diff options
| author |  smitsohu <smitsohu@gmail.com> | 2019-06-17 14:40:02 +0200 |
|---|---|---|
| committer | smitsohu <smitsohu@gmail.com> | 2019-06-17 14:40:02 +0200 |
| commit | e3cafb7fac7a8b17c8376616c93317c9d51cdda7 (patch) | |
| tree | 2ff3d356f553d9bb49906bfacd8818954492b2e5 /src/firejail/fs.c | |
| parent | cleanup (diff) | |
| download | firejail-e3cafb7fac7a8b17c8376616c93317c9d51cdda7.tar.gz firejail-e3cafb7fac7a8b17c8376616c93317c9d51cdda7.tar.zst firejail-e3cafb7fac7a8b17c8376616c93317c9d51cdda7.zip | |
no postmount checks when building basic filesystem
fixes #2782
Diffstat (limited to 'src/firejail/fs.c')
| -rw-r--r-- | src/firejail/fs.c | 49 |
1 files changed, 26 insertions, 23 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index d94f6a121..beab84dec 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
| @@ -147,7 +147,7 @@ static void disable_file(OPERATION op, const char *filename) { | |||
| 147 | } | 147 | } |
| 148 | } | 148 | } |
| 149 | else if (op == MOUNT_READONLY | op == MOUNT_RDWR | op == MOUNT_NOEXEC) { | 149 | else if (op == MOUNT_READONLY | op == MOUNT_RDWR | op == MOUNT_NOEXEC) { |
| 150 | fs_remount_rec(fname, op); | 150 | fs_remount_rec(fname, op, 1); |
| 151 | // todo: last_disable = SUCCESSFUL; | 151 | // todo: last_disable = SUCCESSFUL; |
| 152 | } | 152 | } |
| 153 | else if (op == MOUNT_TMPFS) { | 153 | else if (op == MOUNT_TMPFS) { |
| @@ -478,7 +478,7 @@ void fs_tmpfs(const char *dir, unsigned check_owner) { | |||
| 478 | close(fd); | 478 | close(fd); |
| 479 | } | 479 | } |
| 480 | 480 | ||
| 481 | void fs_remount(const char *dir, OPERATION op) { | 481 | void fs_remount(const char *dir, OPERATION op, unsigned check_mnt) { |
| 482 | assert(dir); | 482 | assert(dir); |
| 483 | // check directory exists | 483 | // check directory exists |
| 484 | struct stat s; | 484 | struct stat s; |
| @@ -519,17 +519,19 @@ void fs_remount(const char *dir, OPERATION op) { | |||
| 519 | if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || | 519 | if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || |
| 520 | mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0) | 520 | mount(NULL, dir, NULL, flags|MS_BIND|MS_REMOUNT, NULL) < 0) |
| 521 | errExit("remounting"); | 521 | errExit("remounting"); |
| 522 | // run a sanity check on /proc/self/mountinfo | 522 | if (check_mnt) { |
| 523 | MountData *mptr = get_last_mount(); | 523 | // run a sanity check on /proc/self/mountinfo |
| 524 | size_t len = strlen(dir); | 524 | MountData *mptr = get_last_mount(); |
| 525 | if (strncmp(mptr->dir, dir, len) != 0 || | 525 | size_t len = strlen(dir); |
| 526 | (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/')) | 526 | if (strncmp(mptr->dir, dir, len) != 0 || |
| 527 | errLogExit("invalid %s mount", opstr[op]); | 527 | (*(mptr->dir + len) != '\0' && *(mptr->dir + len) != '/')) |
| 528 | errLogExit("invalid %s mount", opstr[op]); | ||
| 529 | } | ||
| 528 | fs_logger2(opstr[op], dir); | 530 | fs_logger2(opstr[op], dir); |
| 529 | } | 531 | } |
| 530 | } | 532 | } |
| 531 | 533 | ||
| 532 | void fs_remount_rec(const char *dir, OPERATION op) { | 534 | void fs_remount_rec(const char *dir, OPERATION op, unsigned check_mnt) { |
| 533 | assert(dir); | 535 | assert(dir); |
| 534 | // get mount point of the directory | 536 | // get mount point of the directory |
| 535 | int mountid = get_mount_id(dir); | 537 | int mountid = get_mount_id(dir); |
| @@ -542,7 +544,7 @@ void fs_remount_rec(const char *dir, OPERATION op) { | |||
| 542 | fwarning("read-only, read-write and noexec options are not applied recursively\n"); | 544 | fwarning("read-only, read-write and noexec options are not applied recursively\n"); |
| 543 | mount_warning = 1; | 545 | mount_warning = 1; |
| 544 | } | 546 | } |
| 545 | fs_remount(dir, op); | 547 | fs_remount(dir, op, check_mnt); |
| 546 | return; | 548 | return; |
| 547 | } | 549 | } |
| 548 | // build array with all mount points that need to get remounted | 550 | // build array with all mount points that need to get remounted |
| @@ -551,7 +553,7 @@ void fs_remount_rec(const char *dir, OPERATION op) { | |||
| 551 | // remount | 553 | // remount |
| 552 | char **tmp = arr; | 554 | char **tmp = arr; |
| 553 | while (*tmp) { | 555 | while (*tmp) { |
| 554 | fs_remount(*tmp, op); | 556 | fs_remount(*tmp, op, check_mnt); |
| 555 | free(*tmp++); | 557 | free(*tmp++); |
| 556 | } | 558 | } |
| 557 | free(arr); | 559 | free(arr); |
| @@ -720,28 +722,29 @@ static void disable_config(void) { | |||
| 720 | 722 | ||
| 721 | 723 | ||
| 722 | // build a basic read-only filesystem | 724 | // build a basic read-only filesystem |
| 725 | // top level directories could be links, run no after-mount checks | ||
| 723 | void fs_basic_fs(void) { | 726 | void fs_basic_fs(void) { |
| 724 | uid_t uid = getuid(); | 727 | uid_t uid = getuid(); |
| 725 | 728 | ||
| 726 | if (arg_debug) | 729 | if (arg_debug) |
| 727 | printf("Basic read-only filesystem:\n"); | 730 | printf("Basic read-only filesystem:\n"); |
| 728 | if (!arg_writable_etc) { | 731 | if (!arg_writable_etc) { |
| 729 | fs_remount("/etc", MOUNT_READONLY); | 732 | fs_remount("/etc", MOUNT_READONLY, 0); |
| 730 | if (uid) | 733 | if (uid) |
| 731 | fs_remount("/etc", MOUNT_NOEXEC); | 734 | fs_remount("/etc", MOUNT_NOEXEC, 0); |
| 732 | } | 735 | } |
| 733 | if (!arg_writable_var) { | 736 | if (!arg_writable_var) { |
| 734 | fs_remount("/var", MOUNT_READONLY); | 737 | fs_remount("/var", MOUNT_READONLY, 0); |
| 735 | if (uid) | 738 | if (uid) |
| 736 | fs_remount("/var", MOUNT_NOEXEC); | 739 | fs_remount("/var", MOUNT_NOEXEC, 0); |
| 737 | } | 740 | } |
| 738 | fs_remount("/bin", MOUNT_READONLY); | 741 | fs_remount("/bin", MOUNT_READONLY, 0); |
| 739 | fs_remount("/sbin", MOUNT_READONLY); | 742 | fs_remount("/sbin", MOUNT_READONLY, 0); |
| 740 | fs_remount("/lib", MOUNT_READONLY); | 743 | fs_remount("/lib", MOUNT_READONLY, 0); |
| 741 | fs_remount("/lib64", MOUNT_READONLY); | 744 | fs_remount("/lib64", MOUNT_READONLY, 0); |
| 742 | fs_remount("/lib32", MOUNT_READONLY); | 745 | fs_remount("/lib32", MOUNT_READONLY, 0); |
| 743 | fs_remount("/libx32", MOUNT_READONLY); | 746 | fs_remount("/libx32", MOUNT_READONLY, 0); |
| 744 | fs_remount("/usr", MOUNT_READONLY); | 747 | fs_remount("/usr", MOUNT_READONLY, 0); |
| 745 | 748 | ||
| 746 | // update /var directory in order to support multiple sandboxes running on the same root directory | 749 | // update /var directory in order to support multiple sandboxes running on the same root directory |
| 747 | fs_var_lock(); | 750 | fs_var_lock(); |
| @@ -750,7 +753,7 @@ void fs_basic_fs(void) { | |||
| 750 | if (!arg_writable_var_log) | 753 | if (!arg_writable_var_log) |
| 751 | fs_var_log(); | 754 | fs_var_log(); |
| 752 | else | 755 | else |
| 753 | fs_remount("/var/log", MOUNT_RDWR); | 756 | fs_remount("/var/log", MOUNT_RDWR, 0); |
| 754 | 757 | ||
| 755 | fs_var_lib(); | 758 | fs_var_lib(); |
| 756 | fs_var_cache(); | 759 | fs_var_cache(); |