diff options
author | netblue30 <netblue30@yahoo.com> | 2016-03-07 15:34:25 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-03-07 15:34:25 -0500 |
commit | 159f33e886fa5fc150972dc3a5071c59b8691e1e (patch) | |
tree | d5fe8ede844bee46e264e9c138898e5d6aa54775 | |
parent | profile fix (diff) | |
download | firejail-159f33e886fa5fc150972dc3a5071c59b8691e1e.tar.gz firejail-159f33e886fa5fc150972dc3a5071c59b8691e1e.tar.zst firejail-159f33e886fa5fc150972dc3a5071c59b8691e1e.zip |
logging fixes
-rw-r--r-- | src/firejail/fs.c | 4 | ||||
-rw-r--r-- | src/firejail/fs_bin.c | 22 | ||||
-rw-r--r-- | src/firejail/fs_dev.c | 6 | ||||
-rw-r--r-- | src/firejail/fs_home.c | 11 | ||||
-rw-r--r-- | src/firejail/fs_var.c | 20 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 16 | ||||
-rw-r--r-- | src/firejail/restrict_users.c | 8 | ||||
-rw-r--r-- | src/firejail/x11.c | 2 |
8 files changed, 61 insertions, 28 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index d9a860722..5efdd4d87 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -178,6 +178,7 @@ void fs_build_mnt_dir(void) { | |||
178 | if (mount("tmpfs", RUN_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 178 | if (mount("tmpfs", RUN_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
179 | errExit("mounting /tmp/firejail/mnt"); | 179 | errExit("mounting /tmp/firejail/mnt"); |
180 | tmpfs_mounted = 1; | 180 | tmpfs_mounted = 1; |
181 | fs_logger2("tmpfs", RUN_MNT_DIR); | ||
181 | } | 182 | } |
182 | } | 183 | } |
183 | 184 | ||
@@ -342,7 +343,7 @@ static void disable_file(OPERATION op, const char *filename) { | |||
342 | if (chown(fname, s.st_uid, s.st_gid) == -1) | 343 | if (chown(fname, s.st_uid, s.st_gid) == -1) |
343 | errExit("mounting tmpfs chmod"); | 344 | errExit("mounting tmpfs chmod"); |
344 | last_disable = SUCCESSFUL; | 345 | last_disable = SUCCESSFUL; |
345 | fs_logger2("mount tmpfs on", fname); | 346 | fs_logger2("tmpfs", fname); |
346 | } | 347 | } |
347 | else | 348 | else |
348 | printf("Warning: %s is not a directory; cannot mount a tmpfs on top of it.\n", fname); | 349 | printf("Warning: %s is not a directory; cannot mount a tmpfs on top of it.\n", fname); |
@@ -1030,5 +1031,6 @@ void fs_private_tmp(void) { | |||
1030 | printf("Mounting tmpfs on /tmp directory\n"); | 1031 | printf("Mounting tmpfs on /tmp directory\n"); |
1031 | if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) | 1032 | if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) |
1032 | errExit("mounting /tmp/firejail/mnt"); | 1033 | errExit("mounting /tmp/firejail/mnt"); |
1034 | fs_logger2("tmpfs", "/tmp"); | ||
1033 | } | 1035 | } |
1034 | 1036 | ||
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 447ef7f8f..228ed347a 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c | |||
@@ -144,7 +144,6 @@ static void duplicate(char *fname) { | |||
144 | printf("%s\n", cmd); | 144 | printf("%s\n", cmd); |
145 | if (system(cmd)) | 145 | if (system(cmd)) |
146 | errExit("system cp -a"); | 146 | errExit("system cp -a"); |
147 | fs_logger2("clone", fname); | ||
148 | free(cmd); | 147 | free(cmd); |
149 | free(actual_path); | 148 | free(actual_path); |
150 | } | 149 | } |
@@ -220,8 +219,29 @@ void fs_private_bin_list(void) { | |||
220 | printf("Mount-bind %s on top of %s\n", RUN_BIN_DIR, paths[i]); | 219 | printf("Mount-bind %s on top of %s\n", RUN_BIN_DIR, paths[i]); |
221 | if (mount(RUN_BIN_DIR, paths[i], NULL, MS_BIND|MS_REC, NULL) < 0) | 220 | if (mount(RUN_BIN_DIR, paths[i], NULL, MS_BIND|MS_REC, NULL) < 0) |
222 | errExit("mount bind"); | 221 | errExit("mount bind"); |
222 | fs_logger2("tmpfs", paths[i]); | ||
223 | fs_logger2("mount", paths[i]); | 223 | fs_logger2("mount", paths[i]); |
224 | i++; | 224 | i++; |
225 | } | 225 | } |
226 | |||
227 | // log cloned files | ||
228 | char *dlist = strdup(private_list); | ||
229 | if (!dlist) | ||
230 | errExit("strdup"); | ||
231 | |||
232 | |||
233 | char *ptr = strtok(dlist, ","); | ||
234 | while (ptr) { | ||
235 | i = 0; | ||
236 | while (paths[i]) { | ||
237 | char *fname; | ||
238 | if (asprintf(&fname, "%s/%s", paths[i], ptr) == -1) | ||
239 | errExit("asprintf"); | ||
240 | fs_logger2("clone", fname); | ||
241 | free(fname); | ||
242 | i++; | ||
243 | } | ||
244 | ptr = strtok(NULL, ","); | ||
245 | } | ||
226 | } | 246 | } |
227 | 247 | ||
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index 97ee9de55..2525dab24 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c | |||
@@ -107,7 +107,7 @@ void fs_private_dev(void){ | |||
107 | // mount tmpfs on top of /dev | 107 | // mount tmpfs on top of /dev |
108 | if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 108 | if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
109 | errExit("mounting /dev"); | 109 | errExit("mounting /dev"); |
110 | fs_logger("mount tmpfs on /dev"); | 110 | fs_logger("tmpfs /dev"); |
111 | 111 | ||
112 | // bring back /dev/log | 112 | // bring back /dev/log |
113 | if (have_devlog) { | 113 | if (have_devlog) { |
@@ -203,7 +203,7 @@ void fs_dev_shm(void) { | |||
203 | printf("Mounting tmpfs on /dev/shm\n"); | 203 | printf("Mounting tmpfs on /dev/shm\n"); |
204 | if (mount("tmpfs", "/dev/shm", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) | 204 | if (mount("tmpfs", "/dev/shm", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) |
205 | errExit("mounting /dev/shm"); | 205 | errExit("mounting /dev/shm"); |
206 | fs_logger("mount tmpfs on /dev/shm"); | 206 | fs_logger("tmpfs /dev/shm"); |
207 | } | 207 | } |
208 | else { | 208 | else { |
209 | char *lnk = realpath("/dev/shm", NULL); | 209 | char *lnk = realpath("/dev/shm", NULL); |
@@ -221,7 +221,7 @@ void fs_dev_shm(void) { | |||
221 | printf("Mounting tmpfs on %s on behalf of /dev/shm\n", lnk); | 221 | printf("Mounting tmpfs on %s on behalf of /dev/shm\n", lnk); |
222 | if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) | 222 | if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) |
223 | errExit("mounting /var/tmp"); | 223 | errExit("mounting /var/tmp"); |
224 | fs_logger3("mount tmpfs on", lnk, "on behalf of /dev/shm"); | 224 | fs_logger2("tmpfs", lnk); |
225 | free(lnk); | 225 | free(lnk); |
226 | } | 226 | } |
227 | else { | 227 | else { |
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 2b6142c6c..8a3484b06 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -107,7 +107,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) { | |||
107 | errExit("asprintf"); | 107 | errExit("asprintf"); |
108 | struct stat s; | 108 | struct stat s; |
109 | // don't copy it if we already have the file | 109 | // don't copy it if we already have the file |
110 | if (stat(fname, &s) == 0) | 110 | if (stat(fname, &s) == 0) |
111 | return; | 111 | return; |
112 | if (stat("/etc/skel/.bashrc", &s) == 0) { | 112 | if (stat("/etc/skel/.bashrc", &s) == 0) { |
113 | if (is_link("/etc/skel/.bashrc")) { | 113 | if (is_link("/etc/skel/.bashrc")) { |
@@ -254,6 +254,7 @@ void fs_private_homedir(void) { | |||
254 | if (mount(private_homedir, homedir, NULL, MS_BIND|MS_REC, NULL) < 0) | 254 | if (mount(private_homedir, homedir, NULL, MS_BIND|MS_REC, NULL) < 0) |
255 | errExit("mount bind"); | 255 | errExit("mount bind"); |
256 | fs_logger3("mount-bind", private_homedir, cfg.homedir); | 256 | fs_logger3("mount-bind", private_homedir, cfg.homedir); |
257 | fs_logger2("whitelist", cfg.homedir); | ||
257 | // preserve mode and ownership | 258 | // preserve mode and ownership |
258 | // if (chown(homedir, s.st_uid, s.st_gid) == -1) | 259 | // if (chown(homedir, s.st_uid, s.st_gid) == -1) |
259 | // errExit("mount-bind chown"); | 260 | // errExit("mount-bind chown"); |
@@ -266,7 +267,7 @@ void fs_private_homedir(void) { | |||
266 | printf("Mounting a new /root directory\n"); | 267 | printf("Mounting a new /root directory\n"); |
267 | if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=700,gid=0") < 0) | 268 | if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=700,gid=0") < 0) |
268 | errExit("mounting home directory"); | 269 | errExit("mounting home directory"); |
269 | fs_logger("mount tmpfs on /root"); | 270 | fs_logger("tmpfs /root"); |
270 | } | 271 | } |
271 | else { | 272 | else { |
272 | // mask /home | 273 | // mask /home |
@@ -274,7 +275,7 @@ void fs_private_homedir(void) { | |||
274 | printf("Mounting a new /home directory\n"); | 275 | printf("Mounting a new /home directory\n"); |
275 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 276 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
276 | errExit("mounting home directory"); | 277 | errExit("mounting home directory"); |
277 | fs_logger("mount tmpfs on /home"); | 278 | fs_logger("tmpfs /home"); |
278 | } | 279 | } |
279 | 280 | ||
280 | 281 | ||
@@ -304,14 +305,14 @@ void fs_private(void) { | |||
304 | printf("Mounting a new /home directory\n"); | 305 | printf("Mounting a new /home directory\n"); |
305 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 306 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
306 | errExit("mounting home directory"); | 307 | errExit("mounting home directory"); |
307 | fs_logger("mount tmpfs on /home"); | 308 | fs_logger("tmpfs /home"); |
308 | 309 | ||
309 | // mask /root | 310 | // mask /root |
310 | if (arg_debug) | 311 | if (arg_debug) |
311 | printf("Mounting a new /root directory\n"); | 312 | printf("Mounting a new /root directory\n"); |
312 | if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=700,gid=0") < 0) | 313 | if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=700,gid=0") < 0) |
313 | errExit("mounting root directory"); | 314 | errExit("mounting root directory"); |
314 | fs_logger("mount tmpfs on /root"); | 315 | fs_logger("tmpfs /root"); |
315 | 316 | ||
316 | if (u != 0) { | 317 | if (u != 0) { |
317 | // create /home/user | 318 | // create /home/user |
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index 82d453308..f904fa5d9 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c | |||
@@ -123,7 +123,7 @@ void fs_var_log(void) { | |||
123 | printf("Mounting tmpfs on /var/log\n"); | 123 | printf("Mounting tmpfs on /var/log\n"); |
124 | if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 124 | if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
125 | errExit("mounting /var/log"); | 125 | errExit("mounting /var/log"); |
126 | fs_logger("mount tmpfs on /var/log"); | 126 | fs_logger("tmpfs /var/log"); |
127 | 127 | ||
128 | build_dirs(); | 128 | build_dirs(); |
129 | release_all(); | 129 | release_all(); |
@@ -162,7 +162,7 @@ void fs_var_lib(void) { | |||
162 | printf("Mounting tmpfs on /var/lib/dhcp\n"); | 162 | printf("Mounting tmpfs on /var/lib/dhcp\n"); |
163 | if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 163 | if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
164 | errExit("mounting /var/lib/dhcp"); | 164 | errExit("mounting /var/lib/dhcp"); |
165 | fs_logger("mount tmpfs on /var/lib/dhcp"); | 165 | fs_logger("tmpfs /var/lib/dhcp"); |
166 | 166 | ||
167 | // isc dhcp server requires a /var/lib/dhcp/dhcpd.leases file | 167 | // isc dhcp server requires a /var/lib/dhcp/dhcpd.leases file |
168 | FILE *fp = fopen("/var/lib/dhcp/dhcpd.leases", "w"); | 168 | FILE *fp = fopen("/var/lib/dhcp/dhcpd.leases", "w"); |
@@ -184,7 +184,7 @@ void fs_var_lib(void) { | |||
184 | printf("Mounting tmpfs on /var/lib/nginx\n"); | 184 | printf("Mounting tmpfs on /var/lib/nginx\n"); |
185 | if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 185 | if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
186 | errExit("mounting /var/lib/nginx"); | 186 | errExit("mounting /var/lib/nginx"); |
187 | fs_logger("mount tmpfs on /var/lib/nginx"); | 187 | fs_logger("tmpfs /var/lib/nginx"); |
188 | } | 188 | } |
189 | 189 | ||
190 | // net-snmp multiserver | 190 | // net-snmp multiserver |
@@ -193,7 +193,7 @@ void fs_var_lib(void) { | |||
193 | printf("Mounting tmpfs on /var/lib/snmp\n"); | 193 | printf("Mounting tmpfs on /var/lib/snmp\n"); |
194 | if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 194 | if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
195 | errExit("mounting /var/lib/snmp"); | 195 | errExit("mounting /var/lib/snmp"); |
196 | fs_logger("mount tmpfs on /var/lib/snmp"); | 196 | fs_logger("tmpfs /var/lib/snmp"); |
197 | } | 197 | } |
198 | 198 | ||
199 | // this is where sudo remembers its state | 199 | // this is where sudo remembers its state |
@@ -202,7 +202,7 @@ void fs_var_lib(void) { | |||
202 | printf("Mounting tmpfs on /var/lib/sudo\n"); | 202 | printf("Mounting tmpfs on /var/lib/sudo\n"); |
203 | if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 203 | if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
204 | errExit("mounting /var/lib/sudo"); | 204 | errExit("mounting /var/lib/sudo"); |
205 | fs_logger("mount tmpfs on /var/lib/sudo"); | 205 | fs_logger("tmpfs /var/lib/sudo"); |
206 | } | 206 | } |
207 | } | 207 | } |
208 | 208 | ||
@@ -214,7 +214,7 @@ void fs_var_cache(void) { | |||
214 | printf("Mounting tmpfs on /var/cache/apache2\n"); | 214 | printf("Mounting tmpfs on /var/cache/apache2\n"); |
215 | if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 215 | if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
216 | errExit("mounting /var/cache/apache2"); | 216 | errExit("mounting /var/cache/apache2"); |
217 | fs_logger("mount tmpfs on /var/cache/apache2"); | 217 | fs_logger("tmpfs /var/cache/apache2"); |
218 | } | 218 | } |
219 | 219 | ||
220 | if (stat("/var/cache/lighttpd", &s) == 0) { | 220 | if (stat("/var/cache/lighttpd", &s) == 0) { |
@@ -222,7 +222,7 @@ void fs_var_cache(void) { | |||
222 | printf("Mounting tmpfs on /var/cache/lighttpd\n"); | 222 | printf("Mounting tmpfs on /var/cache/lighttpd\n"); |
223 | if (mount("tmpfs", "/var/cache/lighttpd", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 223 | if (mount("tmpfs", "/var/cache/lighttpd", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
224 | errExit("mounting /var/cache/lighttpd"); | 224 | errExit("mounting /var/cache/lighttpd"); |
225 | fs_logger("mount tmpfs on /var/cache/lighttpd"); | 225 | fs_logger("tmpfs /var/cache/lighttpd"); |
226 | 226 | ||
227 | struct passwd *p = getpwnam("www-data"); | 227 | struct passwd *p = getpwnam("www-data"); |
228 | uid_t uid = 0; | 228 | uid_t uid = 0; |
@@ -270,7 +270,7 @@ void fs_var_lock(void) { | |||
270 | printf("Mounting tmpfs on /var/lock\n"); | 270 | printf("Mounting tmpfs on /var/lock\n"); |
271 | if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) | 271 | if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) |
272 | errExit("mounting /lock"); | 272 | errExit("mounting /lock"); |
273 | fs_logger("mount tmpfs on /var/lock"); | 273 | fs_logger("tmpfs /var/lock"); |
274 | } | 274 | } |
275 | else { | 275 | else { |
276 | char *lnk = realpath("/var/lock", NULL); | 276 | char *lnk = realpath("/var/lock", NULL); |
@@ -289,7 +289,7 @@ void fs_var_lock(void) { | |||
289 | if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) | 289 | if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) |
290 | errExit("mounting /var/lock"); | 290 | errExit("mounting /var/lock"); |
291 | free(lnk); | 291 | free(lnk); |
292 | fs_logger("mount tmpfs on /var/lock"); | 292 | fs_logger("tmpfs /var/lock"); |
293 | } | 293 | } |
294 | else { | 294 | else { |
295 | fprintf(stderr, "Warning: /var/lock not mounted\n"); | 295 | fprintf(stderr, "Warning: /var/lock not mounted\n"); |
@@ -306,7 +306,7 @@ void fs_var_tmp(void) { | |||
306 | printf("Mounting tmpfs on /var/tmp\n"); | 306 | printf("Mounting tmpfs on /var/tmp\n"); |
307 | if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) | 307 | if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) |
308 | errExit("mounting /var/tmp"); | 308 | errExit("mounting /var/tmp"); |
309 | fs_logger("mount tmpfs on /var/tmp"); | 309 | fs_logger("tmpfs /var/tmp"); |
310 | } | 310 | } |
311 | } | 311 | } |
312 | else { | 312 | else { |
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index dce044cb7..7e61bfde5 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -516,7 +516,7 @@ void fs_whitelist(void) { | |||
516 | printf("Mounting tmpfs on /tmp directory\n"); | 516 | printf("Mounting tmpfs on /tmp directory\n"); |
517 | if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) | 517 | if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) |
518 | errExit("mounting tmpfs on /tmp"); | 518 | errExit("mounting tmpfs on /tmp"); |
519 | fs_logger("mount tmpfs on /tmp"); | 519 | fs_logger("tmpfs /tmp"); |
520 | } | 520 | } |
521 | 521 | ||
522 | // /media mountpoint | 522 | // /media mountpoint |
@@ -538,7 +538,7 @@ void fs_whitelist(void) { | |||
538 | printf("Mounting tmpfs on /media directory\n"); | 538 | printf("Mounting tmpfs on /media directory\n"); |
539 | if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 539 | if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
540 | errExit("mounting tmpfs on /media"); | 540 | errExit("mounting tmpfs on /media"); |
541 | fs_logger("mount tmpfs on /media"); | 541 | fs_logger("tmpfs /media"); |
542 | } | 542 | } |
543 | 543 | ||
544 | // /var mountpoint | 544 | // /var mountpoint |
@@ -560,7 +560,7 @@ void fs_whitelist(void) { | |||
560 | printf("Mounting tmpfs on /var directory\n"); | 560 | printf("Mounting tmpfs on /var directory\n"); |
561 | if (mount("tmpfs", "/var", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 561 | if (mount("tmpfs", "/var", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
562 | errExit("mounting tmpfs on /var"); | 562 | errExit("mounting tmpfs on /var"); |
563 | fs_logger("mount tmpfs on /var"); | 563 | fs_logger("tmpfs /var"); |
564 | } | 564 | } |
565 | 565 | ||
566 | // /dev mountpoint | 566 | // /dev mountpoint |
@@ -582,7 +582,7 @@ void fs_whitelist(void) { | |||
582 | printf("Mounting tmpfs on /dev directory\n"); | 582 | printf("Mounting tmpfs on /dev directory\n"); |
583 | if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 583 | if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
584 | errExit("mounting tmpfs on /dev"); | 584 | errExit("mounting tmpfs on /dev"); |
585 | fs_logger("mount tmpfs on /dev"); | 585 | fs_logger("tmpfs /dev"); |
586 | } | 586 | } |
587 | 587 | ||
588 | // /opt mountpoint | 588 | // /opt mountpoint |
@@ -604,7 +604,7 @@ void fs_whitelist(void) { | |||
604 | printf("Mounting tmpfs on /opt directory\n"); | 604 | printf("Mounting tmpfs on /opt directory\n"); |
605 | if (mount("tmpfs", "/opt", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 605 | if (mount("tmpfs", "/opt", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
606 | errExit("mounting tmpfs on /opt"); | 606 | errExit("mounting tmpfs on /opt"); |
607 | fs_logger("mount tmpfs on /opt"); | 607 | fs_logger("tmpfs /opt"); |
608 | } | 608 | } |
609 | 609 | ||
610 | // go through profile rules again, and interpret whitelist commands | 610 | // go through profile rules again, and interpret whitelist commands |
@@ -643,36 +643,42 @@ void fs_whitelist(void) { | |||
643 | if (home_dir) { | 643 | if (home_dir) { |
644 | if (mount("tmpfs", RUN_WHITELIST_HOME_USER_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 644 | if (mount("tmpfs", RUN_WHITELIST_HOME_USER_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
645 | errExit("mount tmpfs"); | 645 | errExit("mount tmpfs"); |
646 | fs_logger2("tmpfs", RUN_WHITELIST_HOME_USER_DIR); | ||
646 | } | 647 | } |
647 | 648 | ||
648 | // mask the real /tmp directory, currently mounted on RUN_WHITELIST_TMP_DIR | 649 | // mask the real /tmp directory, currently mounted on RUN_WHITELIST_TMP_DIR |
649 | if (tmp_dir) { | 650 | if (tmp_dir) { |
650 | if (mount("tmpfs", RUN_WHITELIST_TMP_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 651 | if (mount("tmpfs", RUN_WHITELIST_TMP_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
651 | errExit("mount tmpfs"); | 652 | errExit("mount tmpfs"); |
653 | fs_logger2("tmpfs", RUN_WHITELIST_TMP_DIR); | ||
652 | } | 654 | } |
653 | 655 | ||
654 | // mask the real /var directory, currently mounted on RUN_WHITELIST_VAR_DIR | 656 | // mask the real /var directory, currently mounted on RUN_WHITELIST_VAR_DIR |
655 | if (var_dir) { | 657 | if (var_dir) { |
656 | if (mount("tmpfs", RUN_WHITELIST_VAR_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 658 | if (mount("tmpfs", RUN_WHITELIST_VAR_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
657 | errExit("mount tmpfs"); | 659 | errExit("mount tmpfs"); |
660 | fs_logger2("tmpfs", RUN_WHITELIST_VAR_DIR); | ||
658 | } | 661 | } |
659 | 662 | ||
660 | // mask the real /opt directory, currently mounted on RUN_WHITELIST_OPT_DIR | 663 | // mask the real /opt directory, currently mounted on RUN_WHITELIST_OPT_DIR |
661 | if (opt_dir) { | 664 | if (opt_dir) { |
662 | if (mount("tmpfs", RUN_WHITELIST_OPT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 665 | if (mount("tmpfs", RUN_WHITELIST_OPT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
663 | errExit("mount tmpfs"); | 666 | errExit("mount tmpfs"); |
667 | fs_logger2("tmpfs", RUN_WHITELIST_OPT_DIR); | ||
664 | } | 668 | } |
665 | 669 | ||
666 | // mask the real /dev directory, currently mounted on RUN_WHITELIST_DEV_DIR | 670 | // mask the real /dev directory, currently mounted on RUN_WHITELIST_DEV_DIR |
667 | if (dev_dir) { | 671 | if (dev_dir) { |
668 | if (mount("tmpfs", RUN_WHITELIST_DEV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 672 | if (mount("tmpfs", RUN_WHITELIST_DEV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
669 | errExit("mount tmpfs"); | 673 | errExit("mount tmpfs"); |
674 | fs_logger2("tmpfs", RUN_WHITELIST_DEV_DIR); | ||
670 | } | 675 | } |
671 | 676 | ||
672 | // mask the real /media directory, currently mounted on RUN_WHITELIST_MEDIA_DIR | 677 | // mask the real /media directory, currently mounted on RUN_WHITELIST_MEDIA_DIR |
673 | if (media_dir) { | 678 | if (media_dir) { |
674 | if (mount("tmpfs", RUN_WHITELIST_MEDIA_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 679 | if (mount("tmpfs", RUN_WHITELIST_MEDIA_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
675 | errExit("mount tmpfs"); | 680 | errExit("mount tmpfs"); |
681 | fs_logger2("tmpfs", RUN_WHITELIST_MEDIA_DIR); | ||
676 | } | 682 | } |
677 | 683 | ||
678 | if (new_name) | 684 | if (new_name) |
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index 88dd38021..5a41c441b 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c | |||
@@ -83,7 +83,7 @@ static void sanitize_home(void) { | |||
83 | // mount tmpfs in the new home | 83 | // mount tmpfs in the new home |
84 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 84 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
85 | errExit("mount tmpfs"); | 85 | errExit("mount tmpfs"); |
86 | fs_logger("mount tmpfs on /home"); | 86 | fs_logger("tmpfs /home"); |
87 | 87 | ||
88 | // create user home directory | 88 | // create user home directory |
89 | if (mkdir(cfg.homedir, 0755) == -1) { | 89 | if (mkdir(cfg.homedir, 0755) == -1) { |
@@ -107,6 +107,10 @@ static void sanitize_home(void) { | |||
107 | // mask home dir under /run | 107 | // mask home dir under /run |
108 | if (mount("tmpfs", RUN_WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 108 | if (mount("tmpfs", RUN_WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
109 | errExit("mount tmpfs"); | 109 | errExit("mount tmpfs"); |
110 | fs_logger2("tmpfs", RUN_WHITELIST_HOME_DIR); | ||
111 | if (!arg_private) | ||
112 | fs_logger2("whitelist", cfg.homedir); | ||
113 | |||
110 | } | 114 | } |
111 | 115 | ||
112 | static void sanitize_passwd(void) { | 116 | static void sanitize_passwd(void) { |
@@ -347,7 +351,7 @@ void restrict_users(void) { | |||
347 | // mount tmpfs on top of /home in order to hide it | 351 | // mount tmpfs on top of /home in order to hide it |
348 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 352 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
349 | errExit("mount tmpfs"); | 353 | errExit("mount tmpfs"); |
350 | fs_logger("mount tmpfs on /home"); | 354 | fs_logger("tmpfs /home"); |
351 | } | 355 | } |
352 | sanitize_passwd(); | 356 | sanitize_passwd(); |
353 | sanitize_group(); | 357 | sanitize_group(); |
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 7769503b1..8c781c67a 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
@@ -84,7 +84,7 @@ void fs_x11(void) { | |||
84 | printf("Mounting tmpfs on /tmp/.X11-unix directory\n"); | 84 | printf("Mounting tmpfs on /tmp/.X11-unix directory\n"); |
85 | if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) | 85 | if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) |
86 | errExit("mounting tmpfs on /tmp"); | 86 | errExit("mounting tmpfs on /tmp"); |
87 | fs_logger("mount tmpfs on /tmp/.X11-unix"); | 87 | fs_logger("tmpfs /tmp/.X11-unix"); |
88 | 88 | ||
89 | // create an empty file | 89 | // create an empty file |
90 | FILE *fp = fopen(x11file, "w"); | 90 | FILE *fp = fopen(x11file, "w"); |