author | smitsohu <smitsohu@gmail.com> | 2021-06-08 18:24:22 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-06-08 18:24:22 +0200 |
commit | 5e30eb49355f5620cc2f99100a0890cfed02ccd4 (patch) | |
tree | 0852f5402f9785dc1ebdd236eb31a9c40b02adf4 /src/firejail/fs_lib.c | |
parent | fixup 9678da00301562464464099b9d7cfd76424fbb23 (diff) | |
parent | add more EUID switching (diff) | |
Merge pull request #4349 from smitsohu/misc
Misc hardening + refactoring
Diffstat (limited to 'src/firejail/fs_lib.c')
-rw-r--r-- | src/firejail/fs_lib.c | 13 |
1 files changed, 7 insertions, 6 deletions
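--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -178,8 +178,7 @@ void fslib_mount(const char *full_path) {
 
 if (*full_path == '\0' ||
 !valid_full_path(full_path) ||
-access(full_path, F_OK) != 0 ||
-stat(full_path, &s) != 0 ||
+stat_as_user(full_path, &s) != 0 ||
 s.st_uid != 0)
 return;
 
@@ -203,7 +202,7 @@ void fslib_mount_libs(const char *full_path, unsigned user) {
 }
 
 if (arg_debug || arg_debug_private_lib)
-printf(" fslib_mount_libs %s (parse as %s)\n", full_path, user ? "user" : "root");
+printf(" fslib_mount_libs %s\n", full_path);
 // create an empty RUN_LIB_FILE and allow the user to write to it
 unlink(RUN_LIB_FILE); // in case is there
 create_empty_file_as_root(RUN_LIB_FILE, 0644);
@@ -212,7 +211,7 @@ void fslib_mount_libs(const char *full_path, unsigned user) {
 
 // run fldd to extract the list of files
 if (arg_debug || arg_debug_private_lib)
-printf(" running fldd %s\n", full_path);
+printf(" running fldd %s as %s\n", full_path, user ? "user" : "root");
 unsigned mask;
 if (user)
 mask = SBOX_USER;
@@ -246,7 +245,7 @@ static void load_library(const char *fname) {
 
 // existing file owned by root
 struct stat s;
-if (!access(fname, F_OK) && stat(fname, &s) == 0 && s.st_uid == 0) {
+if (stat_as_user(fname, &s) == 0 && s.st_uid == 0) {
 // load directories, regular 64 bit libraries, and 64 bit executables
 if (S_ISDIR(s.st_mode))
 fslib_mount(fname);
@@ -286,19 +285,21 @@ static void install_list_entry(const char *lib) {
 #define DO_GLOBBING
 #ifdef DO_GLOBBING
 // globbing
+EUID_USER();
 glob_t globbuf;
 int globerr = glob(fname, GLOB_NOCHECK | GLOB_NOSORT | GLOB_PERIOD, NULL, &globbuf);
 if (globerr) {
 fprintf(stderr, "Error: failed to glob private-lib pattern %s\n", fname);
 exit(1);
 }
+EUID_ROOT();
 size_t j;
 for (j = 0; j < globbuf.gl_pathc; j++) {
 assert(globbuf.gl_pathv[j]);
 //printf("glob %s\n", globbuf.gl_pathv[j]);
 // GLOB_NOCHECK - no pattern matched returns the original pattern; try to load it anyway
 
-// foobar/* includes foobar/. and foobar/..
+// foobar/* expands to foobar/. and foobar/..
 const char *base = gnu_basename(globbuf.gl_pathv[j]);
 if (strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
 continue;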