author | smitsohu <smitsohu@gmail.com> | 2019-09-17 14:38:24 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2019-09-17 14:38:24 +0200 |
commit | 528f6a67ea4f5d2796f2e68432e92fc6d8999976 (patch) | |
tree | 03fe1a90115e4a3d569da39647954f20be52a42b /src/firejail/fs_trace.c | |
parent | Add allow-perl.inc to w3m.profile (#2965) (diff) | |
move to fd based trace file mount
Diffstat (limited to 'src/firejail/fs_trace.c')
-rw-r--r-- | src/firejail/fs_trace.c | 33 |
1 files changed, 25 insertions, 8 deletions
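--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -46,21 +46,38 @@ void fs_trace_preload(void) {
 printf("Creating an empty trace log file: %s\n", arg_tracefile);
 // create a bind mounted trace logfile that the sandbox can see
 EUID_USER();
-FILE *fp = fopen(arg_tracefile, "w");
-if (!fp)
-errExit("fopen");
-SET_PERMS_STREAM(fp, firejail_uid, firejail_gid, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
-fclose(fp);
+int fd = open(arg_tracefile, O_CREAT|O_RDWR, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
+if (fd == -1) {
+perror("open");
+fprintf(stderr, "Error: cannot open trace log file %s\n", arg_tracefile);
+exit(1);
+}
+if (fstat(fd, &s) == -1)
+errExit("fstat");
+if (!S_ISREG(s.st_mode)) {
+fprintf(stderr, "Error: cannot write trace log: %s is no regular file\n", arg_tracefile);
+exit(1);
+}
+if (ftruncate(fd, 0) == -1)
+errExit("ftruncate");
 EUID_ROOT();
-fp = fopen(RUN_TRACE_FILE, "w");
+FILE *fp = fopen(RUN_TRACE_FILE, "w");
 if (!fp)
 errExit("fopen " RUN_TRACE_FILE);
 fclose(fp);
 fs_logger2("touch ", arg_tracefile);
-if (mount(arg_tracefile, RUN_TRACE_FILE, NULL, MS_BIND|MS_REC, NULL) < 0)
-errExit("mount bind " RUN_TRACE_FILE);
+// mount using the symbolic link in /proc/self/fd
 if (arg_debug)
 printf("Bind mount %s to %s\n", arg_tracefile, RUN_TRACE_FILE);
+char *proc;
+if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+errExit("asprintf");
+if (mount(proc, RUN_TRACE_FILE, NULL, MS_BIND|MS_REC, NULL) < 0)
+errExit("mount bind " RUN_TRACE_FILE);
+free(proc);
+close(fd);
+// now that RUN_TRACE_FILE is user-writable, mount it noexec
+fs_remount(RUN_TRACE_FILE, MOUNT_NOEXEC, 0);
 }
 }
 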
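Review bot: The new `open()` on the user-supplied `arg_tracefile` runs before the `S_ISREG` check, so a path naming a device node or other special file can block or cause side effects in the open itself before it is rejected. Using `int fd = open(arg_tracefile, O_CREAT|O_RDWR|O_NONBLOCK|O_CLOEXEC, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);` keeps the open inert and keeps the descriptor from being inherited across any exec before `close(fd)`. The mode argument only takes effect when the file is created and is filtered by the umask, whereas the removed `SET_PERMS_STREAM` call appears to have set owner and mode explicitly; if 0644 on a pre-existing file is still wanted, an `fchmod(fd, ...)` after the `S_ISREG` check would keep it. The `// mount using the symbolic link in /proc/self/fd` comment is now separated from the `mount(proc, ...)` call by the debug `printf`, which also reports the bind mount before it has been attempted; moving the debug print below the mount would fix both. The function starts above the hunk, where `s` is presumably declared.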