fixed whitelist problem

author: netblue30 <netblue30@yahoo.com> 2016-02-08 12:58:37 -0500
committer: netblue30 <netblue30@yahoo.com> 2016-02-08 12:58:37 -0500
commit: 9c0730573aa6f5cf96278704a9a8c14457f1e010 (patch)
tree: 0c1c05f54f2eaa146131c16bc877dec200f39931
parent: set window title (diff)
download: firejail-9c0730573aa6f5cf96278704a9a8c14457f1e010.tar.gz
firejail-9c0730573aa6f5cf96278704a9a8c14457f1e010.tar.zst
firejail-9c0730573aa6f5cf96278704a9a8c14457f1e010.zip
3 files changed, 77 insertions, 8 deletions
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 22b5fb0a7..0f2d6a089 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -336,6 +336,14 @@ void fs_whitelist(void) {
                if (arg_debug)
                        fprintf(stderr, "Debug %d: new_name #%s#\n", __LINE__, new_name);
+                // valid path referenced to filesystem root
+                if (*new_name != '/') {
+                        if (arg_debug)
+                                fprintf(stderr, "Debug %d: \n", __LINE__);
+                        goto errexit;
+                }
                // extract the absolute path of the file
                // realpath function will fail with ENOENT if the file is not found
                char *fname = realpath(new_name, NULL);
@@ -349,19 +357,27 @@ void fs_whitelist(void) {
                                perror("realpath");
                        }
                        *entry->data = '\0';
+                        // if 1 the file was not found; mount an empty directory
+                        if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0)
+                                home_dir = 1;
+                        else if (strncmp(new_name, "/tmp/", 5) == 0)
+                                tmp_dir = 1;
+                        else if (strncmp(new_name, "/media/", 7) == 0)
+                                media_dir = 1;
+                        else if (strncmp(new_name, "/var/", 5) == 0)
+                                var_dir = 1;
+                        else if (strncmp(new_name, "/dev/", 5) == 0)
+                                dev_dir = 1;
+                        else if (strncmp(new_name, "/opt/", 5) == 0)
+                                opt_dir = 1;
                        continue;
                }
                
-                // valid path referenced to filesystem root
-                if (*new_name != '/') {
-                        if (arg_debug)
-                                fprintf(stderr, "Debug %d: \n", __LINE__);
-                        goto errexit;
-                }
                // check for supported directories
                if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) {
-                        // whitelisting home directory is disabled if --private or --private-home option is present
+                        // whitelisting home directory is disabled if --private option is present
                        if (arg_private) {
                                if (arg_debug || arg_debug_whitelists)
                                        printf("Removed whitelist path %s, --private option is present\n", entry->data);
diff --git a/test/test.sh b/test/test.sh
index 6273c0a1b..ca7152b55 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -15,6 +15,9 @@ echo "TESTING: invalid filename"
 echo "TESTING: environment variables"
 ./env.exp
+echo "TESTING: whitelist empty"
+./whitelist-empty.exp
 echo "TESTING: ignore command"
 ./ignore.exp
diff --git a/test/whitelist-empty.exp b/test/whitelist-empty.exp
new file mode 100755
index 000000000..226b019db
--- /dev/null
+++ b/test/whitelist-empty.exp
@@ -0,0 +1,50 @@
+#!/usr/bin/expect -f
+set timeout 30
+spawn $env(SHELL)
+match_max 100000
+send -- "firejail --whitelist=~/blablabla --whitelist=/tmp/blablabla --whitelist=/media/blablabla --whitelist=/var/blablabla --whitelist=/dev/blablabla --whitelist=/opt/blablabla\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        "Child process initialized"
+}
+sleep 1
+send -- "ls -l ~/ | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "0"
+}
+send -- "ls -l /tmp | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "0"
+}
+send -- "ls -l /media | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "0"
+}
+send -- "ls -l /var | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "0"
+}
+send -- "ls -l /dev | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "0"
+}
+send -- "ls -l /opt | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "0"
+}
+puts "\nall done\n"
author	netblue30 <netblue30@yahoo.com>	2016-02-08 12:58:37 -0500
committer	netblue30 <netblue30@yahoo.com>	2016-02-08 12:58:37 -0500
commit	9c0730573aa6f5cf96278704a9a8c14457f1e010 (patch)
tree	0c1c05f54f2eaa146131c16bc877dec200f39931
parent	set window title (diff)
download	firejail-9c0730573aa6f5cf96278704a9a8c14457f1e010.tar.gz firejail-9c0730573aa6f5cf96278704a9a8c14457f1e010.tar.zst firejail-9c0730573aa6f5cf96278704a9a8c14457f1e010.zip

diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 22b5fb0a7..0f2d6a089 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c
@@ -336,6 +336,14 @@ void fs_whitelist(void) {
336	if (arg_debug)	336	if (arg_debug)
337	fprintf(stderr, "Debug %d: new_name #%s#\n", __LINE__, new_name);	337	fprintf(stderr, "Debug %d: new_name #%s#\n", __LINE__, new_name);
338		338
		339	// valid path referenced to filesystem root
		340	if (*new_name != '/') {
		341	if (arg_debug)
		342	fprintf(stderr, "Debug %d: \n", __LINE__);
		343	goto errexit;
		344	}
		345
		346
339	// extract the absolute path of the file	347	// extract the absolute path of the file
340	// realpath function will fail with ENOENT if the file is not found	348	// realpath function will fail with ENOENT if the file is not found
341	char *fname = realpath(new_name, NULL);	349	char *fname = realpath(new_name, NULL);
@@ -349,19 +357,27 @@ void fs_whitelist(void) {
349	perror("realpath");	357	perror("realpath");
350	}	358	}
351	*entry->data = '\0';	359	*entry->data = '\0';
		360
		361	// if 1 the file was not found; mount an empty directory
		362	if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0)
		363	home_dir = 1;
		364	else if (strncmp(new_name, "/tmp/", 5) == 0)
		365	tmp_dir = 1;
		366	else if (strncmp(new_name, "/media/", 7) == 0)
		367	media_dir = 1;
		368	else if (strncmp(new_name, "/var/", 5) == 0)
		369	var_dir = 1;
		370	else if (strncmp(new_name, "/dev/", 5) == 0)
		371	dev_dir = 1;
		372	else if (strncmp(new_name, "/opt/", 5) == 0)
		373	opt_dir = 1;
		374
352	continue;	375	continue;
353	}	376	}
354		377
355	// valid path referenced to filesystem root
356	if (*new_name != '/') {
357	if (arg_debug)
358	fprintf(stderr, "Debug %d: \n", __LINE__);
359	goto errexit;
360	}
361
362	// check for supported directories	378	// check for supported directories
363	if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) {	379	if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) {
364	// whitelisting home directory is disabled if --private or --private-home option is present	380	// whitelisting home directory is disabled if --private option is present
365	if (arg_private) {	381	if (arg_private) {
366	if (arg_debug \|\| arg_debug_whitelists)	382	if (arg_debug \|\| arg_debug_whitelists)
367	printf("Removed whitelist path %s, --private option is present\n", entry->data);	383	printf("Removed whitelist path %s, --private option is present\n", entry->data);


diff --git a/test/test.sh b/test/test.sh index 6273c0a1b..ca7152b55 100755 --- a/test/test.sh +++ b/test/test.sh
@@ -15,6 +15,9 @@ echo "TESTING: invalid filename"
15	echo "TESTING: environment variables"	15	echo "TESTING: environment variables"
16	./env.exp	16	./env.exp
17		17
		18	echo "TESTING: whitelist empty"
		19	./whitelist-empty.exp
		20
18	echo "TESTING: ignore command"	21	echo "TESTING: ignore command"
19	./ignore.exp	22	./ignore.exp
20		23


diff --git a/test/whitelist-empty.exp b/test/whitelist-empty.exp new file mode 100755 index 000000000..226b019db --- /dev/null +++ b/test/whitelist-empty.exp
@@ -0,0 +1,50 @@
		1	#!/usr/bin/expect -f
		2
		3	set timeout 30
		4	spawn $env(SHELL)
		5	match_max 100000
		6
		7	send -- "firejail --whitelist=~/blablabla --whitelist=/tmp/blablabla --whitelist=/media/blablabla --whitelist=/var/blablabla --whitelist=/dev/blablabla --whitelist=/opt/blablabla\r"
		8	expect {
		9	timeout {puts "TESTING ERROR 0\n";exit}
		10	"Child process initialized"
		11	}
		12	sleep 1
		13
		14	send -- "ls -l ~/ \| wc -l\r"
		15	expect {
		16	timeout {puts "TESTING ERROR 1\n";exit}
		17	"0"
		18	}
		19
		20	send -- "ls -l /tmp \| wc -l\r"
		21	expect {
		22	timeout {puts "TESTING ERROR 2\n";exit}
		23	"0"
		24	}
		25
		26	send -- "ls -l /media \| wc -l\r"
		27	expect {
		28	timeout {puts "TESTING ERROR 3\n";exit}
		29	"0"
		30	}
		31
		32	send -- "ls -l /var \| wc -l\r"
		33	expect {
		34	timeout {puts "TESTING ERROR 4\n";exit}
		35	"0"
		36	}
		37
		38	send -- "ls -l /dev \| wc -l\r"
		39	expect {
		40	timeout {puts "TESTING ERROR 5\n";exit}
		41	"0"
		42	}
		43	send -- "ls -l /opt \| wc -l\r"
		44	expect {
		45	timeout {puts "TESTING ERROR 6\n";exit}
		46	"0"
		47	}
		48
		49
		50	puts "\nall done\n"