chroot hardening

the check was introduced some time ago in fs_x11(), but fs_chroot() does the same thing and needs it as well
author: smitsohu <smitsohu@gmail.com> 2021-02-12 15:59:33 +0100
committer: smitsohu <smitsohu@gmail.com> 2021-02-12 15:59:33 +0100
commit: 6fd17bd2d331d35ba113430f8b522b11f9e2512b (patch)
tree: 704c7aa6085d0de80c639ca3ad015ec8c480a209
parent: Revert "Merge pull request #3607 from kortewegdevries/wemail" (diff)
download: firejail-6fd17bd2d331d35ba113430f8b522b11f9e2512b.tar.gz
firejail-6fd17bd2d331d35ba113430f8b522b11f9e2512b.tar.zst
firejail-6fd17bd2d331d35ba113430f8b522b11f9e2512b.zip
1 files changed, 12 insertions, 0 deletions
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c
index 6de4b819c..9253490ca 100644
--- a/src/firejail/chroot.c
+++ b/src/firejail/chroot.c
@@ -176,6 +176,18 @@ void fs_chroot(const char *rootdir) {
        if (env_get("FIREJAIL_X11") || env_get("FIREJAIL_CHROOT_X11")) {
                if (arg_debug)
                        printf("Mounting /tmp/.X11-unix on chroot /tmp/.X11-unix\n");
+                struct stat s1, s2;
+                if (stat("/tmp", &s1) || lstat("/tmp/.X11-unix", &s2))
+                        errExit("mounting /tmp/.X11-unix");
+                if ((s1.st_mode & S_ISVTX) != S_ISVTX) {
+                        fprintf(stderr, "Error: sticky bit not set on /tmp directory\n");
+                        exit(1);
+                }
+                if (s2.st_uid != 0) {
+                        fprintf(stderr, "Error: /tmp/.X11-unix not owned by root user\n");
+                        exit(1);
+                }
                check_subdir(parentfd, "tmp/.X11-unix", 0);
                fd = openat(parentfd, "tmp/.X11-unix", O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
                if (fd == -1)
author	smitsohu <smitsohu@gmail.com>	2021-02-12 15:59:33 +0100
committer	smitsohu <smitsohu@gmail.com>	2021-02-12 15:59:33 +0100
commit	6fd17bd2d331d35ba113430f8b522b11f9e2512b (patch)
tree	704c7aa6085d0de80c639ca3ad015ec8c480a209
parent	Revert "Merge pull request #3607 from kortewegdevries/wemail" (diff)
download	firejail-6fd17bd2d331d35ba113430f8b522b11f9e2512b.tar.gz firejail-6fd17bd2d331d35ba113430f8b522b11f9e2512b.tar.zst firejail-6fd17bd2d331d35ba113430f8b522b11f9e2512b.zip

diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c index 6de4b819c..9253490ca 100644 --- a/src/firejail/chroot.c +++ b/src/firejail/chroot.c
@@ -176,6 +176,18 @@ void fs_chroot(const char *rootdir) {
176	if (env_get("FIREJAIL_X11") \|\| env_get("FIREJAIL_CHROOT_X11")) {	176	if (env_get("FIREJAIL_X11") \|\| env_get("FIREJAIL_CHROOT_X11")) {
177	if (arg_debug)	177	if (arg_debug)
178	printf("Mounting /tmp/.X11-unix on chroot /tmp/.X11-unix\n");	178	printf("Mounting /tmp/.X11-unix on chroot /tmp/.X11-unix\n");
		179	struct stat s1, s2;
		180	if (stat("/tmp", &s1) \|\| lstat("/tmp/.X11-unix", &s2))
		181	errExit("mounting /tmp/.X11-unix");
		182	if ((s1.st_mode & S_ISVTX) != S_ISVTX) {
		183	fprintf(stderr, "Error: sticky bit not set on /tmp directory\n");
		184	exit(1);
		185	}
		186	if (s2.st_uid != 0) {
		187	fprintf(stderr, "Error: /tmp/.X11-unix not owned by root user\n");
		188	exit(1);
		189	}
		190
179	check_subdir(parentfd, "tmp/.X11-unix", 0);	191	check_subdir(parentfd, "tmp/.X11-unix", 0);
180	fd = openat(parentfd, "tmp/.X11-unix", O_PATH\|O_DIRECTORY\|O_NOFOLLOW\|O_CLOEXEC);	192	fd = openat(parentfd, "tmp/.X11-unix", O_PATH\|O_DIRECTORY\|O_NOFOLLOW\|O_CLOEXEC);
181	if (fd == -1)	193	if (fd == -1)