diff options
| author |  smitsohu <smitsohu@gmail.com> | 2022-02-24 19:29:19 +0100 |
|---|---|---|
| committer | smitsohu <smitsohu@gmail.com> | 2022-02-24 19:29:19 +0100 |
| commit | 4b41e0c27ba4727fccba5009b3bf7085fb132846 (patch) | |
| tree | 160998a4cdff36b59d0b7ededb3ac7e985c06be6 | |
| parent | hardening zeal.profile (#4970) (diff) | |
| download | firejail-4b41e0c27ba4727fccba5009b3bf7085fb132846.tar.gz firejail-4b41e0c27ba4727fccba5009b3bf7085fb132846.tar.zst firejail-4b41e0c27ba4727fccba5009b3bf7085fb132846.zip | |
fix --whitelist=/run/*
| -rw-r--r-- | src/firejail/fs_whitelist.c | 21 |
1 files changed, 14 insertions, 7 deletions
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index c515b59f5..2acde5837 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
| @@ -592,10 +592,6 @@ void fs_whitelist(void) { | |||
| 592 | if (strstr(new_name, "..")) | 592 | if (strstr(new_name, "..")) |
| 593 | whitelist_error(new_name); | 593 | whitelist_error(new_name); |
| 594 | 594 | ||
| 595 | // /run/firejail is not allowed | ||
| 596 | if (strncmp(new_name, RUN_FIREJAIL_DIR, strlen(RUN_FIREJAIL_DIR)) == 0) | ||
| 597 | whitelist_error(new_name); | ||
| 598 | |||
| 599 | TopDir *current_top = NULL; | 595 | TopDir *current_top = NULL; |
| 600 | if (!nowhitelist_flag) { | 596 | if (!nowhitelist_flag) { |
| 601 | // extract whitelist top level directory | 597 | // extract whitelist top level directory |
| @@ -617,6 +613,13 @@ void fs_whitelist(void) { | |||
| 617 | free(dir); | 613 | free(dir); |
| 618 | } | 614 | } |
| 619 | 615 | ||
| 616 | // /run/firejail directory is internal and not allowed | ||
| 617 | if (strncmp(new_name, RUN_FIREJAIL_DIR, strlen(RUN_FIREJAIL_DIR)) == 0) { | ||
| 618 | entry = entry->next; | ||
| 619 | free(new_name); | ||
| 620 | continue; | ||
| 621 | } | ||
| 622 | |||
| 620 | // extract resolved path of the file | 623 | // extract resolved path of the file |
| 621 | // realpath function will fail with ENOENT if the file is not found or with EACCES if user has no permission | 624 | // realpath function will fail with ENOENT if the file is not found or with EACCES if user has no permission |
| 622 | // special processing for /dev/fd, /dev/stdin, /dev/stdout and /dev/stderr | 625 | // special processing for /dev/fd, /dev/stdin, /dev/stdout and /dev/stderr |
| @@ -653,9 +656,13 @@ void fs_whitelist(void) { | |||
| 653 | continue; | 656 | continue; |
| 654 | } | 657 | } |
| 655 | 658 | ||
| 656 | // /run/firejail is not allowed | 659 | // /run/firejail directory is internal and not allowed |
| 657 | if (strncmp(fname, RUN_FIREJAIL_DIR, strlen(RUN_FIREJAIL_DIR)) == 0) | 660 | if (strncmp(fname, RUN_FIREJAIL_DIR, strlen(RUN_FIREJAIL_DIR)) == 0) { |
| 658 | whitelist_error(fname); | 661 | entry = entry->next; |
| 662 | free(new_name); | ||
| 663 | free(fname); | ||
| 664 | continue; | ||
| 665 | } | ||
| 659 | 666 | ||
| 660 | if (nowhitelist_flag) { | 667 | if (nowhitelist_flag) { |
| 661 | // store the path in nowhitelist array | 668 | // store the path in nowhitelist array |