diff options
| author |  netblue30 <netblue30@yahoo.com> | 2016-01-19 10:29:18 -0500 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2016-01-19 10:29:18 -0500 |
| commit | 0430643b36669aeaf4ea3b9ff31eb092c92b48dc (patch) | |
| tree | 499cc2e8db4a69f2cc3b69f617ebce6826bc020d | |
| parent | man firejail-profile fixes (diff) | |
| download | firejail-0430643b36669aeaf4ea3b9ff31eb092c92b48dc.tar.gz firejail-0430643b36669aeaf4ea3b9ff31eb092c92b48dc.tar.zst firejail-0430643b36669aeaf4ea3b9ff31eb092c92b48dc.zip | |
debug whitelist code
| -rw-r--r-- | src/firejail/fs_whitelist.c | 43 |
1 files changed, 35 insertions, 8 deletions
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 94b2da47e..22fbe2111 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
| @@ -335,6 +335,8 @@ void fs_whitelist(void) { | |||
| 335 | // replace ~/ or ${HOME} into /home/username | 335 | // replace ~/ or ${HOME} into /home/username |
| 336 | new_name = expand_home(entry->data + 10, cfg.homedir); | 336 | new_name = expand_home(entry->data + 10, cfg.homedir); |
| 337 | assert(new_name); | 337 | assert(new_name); |
| 338 | if (arg_debug) | ||
| 339 | fprintf(stderr, "Debug %d: new_name #%s#\n", __LINE__, new_name); | ||
| 338 | 340 | ||
| 339 | // extract the absolute path of the file | 341 | // extract the absolute path of the file |
| 340 | // realpath function will fail with ENOENT if the file is not found | 342 | // realpath function will fail with ENOENT if the file is not found |
| @@ -353,8 +355,11 @@ void fs_whitelist(void) { | |||
| 353 | } | 355 | } |
| 354 | 356 | ||
| 355 | // valid path referenced to filesystem root | 357 | // valid path referenced to filesystem root |
| 356 | if (*new_name != '/') | 358 | if (*new_name != '/') { |
| 359 | if (arg_debug) | ||
| 360 | fprintf(stderr, "Debug %d: \n", __LINE__); | ||
| 357 | goto errexit; | 361 | goto errexit; |
| 362 | } | ||
| 358 | 363 | ||
| 359 | // check for supported directories | 364 | // check for supported directories |
| 360 | if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) { | 365 | if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) { |
| @@ -370,46 +375,68 @@ void fs_whitelist(void) { | |||
| 370 | entry->home_dir = 1; | 375 | entry->home_dir = 1; |
| 371 | home_dir = 1; | 376 | home_dir = 1; |
| 372 | // both path and absolute path are under /home | 377 | // both path and absolute path are under /home |
| 373 | if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) | 378 | if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) { |
| 379 | if (arg_debug) | ||
| 380 | fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n", | ||
| 381 | __LINE__, fname, cfg.homedir); | ||
| 374 | goto errexit; | 382 | goto errexit; |
| 383 | } | ||
| 375 | } | 384 | } |
| 376 | else if (strncmp(new_name, "/tmp/", 5) == 0) { | 385 | else if (strncmp(new_name, "/tmp/", 5) == 0) { |
| 377 | entry->tmp_dir = 1; | 386 | entry->tmp_dir = 1; |
| 378 | tmp_dir = 1; | 387 | tmp_dir = 1; |
| 379 | // both path and absolute path are under /tmp | 388 | // both path and absolute path are under /tmp |
| 380 | if (strncmp(fname, "/tmp/", 5) != 0) | 389 | if (strncmp(fname, "/tmp/", 5) != 0) { |
| 390 | if (arg_debug) | ||
| 391 | fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); | ||
| 381 | goto errexit; | 392 | goto errexit; |
| 393 | } | ||
| 382 | } | 394 | } |
| 383 | else if (strncmp(new_name, "/media/", 7) == 0) { | 395 | else if (strncmp(new_name, "/media/", 7) == 0) { |
| 384 | entry->media_dir = 1; | 396 | entry->media_dir = 1; |
| 385 | media_dir = 1; | 397 | media_dir = 1; |
| 386 | // both path and absolute path are under /media | 398 | // both path and absolute path are under /media |
| 387 | if (strncmp(fname, "/media/", 7) != 0) | 399 | if (strncmp(fname, "/media/", 7) != 0) { |
| 400 | if (arg_debug) | ||
| 401 | fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); | ||
| 388 | goto errexit; | 402 | goto errexit; |
| 403 | } | ||
| 389 | } | 404 | } |
| 390 | else if (strncmp(new_name, "/var/", 5) == 0) { | 405 | else if (strncmp(new_name, "/var/", 5) == 0) { |
| 391 | entry->var_dir = 1; | 406 | entry->var_dir = 1; |
| 392 | var_dir = 1; | 407 | var_dir = 1; |
| 393 | // both path and absolute path are under /var | 408 | // both path and absolute path are under /var |
| 394 | if (strncmp(fname, "/var/", 5) != 0) | 409 | if (strncmp(fname, "/var/", 5) != 0) { |
| 410 | if (arg_debug) | ||
| 411 | fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); | ||
| 395 | goto errexit; | 412 | goto errexit; |
| 413 | } | ||
| 396 | } | 414 | } |
| 397 | else if (strncmp(new_name, "/dev/", 5) == 0) { | 415 | else if (strncmp(new_name, "/dev/", 5) == 0) { |
| 398 | entry->dev_dir = 1; | 416 | entry->dev_dir = 1; |
| 399 | dev_dir = 1; | 417 | dev_dir = 1; |
| 400 | // both path and absolute path are under /dev | 418 | // both path and absolute path are under /dev |
| 401 | if (strncmp(fname, "/dev/", 5) != 0) | 419 | if (strncmp(fname, "/dev/", 5) != 0) { |
| 420 | if (arg_debug) | ||
| 421 | fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); | ||
| 402 | goto errexit; | 422 | goto errexit; |
| 423 | } | ||
| 403 | } | 424 | } |
| 404 | else if (strncmp(new_name, "/opt/", 5) == 0) { | 425 | else if (strncmp(new_name, "/opt/", 5) == 0) { |
| 405 | entry->opt_dir = 1; | 426 | entry->opt_dir = 1; |
| 406 | opt_dir = 1; | 427 | opt_dir = 1; |
| 407 | // both path and absolute path are under /dev | 428 | // both path and absolute path are under /dev |
| 408 | if (strncmp(fname, "/opt/", 5) != 0) | 429 | if (strncmp(fname, "/opt/", 5) != 0) { |
| 430 | if (arg_debug) | ||
| 431 | fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); | ||
| 409 | goto errexit; | 432 | goto errexit; |
| 433 | } | ||
| 410 | } | 434 | } |
| 411 | else | 435 | else { |
| 436 | if (arg_debug) | ||
| 437 | fprintf(stderr, "Debug %d: \n", __LINE__); | ||
| 412 | goto errexit; | 438 | goto errexit; |
| 439 | } | ||
| 413 | 440 | ||
| 414 | // mark symbolic links | 441 | // mark symbolic links |
| 415 | if (is_link(new_name)) | 442 | if (is_link(new_name)) |