diff options
author | smitsohu <smitsohu@gmail.com> | 2020-04-22 14:31:22 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2020-04-22 14:31:22 +0200 |
commit | 1c2c772f0ee05fdd42e462eacc92e79c201df110 (patch) | |
tree | d1fa74a33b4aee743ebb4838854ec98ef779e35d /src | |
parent | small fixes (diff) | |
download | firejail-1c2c772f0ee05fdd42e462eacc92e79c201df110.tar.gz firejail-1c2c772f0ee05fdd42e462eacc92e79c201df110.tar.zst firejail-1c2c772f0ee05fdd42e462eacc92e79c201df110.zip |
selinux relabeling, little things
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs_home.c | 9 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 2 | ||||
-rw-r--r-- | src/firejail/restrict_users.c | 6 |
3 files changed, 10 insertions, 7 deletions
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index ff6d78bf2..af891d61f 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -357,11 +357,14 @@ void fs_private(void) { | |||
357 | printf("Mounting a new /root directory\n"); | 357 | printf("Mounting a new /root directory\n"); |
358 | if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=700,gid=0") < 0) | 358 | if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=700,gid=0") < 0) |
359 | errExit("mounting /root directory"); | 359 | errExit("mounting /root directory"); |
360 | selinux_relabel_path("/root", "/root"); | ||
360 | fs_logger("tmpfs /root"); | 361 | fs_logger("tmpfs /root"); |
361 | 362 | ||
362 | if (arg_allusers) { | 363 | if (arg_allusers) { |
363 | if (u != 0) | 364 | if (u != 0) |
364 | fs_tmpfs(homedir, 1); // check if directory is owned by the current user | 365 | // mask user home directory |
366 | // the directory should be owned by the current user | ||
367 | fs_tmpfs(homedir, 1); | ||
365 | } | 368 | } |
366 | else { // mask /home | 369 | else { // mask /home |
367 | if (arg_debug) | 370 | if (arg_debug) |
@@ -390,7 +393,9 @@ void fs_private(void) { | |||
390 | fs_logger2("tmpfs", homedir); | 393 | fs_logger2("tmpfs", homedir); |
391 | } | 394 | } |
392 | else | 395 | else |
393 | fs_tmpfs(homedir, 1); // check if directory is owned by the current user | 396 | // mask user home directory |
397 | // the directory should be owned by the current user | ||
398 | fs_tmpfs(homedir, 1); | ||
394 | } | 399 | } |
395 | } | 400 | } |
396 | 401 | ||
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 3f3075570..1d7552339 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -1070,7 +1070,7 @@ void fs_whitelist(void) { | |||
1070 | free(proc); | 1070 | free(proc); |
1071 | close(fd); | 1071 | close(fd); |
1072 | 1072 | ||
1073 | // mount a tmpfs and initialize home directory, overrides --allusers | 1073 | // mount a tmpfs and initialize home directory |
1074 | fs_private(); | 1074 | fs_private(); |
1075 | } | 1075 | } |
1076 | else | 1076 | else |
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index 804b45339..c12227406 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c | |||
@@ -72,10 +72,6 @@ static void sanitize_home(void) { | |||
72 | 72 | ||
73 | if (arg_debug) | 73 | if (arg_debug) |
74 | printf("Cleaning /home directory\n"); | 74 | printf("Cleaning /home directory\n"); |
75 | |||
76 | if (mkdir(RUN_WHITELIST_HOME_DIR, 0755) == -1) | ||
77 | errExit("mkdir"); | ||
78 | |||
79 | // keep a copy of the user home directory | 75 | // keep a copy of the user home directory |
80 | int fd = safe_fd(cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); | 76 | int fd = safe_fd(cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); |
81 | if (fd == -1) { | 77 | if (fd == -1) { |
@@ -90,6 +86,8 @@ static void sanitize_home(void) { | |||
90 | char *proc; | 86 | char *proc; |
91 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | 87 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) |
92 | errExit("asprintf"); | 88 | errExit("asprintf"); |
89 | if (mkdir(RUN_WHITELIST_HOME_DIR, 0755) == -1) | ||
90 | errExit("mkdir"); | ||
93 | if (mount(proc, RUN_WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 91 | if (mount(proc, RUN_WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
94 | errExit("mount bind"); | 92 | errExit("mount bind"); |
95 | free(proc); | 93 | free(proc); |