fix empty spaces in mountinfo fields

author: smitsohu <smitsohu@gmail.com> 2018-07-13 18:17:32 +0200
committer: smitsohu <smitsohu@gmail.com> 2018-07-13 18:17:32 +0200
commit: 949b924fba58dc05f1c21d6621f05047be5397f0 (patch)
tree: 24783130bedb3061812dc9daa06238f0fcc06be9
parent: Blacklist all .snapshots directories in AppArmor profile (diff)
download: firejail-949b924fba58dc05f1c21d6621f05047be5397f0.tar.gz
firejail-949b924fba58dc05f1c21d6621f05047be5397f0.tar.zst
firejail-949b924fba58dc05f1c21d6621f05047be5397f0.zip
2 files changed, 40 insertions, 2 deletions
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 24c83adee..e177c3ec0 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -358,8 +358,8 @@ static void whitelist_path(ProfileEntry *entry) {
        // check the last mount operation
        MountData *mptr = get_last_mount(); // will do exit(1) if the mount cannot be found
-        //if (strncmp(mptr->dir, path, strlen(path)) != 0) - temporarily disabled, problems with paths that have empty spaces
+        if (strncmp(mptr->dir, path, strlen(path)) != 0)
-        //      errLogExit("invalid whitelist mount");
+                errLogExit("invalid whitelist mount");
        // No mounts are allowed on top level directories. A destination such as "/etc" is very bad!
        //  - there should be more than one '/' char in dest string
        if (mptr->dir == strrchr(mptr->dir, '/'))
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 1d36980bb..54e59d7d2 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1045,6 +1045,40 @@ void disable_file_path(const char *path, const char *file) {
        free(fname);
 }
+// Restore empty spaces in pathnames extracted from /proc/self/mountinfo
+static void unmangle_path(char *path) {
+        int i, decimal;
+        char *worker;
+        char *p = strchr(path, '\\');
+        while (p) {
+                // convert octal to decimal
+                decimal = 0;
+                for (i = 1; i < 4; i++) {
+                        worker = p + i;
+                        // there are always three octal digits
+                        if (*worker < '0' || *worker > '7') {
+                                fprintf(stderr, "Error: bad escape sequence\n");
+                                exit(1);
+                        }
+                        decimal += *worker - '0';
+                        if (i < 3)
+                                decimal *= 8;
+                }
+                // do the replacement
+                if (decimal == ' ') {
+                        *p = ' ';
+                        worker = p;
+                        do {
+                        worker++;
+                        *worker = *(worker + 3);
+                        } while (*worker);
+                }
+                p = strchr(p + 1, '\\');
+        }
+}
 #define MAX_BUF 4096
 static char mbuf[MAX_BUF];
 static MountData mdata;
@@ -1103,6 +1137,10 @@ MountData *get_last_mount(void) {
            mdata.dir == NULL ||
            mdata.fstype == NULL)
                goto errexit;
+        unmangle_path(mdata.fsname);
+        unmangle_path(mdata.dir);
        if (arg_debug)
                printf("fsname=%s dir=%s fstype=%s\n", mdata.fsname, mdata.dir, mdata.fstype);
        return &mdata;
author	smitsohu <smitsohu@gmail.com>	2018-07-13 18:17:32 +0200
committer	smitsohu <smitsohu@gmail.com>	2018-07-13 18:17:32 +0200
commit	949b924fba58dc05f1c21d6621f05047be5397f0 (patch)
tree	24783130bedb3061812dc9daa06238f0fcc06be9
parent	Blacklist all .snapshots directories in AppArmor profile (diff)
download	firejail-949b924fba58dc05f1c21d6621f05047be5397f0.tar.gz firejail-949b924fba58dc05f1c21d6621f05047be5397f0.tar.zst firejail-949b924fba58dc05f1c21d6621f05047be5397f0.zip

diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 24c83adee..e177c3ec0 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c
@@ -358,8 +358,8 @@ static void whitelist_path(ProfileEntry *entry) {
358	// check the last mount operation	358	// check the last mount operation
359	MountData *mptr = get_last_mount(); // will do exit(1) if the mount cannot be found	359	MountData *mptr = get_last_mount(); // will do exit(1) if the mount cannot be found
360		360
361	//if (strncmp(mptr->dir, path, strlen(path)) != 0) - temporarily disabled, problems with paths that have empty spaces	361	if (strncmp(mptr->dir, path, strlen(path)) != 0)
362	// errLogExit("invalid whitelist mount");	362	errLogExit("invalid whitelist mount");
363	// No mounts are allowed on top level directories. A destination such as "/etc" is very bad!	363	// No mounts are allowed on top level directories. A destination such as "/etc" is very bad!
364	// - there should be more than one '/' char in dest string	364	// - there should be more than one '/' char in dest string
365	if (mptr->dir == strrchr(mptr->dir, '/'))	365	if (mptr->dir == strrchr(mptr->dir, '/'))


diff --git a/src/firejail/util.c b/src/firejail/util.c index 1d36980bb..54e59d7d2 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c
@@ -1045,6 +1045,40 @@ void disable_file_path(const char path, const char file) {
1045	free(fname);	1045	free(fname);
1046	}	1046	}
1047		1047
		1048	// Restore empty spaces in pathnames extracted from /proc/self/mountinfo
		1049	static void unmangle_path(char *path) {
		1050	int i, decimal;
		1051	char *worker;
		1052
		1053	char *p = strchr(path, '\\');
		1054	while (p) {
		1055	// convert octal to decimal
		1056	decimal = 0;
		1057	for (i = 1; i < 4; i++) {
		1058	worker = p + i;
		1059	// there are always three octal digits
		1060	if (worker < '0' \|\| worker > '7') {
		1061	fprintf(stderr, "Error: bad escape sequence\n");
		1062	exit(1);
		1063	}
		1064	decimal += *worker - '0';
		1065	if (i < 3)
		1066	decimal *= 8;
		1067	}
		1068	// do the replacement
		1069	if (decimal == ' ') {
		1070	*p = ' ';
		1071	worker = p;
		1072	do {
		1073	worker++;
		1074	worker = (worker + 3);
		1075	} while (*worker);
		1076	}
		1077
		1078	p = strchr(p + 1, '\\');
		1079	}
		1080	}
		1081
1048	#define MAX_BUF 4096	1082	#define MAX_BUF 4096
1049	static char mbuf[MAX_BUF];	1083	static char mbuf[MAX_BUF];
1050	static MountData mdata;	1084	static MountData mdata;
@@ -1103,6 +1137,10 @@ MountData *get_last_mount(void) {
1103	mdata.dir == NULL \|\|	1137	mdata.dir == NULL \|\|
1104	mdata.fstype == NULL)	1138	mdata.fstype == NULL)
1105	goto errexit;	1139	goto errexit;
		1140
		1141	unmangle_path(mdata.fsname);
		1142	unmangle_path(mdata.dir);
		1143
1106	if (arg_debug)	1144	if (arg_debug)
1107	printf("fsname=%s dir=%s fstype=%s\n", mdata.fsname, mdata.dir, mdata.fstype);	1145	printf("fsname=%s dir=%s fstype=%s\n", mdata.fsname, mdata.dir, mdata.fstype);
1108	return &mdata;	1146	return &mdata;