fixes

author: netblue30 <netblue30@yahoo.com> 2015-11-25 08:35:25 -0500
committer: netblue30 <netblue30@yahoo.com> 2015-11-25 08:35:25 -0500
commit: a91649ccf77c2fa20206759ef986aa9967e38ea6 (patch)
tree: a82921724f471bf646e50ce365986f0e7bb847db
parent: fixes (diff)
download: firejail-a91649ccf77c2fa20206759ef986aa9967e38ea6.tar.gz
firejail-a91649ccf77c2fa20206759ef986aa9967e38ea6.tar.zst
firejail-a91649ccf77c2fa20206759ef986aa9967e38ea6.zip
7 files changed, 88 insertions, 7 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 3ede58df6..a364de75f 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -322,6 +322,7 @@ int net_move_interface(const char *dev, unsigned pid);
 // util.c
 void drop_privs(int nogroups);
+int mkpath_as_root(const char* path);
 void extract_command_name(const char *str);
 void logsignal(int s);
 void logmsg(const char *msg);
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index 38b9b06ca..946c75d30 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -55,7 +55,7 @@ static char *check_dir_or_file(const char *name) {
        }
        if (!fname) {
-                fprintf(stderr, "Warning: file %s not found\n", name);
+//              fprintf(stderr, "Warning: file %s not found\n", name);
                return NULL;
        }
        
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 23f036bd7..ca9f7b472 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -233,9 +233,12 @@ void fs_private(void) {
                // create /home/user
                if (arg_debug)
                        printf("Create a new user directory\n");
-                int rv = mkdir(homedir, S_IRWXU);
+                if (mkdir(homedir, S_IRWXU) == -1) {
-                if (rv == -1)
+                        if (mkpath_as_root(homedir) == -1)
-                        errExit("mkdir");
+                                errExit("mkpath");
+                        if (mkdir(homedir, S_IRWXU) == -1)
+                                errExit("mkdir");
+                }
                if (chown(homedir, u, g) < 0)
                        errExit("chown");
        }
@@ -346,7 +349,7 @@ void fs_check_private_dir(void) {
                exit(1);
        }
        if (s1.st_uid != s2.st_uid) {
-                printf("Error: the two home directories must have the same owner\n");
+                printf("Error: --private directory should be owned by the current user\n");
                exit(1);
        }
 }
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index a38539078..d018554d5 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -75,7 +75,7 @@ static void whitelist_path(ProfileEntry *entry) {
        assert(path);
        const char *fname;
        char *wfile = NULL;
-        
        if (entry->home_dir) {
                fname = path + strlen(cfg.homedir);
                if (*fname == '\0') {
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index 4930dd1ea..50a9a9b89 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -120,7 +120,7 @@ static void sanitize_home(void) {
        // create user home directory
        if (mkdir(cfg.homedir, 0755) == -1) {
-                if (mkpath(cfg.homedir))
+                if (mkpath_as_root(cfg.homedir))
                        errExit("mkpath");
                if (mkdir(cfg.homedir, 0755) == -1)
                        errExit("mkdir");
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 89d0697fd..880e45465 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -75,6 +75,40 @@ void drop_privs(int nogroups) {
 }
+int mkpath_as_root(const char* path) {
+        assert(path && *path);
+        
+        // work on a copy of the path
+        char *file_path = strdup(path);
+        if (!file_path)
+                errExit("strdup");
+        char* p;
+        for (p=strchr(file_path+1, '/'); p; p=strchr(p+1, '/')) {
+                *p='\0';
+                if (mkdir(file_path, 0755)==-1) {
+                        if (errno != EEXIST) {
+                                *p='/';
+                                free(file_path);
+                                return -1;
+                        }
+                }
+                else {
+                        if (chmod(file_path, 0755) == -1)
+                                errExit("chmod");
+                        if (chown(file_path, 0, 0) == -1)
+                                errExit("chown");
+                }                       
+                *p='/';
+        }
+        
+        free(file_path);
+        return 0;
+}
 void logsignal(int s) {
        if (!arg_debug)
                return;
diff --git a/todo b/todo
index f69b4f6dd..553933f00 100644
--- a/todo
+++ b/todo
@@ -96,3 +96,46 @@ Warning: cannot disable /sys/power directory
 Child process initialized
 16. add support for --ip, --iprange, --mac and --mtu for --interface option
+17. private-home clashing with blacklist
+$ firejail --private-home=.mozilla
+Reading profile /etc/firejail/generic.profile
+Reading profile /etc/firejail/disable-mgmt.inc
+Reading profile /etc/firejail/disable-secret.inc
+Reading profile /etc/firejail/disable-common.inc
+** Note: you can use --noprofile to disable generic.profile **
+Parent pid 8193, child pid 8194
+/run/firejail/mnt/cp: cannot access `/home/netblue/.mozilla': Permission denied
+Error system cp -a --parents:duplicate(381): No such file or directory
+Child process initialized
+$ ls -la
+total 4
+drwx------ 3 test  test   100 Nov 25 07:59 .
+drwxr-xr-x 3 65534 65534   60 Nov 25 07:59 ..
+-rw-r--r-- 1 test  test  3392 Nov 25 07:59 .bashrc
+dr-x------ 2 65534 65534   40 Nov 24 17:53 .mozilla
+-rw------- 1 test  test     0 Nov 25 07:59 .Xauthority
+18. whitelist clashing with blacklist
+$ firejail --whitelist=~/.mozilla
+Reading profile /etc/firejail/generic.profile
+Reading profile /etc/firejail/disable-mgmt.inc
+Reading profile /etc/firejail/disable-secret.inc
+Reading profile /etc/firejail/disable-common.inc
+** Note: you can use --noprofile to disable generic.profile **
+Parent pid 9440, child pid 9441
+Child process initialized
+$ ls -al
+total 8
+drwx------ 3 netblue netblue  100 Nov 25 08:09 .
+drwxr-xr-x 3   65534   65534   60 Nov 25 08:09 ..
+-rw-r--r-- 1 netblue netblue 3392 Nov 25 08:09 .bashrc
+dr-x------ 2   65534   65534   40 Nov 24 17:53 .mozilla
+-rw------- 1 netblue netblue   51 Nov 25 08:09 .Xauthority
author	netblue30 <netblue30@yahoo.com>	2015-11-25 08:35:25 -0500
committer	netblue30 <netblue30@yahoo.com>	2015-11-25 08:35:25 -0500
commit	a91649ccf77c2fa20206759ef986aa9967e38ea6 (patch)
tree	a82921724f471bf646e50ce365986f0e7bb847db
parent	fixes (diff)
download	firejail-a91649ccf77c2fa20206759ef986aa9967e38ea6.tar.gz firejail-a91649ccf77c2fa20206759ef986aa9967e38ea6.tar.zst firejail-a91649ccf77c2fa20206759ef986aa9967e38ea6.zip

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 3ede58df6..a364de75f 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -322,6 +322,7 @@ int net_move_interface(const char *dev, unsigned pid);
322		322
323	// util.c	323	// util.c
324	void drop_privs(int nogroups);	324	void drop_privs(int nogroups);
		325	int mkpath_as_root(const char* path);
325	void extract_command_name(const char *str);	326	void extract_command_name(const char *str);
326	void logsignal(int s);	327	void logsignal(int s);
327	void logmsg(const char *msg);	328	void logmsg(const char *msg);


diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 38b9b06ca..946c75d30 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c
@@ -55,7 +55,7 @@ static char check_dir_or_file(const char name) {
55	}	55	}
56		56
57	if (!fname) {	57	if (!fname) {
58	fprintf(stderr, "Warning: file %s not found\n", name);	58	// fprintf(stderr, "Warning: file %s not found\n", name);
59	return NULL;	59	return NULL;
60	}	60	}
61		61


diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 23f036bd7..ca9f7b472 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c
@@ -233,9 +233,12 @@ void fs_private(void) {
233	// create /home/user	233	// create /home/user
234	if (arg_debug)	234	if (arg_debug)
235	printf("Create a new user directory\n");	235	printf("Create a new user directory\n");
236	int rv = mkdir(homedir, S_IRWXU);	236	if (mkdir(homedir, S_IRWXU) == -1) {
237	if (rv == -1)	237	if (mkpath_as_root(homedir) == -1)
238	errExit("mkdir");	238	errExit("mkpath");
		239	if (mkdir(homedir, S_IRWXU) == -1)
		240	errExit("mkdir");
		241	}
239	if (chown(homedir, u, g) < 0)	242	if (chown(homedir, u, g) < 0)
240	errExit("chown");	243	errExit("chown");
241	}	244	}
@@ -346,7 +349,7 @@ void fs_check_private_dir(void) {
346	exit(1);	349	exit(1);
347	}	350	}
348	if (s1.st_uid != s2.st_uid) {	351	if (s1.st_uid != s2.st_uid) {
349	printf("Error: the two home directories must have the same owner\n");	352	printf("Error: --private directory should be owned by the current user\n");
350	exit(1);	353	exit(1);
351	}	354	}
352	}	355	}


diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index a38539078..d018554d5 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c
@@ -75,7 +75,7 @@ static void whitelist_path(ProfileEntry *entry) {
75	assert(path);	75	assert(path);
76	const char *fname;	76	const char *fname;
77	char *wfile = NULL;	77	char *wfile = NULL;
78		78
79	if (entry->home_dir) {	79	if (entry->home_dir) {
80	fname = path + strlen(cfg.homedir);	80	fname = path + strlen(cfg.homedir);
81	if (*fname == '\0') {	81	if (*fname == '\0') {


diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index 4930dd1ea..50a9a9b89 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c
@@ -120,7 +120,7 @@ static void sanitize_home(void) {
120		120
121	// create user home directory	121	// create user home directory
122	if (mkdir(cfg.homedir, 0755) == -1) {	122	if (mkdir(cfg.homedir, 0755) == -1) {
123	if (mkpath(cfg.homedir))	123	if (mkpath_as_root(cfg.homedir))
124	errExit("mkpath");	124	errExit("mkpath");
125	if (mkdir(cfg.homedir, 0755) == -1)	125	if (mkdir(cfg.homedir, 0755) == -1)
126	errExit("mkdir");	126	errExit("mkdir");


diff --git a/src/firejail/util.c b/src/firejail/util.c index 89d0697fd..880e45465 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c
@@ -75,6 +75,40 @@ void drop_privs(int nogroups) {
75	}	75	}
76		76
77		77
		78	int mkpath_as_root(const char* path) {
		79	assert(path && *path);
		80
		81	// work on a copy of the path
		82	char *file_path = strdup(path);
		83	if (!file_path)
		84	errExit("strdup");
		85
		86	char* p;
		87	for (p=strchr(file_path+1, '/'); p; p=strchr(p+1, '/')) {
		88	*p='\0';
		89	if (mkdir(file_path, 0755)==-1) {
		90	if (errno != EEXIST) {
		91	*p='/';
		92	free(file_path);
		93	return -1;
		94	}
		95	}
		96	else {
		97	if (chmod(file_path, 0755) == -1)
		98	errExit("chmod");
		99	if (chown(file_path, 0, 0) == -1)
		100	errExit("chown");
		101	}
		102
		103	*p='/';
		104	}
		105
		106	free(file_path);
		107	return 0;
		108	}
		109
		110
		111
78	void logsignal(int s) {	112	void logsignal(int s) {
79	if (!arg_debug)	113	if (!arg_debug)
80	return;	114	return;


diff --git a/todo b/todo index f69b4f6dd..553933f00 100644 --- a/todo +++ b/todo
@@ -96,3 +96,46 @@ Warning: cannot disable /sys/power directory
96	Child process initialized	96	Child process initialized
97		97
98	16. add support for --ip, --iprange, --mac and --mtu for --interface option	98	16. add support for --ip, --iprange, --mac and --mtu for --interface option
		99
		100	17. private-home clashing with blacklist
		101	$ firejail --private-home=.mozilla
		102	Reading profile /etc/firejail/generic.profile
		103	Reading profile /etc/firejail/disable-mgmt.inc
		104	Reading profile /etc/firejail/disable-secret.inc
		105	Reading profile /etc/firejail/disable-common.inc
		106
		107	Note: you can use --noprofile to disable generic.profile
		108
		109	Parent pid 8193, child pid 8194
		110	/run/firejail/mnt/cp: cannot access `/home/netblue/.mozilla': Permission denied
		111	Error system cp -a --parents:duplicate(381): No such file or directory
		112	Child process initialized
		113	$ ls -la
		114	total 4
		115	drwx------ 3 test test 100 Nov 25 07:59 .
		116	drwxr-xr-x 3 65534 65534 60 Nov 25 07:59 ..
		117	-rw-r--r-- 1 test test 3392 Nov 25 07:59 .bashrc
		118	dr-x------ 2 65534 65534 40 Nov 24 17:53 .mozilla
		119	-rw------- 1 test test 0 Nov 25 07:59 .Xauthority
		120
		121
		122
		123
		124	18. whitelist clashing with blacklist
		125	$ firejail --whitelist=~/.mozilla
		126	Reading profile /etc/firejail/generic.profile
		127	Reading profile /etc/firejail/disable-mgmt.inc
		128	Reading profile /etc/firejail/disable-secret.inc
		129	Reading profile /etc/firejail/disable-common.inc
		130
		131	Note: you can use --noprofile to disable generic.profile
		132
		133	Parent pid 9440, child pid 9441
		134	Child process initialized
		135	$ ls -al
		136	total 8
		137	drwx------ 3 netblue netblue 100 Nov 25 08:09 .
		138	drwxr-xr-x 3 65534 65534 60 Nov 25 08:09 ..
		139	-rw-r--r-- 1 netblue netblue 3392 Nov 25 08:09 .bashrc
		140	dr-x------ 2 65534 65534 40 Nov 24 17:53 .mozilla
		141	-rw------- 1 netblue netblue 51 Nov 25 08:09 .Xauthority