diff options
author | netblue30 <netblue30@yahoo.com> | 2016-07-19 13:03:24 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-07-19 13:03:24 -0400 |
commit | afe9fe993293a27dc345f6bca2a4b7ea964120b8 (patch) | |
tree | edc01898663f624b40f0c2b64c8a527b1d99db0b /src/firejail/fs.c | |
parent | default.profile bug (diff) | |
download | firejail-afe9fe993293a27dc345f6bca2a4b7ea964120b8.tar.gz firejail-afe9fe993293a27dc345f6bca2a4b7ea964120b8.tar.zst firejail-afe9fe993293a27dc345f6bca2a4b7ea964120b8.zip |
--read-write rework
Diffstat (limited to 'src/firejail/fs.c')
-rw-r--r-- | src/firejail/fs.c | 39 |
1 files changed, 36 insertions, 3 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index d426636d8..630458549 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -27,6 +27,8 @@ | |||
27 | #include <fcntl.h> | 27 | #include <fcntl.h> |
28 | #include <errno.h> | 28 | #include <errno.h> |
29 | 29 | ||
30 | static void fs_rdwr(const char *dir); | ||
31 | |||
30 | static void create_empty_dir(void) { | 32 | static void create_empty_dir(void) { |
31 | struct stat s; | 33 | struct stat s; |
32 | 34 | ||
@@ -229,6 +231,7 @@ typedef enum { | |||
229 | MOUNT_READONLY, | 231 | MOUNT_READONLY, |
230 | MOUNT_TMPFS, | 232 | MOUNT_TMPFS, |
231 | MOUNT_NOEXEC, | 233 | MOUNT_NOEXEC, |
234 | MOUNT_RDWR, | ||
232 | OPERATION_MAX | 235 | OPERATION_MAX |
233 | } OPERATION; | 236 | } OPERATION; |
234 | 237 | ||
@@ -331,6 +334,12 @@ static void disable_file(OPERATION op, const char *filename) { | |||
331 | fs_rdonly(fname); | 334 | fs_rdonly(fname); |
332 | // todo: last_disable = SUCCESSFUL; | 335 | // todo: last_disable = SUCCESSFUL; |
333 | } | 336 | } |
337 | else if (op == MOUNT_RDWR) { | ||
338 | if (arg_debug) | ||
339 | printf("Mounting read-only %s\n", fname); | ||
340 | fs_rdwr(fname); | ||
341 | // todo: last_disable = SUCCESSFUL; | ||
342 | } | ||
334 | else if (op == MOUNT_NOEXEC) { | 343 | else if (op == MOUNT_NOEXEC) { |
335 | if (arg_debug) | 344 | if (arg_debug) |
336 | printf("Mounting noexec %s\n", fname); | 345 | printf("Mounting noexec %s\n", fname); |
@@ -492,6 +501,10 @@ void fs_blacklist(void) { | |||
492 | ptr = entry->data + 10; | 501 | ptr = entry->data + 10; |
493 | op = MOUNT_READONLY; | 502 | op = MOUNT_READONLY; |
494 | } | 503 | } |
504 | else if (strncmp(entry->data, "read-write ", 11) == 0) { | ||
505 | ptr = entry->data + 11; | ||
506 | op = MOUNT_RDWR; | ||
507 | } | ||
495 | else if (strncmp(entry->data, "noexec ", 7) == 0) { | 508 | else if (strncmp(entry->data, "noexec ", 7) == 0) { |
496 | ptr = entry->data + 7; | 509 | ptr = entry->data + 7; |
497 | op = MOUNT_NOEXEC; | 510 | op = MOUNT_NOEXEC; |
@@ -560,6 +573,29 @@ void fs_rdonly(const char *dir) { | |||
560 | } | 573 | } |
561 | } | 574 | } |
562 | 575 | ||
576 | static void fs_rdwr(const char *dir) { | ||
577 | assert(dir); | ||
578 | // check directory exists | ||
579 | struct stat s; | ||
580 | int rv = stat(dir, &s); | ||
581 | if (rv == 0) { | ||
582 | // if the file is outside /home directory, allow only root user | ||
583 | uid_t u = getuid(); | ||
584 | if (u != 0 && s.st_uid != u) { | ||
585 | fprintf(stderr, "Warning: you are not allowed to change %s to read-write\n", dir); | ||
586 | return; | ||
587 | } | ||
588 | |||
589 | // mount --bind /bin /bin | ||
590 | if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
591 | errExit("mount read-write"); | ||
592 | // mount --bind -o remount,rw /bin | ||
593 | if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0) | ||
594 | errExit("mount read-write"); | ||
595 | fs_logger2("read-write", dir); | ||
596 | } | ||
597 | } | ||
598 | |||
563 | void fs_noexec(const char *dir) { | 599 | void fs_noexec(const char *dir) { |
564 | assert(dir); | 600 | assert(dir); |
565 | // check directory exists | 601 | // check directory exists |
@@ -757,9 +793,6 @@ void fs_basic_fs(void) { | |||
757 | // firejail sandboxes (firejail --force) | 793 | // firejail sandboxes (firejail --force) |
758 | if (getuid() != 0) | 794 | if (getuid() != 0) |
759 | disable_firejail_config(); | 795 | disable_firejail_config(); |
760 | |||
761 | if (getuid() == 0) | ||
762 | fs_rdwr(); | ||
763 | } | 796 | } |
764 | 797 | ||
765 | 798 | ||