diff options
| author |  smitsohu <smitsohu@gmail.com> | 2021-10-22 23:10:07 +0200 |
|---|---|---|
| committer | smitsohu <smitsohu@gmail.com> | 2021-10-22 23:10:07 +0200 |
| commit | ee1d5d7c8cb2f7b3ab81125168881040f5d17d48 (patch) | |
| tree | 992bc07cd65c2b2351cf5f641476acd69df1680a | |
| parent | private-bin: fix #4626, refactor symlink detection (diff) | |
| download | firejail-ee1d5d7c8cb2f7b3ab81125168881040f5d17d48.tar.gz firejail-ee1d5d7c8cb2f7b3ab81125168881040f5d17d48.tar.zst firejail-ee1d5d7c8cb2f7b3ab81125168881040f5d17d48.zip | |
private-bin: switch effective uid
| -rw-r--r-- | src/firejail/fs_bin.c | 9 | ||||
| -rw-r--r-- | src/firejail/sandbox.c | 4 |
2 files changed, 11 insertions, 2 deletions
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index d485de05a..1ff074599 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c | |||
| @@ -41,6 +41,7 @@ static char *paths[] = { | |||
| 41 | 41 | ||
| 42 | // return 1 if found, 0 if not found | 42 | // return 1 if found, 0 if not found |
| 43 | static char *check_dir_or_file(const char *name) { | 43 | static char *check_dir_or_file(const char *name) { |
| 44 | EUID_ASSERT(); | ||
| 44 | assert(name); | 45 | assert(name); |
| 45 | struct stat s; | 46 | struct stat s; |
| 46 | 47 | ||
| @@ -80,6 +81,7 @@ static char *check_dir_or_file(const char *name) { | |||
| 80 | 81 | ||
| 81 | // return 1 if the file is in paths[] | 82 | // return 1 if the file is in paths[] |
| 82 | static int valid_full_path_file(const char *name) { | 83 | static int valid_full_path_file(const char *name) { |
| 84 | EUID_ASSERT(); | ||
| 83 | assert(name); | 85 | assert(name); |
| 84 | 86 | ||
| 85 | if (*name != '/') | 87 | if (*name != '/') |
| @@ -131,6 +133,7 @@ static void report_duplication(const char *fname) { | |||
| 131 | } | 133 | } |
| 132 | 134 | ||
| 133 | static void duplicate(char *fname) { | 135 | static void duplicate(char *fname) { |
| 136 | EUID_ASSERT(); | ||
| 134 | assert(fname); | 137 | assert(fname); |
| 135 | 138 | ||
| 136 | if (*fname == '~' || strstr(fname, "..")) { | 139 | if (*fname == '~' || strstr(fname, "..")) { |
| @@ -202,6 +205,7 @@ static void duplicate(char *fname) { | |||
| 202 | } | 205 | } |
| 203 | 206 | ||
| 204 | static void globbing(char *fname) { | 207 | static void globbing(char *fname) { |
| 208 | EUID_ASSERT(); | ||
| 205 | assert(fname); | 209 | assert(fname); |
| 206 | 210 | ||
| 207 | // go directly to duplicate() if no globbing char is present - see man 7 glob | 211 | // go directly to duplicate() if no globbing char is present - see man 7 glob |
| @@ -252,6 +256,7 @@ static void globbing(char *fname) { | |||
| 252 | } | 256 | } |
| 253 | 257 | ||
| 254 | void fs_private_bin_list(void) { | 258 | void fs_private_bin_list(void) { |
| 259 | EUID_ASSERT(); | ||
| 255 | char *private_list = cfg.bin_private_keep; | 260 | char *private_list = cfg.bin_private_keep; |
| 256 | assert(private_list); | 261 | assert(private_list); |
| 257 | 262 | ||
| @@ -259,7 +264,9 @@ void fs_private_bin_list(void) { | |||
| 259 | timetrace_start(); | 264 | timetrace_start(); |
| 260 | 265 | ||
| 261 | // create /run/firejail/mnt/bin directory | 266 | // create /run/firejail/mnt/bin directory |
| 267 | EUID_ROOT(); | ||
| 262 | mkdir_attr(RUN_BIN_DIR, 0755, 0, 0); | 268 | mkdir_attr(RUN_BIN_DIR, 0755, 0, 0); |
| 269 | EUID_USER(); | ||
| 263 | 270 | ||
| 264 | if (arg_debug) | 271 | if (arg_debug) |
| 265 | printf("Copying files in the new bin directory\n"); | 272 | printf("Copying files in the new bin directory\n"); |
| @@ -287,8 +294,10 @@ void fs_private_bin_list(void) { | |||
| 287 | if (stat(paths[i], &s) == 0) { | 294 | if (stat(paths[i], &s) == 0) { |
| 288 | if (arg_debug) | 295 | if (arg_debug) |
| 289 | printf("Mount-bind %s on top of %s\n", RUN_BIN_DIR, paths[i]); | 296 | printf("Mount-bind %s on top of %s\n", RUN_BIN_DIR, paths[i]); |
| 297 | EUID_ROOT(); | ||
| 290 | if (mount(RUN_BIN_DIR, paths[i], NULL, MS_BIND|MS_REC, NULL) < 0) | 298 | if (mount(RUN_BIN_DIR, paths[i], NULL, MS_BIND|MS_REC, NULL) < 0) |
| 291 | errExit("mount bind"); | 299 | errExit("mount bind"); |
| 300 | EUID_USER(); | ||
| 292 | fs_logger2("tmpfs", paths[i]); | 301 | fs_logger2("tmpfs", paths[i]); |
| 293 | fs_logger2("mount", paths[i]); | 302 | fs_logger2("mount", paths[i]); |
| 294 | } | 303 | } |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index d66b6c573..efa21c34b 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -890,16 +890,16 @@ int sandbox(void* sandbox_arg) { | |||
| 890 | else if (arg_overlay) | 890 | else if (arg_overlay) |
| 891 | fwarning("private-bin feature is disabled in overlay\n"); | 891 | fwarning("private-bin feature is disabled in overlay\n"); |
| 892 | else { | 892 | else { |
| 893 | EUID_USER(); | ||
| 893 | // for --x11=xorg we need to add xauth command | 894 | // for --x11=xorg we need to add xauth command |
| 894 | if (arg_x11_xorg) { | 895 | if (arg_x11_xorg) { |
| 895 | EUID_USER(); | ||
| 896 | char *tmp; | 896 | char *tmp; |
| 897 | if (asprintf(&tmp, "%s,xauth", cfg.bin_private_keep) == -1) | 897 | if (asprintf(&tmp, "%s,xauth", cfg.bin_private_keep) == -1) |
| 898 | errExit("asprintf"); | 898 | errExit("asprintf"); |
| 899 | cfg.bin_private_keep = tmp; | 899 | cfg.bin_private_keep = tmp; |
| 900 | EUID_ROOT(); | ||
| 901 | } | 900 | } |
| 902 | fs_private_bin_list(); | 901 | fs_private_bin_list(); |
| 902 | EUID_ROOT(); | ||
| 903 | } | 903 | } |
| 904 | } | 904 | } |
| 905 | 905 | ||