authorLibravatar smitsohu <smitsohu@gmail.com>2020-04-21 01:31:51 +0200
committerLibravatar smitsohu <smitsohu@gmail.com>2020-04-21 01:31:51 +0200
commit49cceecbf06eb0a3fad38b1fbbb3a3968e1c99f5 (patch)
tree503802c551300da8fe564ce6e9deb14f76c7f7b3 /src/firejail/fs_home.c
parentrelaxing symlink restrictions (diff)
resolve conflict between private and allusers options - #3185
Diffstat (limited to 'src/firejail/fs_home.c')
-rw-r--r--src/firejail/fs_home.c65
1 files changed, 31 insertions, 34 deletions
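diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 381ee6178..ff6d78bf2 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -352,20 +352,6 @@ void fs_private(void) {
 int xflag = store_xauthority();
 int aflag = store_asoundrc();
 
-// mask /home
-if (u == 0 && arg_allusers) // allow --allusers when starting the sandbox as root
-;
-else {
-if (arg_debug)
-printf("Mounting a new /home directory\n");
-if (arg_allusers)
-fwarning("allusers option disabled by private or whitelist option\n");
-if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=755,gid=0") < 0)
-errExit("mounting /home directory");
-selinux_relabel_path("/home", "/home");
-fs_logger("tmpfs /home");
-}
-
 // mask /root
 if (arg_debug)
 printf("Mounting a new /root directory\n");
@@ -373,28 +359,39 @@ void fs_private(void) {
 errExit("mounting /root directory");
 fs_logger("tmpfs /root");
 
-if (u != 0) {
-if (strncmp(homedir, "/home/", 6) == 0) {
-// create /home/user
-if (arg_debug)
-printf("Create a new user directory\n");
-if (mkdir(homedir, S_IRWXU) == -1) {
-if (mkpath_as_root(homedir) == -1)
-errExit("mkpath");
-if (mkdir(homedir, S_IRWXU) == -1 && errno != EEXIST)
-errExit("mkdir");
-}
-if (chown(homedir, u, g) < 0)
-errExit("chown");
-selinux_relabel_path(homedir, homedir);
+if (arg_allusers) {
+if (u != 0)
+fs_tmpfs(homedir, 1); // check if directory is owned by the current user
+}
+else { // mask /home
+if (arg_debug)
+printf("Mounting a new /home directory\n");
+if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=755,gid=0") < 0)
+errExit("mounting /home directory");
+selinux_relabel_path("/home", "/home");
+fs_logger("tmpfs /home");
 
-fs_logger2("mkdir", homedir);
-fs_logger2("tmpfs", homedir);
+if (u != 0) {
+if (strncmp(homedir, "/home/", 6) == 0) {
+// create /home/user
+if (arg_debug)
+printf("Create a new user directory\n");
+if (mkdir(homedir, S_IRWXU) == -1) {
+if (mkpath_as_root(homedir) == -1)
+errExit("mkpath");
+if (mkdir(homedir, S_IRWXU) == -1 && errno != EEXIST)
+errExit("mkdir");
+}
+if (chown(homedir, u, g) < 0)
+errExit("chown");
+
+selinux_relabel_path(homedir, homedir);
+fs_logger2("mkdir", homedir);
+fs_logger2("tmpfs", homedir);
+}
+else
+fs_tmpfs(homedir, 1); // check if directory is owned by the current user
 }
-else
-// user directory is outside /home, mask it as well
-// check if directory is owned by the current user
-fs_tmpfs(homedir, 1);
 }
 
 skel(homedir, u, g);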
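Review bot: In the new `if (arg_allusers)` branch of the second hunk, the private home rests entirely on `fs_tmpfs(homedir, 1)`, whose outcome is not checked at this call site, and `skel(homedir, u, g)` runs afterwards either way. fs_tmpfs is defined outside this diff; if its ownership check can decline to mount (the inline comment suggests it inspects the owner), skel would presumably write into the real home directory, so that case deserves an explicit bail-out or at least a comment stating what is guaranteed. The branch also drops the old `fwarning` without a replacement, so a non-root `--private --allusers` run now leaves the rest of /home in place with no trace in the debug output. A comment such as `// --allusers: keep /home, mount a tmpfs over the caller's home only` and a line like `if (arg_debug) printf("allusers: /home left in place, masking %s only\n", homedir);` would make that visible. fs_private() begins and ends outside the hunks shown.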