author | smitsohu <smitsohu@gmail.com> | 2018-05-02 23:06:31 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2018-05-02 23:06:31 +0200 |
commit | 22d9b7ecc083c61ad6cacec886a676083a27ad4e (patch) | |
tree | 5917454e74166c225eaa5274717b776ca3c19049 | |
parent | cleanup (diff) | |
harden pulseaudio, xauthority mounts
-rw-r--r-- | src/firejail/pulseaudio.c | 14 | ||||
-rw-r--r-- | src/firejail/x11.c | 8 |
2 files changed, 21 insertions, 1 deletions
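--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -162,22 +162,34 @@ void pulseaudio_init(void) {
 }
 free(dir1);
 
-
 // if we have ~/.config/pulse mount the new directory, else set environment variable
 char *homeusercfg;
 if (asprintf(&homeusercfg, "%s/.config/pulse", cfg.homedir) == -1)
 errExit("asprintf");
 if (stat(homeusercfg, &s) == 0) {
+if (is_link(homeusercfg)) {
+fprintf(stderr, "Error: user .config/pulse is a symbolic link\n");
+exit(1);
+}
 if (mount(RUN_PULSE_DIR, homeusercfg, "none", MS_BIND, NULL) < 0 ||
 mount(NULL, homeusercfg, NULL, MS_NOEXEC|MS_NODEV|MS_NOSUID|MS_BIND|MS_REMOUNT, NULL) < 0)
 errExit("mount pulseaudio");
 fs_logger2("tmpfs", homeusercfg);
+
+// check /proc/self/mounts to confirm the mount is ok
+MountData *mptr = get_last_mount();
+if (strncmp(mptr->dir,homeusercfg,strlen(homeusercfg)) != 0) {
+fprintf(stderr, "Error: invalid mount on top of %s (should be %s)\n", mptr->dir, homeusercfg);
+exit(1);
+}
+
 char *p;
 if (asprintf(&p, "%s/client.conf", homeusercfg) == -1)
 errExit("asprintf");
 fs_logger2("create", p);
 free(p);
 }
+
 else {
 // set environment
 if (setenv("PULSE_CLIENTCONFIG", pulsecfg, 1) < 0)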
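Review bot: The post-mount check added after `fs_logger2("tmpfs", homeusercfg)` is a prefix comparison, `strncmp(mptr->dir,homeusercfg,strlen(homeusercfg))`, so it accepts any last mount whose path merely begins with the expected directory (for example a sibling directory with a longer name), which weakens the guarantee the check is meant to give against a redirected mount target. An exact match closes that gap: `if (strcmp(mptr->dir, homeusercfg) != 0) {`. The same comparison is used for `dest` in the x11.c hunk and would need the same change. `mptr` is also dereferenced without a NULL test; whether `get_last_mount()` can return NULL is not visible here, so that should be confirmed or guarded. pulseaudio_init begins and ends outside this hunk.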
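--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1193,6 +1193,14 @@ void x11_xorg(void) {
 // just in case...
 if (set_perms(dest, getuid(), getgid(), 0600))
 errExit("set_perms");
+
+// check /proc/self/mounts to confirm the mount is ok
+MountData *mptr = get_last_mount();
+if (strncmp(mptr->dir,dest,strlen(dest)) != 0) {
+fprintf(stderr, "Error: invalid mount on top of %s (should be %s)\n", mptr->dir, dest);
+exit(1);
+}
+
 free(dest);
 #endif
 }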
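Review bot: The verification runs after `set_perms(dest, getuid(), getgid(), 0600)`, so ownership and mode have already been changed on whatever `dest` resolved to before the mount table is consulted. If the bind mount is made just above this hunk, as the added comment suggests, moving the `get_last_mount()` check directly after that mount and before `set_perms` would make the program exit before touching a target that turns out to be wrong. A one-line comment such as `// verify the mount target before changing its permissions` would record the ordering requirement. x11_xorg starts outside the hunk.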