diff options
| author |  netblue30 <netblue30@protonmail.com> | 2024-04-28 10:18:05 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@protonmail.com> | 2024-04-28 10:18:05 -0400 |
| commit | 58e8b0613d47b266cb2242815de3f8e52d333ac4 (patch) | |
| tree | b696113c3ff5e7004ffea77254bce8b2561a9d5e | |
| parent | --fbuilder cleanup (diff) | |
| parent | profiles: fluffychat: remove option already present in disable-common.inc (#6... (diff) | |
| download | firejail-58e8b0613d47b266cb2242815de3f8e52d333ac4.tar.gz firejail-58e8b0613d47b266cb2242815de3f8e52d333ac4.tar.zst firejail-58e8b0613d47b266cb2242815de3f8e52d333ac4.zip | |
Merge branch 'master' of ssh://github.com/netblue30/firejail
| -rw-r--r-- | RELNOTES | 4 | ||||
| -rw-r--r-- | etc/profile-a-l/audacity.profile | 13 | ||||
| -rw-r--r-- | etc/profile-a-l/fluffychat.profile | 1 | ||||
| -rw-r--r-- | src/firejail/chroot.c | 5 | ||||
| -rw-r--r-- | src/firejail/firejail.h | 9 | ||||
| -rw-r--r-- | src/firejail/main.c | 44 | ||||
| -rw-r--r-- | src/firejail/preproc.c | 96 |
7 files changed, 127 insertions, 45 deletions
| @@ -15,7 +15,7 @@ firejail (0.9.73) baseline; urgency=low | |||
| 15 | * feature: expand simple macros in more commands (--chroot= --netfilter= | 15 | * feature: expand simple macros in more commands (--chroot= --netfilter= |
| 16 | --netfilter6= --trace=) (#6032 #6109) | 16 | --netfilter6= --trace=) (#6032 #6109) |
| 17 | * feature: add Landlock support (#5269 #6078 #6115 #6125 #6187 #6195 #6200 | 17 | * feature: add Landlock support (#5269 #6078 #6115 #6125 #6187 #6195 #6200 |
| 18 | #6228 #6260) | 18 | #6228 #6260 #6302 #6305) |
| 19 | * modif: Stop forwarding own double-dash to the shell (#5599 #5600) | 19 | * modif: Stop forwarding own double-dash to the shell (#5599 #5600) |
| 20 | * modif: Prevent sandbox name (--name=) and host name (--hostname=) | 20 | * modif: Prevent sandbox name (--name=) and host name (--hostname=) |
| 21 | from containing only digits (#5578 #5741) | 21 | from containing only digits (#5578 #5741) |
| @@ -30,6 +30,7 @@ firejail (0.9.73) baseline; urgency=low | |||
| 30 | * modif: drop deprecated 'shell' option references (#5894) | 30 | * modif: drop deprecated 'shell' option references (#5894) |
| 31 | * modif: keep pipewire group unless nosound is used (#5992 #5993) | 31 | * modif: keep pipewire group unless nosound is used (#5992 #5993) |
| 32 | * modif: fcopy: Use lstat when copying directory (#5957) | 32 | * modif: fcopy: Use lstat when copying directory (#5957) |
| 33 | * modif: populate /run/firejail while holding flock (#6307) | ||
| 33 | * removal: LTS and FIRETUNNEL support | 34 | * removal: LTS and FIRETUNNEL support |
| 34 | * bugfix: fix --hostname and --hosts-file commands | 35 | * bugfix: fix --hostname and --hosts-file commands |
| 35 | * bugfix: fix examples in firejail-local AppArmor profile (#5717) | 36 | * bugfix: fix examples in firejail-local AppArmor profile (#5717) |
| @@ -116,6 +117,7 @@ firejail (0.9.73) baseline; urgency=low | |||
| 116 | * profiles: add allow-nodejs.inc to profile.template (#6298) | 117 | * profiles: add allow-nodejs.inc to profile.template (#6298) |
| 117 | * profiles: add allow-php.inc to profile.template (#6299) | 118 | * profiles: add allow-php.inc to profile.template (#6299) |
| 118 | * profiles: clarify and add opengl-game to profile.template (#6300) | 119 | * profiles: clarify and add opengl-game to profile.template (#6300) |
| 120 | * profiles: allow-ssh: allow /etc/ssh/ssh_revoked_hosts (#6308 #6309) | ||
| 119 | * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater | 121 | * new profiles: fix-qdf, qpdf, zlib-flate, standard-notes, url-eater |
| 120 | -- netblue30 <netblue30@yahoo.com> Mon, 17 Jan 2023 09:00:00 -0500 | 122 | -- netblue30 <netblue30@yahoo.com> Mon, 17 Jan 2023 09:00:00 -0500 |
| 121 | 123 | ||
diff --git a/etc/profile-a-l/audacity.profile b/etc/profile-a-l/audacity.profile index e70215891..2893dda5a 100644 --- a/etc/profile-a-l/audacity.profile +++ b/etc/profile-a-l/audacity.profile | |||
| @@ -6,10 +6,9 @@ include audacity.local | |||
| 6 | # Persistent global definitions | 6 | # Persistent global definitions |
| 7 | include globals.local | 7 | include globals.local |
| 8 | 8 | ||
| 9 | # Add the below lines to your audacity.local if you need online plugins. | 9 | # To disable networking, add the following lines to audacity.local: |
| 10 | #ignore net none | 10 | #ignore netfilter |
| 11 | #netfilter | 11 | #net none |
| 12 | #protocol inet6 | ||
| 13 | 12 | ||
| 14 | noblacklist ${HOME}/.audacity-data | 13 | noblacklist ${HOME}/.audacity-data |
| 15 | noblacklist ${HOME}/.cache/audacity | 14 | noblacklist ${HOME}/.cache/audacity |
| @@ -34,7 +33,7 @@ allow-debuggers | |||
| 34 | ## Enabling App Armor appears to break some Fedora / Arch installs | 33 | ## Enabling App Armor appears to break some Fedora / Arch installs |
| 35 | #apparmor | 34 | #apparmor |
| 36 | caps.drop all | 35 | caps.drop all |
| 37 | net none | 36 | netfilter |
| 38 | no3d | 37 | no3d |
| 39 | nodvd | 38 | nodvd |
| 40 | nogroups | 39 | nogroups |
| @@ -44,13 +43,13 @@ noroot | |||
| 44 | notv | 43 | notv |
| 45 | nou2f | 44 | nou2f |
| 46 | novideo | 45 | novideo |
| 47 | protocol unix,inet | 46 | protocol unix,inet,inet6 |
| 48 | seccomp | 47 | seccomp |
| 49 | tracelog | 48 | tracelog |
| 50 | 49 | ||
| 51 | private-bin audacity | 50 | private-bin audacity |
| 52 | private-dev | 51 | private-dev |
| 53 | private-etc @x11 | 52 | private-etc @network,@sound,@tls-ca,@x11 |
| 54 | private-tmp | 53 | private-tmp |
| 55 | 54 | ||
| 56 | # problems on Fedora 27 | 55 | # problems on Fedora 27 |
diff --git a/etc/profile-a-l/fluffychat.profile b/etc/profile-a-l/fluffychat.profile index 1c5db09e9..63fe28f2f 100644 --- a/etc/profile-a-l/fluffychat.profile +++ b/etc/profile-a-l/fluffychat.profile | |||
| @@ -25,7 +25,6 @@ include disable-xdg.inc | |||
| 25 | # there isn't a Firefox instance running with the default profile; see #5352) | 25 | # there isn't a Firefox instance running with the default profile; see #5352) |
| 26 | noblacklist ${HOME}/.mozilla | 26 | noblacklist ${HOME}/.mozilla |
| 27 | whitelist ${HOME}/.mozilla/firefox/profiles.ini | 27 | whitelist ${HOME}/.mozilla/firefox/profiles.ini |
| 28 | read-only ${HOME}/.mozilla/firefox/profiles.ini | ||
| 29 | 28 | ||
| 30 | mkdir ${HOME}/.local/share/fluffychat | 29 | mkdir ${HOME}/.local/share/fluffychat |
| 31 | whitelist ${DOWNLOADS} | 30 | whitelist ${DOWNLOADS} |
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c index ffa6c8b51..67097852e 100644 --- a/src/firejail/chroot.c +++ b/src/firejail/chroot.c | |||
| @@ -273,7 +273,10 @@ void fs_chroot(const char *rootdir) { | |||
| 273 | errExit("mounting /proc"); | 273 | errExit("mounting /proc"); |
| 274 | 274 | ||
| 275 | // create all other /run/firejail files and directories | 275 | // create all other /run/firejail files and directories |
| 276 | preproc_build_firejail_dir(); | 276 | preproc_build_firejail_dir_unlocked(); |
| 277 | preproc_lock_firejail_dir(); | ||
| 278 | preproc_build_firejail_dir_locked(); | ||
| 279 | preproc_unlock_firejail_dir(); | ||
| 277 | 280 | ||
| 278 | // update /var directory in order to support multiple sandboxes running on the same root directory | 281 | // update /var directory in order to support multiple sandboxes running on the same root directory |
| 279 | // if (!arg_private_dev) | 282 | // if (!arg_private_dev) |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index b8ec4d474..736af018d 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -282,6 +282,8 @@ static inline int any_dhcp(void) { | |||
| 282 | return any_ip_dhcp() || any_ip6_dhcp(); | 282 | return any_ip_dhcp() || any_ip6_dhcp(); |
| 283 | } | 283 | } |
| 284 | 284 | ||
| 285 | extern int lockfd_directory; | ||
| 286 | extern int lockfd_network; | ||
| 285 | extern int arg_private; // mount private /home | 287 | extern int arg_private; // mount private /home |
| 286 | extern int arg_private_cache; // private home/.cache | 288 | extern int arg_private_cache; // private home/.cache |
| 287 | extern int arg_debug; // print debug messages | 289 | extern int arg_debug; // print debug messages |
| @@ -429,7 +431,12 @@ int net_get_mac(const char *ifname, unsigned char mac[6]); | |||
| 429 | void net_config_interface(const char *dev, uint32_t ip, uint32_t mask, int mtu); | 431 | void net_config_interface(const char *dev, uint32_t ip, uint32_t mask, int mtu); |
| 430 | 432 | ||
| 431 | // preproc.c | 433 | // preproc.c |
| 432 | void preproc_build_firejail_dir(void); | 434 | void preproc_lock_firejail_dir(void); |
| 435 | void preproc_unlock_firejail_dir(void); | ||
| 436 | void preproc_lock_firejail_network_dir(void); | ||
| 437 | void preproc_unlock_firejail_network_dir(void); | ||
| 438 | void preproc_build_firejail_dir_unlocked(void); | ||
| 439 | void preproc_build_firejail_dir_locked(void); | ||
| 433 | void preproc_mount_mnt_dir(void); | 440 | void preproc_mount_mnt_dir(void); |
| 434 | void preproc_clean_run(void); | 441 | void preproc_clean_run(void); |
| 435 | 442 | ||
diff --git a/src/firejail/main.c b/src/firejail/main.c index 0ce18ab01..acbb4bf38 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -63,6 +63,8 @@ gid_t firejail_gid = 0; | |||
| 63 | static char child_stack[STACK_SIZE] __attribute__((aligned(STACK_ALIGNMENT))); // space for child's stack | 63 | static char child_stack[STACK_SIZE] __attribute__((aligned(STACK_ALIGNMENT))); // space for child's stack |
| 64 | 64 | ||
| 65 | Config cfg; // configuration | 65 | Config cfg; // configuration |
| 66 | int lockfd_directory = -1; | ||
| 67 | int lockfd_network = -1; | ||
| 66 | int arg_private = 0; // mount private /home and /tmp directoryu | 68 | int arg_private = 0; // mount private /home and /tmp directoryu |
| 67 | int arg_private_cache = 0; // mount private home/.cache | 69 | int arg_private_cache = 0; // mount private home/.cache |
| 68 | int arg_debug = 0; // print debug messages | 70 | int arg_debug = 0; // print debug messages |
| @@ -1056,8 +1058,6 @@ static int check_postexec(const char *list) { | |||
| 1056 | int main(int argc, char **argv, char **envp) { | 1058 | int main(int argc, char **argv, char **envp) { |
| 1057 | int i; | 1059 | int i; |
| 1058 | int prog_index = -1; // index in argv where the program command starts | 1060 | int prog_index = -1; // index in argv where the program command starts |
| 1059 | int lockfd_network = -1; | ||
| 1060 | int lockfd_directory = -1; | ||
| 1061 | int custom_profile = 0; // custom profile loaded | 1061 | int custom_profile = 0; // custom profile loaded |
| 1062 | int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot) | 1062 | int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot) |
| 1063 | char **ptr; | 1063 | char **ptr; |
| @@ -1166,19 +1166,13 @@ int main(int argc, char **argv, char **envp) { | |||
| 1166 | #endif | 1166 | #endif |
| 1167 | 1167 | ||
| 1168 | // build /run/firejail directory structure | 1168 | // build /run/firejail directory structure |
| 1169 | preproc_build_firejail_dir(); | 1169 | preproc_build_firejail_dir_unlocked(); |
| 1170 | preproc_lock_firejail_dir(); | ||
| 1171 | preproc_build_firejail_dir_locked(); | ||
| 1170 | const char *container_name = env_get("container"); | 1172 | const char *container_name = env_get("container"); |
| 1171 | if (!container_name || strcmp(container_name, "firejail")) { | 1173 | if (!container_name || strcmp(container_name, "firejail")) |
| 1172 | lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR); | ||
| 1173 | if (lockfd_directory != -1) { | ||
| 1174 | int rv = fchown(lockfd_directory, 0, 0); | ||
| 1175 | (void) rv; | ||
| 1176 | flock(lockfd_directory, LOCK_EX); | ||
| 1177 | } | ||
| 1178 | preproc_clean_run(); | 1174 | preproc_clean_run(); |
| 1179 | flock(lockfd_directory, LOCK_UN); | 1175 | preproc_unlock_firejail_dir(); |
| 1180 | close(lockfd_directory); | ||
| 1181 | } | ||
| 1182 | 1176 | ||
| 1183 | delete_run_files(getpid()); | 1177 | delete_run_files(getpid()); |
| 1184 | atexit(clear_atexit); | 1178 | atexit(clear_atexit); |
| @@ -2990,12 +2984,7 @@ int main(int argc, char **argv, char **envp) { | |||
| 2990 | // check and assign an IP address - for macvlan it will be done again in the sandbox! | 2984 | // check and assign an IP address - for macvlan it will be done again in the sandbox! |
| 2991 | if (any_bridge_configured()) { | 2985 | if (any_bridge_configured()) { |
| 2992 | EUID_ROOT(); | 2986 | EUID_ROOT(); |
| 2993 | lockfd_network = open(RUN_NETWORK_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR); | 2987 | preproc_lock_firejail_network_dir(); |
| 2994 | if (lockfd_network != -1) { | ||
| 2995 | int rv = fchown(lockfd_network, 0, 0); | ||
| 2996 | (void) rv; | ||
| 2997 | flock(lockfd_network, LOCK_EX); | ||
| 2998 | } | ||
| 2999 | 2988 | ||
| 3000 | if (cfg.bridge0.configured && cfg.bridge0.arg_ip_none == 0) | 2989 | if (cfg.bridge0.configured && cfg.bridge0.arg_ip_none == 0) |
| 3001 | check_network(&cfg.bridge0); | 2990 | check_network(&cfg.bridge0); |
| @@ -3024,21 +3013,13 @@ int main(int argc, char **argv, char **envp) { | |||
| 3024 | 3013 | ||
| 3025 | // set name and x11 run files | 3014 | // set name and x11 run files |
| 3026 | EUID_ROOT(); | 3015 | EUID_ROOT(); |
| 3027 | lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR); | 3016 | preproc_lock_firejail_dir(); |
| 3028 | if (lockfd_directory != -1) { | ||
| 3029 | int rv = fchown(lockfd_directory, 0, 0); | ||
| 3030 | (void) rv; | ||
| 3031 | flock(lockfd_directory, LOCK_EX); | ||
| 3032 | } | ||
| 3033 | if (cfg.name) | 3017 | if (cfg.name) |
| 3034 | set_name_run_file(sandbox_pid); | 3018 | set_name_run_file(sandbox_pid); |
| 3035 | int display = x11_display(); | 3019 | int display = x11_display(); |
| 3036 | if (display > 0) | 3020 | if (display > 0) |
| 3037 | set_x11_run_file(sandbox_pid, display); | 3021 | set_x11_run_file(sandbox_pid, display); |
| 3038 | if (lockfd_directory != -1) { | 3022 | preproc_unlock_firejail_dir(); |
| 3039 | flock(lockfd_directory, LOCK_UN); | ||
| 3040 | close(lockfd_directory); | ||
| 3041 | } | ||
| 3042 | EUID_USER(); | 3023 | EUID_USER(); |
| 3043 | 3024 | ||
| 3044 | #ifdef HAVE_DBUSPROXY | 3025 | #ifdef HAVE_DBUSPROXY |
| @@ -3276,10 +3257,7 @@ int main(int argc, char **argv, char **envp) { | |||
| 3276 | close(parent_to_child_fds[1]); | 3257 | close(parent_to_child_fds[1]); |
| 3277 | 3258 | ||
| 3278 | EUID_ROOT(); | 3259 | EUID_ROOT(); |
| 3279 | if (lockfd_network != -1) { | 3260 | preproc_unlock_firejail_network_dir(); |
| 3280 | flock(lockfd_network, LOCK_UN); | ||
| 3281 | close(lockfd_network); | ||
| 3282 | } | ||
| 3283 | EUID_USER(); | 3261 | EUID_USER(); |
| 3284 | 3262 | ||
| 3285 | // lock netfilter firewall | 3263 | // lock netfilter firewall |
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index 2c7d4264d..e0ca2141f 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c | |||
| @@ -18,15 +18,101 @@ | |||
| 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
| 19 | */ | 19 | */ |
| 20 | #include "firejail.h" | 20 | #include "firejail.h" |
| 21 | #include <sys/file.h> | ||
| 21 | #include <sys/mount.h> | 22 | #include <sys/mount.h> |
| 22 | #include <sys/stat.h> | 23 | #include <sys/stat.h> |
| 23 | #include <sys/types.h> | 24 | #include <sys/types.h> |
| 24 | #include <dirent.h> | 25 | #include <dirent.h> |
| 26 | #include <fcntl.h> | ||
| 25 | 27 | ||
| 26 | static int tmpfs_mounted = 0; | 28 | static int tmpfs_mounted = 0; |
| 27 | 29 | ||
| 30 | static void preproc_lock_file(const char *path, int *lockfd_ptr) { | ||
| 31 | assert(path != NULL); | ||
| 32 | assert(lockfd_ptr != NULL); | ||
| 33 | |||
| 34 | long pid = (long)getpid(); | ||
| 35 | if (arg_debug) | ||
| 36 | fprintf(stderr, "pid=%ld: locking %s ...\n", pid, path); | ||
| 37 | |||
| 38 | if (*lockfd_ptr != -1) { | ||
| 39 | if (arg_debug) | ||
| 40 | fprintf(stderr, "pid=%ld: already locked %s\n", pid, path); | ||
| 41 | return; | ||
| 42 | } | ||
| 43 | |||
| 44 | int lockfd = open(path, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR); | ||
| 45 | if (lockfd == -1) { | ||
| 46 | fprintf(stderr, "Error: cannot create a lockfile at %s\n", path); | ||
| 47 | errExit("open"); | ||
| 48 | } | ||
| 49 | |||
| 50 | if (fchown(lockfd, 0, 0) == -1) { | ||
| 51 | fprintf(stderr, "Error: cannot chown root:root %s\n", path); | ||
| 52 | errExit("fchown"); | ||
| 53 | } | ||
| 54 | |||
| 55 | if (flock(lockfd, LOCK_EX) == -1) { | ||
| 56 | fprintf(stderr, "Error: cannot lock %s\n", path); | ||
| 57 | errExit("flock"); | ||
| 58 | } | ||
| 59 | |||
| 60 | *lockfd_ptr = lockfd; | ||
| 61 | if (arg_debug) | ||
| 62 | fprintf(stderr, "pid=%ld: locked %s\n", pid, path); | ||
| 63 | } | ||
| 64 | |||
| 65 | static void preproc_unlock_file(const char *path, int *lockfd_ptr) { | ||
| 66 | assert(path != NULL); | ||
| 67 | assert(lockfd_ptr != NULL); | ||
| 68 | |||
| 69 | long pid = (long)getpid(); | ||
| 70 | if (arg_debug) | ||
| 71 | fprintf(stderr, "pid=%ld: unlocking %s ...\n", pid, path); | ||
| 72 | |||
| 73 | int lockfd = *lockfd_ptr; | ||
| 74 | if (lockfd == -1) { | ||
| 75 | if (arg_debug) | ||
| 76 | fprintf(stderr, "pid=%ld: already unlocked %s\n", pid, path); | ||
| 77 | return; | ||
| 78 | } | ||
| 79 | |||
| 80 | if (flock(lockfd, LOCK_UN) == -1) { | ||
| 81 | fprintf(stderr, "Error: cannot unlock %s\n", path); | ||
| 82 | errExit("flock"); | ||
| 83 | } | ||
| 84 | |||
| 85 | if (close(lockfd) == -1) { | ||
| 86 | fprintf(stderr, "Error: cannot close %s\n", path); | ||
| 87 | errExit("close"); | ||
| 88 | } | ||
| 89 | |||
| 90 | *lockfd_ptr = -1; | ||
| 91 | if (arg_debug) | ||
| 92 | fprintf(stderr, "pid=%ld: unlocked %s\n", pid, path); | ||
| 93 | } | ||
| 94 | |||
| 95 | void preproc_lock_firejail_dir(void) { | ||
| 96 | preproc_lock_file(RUN_DIRECTORY_LOCK_FILE, &lockfd_directory); | ||
| 97 | } | ||
| 98 | |||
| 99 | void preproc_unlock_firejail_dir(void) { | ||
| 100 | preproc_unlock_file(RUN_DIRECTORY_LOCK_FILE, &lockfd_directory); | ||
| 101 | } | ||
| 102 | |||
| 103 | void preproc_lock_firejail_network_dir(void) { | ||
| 104 | preproc_lock_file(RUN_NETWORK_LOCK_FILE, &lockfd_network); | ||
| 105 | } | ||
| 106 | |||
| 107 | void preproc_unlock_firejail_network_dir(void) { | ||
| 108 | preproc_unlock_file(RUN_NETWORK_LOCK_FILE, &lockfd_network); | ||
| 109 | } | ||
| 110 | |||
| 28 | // build /run/firejail directory | 111 | // build /run/firejail directory |
| 29 | void preproc_build_firejail_dir(void) { | 112 | // |
| 113 | // Note: This creates the base directory of the rundir lockfile; | ||
| 114 | // it should be called before preproc_lock_firejail_dir(). | ||
| 115 | void preproc_build_firejail_dir_unlocked(void) { | ||
| 30 | struct stat s; | 116 | struct stat s; |
| 31 | 117 | ||
| 32 | // CentOS 6 doesn't have /run directory | 118 | // CentOS 6 doesn't have /run directory |
| @@ -35,6 +121,14 @@ void preproc_build_firejail_dir(void) { | |||
| 35 | } | 121 | } |
| 36 | 122 | ||
| 37 | create_empty_dir_as_root(RUN_FIREJAIL_DIR, 0755); | 123 | create_empty_dir_as_root(RUN_FIREJAIL_DIR, 0755); |
| 124 | } | ||
| 125 | |||
| 126 | // build directory hierarchy under /run/firejail | ||
| 127 | // | ||
| 128 | // Note: Remounts have timing hazards. This function should | ||
| 129 | // only be called after acquiring the directory lock via | ||
| 130 | // preproc_lock_firejail_dir(). | ||
| 131 | void preproc_build_firejail_dir_locked(void) { | ||
| 38 | create_empty_dir_as_root(RUN_FIREJAIL_NETWORK_DIR, 0755); | 132 | create_empty_dir_as_root(RUN_FIREJAIL_NETWORK_DIR, 0755); |
| 39 | create_empty_dir_as_root(RUN_FIREJAIL_BANDWIDTH_DIR, 0755); | 133 | create_empty_dir_as_root(RUN_FIREJAIL_BANDWIDTH_DIR, 0755); |
| 40 | create_empty_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755); | 134 | create_empty_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755); |