author | smitsohu <smitsohu@gmail.com> | 2022-07-11 21:37:05 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2022-07-11 21:37:05 +0200 |
commit | bd86049c52a8707f6a98fed717bc03b5bfeb60f5 (patch) | |
tree | f984b6f3c42a1ffef699b386a033c29ae3cb8fb0 /src | |
parent | remove dependency on sendfile syscall (diff) | |
cleanup
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/chroot.c | 28 |
1 files changed, 7 insertions, 21 deletions
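--- a/src/firejail/chroot.c
+++ b/src/firejail/chroot.c
@@ -33,41 +33,27 @@
 void fs_check_chroot_dir(void) {
 EUID_ASSERT();
 assert(cfg.chrootdir);
-if (strstr(cfg.chrootdir, "..") ||
-is_link(cfg.chrootdir))
-goto errout;
 
 // check chroot dirname exists, chrooting into the root directory is not allowed
 char *rpath = realpath(cfg.chrootdir, NULL);
-if (rpath == NULL || !is_dir(rpath) || strcmp(rpath, "/") == 0)
-goto errout;
-
-char *overlay;
-if (asprintf(&overlay, "%s/.firejail", cfg.homedir) == -1)
-errExit("asprintf");
-if (strncmp(rpath, overlay, strlen(overlay)) == 0) {
-fprintf(stderr, "Error: invalid chroot directory: no directories in %s are allowed\n", overlay);
+if (rpath == NULL || !is_dir(rpath) || strcmp(rpath, "/") == 0) {
+fprintf(stderr, "Error: invalid chroot directory %s\n", cfg.chrootdir);
 exit(1);
 }
-free(overlay);
 
 cfg.chrootdir = rpath;
 return;
-
-errout:
-fprintf(stderr, "Error: invalid chroot directory %s\n", cfg.chrootdir);
-exit(1);
 }
 
 // copy /etc/resolv.conf or /etc/machine-id in chroot directory
 static void update_file(int parentfd, const char *relpath) {
 assert(relpath && relpath[0] && relpath[0] != '/');
 
-char *abspath;
-if (asprintf(&abspath, "/%s", relpath) == -1)
-errExit("asprintf");
-int in = open(abspath, O_RDONLY|O_CLOEXEC);
-free(abspath);
+int rootfd = open("/", O_PATH|O_CLOEXEC);
+if (rootfd == -1)
+errExit("open");
+int in = openat(rootfd, relpath, O_RDONLY|O_CLOEXEC);
+close(rootfd);
 if (in == -1)
 goto errout;
 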