author | smitsohu <smitsohu@gmail.com> | 2020-08-09 22:18:48 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2020-08-09 22:18:48 +0200 |
commit | 89accfbe072c062209eee81ef4a6a50b9be5f02c (patch) | |
tree | a5f8676387b307925a1f7336e9fd17a76857e4cf | |
parent | Merge branch 'release-0.9.62' of https://github.com/netblue30/firejail into r... (diff) | |
fix writable-var-log
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs.c | 7 |
2 files changed, 5 insertions, 3 deletions
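--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -374,6 +374,7 @@ typedef enum {
 	MOUNT_TMPFS,
 	MOUNT_NOEXEC,
 	MOUNT_RDWR,
+	MOUNT_RDWR_NOCHECK, // no check of ownership
 	OPERATION_MAX
 } OPERATION;
 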
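--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -50,6 +50,7 @@ static char *opstr[] = {
 	[MOUNT_TMPFS] = "tmpfs",
 	[MOUNT_NOEXEC] = "noexec",
 	[MOUNT_RDWR] = "read-write",
+	[MOUNT_RDWR_NOCHECK] = "read-write",
 };
 
 typedef enum {
@@ -491,9 +492,9 @@ void fs_remount(const char *dir, OPERATION op, unsigned check_mnt) {
 		fwarning("cannot remount %s\n", dir);
 		return;
 	}
-	if (op == MOUNT_RDWR) {
+	if (op == MOUNT_RDWR || op == MOUNT_RDWR_NOCHECK) {
 		// allow only user owned directories, except the user is root
-		if (getuid() != 0 && s.st_uid != getuid()) {
+		if (op != MOUNT_RDWR_NOCHECK && getuid() != 0 && s.st_uid != getuid()) {
 			fwarning("you are not allowed to change %s to read-write\n", dir);
 			return;
 		}
@@ -773,7 +774,7 @@ void fs_basic_fs(void) {
 	if (!arg_writable_var_log)
 		fs_var_log();
 	else
-		fs_remount("/var/log", MOUNT_RDWR_NOCHECK, 0);
+		fs_remount("/var/log", MOUNT_RDWR_NOCHECK, 0);
 
 	fs_var_lib();
 	fs_var_cache();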
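Review bot: In the fs_remount hunk the ownership guard now accepts MOUNT_RDWR_NOCHECK, but the comment above it still reads "allow only user owned directories, except the user is root", which is no longer the whole rule; suggest `// allow only user owned directories, except the user is root or the caller passed MOUNT_RDWR_NOCHECK (trusted fixed path)`. The rest of fs_remount lies outside the hunk, so it is worth confirming that any later `op == MOUNT_RDWR` comparison there (e.g. where the read-only flag is cleared) also accepts MOUNT_RDWR_NOCHECK, otherwise the new op clears the guard yet never remounts read-write. In the opstr hunk the new entry reuses the string "read-write"; if that table is ever searched by string to resolve an op the duplicate is ambiguous, and if it is only used for log output a distinct label such as `"read-write (no ownership check)"` would make the privileged variant visible in the trace.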