diff options
| author |  smitsohu <smitsohu@gmail.com> | 2019-09-17 14:38:24 +0200 |
|---|---|---|
| committer | smitsohu <smitsohu@gmail.com> | 2019-09-17 14:38:24 +0200 |
| commit | 528f6a67ea4f5d2796f2e68432e92fc6d8999976 (patch) | |
| tree | 03fe1a90115e4a3d569da39647954f20be52a42b | |
| parent | Add allow-perl.inc to w3m.profile (#2965) (diff) | |
| download | firejail-528f6a67ea4f5d2796f2e68432e92fc6d8999976.tar.gz firejail-528f6a67ea4f5d2796f2e68432e92fc6d8999976.tar.zst firejail-528f6a67ea4f5d2796f2e68432e92fc6d8999976.zip | |
move to fd based trace file mount
| -rw-r--r-- | src/firejail/fs_trace.c | 33 |
1 files changed, 25 insertions, 8 deletions
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index 2a7c83049..9ade0bdc3 100644 --- a/src/firejail/fs_trace.c +++ b/src/firejail/fs_trace.c | |||
| @@ -46,21 +46,38 @@ void fs_trace_preload(void) { | |||
| 46 | printf("Creating an empty trace log file: %s\n", arg_tracefile); | 46 | printf("Creating an empty trace log file: %s\n", arg_tracefile); |
| 47 | // create a bind mounted trace logfile that the sandbox can see | 47 | // create a bind mounted trace logfile that the sandbox can see |
| 48 | EUID_USER(); | 48 | EUID_USER(); |
| 49 | FILE *fp = fopen(arg_tracefile, "w"); | 49 | int fd = open(arg_tracefile, O_CREAT|O_RDWR, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); |
| 50 | if (!fp) | 50 | if (fd == -1) { |
| 51 | errExit("fopen"); | 51 | perror("open"); |
| 52 | SET_PERMS_STREAM(fp, firejail_uid, firejail_gid, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); | 52 | fprintf(stderr, "Error: cannot open trace log file %s\n", arg_tracefile); |
| 53 | fclose(fp); | 53 | exit(1); |
| 54 | } | ||
| 55 | if (fstat(fd, &s) == -1) | ||
| 56 | errExit("fstat"); | ||
| 57 | if (!S_ISREG(s.st_mode)) { | ||
| 58 | fprintf(stderr, "Error: cannot write trace log: %s is no regular file\n", arg_tracefile); | ||
| 59 | exit(1); | ||
| 60 | } | ||
| 61 | if (ftruncate(fd, 0) == -1) | ||
| 62 | errExit("ftruncate"); | ||
| 54 | EUID_ROOT(); | 63 | EUID_ROOT(); |
| 55 | fp = fopen(RUN_TRACE_FILE, "w"); | 64 | FILE *fp = fopen(RUN_TRACE_FILE, "w"); |
| 56 | if (!fp) | 65 | if (!fp) |
| 57 | errExit("fopen " RUN_TRACE_FILE); | 66 | errExit("fopen " RUN_TRACE_FILE); |
| 58 | fclose(fp); | 67 | fclose(fp); |
| 59 | fs_logger2("touch ", arg_tracefile); | 68 | fs_logger2("touch ", arg_tracefile); |
| 60 | if (mount(arg_tracefile, RUN_TRACE_FILE, NULL, MS_BIND|MS_REC, NULL) < 0) | 69 | // mount using the symbolic link in /proc/self/fd |
| 61 | errExit("mount bind " RUN_TRACE_FILE); | ||
| 62 | if (arg_debug) | 70 | if (arg_debug) |
| 63 | printf("Bind mount %s to %s\n", arg_tracefile, RUN_TRACE_FILE); | 71 | printf("Bind mount %s to %s\n", arg_tracefile, RUN_TRACE_FILE); |
| 72 | char *proc; | ||
| 73 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | ||
| 74 | errExit("asprintf"); | ||
| 75 | if (mount(proc, RUN_TRACE_FILE, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
| 76 | errExit("mount bind " RUN_TRACE_FILE); | ||
| 77 | free(proc); | ||
| 78 | close(fd); | ||
| 79 | // now that RUN_TRACE_FILE is user-writable, mount it noexec | ||
| 80 | fs_remount(RUN_TRACE_FILE, MOUNT_NOEXEC, 0); | ||
| 64 | } | 81 | } |
| 65 | } | 82 | } |
| 66 | 83 | ||