author | netblue30 <netblue30@yahoo.com> | 2017-01-12 20:10:17 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-01-12 20:10:17 -0500 |
commit | 5440bc47971bfbe0db570283973bafb0b2486e69 (patch) | |
tree | 54e9b95e20e40c64b82768d05439be58447b85bf /src | |
parent | Gentoo compile fix (diff) | |
cleanup
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs.c | 36 | ||||
-rw-r--r-- | src/firejail/fs_mkdir.c | 29 | ||||
-rw-r--r-- | src/firejail/util.c | 2 |
3 files changed, 37 insertions, 30 deletions
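--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -711,10 +711,36 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
 // create ~/.firejail directory
 if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
 errExit("asprintf");
+
+if (is_link(dirname)) {
+fprintf(stderr, "Error: invalid ~/.firejail directory\n");
+exit(1);
+}
 if (stat(dirname, &s) == -1) {
-mkdir_attr(dirname, 0700, 0, 0);
+// create directory
+pid_t child = fork();
+if (child < 0)
+errExit("fork");
+if (child == 0) {
+// drop privileges
+drop_privs(0);
+
+// create directory
+if (mkdir(dirname, 0700))
+errExit("mkdir");
+if (chmod(dirname, 0700) == -1)
+errExit("chmod");
+ASSERT_PERMS(dirname, getuid(), getgid(), 0700);
+_exit(0);
+}
+// wait for the child to finish
+waitpid(child, NULL, 0);
+if (stat(dirname, &s) == -1) {
+fprintf(stderr, "Error: cannot create ~/.firejail directory\n");
+exit(1);
+}
 }
-else if (is_link(dirname)) {
+else if (s.st_uid != getuid()) {
 fprintf(stderr, "Error: invalid ~/.firejail directory\n");
 exit(1);
 }
@@ -1141,10 +1167,16 @@ void fs_chroot(const char *rootdir) {
 free(newx11);
 }
 
+// some older distros don't have a /run directory
+// create one by default
 // create /run/firejail directory in chroot
 char *rundir;
 if (asprintf(&rundir, "%s/run", rootdir) == -1)
 errExit("asprintf");
+if (is_link(rundir)) {
+fprintf(stderr, "Error: invalid run directory inside chroot\n");
+exit(1);
+}
 create_empty_dir_as_root(rundir, 0755);
 free(rundir);
 if (asprintf(&rundir, "%s/run/firejail", rootdir) == -1)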
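Review bot: In the fs_check_overlay_dir hunk, the path created by the child is accepted on existence alone: the second `stat(dirname, &s)` only tests for -1, and the `s.st_uid != getuid()` ownership test sits in the `else` branch, so it never runs on the just-created path. Because `waitpid(child, NULL, 0)` discards the child's status, a failure in the child after `mkdir()` succeeds (`errExit("chmod")`, or presumably `ASSERT_PERMS`) goes unnoticed as long as something exists at that name. The home directory is user-writable, so the path can change between `is_link()`, the child's `mkdir()` and the re-check; the re-check could be `if (lstat(dirname, &s) == -1 || !S_ISDIR(s.st_mode) || s.st_uid != getuid()) {`, with the child's exit status tested as well. The same check-then-create order applies to `is_link(rundir)` followed by `create_empty_dir_as_root(rundir, 0755)` in the fs_chroot hunk, where the creation presumably runs as root. Both functions continue outside the hunks shown.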
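--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -112,33 +112,8 @@ void fs_mkfile(const char *name) {
 }
 
 // create file
-pid_t child = fork();
-if (child < 0)
-errExit("fork");
-if (child == 0) {
-// drop privileges
-drop_privs(0);
-
-/* coverity[toctou] */
-FILE *fp = fopen(expanded, "w");
-if (!fp)
-fprintf(stderr, "Warning: cannot create %s file\n", expanded);
-else {
-int fd = fileno(fp);
-if (fd == -1)
-errExit("fileno");
-int rv = fchmod(fd, 0600);
-(void) rv;
-fclose(fp);
-}
-#ifdef HAVE_GCOV
-__gcov_flush();
-#endif
-_exit(0);
-}
-// wait for the child to finish
-waitpid(child, NULL, 0);
-
+touch_file_as_user(expanded, getuid(), getgid(), 0600);
+
 doexit:
 free(expanded);
 }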
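Review bot: The call `touch_file_as_user(expanded, getuid(), getgid(), 0600)` now carries the whole security contract that the removed block spelled out inline (fork, `drop_privs(0)`, then open and `fchmod` on the descriptor), and the helper's body is not part of this diff. It is worth confirming that it drops privileges before the path is opened and sets the mode through the file descriptor rather than by name, since `expanded` presumably comes from a user-supplied profile path. Once that is verified, the `// create file` comment could say so, e.g. `// create file as the calling user; touch_file_as_user forks and drops privileges first`. fs_mkfile starts above the hunk.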
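--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -231,7 +231,7 @@ void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid
 // copy, set permissions and ownership
 int rv = copy_file(srcname, destname, uid, gid, mode); // already a regular user
 if (rv)
-fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
+fprintf(stderr, "Warning: cannot copy %s\n", srcname);
 #ifdef HAVE_GCOV
 __gcov_flush();
 #endif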