diff options
author | netblue30 <netblue30@yahoo.com> | 2016-11-10 08:12:32 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-11-10 08:12:32 -0500 |
commit | 9c9506f40b6e73e7ba9acbf676b1867c2b3e407f (patch) | |
tree | be80b976ff544860648c266e592cdcb8b14c2886 /src | |
parent | testing (diff) | |
download | firejail-9c9506f40b6e73e7ba9acbf676b1867c2b3e407f.tar.gz firejail-9c9506f40b6e73e7ba9acbf676b1867c2b3e407f.tar.zst firejail-9c9506f40b6e73e7ba9acbf676b1867c2b3e407f.zip |
bug: mkdir and mkfile are not applied to private directories
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs.c | 14 | ||||
-rw-r--r-- | src/firejail/profile.c | 4 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 2 | ||||
-rw-r--r-- | src/firejail/sbox.c | 2 |
4 files changed, 18 insertions, 4 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index dbd7eced7..4556f0a82 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -348,6 +348,20 @@ void fs_blacklist(void) { | |||
348 | ptr = entry->data + 6; | 348 | ptr = entry->data + 6; |
349 | op = MOUNT_TMPFS; | 349 | op = MOUNT_TMPFS; |
350 | } | 350 | } |
351 | else if (strncmp(entry->data, "mkdir ", 6) == 0) { | ||
352 | EUID_USER(); | ||
353 | fs_mkdir(entry->data + 6); | ||
354 | EUID_ROOT(); | ||
355 | entry = entry->next; | ||
356 | continue; | ||
357 | } | ||
358 | else if (strncmp(entry->data, "mkfile ", 7) == 0) { | ||
359 | EUID_USER(); | ||
360 | fs_mkfile(entry->data + 7); | ||
361 | EUID_ROOT(); | ||
362 | entry = entry->next; | ||
363 | continue; | ||
364 | } | ||
351 | else { | 365 | else { |
352 | fprintf(stderr, "Error: invalid profile line %s\n", entry->data); | 366 | fprintf(stderr, "Error: invalid profile line %s\n", entry->data); |
353 | entry = entry->next; | 367 | entry = entry->next; |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index f3a7eb727..0fd45d1ef 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -105,12 +105,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
105 | // mkdir | 105 | // mkdir |
106 | if (strncmp(ptr, "mkdir ", 6) == 0) { | 106 | if (strncmp(ptr, "mkdir ", 6) == 0) { |
107 | fs_mkdir(ptr + 6); | 107 | fs_mkdir(ptr + 6); |
108 | return 0; | 108 | return 1; // process mkdir again while applying blacklists |
109 | } | 109 | } |
110 | // mkfile | 110 | // mkfile |
111 | if (strncmp(ptr, "mkfile ", 7) == 0) { | 111 | if (strncmp(ptr, "mkfile ", 7) == 0) { |
112 | fs_mkfile(ptr + 7); | 112 | fs_mkfile(ptr + 7); |
113 | return 0; | 113 | return 1; // process mkfile again while applying blacklists |
114 | } | 114 | } |
115 | // sandbox name | 115 | // sandbox name |
116 | else if (strncmp(ptr, "name ", 5) == 0) { | 116 | else if (strncmp(ptr, "name ", 5) == 0) { |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 6b7f7f003..109daf552 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -734,7 +734,7 @@ int sandbox(void* sandbox_arg) { | |||
734 | fs_whitelist(); | 734 | fs_whitelist(); |
735 | 735 | ||
736 | // ... followed by blacklist commands | 736 | // ... followed by blacklist commands |
737 | fs_blacklist(); | 737 | fs_blacklist(); // mkdir and mkfile are processed all over again |
738 | 738 | ||
739 | //**************************** | 739 | //**************************** |
740 | // install trace | 740 | // install trace |
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index bca72c14a..430ffb86e 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c | |||
@@ -142,7 +142,7 @@ int sbox_run(unsigned filter, int num, ...) { | |||
142 | for (i = 3; i < max; i++) | 142 | for (i = 3; i < max; i++) |
143 | close(i); // close open files | 143 | close(i); // close open files |
144 | if ((filter & SBOX_ALLOW_STDIN) == 0) { | 144 | if ((filter & SBOX_ALLOW_STDIN) == 0) { |
145 | int fd = open("/dev/null",O_RDWR, 0); | 145 | int fd = open("/dev/null",O_RDWR, 0); |
146 | if (fd != -1) { | 146 | if (fd != -1) { |
147 | dup2 (fd, STDIN_FILENO); | 147 | dup2 (fd, STDIN_FILENO); |
148 | if (fd > 2) | 148 | if (fd > 2) |