diff options
author | netblue30 <netblue30@yahoo.com> | 2017-02-15 19:51:50 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-02-15 19:51:50 -0500 |
commit | f4ab39bfce61aa7b61b860fab96488b7f3e8fb66 (patch) | |
tree | ae8cae477d8a19cdf3a107b1dcfb3c8cbfef480d | |
parent | merge #1100 from zackw: fcopy rework, --follow-link support in fcopy (diff) | |
download | firejail-f4ab39bfce61aa7b61b860fab96488b7f3e8fb66.tar.gz firejail-f4ab39bfce61aa7b61b860fab96488b7f3e8fb66.tar.zst firejail-f4ab39bfce61aa7b61b860fab96488b7f3e8fb66.zip |
merge #1100 from zackw: follow link support in --private-bin
-rw-r--r-- | README | 1 | ||||
-rw-r--r-- | src/fcopy/main.c | 16 | ||||
-rw-r--r-- | src/firejail/fs_bin.c | 2 | ||||
-rwxr-xr-x | test/fcopy/cmdline.exp | 8 | ||||
-rwxr-xr-x | test/fs/private-home.exp | 2 |
5 files changed, 16 insertions, 13 deletions
@@ -111,6 +111,7 @@ Zack Weinberg (https://github.com/zackw) | |||
111 | - rework X11 display number assignment | 111 | - rework X11 display number assignment |
112 | - rework X11 xorg processing | 112 | - rework X11 xorg processing |
113 | - rework fcopy, --follow-link support in fcopy | 113 | - rework fcopy, --follow-link support in fcopy |
114 | - follow link support in --private-bin | ||
114 | Igor Bukanov (https://github.com/ibukanov) | 115 | Igor Bukanov (https://github.com/ibukanov) |
115 | - found/fiixed privilege escalation in --hosts-file option | 116 | - found/fiixed privilege escalation in --hosts-file option |
116 | Cat (https://github.com/ecat3) | 117 | Cat (https://github.com/ecat3) |
diff --git a/src/fcopy/main.c b/src/fcopy/main.c index 089152efc..9f19b6dd8 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c | |||
@@ -23,6 +23,8 @@ | |||
23 | #include <ftw.h> | 23 | #include <ftw.h> |
24 | #include <errno.h> | 24 | #include <errno.h> |
25 | 25 | ||
26 | static int arg_follow_link = 0; | ||
27 | |||
26 | 28 | ||
27 | #define COPY_LIMIT (500 * 1024 *1024) | 29 | #define COPY_LIMIT (500 * 1024 *1024) |
28 | static int size_limit_reached = 0; | 30 | static int size_limit_reached = 0; |
@@ -221,7 +223,7 @@ static void duplicate_dir(const char *src, const char *dest, struct stat *s) { | |||
221 | } | 223 | } |
222 | 224 | ||
223 | static void duplicate_file(const char *src, const char *dest, struct stat *s) { | 225 | static void duplicate_file(const char *src, const char *dest, struct stat *s) { |
224 | char *rsrc = check(src); // we drop the result and use the original name | 226 | char *rsrc = check(src); |
225 | char *rdest = check(dest); | 227 | char *rdest = check(dest); |
226 | uid_t uid = s->st_uid; | 228 | uid_t uid = s->st_uid; |
227 | gid_t gid = s->st_gid; | 229 | gid_t gid = s->st_gid; |
@@ -229,7 +231,7 @@ static void duplicate_file(const char *src, const char *dest, struct stat *s) { | |||
229 | 231 | ||
230 | // build destination file name | 232 | // build destination file name |
231 | char *name; | 233 | char *name; |
232 | char *ptr = strrchr(src, '/'); | 234 | char *ptr = (arg_follow_link)? strrchr(src, '/'): strrchr(rsrc, '/'); |
233 | ptr++; | 235 | ptr++; |
234 | if (asprintf(&name, "%s/%s", rdest, ptr) == -1) | 236 | if (asprintf(&name, "%s/%s", rdest, ptr) == -1) |
235 | errExit("asprintf"); | 237 | errExit("asprintf"); |
@@ -251,7 +253,7 @@ static void duplicate_link(const char *src, const char *dest, struct stat *s) { | |||
251 | 253 | ||
252 | // build destination file name | 254 | // build destination file name |
253 | char *name; | 255 | char *name; |
254 | // char *ptr = strrchr(rsrc, '/'); | 256 | // char *ptr = strrchr(rsrc, '/'); |
255 | char *ptr = strrchr(src, '/'); | 257 | char *ptr = strrchr(src, '/'); |
256 | ptr++; | 258 | ptr++; |
257 | if (asprintf(&name, "%s/%s", rdest, ptr) == -1) | 259 | if (asprintf(&name, "%s/%s", rdest, ptr) == -1) |
@@ -287,19 +289,19 @@ printf("\n"); | |||
287 | #endif | 289 | #endif |
288 | char *src; | 290 | char *src; |
289 | char *dest; | 291 | char *dest; |
290 | int follow_link; | ||
291 | 292 | ||
292 | if (argc == 3) { | 293 | if (argc == 3) { |
293 | src = argv[1]; | 294 | src = argv[1]; |
294 | dest = argv[2]; | 295 | dest = argv[2]; |
295 | follow_link = 0; | 296 | arg_follow_link = 0; |
296 | } | 297 | } |
297 | else if (argc == 4 && !strcmp(argv[1], "--follow-link")) { | 298 | else if (argc == 4 && !strcmp(argv[1], "--follow-link")) { |
298 | src = argv[2]; | 299 | src = argv[2]; |
299 | dest = argv[3]; | 300 | dest = argv[3]; |
300 | follow_link = 1; | 301 | arg_follow_link = 1; |
301 | } | 302 | } |
302 | else { | 303 | else { |
304 | fprintf(stderr, "Error: arguments missing\n"); | ||
303 | usage(); | 305 | usage(); |
304 | exit(1); | 306 | exit(1); |
305 | } | 307 | } |
@@ -334,7 +336,7 @@ printf("\n"); | |||
334 | } | 336 | } |
335 | 337 | ||
336 | // copy files | 338 | // copy files |
337 | if ((follow_link ? stat : lstat)(src, &s) == -1) { | 339 | if ((arg_follow_link ? stat : lstat)(src, &s) == -1) { |
338 | fprintf(stderr, "Error fcopy: src %s: %s\n", src, strerror(errno)); | 340 | fprintf(stderr, "Error fcopy: src %s: %s\n", src, strerror(errno)); |
339 | exit(1); | 341 | exit(1); |
340 | } | 342 | } |
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 547978b47..3473fca4c 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c | |||
@@ -111,7 +111,7 @@ static void duplicate(char *fname) { | |||
111 | errExit("asprintf"); | 111 | errExit("asprintf"); |
112 | 112 | ||
113 | // copy the file | 113 | // copy the file |
114 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR); | 114 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, RUN_BIN_DIR); |
115 | fs_logger2("clone", fname); | 115 | fs_logger2("clone", fname); |
116 | free(full_path); | 116 | free(full_path); |
117 | } | 117 | } |
diff --git a/test/fcopy/cmdline.exp b/test/fcopy/cmdline.exp index 3ea33b01b..10dd8da58 100755 --- a/test/fcopy/cmdline.exp +++ b/test/fcopy/cmdline.exp | |||
@@ -10,7 +10,7 @@ match_max 100000 | |||
10 | send -- "/usr/lib/firejail/fcopy\r" | 10 | send -- "/usr/lib/firejail/fcopy\r" |
11 | expect { | 11 | expect { |
12 | timeout {puts "TESTING ERROR 0\n";exit} | 12 | timeout {puts "TESTING ERROR 0\n";exit} |
13 | "files missing" | 13 | "arguments missing" |
14 | } | 14 | } |
15 | expect { | 15 | expect { |
16 | timeout {puts "TESTING ERROR 1\n";exit} | 16 | timeout {puts "TESTING ERROR 1\n";exit} |
@@ -21,7 +21,7 @@ after 100 | |||
21 | send -- "/usr/lib/firejail/fcopy foo\r" | 21 | send -- "/usr/lib/firejail/fcopy foo\r" |
22 | expect { | 22 | expect { |
23 | timeout {puts "TESTING ERROR 2\n";exit} | 23 | timeout {puts "TESTING ERROR 2\n";exit} |
24 | "files missing" | 24 | "arguments missing" |
25 | } | 25 | } |
26 | expect { | 26 | expect { |
27 | timeout {puts "TESTING ERROR 3\n";exit} | 27 | timeout {puts "TESTING ERROR 3\n";exit} |
@@ -32,14 +32,14 @@ after 100 | |||
32 | send -- "/usr/lib/firejail/fcopy f%oo1 foo2\r" | 32 | send -- "/usr/lib/firejail/fcopy f%oo1 foo2\r" |
33 | expect { | 33 | expect { |
34 | timeout {puts "TESTING ERROR 4\n";exit} | 34 | timeout {puts "TESTING ERROR 4\n";exit} |
35 | "invalid file name" | 35 | "invalid source file name" |
36 | } | 36 | } |
37 | after 100 | 37 | after 100 |
38 | 38 | ||
39 | send -- "/usr/lib/firejail/fcopy foo1 f,oo2\r" | 39 | send -- "/usr/lib/firejail/fcopy foo1 f,oo2\r" |
40 | expect { | 40 | expect { |
41 | timeout {puts "TESTING ERROR 5\n";exit} | 41 | timeout {puts "TESTING ERROR 5\n";exit} |
42 | "invalid file name" | 42 | "invalid dest file name" |
43 | } | 43 | } |
44 | after 100 | 44 | after 100 |
45 | 45 | ||
diff --git a/test/fs/private-home.exp b/test/fs/private-home.exp index f2f30914d..259eb4f9e 100755 --- a/test/fs/private-home.exp +++ b/test/fs/private-home.exp | |||
@@ -89,7 +89,7 @@ expect { | |||
89 | "Child process initialized" | 89 | "Child process initialized" |
90 | } | 90 | } |
91 | after 100 | 91 | after 100 |
92 | send -- "file file ~/_firejail_test_link2\r" | 92 | send -- "file ~/_firejail_test_link2\r" |
93 | expect { | 93 | expect { |
94 | timeout {puts "TESTING ERROR 11\n";exit} | 94 | timeout {puts "TESTING ERROR 11\n";exit} |
95 | "broken symbolic link" | 95 | "broken symbolic link" |