diff options
| author |  smitsohu <smitsohu@gmail.com> | 2018-12-11 20:42:33 +0100 |
|---|---|---|
| committer | smitsohu <smitsohu@gmail.com> | 2018-12-11 20:42:33 +0100 |
| commit | d921d58ec1f027faafc59b4bad342c076454a588 (patch) | |
| tree | dcf3332410d75b67f7952e9ebba32a71ddc89d3d | |
| parent | xorg: check if Xauthority mount point was created (diff) | |
| download | firejail-d921d58ec1f027faafc59b4bad342c076454a588.tar.gz firejail-d921d58ec1f027faafc59b4bad342c076454a588.tar.zst firejail-d921d58ec1f027faafc59b4bad342c076454a588.zip | |
add create_empty_dir_as_user function, refactor
| -rw-r--r-- | src/firejail/firejail.h | 1 | ||||
| -rw-r--r-- | src/firejail/fs.c | 66 | ||||
| -rw-r--r-- | src/firejail/util.c | 38 |
3 files changed, 42 insertions, 63 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index a4aa20667..c0072debe 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -540,6 +540,7 @@ uid_t pid_get_uid(pid_t pid); | |||
| 540 | uid_t get_group_id(const char *group); | 540 | uid_t get_group_id(const char *group); |
| 541 | int remove_overlay_directory(void); | 541 | int remove_overlay_directory(void); |
| 542 | void flush_stdin(void); | 542 | void flush_stdin(void); |
| 543 | void create_empty_dir_as_user(const char *dir, mode_t mode); | ||
| 543 | void create_empty_dir_as_root(const char *dir, mode_t mode); | 544 | void create_empty_dir_as_root(const char *dir, mode_t mode); |
| 544 | void create_empty_file_as_root(const char *dir, mode_t mode); | 545 | void create_empty_file_as_root(const char *dir, mode_t mode); |
| 545 | int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode); | 546 | int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode); |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 49074f525..c689a49fa 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
| @@ -767,26 +767,7 @@ void fs_proc_sys_dev_boot(void) { | |||
| 767 | char *fnamegpg; | 767 | char *fnamegpg; |
| 768 | if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1) | 768 | if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1) |
| 769 | errExit("asprintf"); | 769 | errExit("asprintf"); |
| 770 | if (stat(fnamegpg, &s) == -1) { | 770 | create_empty_dir_as_user(fnamegpg, 0700); |
| 771 | pid_t child = fork(); | ||
| 772 | if (child < 0) | ||
| 773 | errExit("fork"); | ||
| 774 | if (child == 0) { | ||
| 775 | // drop privileges | ||
| 776 | drop_privs(0); | ||
| 777 | if (mkdir(fnamegpg, 0700) == 0) { | ||
| 778 | if (chmod(fnamegpg, 0700) == -1) | ||
| 779 | {;} // do nothing | ||
| 780 | } | ||
| 781 | #ifdef HAVE_GCOV | ||
| 782 | __gcov_flush(); | ||
| 783 | #endif | ||
| 784 | _exit(0); | ||
| 785 | } | ||
| 786 | // wait for the child to finish | ||
| 787 | waitpid(child, NULL, 0); | ||
| 788 | fs_logger2("create", fnamegpg); | ||
| 789 | } | ||
| 790 | if (stat(fnamegpg, &s) == 0) | 771 | if (stat(fnamegpg, &s) == 0) |
| 791 | disable_file(BLACKLIST_FILE, fnamegpg); | 772 | disable_file(BLACKLIST_FILE, fnamegpg); |
| 792 | free(fnamegpg); | 773 | free(fnamegpg); |
| @@ -795,26 +776,7 @@ void fs_proc_sys_dev_boot(void) { | |||
| 795 | char *fnamesysd; | 776 | char *fnamesysd; |
| 796 | if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1) | 777 | if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1) |
| 797 | errExit("asprintf"); | 778 | errExit("asprintf"); |
| 798 | if (stat(fnamesysd, &s) == -1) { | 779 | create_empty_dir_as_user(fnamesysd, 0755); |
| 799 | pid_t child = fork(); | ||
| 800 | if (child < 0) | ||
| 801 | errExit("fork"); | ||
| 802 | if (child == 0) { | ||
| 803 | // drop privileges | ||
| 804 | drop_privs(0); | ||
| 805 | if (mkdir(fnamesysd, 0755) == 0) { | ||
| 806 | if (chmod(fnamesysd, 0755) == -1) | ||
| 807 | {;} // do nothing | ||
| 808 | } | ||
| 809 | #ifdef HAVE_GCOV | ||
| 810 | __gcov_flush(); | ||
| 811 | #endif | ||
| 812 | _exit(0); | ||
| 813 | } | ||
| 814 | // wait for the child to finish | ||
| 815 | waitpid(child, NULL, 0); | ||
| 816 | fs_logger2("create", fnamesysd); | ||
| 817 | } | ||
| 818 | if (stat(fnamesysd, &s) == 0) | 780 | if (stat(fnamesysd, &s) == 0) |
| 819 | disable_file(BLACKLIST_FILE, fnamesysd); | 781 | disable_file(BLACKLIST_FILE, fnamesysd); |
| 820 | free(fnamesysd); | 782 | free(fnamesysd); |
| @@ -924,31 +886,11 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) { | |||
| 924 | } | 886 | } |
| 925 | else { | 887 | else { |
| 926 | // create ~/.firejail directory | 888 | // create ~/.firejail directory |
| 927 | pid_t child = fork(); | 889 | create_empty_dir_as_user(dirname, 0700); |
| 928 | if (child < 0) | ||
| 929 | errExit("fork"); | ||
| 930 | if (child == 0) { | ||
| 931 | // drop privileges | ||
| 932 | drop_privs(0); | ||
| 933 | |||
| 934 | // create directory | ||
| 935 | if (mkdir(dirname, 0700)) | ||
| 936 | errExit("mkdir"); | ||
| 937 | if (chmod(dirname, 0700) == -1) | ||
| 938 | errExit("chmod"); | ||
| 939 | ASSERT_PERMS(dirname, getuid(), getgid(), 0700); | ||
| 940 | #ifdef HAVE_GCOV | ||
| 941 | __gcov_flush(); | ||
| 942 | #endif | ||
| 943 | _exit(0); | ||
| 944 | } | ||
| 945 | // wait for the child to finish | ||
| 946 | waitpid(child, NULL, 0); | ||
| 947 | if (stat(dirname, &s) == -1) { | 890 | if (stat(dirname, &s) == -1) { |
| 948 | fprintf(stderr, "Error: cannot create ~/.firejail directory\n"); | 891 | fprintf(stderr, "Error: cannot create directory %s\n", dirname); |
| 949 | exit(1); | 892 | exit(1); |
| 950 | } | 893 | } |
| 951 | fs_logger2("create", dirname); | ||
| 952 | } | 894 | } |
| 953 | free(dirname); | 895 | free(dirname); |
| 954 | 896 | ||
diff --git a/src/firejail/util.c b/src/firejail/util.c index 47b237911..9af41ffe2 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
| @@ -961,6 +961,42 @@ void flush_stdin(void) { | |||
| 961 | } | 961 | } |
| 962 | } | 962 | } |
| 963 | 963 | ||
| 964 | void create_empty_dir_as_user(const char *dir, mode_t mode) { | ||
| 965 | assert(dir); | ||
| 966 | mode &= 07777; | ||
| 967 | struct stat s; | ||
| 968 | |||
| 969 | if (stat(dir, &s)) { | ||
| 970 | if (arg_debug) | ||
| 971 | printf("Creating empty %s directory\n", dir); | ||
| 972 | pid_t child = fork(); | ||
| 973 | if (child < 0) | ||
| 974 | errExit("fork"); | ||
| 975 | if (child == 0) { | ||
| 976 | // drop privileges | ||
| 977 | drop_privs(0); | ||
| 978 | |||
| 979 | if (mkdir(dir, mode) == 0) { | ||
| 980 | if (chmod(dir, mode) == -1) | ||
| 981 | {;} // do nothing | ||
| 982 | } | ||
| 983 | else if (errno != EEXIST && arg_debug) { | ||
| 984 | char *str; | ||
| 985 | if (asprintf(&str, "Directory %s not created", dir) == -1) | ||
| 986 | errExit("asprintf"); | ||
| 987 | perror(str); | ||
| 988 | } | ||
| 989 | #ifdef HAVE_GCOV | ||
| 990 | __gcov_flush(); | ||
| 991 | #endif | ||
| 992 | _exit(0); | ||
| 993 | } | ||
| 994 | waitpid(child, NULL, 0); | ||
| 995 | if (stat(dir, &s) == 0) | ||
| 996 | fs_logger2("create", dir); | ||
| 997 | } | ||
| 998 | } | ||
| 999 | |||
| 964 | void create_empty_dir_as_root(const char *dir, mode_t mode) { | 1000 | void create_empty_dir_as_root(const char *dir, mode_t mode) { |
| 965 | assert(dir); | 1001 | assert(dir); |
| 966 | mode &= 07777; | 1002 | mode &= 07777; |
| @@ -1262,4 +1298,4 @@ void enter_network_namespace(pid_t pid) { | |||
| 1262 | fprintf(stderr, "Error: cannot join the network namespace\n"); | 1298 | fprintf(stderr, "Error: cannot join the network namespace\n"); |
| 1263 | exit(1); | 1299 | exit(1); |
| 1264 | } | 1300 | } |
| 1265 | } \ No newline at end of file | 1301 | } |