author | netblue30 <netblue30@yahoo.com> | 2018-05-03 11:25:59 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2018-05-03 11:25:59 -0400 |
commit | c875f1007508c166a66fd0cbf5132068982e8700 (patch) | |
tree | 5cf71fef0c8edada79835b528329d6fbc8f2b8dc /src | |
parent | Edit README.md with new option (diff) | |
moving get_mount_info from /proc/self/mounts to /proc/self/mountinfo
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 7 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 11 | ||||
-rw-r--r-- | src/firejail/util.c | 55 |
3 files changed, 57 insertions, 16 deletions
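--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -525,12 +525,13 @@ unsigned extract_timeout(const char *str);
 void disable_file_or_dir(const char *fname);
 void disable_file_path(const char *path, const char *file);
 
-// Get info regarding the last kernel mount operation.
+// Get info regarding the last kernel mount operation from /proc/self/mountinfo
 // The return value points to a static area, and will be overwritten by subsequent calls.
 // The function does an exit(1) if anything goes wrong.
 typedef struct {
-char *fsname;
-char *dir;
+char *fsname; // the pathname of the directory in the filesystem which forms the root of this mount
+char *dir; // mount destination
+char *fstype; // filesystem type
 } MountData;
 MountData *get_last_mount(void);
 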
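Review bot: The new field comments at lines 532–534 say what each string means but not that all three point into the single static line buffer that get_last_mount() splits with strtok(), so every pointer inside the returned MountData is invalidated by the next call, not just the struct itself; the "static area" sentence at line 529 reads as if only the struct is reused. I would extend it to `// The return value and the strings it points to live in a static buffer and are overwritten by the next call; copy them if they must outlive it.` It would also help callers to state that fsname is the 4th mountinfo field (mount root), dir the 5th (mount point) and fstype the first token after the " - " separator, which is what the parser in util.c extracts.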
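--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -27,6 +27,12 @@
 #include <fcntl.h>
 #include <errno.h>
 
+// mountinfo functionality test;
+// 1. enable TEST_MOUNTINFO definition
+// 2. set a symlink in /tmp: ln -s /etc /tmp/etc
+// 3. run firejail --debug --whitelist=/tmp/etc
+//#define TEST_MOUNTINFO
+
 static char *dentry[] = {
 "Downloads",
 "Загрузки",
@@ -204,8 +210,10 @@ static void whitelist_path(ProfileEntry *entry) {
 }
 else if (entry->tmp_dir) {
 fname = path + 5; // strlen("/tmp/")
+#ifndef TEST_MOUNTINFO
 if (*fname == '\0')
 goto errexit;
+#endif
 
 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_TMP_DIR, fname) == -1)
 errExit("asprintf");
@@ -516,10 +524,13 @@ void fs_whitelist(void) {
 else if (strncmp(new_name, "/tmp/", 5) == 0) {
 entry->tmp_dir = 1;
 tmp_dir = 1;
+
+#ifndef TEST_MOUNTINFO
 // both path and absolute path are under /tmp
 if (strncmp(fname, "/tmp/", 5) != 0) {
 goto errexit;
 }
+#endif
 }
 else if (strncmp(new_name, "/media/", 7) == 0) {
 entry->media_dir = 1;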
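Review bot: The `#ifndef TEST_MOUNTINFO` guards at new lines 213–216 and 528–533 compile out the two checks that reject an empty `/tmp/` whitelist name and a `/tmp/` entry whose `fname` (per the comment at 529, the absolute path) does not start with `/tmp/`, so a build with the define at line 34 left enabled runs with the /tmp whitelist containment removed rather than merely instrumented. The comment block at lines 30–34 should say so explicitly, e.g. `// TEST_MOUNTINFO compiles out the /tmp containment checks in whitelist_path() and fs_whitelist(); never define it in a release build`. A runtime switch tied to --debug would let the test run on a normal build, though the option parsing is not visible here so that may not fit. Both enclosing functions start and end outside the hunks.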
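--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1037,32 +1037,61 @@ static MountData mdata;
 // The return value points to a static area, and will be overwritten by subsequent calls.
 // The function does an exit(1) if anything goes wrong.
 MountData *get_last_mount(void) {
-// open /proc/self/mounts
-FILE *fp = fopen("/proc/self/mounts", "r");
+// open /proc/self/mountinfo
+FILE *fp = fopen("/proc/self/mountinfo", "r");
 if (!fp)
 goto errexit;
 
 mbuf[0] = '\0';
 while (fgets(mbuf, MAX_BUF, fp));
 fclose(fp);
-if (arg_debug || arg_debug_whitelists)
+if (arg_debug)
 printf("%s", mbuf);
 
-// extract filesystem name and directory
-mdata.fsname = mbuf;
-mdata.dir = strstr(mbuf, " ");
-if (!mdata.dir)
+// extract filesystem name, directory and filesystem type
+// examples:
+// 587 543 8:1 /tmp /etc rw,relatime master:1 - ext4 /dev/sda1 rw,errors=remount-ro,data=ordered
+// mdata.fsname: /tmp
+// mdata.dir: /etc
+// mdata.fstype: ext4
+// 585 564 0:76 / /home/netblue/.cache rw,nosuid,nodev - tmpfs tmpfs rw
+// mdata.fsname: /
+// mdata.dir: /home/netblue/.cache
+// mdata.fstype: tmpfs
+memset(&mdata, 0, sizeof(mdata));
+char *ptr = strtok(mbuf, " ");
+if (!ptr)
 goto errexit;
-*mdata.dir = '\0';
-mdata.dir++;
-char *end = strstr(mdata.dir, " ");
-if (!end)
+
+int cnt = 1;
+while ((ptr = strtok(NULL, " ")) != NULL) {
+cnt++;
+if (cnt == 4)
+mdata.fsname = ptr;
+else if (cnt == 5) {
+mdata.dir = ptr;
+break;
+}
+}
+
+ptr = strtok(NULL, "-");
+if (!ptr)
+goto errexit;
+
+ptr = strtok(NULL, " ");
+if (!ptr)
 goto errexit;
-*end = '\0';
+mdata.fstype = ptr++;
 
+if (mdata.fsname == NULL ||
+mdata.dir == NULL ||
+mdata.fstype == NULL)
+goto errexit;
+if (arg_debug)
+printf("fsname=%s dir=%s fstype=%s\n", mdata.fsname, mdata.dir, mdata.fstype);
 return &mdata;
 
 errexit:
-fprintf(stderr, "Error: cannot read /proc/self/mounts");
+fprintf(stderr, "Error: cannot read /proc/self/mountinfo\n");
 exit(1);
 }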
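Review bot: `strtok(NULL, "-")` at new line 1077 treats the first '-' byte anywhere in the rest of the line as the mountinfo separator rather than the standalone "-" field, so it works on the two examples at 1053 and 1057 only because the per-mount options and optional tags they skip happen to contain no dash; a value with a dash in those fields would make the following token, and so mdata.fstype, point into the middle of the options instead of at the filesystem type, and since the NULL check at 1086 cannot catch that, the caller would act on a wrong type. Walk the space-separated tokens and stop at the one that is exactly "-", as below. The `ptr++` at line 1084 is a dead post-increment and can simply be `mdata.fstype = ptr;`. Separately, the `fgets` loop at 1046 leaves only the tail of a last line longer than MAX_BUF in mbuf, which the field counting would then misparse; that predates this change but deserves a comment next to the loop.
```c
	// … unchanged: field-counting loop that sets mdata.fsname / mdata.dir …

	// skip the optional fields; the separator is the field that is exactly "-" (proc(5), mountinfo)
	while ((ptr = strtok(NULL, " ")) != NULL && strcmp(ptr, "-") != 0)
		;
	if (!ptr)
		goto errexit;

	ptr = strtok(NULL, " ");
	if (!ptr)
		goto errexit;
	mdata.fstype = ptr;
	// … unchanged: NULL checks, debug print, return …
```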