authorLibravatar smitsohu <smitsohu@gmail.com>2019-11-14 16:19:00 +0100
committerLibravatar smitsohu <smitsohu@gmail.com>2019-11-14 16:19:00 +0100
commitacbf707889ae241bfd476f5371df4599103b6606 (patch)
tree8c37c5547d55b00a56b3fafb256ebbd4acacae82 /src
parentsimplify private option ownership checks and make them more consistent (diff)
blacklist private-home runtime directory
as far as possible avoid creating locations in the file system that are both writable and executable
Diffstat (limited to 'src')
-rw-r--r--src/firejail/fs.c2
-rw-r--r--src/firejail/fs_home.c19
2 files changed, 14 insertions, 7 deletions
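--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -447,7 +447,7 @@ void fs_tmpfs(const char *dir, unsigned check_owner) {
 // get a file descriptor for dir, fails if there is any symlink
 int fd = safe_fd(dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
 if (fd == -1)
-errExit("safe_fd");
+errExit("while opening directory");
 struct stat s;
 if (fstat(fd, &s) == -1)
 errExit("fstat");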
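--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -312,7 +312,7 @@ void fs_private_homedir(void) {
 if (arg_debug)
 printf("Mounting a new /root directory\n");
 if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=700,gid=0") < 0)
-errExit("mounting home directory");
+errExit("mounting /root directory");
 fs_logger("tmpfs /root");
 }
 if (u == 0 || strncmp(homedir, "/home/", 6) != 0) {
@@ -320,7 +320,7 @@ void fs_private_homedir(void) {
 if (arg_debug)
 printf("Mounting a new /home directory\n");
 if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=755,gid=0") < 0)
-errExit("mounting home directory");
+errExit("mounting /home directory");
 fs_logger("tmpfs /home");
 }
 
@@ -354,7 +354,7 @@ void fs_private(void) {
 if (arg_allusers)
 fwarning("allusers option disabled by private or whitelist option\n");
 if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=755,gid=0") < 0)
-errExit("mounting home directory");
+errExit("mounting /home directory");
 fs_logger("tmpfs /home");
 }
 
@@ -362,7 +362,7 @@ void fs_private(void) {
 if (arg_debug)
 printf("Mounting a new /root directory\n");
 if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=700,gid=0") < 0)
-errExit("mounting root directory");
+errExit("mounting /root directory");
 fs_logger("tmpfs /root");
 
 if (u != 0) {
@@ -593,19 +593,26 @@ void fs_private_home_list(void) {
 errLogExit("invalid private-home mount");
 fs_logger2("tmpfs", homedir);
 
+// blacklist RUN_HOME_DIR, it is writable and not noexec
+if (mount(RUN_RO_DIR, RUN_HOME_DIR, NULL, MS_BIND, NULL) < 0)
+errExit("blacklisting " RUN_HOME_DIR);
+fs_logger2("tmpfs", RUN_HOME_DIR);
+
 if (uid != 0) {
 // mask /root
 if (arg_debug)
 printf("Mounting a new /root directory\n");
 if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=700,gid=0") < 0)
-errExit("mounting home directory");
+errExit("mounting /root directory");
+fs_logger("tmpfs /root");
 }
 if (uid == 0 || strncmp(homedir, "/home/", 6) != 0) {
 // mask /home
 if (arg_debug)
 printf("Mounting a new /home directory\n");
 if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0)
-errExit("mounting /home directory");
+errExit("mounting /home directory");
+fs_logger("tmpfs /home");
 }
 
 skel(homedir, uid, gid);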
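Review bot: The /root and /home masking mounts at new lines 605 and 613 still lack MS_NOEXEC, while the equivalent tmpfs mounts in fs_private_homedir and fs_private in the hunks above pass MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME; given the commit's stated aim of avoiding locations that are both writable and executable, adding the flag here would make the masks consistent, e.g. `if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=700,gid=0") < 0)`. These tmpfs instances are root-owned with mode 700/755, so a non-root sandboxed process presumably cannot write into them anyway, but the flag costs nothing and removes the discrepancy. Separately, the new blacklist at line 597 is a plain MS_BIND of RUN_RO_DIR with no MS_REMOUNT|MS_RDONLY step, so the target is only read-only if RUN_RO_DIR itself already is; that is not visible in this hunk and is worth confirming. The log call on line 599 also records the operation as `tmpfs` although it is a bind mount, so a label matching the comment, `fs_logger2("blacklist", RUN_HOME_DIR);`, would describe it more accurately. fs_private_home_list begins and ends outside this hunk.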