diff options
| author |  smitsohu <smitsohu@gmail.com> | 2018-10-01 17:13:12 +0200 |
|---|---|---|
| committer | smitsohu <smitsohu@gmail.com> | 2018-10-01 17:13:12 +0200 |
| commit | bdf8118dd69a6ef734b3fdefccfc7374398723f5 (patch) | |
| tree | 6c3ef2353a2da1a221f0438784e0292232973efe | |
| parent | tests: skip audit.exp if tests are already running in a pid namespace (diff) | |
| download | firejail-bdf8118dd69a6ef734b3fdefccfc7374398723f5.tar.gz firejail-bdf8118dd69a6ef734b3fdefccfc7374398723f5.tar.zst firejail-bdf8118dd69a6ef734b3fdefccfc7374398723f5.zip | |
mount empty home if macro can't be whitelisted
| -rw-r--r-- | src/firejail/firejail.h | 1 | ||||
| -rw-r--r-- | src/firejail/fs_whitelist.c | 16 | ||||
| -rw-r--r-- | src/firejail/macros.c | 2 |
3 files changed, 12 insertions, 7 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 389bdbbcb..1b34a882d 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -498,6 +498,7 @@ char *expand_home(const char *path, const char *homedir); | |||
| 498 | char *resolve_macro(const char *name); | 498 | char *resolve_macro(const char *name); |
| 499 | void invalid_filename(const char *fname, int globbing); | 499 | void invalid_filename(const char *fname, int globbing); |
| 500 | int is_macro(const char *name); | 500 | int is_macro(const char *name); |
| 501 | int macro_id(const char *name); | ||
| 501 | 502 | ||
| 502 | 503 | ||
| 503 | // util.c | 504 | // util.c |
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 86a901506..2d4640430 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
| @@ -372,12 +372,16 @@ void fs_whitelist(void) { | |||
| 372 | assert(new_name); | 372 | assert(new_name); |
| 373 | 373 | ||
| 374 | // skip command if resolving the macro was not successful | 374 | // skip command if resolving the macro was not successful |
| 375 | if (is_macro(new_name)) { | 375 | if (is_macro(new_name) && macro_id(new_name) > -1) { |
| 376 | if (!nowhitelist_flag && !arg_quiet && !arg_private) { | 376 | // mount empty home directory and print a warning |
| 377 | fprintf(stderr, "***\n"); | 377 | if (!nowhitelist_flag && !arg_private) { |
| 378 | fprintf(stderr, "*** Warning: cannot whitelist %s directory\n", new_name); | 378 | home_dir = 1; |
| 379 | fprintf(stderr, "*** Any file saved in this directory will be lost when the sandbox is closed.\n"); | 379 | if (!arg_quiet) { |
| 380 | fprintf(stderr, "***\n"); | 380 | fprintf(stderr, "***\n"); |
| 381 | fprintf(stderr, "*** Warning: cannot whitelist %s directory\n", new_name); | ||
| 382 | fprintf(stderr, "*** Any file saved in this directory will be lost when the sandbox is closed.\n"); | ||
| 383 | fprintf(stderr, "***\n"); | ||
| 384 | } | ||
| 381 | } | 385 | } |
| 382 | entry->data = EMPTY_STRING; | 386 | entry->data = EMPTY_STRING; |
| 383 | entry = entry->next; | 387 | entry = entry->next; |
diff --git a/src/firejail/macros.c b/src/firejail/macros.c index 27893938f..4bf3d3589 100644 --- a/src/firejail/macros.c +++ b/src/firejail/macros.c | |||
| @@ -69,7 +69,7 @@ Macro macro[] = { | |||
| 69 | }; | 69 | }; |
| 70 | 70 | ||
| 71 | // return -1 if not found | 71 | // return -1 if not found |
| 72 | static int macro_id(const char *name) { | 72 | int macro_id(const char *name) { |
| 73 | int i = 0; | 73 | int i = 0; |
| 74 | while (macro[i].name != NULL) { | 74 | while (macro[i].name != NULL) { |
| 75 | if (strcmp(name, macro[i].name) == 0) | 75 | if (strcmp(name, macro[i].name) == 0) |