Commit 820de682 authored by netblue30's avatar netblue30

added --env option

parent ef1d3bdf
......@@ -3,13 +3,14 @@ firejail (0.9.29) baseline; urgency=low
disable-history.inc included in all default profiles
* Firefox PDF.js exploit (CVE-2015-4495) fixes
* added --private-etc option
* added --env option
* support ${HOME} token in include directive in profile files
* --private.keep is transitioned to --private-home
* support ~ and blanks in blacklist option
* support "net none" command in profile files
* added "net none" to Evince PDF viewer
* bugfixes
-- netblue30 <netblue30@yahoo.com> Sat, 22 Aug 2015 20:25:00 -0500
-- netblue30 <netblue30@yahoo.com> Mon, 24 Aug 2015 20:25:00 -0500
firejail (0.9.28) baseline; urgency=low
* network scanning, --scan option
......
/*
* Copyright (C) 2014, 2015 Firejail Authors
*
* This file is part of firejail project
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#include "firejail.h"
typedef struct env_t {
struct env_t *next;
char *name;
char *value;
} Env;
static Env *envlist = NULL;
static void env_add(Env *env) {
env->next = envlist;
envlist = env;
}
// parse and store the environment setting
void env_store(const char *str) {
assert(str);
// some basic checking
if (*str == '\0')
goto errexit;
char *ptr = strchr(str, '=');
if (!ptr)
goto errexit;
ptr++;
if (*ptr == '\0')
goto errexit;
// build list entry
Env *env = malloc(sizeof(Env));
if (!env)
errExit("malloc");
memset(env, 0, sizeof(Env));
env->name = strdup(str);
if (env->name == NULL)
errExit("strdup");
char *ptr2 = strchr(env->name, '=');
assert(ptr2);
*ptr2 = '\0';
env->value = ptr2 + 1;
// add entry to the list
env_add(env);
return;
errexit:
fprintf(stderr, "Error: invalid --env setting\n");
exit(1);
}
// set env variables in the new sandbox process
void env_apply(void) {
Env *env = envlist;
while (env) {
setenv(env->name, env->value, 1);
env = env->next;
}
}
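Review bot: env_store() rejects an empty string, a missing `=` and an empty value, but not an empty name. For `--env==value` the `strchr` result equals `str`, so the entry is stored with `name` set to an empty string, and the `setenv()` call in env_apply() then fails unnoticed because its return value is ignored. Adding `if (ptr == str) goto errexit;` after the `!ptr` check, and `if (setenv(env->name, env->value, 1) < 0) errExit("setenv");` in the loop, would match how sandbox.c checks its own `setenv()` call in this commit. The name is otherwise unrestricted, so loader variables such as the `LD_LIBRARY_PATH` from the man-page example are accepted from both the command line and profile files; a one-line comment on env_store() saying this is intended would help later reviewers.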
......@@ -363,5 +363,9 @@ void fs_private_etc_list(void);
int check_kernel_procs(void);
void run_no_sandbox(int argc, char **argv);
// env.c
void env_store(const char *str);
void env_apply(void);
#endif
......@@ -764,6 +764,8 @@ int main(int argc, char **argv) {
else if (strcmp(argv[i], "--noroot") == 0) {
check_user_namespace();
}
else if (strncmp(argv[i], "--env=", 6) == 0)
env_store(argv[i] + 6);
//*************************************
// network
......
/*
* Copyright (C) 2014, 2015 Firejail Authors
*
* This file is part of firejail project
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#include "firejail.h"
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <grp.h>
// check process space for kernel processes
// return 1 if found, 0 if not found
......@@ -112,7 +132,8 @@ void run_no_sandbox(int argc, char **argv) {
// start the program in /bin/sh
fprintf(stderr, "Warning: an existing sandbox was detected. "
"%s will run without any additional sandboxing features in a /bin/sh shell\n", command);
system(command);
rv = system(command);
(void) rv;
if (allocated)
free(command);
exit(1);
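Review bot: Assigning the result of `system(command)` to `rv` and then discarding it with `(void) rv;` only silences the unused-result warning. A failure to start the shell is still invisible, and the function ends in `exit(1)` whatever the command returned. Consider `if (rv == -1) errExit("system");` in place of `(void) rv;`. Because `system()` hands `command` to /bin/sh, a comment stating where privileges are dropped before this call would also help; that code and the construction of `command` are outside the hunk.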
......
......@@ -137,6 +137,11 @@ int profile_check_line(char *ptr, int lineno) {
return 0;
}
if (strncmp(ptr, "env ", 4) == 0) {
env_store(ptr + 4);
return 0;
}
// seccomp drop list on top of default list
if (strncmp(ptr, "seccomp ", 8) == 0) {
arg_seccomp = 1;
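Review bot: The text after `env ` is passed to env_store() unchanged, and env_store() as added in this commit keeps everything after the first `=` as the value. Unless the profile reader strips quotes before this point (not visible here), the documented line `env CFLAGS="-W -Wall -Werror"` would set a value that still contains the double-quote characters. Either strip one pair of surrounding quotes before the call or state in the man page that the value is taken literally. A malformed profile line also exits with `Error: invalid --env setting`, which names the command-line option and omits `lineno` although it is in scope here. profile_check_line starts and ends outside the hunk.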
......
......@@ -359,7 +359,8 @@ int sandbox(void* sandbox_arg) {
//export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] '
if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0)
errExit("setenv");
// set user-supplied environment variables
env_apply();
// set capabilities
if (!arg_noroot)
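Review bot: `env_apply();` runs before the `// set capabilities` step, so the user-supplied variables are already in the environment for everything sandbox() still does afterwards. That remaining code is outside the hunk, so whether any later step starts a helper with more privilege than the sandboxed program cannot be checked from here. If the variables are meant only for the sandboxed program, calling `env_apply();` immediately before the program is started would keep names like `LD_LIBRARY_PATH` (the documented example) away from intermediate steps. Because it follows the `PROMPT_COMMAND` setenv and uses overwrite, `--env` can also replace that prompt setting; the comment could say whether that is intended.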
......
......@@ -78,6 +78,9 @@ void usage(void) {
printf("\t\tby name.\n\n");
printf("\t--dns.print=pid - print DNS configuration of the sandbox identified.\n");
printf("\t\tby PID.\n\n");
printf("\t--env=name=value - set environment variable in the new sandbox\n");
printf("\t--help, -? - this help screen.\n\n");
printf("\t--ip=address - set interface IP address.\n\n");
printf("\t--ip=none - no IP address and no default gateway address are configured\n");
......@@ -275,7 +278,7 @@ void usage(void) {
printf("\tPrcs - number of processes running in sandbox, including the controlling\n");
printf("\t process.\n");
printf("\tRES - Resident Memory Size (KiB), sandbox non-swapped physical memory.\n");
printf("\t It is a sum of the RES values for all processes running in the\n");
printf("\t It is a sum of the RES valprivate-etcues for all processes running in the\n");
printf("\t sandbox.\n");
printf("\tSHR - Shared Memory Size (KiB), it reflects memory shared with other\n");
printf("\t processes. It is a sum of the SHR values for all processes running\n");
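Review bot: The second copy of the RES help line, which appears to be the new side of this hunk, reads `RES valprivate-etcues`; the text `private-etc` looks like a stray paste into the string literal and would be printed by `--help`. Restore the word to `values` so the line matches the first copy. In the earlier hunk of this file the new `--env=name=value` line ends in a single `\n` where the neighbouring option lines end in `\n\n`, so the help output may lose the blank separator there. usage() starts and ends outside both hunks.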
......
......@@ -159,7 +159,7 @@ int rtnl_send_check(struct rtnl_handle *rth, const void *buf, int len)
return -1;
}
for (h = (struct nlmsghdr *)resp; NLMSG_OK(h, status);
for (h = (struct nlmsghdr *)resp; NLMSG_OK(h, (unsigned) status);
h = NLMSG_NEXT(h, status)) {
if (h->nlmsg_type == NLMSG_ERROR) {
struct nlmsgerr *err = (struct nlmsgerr*)NLMSG_DATA(h);
......@@ -239,7 +239,7 @@ int rtnl_dump_filter_l(struct rtnl_handle *rth,
struct nlmsghdr *h = (struct nlmsghdr*)buf;
msglen = status;
while (NLMSG_OK(h, msglen)) {
while (NLMSG_OK(h, (unsigned) msglen)) {
int err;
if (nladdr.nl_pid != 0 ||
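Review bot: The `(unsigned)` casts silence the sign-compare warning but also remove the one place where a negative remaining length stopped these loops. `NLMSG_NEXT` subtracts the aligned message length from the signed `status`/`msglen`, and with the cast a negative remainder becomes a very large length, so `NLMSG_OK` can accept a header that lies beyond the received data. Keeping an explicit sign check, `status > 0 && NLMSG_OK(h, (unsigned) status)` in rtnl_send_check and `msglen > 0 && NLMSG_OK(h, (unsigned) msglen)` in rtnl_dump_filter_l, keeps the warning fix without that change in behaviour. Both loops continue outside the visible lines, so how `status` is validated before them is not shown.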
......
......@@ -161,6 +161,18 @@ The sandbox is placed in g1 control group.
.SH User Environment
.TP
env LD_LIBRARY_PATH=/opt/test/lib
Set environment variable.
.br
Examples:
.br
.br
env LD_LIBRARY_PATH=/opt/test/lib
.br
env CFLAGS="-W -Wall -Werror"
.TP
nogroups
Disable supplementary user groups
......
......@@ -298,6 +298,16 @@ $ firejail \-\-list
.br
$ firejail \-\-dns.print=3272
.TP
\fB\-\-env=name=value
Set environment variable in the new sandbox.
.br
.br
Example:
.br
$ firejail \-\-env=LD_LIBRARY_PATH=/opt/test/lib
.TP
\fB\-?\fR, \fB\-\-help\fR
Print options end exit.
......
#!/usr/bin/expect -f
set timeout 10
spawn $env(SHELL)
match_max 100000
#***********************************************
send -- "firejail --env=ENV1=env1 --env=ENV2=env2 --env=ENV3=env3\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
"Child process initialized"
}
sleep 1
send -- "env | grep ENV\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
"ENV1"
}
send -- "env | grep ENV\r"
expect {
timeout {puts "TESTING ERROR 2\n";exit}
"ENV2"
}
send -- "env | grep ENV\r"
expect {
timeout {puts "TESTING ERROR 3\n";exit}
"ENV3"
}
send -- "exit\r"
sleep 1
#***********************************************
send -- "firejail --profile=env.profile\r"
expect {
timeout {puts "TESTING ERROR 4\n";exit}
"Child process initialized"
}
sleep 1
send -- "env | grep LD_LIBRARY_PATH\r"
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"/opt/test/lib"
}
send -- "env | grep CFLAGS\r"
expect {
timeout {puts "TESTING ERROR 6\n";exit}
"Wall"
}
expect {
timeout {puts "TESTING ERROR 7\n";exit}
"Werror"
}
puts "\n"
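Review bot: The three command-line checks match only the variable names (`"ENV1"`, `"ENV2"`, `"ENV3"`), so a regression that set the right name with a wrong or truncated value would still pass. Matching `"ENV1=env1"` and so on would pin the value as well. The profile checks match `"Wall"` and `"Werror"` only, which would not notice quote characters kept in the `CFLAGS` value. The rejected inputs in env_store() (no `=`, empty value) have no test; one case expecting `"Error: invalid --env setting"` would cover that path.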
env LD_LIBRARY_PATH=/opt/test/lib
env CFLAGS="-W -Wall -Werror"
......@@ -14,24 +14,8 @@ sleep 1
send -- "firejail\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
"Child process initialized"
}
sleep 1
send -- "firejail\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
"Child process initialized"
"Warning: an existing sandbox was detected"
}
sleep 1
puts "\n"
send -- "exit\r"
sleep 1
send -- "exit\r"
sleep 1
send -- "exit\r"
sleep 1
puts "\n"
......@@ -4,37 +4,30 @@ set timeout 10
spawn $env(SHELL)
match_max 100000
# dir
#send -- "firejail --net=br0 --private=fscheck-dir\r"
# ..
#send -- "firejail --net=br0 --private=../test/fscheck-dir\r"
#expect {
# timeout {puts "TESTING ERROR 0\n";exit}
# timeout {puts "TESTING ERROR 0.1\n";exit}
# "Error"
#}
#after 100
# ..
send -- "firejail --net=br0 --private=../test/fscheck-dir\r"
expect {
timeout {puts "TESTING ERROR 0.1\n";exit}
"Error"
}
after 100
# dir link
send -- "firejail --net=br0 --private=fscheck-dir-link\r"
expect {
timeout {puts "TESTING ERROR 1\n";exit}
"Error"
}
after 100
#send -- "firejail --net=br0 --private=fscheck-dir-link\r"
#expect {
# timeout {puts "TESTING ERROR 1\n";exit}
# "Error"
#}
#after 100
# ..
send -- "firejail --net=br0 --private=../test/fscheck-dir-link\r"
expect {
timeout {puts "TESTING ERROR 1.1\n";exit}
"Error"
}
after 100
#send -- "firejail --net=br0 --private=../test/fscheck-dir-link\r"
#expect {
# timeout {puts "TESTING ERROR 1.1\n";exit}
# "Error"
#}
#after 100
# file link
send -- "firejail --net=br0 --private=fscheck-file-link\r"
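Review bot: This hunk appears to leave several `--private=` checks for directories and directory links commented out, each of which expects firejail to answer `"Error"`. The commit is about `--env`, and nothing in its message explains why these negative tests are disabled. If they fail for a known reason, a comment above the disabled block naming that reason would keep them from staying off silently; otherwise they should remain active. The rendering does not mark which copy of each block is the new side, so this reading is inferred from the hunk's line counts (37 old, 30 new).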
......
......@@ -4,6 +4,9 @@
./fscheck.sh
echo "TESTING: environment variables"
./env.exp
echo "TESTING: private-etc"
./private-etc.exp
......