cleanup

author: netblue30 <netblue30@yahoo.com> 2017-01-12 20:10:17 -0500
committer: netblue30 <netblue30@yahoo.com> 2017-01-12 20:10:17 -0500
commit: 5440bc47971bfbe0db570283973bafb0b2486e69 (patch)
tree: 54e9b95e20e40c64b82768d05439be58447b85bf
parent: Gentoo compile fix (diff)
download: firejail-5440bc47971bfbe0db570283973bafb0b2486e69.tar.gz
firejail-5440bc47971bfbe0db570283973bafb0b2486e69.tar.zst
firejail-5440bc47971bfbe0db570283973bafb0b2486e69.zip
3 files changed, 37 insertions, 30 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index d7764accd..0da4cc111 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -711,10 +711,36 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
        // create ~/.firejail directory
        if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
                errExit("asprintf");
+                
+        if (is_link(dirname)) {
+                fprintf(stderr, "Error: invalid ~/.firejail directory\n");
+                exit(1);
+        }
        if (stat(dirname, &s) == -1) {
-                mkdir_attr(dirname, 0700, 0, 0);
+                // create directory
+                pid_t child = fork();
+                if (child < 0)
+                        errExit("fork");
+                if (child == 0) {
+                        // drop privileges
+                        drop_privs(0);
+        
+                        // create directory
+                        if (mkdir(dirname, 0700))
+                                errExit("mkdir");
+                        if (chmod(dirname, 0700) == -1)
+                                errExit("chmod");
+                        ASSERT_PERMS(dirname, getuid(), getgid(), 0700);
+                        _exit(0);
+                }
+                // wait for the child to finish
+                waitpid(child, NULL, 0);
+                if (stat(dirname, &s) == -1) {
+                        fprintf(stderr, "Error: cannot create ~/.firejail directory\n");
+                        exit(1);
+                }
        }
-        else if (is_link(dirname)) {
+        else if (s.st_uid != getuid()) {
                fprintf(stderr, "Error: invalid ~/.firejail directory\n");
                exit(1);
        }
@@ -1141,10 +1167,16 @@ void fs_chroot(const char *rootdir) {
                        free(newx11);
                }
                
+                // some older distros don't have a /run directory
+                // create one by default
                // create /run/firejail directory in chroot
                char *rundir;
                if (asprintf(&rundir, "%s/run", rootdir) == -1)
                        errExit("asprintf");
+                if (is_link(rundir)) {
+                        fprintf(stderr, "Error: invalid run directory inside chroot\n");
+                        exit(1);
+                }
                create_empty_dir_as_root(rundir, 0755);
                free(rundir);
                if (asprintf(&rundir, "%s/run/firejail", rootdir) == -1)
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c
index 5b6ceae90..d29f58a58 100644
--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -112,33 +112,8 @@ void fs_mkfile(const char *name) {
        }
        // create file
-        pid_t child = fork();
+        touch_file_as_user(expanded, getuid(), getgid(), 0600);
-        if (child < 0)
+        
-                errExit("fork");
-        if (child == 0) {
-                // drop privileges
-                drop_privs(0);
-                /* coverity[toctou] */
-                FILE *fp = fopen(expanded, "w");
-                if (!fp)
-                        fprintf(stderr, "Warning: cannot create %s file\n", expanded);
-                else {
-                        int fd = fileno(fp);
-                        if (fd == -1)
-                                errExit("fileno");
-                        int rv = fchmod(fd, 0600);
-                        (void) rv;
-                        fclose(fp);
-                }
-#ifdef HAVE_GCOV
-                __gcov_flush();
-#endif
-                _exit(0);
-        }
-        // wait for the child to finish
-        waitpid(child, NULL, 0);
 doexit:
        free(expanded);
 }
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 763e6b58b..10000e912 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -231,7 +231,7 @@ void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid
                // copy, set permissions and ownership
                int rv = copy_file(srcname, destname, uid, gid, mode); // already a regular user
                if (rv)
-                        fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
+                        fprintf(stderr, "Warning: cannot copy %s\n", srcname);
 #ifdef HAVE_GCOV
                __gcov_flush();
 #endif
author	netblue30 <netblue30@yahoo.com>	2017-01-12 20:10:17 -0500
committer	netblue30 <netblue30@yahoo.com>	2017-01-12 20:10:17 -0500
commit	5440bc47971bfbe0db570283973bafb0b2486e69 (patch)
tree	54e9b95e20e40c64b82768d05439be58447b85bf
parent	Gentoo compile fix (diff)
download	firejail-5440bc47971bfbe0db570283973bafb0b2486e69.tar.gz firejail-5440bc47971bfbe0db570283973bafb0b2486e69.tar.zst firejail-5440bc47971bfbe0db570283973bafb0b2486e69.zip

diff --git a/src/firejail/fs.c b/src/firejail/fs.c index d7764accd..0da4cc111 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -711,10 +711,36 @@ char fs_check_overlay_dir(const char subdirname, int allow_reuse) {
711	// create ~/.firejail directory	711	// create ~/.firejail directory
712	if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)	712	if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
713	errExit("asprintf");	713	errExit("asprintf");
		714
		715	if (is_link(dirname)) {
		716	fprintf(stderr, "Error: invalid ~/.firejail directory\n");
		717	exit(1);
		718	}
714	if (stat(dirname, &s) == -1) {	719	if (stat(dirname, &s) == -1) {
715	mkdir_attr(dirname, 0700, 0, 0);	720	// create directory
		721	pid_t child = fork();
		722	if (child < 0)
		723	errExit("fork");
		724	if (child == 0) {
		725	// drop privileges
		726	drop_privs(0);
		727
		728	// create directory
		729	if (mkdir(dirname, 0700))
		730	errExit("mkdir");
		731	if (chmod(dirname, 0700) == -1)
		732	errExit("chmod");
		733	ASSERT_PERMS(dirname, getuid(), getgid(), 0700);
		734	_exit(0);
		735	}
		736	// wait for the child to finish
		737	waitpid(child, NULL, 0);
		738	if (stat(dirname, &s) == -1) {
		739	fprintf(stderr, "Error: cannot create ~/.firejail directory\n");
		740	exit(1);
		741	}
716	}	742	}
717	else if (is_link(dirname)) {	743	else if (s.st_uid != getuid()) {
718	fprintf(stderr, "Error: invalid ~/.firejail directory\n");	744	fprintf(stderr, "Error: invalid ~/.firejail directory\n");
719	exit(1);	745	exit(1);
720	}	746	}
@@ -1141,10 +1167,16 @@ void fs_chroot(const char *rootdir) {
1141	free(newx11);	1167	free(newx11);
1142	}	1168	}
1143		1169
		1170	// some older distros don't have a /run directory
		1171	// create one by default
1144	// create /run/firejail directory in chroot	1172	// create /run/firejail directory in chroot
1145	char *rundir;	1173	char *rundir;
1146	if (asprintf(&rundir, "%s/run", rootdir) == -1)	1174	if (asprintf(&rundir, "%s/run", rootdir) == -1)
1147	errExit("asprintf");	1175	errExit("asprintf");
		1176	if (is_link(rundir)) {
		1177	fprintf(stderr, "Error: invalid run directory inside chroot\n");
		1178	exit(1);
		1179	}
1148	create_empty_dir_as_root(rundir, 0755);	1180	create_empty_dir_as_root(rundir, 0755);
1149	free(rundir);	1181	free(rundir);
1150	if (asprintf(&rundir, "%s/run/firejail", rootdir) == -1)	1182	if (asprintf(&rundir, "%s/run/firejail", rootdir) == -1)


diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c index 5b6ceae90..d29f58a58 100644 --- a/src/firejail/fs_mkdir.c +++ b/src/firejail/fs_mkdir.c
@@ -112,33 +112,8 @@ void fs_mkfile(const char *name) {
112	}	112	}
113		113
114	// create file	114	// create file
115	pid_t child = fork();	115	touch_file_as_user(expanded, getuid(), getgid(), 0600);
116	if (child < 0)	116
117	errExit("fork");
118	if (child == 0) {
119	// drop privileges
120	drop_privs(0);
121
122	/* coverity[toctou] */
123	FILE *fp = fopen(expanded, "w");
124	if (!fp)
125	fprintf(stderr, "Warning: cannot create %s file\n", expanded);
126	else {
127	int fd = fileno(fp);
128	if (fd == -1)
129	errExit("fileno");
130	int rv = fchmod(fd, 0600);
131	(void) rv;
132	fclose(fp);
133	}
134	#ifdef HAVE_GCOV
135	__gcov_flush();
136	#endif
137	_exit(0);
138	}
139	// wait for the child to finish
140	waitpid(child, NULL, 0);
141
142	doexit:	117	doexit:
143	free(expanded);	118	free(expanded);
144	}	119	}


diff --git a/src/firejail/util.c b/src/firejail/util.c index 763e6b58b..10000e912 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c
@@ -231,7 +231,7 @@ void copy_file_as_user(const char srcname, const char destname, uid_t uid, gid
231	// copy, set permissions and ownership	231	// copy, set permissions and ownership
232	int rv = copy_file(srcname, destname, uid, gid, mode); // already a regular user	232	int rv = copy_file(srcname, destname, uid, gid, mode); // already a regular user
233	if (rv)	233	if (rv)
234	fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");	234	fprintf(stderr, "Warning: cannot copy %s\n", srcname);
235	#ifdef HAVE_GCOV	235	#ifdef HAVE_GCOV
236	__gcov_flush();	236	__gcov_flush();
237	#endif	237	#endif