diff options
| author |  smitsohu <smitsohu@gmail.com> | 2021-06-06 11:08:01 +0200 |
|---|---|---|
| committer | smitsohu <smitsohu@gmail.com> | 2021-06-06 11:08:01 +0200 |
| commit | 9678da00301562464464099b9d7cfd76424fbb23 (patch) | |
| tree | db011c18c43e9f6c5090da2479341797e2e2f66e | |
| parent | rpm: fix man page location in spec file (diff) | |
| download | firejail-9678da00301562464464099b9d7cfd76424fbb23.tar.gz firejail-9678da00301562464464099b9d7cfd76424fbb23.tar.zst firejail-9678da00301562464464099b9d7cfd76424fbb23.zip | |
cleanup
| -rw-r--r-- | src/firejail/firejail.h | 2 | ||||
| -rw-r--r-- | src/firejail/fs_whitelist.c | 13 | ||||
| -rw-r--r-- | src/firejail/main.c | 2 | ||||
| -rw-r--r-- | src/firejail/util.c | 18 |
4 files changed, 16 insertions, 19 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 495b0bebc..a5c44739e 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -530,7 +530,7 @@ int has_handler(pid_t pid, int signal); | |||
| 530 | void enter_network_namespace(pid_t pid); | 530 | void enter_network_namespace(pid_t pid); |
| 531 | int read_pid(const char *name, pid_t *pid); | 531 | int read_pid(const char *name, pid_t *pid); |
| 532 | pid_t require_pid(const char *name); | 532 | pid_t require_pid(const char *name); |
| 533 | void check_homedir(void); | 533 | void check_homedir(const char *dir); |
| 534 | 534 | ||
| 535 | // Get info regarding the last kernel mount operation from /proc/self/mountinfo | 535 | // Get info regarding the last kernel mount operation from /proc/self/mountinfo |
| 536 | // The return value points to a static area, and will be overwritten by subsequent calls. | 536 | // The return value points to a static area, and will be overwritten by subsequent calls. |
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 9a7a1bac7..258f023f6 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
| @@ -304,7 +304,6 @@ static void globbing(const char *pattern) { | |||
| 304 | } | 304 | } |
| 305 | 305 | ||
| 306 | // mount tmpfs on all top level directories | 306 | // mount tmpfs on all top level directories |
| 307 | // home directories *inside* /run/user/$UID are not fully supported | ||
| 308 | static void tmpfs_topdirs(const TopDir *topdirs) { | 307 | static void tmpfs_topdirs(const TopDir *topdirs) { |
| 309 | int tmpfs_home = 0; | 308 | int tmpfs_home = 0; |
| 310 | int tmpfs_runuser = 0; | 309 | int tmpfs_runuser = 0; |
| @@ -335,6 +334,7 @@ static void tmpfs_topdirs(const TopDir *topdirs) { | |||
| 335 | 334 | ||
| 336 | // mount tmpfs | 335 | // mount tmpfs |
| 337 | fs_tmpfs(topdirs[i].path, 0); | 336 | fs_tmpfs(topdirs[i].path, 0); |
| 337 | selinux_relabel_path(topdirs[i].path, topdirs[i].path); | ||
| 338 | 338 | ||
| 339 | // init tmpfs | 339 | // init tmpfs |
| 340 | if (strcmp(topdirs[i].path, "/run") == 0) { | 340 | if (strcmp(topdirs[i].path, "/run") == 0) { |
| @@ -384,8 +384,6 @@ static void tmpfs_topdirs(const TopDir *topdirs) { | |||
| 384 | const char *rel = cfg.homedir + topdir_len + 1; | 384 | const char *rel = cfg.homedir + topdir_len + 1; |
| 385 | whitelist_file(topdirs[i].fd, rel, cfg.homedir); | 385 | whitelist_file(topdirs[i].fd, rel, cfg.homedir); |
| 386 | } | 386 | } |
| 387 | |||
| 388 | selinux_relabel_path(topdirs[i].path, topdirs[i].path); | ||
| 389 | } | 387 | } |
| 390 | 388 | ||
| 391 | // user home directory | 389 | // user home directory |
| @@ -467,9 +465,9 @@ static TopDir *add_topdir(const char *dir, TopDir *topdirs, const char *path) { | |||
| 467 | errExit("strdup"); | 465 | errExit("strdup"); |
| 468 | 466 | ||
| 469 | // open the directory, don't follow symbolic links | 467 | // open the directory, don't follow symbolic links |
| 470 | rv->fd = safer_openat(-1, rv->path, O_PATH|O_NOFOLLOW|O_DIRECTORY|O_CLOEXEC); | 468 | rv->fd = safer_openat(-1, dir, O_PATH|O_NOFOLLOW|O_DIRECTORY|O_CLOEXEC); |
| 471 | if (rv->fd == -1) { | 469 | if (rv->fd == -1) { |
| 472 | fprintf(stderr, "Error: cannot open %s\n", rv->path); | 470 | fprintf(stderr, "Error: cannot open %s\n", dir); |
| 473 | exit(1); | 471 | exit(1); |
| 474 | } | 472 | } |
| 475 | 473 | ||
| @@ -750,10 +748,11 @@ void fs_whitelist(void) { | |||
| 750 | } | 748 | } |
| 751 | 749 | ||
| 752 | // create the link if any | 750 | // create the link if any |
| 753 | if (link) | 751 | if (link) { |
| 754 | whitelist_symlink(link, file); | 752 | whitelist_symlink(link, file); |
| 753 | free(link); | ||
| 754 | } | ||
| 755 | 755 | ||
| 756 | free(link); | ||
| 757 | free(file); | 756 | free(file); |
| 758 | free(entry->wparam); | 757 | free(entry->wparam); |
| 759 | entry->wparam = NULL; | 758 | entry->wparam = NULL; |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 51e10a304..7ec2d6114 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -259,8 +259,8 @@ static void init_cfg(int argc, char **argv) { | |||
| 259 | fprintf(stderr, "Error: user %s doesn't have a user directory assigned\n", cfg.username); | 259 | fprintf(stderr, "Error: user %s doesn't have a user directory assigned\n", cfg.username); |
| 260 | exit(1); | 260 | exit(1); |
| 261 | } | 261 | } |
| 262 | check_homedir(pw->pw_dir); | ||
| 262 | cfg.homedir = clean_pathname(pw->pw_dir); | 263 | cfg.homedir = clean_pathname(pw->pw_dir); |
| 263 | check_homedir(); | ||
| 264 | 264 | ||
| 265 | // initialize random number generator | 265 | // initialize random number generator |
| 266 | sandbox_pid = getpid(); | 266 | sandbox_pid = getpid(); |
diff --git a/src/firejail/util.c b/src/firejail/util.c index 6a7318c4b..b41a65c1d 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
| @@ -447,15 +447,13 @@ int is_link(const char *fname) { | |||
| 447 | if (*fname == '\0') | 447 | if (*fname == '\0') |
| 448 | return 0; | 448 | return 0; |
| 449 | 449 | ||
| 450 | char *dup = strdup(fname); | 450 | // remove trailing slashes |
| 451 | if (!dup) | 451 | char *tmp = clean_pathname(fname); |
| 452 | errExit("strdup"); | ||
| 453 | trim_trailing_slash_or_dot(dup); | ||
| 454 | 452 | ||
| 455 | char c; | 453 | char c; |
| 456 | ssize_t rv = readlink(dup, &c, 1); | 454 | ssize_t rv = readlink(tmp, &c, 1); |
| 455 | free(tmp); | ||
| 457 | 456 | ||
| 458 | free(dup); | ||
| 459 | return (rv != -1); | 457 | return (rv != -1); |
| 460 | } | 458 | } |
| 461 | 459 | ||
| @@ -1319,14 +1317,14 @@ static int has_link(const char *dir) { | |||
| 1319 | return 0; | 1317 | return 0; |
| 1320 | } | 1318 | } |
| 1321 | 1319 | ||
| 1322 | void check_homedir(void) { | 1320 | void check_homedir(const char *dir) { |
| 1323 | assert(cfg.homedir); | 1321 | assert(dir); |
| 1324 | if (cfg.homedir[0] != '/') { | 1322 | if (dir[0] != '/') { |
| 1325 | fprintf(stderr, "Error: invalid user directory \"%s\"\n", cfg.homedir); | 1323 | fprintf(stderr, "Error: invalid user directory \"%s\"\n", cfg.homedir); |
| 1326 | exit(1); | 1324 | exit(1); |
| 1327 | } | 1325 | } |
| 1328 | // symlinks are rejected in many places | 1326 | // symlinks are rejected in many places |
| 1329 | if (has_link(cfg.homedir)) { | 1327 | if (has_link(dir)) { |
| 1330 | fprintf(stderr, "No full support for symbolic links in path of user directory.\n" | 1328 | fprintf(stderr, "No full support for symbolic links in path of user directory.\n" |
| 1331 | "Please provide resolved path in password database (/etc/passwd).\n\n"); | 1329 | "Please provide resolved path in password database (/etc/passwd).\n\n"); |
| 1332 | } | 1330 | } |