cleanup, small improvements

author: smitsohu <smitsohu@gmail.com> 2018-08-25 10:29:16 +0200
committer: smitsohu <smitsohu@gmail.com> 2018-08-25 10:29:16 +0200
commit: da76c64dcdf7f98e94a33fa74e1e0050e384ce5c (patch)
tree: d38487546b1e3540aac6db15a2f2ba665d13874d
parent: Add python program to more easily debug profiles (diff)
download: firejail-da76c64dcdf7f98e94a33fa74e1e0050e384ce5c.tar.gz
firejail-da76c64dcdf7f98e94a33fa74e1e0050e384ce5c.tar.zst
firejail-da76c64dcdf7f98e94a33fa74e1e0050e384ce5c.zip
8 files changed, 22 insertions, 39 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 906ec6307..051456539 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -514,7 +514,7 @@ void logerr(const char *msg);
 int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
 void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
 void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode);
-void touch_file_as_user(const char *fname, uid_t uid, gid_t gid, mode_t mode);
+void touch_file_as_user(const char *fname, mode_t mode);
 int is_dir(const char *fname);
 int is_link(const char *fname);
 void trim_trailing_slash_or_dot(char *path);
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 7b138eada..d262d18bf 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -648,10 +648,10 @@ void fs_proc_sys_dev_boot(void) {
                                if (child == 0) {
                                        // drop privileges
                                        drop_privs(0);
-                                        if (mkdir(fnamegpg, 0700) == -1)
+                                        if (mkdir(fnamegpg, 0700) == 0) {
-                                                {;} // do nothing
+                                                if (chmod(fnamegpg, 0700) == -1)
-                                        if (set_perms(fnamegpg, -1, -1, 0700))
+                                                        {;} // do nothing
-                                                {;}
+                                        }
 #ifdef HAVE_GCOV
                                        __gcov_flush();
 #endif
@@ -676,10 +676,10 @@ void fs_proc_sys_dev_boot(void) {
                                if (child == 0) {
                                        // drop privileges
                                        drop_privs(0);
-                                        if (mkdir(fnamesysd, 0755) == -1)
+                                        if (mkdir(fnamesysd, 0755) == 0) {
-                                                {;} // do nothing
+                                                if (chmod(fnamesysd, 0755) == -1)
-                                        if (set_perms(fnamesysd, -1, -1, 0755))
+                                                        {;} // do nothing
-                                                {;}
+                                        }
 #ifdef HAVE_GCOV
                                        __gcov_flush();
 #endif
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 03f3512b4..bcfc8a38a 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -53,7 +53,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                        fs_logger2("clone", fname);
                }
                else {
-                        touch_file_as_user(fname, u, g, 0644);
+                        touch_file_as_user(fname, 0644);
                        fs_logger2("touch", fname);
                }
                free(fname);
@@ -78,7 +78,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
                        fs_logger2("clone", fname);
                }
                else {
-                        touch_file_as_user(fname, u, g, 0644);
+                        touch_file_as_user(fname, 0644);
                        fs_logger2("touch", fname);
                }
                free(fname);
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c
index 9d22093ee..b66068a95 100644
--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -114,7 +114,7 @@ void fs_mkfile(const char *name) {
        }
        // create file
-        touch_file_as_user(expanded, getuid(), getgid(), 0600);
+        touch_file_as_user(expanded, 0600);
 doexit:
        free(expanded);
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index 9fbbdfa8f..8c53e6161 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -255,23 +255,8 @@ void fs_var_lock(void) {
                fs_logger("tmpfs /var/lock");
        }
        else {
-                char *lnk = realpath("/var/lock", NULL);
+                fwarning("/var/lock not mounted\n");
-                if (lnk) {
+                dbg_test_dir("/var/lock");
-                        if (!is_dir(lnk)) {
-                                // create directory
-                                mkdir_attr(lnk, S_IRWXU|S_IRWXG|S_IRWXO, 0, 0);
-                        }
-                        if (arg_debug)
-                                printf("Mounting tmpfs on %s on behalf of /var/lock\n", lnk);
-                        if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
-                                errExit("mounting /var/lock");
-                        free(lnk);
-                        fs_logger("tmpfs /var/lock");
-                }
-                else {
-                        fwarning("/var/lock not mounted\n");
-                        dbg_test_dir("/var/lock");
-                }
        }
 }
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index 521f144e8..e6696ecb4 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -117,7 +117,7 @@ void pulseaudio_init(void) {
                        int rv = mkdir(dir1, 0755);
                        if (rv == 0) {
-                                if (set_perms(dir1, getuid(), getgid(), 0755))
+                                if (chmod(dir1, 0755))
                                        {;} // do nothing
                        }
 #ifdef HAVE_GCOV
@@ -153,7 +153,7 @@ void pulseaudio_init(void) {
                        int rv = mkdir(dir1, 0700);
                        if (rv == 0) {
-                                if (set_perms(dir1, getuid(), getgid(), 0700))
+                                if (chmod(dir1, 0700))
                                        {;} // do nothing
                        }
 #ifdef HAVE_GCOV
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 86faaf8b8..050f7534a 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -156,7 +156,6 @@ int mkpath_as_root(const char* path) {
                *p='\0';
                if (mkdir(file_path, 0755)==-1) {
                        if (errno != EEXIST) {
-                                *p='/';
                                free(file_path);
                                return -1;
                        }
@@ -365,7 +364,7 @@ void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_
 }
 // return -1 if error, 0 if no error
-void touch_file_as_user(const char *fname, uid_t uid, gid_t gid, mode_t mode) {
+void touch_file_as_user(const char *fname, mode_t mode) {
        pid_t child = fork();
        if (child < 0)
                errExit("fork");
@@ -373,10 +372,10 @@ void touch_file_as_user(const char *fname, uid_t uid, gid_t gid, mode_t mode) {
                // drop privileges
                drop_privs(0);
-                FILE *fp = fopen(fname, "w");
+                FILE *fp = fopen(fname, "wx");
                if (fp) {
                        fprintf(fp, "\n");
-                        SET_PERMS_STREAM(fp, uid, gid, mode);
+                        SET_PERMS_STREAM(fp, -1, -1, mode);
                        fclose(fp);
                }
 #ifdef HAVE_GCOV
@@ -922,10 +921,8 @@ void create_empty_file_as_root(const char *fname, mode_t mode) {
                FILE *fp = fopen(fname, "w");
                if (!fp)
                        errExit("fopen");
-                SET_PERMS_STREAM(fp, 0, 0, S_IRUSR);
+                SET_PERMS_STREAM(fp, 0, 0, mode);
                fclose(fp);
-                if (chmod(fname, mode) == -1)
-                        errExit("chmod");
        }
 }
@@ -1133,6 +1130,7 @@ int invalid_sandbox(const pid_t pid) {
        int i;
        for (i = 0; i < MAXNODES; i++) {
                if (find_child(current, &next) == 1) {
+                        // found a leaf
                        EUID_ROOT();
                        char *comm = pid_proc_comm(current);
                        EUID_USER();
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index e40ca0f05..7d02701c9 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1168,7 +1168,7 @@ void x11_xorg(void) {
        if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
                errExit("asprintf");
        if (lstat(dest, &s) == -1)
-                touch_file_as_user(dest, getuid(), getgid(), 0600);
+                touch_file_as_user(dest, 0600);
        // get a file descriptor for .Xauthority
        fd = safe_fd(dest, O_PATH|O_NOFOLLOW|O_CLOEXEC);
author	smitsohu <smitsohu@gmail.com>	2018-08-25 10:29:16 +0200
committer	smitsohu <smitsohu@gmail.com>	2018-08-25 10:29:16 +0200
commit	da76c64dcdf7f98e94a33fa74e1e0050e384ce5c (patch)
tree	d38487546b1e3540aac6db15a2f2ba665d13874d
parent	Add python program to more easily debug profiles (diff)
download	firejail-da76c64dcdf7f98e94a33fa74e1e0050e384ce5c.tar.gz firejail-da76c64dcdf7f98e94a33fa74e1e0050e384ce5c.tar.zst firejail-da76c64dcdf7f98e94a33fa74e1e0050e384ce5c.zip