
|
||||
if (pid_hidepid())
|
||||
sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
|
||||
else
|
||||
sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FIREMON, "--tree");
|
||||
exit(0);
|
||||
}
|
||||
else if (strcmp(argv[i], "--top") == 0) {
|
||||
int rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
|
||||
2, PATH_FIREMON, "--top");
|
||||
exit(rv);
|
||||
if (pid_hidepid())
|
||||
sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
|
||||
2, PATH_FIREMON, "--top");
|
||||
else
|
||||
sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
|
||||
2, PATH_FIREMON, "--top");
|
||||
exit(0);
|
||||
}
|
||||
#ifdef HAVE_NETWORK
|
||||
else if (strcmp(argv[i], "--netstats") == 0) {
|
||||
if (checkcfg(CFG_NETWORK)) {
|
||||
struct stat s;
|
||||
int rv = sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
|
||||
if (stat("/proc/sys/kernel/grsecurity", &s) == 0 || pid_hidepid())
|
||||
sbox_run(SBOX_ROOT | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
|
||||
2, PATH_FIREMON, "--netstats");
|
||||
exit(rv);
|
||||
else
|
||||
sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP | SBOX_ALLOW_STDIN,
|
||||
2, PATH_FIREMON, "--netstats");
|
||||
exit(0);
|
||||
}
|
||||
else {
|
||||
fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
|
||||
|
|
|
|||
|
|
@ -35,6 +35,9 @@ static int arg_caps = 0;
|
|||
static int arg_cpu = 0;
|
||||
static int arg_cgroup = 0;
|
||||
static int arg_x11 = 0;
|
||||
static int arg_top = 0;
|
||||
static int arg_list = 0;
|
||||
static int arg_netstats = 0;
|
||||
int arg_nowrap = 0;
|
||||
|
||||
static struct termios tlocal; // startup terminal setting
|
||||
|
|
@ -118,53 +121,39 @@ int main(int argc, char **argv) {
|
|||
}
|
||||
|
||||
// options without a pid argument
|
||||
else if (strcmp(argv[i], "--top") == 0) {
|
||||
top(); // never to return
|
||||
}
|
||||
else if (strcmp(argv[i], "--list") == 0) {
|
||||
list();
|
||||
return 0;
|
||||
}
|
||||
else if (strcmp(argv[i], "--top") == 0)
|
||||
arg_top = 1;
|
||||
else if (strcmp(argv[i], "--list") == 0)
|
||||
arg_list = 1;
|
||||
else if (strcmp(argv[i], "--tree") == 0)
|
||||
arg_tree = 1;
|
||||
else if (strcmp(argv[i], "--netstats") == 0) {
|
||||
struct stat s;
|
||||
if (getuid() != 0 && stat("/proc/sys/kernel/grsecurity", &s) == 0) {
|
||||
fprintf(stderr, "Error: this feature is not available on Grsecurity systems\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
netstats();
|
||||
return 0;
|
||||
arg_netstats = 1;
|
||||
}
|
||||
|
||||
|
||||
// cumulative options with or without a pid argument
|
||||
else if (strcmp(argv[i], "--x11") == 0) {
|
||||
else if (strcmp(argv[i], "--x11") == 0)
|
||||
arg_x11 = 1;
|
||||
}
|
||||
else if (strcmp(argv[i], "--cgroup") == 0) {
|
||||
else if (strcmp(argv[i], "--cgroup") == 0)
|
||||
arg_cgroup = 1;
|
||||
}
|
||||
else if (strcmp(argv[i], "--cpu") == 0) {
|
||||
else if (strcmp(argv[i], "--cpu") == 0)
|
||||
arg_cpu = 1;
|
||||
}
|
||||
else if (strcmp(argv[i], "--seccomp") == 0) {
|
||||
else if (strcmp(argv[i], "--seccomp") == 0)
|
||||
arg_seccomp = 1;
|
||||
}
|
||||
else if (strcmp(argv[i], "--caps") == 0) {
|
||||
else if (strcmp(argv[i], "--caps") == 0)
|
||||
arg_caps = 1;
|
||||
}
|
||||
else if (strcmp(argv[i], "--tree") == 0) {
|
||||
arg_tree = 1;
|
||||
}
|
||||
else if (strcmp(argv[i], "--interface") == 0) {
|
||||
else if (strcmp(argv[i], "--interface") == 0)
|
||||
arg_interface = 1;
|
||||
}
|
||||
else if (strcmp(argv[i], "--route") == 0) {
|
||||
else if (strcmp(argv[i], "--route") == 0)
|
||||
arg_route = 1;
|
||||
}
|
||||
else if (strcmp(argv[i], "--arp") == 0) {
|
||||
else if (strcmp(argv[i], "--arp") == 0)
|
||||
arg_arp = 1;
|
||||
}
|
||||
|
||||
else if (strncmp(argv[i], "--name=", 7) == 0) {
|
||||
char *name = argv[i] + 7;
|
||||
|
|
@ -201,8 +190,28 @@ int main(int argc, char **argv) {
|
|||
}
|
||||
}
|
||||
|
||||
if (arg_tree)
|
||||
tree((pid_t) pid);
|
||||
// allow only root user if /proc is mounted hidepid
|
||||
if (pid_hidepid() && getuid() != 0) {
|
||||
fprintf(stderr, "Error: /proc is mounted hidepid, you would need to be root to run this command\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
if (arg_top)
|
||||
top(); // never to return
|
||||
if (arg_tree) {
|
||||
tree();
|
||||
return 0;
|
||||
}
|
||||
if (arg_list) {
|
||||
list();
|
||||
return 0;
|
||||
}
|
||||
if (arg_netstats) {
|
||||
netstats();
|
||||
return 0;
|
||||
}
|
||||
|
||||
// cumulative options
|
||||
if (arg_interface)
|
||||
interface((pid_t) pid);
|
||||
if (arg_route)
|
||||
|
|
@ -220,7 +229,7 @@ int main(int argc, char **argv) {
|
|||
if (arg_x11)
|
||||
x11((pid_t) pid);
|
||||
|
||||
if (!arg_route && !arg_arp && !arg_interface && !arg_tree && !arg_caps && !arg_seccomp && !arg_x11)
|
||||
if (!arg_interface && !arg_route && !arg_arp && !arg_seccomp && !arg_caps && !arg_cgroup && !arg_x11)
|
||||
procevent((pid_t) pid); // never to return
|
||||
|
||||
return 0;
|
||||
|
|
|
|||
|
|
@ -75,7 +75,7 @@ void cpu(pid_t pid);
|
|||
void cgroup(pid_t pid);
|
||||
|
||||
// tree.c
|
||||
void tree(pid_t pid);
|
||||
void tree(void);
|
||||
|
||||
// netstats.c
|
||||
void netstats(void);
|
||||
|
|
|
|||
|
|
@ -19,8 +19,8 @@
|
|||
*/
|
||||
#include "firemon.h"
|
||||
|
||||
void tree(pid_t pid) {
|
||||
pid_read(pid); // include all processes
|
||||
void tree(void) {
|
||||
pid_read(0); // include all processes
|
||||
|
||||
// print processes
|
||||
int i;
|
||||
|
|
|
|||
|
|
@ -114,4 +114,5 @@ int name2pid(const char *name, pid_t *pid);
|
|||
char *pid_proc_comm(const pid_t pid);
|
||||
char *pid_proc_cmdline(const pid_t pid);
|
||||
int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid);
|
||||
int pid_hidepid(void);
|
||||
#endif
|
||||
|
|
|
|||
|
|
@ -260,5 +260,26 @@ int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid) {
|
|||
return 0;
|
||||
}
|
||||
|
||||
// return 1 if /proc is mounted hidepid, or if /proc/mouns access is denied
|
||||
#define BUFLEN 4096
|
||||
int pid_hidepid(void) {
|
||||
FILE *fp = fopen("/proc/mounts", "r");
|
||||
if (!fp)
|
||||
return 1;
|
||||
|
||||
char buf[BUFLEN];
|
||||
while (fgets(buf, BUFLEN, fp)) {
|
||||
if (strstr(buf, "proc /proc proc")) {
|
||||
fclose(fp);
|
||||
// check hidepid
|
||||
if (strstr(buf, "hidepid=2") || strstr(buf, "hidepid=1"))
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -29,7 +29,6 @@
|
|||
//Process pids[max_pids];
|
||||
Process *pids = NULL;
|
||||
int max_pids=32769;
|
||||
#define PIDS_BUFLEN 4096
|
||||
|
||||
// get the memory associated with this pid
|
||||
void pid_getmem(unsigned pid, unsigned *rss, unsigned *shared) {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue