some hardening

netblue30 · Jan 17, 2022 · 493a0ef · 493a0ef
1 parent b8d282c
commit 493a0ef
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
@@ -142,7 +142,7 @@ static int check_dir_or_file(const char *fname) {
 static void duplicate(const char *fname, const char *private_dir, const char *private_run_dir) {
  assert(fname);
 
- if (*fname == '~' || *fname == '/' || strncmp(fname, "..", 2) == 0) {
+ if (*fname == '~' || *fname == '/' || strstr(fname, "..")) {
  fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname);
  exit(1);
  }

diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
@@ -23,6 +23,7 @@
 #include <unistd.h>
 #include <net/if.h>
 #include <stdarg.h>
+#include <sys/resource.h>
 #include <sys/wait.h>
 #include "../include/seccomp.h"
 
@@ -77,6 +78,11 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char *
 
  umask(027);
 
+ // https://seclists.org/oss-sec/2021/q4/43
+ struct rlimit tozero = { .rlim_cur = 0, .rlim_max = 0 };
+ if (setrlimit(RLIMIT_CORE, &tozero))
+ errExit("setrlimit");
+
  // apply filters
  if (filtermask & SBOX_CAPS_NONE) {
  caps_drop_all();
@@ -289,7 +295,7 @@ int sbox_run_v(unsigned filtermask, char * const arg[]) {
  if (waitpid(child, &status, 0) == -1 ) {
  errExit("waitpid");
  }
- if (WIFEXITED(status) && WEXITSTATUS(status) != 0) {
+ if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
  fprintf(stderr, "Error: failed to run %s, exiting...\n", arg[0]);
  exit(1);
  }