diff options
| author |  netblue30 <netblue30@yahoo.com> | 2017-08-30 11:08:37 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2017-08-30 11:08:37 -0400 |
| commit | 12d64e7151e633f50e86b283c24cf85db7f1db41 (patch) | |
| tree | d41ca03cfc415abf85bf7057258307ee448dd158 /src | |
| parent | fix seccomp secondary filter printing on i386 platform (diff) | |
| download | firejail-12d64e7151e633f50e86b283c24cf85db7f1db41.tar.gz firejail-12d64e7151e633f50e86b283c24cf85db7f1db41.tar.zst firejail-12d64e7151e633f50e86b283c24cf85db7f1db41.zip | |
removed zsh from travis test suite, fixed handling of /dev/shm whitelist for Debian wheezy and Ubuntu 14.04
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/fs_whitelist.c | 19 |
1 files changed, 13 insertions, 6 deletions
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 480df1766..dad8545a0 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
| @@ -368,12 +368,12 @@ void fs_whitelist(void) { | |||
| 368 | // replace ~/ or ${HOME} into /home/username | 368 | // replace ~/ or ${HOME} into /home/username |
| 369 | new_name = expand_home(dataptr, cfg.homedir); | 369 | new_name = expand_home(dataptr, cfg.homedir); |
| 370 | assert(new_name); | 370 | assert(new_name); |
| 371 | if (arg_debug) | 371 | if (arg_debug || arg_debug_whitelists) |
| 372 | fprintf(stderr, "Debug %d: new_name #%s#, %s\n", __LINE__, new_name, (nowhitelist_flag)? "nowhitelist": "whitelist"); | 372 | fprintf(stderr, "Debug %d: new_name #%s#, %s\n", __LINE__, new_name, (nowhitelist_flag)? "nowhitelist": "whitelist"); |
| 373 | 373 | ||
| 374 | // valid path referenced to filesystem root | 374 | // valid path referenced to filesystem root |
| 375 | if (*new_name != '/') { | 375 | if (*new_name != '/') { |
| 376 | if (arg_debug) | 376 | if (arg_debug || arg_debug_whitelists) |
| 377 | fprintf(stderr, "Debug %d: \n", __LINE__); | 377 | fprintf(stderr, "Debug %d: \n", __LINE__); |
| 378 | goto errexit; | 378 | goto errexit; |
| 379 | } | 379 | } |
| @@ -417,6 +417,8 @@ void fs_whitelist(void) { | |||
| 417 | entry->data = EMPTY_STRING; | 417 | entry->data = EMPTY_STRING; |
| 418 | continue; | 418 | continue; |
| 419 | } | 419 | } |
| 420 | else if (arg_debug_whitelists) | ||
| 421 | printf("real path %s\n", fname); | ||
| 420 | 422 | ||
| 421 | if (nowhitelist_flag) { | 423 | if (nowhitelist_flag) { |
| 422 | // store the path in nowhitelist array | 424 | // store the path in nowhitelist array |
| @@ -501,9 +503,15 @@ void fs_whitelist(void) { | |||
| 501 | else if (strncmp(new_name, "/dev/", 5) == 0) { | 503 | else if (strncmp(new_name, "/dev/", 5) == 0) { |
| 502 | entry->dev_dir = 1; | 504 | entry->dev_dir = 1; |
| 503 | dev_dir = 1; | 505 | dev_dir = 1; |
| 504 | // both path and absolute path are under /dev | 506 | |
| 505 | if (strncmp(fname, "/dev/", 5) != 0) { | 507 | // special handling for /dev/shm |
| 506 | goto errexit; | 508 | // on some platforms (Debian wheezy, Ubuntu 14.04), it is a symlink to /run/shm |
| 509 | if (strcmp(new_name, "/dev/shm") == 0 && strcmp(fname, "/run/shm") == 0); | ||
| 510 | else { | ||
| 511 | // both path and absolute path are under /dev | ||
| 512 | if (strncmp(fname, "/dev/", 5) != 0) { | ||
| 513 | goto errexit; | ||
| 514 | } | ||
| 507 | } | 515 | } |
| 508 | } | 516 | } |
| 509 | else if (strncmp(new_name, "/opt/", 5) == 0) { | 517 | else if (strncmp(new_name, "/opt/", 5) == 0) { |
| @@ -708,7 +716,6 @@ void fs_whitelist(void) { | |||
| 708 | } | 716 | } |
| 709 | 717 | ||
| 710 | 718 | ||
| 711 | |||
| 712 | // go through profile rules again, and interpret whitelist commands | 719 | // go through profile rules again, and interpret whitelist commands |
| 713 | entry = cfg.profile; | 720 | entry = cfg.profile; |
| 714 | while (entry) { | 721 | while (entry) { |