diff options
| author |  netblue30 <netblue30@yahoo.com> | 2016-03-23 10:29:19 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2016-03-23 10:29:19 -0400 |
| commit | df87ef185c1fc89e7be03dd7006ba774d4a98149 (patch) | |
| tree | 237accf52fbf37cee8c3ea62651b28463a47a105 | |
| parent | testing (diff) | |
| download | firejail-df87ef185c1fc89e7be03dd7006ba774d4a98149.tar.gz firejail-df87ef185c1fc89e7be03dd7006ba774d4a98149.tar.zst firejail-df87ef185c1fc89e7be03dd7006ba774d4a98149.zip | |
whitelist /var fixes
| -rw-r--r-- | src/firejail/fs_whitelist.c | 47 |
1 files changed, 31 insertions, 16 deletions
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 7e61bfde5..617e61dcd 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
| @@ -422,7 +422,12 @@ void fs_whitelist(void) { | |||
| 422 | entry->var_dir = 1; | 422 | entry->var_dir = 1; |
| 423 | var_dir = 1; | 423 | var_dir = 1; |
| 424 | // both path and absolute path are under /var | 424 | // both path and absolute path are under /var |
| 425 | if (strncmp(fname, "/var/", 5) != 0) { | 425 | // exceptions: /var/run and /var/lock |
| 426 | if (strcmp(new_name, "/var/run")== 0) | ||
| 427 | ; | ||
| 428 | else if (strcmp(new_name, "/var/lock")== 0) | ||
| 429 | ; | ||
| 430 | else if (strncmp(fname, "/var/", 5) != 0) { | ||
| 426 | if (arg_debug) | 431 | if (arg_debug) |
| 427 | fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); | 432 | fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname); |
| 428 | goto errexit; | 433 | goto errexit; |
| @@ -618,21 +623,31 @@ void fs_whitelist(void) { | |||
| 618 | 623 | ||
| 619 | //printf("here %d#%s#\n", __LINE__, entry->data); | 624 | //printf("here %d#%s#\n", __LINE__, entry->data); |
| 620 | // whitelist the real file | 625 | // whitelist the real file |
| 621 | whitelist_path(entry); | 626 | if (strcmp(entry->data, "whitelist /run") == 0 && |
| 622 | 627 | (strcmp(entry->link, "/var/run") == 0 || strcmp(entry->link, "/var/lock") == 0)) { | |
| 623 | // create the link if any | 628 | int rv = symlink(entry->data + 10, entry->link); |
| 624 | if (entry->link) { | 629 | if (rv) |
| 625 | // if the link is already there, do not bother | 630 | fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link); |
| 626 | struct stat s; | 631 | else if (arg_debug || arg_debug_whitelists) |
| 627 | if (stat(entry->link, &s) != 0) { | 632 | printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10); |
| 628 | // create the path if necessary | 633 | } |
| 629 | mkpath(entry->link, s.st_mode); | 634 | else { |
| 630 | 635 | whitelist_path(entry); | |
| 631 | int rv = symlink(entry->data + 10, entry->link); | 636 | |
| 632 | if (rv) | 637 | // create the link if any |
| 633 | fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link); | 638 | if (entry->link) { |
| 634 | else if (arg_debug || arg_debug_whitelists) | 639 | // if the link is already there, do not bother |
| 635 | printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10); | 640 | struct stat s; |
| 641 | if (stat(entry->link, &s) != 0) { | ||
| 642 | // create the path if necessary | ||
| 643 | mkpath(entry->link, s.st_mode); | ||
| 644 | |||
| 645 | int rv = symlink(entry->data + 10, entry->link); | ||
| 646 | if (rv) | ||
| 647 | fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link); | ||
| 648 | else if (arg_debug || arg_debug_whitelists) | ||
| 649 | printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10); | ||
| 650 | } | ||
| 636 | } | 651 | } |
| 637 | } | 652 | } |
| 638 | 653 | ||