diff options
author | smitsohu <smitsohu@gmail.com> | 2019-06-17 03:46:11 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2019-06-17 03:46:11 +0200 |
commit | dba9dff9c52e436a37c82a72ec82c95bcd9684ce (patch) | |
tree | b0e77cb4190e2adc377964b617f4ef5402b902c1 /src/firejail/fs.c | |
parent | tighten gnome-maps (diff) | |
download | firejail-dba9dff9c52e436a37c82a72ec82c95bcd9684ce.tar.gz firejail-dba9dff9c52e436a37c82a72ec82c95bcd9684ce.tar.zst firejail-dba9dff9c52e436a37c82a72ec82c95bcd9684ce.zip |
streamline remounting (ro,rw,noexec)
Diffstat (limited to 'src/firejail/fs.c')
-rw-r--r-- | src/firejail/fs.c | 215 |
1 files changed, 58 insertions, 157 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index f3ef97aeb..36683003f 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -39,24 +39,17 @@ | |||
39 | //#define TEST_NO_BLACKLIST_MATCHING | 39 | //#define TEST_NO_BLACKLIST_MATCHING |
40 | 40 | ||
41 | 41 | ||
42 | static int mount_warning = 0; | ||
43 | static void fs_rdwr(const char *dir); | ||
44 | static void fs_rdwr_rec(const char *dir); | ||
45 | |||
46 | |||
47 | |||
48 | //*********************************************** | 42 | //*********************************************** |
49 | // process profile file | 43 | // process profile file |
50 | //*********************************************** | 44 | //*********************************************** |
51 | typedef enum { | 45 | static char *opstr[] = { |
52 | BLACKLIST_FILE, | 46 | [BLACKLIST_FILE] = "blacklist", |
53 | BLACKLIST_NOLOG, | 47 | [BLACKLIST_NOLOG] = "blacklist-nolog", |
54 | MOUNT_READONLY, | 48 | [MOUNT_READONLY] = "read-only", |
55 | MOUNT_TMPFS, | 49 | [MOUNT_TMPFS] = "tmpfs", |
56 | MOUNT_NOEXEC, | 50 | [MOUNT_NOEXEC] = "noexec", |
57 | MOUNT_RDWR, | 51 | [MOUNT_RDWR] = "read-write", |
58 | OPERATION_MAX | 52 | }; |
59 | } OPERATION; | ||
60 | 53 | ||
61 | typedef enum { | 54 | typedef enum { |
62 | UNSUCCESSFUL, | 55 | UNSUCCESSFUL, |
@@ -153,17 +146,9 @@ static void disable_file(OPERATION op, const char *filename) { | |||
153 | fs_logger2("blacklist-nolog", fname); | 146 | fs_logger2("blacklist-nolog", fname); |
154 | } | 147 | } |
155 | } | 148 | } |
156 | else if (op == MOUNT_READONLY) { | 149 | else if (op == MOUNT_READONLY | op == MOUNT_RDWR | op == MOUNT_NOEXEC) { |
157 | fs_rdonly_rec(fname); | 150 | fs_remount_rec(fname, op); |
158 | // todo: last_disable = SUCCESSFUL; | 151 | // todo: last_disable = SUCCESSFUL; |
159 | } | ||
160 | else if (op == MOUNT_RDWR) { | ||
161 | fs_rdwr_rec(fname); | ||
162 | // todo: last_disable = SUCCESSFUL; | ||
163 | } | ||
164 | else if (op == MOUNT_NOEXEC) { | ||
165 | fs_noexec_rec(fname); | ||
166 | // todo: last_disable = SUCCESSFUL; | ||
167 | } | 152 | } |
168 | else if (op == MOUNT_TMPFS) { | 153 | else if (op == MOUNT_TMPFS) { |
169 | if (S_ISDIR(s.st_mode)) { | 154 | if (S_ISDIR(s.st_mode)) { |
@@ -493,145 +478,60 @@ void fs_tmpfs(const char *dir, unsigned check_owner) { | |||
493 | close(fd); | 478 | close(fd); |
494 | } | 479 | } |
495 | 480 | ||
496 | // remount directory read-only | 481 | void fs_remount(const char *dir, OPERATION op) { |
497 | void fs_rdonly(const char *dir) { | ||
498 | assert(dir); | 482 | assert(dir); |
499 | // check directory exists | 483 | // check directory exists |
500 | struct stat s; | 484 | struct stat s; |
501 | int rv = stat(dir, &s); | 485 | int rv = stat(dir, &s); |
502 | if (rv == 0) { | 486 | if (rv == 0) { |
487 | if (op == MOUNT_RDWR) { | ||
488 | // allow only user owned directories, except the user is root | ||
489 | if (getuid() != 0 && s.st_uid != getuid()) { | ||
490 | fwarning("you are not allowed to change %s to read-write\n", dir); | ||
491 | return; | ||
492 | } | ||
493 | } | ||
503 | unsigned long flags = 0; | 494 | unsigned long flags = 0; |
504 | get_mount_flags(dir, &flags); | 495 | if (get_mount_flags(dir, &flags) != 0) { |
505 | if ((flags & MS_RDONLY) == MS_RDONLY) | 496 | fwarning("not remounting %s\n", dir); |
506 | return; | 497 | return; |
507 | flags |= MS_RDONLY; | ||
508 | if (arg_debug) | ||
509 | printf("Mounting read-only %s\n", dir); | ||
510 | // mount --bind /bin /bin | ||
511 | // mount --bind -o remount,ro /bin | ||
512 | if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || | ||
513 | mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0) | ||
514 | errExit("mount read-only"); | ||
515 | fs_logger2("read-only", dir); | ||
516 | } | ||
517 | } | ||
518 | |||
519 | // remount directory read-only recursively | ||
520 | void fs_rdonly_rec(const char *dir) { | ||
521 | assert(dir); | ||
522 | // get mount point of the directory | ||
523 | int mountid = get_mount_id(dir); | ||
524 | if (mountid == -1) | ||
525 | return; | ||
526 | if (mountid == -2) { | ||
527 | // falling back to a simple remount on old kernels | ||
528 | if (!mount_warning) { | ||
529 | fwarning("read-only, read-write and noexec options are not applied recursively\n"); | ||
530 | mount_warning = 1; | ||
531 | } | 498 | } |
532 | fs_rdonly(dir); | 499 | if (op == MOUNT_RDWR) { |
533 | return; | 500 | if ((flags & MS_RDONLY) == 0) |
534 | } | 501 | return; |
535 | // build array with all mount points that need to get remounted | 502 | flags &= ~MS_RDONLY; |
536 | char **arr = build_mount_array(mountid, dir); | ||
537 | assert(arr); | ||
538 | // remount | ||
539 | char **tmp = arr; | ||
540 | while (*tmp) { | ||
541 | fs_rdonly(*tmp); | ||
542 | free(*tmp++); | ||
543 | } | ||
544 | free(arr); | ||
545 | } | ||
546 | |||
547 | // remount directory read-write | ||
548 | static void fs_rdwr(const char *dir) { | ||
549 | assert(dir); | ||
550 | // check directory exists | ||
551 | struct stat s; | ||
552 | int rv = stat(dir, &s); | ||
553 | if (rv == 0) { | ||
554 | // allow only user owned directories, except the user is root | ||
555 | uid_t u = getuid(); | ||
556 | if (u != 0 && s.st_uid != u) { | ||
557 | fwarning("you are not allowed to change %s to read-write\n", dir); | ||
558 | return; | ||
559 | } | 503 | } |
560 | unsigned long flags = 0; | 504 | else if (op == MOUNT_NOEXEC) { |
561 | get_mount_flags(dir, &flags); | 505 | if ((flags & (MS_NOEXEC|MS_NODEV|MS_NOSUID)) == (MS_NOEXEC|MS_NODEV|MS_NOSUID)) |
562 | if ((flags & MS_RDONLY) == 0) | 506 | return; |
563 | return; | 507 | flags |= MS_NOEXEC|MS_NODEV|MS_NOSUID; |
564 | flags &= ~MS_RDONLY; | 508 | } |
509 | else if (op == MOUNT_READONLY) { | ||
510 | if ((flags & MS_RDONLY) == MS_RDONLY) | ||
511 | return; | ||
512 | flags |= MS_RDONLY; | ||
513 | } | ||
514 | else | ||
515 | assert(0); | ||
516 | |||
565 | if (arg_debug) | 517 | if (arg_debug) |
566 | printf("Mounting read-write %s\n", dir); | 518 | printf("Mounting %s %s\n", opstr[op], dir); |
567 | // mount --bind /bin /bin | 519 | // mount --bind /bin /bin |
568 | // mount --bind -o remount,rw /bin | 520 | // mount --bind -o remount,rw /bin |
569 | if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || | 521 | if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || |
570 | mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0) | 522 | mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0) |
571 | errExit("mount read-write"); | 523 | errExit("remounting"); |
572 | fs_logger2("read-write", dir); | ||
573 | // run a sanity check on /proc/self/mountinfo | 524 | // run a sanity check on /proc/self/mountinfo |
574 | MountData *mptr = get_last_mount(); | 525 | MountData *mptr = get_last_mount(); |
575 | size_t len = strlen(dir); | 526 | size_t len = strlen(dir); |
576 | if (strncmp(mptr->dir, dir, len) != 0 || | 527 | if (strncmp(mptr->dir, dir, len) != 0 || |
577 | (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/')) | 528 | (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/')) |
578 | errLogExit("invalid read-write mount"); | 529 | errLogExit("invalid %s mount", opstr[op]); |
579 | } | 530 | fs_logger2(opstr[op], dir); |
580 | } | ||
581 | |||
582 | // remount directory read-write recursively | ||
583 | static void fs_rdwr_rec(const char *dir) { | ||
584 | assert(dir); | ||
585 | // get mount point of the directory | ||
586 | int mountid = get_mount_id(dir); | ||
587 | if (mountid == -1) | ||
588 | return; | ||
589 | if (mountid == -2) { | ||
590 | // falling back to a simple remount on old kernels | ||
591 | if (!mount_warning) { | ||
592 | fwarning("read-only, read-write and noexec options are not applied recursively\n"); | ||
593 | mount_warning = 1; | ||
594 | } | ||
595 | fs_rdwr(dir); | ||
596 | return; | ||
597 | } | ||
598 | // build array with all mount points that need to get remounted | ||
599 | char **arr = build_mount_array(mountid, dir); | ||
600 | assert(arr); | ||
601 | // remount | ||
602 | char **tmp = arr; | ||
603 | while (*tmp) { | ||
604 | fs_rdwr(*tmp); | ||
605 | free(*tmp++); | ||
606 | } | ||
607 | free(arr); | ||
608 | } | ||
609 | |||
610 | // remount directory noexec, nodev, nosuid | ||
611 | void fs_noexec(const char *dir) { | ||
612 | assert(dir); | ||
613 | // check directory exists | ||
614 | struct stat s; | ||
615 | int rv = stat(dir, &s); | ||
616 | if (rv == 0) { | ||
617 | unsigned long flags = 0; | ||
618 | get_mount_flags(dir, &flags); | ||
619 | if ((flags & (MS_NOEXEC|MS_NODEV|MS_NOSUID)) == (MS_NOEXEC|MS_NODEV|MS_NOSUID)) | ||
620 | return; | ||
621 | flags |= MS_NOEXEC|MS_NODEV|MS_NOSUID; | ||
622 | if (arg_debug) | ||
623 | printf("Mounting noexec %s\n", dir); | ||
624 | // mount --bind /bin /bin | ||
625 | // mount --bind -o remount,noexec /bin | ||
626 | if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || | ||
627 | mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0) | ||
628 | errExit("mount noexec"); | ||
629 | fs_logger2("noexec", dir); | ||
630 | } | 531 | } |
631 | } | 532 | } |
632 | 533 | ||
633 | // remount directory noexec, nodev, nosuid recursively | 534 | void fs_remount_rec(const char *dir, OPERATION op) { |
634 | void fs_noexec_rec(const char *dir) { | ||
635 | assert(dir); | 535 | assert(dir); |
636 | // get mount point of the directory | 536 | // get mount point of the directory |
637 | int mountid = get_mount_id(dir); | 537 | int mountid = get_mount_id(dir); |
@@ -639,11 +539,12 @@ void fs_noexec_rec(const char *dir) { | |||
639 | return; | 539 | return; |
640 | if (mountid == -2) { | 540 | if (mountid == -2) { |
641 | // falling back to a simple remount on old kernels | 541 | // falling back to a simple remount on old kernels |
542 | static int mount_warning = 0; | ||
642 | if (!mount_warning) { | 543 | if (!mount_warning) { |
643 | fwarning("read-only, read-write and noexec options are not applied recursively\n"); | 544 | fwarning("read-only, read-write and noexec options are not applied recursively\n"); |
644 | mount_warning = 1; | 545 | mount_warning = 1; |
645 | } | 546 | } |
646 | fs_noexec(dir); | 547 | fs_remount(dir, op); |
647 | return; | 548 | return; |
648 | } | 549 | } |
649 | // build array with all mount points that need to get remounted | 550 | // build array with all mount points that need to get remounted |
@@ -652,7 +553,7 @@ void fs_noexec_rec(const char *dir) { | |||
652 | // remount | 553 | // remount |
653 | char **tmp = arr; | 554 | char **tmp = arr; |
654 | while (*tmp) { | 555 | while (*tmp) { |
655 | fs_noexec(*tmp); | 556 | fs_remount(*tmp, op); |
656 | free(*tmp++); | 557 | free(*tmp++); |
657 | } | 558 | } |
658 | free(arr); | 559 | free(arr); |
@@ -827,22 +728,22 @@ void fs_basic_fs(void) { | |||
827 | if (arg_debug) | 728 | if (arg_debug) |
828 | printf("Basic read-only filesystem:\n"); | 729 | printf("Basic read-only filesystem:\n"); |
829 | if (!arg_writable_etc) { | 730 | if (!arg_writable_etc) { |
830 | fs_rdonly("/etc"); | 731 | fs_remount("/etc", MOUNT_READONLY); |
831 | if (uid) | 732 | if (uid) |
832 | fs_noexec("/etc"); | 733 | fs_remount("/etc", MOUNT_NOEXEC); |
833 | } | 734 | } |
834 | if (!arg_writable_var) { | 735 | if (!arg_writable_var) { |
835 | fs_rdonly("/var"); | 736 | fs_remount("/var", MOUNT_READONLY); |
836 | if (uid) | 737 | if (uid) |
837 | fs_noexec("/var"); | 738 | fs_remount("/var", MOUNT_NOEXEC); |
838 | } | 739 | } |
839 | fs_rdonly("/bin"); | 740 | fs_remount("/bin", MOUNT_READONLY); |
840 | fs_rdonly("/sbin"); | 741 | fs_remount("/sbin", MOUNT_READONLY); |
841 | fs_rdonly("/lib"); | 742 | fs_remount("/lib", MOUNT_READONLY); |
842 | fs_rdonly("/lib64"); | 743 | fs_remount("/lib64", MOUNT_READONLY); |
843 | fs_rdonly("/lib32"); | 744 | fs_remount("/lib32", MOUNT_READONLY); |
844 | fs_rdonly("/libx32"); | 745 | fs_remount("/libx32", MOUNT_READONLY); |
845 | fs_rdonly("/usr"); | 746 | fs_remount("/usr", MOUNT_READONLY); |
846 | 747 | ||
847 | // update /var directory in order to support multiple sandboxes running on the same root directory | 748 | // update /var directory in order to support multiple sandboxes running on the same root directory |
848 | fs_var_lock(); | 749 | fs_var_lock(); |
@@ -851,7 +752,7 @@ void fs_basic_fs(void) { | |||
851 | if (!arg_writable_var_log) | 752 | if (!arg_writable_var_log) |
852 | fs_var_log(); | 753 | fs_var_log(); |
853 | else | 754 | else |
854 | fs_rdwr("/var/log"); | 755 | fs_remount("/var/log", MOUNT_RDWR); |
855 | 756 | ||
856 | fs_var_lib(); | 757 | fs_var_lib(); |
857 | fs_var_cache(); | 758 | fs_var_cache(); |