diff options
| author |  smitsohu <smitsohu@gmail.com> | 2022-07-12 11:54:15 +0200 |
|---|---|---|
| committer | smitsohu <smitsohu@gmail.com> | 2022-07-12 11:54:15 +0200 |
| commit | 5a991622e2f9a4fb587926d96a5ca41f29d67139 (patch) | |
| tree | da97ad164034385f3b1935ebb48fb0b0bd75eb5d | |
| parent | minor sandbox lock improvements (diff) | |
| download | firejail-5a991622e2f9a4fb587926d96a5ca41f29d67139.tar.gz firejail-5a991622e2f9a4fb587926d96a5ca41f29d67139.tar.zst firejail-5a991622e2f9a4fb587926d96a5ca41f29d67139.zip | |
always assert runfile mode and ownership
| -rw-r--r-- | src/firejail/preproc.c | 74 |
1 files changed, 15 insertions, 59 deletions
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index c117150b8..031e42d1d 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c | |||
| @@ -27,74 +27,30 @@ static int tmpfs_mounted = 0; | |||
| 27 | 27 | ||
| 28 | // build /run/firejail directory | 28 | // build /run/firejail directory |
| 29 | void preproc_build_firejail_dir(void) { | 29 | void preproc_build_firejail_dir(void) { |
| 30 | struct stat s; | ||
| 31 | |||
| 32 | // CentOS 6 doesn't have /run directory | 30 | // CentOS 6 doesn't have /run directory |
| 33 | if (stat(RUN_FIREJAIL_BASEDIR, &s)) { | 31 | create_empty_dir_as_root(RUN_FIREJAIL_BASEDIR, 0755); |
| 34 | create_empty_dir_as_root(RUN_FIREJAIL_BASEDIR, 0755); | 32 | create_empty_dir_as_root(RUN_FIREJAIL_DIR, 0755); |
| 35 | } | 33 | create_empty_dir_as_root(RUN_FIREJAIL_NETWORK_DIR, 0755); |
| 36 | 34 | create_empty_dir_as_root(RUN_FIREJAIL_BANDWIDTH_DIR, 0755); | |
| 37 | if (stat(RUN_FIREJAIL_DIR, &s)) { | 35 | create_empty_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755); |
| 38 | create_empty_dir_as_root(RUN_FIREJAIL_DIR, 0755); | 36 | create_empty_dir_as_root(RUN_FIREJAIL_PROFILE_DIR, 0755); |
| 39 | } | 37 | create_empty_dir_as_root(RUN_FIREJAIL_X11_DIR, 0755); |
| 38 | create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755); | ||
| 39 | create_empty_dir_as_root(RUN_FIREJAIL_LIB_DIR, 0755); | ||
| 40 | create_empty_dir_as_root(RUN_MNT_DIR, 0755); | ||
| 40 | 41 | ||
| 41 | // restricted search permission | 42 | // restricted search permission |
| 42 | // only root should be able to lock files in this directory | 43 | // only root should be able to lock files in this directory |
| 43 | if (stat(RUN_FIREJAIL_SANDBOX_DIR, &s)) { | 44 | create_empty_dir_as_root(RUN_FIREJAIL_SANDBOX_DIR, 0700); |
| 44 | create_empty_dir_as_root(RUN_FIREJAIL_SANDBOX_DIR, 0700); | ||
| 45 | } | ||
| 46 | |||
| 47 | if (stat(RUN_FIREJAIL_NETWORK_DIR, &s)) { | ||
| 48 | create_empty_dir_as_root(RUN_FIREJAIL_NETWORK_DIR, 0755); | ||
| 49 | } | ||
| 50 | 45 | ||
| 51 | if (stat(RUN_FIREJAIL_BANDWIDTH_DIR, &s)) { | 46 | create_empty_dir_as_root(RUN_FIREJAIL_DBUS_DIR, 0755); |
| 52 | create_empty_dir_as_root(RUN_FIREJAIL_BANDWIDTH_DIR, 0755); | 47 | fs_remount(RUN_FIREJAIL_DBUS_DIR, MOUNT_NOEXEC, 0); |
| 53 | } | ||
| 54 | |||
| 55 | if (stat(RUN_FIREJAIL_NAME_DIR, &s)) { | ||
| 56 | create_empty_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755); | ||
| 57 | } | ||
| 58 | |||
| 59 | if (stat(RUN_FIREJAIL_PROFILE_DIR, &s)) { | ||
| 60 | create_empty_dir_as_root(RUN_FIREJAIL_PROFILE_DIR, 0755); | ||
| 61 | } | ||
| 62 | |||
| 63 | if (stat(RUN_FIREJAIL_X11_DIR, &s)) { | ||
| 64 | create_empty_dir_as_root(RUN_FIREJAIL_X11_DIR, 0755); | ||
| 65 | } | ||
| 66 | 48 | ||
| 67 | if (stat(RUN_FIREJAIL_DBUS_DIR, &s)) { | 49 | create_empty_dir_as_root(RUN_RO_DIR, S_IRUSR); |
| 68 | create_empty_dir_as_root(RUN_FIREJAIL_DBUS_DIR, 0755); | 50 | fs_remount(RUN_RO_DIR, MOUNT_READONLY, 0); |
| 69 | if (arg_debug) | ||
| 70 | printf("Remounting the " RUN_FIREJAIL_DBUS_DIR | ||
| 71 | " directory as noexec\n"); | ||
| 72 | if (mount(RUN_FIREJAIL_DBUS_DIR, RUN_FIREJAIL_DBUS_DIR, NULL, | ||
| 73 | MS_BIND, NULL) == -1) | ||
| 74 | errExit("mounting " RUN_FIREJAIL_DBUS_DIR); | ||
| 75 | if (mount(NULL, RUN_FIREJAIL_DBUS_DIR, NULL, | ||
| 76 | MS_REMOUNT | MS_BIND | MS_NOSUID | MS_NOEXEC | MS_NODEV, | ||
| 77 | "mode=755,gid=0") == -1) | ||
| 78 | errExit("remounting " RUN_FIREJAIL_DBUS_DIR); | ||
| 79 | } | ||
| 80 | |||
| 81 | if (stat(RUN_FIREJAIL_APPIMAGE_DIR, &s)) { | ||
| 82 | create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755); | ||
| 83 | } | ||
| 84 | |||
| 85 | if (stat(RUN_FIREJAIL_LIB_DIR, &s)) { | ||
| 86 | create_empty_dir_as_root(RUN_FIREJAIL_LIB_DIR, 0755); | ||
| 87 | } | ||
| 88 | |||
| 89 | if (stat(RUN_MNT_DIR, &s)) { | ||
| 90 | create_empty_dir_as_root(RUN_MNT_DIR, 0755); | ||
| 91 | } | ||
| 92 | 51 | ||
| 93 | create_empty_file_as_root(RUN_RO_FILE, S_IRUSR); | 52 | create_empty_file_as_root(RUN_RO_FILE, S_IRUSR); |
| 94 | fs_remount(RUN_RO_FILE, MOUNT_READONLY, 0); | 53 | fs_remount(RUN_RO_FILE, MOUNT_READONLY, 0); |
| 95 | |||
| 96 | create_empty_dir_as_root(RUN_RO_DIR, S_IRUSR); | ||
| 97 | fs_remount(RUN_RO_DIR, MOUNT_READONLY, 0); | ||
| 98 | } | 54 | } |
| 99 | 55 | ||
| 100 | // build /run/firejail/mnt directory | 56 | // build /run/firejail/mnt directory |