diff options
author | startx2017 <vradu.startx@yandex.com> | 2017-11-02 09:12:08 -0400 |
---|---|---|
committer | startx2017 <vradu.startx@yandex.com> | 2017-11-02 09:12:08 -0400 |
commit | 601068247adcb0f947c8098a1533de749accc02e (patch) | |
tree | 3c23f6e032da11a19f3b369365da966237edb4ec /src | |
parent | fix --dns issue #1621 (diff) | |
download | firejail-601068247adcb0f947c8098a1533de749accc02e.tar.gz firejail-601068247adcb0f947c8098a1533de749accc02e.tar.zst firejail-601068247adcb0f947c8098a1533de749accc02e.zip |
fixing filesystem reporting for firetools
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs_bin.c | 22 | ||||
-rw-r--r-- | src/firejail/fs_dev.c | 4 | ||||
-rw-r--r-- | src/firejail/fs_home.c | 5 | ||||
-rw-r--r-- | src/firejail/fs_lib.c | 16 | ||||
-rw-r--r-- | src/firejail/pulseaudio.c | 7 |
5 files changed, 51 insertions, 3 deletions
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 6bd7ecd17..eaa7362cf 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c | |||
@@ -146,6 +146,19 @@ errexit: | |||
146 | return 0; | 146 | return 0; |
147 | } | 147 | } |
148 | 148 | ||
149 | static void report_duplication(const char *fname) { | ||
150 | // report the file on all bin paths | ||
151 | int i = 0; | ||
152 | while (paths[i]) { | ||
153 | char *p; | ||
154 | if (asprintf(&p, "%s/%s", paths[i], fname) == -1) | ||
155 | errExit("asprintf"); | ||
156 | fs_logger2("clone", p); | ||
157 | free(p); | ||
158 | i++; | ||
159 | } | ||
160 | } | ||
161 | |||
149 | static void duplicate(char *fname, FILE *fplist) { | 162 | static void duplicate(char *fname, FILE *fplist) { |
150 | assert(fname); | 163 | assert(fname); |
151 | 164 | ||
@@ -193,17 +206,20 @@ static void duplicate(char *fname, FILE *fplist) { | |||
193 | if (is_link(full_path)) { | 206 | if (is_link(full_path)) { |
194 | char *actual_path = realpath(full_path, NULL); | 207 | char *actual_path = realpath(full_path, NULL); |
195 | if (actual_path) { | 208 | if (actual_path) { |
196 | if (valid_full_path_file(actual_path)) | 209 | if (valid_full_path_file(actual_path)) { |
197 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, actual_path, RUN_BIN_DIR); | 210 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, actual_path, RUN_BIN_DIR); |
211 | char *f = strrchr(actual_path, '/'); | ||
212 | if (f && *(++f) !='\0') | ||
213 | report_duplication(f); | ||
214 | } | ||
198 | free(actual_path); | 215 | free(actual_path); |
199 | } | 216 | } |
200 | } | 217 | } |
201 | 218 | ||
202 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR); | 219 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR); |
203 | } | 220 | } |
204 | |||
205 | fs_logger2("clone", fname); | ||
206 | free(full_path); | 221 | free(full_path); |
222 | report_duplication(fname); | ||
207 | } | 223 | } |
208 | 224 | ||
209 | static void globbing(char *fname, FILE *fplist) { | 225 | static void globbing(char *fname, FILE *fplist) { |
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index 0dbbb65a0..d839a0786 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c | |||
@@ -131,6 +131,7 @@ static void create_char_dev(const char *path, mode_t mode, int major, int minor) | |||
131 | if (chmod(path, mode) < 0) | 131 | if (chmod(path, mode) < 0) |
132 | goto errexit; | 132 | goto errexit; |
133 | ASSERT_PERMS(path, 0, 0, mode); | 133 | ASSERT_PERMS(path, 0, 0, mode); |
134 | fs_logger2("create", path); | ||
134 | 135 | ||
135 | return; | 136 | return; |
136 | 137 | ||
@@ -144,6 +145,7 @@ static void create_link(const char *oldpath, const char *newpath) { | |||
144 | goto errexit; | 145 | goto errexit; |
145 | if (chown(newpath, 0, 0) < 0) | 146 | if (chown(newpath, 0, 0) < 0) |
146 | goto errexit; | 147 | goto errexit; |
148 | fs_logger2("create", newpath); | ||
147 | return; | 149 | return; |
148 | 150 | ||
149 | errexit: | 151 | errexit: |
@@ -205,6 +207,7 @@ void fs_private_dev(void){ | |||
205 | printf("Create /dev/shm directory\n"); | 207 | printf("Create /dev/shm directory\n"); |
206 | mkdir_attr("/dev/shm", 01777, 0, 0); | 208 | mkdir_attr("/dev/shm", 01777, 0, 0); |
207 | fs_logger("mkdir /dev/shm"); | 209 | fs_logger("mkdir /dev/shm"); |
210 | fs_logger("create /dev/shm"); | ||
208 | 211 | ||
209 | // create default devices | 212 | // create default devices |
210 | create_char_dev("/dev/zero", 0666, 1, 5); // mknod -m 666 /dev/zero c 1 5 | 213 | create_char_dev("/dev/zero", 0666, 1, 5); // mknod -m 666 /dev/zero c 1 5 |
@@ -227,6 +230,7 @@ void fs_private_dev(void){ | |||
227 | // pseudo-terminal | 230 | // pseudo-terminal |
228 | mkdir_attr("/dev/pts", 0755, 0, 0); | 231 | mkdir_attr("/dev/pts", 0755, 0, 0); |
229 | fs_logger("mkdir /dev/pts"); | 232 | fs_logger("mkdir /dev/pts"); |
233 | fs_logger("create /dev/pts"); | ||
230 | create_char_dev("/dev/pts/ptmx", 0666, 5, 2); //"mknod -m 666 /dev/pts/ptmx c 5 2"); | 234 | create_char_dev("/dev/pts/ptmx", 0666, 5, 2); //"mknod -m 666 /dev/pts/ptmx c 5 2"); |
231 | fs_logger("mknod /dev/pts/ptmx"); | 235 | fs_logger("mknod /dev/pts/ptmx"); |
232 | create_link("/dev/pts/ptmx", "/dev/ptmx"); | 236 | create_link("/dev/pts/ptmx", "/dev/ptmx"); |
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 6d3818ccb..5a39fab48 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -50,6 +50,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) { | |||
50 | if (stat("/etc/skel/.zshrc", &s) == 0) { | 50 | if (stat("/etc/skel/.zshrc", &s) == 0) { |
51 | copy_file_as_user("/etc/skel/.zshrc", fname, u, g, 0644); // regular user | 51 | copy_file_as_user("/etc/skel/.zshrc", fname, u, g, 0644); // regular user |
52 | fs_logger("clone /etc/skel/.zshrc"); | 52 | fs_logger("clone /etc/skel/.zshrc"); |
53 | fs_logger2("clone", fname); | ||
53 | } | 54 | } |
54 | else { | 55 | else { |
55 | touch_file_as_user(fname, u, g, 0644); | 56 | touch_file_as_user(fname, u, g, 0644); |
@@ -74,6 +75,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) { | |||
74 | if (stat("/etc/skel/.cshrc", &s) == 0) { | 75 | if (stat("/etc/skel/.cshrc", &s) == 0) { |
75 | copy_file_as_user("/etc/skel/.cshrc", fname, u, g, 0644); // regular user | 76 | copy_file_as_user("/etc/skel/.cshrc", fname, u, g, 0644); // regular user |
76 | fs_logger("clone /etc/skel/.cshrc"); | 77 | fs_logger("clone /etc/skel/.cshrc"); |
78 | fs_logger2("clone", fname); | ||
77 | } | 79 | } |
78 | else { | 80 | else { |
79 | touch_file_as_user(fname, u, g, 0644); | 81 | touch_file_as_user(fname, u, g, 0644); |
@@ -97,6 +99,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) { | |||
97 | if (stat("/etc/skel/.bashrc", &s) == 0) { | 99 | if (stat("/etc/skel/.bashrc", &s) == 0) { |
98 | copy_file_as_user("/etc/skel/.bashrc", fname, u, g, 0644); // regular user | 100 | copy_file_as_user("/etc/skel/.bashrc", fname, u, g, 0644); // regular user |
99 | fs_logger("clone /etc/skel/.bashrc"); | 101 | fs_logger("clone /etc/skel/.bashrc"); |
102 | fs_logger2("clone", fname); | ||
100 | } | 103 | } |
101 | free(fname); | 104 | free(fname); |
102 | } | 105 | } |
@@ -312,6 +315,7 @@ void fs_private(void) { | |||
312 | if (chown(homedir, u, g) < 0) | 315 | if (chown(homedir, u, g) < 0) |
313 | errExit("chown"); | 316 | errExit("chown"); |
314 | fs_logger2("mkdir", homedir); | 317 | fs_logger2("mkdir", homedir); |
318 | fs_logger2("tmpfs", homedir); | ||
315 | } | 319 | } |
316 | 320 | ||
317 | skel(homedir, u, g); | 321 | skel(homedir, u, g); |
@@ -500,6 +504,7 @@ void fs_private_home_list(void) { | |||
500 | 504 | ||
501 | if (mount(RUN_HOME_DIR, homedir, NULL, MS_BIND|MS_REC, NULL) < 0) | 505 | if (mount(RUN_HOME_DIR, homedir, NULL, MS_BIND|MS_REC, NULL) < 0) |
502 | errExit("mount bind"); | 506 | errExit("mount bind"); |
507 | fs_logger2("tmpfs", homedir); | ||
503 | 508 | ||
504 | if (uid != 0) { | 509 | if (uid != 0) { |
505 | // mask /root | 510 | // mask /root |
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c index 18739c554..56a66742a 100644 --- a/src/firejail/fs_lib.c +++ b/src/firejail/fs_lib.c | |||
@@ -43,6 +43,21 @@ extern void fslib_install_system(void); | |||
43 | static int lib_cnt = 0; | 43 | static int lib_cnt = 0; |
44 | static int dir_cnt = 0; | 44 | static int dir_cnt = 0; |
45 | 45 | ||
46 | static void report_duplication(const char *full_path) { | ||
47 | char *fname = strrchr(full_path, '/'); | ||
48 | if (fname && *(++fname) != '\0') { | ||
49 | // report the file on all bin paths | ||
50 | int i = 0; | ||
51 | while (lib_paths[i]) { | ||
52 | char *p; | ||
53 | if (asprintf(&p, "%s/%s", lib_paths[i], fname) == -1) | ||
54 | errExit("asprintf"); | ||
55 | fs_logger2("clone", p); | ||
56 | free(p); | ||
57 | i++; | ||
58 | } | ||
59 | } | ||
60 | } | ||
46 | 61 | ||
47 | static char *build_dest_dir(const char *full_path) { | 62 | static char *build_dest_dir(const char *full_path) { |
48 | assert(full_path); | 63 | assert(full_path); |
@@ -81,6 +96,7 @@ void fslib_duplicate(const char *full_path) { | |||
81 | printf("copying %s to private %s\n", full_path, dest_dir); | 96 | printf("copying %s to private %s\n", full_path, dest_dir); |
82 | 97 | ||
83 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, dest_dir); | 98 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, dest_dir); |
99 | report_duplication(full_path); | ||
84 | lib_cnt++; | 100 | lib_cnt++; |
85 | } | 101 | } |
86 | 102 | ||
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index 2f8cd5f7d..6768b525b 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c | |||
@@ -147,6 +147,7 @@ void pulseaudio_init(void) { | |||
147 | } | 147 | } |
148 | // wait for the child to finish | 148 | // wait for the child to finish |
149 | waitpid(child, NULL, 0); | 149 | waitpid(child, NULL, 0); |
150 | fs_logger2("create", dir1); | ||
150 | } | 151 | } |
151 | else { | 152 | else { |
152 | // make sure the directory is owned by the user | 153 | // make sure the directory is owned by the user |
@@ -179,6 +180,7 @@ void pulseaudio_init(void) { | |||
179 | } | 180 | } |
180 | // wait for the child to finish | 181 | // wait for the child to finish |
181 | waitpid(child, NULL, 0); | 182 | waitpid(child, NULL, 0); |
183 | fs_logger2("create", dir1); | ||
182 | } | 184 | } |
183 | else { | 185 | else { |
184 | // make sure the directory is owned by the user | 186 | // make sure the directory is owned by the user |
@@ -199,6 +201,11 @@ void pulseaudio_init(void) { | |||
199 | mount(NULL, homeusercfg, NULL, MS_NOEXEC|MS_NODEV|MS_NOSUID|MS_BIND|MS_REMOUNT, NULL) < 0) | 201 | mount(NULL, homeusercfg, NULL, MS_NOEXEC|MS_NODEV|MS_NOSUID|MS_BIND|MS_REMOUNT, NULL) < 0) |
200 | errExit("mount pulseaudio"); | 202 | errExit("mount pulseaudio"); |
201 | fs_logger2("tmpfs", homeusercfg); | 203 | fs_logger2("tmpfs", homeusercfg); |
204 | char *p; | ||
205 | if (asprintf(&p, "%s/client.conf", homeusercfg) == -1) | ||
206 | errExit("asprintf"); | ||
207 | fs_logger2("create", p); | ||
208 | free(p); | ||
202 | } | 209 | } |
203 | else { | 210 | else { |
204 | // set environment | 211 | // set environment |