diff options
author | netblue30 <netblue30@yahoo.com> | 2016-05-07 10:05:29 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-05-07 10:05:29 -0400 |
commit | 571e8a53d6f083de8c6c90cdc9e6c48c31bb2702 (patch) | |
tree | 53f63b3f9ec76c2d958246fe8e184b71615604d4 | |
parent | Merge pull request #502 from Fred-Barclay/xapps (diff) | |
download | firejail-571e8a53d6f083de8c6c90cdc9e6c48c31bb2702.tar.gz firejail-571e8a53d6f083de8c6c90cdc9e6c48c31bb2702.tar.zst firejail-571e8a53d6f083de8c6c90cdc9e6c48c31bb2702.zip |
fix private-etc empty list
-rw-r--r-- | src/firejail/fs_etc.c | 60 | ||||
-rw-r--r-- | src/firejail/main.c | 7 | ||||
-rw-r--r-- | src/firejail/profile.c | 7 | ||||
-rwxr-xr-x | test/fs/fs.sh | 3 | ||||
-rwxr-xr-x | test/fs/private-etc-empty.exp | 38 | ||||
-rw-r--r-- | test/fs/private-etc-empty.profile | 1 |
6 files changed, 76 insertions, 40 deletions
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index 1a44b1305..2ff36f5d2 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c | |||
@@ -129,40 +129,44 @@ void fs_private_etc_list(void) { | |||
129 | errExit("chmod"); | 129 | errExit("chmod"); |
130 | fs_logger("tmpfs /etc"); | 130 | fs_logger("tmpfs /etc"); |
131 | 131 | ||
132 | // copy the list of files in the new etc directory | ||
133 | // using a new child process without root privileges | ||
134 | fs_logger_print(); // save the current log | 132 | fs_logger_print(); // save the current log |
135 | pid_t child = fork(); | ||
136 | if (child < 0) | ||
137 | errExit("fork"); | ||
138 | if (child == 0) { | ||
139 | if (arg_debug) | ||
140 | printf("Copying files in the new etc directory:\n"); | ||
141 | 133 | ||
142 | // elevate privileges - files in the new /etc directory belong to root | ||
143 | if (setreuid(0, 0) < 0) | ||
144 | errExit("setreuid"); | ||
145 | if (setregid(0, 0) < 0) | ||
146 | errExit("setregid"); | ||
147 | |||
148 | // copy the list of files in the new home directory | ||
149 | char *dlist = strdup(private_list); | ||
150 | if (!dlist) | ||
151 | errExit("strdup"); | ||
152 | |||
153 | 134 | ||
154 | char *ptr = strtok(dlist, ","); | 135 | // copy the list of files in the new etc directory |
155 | duplicate(ptr); | 136 | // using a new child process without root privileges |
137 | if (*private_list != '\0') { | ||
138 | pid_t child = fork(); | ||
139 | if (child < 0) | ||
140 | errExit("fork"); | ||
141 | if (child == 0) { | ||
142 | if (arg_debug) | ||
143 | printf("Copying files in the new etc directory:\n"); | ||
156 | 144 | ||
157 | while ((ptr = strtok(NULL, ",")) != NULL) | 145 | // elevate privileges - files in the new /etc directory belong to root |
146 | if (setreuid(0, 0) < 0) | ||
147 | errExit("setreuid"); | ||
148 | if (setregid(0, 0) < 0) | ||
149 | errExit("setregid"); | ||
150 | |||
151 | // copy the list of files in the new home directory | ||
152 | char *dlist = strdup(private_list); | ||
153 | if (!dlist) | ||
154 | errExit("strdup"); | ||
155 | |||
156 | |||
157 | char *ptr = strtok(dlist, ","); | ||
158 | duplicate(ptr); | 158 | duplicate(ptr); |
159 | free(dlist); | 159 | |
160 | fs_logger_print(); | 160 | while ((ptr = strtok(NULL, ",")) != NULL) |
161 | exit(0); | 161 | duplicate(ptr); |
162 | free(dlist); | ||
163 | fs_logger_print(); | ||
164 | exit(0); | ||
165 | } | ||
166 | // wait for the child to finish | ||
167 | waitpid(child, NULL, 0); | ||
162 | } | 168 | } |
163 | // wait for the child to finish | 169 | |
164 | waitpid(child, NULL, 0); | ||
165 | |||
166 | if (arg_debug) | 170 | if (arg_debug) |
167 | printf("Mount-bind %s on top of /etc\n", RUN_ETC_DIR); | 171 | printf("Mount-bind %s on top of /etc\n", RUN_ETC_DIR); |
168 | if (mount(RUN_ETC_DIR, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0) | 172 | if (mount(RUN_ETC_DIR, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0) |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 7aa81a9c5..59f500e3a 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1330,12 +1330,7 @@ int main(int argc, char **argv) { | |||
1330 | exit(1); | 1330 | exit(1); |
1331 | } | 1331 | } |
1332 | fs_check_etc_list(); | 1332 | fs_check_etc_list(); |
1333 | if (*cfg.etc_private_keep != '\0') | 1333 | arg_private_etc = 1; |
1334 | arg_private_etc = 1; | ||
1335 | else { | ||
1336 | arg_private_etc = 0; | ||
1337 | fprintf(stderr, "Warning: private-etc disabled, no file found\n"); | ||
1338 | } | ||
1339 | } | 1334 | } |
1340 | else if (strncmp(argv[i], "--private-bin=", 14) == 0) { | 1335 | else if (strncmp(argv[i], "--private-bin=", 14) == 0) { |
1341 | // extract private bin list | 1336 | // extract private bin list |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 2b3984a99..095e5eecc 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -611,12 +611,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
611 | } | 611 | } |
612 | cfg.etc_private_keep = ptr + 12; | 612 | cfg.etc_private_keep = ptr + 12; |
613 | fs_check_etc_list(); | 613 | fs_check_etc_list(); |
614 | if (*cfg.etc_private_keep != '\0') | 614 | arg_private_etc = 1; |
615 | arg_private_etc = 1; | ||
616 | else { | ||
617 | arg_private_etc = 0; | ||
618 | fprintf(stderr, "Warning: private-etc disabled, no file found\n"); | ||
619 | } | ||
620 | 615 | ||
621 | return 0; | 616 | return 0; |
622 | } | 617 | } |
diff --git a/test/fs/fs.sh b/test/fs/fs.sh index 0fcffcb8e..b49aadf02 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh | |||
@@ -24,6 +24,9 @@ echo "TESTING: private (test/fs/private.exp)" | |||
24 | echo "TESTING: private-etc (test/fs/private-etc.exp)" | 24 | echo "TESTING: private-etc (test/fs/private-etc.exp)" |
25 | ./private-etc.exp | 25 | ./private-etc.exp |
26 | 26 | ||
27 | echo "TESTING: empty private-etc (test/fs/private-etc-empty.exp)" | ||
28 | ./private-etc-empty.exp | ||
29 | |||
27 | echo "TESTING: private-bin (test/fs/private-bin.exp)" | 30 | echo "TESTING: private-bin (test/fs/private-bin.exp)" |
28 | ./private-bin.exp | 31 | ./private-bin.exp |
29 | 32 | ||
diff --git a/test/fs/private-etc-empty.exp b/test/fs/private-etc-empty.exp new file mode 100755 index 000000000..13e917a5c --- /dev/null +++ b/test/fs/private-etc-empty.exp | |||
@@ -0,0 +1,38 @@ | |||
1 | #!/usr/bin/expect -f | ||
2 | # This file is part of Firejail project | ||
3 | # Copyright (C) 2014-2016 Firejail Authors | ||
4 | # License GPL v2 | ||
5 | |||
6 | set timeout 30 | ||
7 | spawn $env(SHELL) | ||
8 | match_max 100000 | ||
9 | |||
10 | send -- "firejail --private-etc=blablabla\r" | ||
11 | expect { | ||
12 | timeout {puts "TESTING ERROR 0\n";exit} | ||
13 | "Child process initialized" | ||
14 | } | ||
15 | sleep 1 | ||
16 | |||
17 | send -- "ls -l /etc | wc -l\r" | ||
18 | expect { | ||
19 | timeout {puts "TESTING ERROR 1\n";exit} | ||
20 | "0" | ||
21 | } | ||
22 | send -- "exit\r" | ||
23 | sleep 1 | ||
24 | |||
25 | send -- "firejail --profile=private-etc-empty.profile\r" | ||
26 | expect { | ||
27 | timeout {puts "TESTING ERROR 0\n";exit} | ||
28 | "Child process initialized" | ||
29 | } | ||
30 | sleep 1 | ||
31 | |||
32 | send -- "ls -l /etc | wc -l\r" | ||
33 | expect { | ||
34 | timeout {puts "TESTING ERROR 1\n";exit} | ||
35 | "0" | ||
36 | } | ||
37 | |||
38 | puts "\nall done\n" | ||
diff --git a/test/fs/private-etc-empty.profile b/test/fs/private-etc-empty.profile new file mode 100644 index 000000000..38aa8cd68 --- /dev/null +++ b/test/fs/private-etc-empty.profile | |||
@@ -0,0 +1 @@ | |||
private-etc blablabla | |||