diff options
author | netblue30 <netblue30@yahoo.com> | 2017-03-25 11:44:02 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-03-25 11:44:02 -0400 |
commit | 2131e7379f1fa2531321ee4b0ea50bcb2c8156b8 (patch) | |
tree | 0363f0e9a7b0fbc0d9d23c50233c18f7de383b7b /src | |
parent | Use thunderbird instead of icedove for testing (diff) | |
download | firejail-2131e7379f1fa2531321ee4b0ea50bcb2c8156b8.tar.gz firejail-2131e7379f1fa2531321ee4b0ea50bcb2c8156b8.tar.zst firejail-2131e7379f1fa2531321ee4b0ea50bcb2c8156b8.zip |
reverted back commit 22414ad - TOCTOU condition found by Martin Carpenter
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs.c | 2 | ||||
-rw-r--r-- | src/firejail/profile.c | 15 |
2 files changed, 4 insertions, 13 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 3413febcb..e1bac33f3 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -481,6 +481,7 @@ void fs_mnt(void) { | |||
481 | 481 | ||
482 | 482 | ||
483 | void fs_cache(void) { | 483 | void fs_cache(void) { |
484 | #if 0 | ||
484 | if (arg_debug) | 485 | if (arg_debug) |
485 | printf("Deploy ~/.cache tmpfs\n"); | 486 | printf("Deploy ~/.cache tmpfs\n"); |
486 | char *cache; | 487 | char *cache; |
@@ -488,6 +489,7 @@ void fs_cache(void) { | |||
488 | errExit("asprintf"); | 489 | errExit("asprintf"); |
489 | disable_file(MOUNT_TMPFS, cache); | 490 | disable_file(MOUNT_TMPFS, cache); |
490 | free(cache); | 491 | free(cache); |
492 | #endif | ||
491 | } | 493 | } |
492 | 494 | ||
493 | // mount /proc and /sys directories | 495 | // mount /proc and /sys directories |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 4b3cab041..993acf2aa 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -970,19 +970,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
970 | ptr += 7; | 970 | ptr += 7; |
971 | else if (strncmp(ptr, "tmpfs ", 6) == 0) { | 971 | else if (strncmp(ptr, "tmpfs ", 6) == 0) { |
972 | if (getuid() != 0) { | 972 | if (getuid() != 0) { |
973 | // allow a non-root user to mount tmpfs in user home directory, links are not allowed | 973 | fprintf(stderr, "Error: tmpfs available only when running the sandbox as root\n"); |
974 | invalid_filename(ptr + 6); | 974 | exit(1); |
975 | char *newfname = expand_home(ptr + 6, cfg.homedir); | ||
976 | assert(newfname); | ||
977 | if (is_link(newfname)) { | ||
978 | fprintf(stderr, "Error: for regular user, tmpfs is not available for symbolic links\n"); | ||
979 | exit(1); | ||
980 | } | ||
981 | if (strncmp(newfname, cfg.homedir, strlen(cfg.homedir)) != 0) { | ||
982 | fprintf(stderr, "Error: for regular user, tmpfs is available only for files in user home directory\n"); | ||
983 | exit(1); | ||
984 | } | ||
985 | free(newfname); | ||
986 | } | 975 | } |
987 | ptr += 6; | 976 | ptr += 6; |
988 | } | 977 | } |