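// Print the seccomp filter of the sandbox identified by pid, then exit.
//
// When pid names a process whose comm is "firejail", the pid returned by
// find_child() is used instead. A non-root caller may only proceed when
// /proc/<pid>/ns is owned by the caller's real uid. The function does not
// return: exit(0) after printing, exit(1) when access is denied or the
// filter file cannot be stat'ed, errExit() on asprintf/stat failure.
void seccomp_print_filter(pid_t pid) {
	// if the pid is that of a firejail process, use the pid of the first child process
	char *comm = pid_proc_comm(pid);
	if (comm) {
		// remove \n
		char *ptr = strchr(comm, '\n');
		if (ptr)
			*ptr = '\0';
		if (strcmp(comm, "firejail") == 0) {
			pid_t child;
			if (find_child(pid, &child) == 0) {
				pid = child;
			}
		}
		free(comm);
	}

	// check privileges for non-root users
	uid_t uid = getuid();
	if (uid != 0) {
		struct stat s;
		char *dir;
		// pid_t is signed: format it with %d, like the filter path below
		if (asprintf(&dir, "/proc/%d/ns", pid) == -1)
			errExit("asprintf");
		// checked before free() so errno is still intact for errExit()
		if (stat(dir, &s) < 0)
			errExit("stat");
		free(dir); // the path string was never released before
		// NOTE(review): ownership of the /proc entry is used as a proxy for
		// the sandbox owner - confirm this holds for every way pid can be chosen
		if (s.st_uid != uid) {
			printf("Error: permission denied.\n");
			exit(1);
		}
	}

	// find the seccomp filter
	char *fname;
	if (asprintf(&fname, "/proc/%d/root/tmp/firejail/mnt/seccomp", pid) == -1)
		errExit("asprintf");
	struct stat s;
	if (stat(fname, &s) == -1) {
		printf("Cannot access seccomp filter.\n");
		exit(1);
	}

	// read and print the filter
	// NOTE(review): the path resolves through the target process's root and is
	// read before drop_privs(1) runs; if the process still holds elevated
	// privileges here, the file is sandbox-controlled input - confirm that
	// read_seccomp_file() validates it and tolerates a change after stat()
	read_seccomp_file(fname);
	drop_privs(1);
	filter_debug();

	free(fname);
	exit(0);
}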
// Print the seccomp filter of the sandbox that pid belongs to, then exit.
//
// A pid whose comm is "firejail" is replaced by the pid find_child() reports
// for it. A non-root caller is rejected unless pid_get_uid(pid) equals the
// caller's real uid. The function does not return: exit(0) after printing,
// exit(1) on a denied request or a filter file that cannot be stat'ed.
void seccomp_print_filter(pid_t pid) {
	EUID_ASSERT();

	// a process named "firejail" stands for its first child
	char *name = pid_proc_comm(pid);
	if (name) {
		// cut the string at the newline, if there is one
		char *nl = strchr(name, '\n');
		if (nl)
			*nl = '\0';

		pid_t first_child;
		if (strcmp(name, "firejail") == 0 && find_child(pid, &first_child) == 0)
			pid = first_child;

		free(name);
	}

	// root may inspect any sandbox; everyone else only their own
	// NOTE(review): what pid_get_uid() returns when the lookup fails is not
	// visible here - confirm a failure value can never equal a real caller uid
	uid_t caller = getuid();
	if (caller != 0 && caller != pid_get_uid(pid)) {
		fprintf(stderr, "Error: permission denied.\n");
		exit(1);
	}

	// locate the filter file inside the target's root
	EUID_ROOT();
	char *filter_path;
	if (asprintf(&filter_path, "/proc/%d/root%s", pid, RUN_SECCOMP_CFG) == -1)
		errExit("asprintf");

	struct stat st;
	if (stat(filter_path, &st) == -1) {
		printf("Cannot access seccomp filter.\n");
		exit(1);
	}

	// load the filter, give up privileges, then print it
	// NOTE(review): the file lives under the target's root and is read after
	// EUID_ROOT() and before drop_privs(1), i.e. presumably with root
	// privileges - confirm read_seccomp_file() treats it as untrusted input
	read_seccomp_file(filter_path);
	drop_privs(1);
	filter_debug();

	free(filter_path);
	exit(0);
}
// Print the seccomp filter of the sandbox that pid belongs to, then exit.
//
// A pid whose comm is "firejail" is replaced by the pid find_child() reports
// for it. A non-root caller is rejected unless pid_get_uid(pid) equals the
// caller's real uid. Errors are reported through exechelp_logerrv(). The
// function does not return: exit(0) after printing, exit(1) on a denied
// request or a filter file that cannot be stat'ed.
void seccomp_print_filter(pid_t pid) {
	// a process named "firejail" stands for its first child
	char *name = pid_proc_comm(pid);
	if (name) {
		// cut the string at the newline, if there is one
		char *nl = strchr(name, '\n');
		if (nl)
			*nl = '\0';

		pid_t first_child;
		if (strcmp(name, "firejail") == 0 && find_child(pid, &first_child) == 0)
			pid = first_child;

		free(name);
	}

	// root may inspect any sandbox; everyone else only their own
	// NOTE(review): what pid_get_uid() returns when the lookup fails is not
	// visible here - confirm a failure value can never equal a real caller uid
	uid_t caller = getuid();
	if (caller != 0 && caller != pid_get_uid(pid)) {
		exechelp_logerrv("firejail", FIREJAIL_ERROR, "Error: permission denied to print seccomp filters (sandbox belongs to a different user).\n");
		exit(1);
	}

	// locate the filter file inside the target's root
	char *filter_path;
	if (asprintf(&filter_path, "/proc/%d/root/tmp/firejail/mnt/seccomp", pid) == -1)
		errExit("asprintf");

	struct stat st;
	if (stat(filter_path, &st) == -1) {
		exechelp_logerrv("firejail", FIREJAIL_ERROR, "Error: Cannot access seccomp filter.\n");
		exit(1);
	}

	// load the filter, give up privileges, then print it
	// NOTE(review): the file lives under the target's root and is read before
	// drop_privs(1); if elevated privileges are still held at this point the
	// file is sandbox-controlled input - confirm read_seccomp_file() validates it
	read_seccomp_file(filter_path);
	drop_privs(1);
	filter_debug();

	exit(0);
}
// Load the stored seccomp filter and install it for the calling process.
//
// The program handed to the kernel is built from sfilter / sfilter_index.
// On failure a warning is logged and the function returns without a filter
// report to the caller (void return), so the caller cannot tell whether the
// filter is active.
void seccomp_set(void) {
	// load the filter; the NULL argument presumably selects the default
	// location (/tmp/firejail/mnt/seccomp per the original comment) - verify
	read_seccomp_file(NULL);

	struct sock_fprog prog = {
		.len = sfilter_index,
		.filter = sfilter,
	};

	// install the filter first, then request no_new_privs (same order and
	// short-circuit as before: the second call only runs if the first succeeds)
	// NOTE(review): without no_new_privs already set, the kernel accepts a
	// filter only from a caller with CAP_SYS_ADMIN, so this order depends on
	// the privileges held here. If only the second prctl() fails, the message
	// below says seccomp is disabled although the filter is already installed.
	int failed = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0;
	if (!failed)
		failed = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0;

	if (failed) {
		exechelp_logerrv("firejail", FIREJAIL_WARNING, "Error: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
		return;
	}

	if (arg_debug)
		printf("seccomp enabled\n");
}
// Load the seccomp filter from RUN_SECCOMP_CFG and install it for the
// calling process.
//
// The program handed to the kernel is built from sfilter / sfilter_index.
// On failure a warning goes to stderr and the function returns; the void
// return gives the caller no way to tell whether the filter is active.
void seccomp_set(void) {
	// load the filter from the configured file
	read_seccomp_file(RUN_SECCOMP_CFG);

	struct sock_fprog prog = {
		.len = sfilter_index,
		.filter = sfilter,
	};

	// install the filter first, then request no_new_privs (same order and
	// short-circuit as before: the second call only runs if the first succeeds)
	// NOTE(review): without no_new_privs already set, the kernel accepts a
	// filter only from a caller with CAP_SYS_ADMIN, so this order depends on
	// the privileges held here. If only the second prctl() fails, the message
	// below says seccomp is disabled although the filter is already installed.
	int failed = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0;
	if (!failed)
		failed = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0;

	if (failed) {
		fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n");
		return;
	}

	if (arg_debug)
		printf("seccomp enabled\n");
}