author | netblue30 <netblue30@yahoo.com> | 2020-04-13 10:07:13 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2020-04-13 10:07:13 -0400 |
commit | 4911e36ca55d1061a47b68e54ba2229d4c2c6c1a (patch) | |
tree | f25c2b8a262168715d77dff1fbfc99ceea7ba198 /src | |
parent | Merge pull request #3347 from aerusso/pulls/documentation-globbing (diff) | |
support mkdir and mkfile for /run/user/<PID> directory (#3346)
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs_mkdir.c | 28 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 14 |
2 files changed, 29 insertions, 13 deletions
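--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -25,6 +25,22 @@
 #include <sys/wait.h>
 #include <string.h>
 
+
+static void check(const char *fname) {
+// manufacture /run/user directory
+char *runuser;
+if (asprintf(&runuser, "/run/user/%d/", getuid()) == -1)
+errExit("asprintf");
+
+if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0 &&
+strncmp(fname, "/tmp", 4) != 0 &&
+strncmp(fname, runuser, strlen(runuser)) != 0) {
+fprintf(stderr, "Error: only files or directories in user home, /tmp, or /run/user/<UID> are supported by mkdir\n");
+exit(1);
+}
+free(runuser);
+}
+
 static void mkdir_recursive(char *path) {
 char *subdir = NULL;
 struct stat s;
@@ -61,11 +77,7 @@ void fs_mkdir(const char *name) {
 // check directory name
 invalid_filename(name, 0); // no globbing
 char *expanded = expand_macros(name);
-if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0 &&
-strncmp(expanded, "/tmp", 4) != 0) {
-fprintf(stderr, "Error: only directories in user home or /tmp are supported by mkdir\n");
-exit(1);
-}
+check(expanded); // will exit if wrong path
 
 struct stat s;
 if (stat(expanded, &s) == 0) {
@@ -101,11 +113,7 @@ void fs_mkfile(const char *name) {
 // check file name
 invalid_filename(name, 0); // no globbing
 char *expanded = expand_macros(name);
-if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0 &&
-strncmp(expanded, "/tmp", 4) != 0) {
-fprintf(stderr, "Error: only files in user home or /tmp are supported by mkfile\n");
-exit(1);
-}
+check(expanded); // will exit if wrong path
 
 struct stat s;
 if (stat(expanded, &s) == 0) {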
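Review bot: The allow-list in the new `check()` compares raw string prefixes, so `strncmp(fname, "/tmp", 4)` and the `cfg.homedir` comparison also accept sibling names such as `/tmpX` or a directory whose name merely begins with the user's home, and a `..` component after any accepted prefix is not rejected in this function; only the new `/run/user/<UID>/` prefix is anchored by its trailing slash. Whether `invalid_filename()` or `expand_macros()` already normalise the path is not visible in these hunks, but since this check decides where files are created before the sandbox starts, it should be self-contained. Anchor every prefix at a path separator and refuse `..` before comparing, as sketched below; the `..` test is deliberately conservative, and the home check assumes `cfg.homedir` has no trailing slash. The error text also says "mkdir" when the caller is `fs_mkfile`.

```c
static void check(const char *fname) {
	// … unchanged: build runuser with asprintf …

	// a ".." component could resolve outside the allowed trees after the prefix matches
	if (strstr(fname, "..")) {
		fprintf(stderr, "Error: invalid file name %s\n", fname);
		exit(1);
	}

	// each allowed prefix must be followed by a path separator (or end the string)
	size_t homelen = strlen(cfg.homedir);
	int in_home = strncmp(fname, cfg.homedir, homelen) == 0 &&
		(fname[homelen] == '/' || fname[homelen] == '\0');
	int in_tmp = strncmp(fname, "/tmp/", 5) == 0;
	int in_runuser = strncmp(fname, runuser, strlen(runuser)) == 0;
	if (!in_home && !in_tmp && !in_runuser) {
		// … unchanged: error message and exit(1) …
	}
	// … unchanged: free(runuser) …
```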
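--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -211,7 +211,7 @@ Disable /mnt, /media, /run/mount and /run/media access.
 /var/tmp directory is untouched.
 .TP
 \fBmkdir directory
-Create a directory in user home or under /tmp before the sandbox is started.
+Create a directory in user home, under /tmp, or under /run/user/<UID> before the sandbox is started.
 The directory is created if it doesn't already exist.
 .br
 
@@ -230,10 +230,18 @@ whitelist ~/.mozilla
 mkdir ~/.cache/mozilla/firefox
 .br
 whitelist ~/.cache/mozilla/firefox
+.br
+
+.br
+For files in /run/user/<PID> use ${RUNUSER} macro:
+.br
+
+.br
+mkdir ${RUNUSER}/firejail-testing
 .TP
 \fBmkfile file
-Similar to mkdir, this command creates a file in user home or under /tmp before the sandbox is started.
-The file is created if it doesn't already exist.
+Similar to mkdir, this command creates an empty file in user home, or /tmp, or under /run/user/<UID>
+before the sandbox is started. The file is created if it doesn't already exist.
 .TP
 \fBnoexec file_or_directory
 Remount the file or the directory noexec, nodev and nosuid.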