diff options
author | smitsohu <smitsohu@gmail.com> | 2018-08-31 15:21:04 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2018-08-31 15:21:04 +0200 |
commit | 2f5a792944480334f349a43b8f70f2ba681ea582 (patch) | |
tree | bf3cb663eae025442c7505c48b8f7fc4c5f713b6 /src | |
parent | added whois and dig profiles (diff) | |
download | firejail-2f5a792944480334f349a43b8f70f2ba681ea582.tar.gz firejail-2f5a792944480334f349a43b8f70f2ba681ea582.tar.zst firejail-2f5a792944480334f349a43b8f70f2ba681ea582.zip |
reduce number of chown/chmod calls in fs_chroot
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs.c | 27 |
1 files changed, 17 insertions, 10 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index ed0131b1d..bd71a6912 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -1171,7 +1171,7 @@ void fs_check_chroot_dir(const char *rootdir) { | |||
1171 | exit(1); | 1171 | exit(1); |
1172 | } | 1172 | } |
1173 | if ((S_IWOTH & s.st_mode) != 0) { | 1173 | if ((S_IWOTH & s.st_mode) != 0) { |
1174 | fprintf(stderr, "Error: chroot directory is not allowed to be world-writable\n"); | 1174 | fprintf(stderr, "Error: chroot directory should not be world-writable\n"); |
1175 | exit(1); | 1175 | exit(1); |
1176 | } | 1176 | } |
1177 | 1177 | ||
@@ -1239,7 +1239,7 @@ void fs_check_chroot_dir(const char *rootdir) { | |||
1239 | exit(1); | 1239 | exit(1); |
1240 | } | 1240 | } |
1241 | if ((S_IWOTH & s.st_mode) != 0) { | 1241 | if ((S_IWOTH & s.st_mode) != 0) { |
1242 | fprintf(stderr, "Error: chroot /etc is not allowed to be world-writable\n"); | 1242 | fprintf(stderr, "Error: chroot /etc should not be world-writable\n"); |
1243 | exit(1); | 1243 | exit(1); |
1244 | } | 1244 | } |
1245 | free(name); | 1245 | free(name); |
@@ -1331,24 +1331,32 @@ void fs_chroot(const char *rootdir) { | |||
1331 | exit(1); | 1331 | exit(1); |
1332 | } | 1332 | } |
1333 | if ((S_IWOTH & s.st_mode) != 0) { | 1333 | if ((S_IWOTH & s.st_mode) != 0) { |
1334 | fprintf(stderr, "Error: chroot /run is not allowed to be world-writable\n"); | 1334 | fprintf(stderr, "Error: chroot /run should not be world-writable\n"); |
1335 | exit(1); | 1335 | exit(1); |
1336 | } | 1336 | } |
1337 | } | 1337 | } |
1338 | else | 1338 | else { |
1339 | create_empty_dir_as_root(rundir, 0755); | 1339 | // several sandboxes could race to create /run |
1340 | if (mkdir(rundir, 0755) == -1 && errno != EEXIST) | ||
1341 | errExit("mkdir"); | ||
1342 | ASSERT_PERMS(rundir, 0, 0, 0755); | ||
1343 | } | ||
1340 | free(rundir); | 1344 | free(rundir); |
1341 | 1345 | ||
1342 | // create /run/firejail directory in chroot | 1346 | // create /run/firejail directory in chroot |
1343 | if (asprintf(&rundir, "%s/run/firejail", rootdir) == -1) | 1347 | if (asprintf(&rundir, "%s/run/firejail", rootdir) == -1) |
1344 | errExit("asprintf"); | 1348 | errExit("asprintf"); |
1345 | create_empty_dir_as_root(rundir, 0755); | 1349 | if (mkdir(rundir, 0755) == -1 && errno != EEXIST) |
1350 | errExit("mkdir"); | ||
1351 | ASSERT_PERMS(rundir, 0, 0, 0755); | ||
1346 | free(rundir); | 1352 | free(rundir); |
1347 | 1353 | ||
1348 | // create /run/firejail/mnt directory in chroot and mount the current one | 1354 | // create /run/firejail/mnt directory in chroot and mount the current one |
1349 | if (asprintf(&rundir, "%s%s", rootdir, RUN_MNT_DIR) == -1) | 1355 | if (asprintf(&rundir, "%s%s", rootdir, RUN_MNT_DIR) == -1) |
1350 | errExit("asprintf"); | 1356 | errExit("asprintf"); |
1351 | create_empty_dir_as_root(rundir, 0755); | 1357 | if (mkdir(rundir, 0755) == -1 && errno != EEXIST) |
1358 | errExit("mkdir"); | ||
1359 | ASSERT_PERMS(rundir, 0, 0, 0755); | ||
1352 | if (mount(RUN_MNT_DIR, rundir, NULL, MS_BIND|MS_REC, NULL) < 0) | 1360 | if (mount(RUN_MNT_DIR, rundir, NULL, MS_BIND|MS_REC, NULL) < 0) |
1353 | errExit("mount bind"); | 1361 | errExit("mount bind"); |
1354 | free(rundir); | 1362 | free(rundir); |
@@ -1373,7 +1381,8 @@ void fs_chroot(const char *rootdir) { | |||
1373 | if (arg_debug) | 1381 | if (arg_debug) |
1374 | printf("Chrooting into %s\n", rootdir); | 1382 | printf("Chrooting into %s\n", rootdir); |
1375 | char *oroot = RUN_OVERLAY_ROOT; | 1383 | char *oroot = RUN_OVERLAY_ROOT; |
1376 | mkdir_attr(oroot, 0755, 0, 0); | 1384 | if (mkdir(oroot, 0755) == -1) |
1385 | errExit("mkdir"); | ||
1377 | if (mount(rootdir, oroot, NULL, MS_BIND|MS_REC, NULL) < 0) | 1386 | if (mount(rootdir, oroot, NULL, MS_BIND|MS_REC, NULL) < 0) |
1378 | errExit("mounting rootdir oroot"); | 1387 | errExit("mounting rootdir oroot"); |
1379 | if (chroot(oroot) < 0) | 1388 | if (chroot(oroot) < 0) |
@@ -1390,8 +1399,6 @@ void fs_chroot(const char *rootdir) { | |||
1390 | fs_var_tmp(); | 1399 | fs_var_tmp(); |
1391 | if (!arg_writable_var_log) | 1400 | if (!arg_writable_var_log) |
1392 | fs_var_log(); | 1401 | fs_var_log(); |
1393 | else | ||
1394 | fs_rdwr("/var/log"); | ||
1395 | 1402 | ||
1396 | fs_var_lib(); | 1403 | fs_var_lib(); |
1397 | fs_var_cache(); | 1404 | fs_var_cache(); |