Merge pull request #4229 from smitsohu/whitelist2

Whitelist2
author: netblue30 <netblue30@protonmail.com> 2021-05-18 09:00:45 -0500
committer: GitHub <noreply@github.com> 2021-05-18 09:00:45 -0500
commit: ed7db097bd4eb387cd4583a71ba76cf126e5d8c7 (patch)
tree: 58cb4dd296e6ccdab0eb68e972f8919ebcdb5731 /src/firejail/fs_home.c
parent: Fix #4282 -- Unable to open X display when running firejail chromium command (diff)
parent: add /run whitelist support (diff)
download: firejail-ed7db097bd4eb387cd4583a71ba76cf126e5d8c7.tar.gz
firejail-ed7db097bd4eb387cd4583a71ba76cf126e5d8c7.tar.zst
firejail-ed7db097bd4eb387cd4583a71ba76cf126e5d8c7.zip
1 files changed, 3 insertions, 3 deletions
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index c7b87235a..4bcefa443 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -262,10 +262,10 @@ void fs_private_homedir(void) {
        if (arg_debug)
                printf("Mount-bind %s on top of %s\n", private_homedir, homedir);
        // get file descriptors for homedir and private_homedir, fails if there is any symlink
-        int src = safe_fd(private_homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        int src = safer_openat(-1, private_homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
        if (src == -1)
                errExit("opening private directory");
-        int dst = safe_fd(homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        int dst = safer_openat(-1, homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
        if (dst == -1)
                errExit("opening home directory");
        // both mount source and target should be owned by the user
@@ -576,7 +576,7 @@ void fs_private_home_list(void) {
        if (arg_debug)
                printf("Mount-bind %s on top of %s\n", RUN_HOME_DIR, homedir);
-        int fd = safe_fd(homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+        int fd = safer_openat(-1, homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
        if (fd == -1)
                errExit("opening home directory");
        // home directory should be owned by the user
author	netblue30 <netblue30@protonmail.com>	2021-05-18 09:00:45 -0500
committer	GitHub <noreply@github.com>	2021-05-18 09:00:45 -0500
commit	ed7db097bd4eb387cd4583a71ba76cf126e5d8c7 (patch)
tree	58cb4dd296e6ccdab0eb68e972f8919ebcdb5731 /src/firejail/fs_home.c
parent	Fix #4282 -- Unable to open X display when running firejail chromium command (diff)
parent	add /run whitelist support (diff)
download	firejail-ed7db097bd4eb387cd4583a71ba76cf126e5d8c7.tar.gz firejail-ed7db097bd4eb387cd4583a71ba76cf126e5d8c7.tar.zst firejail-ed7db097bd4eb387cd4583a71ba76cf126e5d8c7.zip

diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index c7b87235a..4bcefa443 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c
@@ -262,10 +262,10 @@ void fs_private_homedir(void) {
262	if (arg_debug)	262	if (arg_debug)
263	printf("Mount-bind %s on top of %s\n", private_homedir, homedir);	263	printf("Mount-bind %s on top of %s\n", private_homedir, homedir);
264	// get file descriptors for homedir and private_homedir, fails if there is any symlink	264	// get file descriptors for homedir and private_homedir, fails if there is any symlink
265	int src = safe_fd(private_homedir, O_PATH\|O_DIRECTORY\|O_NOFOLLOW\|O_CLOEXEC);	265	int src = safer_openat(-1, private_homedir, O_PATH\|O_DIRECTORY\|O_NOFOLLOW\|O_CLOEXEC);
266	if (src == -1)	266	if (src == -1)
267	errExit("opening private directory");	267	errExit("opening private directory");
268	int dst = safe_fd(homedir, O_PATH\|O_DIRECTORY\|O_NOFOLLOW\|O_CLOEXEC);	268	int dst = safer_openat(-1, homedir, O_PATH\|O_DIRECTORY\|O_NOFOLLOW\|O_CLOEXEC);
269	if (dst == -1)	269	if (dst == -1)
270	errExit("opening home directory");	270	errExit("opening home directory");
271	// both mount source and target should be owned by the user	271	// both mount source and target should be owned by the user
@@ -576,7 +576,7 @@ void fs_private_home_list(void) {
576	if (arg_debug)	576	if (arg_debug)
577	printf("Mount-bind %s on top of %s\n", RUN_HOME_DIR, homedir);	577	printf("Mount-bind %s on top of %s\n", RUN_HOME_DIR, homedir);
578		578
579	int fd = safe_fd(homedir, O_PATH\|O_DIRECTORY\|O_NOFOLLOW\|O_CLOEXEC);	579	int fd = safer_openat(-1, homedir, O_PATH\|O_DIRECTORY\|O_NOFOLLOW\|O_CLOEXEC);
580	if (fd == -1)	580	if (fd == -1)
581	errExit("opening home directory");	581	errExit("opening home directory");
582	// home directory should be owned by the user	582	// home directory should be owned by the user