author | netblue30 <netblue30@yahoo.com> | 2015-11-18 08:37:01 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2015-11-18 08:37:01 -0500 |
commit | e1463e78dcbcebe63d835bb64312c74c49cc3a6f (patch) | |
tree | 78f9d1c5d8aad7ef152d475ddf9b0f8998bfcdaa | |
parent | blacklist multiple times fix (diff) | |
/home rework
-rw-r--r-- | src/firejail/firejail.h | 3 | ||||
-rw-r--r-- | src/firejail/fs.c | 72 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 14 |
3 files changed, 44 insertions, 45 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 4f8968e4a..b29e11923 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -40,7 +40,8 @@ | |||
40 | #define PULSE_DIR "/run/firejail/mnt/pulse" | 40 | #define PULSE_DIR "/run/firejail/mnt/pulse" |
41 | #define DEVLOG_FILE "/run/firejail/mnt/devlog" | 41 | #define DEVLOG_FILE "/run/firejail/mnt/devlog" |
42 | 42 | ||
43 | #define WHITELIST_HOME_DIR "/run/firejail/mnt/orig-home" | 43 | #define WHITELIST_HOME_DIR "/run/firejail/mnt/orig-home" // default home directory masking |
44 | #define WHITELIST_HOME_USER_DIR "/run/firejail/mnt/orig-home-user" // home directory whitelisting | ||
44 | #define WHITELIST_TMP_DIR "/run/firejail/mnt/orig-tmp" | 45 | #define WHITELIST_TMP_DIR "/run/firejail/mnt/orig-tmp" |
45 | #define WHITELIST_MEDIA_DIR "/run/firejail/mnt/orig-media" | 46 | #define WHITELIST_MEDIA_DIR "/run/firejail/mnt/orig-media" |
46 | #define WHITELIST_VAR_DIR "/run/firejail/mnt/orig-var" | 47 | #define WHITELIST_VAR_DIR "/run/firejail/mnt/orig-var" |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 5cce383e2..aec1698b0 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -540,50 +540,48 @@ void fs_proc_sys_dev_boot(void) { | |||
540 | } | 540 | } |
541 | 541 | ||
542 | static void sanitize_home(void) { | 542 | static void sanitize_home(void) { |
543 | // extract current /home directory data | 543 | assert(getuid() != 0); // this code works only for regular users |
544 | struct dirent *dir; | 544 | |
545 | DIR *d = opendir("/home"); | 545 | if (arg_debug) |
546 | if (d == NULL) | 546 | printf("Cleaning /home directory\n"); |
547 | |||
548 | struct stat s; | ||
549 | if (stat(cfg.homedir, &s) == -1) { | ||
550 | // cannot find home directory, just return | ||
551 | fprintf(stderr, "Warning: cannot find home directory\n"); | ||
547 | return; | 552 | return; |
548 | |||
549 | while ((dir = readdir(d))) { | ||
550 | if(strcmp(dir->d_name, "." ) == 0 || strcmp(dir->d_name, ".." ) == 0) | ||
551 | continue; | ||
552 | |||
553 | if (dir->d_type == DT_DIR ) { | ||
554 | // get properties | ||
555 | struct stat s; | ||
556 | char *name; | ||
557 | if (asprintf(&name, "/home/%s", dir->d_name) == -1) | ||
558 | continue; | ||
559 | if (stat(name, &s) == -1) | ||
560 | continue; | ||
561 | if (S_ISLNK(s.st_mode)) { | ||
562 | free(name); | ||
563 | continue; | ||
564 | } | ||
565 | |||
566 | if (strcmp(name, cfg.homedir) == 0) | ||
567 | continue; | ||
568 | |||
569 | // printf("directory %u %u:%u #%s#\n", | ||
570 | // s.st_mode, | ||
571 | // s.st_uid, | ||
572 | // s.st_gid, | ||
573 | // name); | ||
574 | |||
575 | // disable directory | ||
576 | disable_file(BLACKLIST_FILE, name); | ||
577 | free(name); | ||
578 | } | ||
579 | } | 553 | } |
580 | closedir(d); | 554 | |
581 | } | 555 | fs_build_mnt_dir(); |
556 | if (mkdir(WHITELIST_HOME_DIR, 0755) == -1) | ||
557 | errExit("mkdir"); | ||
558 | |||
559 | // keep a copy of the user home directory | ||
560 | if (mount(cfg.homedir, WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
561 | errExit("mount bind"); | ||
582 | 562 | ||
563 | // mount tmpfs in the new home | ||
564 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | ||
565 | errExit("mount tmpfs"); | ||
583 | 566 | ||
567 | // create user home directory | ||
568 | if (mkdir(cfg.homedir, 0755) == -1) | ||
569 | errExit("mkdir"); | ||
584 | 570 | ||
571 | // set mode and ownership | ||
572 | if (chown(cfg.homedir, s.st_uid, s.st_gid) == -1) | ||
573 | errExit("chown"); | ||
574 | if (chmod(cfg.homedir, s.st_mode) == -1) | ||
575 | errExit("chmod"); | ||
585 | 576 | ||
577 | // mount user home directory | ||
578 | if (mount(WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
579 | errExit("mount bind"); | ||
586 | 580 | ||
581 | // mask home dir under /run | ||
582 | if (mount("tmpfs", WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | ||
583 | errExit("mount tmpfs"); | ||
584 | } | ||
587 | 585 | ||
588 | // build a basic read-only filesystem | 586 | // build a basic read-only filesystem |
589 | void fs_basic_fs(void) { | 587 | void fs_basic_fs(void) { |
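Review bot: `mkdir(cfg.homedir, 0755)` at new line 568 assumes the user's home is a direct child of /home: once the tmpfs is mounted over /home at line 564, a home such as /home/group/user fails with ENOENT and a home outside /home (e.g. /var/home/user, still visible on the real filesystem) fails with EEXIST, and in both cases errExit() aborts the sandbox — unless the caller, which is outside this hunk, already restricts sanitize_home() to the /home/<user> layout. I would either create the intermediate components or bail out before touching /home with `if (strncmp(cfg.homedir, "/home/", 6) != 0) { fprintf(stderr, "Warning: home directory not under /home, skipping\n"); return; }`. Separately, `chmod(cfg.homedir, s.st_mode)` at line 575 passes the raw st_mode including the S_IFDIR type bits; Linux masks them, but `s.st_mode & 07777` states the intent and is portable. MS_REC on the two fresh tmpfs mounts (lines 564 and 582) has no effect, since it only matters for bind and propagation operations, and can be dropped. fs_basic_fs() starts on the last line of this hunk and its body is outside the view.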
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 9203e3d00..b081752f4 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -70,7 +70,7 @@ static void whitelist_path(ProfileEntry *entry) { | |||
70 | exit(1); | 70 | exit(1); |
71 | } | 71 | } |
72 | 72 | ||
73 | if (asprintf(&wfile, "%s/%s", WHITELIST_HOME_DIR, fname) == -1) | 73 | if (asprintf(&wfile, "%s/%s", WHITELIST_HOME_USER_DIR, fname) == -1) |
74 | errExit("asprintf"); | 74 | errExit("asprintf"); |
75 | } | 75 | } |
76 | else if (entry->tmp_dir) { | 76 | else if (entry->tmp_dir) { |
@@ -284,16 +284,16 @@ void fs_whitelist(void) { | |||
284 | 284 | ||
285 | // /home/user | 285 | // /home/user |
286 | if (home_dir) { | 286 | if (home_dir) { |
287 | // keep a copy of real home dir in WHITELIST_HOME_DIR | 287 | // keep a copy of real home dir in WHITELIST_HOME_USER_DIR |
288 | int rv = mkdir(WHITELIST_HOME_DIR, S_IRWXU | S_IRWXG | S_IRWXO); | 288 | int rv = mkdir(WHITELIST_HOME_USER_DIR, S_IRWXU | S_IRWXG | S_IRWXO); |
289 | if (rv == -1) | 289 | if (rv == -1) |
290 | errExit("mkdir"); | 290 | errExit("mkdir"); |
291 | if (chown(WHITELIST_HOME_DIR, getuid(), getgid()) < 0) | 291 | if (chown(WHITELIST_HOME_USER_DIR, getuid(), getgid()) < 0) |
292 | errExit("chown"); | 292 | errExit("chown"); |
293 | if (chmod(WHITELIST_HOME_DIR, 0755) < 0) | 293 | if (chmod(WHITELIST_HOME_USER_DIR, 0755) < 0) |
294 | errExit("chmod"); | 294 | errExit("chmod"); |
295 | 295 | ||
296 | if (mount(cfg.homedir, WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 296 | if (mount(cfg.homedir, WHITELIST_HOME_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
297 | errExit("mount bind"); | 297 | errExit("mount bind"); |
298 | 298 | ||
299 | // mount a tmpfs and initialize /home/user | 299 | // mount a tmpfs and initialize /home/user |
@@ -418,7 +418,7 @@ void fs_whitelist(void) { | |||
418 | 418 | ||
419 | // mask the real home directory, currently mounted on WHITELIST_HOME_DIR | 419 | // mask the real home directory, currently mounted on WHITELIST_HOME_DIR |
420 | if (home_dir) { | 420 | if (home_dir) { |
421 | if (mount("tmpfs", WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 421 | if (mount("tmpfs", WHITELIST_HOME_USER_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
422 | errExit("mount tmpfs"); | 422 | errExit("mount tmpfs"); |
423 | } | 423 | } |
424 | 424 | ||
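Review bot: The comment at new line 419 still says the real home is "currently mounted on WHITELIST_HOME_DIR", but the mount directly below it at line 421 now masks WHITELIST_HOME_USER_DIR, so the comment is stale after this rename; I would change it to `// mask the real home directory, currently mounted on WHITELIST_HOME_USER_DIR`. Also, the masking tmpfs at line 421 is mounted with `MS_NOSUID | MS_STRICTATIME | MS_REC` but without MS_NODEV, whereas the equivalent masking mount this same commit adds to sanitize_home() in fs.c includes MS_NODEV; a mount whose only purpose is to hide the bound home directory has no reason to allow device nodes, so aligning it to `MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC` keeps the two paths consistent. The enclosing fs_whitelist() starts before this hunk and continues after it.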