diff options
| author |  smitsohu <smitsohu@gmail.com> | 2018-12-13 15:35:13 +0100 |
|---|---|---|
| committer | smitsohu <smitsohu@gmail.com> | 2018-12-13 15:35:13 +0100 |
| commit | edfc39dcb320163ab48e2e7d1fd04e5c0ba19fbe (patch) | |
| tree | 389d93782188a9871f528b81fadae818f66b02f6 | |
| parent | Merge pull request #2293 from smitsohu/smitsohu-patch-libreoffice (diff) | |
| download | firejail-edfc39dcb320163ab48e2e7d1fd04e5c0ba19fbe.tar.gz firejail-edfc39dcb320163ab48e2e7d1fd04e5c0ba19fbe.tar.zst firejail-edfc39dcb320163ab48e2e7d1fd04e5c0ba19fbe.zip | |
pulseaudio: use create_dir_as_user(); small adjustments
| -rw-r--r-- | src/firejail/firejail.h | 2 | ||||
| -rw-r--r-- | src/firejail/fs.c | 6 | ||||
| -rw-r--r-- | src/firejail/pulseaudio.c | 98 | ||||
| -rw-r--r-- | src/firejail/util.c | 8 |
4 files changed, 38 insertions, 76 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index c0072debe..bd392846a 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -540,7 +540,7 @@ uid_t pid_get_uid(pid_t pid); | |||
| 540 | uid_t get_group_id(const char *group); | 540 | uid_t get_group_id(const char *group); |
| 541 | int remove_overlay_directory(void); | 541 | int remove_overlay_directory(void); |
| 542 | void flush_stdin(void); | 542 | void flush_stdin(void); |
| 543 | void create_empty_dir_as_user(const char *dir, mode_t mode); | 543 | int create_empty_dir_as_user(const char *dir, mode_t mode); |
| 544 | void create_empty_dir_as_root(const char *dir, mode_t mode); | 544 | void create_empty_dir_as_root(const char *dir, mode_t mode); |
| 545 | void create_empty_file_as_root(const char *dir, mode_t mode); | 545 | void create_empty_file_as_root(const char *dir, mode_t mode); |
| 546 | int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode); | 546 | int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode); |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index c689a49fa..5edcdd58f 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
| @@ -767,7 +767,8 @@ void fs_proc_sys_dev_boot(void) { | |||
| 767 | char *fnamegpg; | 767 | char *fnamegpg; |
| 768 | if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1) | 768 | if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1) |
| 769 | errExit("asprintf"); | 769 | errExit("asprintf"); |
| 770 | create_empty_dir_as_user(fnamegpg, 0700); | 770 | if (create_empty_dir_as_user(fnamegpg, 0700)) |
| 771 | fs_logger2("create", fnamegpg); | ||
| 771 | if (stat(fnamegpg, &s) == 0) | 772 | if (stat(fnamegpg, &s) == 0) |
| 772 | disable_file(BLACKLIST_FILE, fnamegpg); | 773 | disable_file(BLACKLIST_FILE, fnamegpg); |
| 773 | free(fnamegpg); | 774 | free(fnamegpg); |
| @@ -776,7 +777,8 @@ void fs_proc_sys_dev_boot(void) { | |||
| 776 | char *fnamesysd; | 777 | char *fnamesysd; |
| 777 | if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1) | 778 | if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1) |
| 778 | errExit("asprintf"); | 779 | errExit("asprintf"); |
| 779 | create_empty_dir_as_user(fnamesysd, 0755); | 780 | if (create_empty_dir_as_user(fnamesysd, 0755)) |
| 781 | fs_logger2("create", fnamesysd); | ||
| 780 | if (stat(fnamesysd, &s) == 0) | 782 | if (stat(fnamesysd, &s) == 0) |
| 781 | disable_file(BLACKLIST_FILE, fnamesysd); | 783 | disable_file(BLACKLIST_FILE, fnamesysd); |
| 782 | free(fnamesysd); | 784 | free(fnamesysd); |
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index 4ddaba7ed..c683eea3a 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c | |||
| @@ -92,7 +92,7 @@ void pulseaudio_init(void) { | |||
| 92 | errExit("asprintf"); | 92 | errExit("asprintf"); |
| 93 | if (copy_file("/etc/pulse/client.conf", pulsecfg, -1, -1, 0644)) // root needed | 93 | if (copy_file("/etc/pulse/client.conf", pulsecfg, -1, -1, 0644)) // root needed |
| 94 | errExit("copy_file"); | 94 | errExit("copy_file"); |
| 95 | FILE *fp = fopen(pulsecfg, "a+"); | 95 | FILE *fp = fopen(pulsecfg, "a"); |
| 96 | if (!fp) | 96 | if (!fp) |
| 97 | errExit("fopen"); | 97 | errExit("fopen"); |
| 98 | fprintf(fp, "%s", "\nenable-shm = no\n"); | 98 | fprintf(fp, "%s", "\nenable-shm = no\n"); |
| @@ -103,91 +103,49 @@ void pulseaudio_init(void) { | |||
| 103 | errExit("set_perms"); | 103 | errExit("set_perms"); |
| 104 | 104 | ||
| 105 | // create ~/.config/pulse directory if not present | 105 | // create ~/.config/pulse directory if not present |
| 106 | char *dir1; | 106 | char *homeusercfg; |
| 107 | if (asprintf(&dir1, "%s/.config", cfg.homedir) == -1) | 107 | if (asprintf(&homeusercfg, "%s/.config", cfg.homedir) == -1) |
| 108 | errExit("asprintf"); | 108 | errExit("asprintf"); |
| 109 | if (lstat(dir1, &s) == -1) { | 109 | if (lstat(homeusercfg, &s) == -1) { |
| 110 | pid_t child = fork(); | 110 | if (create_empty_dir_as_user(homeusercfg, 0700)) |
| 111 | if (child < 0) | 111 | fs_logger2("create", homeusercfg); |
| 112 | errExit("fork"); | ||
| 113 | if (child == 0) { | ||
| 114 | // drop privileges | ||
| 115 | drop_privs(0); | ||
| 116 | |||
| 117 | int rv = mkdir(dir1, 0755); | ||
| 118 | if (rv == 0) { | ||
| 119 | if (chmod(dir1, 0755)) | ||
| 120 | {;} // do nothing | ||
| 121 | } | ||
| 122 | #ifdef HAVE_GCOV | ||
| 123 | __gcov_flush(); | ||
| 124 | #endif | ||
| 125 | _exit(0); | ||
| 126 | } | ||
| 127 | // wait for the child to finish | ||
| 128 | waitpid(child, NULL, 0); | ||
| 129 | fs_logger2("create", dir1); | ||
| 130 | } | 112 | } |
| 131 | else { | 113 | else if (!S_ISDIR(s.st_mode)) { |
| 132 | // we expect a user owned directory | 114 | if (S_ISLNK(s.st_mode)) |
| 133 | if (!S_ISDIR(s.st_mode) || s.st_uid != getuid()) { | 115 | fprintf(stderr, "Error: %s is a symbolic link\n", homeusercfg); |
| 134 | if (S_ISLNK(s.st_mode)) | 116 | else |
| 135 | fprintf(stderr, "Error: user .config is a symbolic link\n"); | 117 | fprintf(stderr, "Error: %s is not a directory\n", homeusercfg); |
| 136 | else | 118 | exit(1); |
| 137 | fprintf(stderr, "Error: user .config is not a directory owned by the current user\n"); | ||
| 138 | exit(1); | ||
| 139 | } | ||
| 140 | } | 119 | } |
| 141 | free(dir1); | 120 | free(homeusercfg); |
| 142 | 121 | ||
| 143 | if (asprintf(&dir1, "%s/.config/pulse", cfg.homedir) == -1) | 122 | if (asprintf(&homeusercfg, "%s/.config/pulse", cfg.homedir) == -1) |
| 144 | errExit("asprintf"); | 123 | errExit("asprintf"); |
| 145 | if (lstat(dir1, &s) == -1) { | 124 | if (lstat(homeusercfg, &s) == -1) { |
| 146 | pid_t child = fork(); | 125 | if (create_empty_dir_as_user(homeusercfg, 0700)) |
| 147 | if (child < 0) | 126 | fs_logger2("create", homeusercfg); |
| 148 | errExit("fork"); | ||
| 149 | if (child == 0) { | ||
| 150 | // drop privileges | ||
| 151 | drop_privs(0); | ||
| 152 | |||
| 153 | int rv = mkdir(dir1, 0700); | ||
| 154 | if (rv == 0) { | ||
| 155 | if (chmod(dir1, 0700)) | ||
| 156 | {;} // do nothing | ||
| 157 | } | ||
| 158 | #ifdef HAVE_GCOV | ||
| 159 | __gcov_flush(); | ||
| 160 | #endif | ||
| 161 | _exit(0); | ||
| 162 | } | ||
| 163 | // wait for the child to finish | ||
| 164 | waitpid(child, NULL, 0); | ||
| 165 | fs_logger2("create", dir1); | ||
| 166 | } | 127 | } |
| 167 | else { | 128 | else if (!S_ISDIR(s.st_mode)) { |
| 168 | // we expect a user owned directory | 129 | if (S_ISLNK(s.st_mode)) |
| 169 | if (!S_ISDIR(s.st_mode) || s.st_uid != getuid()) { | 130 | fprintf(stderr, "Error: %s is a symbolic link\n", homeusercfg); |
| 170 | if (S_ISLNK(s.st_mode)) | 131 | else |
| 171 | fprintf(stderr, "Error: user .config/pulse is a symbolic link\n"); | 132 | fprintf(stderr, "Error: %s is not a directory\n", homeusercfg); |
| 172 | else | 133 | exit(1); |
| 173 | fprintf(stderr, "Error: user .config/pulse is not a directory owned by the current user\n"); | ||
| 174 | exit(1); | ||
| 175 | } | ||
| 176 | } | 134 | } |
| 177 | free(dir1); | ||
| 178 | 135 | ||
| 179 | // if we have ~/.config/pulse mount the new directory, else set environment variable. | 136 | // if we have ~/.config/pulse mount the new directory, else set environment variable. |
| 180 | char *homeusercfg; | ||
| 181 | if (asprintf(&homeusercfg, "%s/.config/pulse", cfg.homedir) == -1) | ||
| 182 | errExit("asprintf"); | ||
| 183 | if (stat(homeusercfg, &s) == 0) { | 137 | if (stat(homeusercfg, &s) == 0) { |
| 184 | // get a file descriptor for ~/.config/pulse, fails if there is any symlink | 138 | // get a file descriptor for ~/.config/pulse, fails if there is any symlink |
| 185 | int fd = safe_fd(homeusercfg, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); | 139 | int fd = safe_fd(homeusercfg, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); |
| 186 | if (fd == -1) | 140 | if (fd == -1) |
| 187 | errExit("safe_fd"); | 141 | errExit("safe_fd"); |
| 188 | // confirm the actual mount destination is owned by the user | 142 | // confirm the actual mount destination is owned by the user |
| 189 | if (fstat(fd, &s) == -1 || s.st_uid != getuid()) | 143 | if (fstat(fd, &s) == -1) |
| 190 | errExit("fstat"); | 144 | errExit("fstat"); |
| 145 | if (s.st_uid != getuid()) { | ||
| 146 | fprintf(stderr, "Error: %s is not owned by the current user\n", homeusercfg); | ||
| 147 | exit(1); | ||
| 148 | } | ||
| 191 | // preserve a read-only mount | 149 | // preserve a read-only mount |
| 192 | struct statvfs vfs; | 150 | struct statvfs vfs; |
| 193 | if (fstatvfs(fd, &vfs) == -1) | 151 | if (fstatvfs(fd, &vfs) == -1) |
diff --git a/src/firejail/util.c b/src/firejail/util.c index 9af41ffe2..8c474f966 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
| @@ -961,7 +961,8 @@ void flush_stdin(void) { | |||
| 961 | } | 961 | } |
| 962 | } | 962 | } |
| 963 | 963 | ||
| 964 | void create_empty_dir_as_user(const char *dir, mode_t mode) { | 964 | // return 1 if new directory was created, else return 0 |
| 965 | int create_empty_dir_as_user(const char *dir, mode_t mode) { | ||
| 965 | assert(dir); | 966 | assert(dir); |
| 966 | mode &= 07777; | 967 | mode &= 07777; |
| 967 | struct stat s; | 968 | struct stat s; |
| @@ -980,7 +981,7 @@ void create_empty_dir_as_user(const char *dir, mode_t mode) { | |||
| 980 | if (chmod(dir, mode) == -1) | 981 | if (chmod(dir, mode) == -1) |
| 981 | {;} // do nothing | 982 | {;} // do nothing |
| 982 | } | 983 | } |
| 983 | else if (errno != EEXIST && arg_debug) { | 984 | else if (arg_debug) { |
| 984 | char *str; | 985 | char *str; |
| 985 | if (asprintf(&str, "Directory %s not created", dir) == -1) | 986 | if (asprintf(&str, "Directory %s not created", dir) == -1) |
| 986 | errExit("asprintf"); | 987 | errExit("asprintf"); |
| @@ -993,8 +994,9 @@ void create_empty_dir_as_user(const char *dir, mode_t mode) { | |||
| 993 | } | 994 | } |
| 994 | waitpid(child, NULL, 0); | 995 | waitpid(child, NULL, 0); |
| 995 | if (stat(dir, &s) == 0) | 996 | if (stat(dir, &s) == 0) |
| 996 | fs_logger2("create", dir); | 997 | return 1; |
| 997 | } | 998 | } |
| 999 | return 0; | ||
| 998 | } | 1000 | } |
| 999 | 1001 | ||
| 1000 | void create_empty_dir_as_root(const char *dir, mode_t mode) { | 1002 | void create_empty_dir_as_root(const char *dir, mode_t mode) { |