diff options
| author |  smitsohu <smitsohu@gmail.com> | 2020-08-09 22:18:48 +0200 |
|---|---|---|
| committer | smitsohu <smitsohu@gmail.com> | 2020-08-09 22:18:48 +0200 |
| commit | 89accfbe072c062209eee81ef4a6a50b9be5f02c (patch) | |
| tree | a5f8676387b307925a1f7336e9fd17a76857e4cf | |
| parent | Merge branch 'release-0.9.62' of https://github.com/netblue30/firejail into r... (diff) | |
| download | firejail-89accfbe072c062209eee81ef4a6a50b9be5f02c.tar.gz firejail-89accfbe072c062209eee81ef4a6a50b9be5f02c.tar.zst firejail-89accfbe072c062209eee81ef4a6a50b9be5f02c.zip | |
fix writable-var-log
| -rw-r--r-- | src/firejail/firejail.h | 1 | ||||
| -rw-r--r-- | src/firejail/fs.c | 7 |
2 files changed, 5 insertions, 3 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index fdbeb4691..99afbc023 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -374,6 +374,7 @@ typedef enum { | |||
| 374 | MOUNT_TMPFS, | 374 | MOUNT_TMPFS, |
| 375 | MOUNT_NOEXEC, | 375 | MOUNT_NOEXEC, |
| 376 | MOUNT_RDWR, | 376 | MOUNT_RDWR, |
| 377 | MOUNT_RDWR_NOCHECK, // no check of ownership | ||
| 377 | OPERATION_MAX | 378 | OPERATION_MAX |
| 378 | } OPERATION; | 379 | } OPERATION; |
| 379 | 380 | ||
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index ce1ee4618..190dbb9b3 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
| @@ -50,6 +50,7 @@ static char *opstr[] = { | |||
| 50 | [MOUNT_TMPFS] = "tmpfs", | 50 | [MOUNT_TMPFS] = "tmpfs", |
| 51 | [MOUNT_NOEXEC] = "noexec", | 51 | [MOUNT_NOEXEC] = "noexec", |
| 52 | [MOUNT_RDWR] = "read-write", | 52 | [MOUNT_RDWR] = "read-write", |
| 53 | [MOUNT_RDWR_NOCHECK] = "read-write", | ||
| 53 | }; | 54 | }; |
| 54 | 55 | ||
| 55 | typedef enum { | 56 | typedef enum { |
| @@ -491,9 +492,9 @@ void fs_remount(const char *dir, OPERATION op, unsigned check_mnt) { | |||
| 491 | fwarning("cannot remount %s\n", dir); | 492 | fwarning("cannot remount %s\n", dir); |
| 492 | return; | 493 | return; |
| 493 | } | 494 | } |
| 494 | if (op == MOUNT_RDWR) { | 495 | if (op == MOUNT_RDWR || op == MOUNT_RDWR_NOCHECK) { |
| 495 | // allow only user owned directories, except the user is root | 496 | // allow only user owned directories, except the user is root |
| 496 | if (getuid() != 0 && s.st_uid != getuid()) { | 497 | if (op != MOUNT_RDWR_NOCHECK && getuid() != 0 && s.st_uid != getuid()) { |
| 497 | fwarning("you are not allowed to change %s to read-write\n", dir); | 498 | fwarning("you are not allowed to change %s to read-write\n", dir); |
| 498 | return; | 499 | return; |
| 499 | } | 500 | } |
| @@ -773,7 +774,7 @@ void fs_basic_fs(void) { | |||
| 773 | if (!arg_writable_var_log) | 774 | if (!arg_writable_var_log) |
| 774 | fs_var_log(); | 775 | fs_var_log(); |
| 775 | else | 776 | else |
| 776 | fs_remount("/var/log", MOUNT_RDWR, 0); | 777 | fs_remount("/var/log", MOUNT_RDWR_NOCHECK, 0); |
| 777 | 778 | ||
| 778 | fs_var_lib(); | 779 | fs_var_lib(); |
| 779 | fs_var_cache(); | 780 | fs_var_cache(); |