author | netblue30 <netblue30@yahoo.com> | 2017-03-25 11:44:02 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-03-25 11:44:02 -0400 |
commit | 2131e7379f1fa2531321ee4b0ea50bcb2c8156b8 (patch) | |
tree | 0363f0e9a7b0fbc0d9d23c50233c18f7de383b7b | |
parent | Use thunderbird instead of icedove for testing (diff) | |
reverted back commit 22414ad - TOCTOU condition found by Martin Carpenter
-rw-r--r-- | RELNOTES | 3 | ||||
-rw-r--r-- | src/firejail/fs.c | 2 | ||||
-rw-r--r-- | src/firejail/profile.c | 15 |
3 files changed, 4 insertions, 16 deletions
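--- a/RELNOTES
+++ b/RELNOTES
@@ -34,9 +34,6 @@ firejail (0.9.45) baseline; urgency=low
 * feature: allow /tmp directory in mkdir and mkfile profile commands
 * feature: implemented --noblacklist command, profile support
 * feature: config support to disable access to /mnt and /media (disable-mnt)
-* feature: allow tmpfs for regular users for files in home directory
-* feature: mount a tmpfs on top of ~/.cache directory by default
-* feature: config support to disable tmpfs mounting on ~/.cache (cache-tmpfs)
 * feature: config support to disable join (join)
 * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire,
 * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,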
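diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 3413febcb..e1bac33f3 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -481,6 +481,7 @@ void fs_mnt(void) {
 
 
 void fs_cache(void) {
+#if 0
 if (arg_debug)
 printf("Deploy ~/.cache tmpfs\n");
 char *cache;
@@ -488,6 +489,7 @@ void fs_cache(void) {
 errExit("asprintf");
 disable_file(MOUNT_TMPFS, cache);
 free(cache);
+#endif
 }
 
 // mount /proc and /sys directories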
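Review bot: The `#if 0` / `#endif` pair added inside `fs_cache()` turns the function into a silent no-op with no explanation at the site, so a later reader could re-enable the ~/.cache tmpfs mount without knowing why it was switched off. Put a comment directly above the `#if 0`, for example `// disabled with the revert of 22414ad (TOCTOU condition); do not re-enable until the race is fixed`, or delete the dead body instead of compiling it out. Callers of `fs_cache()` and any handling of the `cache-tmpfs` config option are outside these hunks; if they remain, a user who sets that option presumably gets no tmpfs and no warning, so a message or removal of the option would be worth considering. One line of the body (old line 487) falls between the two hunks and is not shown.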
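diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 4b3cab041..993acf2aa 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -970,19 +970,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 ptr += 7;
 else if (strncmp(ptr, "tmpfs ", 6) == 0) {
 if (getuid() != 0) {
-// allow a non-root user to mount tmpfs in user home directory, links are not allowed
-invalid_filename(ptr + 6);
-char *newfname = expand_home(ptr + 6, cfg.homedir);
-assert(newfname);
-if (is_link(newfname)) {
-fprintf(stderr, "Error: for regular user, tmpfs is not available for symbolic links\n");
-exit(1);
-}
-if (strncmp(newfname, cfg.homedir, strlen(cfg.homedir)) != 0) {
-fprintf(stderr, "Error: for regular user, tmpfs is available only for files in user home directory\n");
-exit(1);
-}
-free(newfname);
+fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n");
+exit(1);
 }
 ptr += 6;
 }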
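Review bot: The root-only rule for `tmpfs` now lives solely in this parse-time branch of `profile_check_line()`, while the mount itself is performed elsewhere, outside the hunk. If any other path can reach the tmpfs mount (a command-line option, for instance; not visible here), it needs the same `getuid() != 0` refusal, and repeating the check at the mount site would make the restriction hold however the request arrived. The new branch also drops the only comment, so a replacement such as `// tmpfs is root-only: a path check done here can be invalidated before the mount (TOCTOU)` would record why the per-user variant was removed. `profile_check_line()` begins and ends outside the hunk.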