mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-21 06:45:29 -06:00
219 lines
4.8 KiB
C
219 lines
4.8 KiB
C
/*
|
|
* Copyright (C) 2014-2016 netblue30 (netblue30@yahoo.com)
|
|
*
|
|
* This file is part of firejail project
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License along
|
|
* with this program; if not, write to the Free Software Foundation, Inc.,
|
|
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
*/
|
|
#define _GNU_SOURCE
|
|
#include <stdio.h>
|
|
#include <sys/types.h>
|
|
#include <sys/stat.h>
|
|
#include <sys/wait.h>
|
|
#include <fcntl.h>
|
|
#include <sys/syscall.h>
|
|
#include <errno.h>
|
|
#include <unistd.h>
|
|
#include <sys/prctl.h>
|
|
#include <signal.h>
|
|
#include <dirent.h>
|
|
#include <string.h>
|
|
#include "../include/common.h"
|
|
#define BUFLEN 4096
|
|
|
|
int join_namespace(pid_t pid, char *type) {
|
|
char *path;
|
|
if (asprintf(&path, "/proc/%u/ns/%s", pid, type) == -1)
|
|
errExit("asprintf");
|
|
|
|
int fd = open(path, O_RDONLY);
|
|
if (fd < 0) {
|
|
free(path);
|
|
fprintf(stderr, "Error: cannot open /proc/%u/ns/%s.\n", pid, type);
|
|
return -1;
|
|
}
|
|
|
|
if (syscall(__NR_setns, fd, 0) < 0) {
|
|
free(path);
|
|
fprintf(stderr, "Error: cannot join namespace %s.\n", type);
|
|
close(fd);
|
|
return -1;
|
|
}
|
|
|
|
close(fd);
|
|
free(path);
|
|
return 0;
|
|
}
|
|
|
|
// return 1 if error
|
|
// this function requires root access - todo: fix it!
|
|
int name2pid(const char *name, pid_t *pid) {
|
|
pid_t parent = getpid();
|
|
|
|
DIR *dir;
|
|
if (!(dir = opendir("/proc"))) {
|
|
// sleep 2 seconds and try again
|
|
sleep(2);
|
|
if (!(dir = opendir("/proc"))) {
|
|
fprintf(stderr, "Error: cannot open /proc directory\n");
|
|
exit(1);
|
|
}
|
|
}
|
|
|
|
struct dirent *entry;
|
|
char *end;
|
|
while ((entry = readdir(dir))) {
|
|
pid_t newpid = strtol(entry->d_name, &end, 10);
|
|
if (end == entry->d_name || *end)
|
|
continue;
|
|
if (newpid == parent)
|
|
continue;
|
|
|
|
// check if this is a firejail executable
|
|
char *comm = pid_proc_comm(newpid);
|
|
if (comm) {
|
|
// remove \n
|
|
char *ptr = strchr(comm, '\n');
|
|
if (ptr)
|
|
*ptr = '\0';
|
|
if (strcmp(comm, "firejail")) {
|
|
free(comm);
|
|
continue;
|
|
}
|
|
free(comm);
|
|
}
|
|
|
|
char *cmd = pid_proc_cmdline(newpid);
|
|
if (cmd) {
|
|
// mark the end of the name
|
|
char *ptr = strstr(cmd, "--name=");
|
|
char *start = ptr;
|
|
if (!ptr) {
|
|
free(cmd);
|
|
|
|
// extract name for /run/mnt/firejail/fslogger file
|
|
char *fname;
|
|
if (asprintf(&fname, "/proc/%d/root/run/firejail/mnt/fslogger", newpid) == -1)
|
|
errExit("asprintf");
|
|
|
|
struct stat s;
|
|
if (stat(fname, &s) == 0) {
|
|
FILE *fp = fopen(fname, "r");
|
|
if (fp) {
|
|
char buf[BUFLEN];
|
|
if (fgets(buf, BUFLEN, fp)) {
|
|
if (strncmp(buf, "sandbox name: ", 14) == 0) {
|
|
char *ptr2 = buf + 14;
|
|
if (strncmp(name, ptr2, strlen(name)) == 0) {
|
|
fclose(fp);
|
|
*pid = newpid;
|
|
closedir(dir);
|
|
return 0;
|
|
}
|
|
}
|
|
}
|
|
fclose(fp);
|
|
}
|
|
}
|
|
|
|
continue;
|
|
}
|
|
while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0')
|
|
ptr++;
|
|
*ptr = '\0';
|
|
int rv = strcmp(start + 7, name);
|
|
if (rv == 0) {
|
|
free(cmd);
|
|
*pid = newpid;
|
|
closedir(dir);
|
|
return 0;
|
|
}
|
|
free(cmd);
|
|
}
|
|
}
|
|
closedir(dir);
|
|
return 1;
|
|
}
|
|
|
|
char *pid_proc_comm(const pid_t pid) {
|
|
// open /proc/pid/cmdline file
|
|
char *fname;
|
|
int fd;
|
|
if (asprintf(&fname, "/proc/%d//comm", pid) == -1)
|
|
return NULL;
|
|
if ((fd = open(fname, O_RDONLY)) < 0) {
|
|
free(fname);
|
|
return NULL;
|
|
}
|
|
free(fname);
|
|
|
|
// read file
|
|
unsigned char buffer[BUFLEN];
|
|
ssize_t len;
|
|
if ((len = read(fd, buffer, sizeof(buffer) - 1)) <= 0) {
|
|
close(fd);
|
|
return NULL;
|
|
}
|
|
buffer[len] = '\0';
|
|
close(fd);
|
|
|
|
// return a malloc copy of the command line
|
|
char *rv = strdup((char *) buffer);
|
|
if (strlen(rv) == 0) {
|
|
free(rv);
|
|
return NULL;
|
|
}
|
|
return rv;
|
|
}
|
|
|
|
char *pid_proc_cmdline(const pid_t pid) {
|
|
// open /proc/pid/cmdline file
|
|
char *fname;
|
|
int fd;
|
|
if (asprintf(&fname, "/proc/%d/cmdline", pid) == -1)
|
|
return NULL;
|
|
if ((fd = open(fname, O_RDONLY)) < 0) {
|
|
free(fname);
|
|
return NULL;
|
|
}
|
|
free(fname);
|
|
|
|
// read file
|
|
unsigned char buffer[BUFLEN];
|
|
ssize_t len;
|
|
if ((len = read(fd, buffer, sizeof(buffer) - 1)) <= 0) {
|
|
close(fd);
|
|
return NULL;
|
|
}
|
|
buffer[len] = '\0';
|
|
close(fd);
|
|
|
|
// clean data
|
|
int i;
|
|
for (i = 0; i < len; i++) {
|
|
if (buffer[i] == '\0')
|
|
buffer[i] = ' ';
|
|
// if (buffer[i] >= 0x80) // execv in progress!!!
|
|
// return NULL;
|
|
}
|
|
|
|
// return a malloc copy of the command line
|
|
char *rv = strdup((char *) buffer);
|
|
if (strlen(rv) == 0) {
|
|
free(rv);
|
|
return NULL;
|
|
}
|
|
return rv;
|
|
}
|