authorLibravatar netblue30 <netblue30@yahoo.com>2016-07-19 13:03:24 -0400
committerLibravatar netblue30 <netblue30@yahoo.com>2016-07-19 13:03:24 -0400
commitafe9fe993293a27dc345f6bca2a4b7ea964120b8 (patch)
treeedc01898663f624b40f0c2b64c8a527b1d99db0b /src/firejail/fs.c
parentdefault.profile bug (diff)
downloadfirejail-afe9fe993293a27dc345f6bca2a4b7ea964120b8.tar.gz
firejail-afe9fe993293a27dc345f6bca2a4b7ea964120b8.tar.zst
firejail-afe9fe993293a27dc345f6bca2a4b7ea964120b8.zip
--read-write rework
Diffstat (limited to 'src/firejail/fs.c')
-rw-r--r--src/firejail/fs.c39
1 files changed, 36 insertions, 3 deletions
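--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -27,6 +27,8 @@
 #include <fcntl.h>
 #include <errno.h>
 
+static void fs_rdwr(const char *dir);
+
 static void create_empty_dir(void) {
  struct stat s;
 
@@ -229,6 +231,7 @@ typedef enum {
  MOUNT_READONLY,
  MOUNT_TMPFS,
  MOUNT_NOEXEC,
+ MOUNT_RDWR,
  OPERATION_MAX
 } OPERATION;
 
@@ -331,6 +334,12 @@ static void disable_file(OPERATION op, const char *filename) {
  fs_rdonly(fname);
 // todo: last_disable = SUCCESSFUL;
  }
+ else if (op == MOUNT_RDWR) {
+ if (arg_debug)
+ printf("Mounting read-only %s\n", fname);
+ fs_rdwr(fname);
+// todo: last_disable = SUCCESSFUL;
+ }
  else if (op == MOUNT_NOEXEC) {
  if (arg_debug)
  printf("Mounting noexec %s\n", fname);
@@ -492,6 +501,10 @@ void fs_blacklist(void) {
  ptr = entry->data + 10;
  op = MOUNT_READONLY;
  }
+ else if (strncmp(entry->data, "read-write ", 11) == 0) {
+ ptr = entry->data + 11;
+ op = MOUNT_RDWR;
+ }
  else if (strncmp(entry->data, "noexec ", 7) == 0) {
  ptr = entry->data + 7;
  op = MOUNT_NOEXEC;
@@ -560,6 +573,29 @@ void fs_rdonly(const char *dir) {
  }
 }
 
+static void fs_rdwr(const char *dir) {
+ assert(dir);
+ // check directory exists
+ struct stat s;
+ int rv = stat(dir, &s);
+ if (rv == 0) {
+ // if the file is outside /home directory, allow only root user
+ uid_t u = getuid();
+ if (u != 0 && s.st_uid != u) {
+ fprintf(stderr, "Warning: you are not allowed to change %s to read-write\n", dir);
+ return;
+ }
+
+ // mount --bind /bin /bin
+ if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0)
+ errExit("mount read-write");
+ // mount --bind -o remount,rw /bin
+ if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0)
+ errExit("mount read-write");
+ fs_logger2("read-write", dir);
+ }
+}
+
 void fs_noexec(const char *dir) {
  assert(dir);
  // check directory exists
@@ -757,9 +793,6 @@ void fs_basic_fs(void) {
  // firejail sandboxes (firejail --force)
  if (getuid() != 0)
  disable_firejail_config();
-
- if (getuid() == 0)
- fs_rdwr();
 }
 
 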
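Review bot: In the new fs_rdwr (new-side lines 576–597) the comment `// if the file is outside /home directory, allow only root user` does not describe the check below it, which is ownership-based rather than path-based: a non-root caller is refused whenever `s.st_uid` differs from the real uid, wherever the path lives; `// non-root callers may only remount directories they own` would state the actual rule. Because the stat() and both mount() calls operate on the path string rather than an open descriptor, the object whose owner was checked and the object that gets remounted are not guaranteed to be the same one; whether that is reachable here depends on when this runs relative to the rest of the sandbox setup, which is outside the hunk. The MOUNT_RDWR branch added to disable_file (new-side lines 337–342) logs `printf("Mounting read-only %s\n", fname);` for a read-write operation; it should be `printf("Mounting read-write %s\n", fname);`. Finally, when stat() fails fs_rdwr returns silently while the not-owner case warns; a debug message there would help an operator notice a misspelled read-write path in a profile.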