author | startx2017 <vradu.startx@yandex.com> | 2018-03-17 10:02:31 -0400 |
---|---|---|
committer | startx2017 <vradu.startx@yandex.com> | 2018-03-17 10:02:31 -0400 |
commit | d2f56e0adf116656a96fc1e0bea312f2a37235e9 (patch) | |
tree | 7e40263af88568be32040296c06200b6112c7599 | |
parent | split run files processing in a separate file - src/firejail/run_files.c (diff) | |
locking run file operations
-rw-r--r-- | src/firejail/firejail.h | 3 | ||||
-rw-r--r-- | src/firejail/main.c | 27 |
2 files changed, 20 insertions, 10 deletions
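--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -36,7 +36,8 @@
 #define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network"
 #define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth"
 #define RUN_FIREJAIL_PROFILE_DIR "/run/firejail/profile"
-#define RUN_NETWORK_LOCK_FILE "/run/firejail/firejail.lock"
+#define RUN_NETWORK_LOCK_FILE "/run/firejail/firejail-network.lock"
+#define RUN_DIRECTORY_LOCK_FILE "/run/firejail/firejail-run.lock"
 #define RUN_RO_DIR "/run/firejail/firejail.ro.dir"
 #define RUN_RO_FILE "/run/firejail/firejail.ro.file"
 #define RUN_MNT_DIR "/run/firejail/mnt" // a tmpfs is mounted on this directory before any of the files below are created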
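--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -824,7 +824,8 @@ static void run_builder(int argc, char **argv) {
 int main(int argc, char **argv) {
 int i;
 int prog_index = -1; // index in argv where the program command starts
-int lockfd = -1;
+int lockfd_network = -1;
+int lockfd_directory = -1;
 int option_cgroup = 0;
 int option_force = 0;
 int custom_profile = 0; // custom profile loaded
@@ -2393,11 +2394,11 @@ int main(int argc, char **argv) {
 // check and assign an IP address - for macvlan it will be done again in the sandbox!
 if (any_bridge_configured()) {
 EUID_ROOT();
-lockfd = open(RUN_NETWORK_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);
-if (lockfd != -1) {
-int rv = fchown(lockfd, 0, 0);
+lockfd_network = open(RUN_NETWORK_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);
+if (lockfd_network != -1) {
+int rv = fchown(lockfd_network, 0, 0);
 (void) rv;
-flock(lockfd, LOCK_EX);
+flock(lockfd_network, LOCK_EX);
 }
 
 check_network(&cfg.bridge0);
@@ -2426,13 +2427,21 @@ int main(int argc, char **argv) {
 }
 
 
-// set name file
+// set name and x11 run files
 EUID_ROOT();
+lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);
+if (lockfd_directory != -1) {
+int rv = fchown(lockfd_directory, 0, 0);
+(void) rv;
+flock(lockfd_directory, LOCK_EX);
+}
 if (cfg.name)
 set_name_run_file(sandbox_pid);
 int display = x11_display();
 if (display > 0)
 set_x11_run_file(sandbox_pid, display);
+flock(lockfd_directory, LOCK_UN);
+close(lockfd_directory);
 EUID_USER();
 
 // clone environment
@@ -2573,9 +2582,9 @@ int main(int argc, char **argv) {
 close(parent_to_child_fds[1]);
 
 EUID_ROOT();
-if (lockfd != -1) {
-flock(lockfd, LOCK_UN);
-close(lockfd);
+if (lockfd_network != -1) {
+flock(lockfd_network, LOCK_UN);
+close(lockfd_network);
 }
 
 // handle CTRL-C in parent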
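Review bot: The release at the end of the new run-file block (new lines 2443–2444) calls `flock(lockfd_directory, LOCK_UN)` and `close(lockfd_directory)` unconditionally, although the `open()` a few lines above may have returned -1; the network lock in the last hunk guards the same pair with `if (lockfd_network != -1)`. When that `open()` or the unchecked `flock(lockfd_directory, LOCK_EX)` fails, `set_name_run_file()` and `set_x11_run_file()` still run after `EUID_ROOT()` with no mutual exclusion and nothing is reported, so the serialisation this commit appears to be adding is lost silently. I would write the release as `if (lockfd_directory != -1) { flock(lockfd_directory, LOCK_UN); close(lockfd_directory); }` and print a warning when the lock cannot be taken. Adding `O_CLOEXEC` to both lock-file `open()` calls is also worth considering, in case a descriptor is still open when something is exec'd; main() starts and continues outside these hunks, so that part is not visible here.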