diff options
author | smitsohu <smitsohu@gmail.com> | 2022-02-24 19:29:19 +0100 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2022-02-24 19:29:19 +0100 |
commit | 4b41e0c27ba4727fccba5009b3bf7085fb132846 (patch) | |
tree | 160998a4cdff36b59d0b7ededb3ac7e985c06be6 | |
parent | hardening zeal.profile (#4970) (diff) | |
download | firejail-4b41e0c27ba4727fccba5009b3bf7085fb132846.tar.gz firejail-4b41e0c27ba4727fccba5009b3bf7085fb132846.tar.zst firejail-4b41e0c27ba4727fccba5009b3bf7085fb132846.zip |
fix --whitelist=/run/*
-rw-r--r-- | src/firejail/fs_whitelist.c | 21 |
1 files changed, 14 insertions, 7 deletions
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index c515b59f5..2acde5837 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -592,10 +592,6 @@ void fs_whitelist(void) { | |||
592 | if (strstr(new_name, "..")) | 592 | if (strstr(new_name, "..")) |
593 | whitelist_error(new_name); | 593 | whitelist_error(new_name); |
594 | 594 | ||
595 | // /run/firejail is not allowed | ||
596 | if (strncmp(new_name, RUN_FIREJAIL_DIR, strlen(RUN_FIREJAIL_DIR)) == 0) | ||
597 | whitelist_error(new_name); | ||
598 | |||
599 | TopDir *current_top = NULL; | 595 | TopDir *current_top = NULL; |
600 | if (!nowhitelist_flag) { | 596 | if (!nowhitelist_flag) { |
601 | // extract whitelist top level directory | 597 | // extract whitelist top level directory |
@@ -617,6 +613,13 @@ void fs_whitelist(void) { | |||
617 | free(dir); | 613 | free(dir); |
618 | } | 614 | } |
619 | 615 | ||
616 | // /run/firejail directory is internal and not allowed | ||
617 | if (strncmp(new_name, RUN_FIREJAIL_DIR, strlen(RUN_FIREJAIL_DIR)) == 0) { | ||
618 | entry = entry->next; | ||
619 | free(new_name); | ||
620 | continue; | ||
621 | } | ||
622 | |||
620 | // extract resolved path of the file | 623 | // extract resolved path of the file |
621 | // realpath function will fail with ENOENT if the file is not found or with EACCES if user has no permission | 624 | // realpath function will fail with ENOENT if the file is not found or with EACCES if user has no permission |
622 | // special processing for /dev/fd, /dev/stdin, /dev/stdout and /dev/stderr | 625 | // special processing for /dev/fd, /dev/stdin, /dev/stdout and /dev/stderr |
@@ -653,9 +656,13 @@ void fs_whitelist(void) { | |||
653 | continue; | 656 | continue; |
654 | } | 657 | } |
655 | 658 | ||
656 | // /run/firejail is not allowed | 659 | // /run/firejail directory is internal and not allowed |
657 | if (strncmp(fname, RUN_FIREJAIL_DIR, strlen(RUN_FIREJAIL_DIR)) == 0) | 660 | if (strncmp(fname, RUN_FIREJAIL_DIR, strlen(RUN_FIREJAIL_DIR)) == 0) { |
658 | whitelist_error(fname); | 661 | entry = entry->next; |
662 | free(new_name); | ||
663 | free(fname); | ||
664 | continue; | ||
665 | } | ||
659 | 666 | ||
660 | if (nowhitelist_flag) { | 667 | if (nowhitelist_flag) { |
661 | // store the path in nowhitelist array | 668 | // store the path in nowhitelist array |