fix private-etc empty list

author: netblue30 <netblue30@yahoo.com> 2016-05-07 10:05:29 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-05-07 10:05:29 -0400
commit: 571e8a53d6f083de8c6c90cdc9e6c48c31bb2702 (patch)
tree: 53f63b3f9ec76c2d958246fe8e184b71615604d4
parent: Merge pull request #502 from Fred-Barclay/xapps (diff)
download: firejail-571e8a53d6f083de8c6c90cdc9e6c48c31bb2702.tar.gz
firejail-571e8a53d6f083de8c6c90cdc9e6c48c31bb2702.tar.zst
firejail-571e8a53d6f083de8c6c90cdc9e6c48c31bb2702.zip
6 files changed, 76 insertions, 40 deletions
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index 1a44b1305..2ff36f5d2 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -129,40 +129,44 @@ void fs_private_etc_list(void) {
                errExit("chmod");
        fs_logger("tmpfs /etc");
        
-        // copy the list of files in the new etc directory
-        // using a new child process without root privileges
        fs_logger_print();      // save the current log
-        pid_t child = fork();
-        if (child < 0)
-                errExit("fork");
-        if (child == 0) {
-                if (arg_debug)
-                        printf("Copying files in the new etc directory:\n");
-                // elevate privileges - files in the new /etc directory belong to root
-                if (setreuid(0, 0) < 0)
-                        errExit("setreuid");
-                if (setregid(0, 0) < 0)
-                        errExit("setregid");
-                
-                // copy the list of files in the new home directory
-                char *dlist = strdup(private_list);
-                if (!dlist)
-                        errExit("strdup");
-        
-                char *ptr = strtok(dlist, ",");
+        // copy the list of files in the new etc directory
-                duplicate(ptr);
+        // using a new child process without root privileges
+        if (*private_list != '\0') {
+                pid_t child = fork();
+                if (child < 0)
+                        errExit("fork");
+                if (child == 0) {
+                        if (arg_debug)
+                                printf("Copying files in the new etc directory:\n");
        
-                while ((ptr = strtok(NULL, ",")) != NULL)
+                        // elevate privileges - files in the new /etc directory belong to root
+                        if (setreuid(0, 0) < 0)
+                                errExit("setreuid");
+                        if (setregid(0, 0) < 0)
+                                errExit("setregid");
+                        
+                        // copy the list of files in the new home directory
+                        char *dlist = strdup(private_list);
+                        if (!dlist)
+                                errExit("strdup");
+                
+        
+                        char *ptr = strtok(dlist, ",");
                        duplicate(ptr);
-                free(dlist);    
+                
-                fs_logger_print();
+                        while ((ptr = strtok(NULL, ",")) != NULL)
-                exit(0);
+                                duplicate(ptr);
+                        free(dlist);    
+                        fs_logger_print();
+                        exit(0);
+                }
+                // wait for the child to finish
+                waitpid(child, NULL, 0);
        }
-        // wait for the child to finish
+        
-        waitpid(child, NULL, 0);
        if (arg_debug)
                printf("Mount-bind %s on top of /etc\n", RUN_ETC_DIR);
        if (mount(RUN_ETC_DIR, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 7aa81a9c5..59f500e3a 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1330,12 +1330,7 @@ int main(int argc, char **argv) {
                                exit(1);
                        }
                        fs_check_etc_list();
-                        if (*cfg.etc_private_keep != '\0')
+                        arg_private_etc = 1;
-                                arg_private_etc = 1;
-                        else {
-                                arg_private_etc = 0;
-                                fprintf(stderr, "Warning: private-etc disabled, no file found\n");
-                        }
                }
                else if (strncmp(argv[i], "--private-bin=", 14) == 0) {
                        // extract private bin list
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 2b3984a99..095e5eecc 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -611,12 +611,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                }
                cfg.etc_private_keep = ptr + 12;
                fs_check_etc_list();
-                if (*cfg.etc_private_keep != '\0')
+                arg_private_etc = 1;
-                        arg_private_etc = 1;
-                else {
-                        arg_private_etc = 0;
-                        fprintf(stderr, "Warning: private-etc disabled, no file found\n");
-                }
                
                return 0;
        }
diff --git a/test/fs/fs.sh b/test/fs/fs.sh
index 0fcffcb8e..b49aadf02 100755
--- a/test/fs/fs.sh
+++ b/test/fs/fs.sh
@@ -24,6 +24,9 @@ echo "TESTING: private (test/fs/private.exp)"
 echo "TESTING: private-etc (test/fs/private-etc.exp)"
 ./private-etc.exp
+echo "TESTING: empty private-etc (test/fs/private-etc-empty.exp)"
+./private-etc-empty.exp
 echo "TESTING: private-bin (test/fs/private-bin.exp)"
 ./private-bin.exp
diff --git a/test/fs/private-etc-empty.exp b/test/fs/private-etc-empty.exp
new file mode 100755
index 000000000..13e917a5c
--- /dev/null
+++ b/test/fs/private-etc-empty.exp
@@ -0,0 +1,38 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+set timeout 30
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --private-etc=blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls -l /etc | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "0"
+}
+send -- "exit\r"
+sleep 1
+send -- "firejail --profile=private-etc-empty.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls -l /etc | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "0"
+}
+puts "\nall done\n"
diff --git a/test/fs/private-etc-empty.profile b/test/fs/private-etc-empty.profile
new file mode 100644
index 000000000..38aa8cd68
--- /dev/null
+++ b/test/fs/private-etc-empty.profile
@@ -0,0 +1 @@
+private-etc blablabla
author	netblue30 <netblue30@yahoo.com>	2016-05-07 10:05:29 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-05-07 10:05:29 -0400
commit	571e8a53d6f083de8c6c90cdc9e6c48c31bb2702 (patch)
tree	53f63b3f9ec76c2d958246fe8e184b71615604d4
parent	Merge pull request #502 from Fred-Barclay/xapps (diff)
download	firejail-571e8a53d6f083de8c6c90cdc9e6c48c31bb2702.tar.gz firejail-571e8a53d6f083de8c6c90cdc9e6c48c31bb2702.tar.zst firejail-571e8a53d6f083de8c6c90cdc9e6c48c31bb2702.zip

diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index 1a44b1305..2ff36f5d2 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c
@@ -129,40 +129,44 @@ void fs_private_etc_list(void) {
129	errExit("chmod");	129	errExit("chmod");
130	fs_logger("tmpfs /etc");	130	fs_logger("tmpfs /etc");
131		131
132	// copy the list of files in the new etc directory
133	// using a new child process without root privileges
134	fs_logger_print(); // save the current log	132	fs_logger_print(); // save the current log
135	pid_t child = fork();
136	if (child < 0)
137	errExit("fork");
138	if (child == 0) {
139	if (arg_debug)
140	printf("Copying files in the new etc directory:\n");
141		133
142	// elevate privileges - files in the new /etc directory belong to root
143	if (setreuid(0, 0) < 0)
144	errExit("setreuid");
145	if (setregid(0, 0) < 0)
146	errExit("setregid");
147
148	// copy the list of files in the new home directory
149	char *dlist = strdup(private_list);
150	if (!dlist)
151	errExit("strdup");
152
153		134
154	char *ptr = strtok(dlist, ",");	135	// copy the list of files in the new etc directory
155	duplicate(ptr);	136	// using a new child process without root privileges
		137	if (*private_list != '\0') {
		138	pid_t child = fork();
		139	if (child < 0)
		140	errExit("fork");
		141	if (child == 0) {
		142	if (arg_debug)
		143	printf("Copying files in the new etc directory:\n");
156		144
157	while ((ptr = strtok(NULL, ",")) != NULL)	145	// elevate privileges - files in the new /etc directory belong to root
		146	if (setreuid(0, 0) < 0)
		147	errExit("setreuid");
		148	if (setregid(0, 0) < 0)
		149	errExit("setregid");
		150
		151	// copy the list of files in the new home directory
		152	char *dlist = strdup(private_list);
		153	if (!dlist)
		154	errExit("strdup");
		155
		156
		157	char *ptr = strtok(dlist, ",");
158	duplicate(ptr);	158	duplicate(ptr);
159	free(dlist);	159
160	fs_logger_print();	160	while ((ptr = strtok(NULL, ",")) != NULL)
161	exit(0);	161	duplicate(ptr);
		162	free(dlist);
		163	fs_logger_print();
		164	exit(0);
		165	}
		166	// wait for the child to finish
		167	waitpid(child, NULL, 0);
162	}	168	}
163	// wait for the child to finish	169
164	waitpid(child, NULL, 0);
165
166	if (arg_debug)	170	if (arg_debug)
167	printf("Mount-bind %s on top of /etc\n", RUN_ETC_DIR);	171	printf("Mount-bind %s on top of /etc\n", RUN_ETC_DIR);
168	if (mount(RUN_ETC_DIR, "/etc", NULL, MS_BIND\|MS_REC, NULL) < 0)	172	if (mount(RUN_ETC_DIR, "/etc", NULL, MS_BIND\|MS_REC, NULL) < 0)


diff --git a/src/firejail/main.c b/src/firejail/main.c index 7aa81a9c5..59f500e3a 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -1330,12 +1330,7 @@ int main(int argc, char **argv) {
1330	exit(1);	1330	exit(1);
1331	}	1331	}
1332	fs_check_etc_list();	1332	fs_check_etc_list();
1333	if (*cfg.etc_private_keep != '\0')	1333	arg_private_etc = 1;
1334	arg_private_etc = 1;
1335	else {
1336	arg_private_etc = 0;
1337	fprintf(stderr, "Warning: private-etc disabled, no file found\n");
1338	}
1339	}	1334	}
1340	else if (strncmp(argv[i], "--private-bin=", 14) == 0) {	1335	else if (strncmp(argv[i], "--private-bin=", 14) == 0) {
1341	// extract private bin list	1336	// extract private bin list


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 2b3984a99..095e5eecc 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -611,12 +611,7 @@ int profile_check_line(char ptr, int lineno, const char fname) {
611	}	611	}
612	cfg.etc_private_keep = ptr + 12;	612	cfg.etc_private_keep = ptr + 12;
613	fs_check_etc_list();	613	fs_check_etc_list();
614	if (*cfg.etc_private_keep != '\0')	614	arg_private_etc = 1;
615	arg_private_etc = 1;
616	else {
617	arg_private_etc = 0;
618	fprintf(stderr, "Warning: private-etc disabled, no file found\n");
619	}
620		615
621	return 0;	616	return 0;
622	}	617	}


diff --git a/test/fs/fs.sh b/test/fs/fs.sh index 0fcffcb8e..b49aadf02 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh
@@ -24,6 +24,9 @@ echo "TESTING: private (test/fs/private.exp)"
24	echo "TESTING: private-etc (test/fs/private-etc.exp)"	24	echo "TESTING: private-etc (test/fs/private-etc.exp)"
25	./private-etc.exp	25	./private-etc.exp
26		26
		27	echo "TESTING: empty private-etc (test/fs/private-etc-empty.exp)"
		28	./private-etc-empty.exp
		29
27	echo "TESTING: private-bin (test/fs/private-bin.exp)"	30	echo "TESTING: private-bin (test/fs/private-bin.exp)"
28	./private-bin.exp	31	./private-bin.exp
29		32


diff --git a/test/fs/private-etc-empty.exp b/test/fs/private-etc-empty.exp new file mode 100755 index 000000000..13e917a5c --- /dev/null +++ b/test/fs/private-etc-empty.exp
@@ -0,0 +1,38 @@
		1	#!/usr/bin/expect -f
		2	# This file is part of Firejail project
		3	# Copyright (C) 2014-2016 Firejail Authors
		4	# License GPL v2
		5
		6	set timeout 30
		7	spawn $env(SHELL)
		8	match_max 100000
		9
		10	send -- "firejail --private-etc=blablabla\r"
		11	expect {
		12	timeout {puts "TESTING ERROR 0\n";exit}
		13	"Child process initialized"
		14	}
		15	sleep 1
		16
		17	send -- "ls -l /etc \| wc -l\r"
		18	expect {
		19	timeout {puts "TESTING ERROR 1\n";exit}
		20	"0"
		21	}
		22	send -- "exit\r"
		23	sleep 1
		24
		25	send -- "firejail --profile=private-etc-empty.profile\r"
		26	expect {
		27	timeout {puts "TESTING ERROR 0\n";exit}
		28	"Child process initialized"
		29	}
		30	sleep 1
		31
		32	send -- "ls -l /etc \| wc -l\r"
		33	expect {
		34	timeout {puts "TESTING ERROR 1\n";exit}
		35	"0"
		36	}
		37
		38	puts "\nall done\n"


diff --git a/test/fs/private-etc-empty.profile b/test/fs/private-etc-empty.profile new file mode 100644 index 000000000..38aa8cd68 --- /dev/null +++ b/test/fs/private-etc-empty.profile
@@ -0,0 +1 @@
			private-etc blablabla