mount id: drop effective user id assertions

as functions operate on a file descriptor it should be safe to remove them; this sets the stage for improvements to the whitelist code
author: smitsohu <smitsohu@gmail.com> 2022-02-25 19:49:55 +0100
committer: smitsohu <smitsohu@gmail.com> 2022-02-25 19:49:55 +0100
commit: 6dfab9e2bec367a77feeac321daf3a40e34dbc67 (patch)
tree: 9d719598e13cc4dbbdcfec8c9c60fab418ac6be3 /src/firejail/mountinfo.c
parent: fix mupdf redirect profiles (#4977) (diff)
download: firejail-6dfab9e2bec367a77feeac321daf3a40e34dbc67.tar.gz
firejail-6dfab9e2bec367a77feeac321daf3a40e34dbc67.tar.zst
firejail-6dfab9e2bec367a77feeac321daf3a40e34dbc67.zip
1 files changed, 20 insertions, 19 deletions
diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c
index 7d30d21d9..56c0bda30 100644
--- a/src/firejail/mountinfo.c
+++ b/src/firejail/mountinfo.c
@@ -146,11 +146,10 @@ MountData *get_last_mount(void) {
 // Returns mount id, or -1 if fd refers to a procfs or sysfs file
 static int get_mount_id_from_handle(int fd) {
-        EUID_ASSERT();
        char *proc;
        if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
                errExit("asprintf");
        struct file_handle *fh = malloc(sizeof *fh);
        if (!fh)
                errExit("malloc");
@@ -172,40 +171,42 @@ static int get_mount_id_from_handle(int fd) {
 // Returns mount id, or -1 on kernels < 3.15
 static int get_mount_id_from_fdinfo(int fd) {
-        EUID_ASSERT();
-        int rv = -1;
        char *proc;
        if (asprintf(&proc, "/proc/self/fdinfo/%d", fd) == -1)
                errExit("asprintf");
-        EUID_ROOT();
+        int called_as_root = 0;
+        if (geteuid() == 0)
+                called_as_root = 1;
+        if (called_as_root == 0)
+                EUID_ROOT();
        FILE *fp = fopen(proc, "re");
-        EUID_USER();
+        if (!fp) {
-        if (!fp)
+                fprintf(stderr, "Error: cannot read proc file\n");
-                goto errexit;
+                exit(1);
+        }
+        if (called_as_root == 0)
+                EUID_USER();
+        int rv = -1;
        char buf[MAX_BUF];
        while (fgets(buf, MAX_BUF, fp)) {
-                if (strncmp(buf, "mnt_id:", 7) == 0) {
+                if (sscanf(buf, "mnt_id: %d", &rv) == 1)
-                        if (sscanf(buf + 7, "%d", &rv) == 1)
                                break;
-                        goto errexit;
-                }
        }
        free(proc);
        fclose(fp);
        return rv;
-errexit:
-        fprintf(stderr, "Error: cannot read proc file\n");
-        exit(1);
 }
 int get_mount_id(int fd) {
-        int rv = get_mount_id_from_fdinfo(fd);
+        int rv = get_mount_id_from_handle(fd);
        if (rv < 0)
-                rv = get_mount_id_from_handle(fd);
+                rv = get_mount_id_from_fdinfo(fd);
        return rv;
 }
author	smitsohu <smitsohu@gmail.com>	2022-02-25 19:49:55 +0100
committer	smitsohu <smitsohu@gmail.com>	2022-02-25 19:49:55 +0100
commit	6dfab9e2bec367a77feeac321daf3a40e34dbc67 (patch)
tree	9d719598e13cc4dbbdcfec8c9c60fab418ac6be3 /src/firejail/mountinfo.c
parent	fix mupdf redirect profiles (#4977) (diff)
download	firejail-6dfab9e2bec367a77feeac321daf3a40e34dbc67.tar.gz firejail-6dfab9e2bec367a77feeac321daf3a40e34dbc67.tar.zst firejail-6dfab9e2bec367a77feeac321daf3a40e34dbc67.zip

diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c index 7d30d21d9..56c0bda30 100644 --- a/src/firejail/mountinfo.c +++ b/src/firejail/mountinfo.c
@@ -146,11 +146,10 @@ MountData *get_last_mount(void) {
146		146
147	// Returns mount id, or -1 if fd refers to a procfs or sysfs file	147	// Returns mount id, or -1 if fd refers to a procfs or sysfs file
148	static int get_mount_id_from_handle(int fd) {	148	static int get_mount_id_from_handle(int fd) {
149	EUID_ASSERT();
150
151	char *proc;	149	char *proc;
152	if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)	150	if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
153	errExit("asprintf");	151	errExit("asprintf");
		152
154	struct file_handle fh = malloc(sizeof fh);	153	struct file_handle fh = malloc(sizeof fh);
155	if (!fh)	154	if (!fh)
156	errExit("malloc");	155	errExit("malloc");
@@ -172,40 +171,42 @@ static int get_mount_id_from_handle(int fd) {
172		171
173	// Returns mount id, or -1 on kernels < 3.15	172	// Returns mount id, or -1 on kernels < 3.15
174	static int get_mount_id_from_fdinfo(int fd) {	173	static int get_mount_id_from_fdinfo(int fd) {
175	EUID_ASSERT();
176	int rv = -1;
177
178	char *proc;	174	char *proc;
179	if (asprintf(&proc, "/proc/self/fdinfo/%d", fd) == -1)	175	if (asprintf(&proc, "/proc/self/fdinfo/%d", fd) == -1)
180	errExit("asprintf");	176	errExit("asprintf");
181	EUID_ROOT();	177
		178	int called_as_root = 0;
		179	if (geteuid() == 0)
		180	called_as_root = 1;
		181
		182	if (called_as_root == 0)
		183	EUID_ROOT();
		184
182	FILE *fp = fopen(proc, "re");	185	FILE *fp = fopen(proc, "re");
183	EUID_USER();	186	if (!fp) {
184	if (!fp)	187	fprintf(stderr, "Error: cannot read proc file\n");
185	goto errexit;	188	exit(1);
		189	}
186		190
		191	if (called_as_root == 0)
		192	EUID_USER();
		193
		194	int rv = -1;
187	char buf[MAX_BUF];	195	char buf[MAX_BUF];
188	while (fgets(buf, MAX_BUF, fp)) {	196	while (fgets(buf, MAX_BUF, fp)) {
189	if (strncmp(buf, "mnt_id:", 7) == 0) {	197	if (sscanf(buf, "mnt_id: %d", &rv) == 1)
190	if (sscanf(buf + 7, "%d", &rv) == 1)
191	break;	198	break;
192	goto errexit;
193	}
194	}	199	}
195		200
196	free(proc);	201	free(proc);
197	fclose(fp);	202	fclose(fp);
198	return rv;	203	return rv;
199
200	errexit:
201	fprintf(stderr, "Error: cannot read proc file\n");
202	exit(1);
203	}	204	}
204		205
205	int get_mount_id(int fd) {	206	int get_mount_id(int fd) {
206	int rv = get_mount_id_from_fdinfo(fd);	207	int rv = get_mount_id_from_handle(fd);
207	if (rv < 0)	208	if (rv < 0)
208	rv = get_mount_id_from_handle(fd);	209	rv = get_mount_id_from_fdinfo(fd);
209	return rv;	210	return rv;
210	}	211	}
211		212