diff options
| author |  netblue30 <netblue30@protonmail.com> | 2022-01-21 08:44:14 -0500 |
|---|---|---|
| committer | netblue30 <netblue30@protonmail.com> | 2022-01-21 08:44:14 -0500 |
| commit | d0aaa89df3aa4c4d90d0a4892e21eaa7c213aab6 (patch) | |
| tree | ca224bcdabd2f3b7b7cd6c610c1e419d3dac65c0 | |
| parent | blacklist password store directory for pass package (diff) | |
| download | firejail-d0aaa89df3aa4c4d90d0a4892e21eaa7c213aab6.tar.gz firejail-d0aaa89df3aa4c4d90d0a4892e21eaa7c213aab6.tar.zst firejail-d0aaa89df3aa4c4d90d0a4892e21eaa7c213aab6.zip | |
fix attribute for /tmp/user in --private-tmp, and fix #4151
| -rw-r--r-- | src/firejail/fs_whitelist.c | 29 |
1 files changed, 21 insertions, 8 deletions
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index bdc0e277d..481a63ac2 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
| @@ -337,21 +337,34 @@ static void tmpfs_topdirs(const TopDir *topdirs) { | |||
| 337 | // fix pam-tmpdir (#2685) | 337 | // fix pam-tmpdir (#2685) |
| 338 | const char *env = env_get("TMP"); | 338 | const char *env = env_get("TMP"); |
| 339 | if (env) { | 339 | if (env) { |
| 340 | char *pamtmpdir; | 340 | // we allow TMP env set as /tmp/user/$UID and /tmp/$UID - see #4151 |
| 341 | if (asprintf(&pamtmpdir, "/tmp/user/%u", getuid()) == -1) | 341 | char *pamtmpdir1; |
| 342 | if (asprintf(&pamtmpdir1, "/tmp/user/%u", getuid()) == -1) | ||
| 342 | errExit("asprintf"); | 343 | errExit("asprintf"); |
| 343 | if (strcmp(env, pamtmpdir) == 0) { | 344 | char *pamtmpdir2; // see #4151 |
| 345 | if (asprintf(&pamtmpdir2, "/tmp/%u", getuid()) == -1) | ||
| 346 | errExit("asprintf"); | ||
| 347 | if (strcmp(env, pamtmpdir1) == 0) { | ||
| 344 | // create empty user-owned /tmp/user/$UID directory | 348 | // create empty user-owned /tmp/user/$UID directory |
| 345 | EUID_ROOT(); | 349 | EUID_ROOT(); |
| 346 | mkdir_attr("/tmp/user", 0711, 0, 0); | 350 | mkdir_attr("/tmp/user", 0755, 0, 0); |
| 347 | selinux_relabel_path("/tmp/user", "/tmp/user"); | 351 | selinux_relabel_path("/tmp/user", "/tmp/user"); |
| 348 | fs_logger("mkdir /tmp/user"); | 352 | fs_logger("mkdir /tmp/user"); |
| 349 | mkdir_attr(pamtmpdir, 0700, getuid(), 0); | 353 | mkdir_attr(pamtmpdir1, 0700, getuid(), 0); |
| 350 | selinux_relabel_path(pamtmpdir, pamtmpdir); | 354 | selinux_relabel_path(pamtmpdir1, pamtmpdir1); |
| 351 | fs_logger2("mkdir", pamtmpdir); | 355 | fs_logger2("mkdir", pamtmpdir1); |
| 356 | EUID_USER(); | ||
| 357 | } | ||
| 358 | else if (strcmp(env, pamtmpdir2) == 0) { | ||
| 359 | // create empty user-owned /tmp/user/$UID directory | ||
| 360 | EUID_ROOT(); | ||
| 361 | mkdir_attr(pamtmpdir2, 0700, getuid(), 0); | ||
| 362 | selinux_relabel_path(pamtmpdir2, pamtmpdir2); | ||
| 363 | fs_logger2("mkdir", pamtmpdir2); | ||
| 352 | EUID_USER(); | 364 | EUID_USER(); |
| 353 | } | 365 | } |
| 354 | free(pamtmpdir); | 366 | free(pamtmpdir1); |
| 367 | free(pamtmpdir2); | ||
| 355 | } | 368 | } |
| 356 | } | 369 | } |
| 357 | 370 | ||