clean /run/user directory

author: smitsohu <smitsohu@gmail.com> 2018-10-07 03:03:15 +0200
committer: smitsohu <smitsohu@gmail.com> 2018-10-07 03:03:15 +0200
commit: 8073b14dddbb76f64ab5262b537847fd70018799 (patch)
tree: d883e0e8a656df1651f0e8ecff328b6ec792260e /src/firejail/restrict_users.c
parent: Merge pull request #2141 from crass/fix-appimage-hdr-calc (diff)
download: firejail-8073b14dddbb76f64ab5262b537847fd70018799.tar.gz
firejail-8073b14dddbb76f64ab5262b537847fd70018799.tar.zst
firejail-8073b14dddbb76f64ab5262b537847fd70018799.zip
1 files changed, 51 insertions, 0 deletions
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index fa672eccb..4ffec4c7f 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -113,6 +113,56 @@ static void sanitize_home(void) {
 }
+static void sanitize_run(void) {
+        if (arg_debug)
+                printf("Cleaning /run/user directory\n");
+        char *runuser;
+        if (asprintf(&runuser, "/run/user/%u", getuid()) == -1)
+                errExit("asprintf");
+        struct stat s;
+        if (stat(runuser, &s) == -1) {
+                // cannot find /user/run/$UID directory, just return
+                if (arg_debug)
+                        printf("Cannot find %s directory\n", runuser);
+                free(runuser);
+                return;
+        }
+        if (mkdir(RUN_WHITELIST_RUN_DIR, 0755) == -1)
+                errExit("mkdir");
+        // keep a copy of the /run/user/$UID directory
+        if (mount(runuser, RUN_WHITELIST_RUN_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
+                errExit("mount bind");
+        // mount tmpfs on /run/user
+        if (mount("tmpfs", "/run/user", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                errExit("mount tmpfs");
+        fs_logger("tmpfs /run/user");
+        // create new user directory
+        if (mkdir(runuser, 0700) == -1)
+                errExit("mkdir");
+        fs_logger2("mkdir", runuser);
+        // set mode and ownership
+        if (set_perms(runuser, getuid(), getgid(), 0700))
+                errExit("set_perms");
+        // mount user home directory
+        if (mount(RUN_WHITELIST_RUN_DIR, runuser, NULL, MS_BIND|MS_REC, NULL) < 0)
+                errExit("mount bind");
+        // mask mirrored /run/user/$UID directory
+        if (mount("tmpfs", RUN_WHITELIST_RUN_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                errExit("mount tmpfs");
+        fs_logger2("tmpfs", RUN_WHITELIST_RUN_DIR);
+        free(runuser);
+}
 static void sanitize_passwd(void) {
        struct stat s;
        if (stat("/etc/passwd", &s) == -1)
@@ -352,6 +402,7 @@ void restrict_users(void) {
                                errExit("mount tmpfs");
                        fs_logger("tmpfs /home");
                }
+                sanitize_run();
                sanitize_passwd();
                sanitize_group();
        }
author	smitsohu <smitsohu@gmail.com>	2018-10-07 03:03:15 +0200
committer	smitsohu <smitsohu@gmail.com>	2018-10-07 03:03:15 +0200
commit	8073b14dddbb76f64ab5262b537847fd70018799 (patch)
tree	d883e0e8a656df1651f0e8ecff328b6ec792260e /src/firejail/restrict_users.c
parent	Merge pull request #2141 from crass/fix-appimage-hdr-calc (diff)
download	firejail-8073b14dddbb76f64ab5262b537847fd70018799.tar.gz firejail-8073b14dddbb76f64ab5262b537847fd70018799.tar.zst firejail-8073b14dddbb76f64ab5262b537847fd70018799.zip

diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index fa672eccb..4ffec4c7f 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c
@@ -113,6 +113,56 @@ static void sanitize_home(void) {
113		113
114	}	114	}
115		115
		116	static void sanitize_run(void) {
		117	if (arg_debug)
		118	printf("Cleaning /run/user directory\n");
		119
		120	char *runuser;
		121	if (asprintf(&runuser, "/run/user/%u", getuid()) == -1)
		122	errExit("asprintf");
		123
		124	struct stat s;
		125	if (stat(runuser, &s) == -1) {
		126	// cannot find /user/run/$UID directory, just return
		127	if (arg_debug)
		128	printf("Cannot find %s directory\n", runuser);
		129	free(runuser);
		130	return;
		131	}
		132
		133	if (mkdir(RUN_WHITELIST_RUN_DIR, 0755) == -1)
		134	errExit("mkdir");
		135
		136	// keep a copy of the /run/user/$UID directory
		137	if (mount(runuser, RUN_WHITELIST_RUN_DIR, NULL, MS_BIND\|MS_REC, NULL) < 0)
		138	errExit("mount bind");
		139
		140	// mount tmpfs on /run/user
		141	if (mount("tmpfs", "/run/user", "tmpfs", MS_NOSUID \| MS_NODEV \| MS_STRICTATIME \| MS_REC, "mode=755,gid=0") < 0)
		142	errExit("mount tmpfs");
		143	fs_logger("tmpfs /run/user");
		144
		145	// create new user directory
		146	if (mkdir(runuser, 0700) == -1)
		147	errExit("mkdir");
		148	fs_logger2("mkdir", runuser);
		149
		150	// set mode and ownership
		151	if (set_perms(runuser, getuid(), getgid(), 0700))
		152	errExit("set_perms");
		153
		154	// mount user home directory
		155	if (mount(RUN_WHITELIST_RUN_DIR, runuser, NULL, MS_BIND\|MS_REC, NULL) < 0)
		156	errExit("mount bind");
		157
		158	// mask mirrored /run/user/$UID directory
		159	if (mount("tmpfs", RUN_WHITELIST_RUN_DIR, "tmpfs", MS_NOSUID \| MS_NODEV \| MS_STRICTATIME \| MS_REC, "mode=755,gid=0") < 0)
		160	errExit("mount tmpfs");
		161	fs_logger2("tmpfs", RUN_WHITELIST_RUN_DIR);
		162
		163	free(runuser);
		164	}
		165
116	static void sanitize_passwd(void) {	166	static void sanitize_passwd(void) {
117	struct stat s;	167	struct stat s;
118	if (stat("/etc/passwd", &s) == -1)	168	if (stat("/etc/passwd", &s) == -1)
@@ -352,6 +402,7 @@ void restrict_users(void) {
352	errExit("mount tmpfs");	402	errExit("mount tmpfs");
353	fs_logger("tmpfs /home");	403	fs_logger("tmpfs /home");
354	}	404	}
		405	sanitize_run();
355	sanitize_passwd();	406	sanitize_passwd();
356	sanitize_group();	407	sanitize_group();
357	}	408	}