author | smitsohu <smitsohu@gmail.com> | 2018-10-17 18:50:09 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2018-10-17 18:50:09 +0200 |
commit | d0a8395d4037ed9f0576a8d7a041e432e5c5afba (patch) | |
tree | 63b92fbc31b5b34f9bebefc586b53e7fd5eb52d9 /src/firejail/fs.c | |
parent | improve clean_pathname function (diff) | |
improve some error messages
Diffstat (limited to 'src/firejail/fs.c')
-rw-r--r-- | src/firejail/fs.c | 102 |
1 files changed, 60 insertions, 42 deletions
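--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1195,73 +1195,78 @@ void fs_check_chroot_dir(const char *rootdir) {
 }
 
 // check /dev
-fd = openat(parentfd, "dev", O_PATH|O_CLOEXEC);
+char *dir = "dev";
+fd = openat(parentfd, dir, O_PATH|O_CLOEXEC);
 if (fd == -1) {
-fprintf(stderr, "Error: cannot open /dev in chroot directory\n");
-exit(1);
+if (errno == ENOENT)
+goto error1;
+else
+goto error2;
 }
 if (fstat(fd, &s) == -1)
 errExit("fstat");
-if (!S_ISDIR(s.st_mode) || s.st_uid != 0) {
-fprintf(stderr, "Error: chroot /dev should be a directory owned by root\n");
-exit(1);
-}
+if (!S_ISDIR(s.st_mode) || s.st_uid != 0)
+goto error3;
 close(fd);
 
 // check /var/tmp
-fd = openat(parentfd, "var/tmp", O_PATH|O_CLOEXEC);
+dir = "var/tmp";
+fd = openat(parentfd, dir, O_PATH|O_CLOEXEC);
 if (fd == -1) {
-fprintf(stderr, "Error: cannot open /var/tmp in chroot directory\n");
-exit(1);
+if (errno == ENOENT)
+goto error1;
+else
+goto error2;
 }
 if (fstat(fd, &s) == -1)
 errExit("fstat");
-if (!S_ISDIR(s.st_mode) || s.st_uid != 0) {
-fprintf(stderr, "Error: chroot /var/tmp should be a directory owned by root\n");
-exit(1);
-}
+if (!S_ISDIR(s.st_mode) || s.st_uid != 0)
+goto error3;
 close(fd);
 
 // check /proc
-fd = openat(parentfd, "proc", O_PATH|O_CLOEXEC);
+dir = "proc";
+fd = openat(parentfd, dir, O_PATH|O_CLOEXEC);
 if (fd == -1) {
-fprintf(stderr, "Error: cannot open /proc in chroot directory\n");
-exit(1);
+if (errno == ENOENT)
+goto error1;
+else
+goto error2;
 }
 if (fstat(fd, &s) == -1)
 errExit("fstat");
-if (!S_ISDIR(s.st_mode) || s.st_uid != 0) {
-fprintf(stderr, "Error: chroot /proc should be a directory owned by root\n");
-exit(1);
-}
+if (!S_ISDIR(s.st_mode) || s.st_uid != 0)
+goto error3;
 close(fd);
 
 // check /tmp
-fd = openat(parentfd, "tmp", O_PATH|O_CLOEXEC);
+dir = "tmp";
+fd = openat(parentfd, dir, O_PATH|O_CLOEXEC);
 if (fd == -1) {
-fprintf(stderr, "Error: cannot open /tmp in chroot directory\n");
-exit(1);
+if (errno == ENOENT)
+goto error1;
+else
+goto error2;
 }
 if (fstat(fd, &s) == -1)
 errExit("fstat");
-if (!S_ISDIR(s.st_mode) || s.st_uid != 0) {
-fprintf(stderr, "Error: chroot /tmp should be a directory owned by root\n");
-exit(1);
-}
+if (!S_ISDIR(s.st_mode) || s.st_uid != 0)
+goto error3;
 close(fd);
 
 // check /etc
-fd = openat(parentfd, "etc", O_PATH|O_CLOEXEC);
+dir = "etc";
+fd = openat(parentfd, dir, O_PATH|O_CLOEXEC);
 if (fd == -1) {
-fprintf(stderr, "Error: cannot open /etc in chroot directory\n");
-exit(1);
+if (errno == ENOENT)
+goto error1;
+else
+goto error2;
 }
 if (fstat(fd, &s) == -1)
 errExit("fstat");
-if (!S_ISDIR(s.st_mode) || s.st_uid != 0) {
-fprintf(stderr, "Error: chroot /etc should be a directory owned by root\n");
-exit(1);
-}
+if (!S_ISDIR(s.st_mode) || s.st_uid != 0)
+goto error3;
 if (((S_IWGRP|S_IWOTH) & s.st_mode) != 0) {
 fprintf(stderr, "Error: only root user should be given write permission on chroot /etc\n");
 exit(1);
@@ -1298,21 +1303,34 @@ void fs_check_chroot_dir(const char *rootdir) {
 
 // check x11 socket directory
 if (getenv("FIREJAIL_X11")) {
-fd = openat(parentfd, "tmp/.X11-unix", O_PATH|O_CLOEXEC);
+dir = "tmp/.X11-unix";
+fd = openat(parentfd, dir, O_PATH|O_CLOEXEC);
 if (fd == -1) {
-fprintf(stderr, "Error: cannot open /tmp/.X11-unix in chroot directory\n");
-exit(1);
+if (errno == ENOENT)
+goto error1;
+else
+goto error2;
 }
 if (fstat(fd, &s) == -1)
 errExit("fstat");
-if (!S_ISDIR(s.st_mode) || s.st_uid != 0) {
-fprintf(stderr, "Error: chroot /tmp/.X11-unix should be a directory owned by root\n");
-exit(1);
-}
+if (!S_ISDIR(s.st_mode) || s.st_uid != 0)
+goto error3;
 close(fd);
 }
 
 close(parentfd);
+return;
+
+error1:
+fprintf(stderr, "Error: cannot find /%s in chroot directory\n", dir);
+exit(1);
+error2:
+perror("open");
+fprintf(stderr, "Error: cannot open /%s in chroot directory\n", dir);
+exit(1);
+error3:
+fprintf(stderr, "Error: chroot /%s should be a directory owned by root\n", dir);
+exit(1);
 }
 
 // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf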
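Review bot: The six `openat(parentfd, dir, O_PATH|O_CLOEXEC)` calls on the new side still follow a symlink in the final path component, so the `fstat()` behind the `S_ISDIR`/`st_uid` test that jumps to `error3` describes the link's target rather than the entry that actually sits in the chroot tree. Adding `O_NOFOLLOW`, as in `fd = openat(parentfd, dir, O_PATH|O_NOFOLLOW|O_CLOEXEC);`, makes an `O_PATH` open return the link itself, which the existing `S_ISDIR` check then rejects; intermediate components such as `var` in `var/tmp` would still be resolved and may need a per-component check. Whether the chroot root itself is already required to be root-owned is decided earlier in `fs_check_chroot_dir`, outside these hunks, so the practical impact should be confirmed against that code. Separately, `dir` only ever points at string literals and is better declared as `const char *dir = "dev";`.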