author | smitsohu <smitsohu@gmail.com> | 2021-06-06 11:08:01 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2021-06-06 11:08:01 +0200 |
commit | 9678da00301562464464099b9d7cfd76424fbb23 (patch) | |
tree | db011c18c43e9f6c5090da2479341797e2e2f66e /src | |
parent | rpm: fix man page location in spec file (diff) | |
cleanup
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 13 | ||||
-rw-r--r-- | src/firejail/main.c | 2 | ||||
-rw-r--r-- | src/firejail/util.c | 18 |
4 files changed, 16 insertions, 19 deletions
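--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -530,7 +530,7 @@ int has_handler(pid_t pid, int signal);
 void enter_network_namespace(pid_t pid);
 int read_pid(const char *name, pid_t *pid);
 pid_t require_pid(const char *name);
-void check_homedir(void);
+void check_homedir(const char *dir);
 
 // Get info regarding the last kernel mount operation from /proc/self/mountinfo
 // The return value points to a static area, and will be overwritten by subsequent calls.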
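--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -304,7 +304,6 @@ static void globbing(const char *pattern) {
 }
 
 // mount tmpfs on all top level directories
-// home directories *inside* /run/user/$UID are not fully supported
 static void tmpfs_topdirs(const TopDir *topdirs) {
 int tmpfs_home = 0;
 int tmpfs_runuser = 0;
@@ -335,6 +334,7 @@ static void tmpfs_topdirs(const TopDir *topdirs) {
 
 // mount tmpfs
 fs_tmpfs(topdirs[i].path, 0);
+selinux_relabel_path(topdirs[i].path, topdirs[i].path);
 
 // init tmpfs
 if (strcmp(topdirs[i].path, "/run") == 0) {
@@ -384,8 +384,6 @@ static void tmpfs_topdirs(const TopDir *topdirs) {
 const char *rel = cfg.homedir + topdir_len + 1;
 whitelist_file(topdirs[i].fd, rel, cfg.homedir);
 }
-
-selinux_relabel_path(topdirs[i].path, topdirs[i].path);
 }
 
 // user home directory
@@ -467,9 +465,9 @@ static TopDir *add_topdir(const char *dir, TopDir *topdirs, const char *path) {
 errExit("strdup");
 
 // open the directory, don't follow symbolic links
-rv->fd = safer_openat(-1, rv->path, O_PATH|O_NOFOLLOW|O_DIRECTORY|O_CLOEXEC);
+rv->fd = safer_openat(-1, dir, O_PATH|O_NOFOLLOW|O_DIRECTORY|O_CLOEXEC);
 if (rv->fd == -1) {
-fprintf(stderr, "Error: cannot open %s\n", rv->path);
+fprintf(stderr, "Error: cannot open %s\n", dir);
 exit(1);
 }
 
@@ -750,10 +748,11 @@ void fs_whitelist(void) {
 }
 
 // create the link if any
-if (link)
+if (link) {
 whitelist_symlink(link, file);
+free(link);
+}
 
-free(link);
 free(file);
 free(entry->wparam);
 entry->wparam = NULL;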
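Review bot: In add_topdir() the O_NOFOLLOW open now takes `dir` while the entry keeps `rv->path`, and nothing in the hunk states that the two name the same directory. tmpfs_topdirs() mounts on `topdirs[i].path` but whitelists through `topdirs[i].fd`, so the descriptor and the stored path have to stay in agreement. The strdup() that fills `rv->path` is above the hunk, so this cannot be confirmed from here; if it copies `dir`, a comment next to the open such as `// rv->path is a copy of dir: fd and path refer to the same directory` would record the invariant.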
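--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -259,8 +259,8 @@ static void init_cfg(int argc, char **argv) {
 fprintf(stderr, "Error: user %s doesn't have a user directory assigned\n", cfg.username);
 exit(1);
 }
+check_homedir(pw->pw_dir);
 cfg.homedir = clean_pathname(pw->pw_dir);
-check_homedir();
 
 // initialize random number generator
 sandbox_pid = getpid();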
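Review bot: check_homedir() now validates the raw `pw->pw_dir`, but the string stored in `cfg.homedir` and used from then on is the output of clean_pathname(), so the absolute-path and symlink checks no longer run on the value the sandbox actually uses. Neither function body is visible in this hunk, so whether the two strings can differ in a way that matters is unconfirmed. If the order is intentional, a comment above the call would say why, for example `// validate the passwd entry as given; cfg.homedir is the normalized copy`. init_cfg() starts and ends outside the hunk.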
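--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -447,15 +447,13 @@ int is_link(const char *fname) {
 if (*fname == '\0')
 return 0;
 
-char *dup = strdup(fname);
-if (!dup)
-errExit("strdup");
-trim_trailing_slash_or_dot(dup);
+// remove trailing slashes
+char *tmp = clean_pathname(fname);
 
 char c;
-ssize_t rv = readlink(dup, &c, 1);
+ssize_t rv = readlink(tmp, &c, 1);
+free(tmp);
 
-free(dup);
 return (rv != -1);
 }
 
@@ -1319,14 +1317,14 @@ static int has_link(const char *dir) {
 return 0;
 }
 
-void check_homedir(void) {
-assert(cfg.homedir);
-if (cfg.homedir[0] != '/') {
+void check_homedir(const char *dir) {
+assert(dir);
+if (dir[0] != '/') {
 fprintf(stderr, "Error: invalid user directory \"%s\"\n", cfg.homedir);
 exit(1);
 }
 // symlinks are rejected in many places
-if (has_link(cfg.homedir)) {
+if (has_link(dir)) {
 fprintf(stderr, "No full support for symbolic links in path of user directory.\n"
 "Please provide resolved path in password database (/etc/passwd).\n\n");
 }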
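Review bot: The invalid-directory message in check_homedir() still prints `cfg.homedir` although the function now checks its `dir` argument. In main.c the call was moved ahead of the `cfg.homedir = clean_pathname(pw->pw_dir);` assignment, so on this error path cfg.homedir has not been set yet and is presumably NULL, which makes the `%s` argument undefined behaviour and hides the offending path from the user. The line should read `fprintf(stderr, "Error: invalid user directory \"%s\"\n", dir);`. The closing brace of check_homedir() lies outside the hunk.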