diff options
author | smitsohu <smitsohu@gmail.com> | 2018-07-05 23:11:40 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2018-07-05 23:11:40 +0200 |
commit | 0be440a16f04dffc62286236d557a44db5bc04a8 (patch) | |
tree | c09cc1196484d9658fe5067eaa2ca2f2b0227957 | |
parent | Merges + misc fixes (diff) | |
download | firejail-0be440a16f04dffc62286236d557a44db5bc04a8.tar.gz firejail-0be440a16f04dffc62286236d557a44db5bc04a8.tar.zst firejail-0be440a16f04dffc62286236d557a44db5bc04a8.zip |
remove redundant checks in whitelist_path
-rw-r--r-- | src/firejail/fs_whitelist.c | 64 |
1 files changed, 12 insertions, 52 deletions
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index d52b3996a..d11f727ec 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -197,111 +197,83 @@ static void whitelist_path(ProfileEntry *entry) { | |||
197 | char *wfile = NULL; | 197 | char *wfile = NULL; |
198 | 198 | ||
199 | if (entry->home_dir) { | 199 | if (entry->home_dir) { |
200 | if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) { | 200 | if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) != 0) |
201 | fname = path + strlen(cfg.homedir); | ||
202 | if (*fname == '\0') | ||
203 | goto errexit; | ||
204 | } | ||
205 | else | ||
206 | // symlink pointing outside /home, skip the mount | 201 | // symlink pointing outside /home, skip the mount |
207 | return; | 202 | return; |
208 | 203 | ||
204 | fname = path + strlen(cfg.homedir); | ||
205 | |||
209 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1) | 206 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1) |
210 | errExit("asprintf"); | 207 | errExit("asprintf"); |
211 | } | 208 | } |
212 | else if (entry->tmp_dir) { | 209 | else if (entry->tmp_dir) { |
213 | fname = path + 5; // strlen("/tmp/") | 210 | fname = path + 5; // strlen("/tmp/") |
214 | #ifndef TEST_MOUNTINFO | ||
215 | if (*fname == '\0') | ||
216 | errLogExit("whitelisting /tmp problem"); | ||
217 | #endif | ||
218 | 211 | ||
219 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_TMP_DIR, fname) == -1) | 212 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_TMP_DIR, fname) == -1) |
220 | errExit("asprintf"); | 213 | errExit("asprintf"); |
221 | } | 214 | } |
222 | else if (entry->media_dir) { | 215 | else if (entry->media_dir) { |
223 | fname = path + 7; // strlen("/media/") | 216 | fname = path + 7; // strlen("/media/") |
224 | if (*fname == '\0') | ||
225 | goto errexit; | ||
226 | 217 | ||
227 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MEDIA_DIR, fname) == -1) | 218 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MEDIA_DIR, fname) == -1) |
228 | errExit("asprintf"); | 219 | errExit("asprintf"); |
229 | } | 220 | } |
230 | else if (entry->mnt_dir) { | 221 | else if (entry->mnt_dir) { |
231 | fname = path + 5; // strlen("/mnt/") | 222 | fname = path + 5; // strlen("/mnt/") |
232 | if (*fname == '\0') | ||
233 | goto errexit; | ||
234 | 223 | ||
235 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MNT_DIR, fname) == -1) | 224 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MNT_DIR, fname) == -1) |
236 | errExit("asprintf"); | 225 | errExit("asprintf"); |
237 | } | 226 | } |
238 | else if (entry->var_dir) { | 227 | else if (entry->var_dir) { |
239 | if (strncmp(path, "/var/", 5) == 0) { | 228 | if (strncmp(path, "/var/", 5) != 0) |
240 | fname = path + 5; // strlen("/var/") | ||
241 | if (*fname == '\0') | ||
242 | goto errexit; | ||
243 | } | ||
244 | else | ||
245 | // symlink pointing outside /var, skip the mount | 229 | // symlink pointing outside /var, skip the mount |
246 | return; | 230 | return; |
247 | 231 | ||
232 | fname = path + 5; // strlen("/var/") | ||
233 | |||
248 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_VAR_DIR, fname) == -1) | 234 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_VAR_DIR, fname) == -1) |
249 | errExit("asprintf"); | 235 | errExit("asprintf"); |
250 | } | 236 | } |
251 | else if (entry->dev_dir) { | 237 | else if (entry->dev_dir) { |
252 | if (strncmp(path, "/dev/", 5) == 0) { | 238 | if (strncmp(path, "/dev/", 5) != 0) |
253 | fname = path + 5; // strlen("/dev/") | ||
254 | if (*fname == '\0') | ||
255 | goto errexit; | ||
256 | } | ||
257 | else | ||
258 | // symlink pointing outside /dev, skip the mount | 239 | // symlink pointing outside /dev, skip the mount |
259 | return; | 240 | return; |
260 | 241 | ||
242 | fname = path + 5; // strlen("/dev/") | ||
243 | |||
261 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_DEV_DIR, fname) == -1) | 244 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_DEV_DIR, fname) == -1) |
262 | errExit("asprintf"); | 245 | errExit("asprintf"); |
263 | } | 246 | } |
264 | else if (entry->opt_dir) { | 247 | else if (entry->opt_dir) { |
265 | fname = path + 5; // strlen("/opt/") | 248 | fname = path + 5; // strlen("/opt/") |
266 | if (*fname == '\0') | ||
267 | goto errexit; | ||
268 | 249 | ||
269 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1) | 250 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1) |
270 | errExit("asprintf"); | 251 | errExit("asprintf"); |
271 | } | 252 | } |
272 | else if (entry->srv_dir) { | 253 | else if (entry->srv_dir) { |
273 | fname = path + 5; // strlen("/srv/") | 254 | fname = path + 5; // strlen("/srv/") |
274 | if (*fname == '\0') | ||
275 | goto errexit; | ||
276 | 255 | ||
277 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SRV_DIR, fname) == -1) | 256 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SRV_DIR, fname) == -1) |
278 | errExit("asprintf"); | 257 | errExit("asprintf"); |
279 | } | 258 | } |
280 | else if (entry->etc_dir) { | 259 | else if (entry->etc_dir) { |
281 | if (strncmp(path, "/etc/", 5) == 0) { | 260 | if (strncmp(path, "/etc/", 5) != 0) |
282 | fname = path + 5; // strlen("/etc/") | ||
283 | if (*fname == '\0') | ||
284 | goto errexit; | ||
285 | } | ||
286 | else | ||
287 | // symlink pointing outside /etc, skip the mount | 261 | // symlink pointing outside /etc, skip the mount |
288 | return; | 262 | return; |
289 | 263 | ||
264 | fname = path + 5; // strlen("/etc/") | ||
265 | |||
290 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_ETC_DIR, fname) == -1) | 266 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_ETC_DIR, fname) == -1) |
291 | errExit("asprintf"); | 267 | errExit("asprintf"); |
292 | } | 268 | } |
293 | else if (entry->share_dir) { | 269 | else if (entry->share_dir) { |
294 | fname = path + 11; // strlen("/usr/share/") | 270 | fname = path + 11; // strlen("/usr/share/") |
295 | if (*fname == '\0') | ||
296 | goto errexit; | ||
297 | 271 | ||
298 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SHARE_DIR, fname) == -1) | 272 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SHARE_DIR, fname) == -1) |
299 | errExit("asprintf"); | 273 | errExit("asprintf"); |
300 | } | 274 | } |
301 | else if (entry->module_dir) { | 275 | else if (entry->module_dir) { |
302 | fname = path + 12; // strlen("/sys/module/") | 276 | fname = path + 12; // strlen("/sys/module/") |
303 | if (*fname == '\0') | ||
304 | goto errexit; | ||
305 | 277 | ||
306 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MODULE_DIR, fname) == -1) | 278 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MODULE_DIR, fname) == -1) |
307 | errExit("asprintf"); | 279 | errExit("asprintf"); |
@@ -366,10 +338,6 @@ static void whitelist_path(ProfileEntry *entry) { | |||
366 | 338 | ||
367 | free(wfile); | 339 | free(wfile); |
368 | return; | 340 | return; |
369 | |||
370 | errexit: | ||
371 | fprintf(stderr, "Error: file %s is not in the whitelisted directory\n", path); | ||
372 | exit(1); | ||
373 | } | 341 | } |
374 | 342 | ||
375 | 343 | ||
@@ -934,14 +902,6 @@ void fs_whitelist(void) { | |||
934 | fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link); | 902 | fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link); |
935 | else if (arg_debug || arg_debug_whitelists) | 903 | else if (arg_debug || arg_debug_whitelists) |
936 | printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10); | 904 | printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10); |
937 | |||
938 | // check again for files in /tmp directory | ||
939 | if (strncmp(entry->link, "/tmp/", 5) == 0) { | ||
940 | char *path = realpath(entry->link, NULL); | ||
941 | if (path == NULL || strncmp(path, "/tmp/", 5) != 0) | ||
942 | errLogExit("invalid whitelist symlink %s\n", entry->link); | ||
943 | free(path); | ||
944 | } | ||
945 | } | 905 | } |
946 | } | 906 | } |
947 | 907 | ||