authorLibravatar netblue30 <netblue30@yahoo.com>2017-08-11 15:05:24 -0400
committerLibravatar netblue30 <netblue30@yahoo.com>2017-08-11 15:05:24 -0400
commitb1479a3730a361221c271226cc56d0724ee109c4 (patch)
tree0c4b918641f0164ef5f67024d89da1c6e6965c3a /src/firejail/fs_dev.c
parentfix xpra profile (diff)
private-dev enhancements
Diffstat (limited to 'src/firejail/fs_dev.c')
-rw-r--r--src/firejail/fs_dev.c60
1 files changed, 34 insertions, 26 deletions
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index b6d9e364f..d94a6de5a 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -82,31 +82,39 @@ static void deventry_mount(void) {
82 while (dev[i].dev_fname != NULL) { 82 while (dev[i].dev_fname != NULL) {
83 struct stat s; 83 struct stat s;
84 if (stat(dev[i].run_fname, &s) == 0) { 84 if (stat(dev[i].run_fname, &s) == 0) {
85 int dir = is_dir(dev[i].run_fname); 85
86 if (arg_debug) 86 // check device type and subsystem configuration
87 printf("mounting %s %s\n", dev[i].run_fname, (dir)? "directory": "file"); 87 if ((dev[i].type == DEV_SOUND && arg_nosound == 0) ||
88 if (dir) { 88 (dev[i].type == DEV_3D && arg_no3d == 0) ||
89 mkdir_attr(dev[i].dev_fname, 0755, 0, 0); 89 (dev[i].type == DEV_VIDEO && arg_novideo == 0) ||
90 } 90 (dev[i].type == DEV_TV && arg_notv == 0)) {
91 else { 91
92 struct stat s; 92 int dir = is_dir(dev[i].run_fname);
93 if (stat(dev[i].run_fname, &s) == -1) { 93 if (arg_debug)
94 if (arg_debug) 94 printf("mounting %s %s\n", dev[i].run_fname, (dir)? "directory": "file");
95 fwarning("cannot stat %s file\n", dev[i].run_fname); 95 if (dir) {
96 i++; 96 mkdir_attr(dev[i].dev_fname, 0755, 0, 0);
97 continue;
98 } 97 }
99 FILE *fp = fopen(dev[i].dev_fname, "w"); 98 else {
100 if (fp) { 99 struct stat s;
101 fprintf(fp, "\n"); 100 if (stat(dev[i].run_fname, &s) == -1) {
102 SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode); 101 if (arg_debug)
103 fclose(fp); 102 fwarning("cannot stat %s file\n", dev[i].run_fname);
103 i++;
104 continue;
105 }
106 FILE *fp = fopen(dev[i].dev_fname, "w");
107 if (fp) {
108 fprintf(fp, "\n");
109 SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode);
110 fclose(fp);
111 }
104 } 112 }
113
114 if (mount(dev[i].run_fname, dev[i].dev_fname, NULL, MS_BIND|MS_REC, NULL) < 0)
115 errExit("mounting dev file");
116 fs_logger2("whitelist", dev[i].dev_fname);
105 } 117 }
106
107 if (mount(dev[i].run_fname, dev[i].dev_fname, NULL, MS_BIND|MS_REC, NULL) < 0)
108 errExit("mounting dev file");
109 fs_logger2("whitelist", dev[i].dev_fname);
110 } 118 }
111 119
112 i++; 120 i++;
@@ -149,7 +157,7 @@ void fs_private_dev(void){
149 // keep a copy of dev directory 157 // keep a copy of dev directory
150 mkdir_attr(RUN_DEV_DIR, 0755, 0, 0); 158 mkdir_attr(RUN_DEV_DIR, 0755, 0, 0);
151 if (mount("/dev", RUN_DEV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) 159 if (mount("/dev", RUN_DEV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
152 errExit("mounting /dev/dri"); 160 errExit("mounting /dev");
153 161
154 // create DEVLOG_FILE 162 // create DEVLOG_FILE
155 int have_devlog = 0; 163 int have_devlog = 0;
@@ -172,6 +180,7 @@ void fs_private_dev(void){
172 errExit("mounting /dev"); 180 errExit("mounting /dev");
173 fs_logger("tmpfs /dev"); 181 fs_logger("tmpfs /dev");
174 182
183 // optional devices: sound, video cards etc...
175 deventry_mount(); 184 deventry_mount();
176 185
177 // bring back /dev/log 186 // bring back /dev/log
@@ -186,8 +195,7 @@ void fs_private_dev(void){
186 } 195 }
187 } 196 }
188 if (mount(RUN_RO_DIR, RUN_DEV_DIR, "none", MS_BIND, "mode=400,gid=0") < 0) 197 if (mount(RUN_RO_DIR, RUN_DEV_DIR, "none", MS_BIND, "mode=400,gid=0") < 0)
189 errExit("disable /dev/snd"); 198 errExit("disable run dev directory");
190
191 199
192 // create /dev/shm 200 // create /dev/shm
193 if (arg_debug) 201 if (arg_debug)
@@ -195,7 +203,7 @@ void fs_private_dev(void){
195 mkdir_attr("/dev/shm", 01777, 0, 0); 203 mkdir_attr("/dev/shm", 01777, 0, 0);
196 fs_logger("mkdir /dev/shm"); 204 fs_logger("mkdir /dev/shm");
197 205
198 // create devices 206 // create default devices
199 create_char_dev("/dev/zero", 0666, 1, 5); // mknod -m 666 /dev/zero c 1 5 207 create_char_dev("/dev/zero", 0666, 1, 5); // mknod -m 666 /dev/zero c 1 5
200 fs_logger("mknod /dev/zero"); 208 fs_logger("mknod /dev/zero");
201 create_char_dev("/dev/null", 0666, 1, 3); // mknod -m 666 /dev/null c 1 3 209 create_char_dev("/dev/null", 0666, 1, 3); // mknod -m 666 /dev/null c 1 3
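Review bot: In the restructured `else` branch of deventry_mount (new lines 99-105) the inner `struct stat s;` shadows the `s` that the enclosing `if (stat(dev[i].run_fname, &s) == 0)` at line 84 has already filled for the same path, so the second `stat()` together with its `i++; continue;` bail-out is dead weight and can be deleted, letting `SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode)` read the outer `s`. The new type/flag gate at lines 87-90 deserves a comment, because an entry whose `type` is none of the four listed values is now silently never mounted; that is fail-closed, which is the right default for a sandbox, but easy to miss when a row is added to the `dev[]` table, e.g. `// entries of any other type are intentionally skipped: extend this list when adding a DevType`. A failed `fopen` of the placeholder file at line 106 is also ignored (`if (fp)` with no else), so the following `mount()` at line 114 dies with the generic "mounting dev file" message; an `else fwarning("cannot create %s\n", dev[i].dev_fname);` would make that failure easier to triage. deventry_mount's signature and the `dev[]` table it iterates lie outside the hunk, so the set of types the table actually uses cannot be checked here.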