diff options
| author |  smitsohu <smitsohu@gmail.com> | 2020-11-20 20:04:20 +0100 |
|---|---|---|
| committer | smitsohu <smitsohu@gmail.com> | 2020-11-20 20:04:20 +0100 |
| commit | da53c4ebf0b7f5c6d07cb14dd7ec3ff3910fe180 (patch) | |
| tree | 9475d0d33b52cc178c7b88caae1f9c0727500351 | |
| parent | tmpfs testing (diff) | |
| download | firejail-da53c4ebf0b7f5c6d07cb14dd7ec3ff3910fe180.tar.gz firejail-da53c4ebf0b7f5c6d07cb14dd7ec3ff3910fe180.tar.zst firejail-da53c4ebf0b7f5c6d07cb14dd7ec3ff3910fe180.zip | |
reimplement --private-cache using --tmpfs
| -rw-r--r-- | src/firejail/fs.c | 36 | ||||
| -rw-r--r-- | src/firejail/sandbox.c | 9 | ||||
| -rwxr-xr-x | test/fs/private-cache.exp | 30 |
3 files changed, 17 insertions, 58 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 65f53bf76..0d4e496e8 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
| @@ -162,11 +162,12 @@ static void disable_file(OPERATION op, const char *filename) { | |||
| 162 | } | 162 | } |
| 163 | else if (op == MOUNT_TMPFS) { | 163 | else if (op == MOUNT_TMPFS) { |
| 164 | if (S_ISDIR(s.st_mode)) { | 164 | if (S_ISDIR(s.st_mode)) { |
| 165 | if (getuid() && | 165 | if (getuid()) { |
| 166 | (strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 || | 166 | if (strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 || |
| 167 | fname[strlen(cfg.homedir)] != '/')) { | 167 | fname[strlen(cfg.homedir)] != '/') { |
| 168 | fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n"); | 168 | fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n"); |
| 169 | exit(1); | 169 | exit(1); |
| 170 | } | ||
| 170 | } | 171 | } |
| 171 | fs_tmpfs(fname, getuid()); | 172 | fs_tmpfs(fname, getuid()); |
| 172 | last_disable = SUCCESSFUL; | 173 | last_disable = SUCCESSFUL; |
| @@ -1260,28 +1261,3 @@ void fs_private_tmp(void) { | |||
| 1260 | } | 1261 | } |
| 1261 | closedir(dir); | 1262 | closedir(dir); |
| 1262 | } | 1263 | } |
| 1263 | |||
| 1264 | // this function is called from sandbox.c before blacklist/whitelist functions | ||
| 1265 | void fs_private_cache(void) { | ||
| 1266 | char *cache; | ||
| 1267 | if (asprintf(&cache, "%s/.cache", cfg.homedir) == -1) | ||
| 1268 | errExit("asprintf"); | ||
| 1269 | // check if ~/.cache is a valid destination | ||
| 1270 | struct stat s; | ||
| 1271 | if (lstat(cache, &s) == -1) { | ||
| 1272 | fwarning("skipping private-cache: cannot find %s\n", cache); | ||
| 1273 | free(cache); | ||
| 1274 | return; | ||
| 1275 | } | ||
| 1276 | if (!S_ISDIR(s.st_mode)) { | ||
| 1277 | if (S_ISLNK(s.st_mode)) | ||
| 1278 | fwarning("skipping private-cache: %s is a symbolic link\n", cache); | ||
| 1279 | else | ||
| 1280 | fwarning("skipping private-cache: %s is not a directory\n", cache); | ||
| 1281 | free(cache); | ||
| 1282 | return; | ||
| 1283 | } | ||
| 1284 | // do the mount | ||
| 1285 | fs_tmpfs(cache, getuid()); // check ownership of ~/.cache | ||
| 1286 | free(cache); | ||
| 1287 | } | ||
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 8bfe76603..41951f38f 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -923,12 +923,9 @@ int sandbox(void* sandbox_arg) { | |||
| 923 | 923 | ||
| 924 | #ifdef HAVE_USERTMPFS | 924 | #ifdef HAVE_USERTMPFS |
| 925 | if (arg_private_cache) { | 925 | if (arg_private_cache) { |
| 926 | if (cfg.chrootdir) | 926 | EUID_USER(); |
| 927 | fwarning("private-cache feature is disabled in chroot\n"); | 927 | profile_add("tmpfs ${HOME}/.cache"); |
| 928 | else if (arg_overlay) | 928 | EUID_ROOT(); |
| 929 | fwarning("private-cache feature is disabled in overlay\n"); | ||
| 930 | else | ||
| 931 | fs_private_cache(); | ||
| 932 | } | 929 | } |
| 933 | #endif | 930 | #endif |
| 934 | 931 | ||
diff --git a/test/fs/private-cache.exp b/test/fs/private-cache.exp index 0597e8921..6e4c6bd1b 100755 --- a/test/fs/private-cache.exp +++ b/test/fs/private-cache.exp | |||
| @@ -7,16 +7,17 @@ set timeout 10 | |||
| 7 | spawn $env(SHELL) | 7 | spawn $env(SHELL) |
| 8 | match_max 100000 | 8 | match_max 100000 |
| 9 | 9 | ||
| 10 | if {[file exists ~/.cache]} { | 10 | send -- "mkdir --mode=700 ~/.cache\r" |
| 11 | puts "found .cache directory\n" | ||
| 12 | } else { | ||
| 13 | send -- "mkdir --mode=755 ~/.cache\r" | ||
| 14 | } | ||
| 15 | after 100 | 11 | after 100 |
| 16 | 12 | ||
| 17 | send -- "touch ~/.cache/abcdefg\r" | 13 | send -- "touch ~/.cache/abcdefg\r" |
| 18 | after 100 | 14 | after 100 |
| 19 | 15 | ||
| 16 | if { ! [file exists ~/.cache/abcdefg] } { | ||
| 17 | puts "TESTING ERROR 0\n" | ||
| 18 | exit | ||
| 19 | } | ||
| 20 | |||
| 20 | send -- "firejail --noprofile --private-cache\r" | 21 | send -- "firejail --noprofile --private-cache\r" |
| 21 | expect { | 22 | expect { |
| 22 | timeout {puts "TESTING ERROR 1\n";exit} | 23 | timeout {puts "TESTING ERROR 1\n";exit} |
| @@ -34,23 +35,8 @@ after 100 | |||
| 34 | send -- "exit\r" | 35 | send -- "exit\r" |
| 35 | sleep 1 | 36 | sleep 1 |
| 36 | 37 | ||
| 37 | send -- "rm -v ~/.cache/abcdefg\r" | 38 | # cleanup |
| 38 | expect { | 39 | send -- "rm ~/.cache/abcdefg\r" |
| 39 | timeout {puts "TESTING ERROR 3\n";exit} | ||
| 40 | "removed" | ||
| 41 | } | ||
| 42 | after 100 | 40 | after 100 |
| 43 | 41 | ||
| 44 | # redo the test with --private | ||
| 45 | |||
| 46 | send -- "firejail --noprofile --private --private-cache\r" | ||
| 47 | expect { | ||
| 48 | timeout {puts "TESTING ERROR 4\n";exit} | ||
| 49 | "Warning" | ||
| 50 | } | ||
| 51 | sleep 1 | ||
| 52 | |||
| 53 | send -- "exit\r" | ||
| 54 | sleep 1 | ||
| 55 | |||
| 56 | puts "\nall done\n" | 42 | puts "\nall done\n" |