diff options
author | smitsohu <smitsohu@gmail.com> | 2021-09-29 15:49:52 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2021-10-01 18:25:18 +0200 |
commit | 9e18bf8a10a3b9b948c15853ad716cf8e3673fcf (patch) | |
tree | 8ec3c5de5f63ae6975da6862321ef0a11b19d563 /src/firejail/fs_whitelist.c | |
parent | private-lib fixup (diff) | |
download | firejail-9e18bf8a10a3b9b948c15853ad716cf8e3673fcf.tar.gz firejail-9e18bf8a10a3b9b948c15853ad716cf8e3673fcf.tar.zst firejail-9e18bf8a10a3b9b948c15853ad716cf8e3673fcf.zip |
add more EUID improvements
Diffstat (limited to 'src/firejail/fs_whitelist.c')
-rw-r--r-- | src/firejail/fs_whitelist.c | 59 |
1 files changed, 25 insertions, 34 deletions
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 943f275de..7afebed1f 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -105,6 +105,7 @@ static int whitelist_mkpath(const char* path, mode_t mode) { | |||
105 | } | 105 | } |
106 | 106 | ||
107 | static void whitelist_file(int dirfd, const char *relpath, const char *path) { | 107 | static void whitelist_file(int dirfd, const char *relpath, const char *path) { |
108 | EUID_ASSERT(); | ||
108 | assert(relpath && path); | 109 | assert(relpath && path); |
109 | 110 | ||
110 | // open mount source, using a file descriptor that refers to the | 111 | // open mount source, using a file descriptor that refers to the |
@@ -130,12 +131,9 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) { | |||
130 | } | 131 | } |
131 | 132 | ||
132 | // create mount target as root, except if inside home or run/user/$UID directory | 133 | // create mount target as root, except if inside home or run/user/$UID directory |
133 | int userprivs = 0; | 134 | if ((strncmp(path, cfg.homedir, homedir_len) != 0 || path[homedir_len] != '/') && |
134 | if ((strncmp(path, cfg.homedir, homedir_len) == 0 && path[homedir_len] == '/') || | 135 | (strncmp(path, runuser, runuser_len) != 0 || path[runuser_len] != '/')) |
135 | (strncmp(path, runuser, runuser_len) == 0 && path[runuser_len] == '/')) { | 136 | EUID_ROOT(); |
136 | EUID_USER(); | ||
137 | userprivs = 1; | ||
138 | } | ||
139 | 137 | ||
140 | // create path of the mount target | 138 | // create path of the mount target |
141 | int fd2 = whitelist_mkpath(path, 0755); | 139 | int fd2 = whitelist_mkpath(path, 0755); |
@@ -146,8 +144,7 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) { | |||
146 | if (arg_debug || arg_debug_whitelists) | 144 | if (arg_debug || arg_debug_whitelists) |
147 | printf("Debug %d: skip whitelist %s\n", __LINE__, path); | 145 | printf("Debug %d: skip whitelist %s\n", __LINE__, path); |
148 | close(fd); | 146 | close(fd); |
149 | if (userprivs) | 147 | EUID_USER(); |
150 | EUID_ROOT(); | ||
151 | return; | 148 | return; |
152 | } | 149 | } |
153 | 150 | ||
@@ -166,8 +163,7 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) { | |||
166 | } | 163 | } |
167 | close(fd); | 164 | close(fd); |
168 | close(fd2); | 165 | close(fd2); |
169 | if (userprivs) | 166 | EUID_USER(); |
170 | EUID_ROOT(); | ||
171 | return; | 167 | return; |
172 | } | 168 | } |
173 | fd3 = openat(fd2, file, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); | 169 | fd3 = openat(fd2, file, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); |
@@ -184,19 +180,17 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) { | |||
184 | } | 180 | } |
185 | close(fd); | 181 | close(fd); |
186 | close(fd2); | 182 | close(fd2); |
187 | if (userprivs) | 183 | EUID_USER(); |
188 | EUID_ROOT(); | ||
189 | return; | 184 | return; |
190 | } | 185 | } |
191 | |||
192 | close(fd2); | 186 | close(fd2); |
193 | if (userprivs) | ||
194 | EUID_ROOT(); | ||
195 | 187 | ||
196 | if (arg_debug || arg_debug_whitelists) | 188 | if (arg_debug || arg_debug_whitelists) |
197 | printf("Whitelisting %s\n", path); | 189 | printf("Whitelisting %s\n", path); |
190 | EUID_ROOT(); | ||
198 | if (bind_mount_by_fd(fd, fd3)) | 191 | if (bind_mount_by_fd(fd, fd3)) |
199 | errExit("mount bind"); | 192 | errExit("mount bind"); |
193 | EUID_USER(); | ||
200 | // check the last mount operation | 194 | // check the last mount operation |
201 | MountData *mptr = get_last_mount(); // will do exit(1) if the mount cannot be found | 195 | MountData *mptr = get_last_mount(); // will do exit(1) if the mount cannot be found |
202 | #ifdef TEST_MOUNTINFO | 196 | #ifdef TEST_MOUNTINFO |
@@ -219,22 +213,19 @@ static void whitelist_file(int dirfd, const char *relpath, const char *path) { | |||
219 | } | 213 | } |
220 | 214 | ||
221 | static void whitelist_symlink(const char *link, const char *target) { | 215 | static void whitelist_symlink(const char *link, const char *target) { |
216 | EUID_ASSERT(); | ||
222 | assert(link && target); | 217 | assert(link && target); |
223 | 218 | ||
224 | // create files as root, except if inside home or run/user/$UID directory | 219 | // create files as root, except if inside home or run/user/$UID directory |
225 | int userprivs = 0; | 220 | if ((strncmp(link, cfg.homedir, homedir_len) != 0 || link[homedir_len] != '/') && |
226 | if ((strncmp(link, cfg.homedir, homedir_len) == 0 && link[homedir_len] == '/') || | 221 | (strncmp(link, runuser, runuser_len) != 0 || link[runuser_len] != '/')) |
227 | (strncmp(link, runuser, runuser_len) == 0 && link[runuser_len] == '/')) { | 222 | EUID_ROOT(); |
228 | EUID_USER(); | ||
229 | userprivs = 1; | ||
230 | } | ||
231 | 223 | ||
232 | int fd = whitelist_mkpath(link, 0755); | 224 | int fd = whitelist_mkpath(link, 0755); |
233 | if (fd == -1) { | 225 | if (fd == -1) { |
234 | if (arg_debug || arg_debug_whitelists) | 226 | if (arg_debug || arg_debug_whitelists) |
235 | printf("Debug %d: cannot create symbolic link %s\n", __LINE__, link); | 227 | printf("Debug %d: cannot create symbolic link %s\n", __LINE__, link); |
236 | if (userprivs) | 228 | EUID_USER(); |
237 | EUID_ROOT(); | ||
238 | return; | 229 | return; |
239 | } | 230 | } |
240 | 231 | ||
@@ -252,8 +243,7 @@ static void whitelist_symlink(const char *link, const char *target) { | |||
252 | printf("Created symbolic link %s -> %s\n", link, target); | 243 | printf("Created symbolic link %s -> %s\n", link, target); |
253 | 244 | ||
254 | close(fd); | 245 | close(fd); |
255 | if (userprivs) | 246 | EUID_USER(); |
256 | EUID_ROOT(); | ||
257 | } | 247 | } |
258 | 248 | ||
259 | static void globbing(const char *pattern) { | 249 | static void globbing(const char *pattern) { |
@@ -330,10 +320,11 @@ static void tmpfs_topdirs(const TopDir *topdirs) { | |||
330 | // init tmpfs | 320 | // init tmpfs |
331 | if (strcmp(topdirs[i].path, "/run") == 0) { | 321 | if (strcmp(topdirs[i].path, "/run") == 0) { |
332 | // restore /run/firejail directory | 322 | // restore /run/firejail directory |
333 | if (mkdir(RUN_FIREJAIL_DIR, 0755) == -1) | 323 | EUID_ROOT(); |
334 | errExit("mkdir"); | 324 | mkdir_attr(RUN_FIREJAIL_DIR, 0755, 0, 0); |
335 | if (bind_mount_fd_to_path(fd, RUN_FIREJAIL_DIR)) | 325 | if (bind_mount_fd_to_path(fd, RUN_FIREJAIL_DIR)) |
336 | errExit("mount bind"); | 326 | errExit("mount bind"); |
327 | EUID_USER(); | ||
337 | close(fd); | 328 | close(fd); |
338 | fs_logger2("whitelist", RUN_FIREJAIL_DIR); | 329 | fs_logger2("whitelist", RUN_FIREJAIL_DIR); |
339 | 330 | ||
@@ -351,12 +342,14 @@ static void tmpfs_topdirs(const TopDir *topdirs) { | |||
351 | errExit("asprintf"); | 342 | errExit("asprintf"); |
352 | if (strcmp(env, pamtmpdir) == 0) { | 343 | if (strcmp(env, pamtmpdir) == 0) { |
353 | // create empty user-owned /tmp/user/$UID directory | 344 | // create empty user-owned /tmp/user/$UID directory |
345 | EUID_ROOT(); | ||
354 | mkdir_attr("/tmp/user", 0711, 0, 0); | 346 | mkdir_attr("/tmp/user", 0711, 0, 0); |
355 | selinux_relabel_path("/tmp/user", "/tmp/user"); | 347 | selinux_relabel_path("/tmp/user", "/tmp/user"); |
356 | fs_logger("mkdir /tmp/user"); | 348 | fs_logger("mkdir /tmp/user"); |
357 | mkdir_attr(pamtmpdir, 0700, getuid(), 0); | 349 | mkdir_attr(pamtmpdir, 0700, getuid(), 0); |
358 | selinux_relabel_path(pamtmpdir, pamtmpdir); | 350 | selinux_relabel_path(pamtmpdir, pamtmpdir); |
359 | fs_logger2("mkdir", pamtmpdir); | 351 | fs_logger2("mkdir", pamtmpdir); |
352 | EUID_USER(); | ||
360 | } | 353 | } |
361 | free(pamtmpdir); | 354 | free(pamtmpdir); |
362 | } | 355 | } |
@@ -374,11 +367,8 @@ static void tmpfs_topdirs(const TopDir *topdirs) { | |||
374 | } | 367 | } |
375 | 368 | ||
376 | // user home directory | 369 | // user home directory |
377 | if (tmpfs_home) { | 370 | if (tmpfs_home) |
378 | EUID_USER(); | ||
379 | fs_private(); // checks owner if outside /home | 371 | fs_private(); // checks owner if outside /home |
380 | EUID_ROOT(); | ||
381 | } | ||
382 | 372 | ||
383 | // /run/user/$UID directory | 373 | // /run/user/$UID directory |
384 | if (tmpfs_runuser) { | 374 | if (tmpfs_runuser) { |
@@ -402,6 +392,7 @@ static int reject_topdir(const char *dir) { | |||
402 | // keep track of whitelist top level directories by adding them to an array | 392 | // keep track of whitelist top level directories by adding them to an array |
403 | // open each directory | 393 | // open each directory |
404 | static TopDir *add_topdir(const char *dir, TopDir *topdirs, const char *path) { | 394 | static TopDir *add_topdir(const char *dir, TopDir *topdirs, const char *path) { |
395 | EUID_ASSERT(); | ||
405 | assert(dir && path); | 396 | assert(dir && path); |
406 | 397 | ||
407 | // /proc and /sys are not allowed | 398 | // /proc and /sys are not allowed |
@@ -516,6 +507,8 @@ static char *extract_topdir(const char *path) { | |||
516 | } | 507 | } |
517 | 508 | ||
518 | void fs_whitelist(void) { | 509 | void fs_whitelist(void) { |
510 | EUID_ASSERT(); | ||
511 | |||
519 | ProfileEntry *entry = cfg.profile; | 512 | ProfileEntry *entry = cfg.profile; |
520 | if (!entry) | 513 | if (!entry) |
521 | return; | 514 | return; |
@@ -536,7 +529,6 @@ void fs_whitelist(void) { | |||
536 | errExit("calloc"); | 529 | errExit("calloc"); |
537 | 530 | ||
538 | // verify whitelist files, extract symbolic links, etc. | 531 | // verify whitelist files, extract symbolic links, etc. |
539 | EUID_USER(); | ||
540 | while (entry) { | 532 | while (entry) { |
541 | int nowhitelist_flag = 0; | 533 | int nowhitelist_flag = 0; |
542 | 534 | ||
@@ -630,7 +622,7 @@ void fs_whitelist(void) { | |||
630 | if (!fname) { | 622 | if (!fname) { |
631 | if (arg_debug || arg_debug_whitelists) { | 623 | if (arg_debug || arg_debug_whitelists) { |
632 | printf("Removed path: %s\n", entry->data); | 624 | printf("Removed path: %s\n", entry->data); |
633 | printf("\texpanded: %s\n", new_name); | 625 | printf("\tnew_name: %s\n", new_name); |
634 | printf("\trealpath: (null)\n"); | 626 | printf("\trealpath: (null)\n"); |
635 | printf("\t%s\n", strerror(errno)); | 627 | printf("\t%s\n", strerror(errno)); |
636 | } | 628 | } |
@@ -712,7 +704,6 @@ void fs_whitelist(void) { | |||
712 | free(nowhitelist); | 704 | free(nowhitelist); |
713 | 705 | ||
714 | // mount tmpfs on all top level directories | 706 | // mount tmpfs on all top level directories |
715 | EUID_ROOT(); | ||
716 | tmpfs_topdirs(topdirs); | 707 | tmpfs_topdirs(topdirs); |
717 | 708 | ||
718 | // go through profile rules again, and interpret whitelist commands | 709 | // go through profile rules again, and interpret whitelist commands |