authorLibravatar netblue30 <netblue30@yahoo.com>2016-11-10 08:12:32 -0500
committerLibravatar netblue30 <netblue30@yahoo.com>2016-11-10 08:12:32 -0500
commit9c9506f40b6e73e7ba9acbf676b1867c2b3e407f (patch)
treebe80b976ff544860648c266e592cdcb8b14c2886
parenttesting (diff)
bug: mkdir and mkfile are not applied to private directories
-rw-r--r--src/firejail/fs.c14
-rw-r--r--src/firejail/profile.c4
-rw-r--r--src/firejail/sandbox.c2
-rw-r--r--src/firejail/sbox.c2
4 files changed, 18 insertions, 4 deletions
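diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index dbd7eced7..4556f0a82 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -348,6 +348,20 @@ void fs_blacklist(void) {
 ptr = entry->data + 6;
 op = MOUNT_TMPFS;
 }
+else if (strncmp(entry->data, "mkdir ", 6) == 0) {
+EUID_USER();
+fs_mkdir(entry->data + 6);
+EUID_ROOT();
+entry = entry->next;
+continue;
+}
+else if (strncmp(entry->data, "mkfile ", 7) == 0) {
+EUID_USER();
+fs_mkfile(entry->data + 7);
+EUID_ROOT();
+entry = entry->next;
+continue;
+}
 else {
 fprintf(stderr, "Error: invalid profile line %s\n", entry->data);
 entry = entry->next;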
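Review bot: The two new `mkdir `/`mkfile ` branches re-run fs_mkdir/fs_mkfile without a comment saying why, even though profile_check_line already executes both at parse time; a reader of fs_blacklist alone cannot tell the double execution is intentional. Suggest a comment above the first branch, `// mkdir/mkfile already ran at profile parse time; run them again here so the entries also exist under the private/whitelist mounts set up before fs_blacklist()`. Bracketing the calls with EUID_USER()/EUID_ROOT() keeps a profile-supplied path from being created with root privileges, which is worth stating in that comment too; the path is passed verbatim, and any validation is presumably inside fs_mkdir/fs_mkfile (not visible here). The two branches are identical apart from the prefix and callee, so a small static helper would keep the EUID bracketing in one place. fs_blacklist's body continues outside the hunk.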
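diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index f3a7eb727..0fd45d1ef 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -105,12 +105,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 // mkdir
 if (strncmp(ptr, "mkdir ", 6) == 0) {
 fs_mkdir(ptr + 6);
-return 0;
+return 1; // process mkdir again while applying blacklists
 }
 // mkfile
 if (strncmp(ptr, "mkfile ", 7) == 0) {
 fs_mkfile(ptr + 7);
-return 0;
+return 1; // process mkfile again while applying blacklists
 }
 // sandbox name
 else if (strncmp(ptr, "name ", 5) == 0) {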
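Review bot: The changed return at line 108 (and 113) flips the line from "consumed here" to "keep for later", but the trailing comment names neither the consumer nor what 1 versus 0 means; suggest `return 1; // keep the line: fs_blacklist() re-runs mkdir inside the sandbox`, and the matching wording for mkfile. Because fs_mkdir still runs here at parse time, each entry is now created twice, once now and once from fs_blacklist(); that appears intended, but it belongs in profile_check_line's header comment rather than only in these two trailing comments. The mkdir and mkfile blocks are plain `if`s while the following `name` branch is an `else if`, which reads like a chain broken by accident; making all three consistent would avoid the question. profile_check_line continues outside the hunk.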
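diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 6b7f7f003..109daf552 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -734,7 +734,7 @@ int sandbox(void* sandbox_arg) {
 fs_whitelist();
 
 // ... followed by blacklist commands
-fs_blacklist();
+fs_blacklist(); // mkdir and mkfile are processed all over again
 
 //****************************
 // install trace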
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index bca72c14a..430ffb86e 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -142,7 +142,7 @@ int sbox_run(unsigned filter, int num, ...) {
142 for (i = 3; i < max; i++) 142 for (i = 3; i < max; i++)
143 close(i); // close open files 143 close(i); // close open files
144 if ((filter & SBOX_ALLOW_STDIN) == 0) { 144 if ((filter & SBOX_ALLOW_STDIN) == 0) {
145 int fd = open("/dev/null",O_RDWR, 0); 145 int fd = open("/dev/null",O_RDWR, 0);
146 if (fd != -1) { 146 if (fd != -1) {
147 dup2 (fd, STDIN_FILENO); 147 dup2 (fd, STDIN_FILENO);
148 if (fd > 2) 148 if (fd > 2)