authorLibravatar smitsohu <smitsohu@gmail.com>2019-02-23 18:35:41 +0100
committerLibravatar smitsohu <smitsohu@gmail.com>2019-02-23 18:37:23 +0100
commit94b8f2cd3bf5237e78f33757332deb56580eed04 (patch)
tree2a1e8d6ef5b2970b845c82b8a7e00872a32f6f83 /src
parentmisc cleanup (diff)
add whitelist support for /run/user/$uid
plus some minor cleanup (MS_REC has no effect with tmpfs mounts)
Diffstat (limited to 'src')
-rw-r--r--src/firejail/firejail.h2
-rw-r--r--src/firejail/fs_whitelist.c112
2 files changed, 86 insertions, 28 deletions
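--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -78,6 +78,7 @@
 #define RUN_WHITELIST_HOME_DIR "/run/firejail/mnt/orig-home" // default home directory masking
 #define RUN_WHITELIST_RUN_DIR "/run/firejail/mnt/orig-run" // default run directory masking
 #define RUN_WHITELIST_HOME_USER_DIR "/run/firejail/mnt/orig-home-user" // home directory whitelisting
+#define RUN_WHITELIST_RUN_USER_DIR "/run/firejail/mnt/orig-run-user" // run directory whitelisting
 #define RUN_WHITELIST_TMP_DIR "/run/firejail/mnt/orig-tmp"
 #define RUN_WHITELIST_MEDIA_DIR "/run/firejail/mnt/orig-media"
 #define RUN_WHITELIST_MNT_DIR "/run/firejail/mnt/orig-mnt"
@@ -211,6 +212,7 @@ typedef struct profile_entry_t {
 	unsigned etc_dir:1; // whitelist in /etc directory
 	unsigned share_dir:1; // whitelist in /usr/share directory
 	unsigned module_dir:1; // whitelist in /sys/module directory
+	unsigned run_dir:1; // whitelist in /run/user/$uid directory
 }ProfileEntry;
 
 typedef struct config_t {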
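--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -34,17 +34,19 @@
 
 #define EMPTY_STRING ("")
 static size_t homedir_len; // cache length of homedir string
+static size_t runuser_len; // cache length of runuser string
+static char *runuser;
 
 
 static int mkpath(const char* path, mode_t mode) {
 	assert(path && *path);
 	mode |= 0111;
 
-	// create directories with uid/gid as root or as current user if inside home directory
-	int userhome = 0;
-	if (strncmp(path, cfg.homedir, homedir_len) == 0) {
+	// create directories with uid/gid as root or as current user if inside home or run directory
+	int userprivs = 0;
+	if (strncmp(path, cfg.homedir, homedir_len) == 0 || strncmp(path, runuser, runuser_len) == 0) {
 		EUID_USER();
-		userhome = 1;
+		userprivs = 1;
 	}
 
 	// work on a copy of the path
@@ -74,7 +76,7 @@ static int mkpath(const char* path, mode_t mode) {
 			perror("mkdir");
 			close(parentfd);
 			free(dup);
-			if (userhome) {
+			if (userprivs) {
 				EUID_ROOT();
 			}
 			return -1;
@@ -89,7 +91,7 @@ static int mkpath(const char* path, mode_t mode) {
 			perror("open");
 			close(parentfd);
 			free(dup);
-			if (userhome) {
+			if (userprivs) {
 				EUID_ROOT();
 			}
 			return -1;
@@ -104,7 +106,7 @@ static int mkpath(const char* path, mode_t mode) {
 	fs_logger2("mkpath", path);
 
 	free(dup);
-	if (userhome) {
+	if (userprivs) {
 		EUID_ROOT();
 	}
 	return fd;
@@ -199,6 +201,12 @@ static void whitelist_path(ProfileEntry *entry) {
 		if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MODULE_DIR, fname) == -1)
 			errExit("asprintf");
 	}
+	else if (entry->run_dir) {
+		fname = path + runuser_len + 1; // strlen("/run/user/$uid/")
+
+		if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_RUN_USER_DIR, fname) == -1)
+			errExit("asprintf");
+	}
 	assert(wfile);
 
 	if (arg_debug || arg_debug_whitelists)
@@ -325,7 +333,11 @@ void fs_whitelist(void) {
 	if (!entry)
 		return;
 
+	if (asprintf(&runuser, "/run/user/%u", getuid()) == -1)
+		errExit("asprintf");
+	runuser_len = strlen(runuser);
 	homedir_len = strlen(cfg.homedir);
+
 	char *new_name = NULL;
 	int home_dir = 0; // /home/user directory flag
 	int tmp_dir = 0; // /tmp directory flag
@@ -338,6 +350,7 @@ void fs_whitelist(void) {
 	int etc_dir = 0; // /etc directory flag
 	int share_dir = 0; // /usr/share directory flag
 	int module_dir = 0; // /sys/module directory flag
+	int run_dir = 0; // /run/user/$uid directory flag
 
 	size_t nowhitelist_c = 0;
 	size_t nowhitelist_m = 32;
@@ -449,6 +462,8 @@ void fs_whitelist(void) {
 				share_dir = 1;
 			else if (strncmp(new_name, "/sys/module/", 12) == 0)
 				module_dir = 1;
+			else if (strncmp(new_name, runuser, runuser_len) == 0 && new_name[runuser_len] == '/')
+				run_dir = 1;
 		}
 
 		entry->data = EMPTY_STRING;
@@ -624,6 +639,15 @@ void fs_whitelist(void) {
 				goto errexit;
 			}
 		}
+		else if (strncmp(new_name, runuser, runuser_len) == 0 && new_name[runuser_len] == '/') {
+			entry->run_dir = 1;
+			run_dir = 1;
+			// both path and absolute path are under /run/user/$uid
+			if (strncmp(fname, runuser, runuser_len) != 0 || fname[runuser_len] != '/') {
+				free(fname);
+				goto errexit;
+			}
+		}
 		else {
 			free(fname);
 			goto errexit;
@@ -704,7 +728,7 @@ void fs_whitelist(void) {
 		// mount tmpfs on /tmp
 		if (arg_debug || arg_debug_whitelists)
 			printf("Mounting tmpfs on /tmp directory\n");
-		if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
+		if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=1777,gid=0") < 0)
 			errExit("mounting tmpfs on /tmp");
 		fs_logger("tmpfs /tmp");
 	}
@@ -721,7 +745,7 @@ void fs_whitelist(void) {
 		// mount tmpfs on /media
 		if (arg_debug || arg_debug_whitelists)
 			printf("Mounting tmpfs on /media directory\n");
-		if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 			errExit("mounting tmpfs on /media");
 		fs_logger("tmpfs /media");
 	}
@@ -741,7 +765,7 @@ void fs_whitelist(void) {
 		// mount tmpfs on /mnt
 		if (arg_debug || arg_debug_whitelists)
 			printf("Mounting tmpfs on /mnt directory\n");
-		if (mount("tmpfs", "/mnt", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		if (mount("tmpfs", "/mnt", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 			errExit("mounting tmpfs on /mnt");
 		fs_logger("tmpfs /mnt");
 	}
@@ -760,7 +784,7 @@ void fs_whitelist(void) {
 		// mount tmpfs on /var
 		if (arg_debug || arg_debug_whitelists)
 			printf("Mounting tmpfs on /var directory\n");
-		if (mount("tmpfs", "/var", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		if (mount("tmpfs", "/var", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 			errExit("mounting tmpfs on /var");
 		fs_logger("tmpfs /var");
 	}
@@ -775,7 +799,7 @@ void fs_whitelist(void) {
 		// mount tmpfs on /dev
 		if (arg_debug || arg_debug_whitelists)
 			printf("Mounting tmpfs on /dev directory\n");
-		if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 			errExit("mounting tmpfs on /dev");
 		fs_logger("tmpfs /dev");
 	}
@@ -792,7 +816,7 @@ void fs_whitelist(void) {
 		// mount tmpfs on /opt
 		if (arg_debug || arg_debug_whitelists)
 			printf("Mounting tmpfs on /opt directory\n");
-		if (mount("tmpfs", "/opt", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		if (mount("tmpfs", "/opt", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 			errExit("mounting tmpfs on /opt");
 		fs_logger("tmpfs /opt");
 	}
@@ -812,7 +836,7 @@ void fs_whitelist(void) {
 		// mount tmpfs on /srv
 		if (arg_debug || arg_debug_whitelists)
 			printf("Mounting tmpfs on /srv directory\n");
-		if (mount("tmpfs", "/srv", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		if (mount("tmpfs", "/srv", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 			errExit("mounting tmpfs on /srv");
 		fs_logger("tmpfs /srv");
 	}
@@ -832,7 +856,7 @@ void fs_whitelist(void) {
 		// mount tmpfs on /srv
 		if (arg_debug || arg_debug_whitelists)
 			printf("Mounting tmpfs on /etc directory\n");
-		if (mount("tmpfs", "/etc", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		if (mount("tmpfs", "/etc", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 			errExit("mounting tmpfs on /etc");
 		fs_logger("tmpfs /etc");
 	}
@@ -852,7 +876,7 @@ void fs_whitelist(void) {
 		// mount tmpfs on /srv
 		if (arg_debug || arg_debug_whitelists)
 			printf("Mounting tmpfs on /usr/share directory\n");
-		if (mount("tmpfs", "/usr/share", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		if (mount("tmpfs", "/usr/share", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 			errExit("mounting tmpfs on /usr/share");
 		fs_logger("tmpfs /usr/share");
 	}
@@ -872,7 +896,7 @@ void fs_whitelist(void) {
 		// mount tmpfs on /sys/module
 		if (arg_debug || arg_debug_whitelists)
 			printf("Mounting tmpfs on /sys/module directory\n");
-		if (mount("tmpfs", "/sys/module", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		if (mount("tmpfs", "/sys/module", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 			errExit("mounting tmpfs on /sys/module");
 		fs_logger("tmpfs /sys/module");
 	}
@@ -880,6 +904,30 @@ void fs_whitelist(void) {
 		module_dir = 0;
 	}
 
+	// /run/user mountpoint
+	if (run_dir) {
+		// check if /run/user/$uid directory exists
+		if (stat(runuser, &s) == 0) {
+			// keep a copy of real /run/user/$uid directory in RUN_WHITELIST_RUN_USER_DIR
+			mkdir_attr(RUN_WHITELIST_RUN_USER_DIR, 0700, getuid(), getgid());
+			if (mount(runuser, RUN_WHITELIST_RUN_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
+				errExit("mount bind");
+
+			// mount tmpfs on /run/user/$uid
+			if (arg_debug || arg_debug_whitelists)
+				printf("Mounting tmpfs on %s directory\n", runuser);
+			char *options;
+			if (asprintf(&options, "mode=700,uid=%u,gid=%u", getuid(), getgid()) == -1)
+				errExit("asprintf");
+			if (mount("tmpfs", runuser, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, options) < 0)
+				errExit("mounting tmpfs on /run/user/<uid>");
+			free(options);
+			fs_logger2("tmpfs", runuser);
+		}
+		else
+			run_dir = 0;
+	}
+
 
 	// go through profile rules again, and interpret whitelist commands
 	entry = cfg.profile;
@@ -931,81 +979,89 @@ void fs_whitelist(void) {
 
 	// mask the real home directory, currently mounted on RUN_WHITELIST_HOME_DIR
 	if (home_dir) {
-		if (mount("tmpfs", RUN_WHITELIST_HOME_USER_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		if (mount("tmpfs", RUN_WHITELIST_HOME_USER_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 			errExit("mount tmpfs");
 		fs_logger2("tmpfs", RUN_WHITELIST_HOME_USER_DIR);
 	}
 
 	// mask the real /tmp directory, currently mounted on RUN_WHITELIST_TMP_DIR
 	if (tmp_dir) {
-		if (mount("tmpfs", RUN_WHITELIST_TMP_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		if (mount("tmpfs", RUN_WHITELIST_TMP_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 			errExit("mount tmpfs");
 		fs_logger2("tmpfs", RUN_WHITELIST_TMP_DIR);
 	}
 
 	// mask the real /var directory, currently mounted on RUN_WHITELIST_VAR_DIR
 	if (var_dir) {
-		if (mount("tmpfs", RUN_WHITELIST_VAR_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		if (mount("tmpfs", RUN_WHITELIST_VAR_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 			errExit("mount tmpfs");
 		fs_logger2("tmpfs", RUN_WHITELIST_VAR_DIR);
 	}
 
 	// mask the real /opt directory, currently mounted on RUN_WHITELIST_OPT_DIR
 	if (opt_dir) {
-		if (mount("tmpfs", RUN_WHITELIST_OPT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		if (mount("tmpfs", RUN_WHITELIST_OPT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 			errExit("mount tmpfs");
 		fs_logger2("tmpfs", RUN_WHITELIST_OPT_DIR);
 	}
 
 	// mask the real /dev directory, currently mounted on RUN_WHITELIST_DEV_DIR
 	if (dev_dir) {
-		if (mount("tmpfs", RUN_WHITELIST_DEV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		if (mount("tmpfs", RUN_WHITELIST_DEV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 			errExit("mount tmpfs");
 		fs_logger2("tmpfs", RUN_WHITELIST_DEV_DIR);
 	}
 
 	// mask the real /media directory, currently mounted on RUN_WHITELIST_MEDIA_DIR
 	if (media_dir) {
-		if (mount("tmpfs", RUN_WHITELIST_MEDIA_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		if (mount("tmpfs", RUN_WHITELIST_MEDIA_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 			errExit("mount tmpfs");
 		fs_logger2("tmpfs", RUN_WHITELIST_MEDIA_DIR);
 	}
 
 	// mask the real /mnt directory, currently mounted on RUN_WHITELIST_MNT_DIR
 	if (mnt_dir) {
-		if (mount("tmpfs", RUN_WHITELIST_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		if (mount("tmpfs", RUN_WHITELIST_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 			errExit("mount tmpfs");
 		fs_logger2("tmpfs", RUN_WHITELIST_MNT_DIR);
 	}
 
 	// mask the real /srv directory, currently mounted on RUN_WHITELIST_SRV_DIR
 	if (srv_dir) {
-		if (mount("tmpfs", RUN_WHITELIST_SRV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		if (mount("tmpfs", RUN_WHITELIST_SRV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 			errExit("mount tmpfs");
 		fs_logger2("tmpfs", RUN_WHITELIST_SRV_DIR);
 	}
 
 	// mask the real /etc directory, currently mounted on RUN_WHITELIST_ETC_DIR
 	if (etc_dir) {
-		if (mount("tmpfs", RUN_WHITELIST_ETC_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		if (mount("tmpfs", RUN_WHITELIST_ETC_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 			errExit("mount tmpfs");
 		fs_logger2("tmpfs", RUN_WHITELIST_ETC_DIR);
 	}
 
 	// mask the real /usr/share directory, currently mounted on RUN_WHITELIST_SHARE_DIR
 	if (share_dir) {
-		if (mount("tmpfs", RUN_WHITELIST_SHARE_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		if (mount("tmpfs", RUN_WHITELIST_SHARE_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 			errExit("mount tmpfs");
 		fs_logger2("tmpfs", RUN_WHITELIST_SHARE_DIR);
 	}
 
 	// mask the real /sys/module directory, currently mounted on RUN_WHITELIST_MODULE_DIR
 	if (module_dir) {
-		if (mount("tmpfs", RUN_WHITELIST_MODULE_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		if (mount("tmpfs", RUN_WHITELIST_MODULE_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 			errExit("mount tmpfs");
 		fs_logger2("tmpfs", RUN_WHITELIST_MODULE_DIR);
 	}
 
+	// mask the real /run/user/$uid directory, currently mounted on RUN_WHITELIST_MODULE_DIR
+	if (run_dir) {
+		if (mount("tmpfs", RUN_WHITELIST_RUN_USER_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
+			errExit("mount tmpfs");
+		fs_logger2("tmpfs", RUN_WHITELIST_RUN_USER_DIR);
+	}
+
+	free(runuser);
 	return;
 
 errexit: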
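Review bot: In mkpath the new run-directory test `strncmp(path, runuser, runuser_len) == 0` accepts any path that merely starts with the /run/user/&lt;uid&gt; string, while both detection sites in fs_whitelist additionally require `new_name[runuser_len] == '/'`, so the privilege-drop decision in mkpath is looser than the classification that feeds it; whether a path such as /run/user/&lt;uid&gt;&lt;extra-digits&gt;/... can actually reach mkpath depends on callers outside these hunks, but tightening the guard to `strncmp(path, runuser, runuser_len) == 0 && path[runuser_len] == '/'` keeps the two checks in agreement (the adjacent homedir test has the same prefix-only shape, but predates this change). The comment added before the last masking block says "currently mounted on RUN_WHITELIST_MODULE_DIR" although the code underneath masks RUN_WHITELIST_RUN_USER_DIR; it should read `// mask the real /run/user/$uid directory, currently mounted on RUN_WHITELIST_RUN_USER_DIR`. Since runuser is a file-scope pointer that mkpath and whitelist_path also read, `free(runuser); runuser = NULL;` before the final return would make a later use fail loudly rather than read freed memory. Both mkpath and fs_whitelist start and end outside the hunks shown.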