diff options
| author |  netblue30 <netblue30@yahoo.com> | 2016-02-08 12:58:37 -0500 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2016-02-08 12:58:37 -0500 |
| commit | 9c0730573aa6f5cf96278704a9a8c14457f1e010 (patch) | |
| tree | 0c1c05f54f2eaa146131c16bc877dec200f39931 /src | |
| parent | set window title (diff) | |
| download | firejail-9c0730573aa6f5cf96278704a9a8c14457f1e010.tar.gz firejail-9c0730573aa6f5cf96278704a9a8c14457f1e010.tar.zst firejail-9c0730573aa6f5cf96278704a9a8c14457f1e010.zip | |
fixed whitelist problem
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/fs_whitelist.c | 32 |
1 files changed, 24 insertions, 8 deletions
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 22b5fb0a7..0f2d6a089 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
| @@ -336,6 +336,14 @@ void fs_whitelist(void) { | |||
| 336 | if (arg_debug) | 336 | if (arg_debug) |
| 337 | fprintf(stderr, "Debug %d: new_name #%s#\n", __LINE__, new_name); | 337 | fprintf(stderr, "Debug %d: new_name #%s#\n", __LINE__, new_name); |
| 338 | 338 | ||
| 339 | // valid path referenced to filesystem root | ||
| 340 | if (*new_name != '/') { | ||
| 341 | if (arg_debug) | ||
| 342 | fprintf(stderr, "Debug %d: \n", __LINE__); | ||
| 343 | goto errexit; | ||
| 344 | } | ||
| 345 | |||
| 346 | |||
| 339 | // extract the absolute path of the file | 347 | // extract the absolute path of the file |
| 340 | // realpath function will fail with ENOENT if the file is not found | 348 | // realpath function will fail with ENOENT if the file is not found |
| 341 | char *fname = realpath(new_name, NULL); | 349 | char *fname = realpath(new_name, NULL); |
| @@ -349,19 +357,27 @@ void fs_whitelist(void) { | |||
| 349 | perror("realpath"); | 357 | perror("realpath"); |
| 350 | } | 358 | } |
| 351 | *entry->data = '\0'; | 359 | *entry->data = '\0'; |
| 360 | |||
| 361 | // if 1 the file was not found; mount an empty directory | ||
| 362 | if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) | ||
| 363 | home_dir = 1; | ||
| 364 | else if (strncmp(new_name, "/tmp/", 5) == 0) | ||
| 365 | tmp_dir = 1; | ||
| 366 | else if (strncmp(new_name, "/media/", 7) == 0) | ||
| 367 | media_dir = 1; | ||
| 368 | else if (strncmp(new_name, "/var/", 5) == 0) | ||
| 369 | var_dir = 1; | ||
| 370 | else if (strncmp(new_name, "/dev/", 5) == 0) | ||
| 371 | dev_dir = 1; | ||
| 372 | else if (strncmp(new_name, "/opt/", 5) == 0) | ||
| 373 | opt_dir = 1; | ||
| 374 | |||
| 352 | continue; | 375 | continue; |
| 353 | } | 376 | } |
| 354 | 377 | ||
| 355 | // valid path referenced to filesystem root | ||
| 356 | if (*new_name != '/') { | ||
| 357 | if (arg_debug) | ||
| 358 | fprintf(stderr, "Debug %d: \n", __LINE__); | ||
| 359 | goto errexit; | ||
| 360 | } | ||
| 361 | |||
| 362 | // check for supported directories | 378 | // check for supported directories |
| 363 | if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) { | 379 | if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) { |
| 364 | // whitelisting home directory is disabled if --private or --private-home option is present | 380 | // whitelisting home directory is disabled if --private option is present |
| 365 | if (arg_private) { | 381 | if (arg_private) { |
| 366 | if (arg_debug || arg_debug_whitelists) | 382 | if (arg_debug || arg_debug_whitelists) |
| 367 | printf("Removed whitelist path %s, --private option is present\n", entry->data); | 383 | printf("Removed whitelist path %s, --private option is present\n", entry->data); |