authorLibravatar smitsohu <smitsohu@gmail.com>2020-08-27 22:40:56 +0200
committerLibravatar smitsohu <smitsohu@gmail.com>2020-08-27 22:40:56 +0200
commit67998ba685f1a715c6b386314793793da840326b (patch)
tree4355f149ec5f3ecac4adc71ad3b5d9496da6e188
parentmask writable pulseaudio runtime dir (diff)
chroot: little tweaks
-rw-r--r--src/firejail/chroot.c15
1 files changed, 8 insertions, 7 deletions
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c
index 5fc6c8298..26a91faba 100644
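--- a/src/firejail/chroot.c
+++ b/src/firejail/chroot.c
@@ -26,7 +26,7 @@
 
 #include <fcntl.h>
 #ifndef O_PATH
-# define O_PATH 010000000
+#define O_PATH 010000000
 #endif
 
 
@@ -35,13 +35,12 @@ void fs_check_chroot_dir(void) {
  EUID_ASSERT();
  assert(cfg.chrootdir);
  if (strstr(cfg.chrootdir, "..") ||
- is_link(cfg.chrootdir) ||
- !is_dir(cfg.chrootdir))
+ is_link(cfg.chrootdir))
  goto errout;
 
  // check chroot dirname exists, chrooting into the root directory is not allowed
  char *rpath = realpath(cfg.chrootdir, NULL);
- if (rpath == NULL || strcmp(rpath, "/") == 0)
+ if (rpath == NULL || !is_dir(rpath) || strcmp(rpath, "/") == 0)
  goto errout;
 
  char *overlay;
@@ -52,6 +51,7 @@ void fs_check_chroot_dir(void) {
  exit(1);
  }
  free(overlay);
+
  cfg.chrootdir = rpath;
  return;
 
@@ -146,6 +146,7 @@ void fs_chroot(const char *rootdir) {
  check_subdir(parentfd, "etc", 1);
  check_subdir(parentfd, "proc", 0);
  check_subdir(parentfd, "tmp", 0);
+ check_subdir(parentfd, "var", 1);
  check_subdir(parentfd, "var/tmp", 0);
 
  // mount-bind a /dev in rootdir
@@ -244,15 +245,15 @@ void fs_chroot(const char *rootdir) {
  if (chroot(oroot) < 0)
  errExit("chroot");
 
- // create all other /run/firejail files and directories
- preproc_build_firejail_dir();
-
  // mount a new proc filesystem
  if (arg_debug)
  printf("Mounting /proc filesystem representing the PID namespace\n");
  if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
  errExit("mounting /proc");
 
+ // create all other /run/firejail files and directories
+ preproc_build_firejail_dir();
+
  // update /var directory in order to support multiple sandboxes running on the same root directory
  // if (!arg_private_dev)
  // fs_dev_shm();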
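Review bot: In the `@@ -35,13 +35,12 @@` hunk of fs_check_chroot_dir, `is_link()` still inspects the user-supplied `cfg.chrootdir` while `is_dir()` now inspects the `realpath()` result, and each is a separate path lookup, so the directory they examined is not guaranteed to be the one entered later. The `check_subdir(parentfd, ...)` calls in fs_chroot suggest that the binding validation is descriptor-based there; if so, say it at this spot with a comment such as `// early sanity checks only; fs_chroot() re-validates the tree through parentfd`. Whether fs_chroot also re-checks the top-level directory itself is not visible in these hunks; if it does not, opening rootdir with `O_PATH|O_DIRECTORY|O_NOFOLLOW` and checking it with `fstat()` would be safer than relying on these name-based tests. Both functions start and end outside the hunks shown.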