author | smitsohu <smitsohu@gmail.com> | 2021-10-22 23:10:07 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2021-10-22 23:10:07 +0200 |
commit | ee1d5d7c8cb2f7b3ab81125168881040f5d17d48 (patch) | |
tree | 992bc07cd65c2b2351cf5f641476acd69df1680a | |
parent | private-bin: fix #4626, refactor symlink detection (diff) | |
private-bin: switch effective uid
-rw-r--r-- | src/firejail/fs_bin.c | 9 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 4 |
2 files changed, 11 insertions, 2 deletions
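--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -41,6 +41,7 @@ static char *paths[] = {
 
 // return 1 if found, 0 if not found
 static char *check_dir_or_file(const char *name) {
+EUID_ASSERT();
 assert(name);
 struct stat s;
 
@@ -80,6 +81,7 @@ static char *check_dir_or_file(const char *name) {
 
 // return 1 if the file is in paths[]
 static int valid_full_path_file(const char *name) {
+EUID_ASSERT();
 assert(name);
 
 if (*name != '/')
@@ -131,6 +133,7 @@ static void report_duplication(const char *fname) {
 }
 
 static void duplicate(char *fname) {
+EUID_ASSERT();
 assert(fname);
 
 if (*fname == '~' || strstr(fname, "..")) {
@@ -202,6 +205,7 @@ static void duplicate(char *fname) {
 }
 
 static void globbing(char *fname) {
+EUID_ASSERT();
 assert(fname);
 
 // go directly to duplicate() if no globbing char is present - see man 7 glob
@@ -252,6 +256,7 @@ static void globbing(char *fname) {
 }
 
 void fs_private_bin_list(void) {
+EUID_ASSERT();
 char *private_list = cfg.bin_private_keep;
 assert(private_list);
 
@@ -259,7 +264,9 @@ void fs_private_bin_list(void) {
 timetrace_start();
 
 // create /run/firejail/mnt/bin directory
+EUID_ROOT();
 mkdir_attr(RUN_BIN_DIR, 0755, 0, 0);
+EUID_USER();
 
 if (arg_debug)
 printf("Copying files in the new bin directory\n");
@@ -287,8 +294,10 @@ void fs_private_bin_list(void) {
 if (stat(paths[i], &s) == 0) {
 if (arg_debug)
 printf("Mount-bind %s on top of %s\n", RUN_BIN_DIR, paths[i]);
+EUID_ROOT();
 if (mount(RUN_BIN_DIR, paths[i], NULL, MS_BIND|MS_REC, NULL) < 0)
 errExit("mount bind");
+EUID_USER();
 fs_logger2("tmpfs", paths[i]);
 fs_logger2("mount", paths[i]);
 }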
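Review bot: In the last hunk of fs_private_bin_list(), the `stat(paths[i], &s) == 0` test now appears to run with the user's euid, since root is raised only after it. A stat failure for any reason other than a missing directory therefore skips the bind mount without a message, and that directory keeps its original contents inside the sandbox. Handling that case explicitly would keep private-bin fail-closed, for example `else if (errno != ENOENT) errExit("stat");` after the `if` block. The lines between the mkdir_attr() hunk and this one are outside the diff, so this assumes nothing there changes the euid; paths[] is also defined outside the hunks.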
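--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -890,16 +890,16 @@ int sandbox(void* sandbox_arg) {
 else if (arg_overlay)
 fwarning("private-bin feature is disabled in overlay\n");
 else {
+EUID_USER();
 // for --x11=xorg we need to add xauth command
 if (arg_x11_xorg) {
-EUID_USER();
 char *tmp;
 if (asprintf(&tmp, "%s,xauth", cfg.bin_private_keep) == -1)
 errExit("asprintf");
 cfg.bin_private_keep = tmp;
-EUID_ROOT();
 }
 fs_private_bin_list();
+EUID_ROOT();
 }
 }
 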
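Review bot: The `EUID_USER()` … `EUID_ROOT()` bracket in the `else` branch now spans the call to fs_private_bin_list(), which itself raises and drops root (see the fs_bin.c hunks), yet nothing at the call site says that the callee must be entered, and must return, with the user's euid. A short comment above the call would make that contract visible to later editors, for example `// fs_private_bin_list() expects user euid; it raises root only around mkdir_attr() and mount()`. Without it, a later change that moves the call outside the bracket would be caught only by the callee's EUID_ASSERT(), whose definition is not shown here. sandbox() starts and ends outside the hunk.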