author | smitsohu <smitsohu@gmail.com> | 2020-04-21 01:31:51 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2020-04-21 01:31:51 +0200 |
commit | 49cceecbf06eb0a3fad38b1fbbb3a3968e1c99f5 (patch) | |
tree | 503802c551300da8fe564ce6e9deb14f76c7f7b3 /src | |
parent | relaxing symlink restrictions (diff) | |
resolve conflict between private and allusers options - #3185
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs_home.c | 65 |
1 files changed, 31 insertions, 34 deletions
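--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -352,20 +352,6 @@ void fs_private(void) {
 int xflag = store_xauthority();
 int aflag = store_asoundrc();
 
-// mask /home
-if (u == 0 && arg_allusers) // allow --allusers when starting the sandbox as root
-;
-else {
-if (arg_debug)
-printf("Mounting a new /home directory\n");
-if (arg_allusers)
-fwarning("allusers option disabled by private or whitelist option\n");
-if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=755,gid=0") < 0)
-errExit("mounting /home directory");
-selinux_relabel_path("/home", "/home");
-fs_logger("tmpfs /home");
-}
-
 // mask /root
 if (arg_debug)
 printf("Mounting a new /root directory\n");
@@ -373,28 +359,39 @@ void fs_private(void) {
 errExit("mounting /root directory");
 fs_logger("tmpfs /root");
 
-if (u != 0) {
-if (strncmp(homedir, "/home/", 6) == 0) {
-// create /home/user
-if (arg_debug)
-printf("Create a new user directory\n");
-if (mkdir(homedir, S_IRWXU) == -1) {
-if (mkpath_as_root(homedir) == -1)
-errExit("mkpath");
-if (mkdir(homedir, S_IRWXU) == -1 && errno != EEXIST)
-errExit("mkdir");
-}
-if (chown(homedir, u, g) < 0)
-errExit("chown");
-selinux_relabel_path(homedir, homedir);
+if (arg_allusers) {
+if (u != 0)
+fs_tmpfs(homedir, 1); // check if directory is owned by the current user
+}
+else { // mask /home
+if (arg_debug)
+printf("Mounting a new /home directory\n");
+if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=755,gid=0") < 0)
+errExit("mounting /home directory");
+selinux_relabel_path("/home", "/home");
+fs_logger("tmpfs /home");
 
-fs_logger2("mkdir", homedir);
-fs_logger2("tmpfs", homedir);
+if (u != 0) {
+if (strncmp(homedir, "/home/", 6) == 0) {
+// create /home/user
+if (arg_debug)
+printf("Create a new user directory\n");
+if (mkdir(homedir, S_IRWXU) == -1) {
+if (mkpath_as_root(homedir) == -1)
+errExit("mkpath");
+if (mkdir(homedir, S_IRWXU) == -1 && errno != EEXIST)
+errExit("mkdir");
+}
+if (chown(homedir, u, g) < 0)
+errExit("chown");
+
+selinux_relabel_path(homedir, homedir);
+fs_logger2("mkdir", homedir);
+fs_logger2("tmpfs", homedir);
+}
+else
+fs_tmpfs(homedir, 1); // check if directory is owned by the current user
 }
-else
-// user directory is outside /home, mask it as well
-// check if directory is owned by the current user
-fs_tmpfs(homedir, 1);
 }
 
 skel(homedir, u, g);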
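Review bot: The new `if (arg_allusers)` branch in the second hunk leaves /home unmasked for a non-root caller and only calls `fs_tmpfs(homedir, 1)`, so with both options set the other users' home directories stay visible inside the sandbox, yet the branch has no comment and no debug output saying so. The removed code instead warned (`allusers option disabled by private or whitelist option`) and masked /home, so this narrows what the private option hides and should be stated where it happens, e.g. `// --allusers: /home stays visible, only the caller's own home directory is replaced by a tmpfs`, together with an `arg_debug` message like the one the else branch prints. For `u == 0` the branch does nothing at all, which presumably relies on the /root mount just above covering root's home; a one-line comment would make that assumption explicit. fs_private() starts and ends outside these hunks, so how `homedir` is validated before this point cannot be checked from here.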