diff options
| author |  rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2020-10-23 11:03:46 +0200 |
|---|---|---|
| committer | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2020-10-23 11:03:46 +0200 |
| commit | fb35ad696deb7ab6a6a6be53e9842247b77f3ca3 (patch) | |
| tree | ae618e1a10a3a348243f106f680f1633de350668 /src/firejail/profile.c | |
| parent | Allow --tmpfs inside $HOME for unprivileged users (diff) | |
| download | firejail-fb35ad696deb7ab6a6a6be53e9842247b77f3ca3.tar.gz firejail-fb35ad696deb7ab6a6a6be53e9842247b77f3ca3.tar.zst firejail-fb35ad696deb7ab6a6a6be53e9842247b77f3ca3.zip | |
Likewise allow --bind inside $HOME for users
Diffstat (limited to 'src/firejail/profile.c')
| -rw-r--r-- | src/firejail/profile.c | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 8ed187b20..869183e2f 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
| @@ -1412,11 +1412,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
| 1412 | // filesystem bind | 1412 | // filesystem bind |
| 1413 | if (strncmp(ptr, "bind ", 5) == 0) { | 1413 | if (strncmp(ptr, "bind ", 5) == 0) { |
| 1414 | if (checkcfg(CFG_BIND)) { | 1414 | if (checkcfg(CFG_BIND)) { |
| 1415 | if (getuid() != 0) { | ||
| 1416 | fprintf(stderr, "Error: --bind option is available only if running as root\n"); | ||
| 1417 | exit(1); | ||
| 1418 | } | ||
| 1419 | |||
| 1420 | // extract two directories | 1415 | // extract two directories |
| 1421 | char *dname1 = ptr + 5; | 1416 | char *dname1 = ptr + 5; |
| 1422 | char *dname2 = split_comma(dname1); // this inserts a '0 to separate the two dierctories | 1417 | char *dname2 = split_comma(dname1); // this inserts a '0 to separate the two dierctories |
| @@ -1432,6 +1427,18 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
| 1432 | fprintf(stderr, "Error: invalid file name.\n"); | 1427 | fprintf(stderr, "Error: invalid file name.\n"); |
| 1433 | exit(1); | 1428 | exit(1); |
| 1434 | } | 1429 | } |
| 1430 | if (getuid() != 0) { | ||
| 1431 | char *resolved_path1 = realpath(dname1, NULL); | ||
| 1432 | char *resolved_path2 = realpath(dname2, NULL); | ||
| 1433 | assert(resolved_path1 && resolved_path2); | ||
| 1434 | if (strncmp(cfg.homedir, resolved_path1, strlen(cfg.homedir)) != 0 | ||
| 1435 | || strncmp(cfg.homedir, resolved_path2, strlen(cfg.homedir)) != 0) { | ||
| 1436 | fprintf(stderr, "Error: bind outside $HOME is only available for root\n"); | ||
| 1437 | exit(1); | ||
| 1438 | } | ||
| 1439 | free(resolved_path1); | ||
| 1440 | free(resolved_path2); | ||
| 1441 | } | ||
| 1435 | if (is_link(dname1) || is_link(dname2)) { | 1442 | if (is_link(dname1) || is_link(dname2)) { |
| 1436 | fprintf(stderr, "Symbolic links are not allowed for bind command\n"); | 1443 | fprintf(stderr, "Symbolic links are not allowed for bind command\n"); |
| 1437 | exit(1); | 1444 | exit(1); |