author | smitsohu <smitsohu@gmail.com> | 2021-03-14 01:44:15 +0100 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2021-03-14 01:46:39 +0100 |
commit | 8e36b250be87422bf3ea01628c09da14c71b1686 (patch) | |
tree | 666fabb36540ba4978192e3668b64f9481b3bdda /src | |
parent | selinux relabeling fixes (diff) | |
simplify initial /home and /run/user cleaning
mount without stash locations, only using the file descriptors
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/restrict_users.c | 63 | ||||
-rw-r--r-- | src/include/rundefs.h | 2 |
2 files changed, 24 insertions, 41 deletions
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index f86f39397..a0ca4c02c 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c | |||
@@ -72,7 +72,7 @@ static void sanitize_home(void) { | |||
72 | 72 | ||
73 | if (arg_debug) | 73 | if (arg_debug) |
74 | printf("Cleaning /home directory\n"); | 74 | printf("Cleaning /home directory\n"); |
75 | // keep a copy of the user home directory | 75 | // open user home directory in order to keep it around |
76 | int fd = safe_fd(cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); | 76 | int fd = safe_fd(cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); |
77 | if (fd == -1) | 77 | if (fd == -1) |
78 | goto errout; | 78 | goto errout; |
@@ -82,25 +82,16 @@ static void sanitize_home(void) { | |||
82 | close(fd); | 82 | close(fd); |
83 | goto errout; | 83 | goto errout; |
84 | } | 84 | } |
85 | char *proc; | ||
86 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | ||
87 | errExit("asprintf"); | ||
88 | if (mkdir(RUN_WHITELIST_HOME_DIR, 0755) == -1) | ||
89 | errExit("mkdir"); | ||
90 | if (mount(proc, RUN_WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
91 | errExit("mount bind"); | ||
92 | free(proc); | ||
93 | close(fd); | ||
94 | 85 | ||
95 | // mount tmpfs in the new home | 86 | // mount tmpfs on /home |
96 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) | 87 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) |
97 | errExit("mount tmpfs"); | 88 | errExit("mount tmpfs"); |
98 | selinux_relabel_path("/home", "/home"); | 89 | selinux_relabel_path("/home", "/home"); |
99 | fs_logger("tmpfs /home"); | 90 | fs_logger("tmpfs /home"); |
100 | 91 | ||
101 | // create user home directory | 92 | // create new user home directory |
102 | if (mkdir(cfg.homedir, 0755) == -1) { | 93 | if (mkdir(cfg.homedir, 0755) == -1) { |
103 | if (mkpath_as_root(cfg.homedir)) | 94 | if (mkpath_as_root(cfg.homedir) == -1) |
104 | errExit("mkpath"); | 95 | errExit("mkpath"); |
105 | if (mkdir(cfg.homedir, 0755) == -1) | 96 | if (mkdir(cfg.homedir, 0755) == -1) |
106 | errExit("mkdir"); | 97 | errExit("mkdir"); |
@@ -112,17 +103,17 @@ static void sanitize_home(void) { | |||
112 | errExit("set_perms"); | 103 | errExit("set_perms"); |
113 | selinux_relabel_path(cfg.homedir, cfg.homedir); | 104 | selinux_relabel_path(cfg.homedir, cfg.homedir); |
114 | 105 | ||
115 | // mount user home directory | 106 | // bring back real user home directory |
116 | if (mount(RUN_WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0) | 107 | char *proc; |
108 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | ||
109 | errExit("asprintf"); | ||
110 | if (mount(proc, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
117 | errExit("mount bind"); | 111 | errExit("mount bind"); |
112 | free(proc); | ||
113 | close(fd); | ||
118 | 114 | ||
119 | // mask home dir under /run | ||
120 | if (mount("tmpfs", RUN_WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) | ||
121 | errExit("mount tmpfs"); | ||
122 | fs_logger2("tmpfs", RUN_WHITELIST_HOME_DIR); | ||
123 | if (!arg_private) | 115 | if (!arg_private) |
124 | fs_logger2("whitelist", cfg.homedir); | 116 | fs_logger2("whitelist", cfg.homedir); |
125 | |||
126 | return; | 117 | return; |
127 | 118 | ||
128 | errout: | 119 | errout: |
@@ -137,22 +128,15 @@ static void sanitize_run(void) { | |||
137 | if (asprintf(&runuser, "/run/user/%u", getuid()) == -1) | 128 | if (asprintf(&runuser, "/run/user/%u", getuid()) == -1) |
138 | errExit("asprintf"); | 129 | errExit("asprintf"); |
139 | 130 | ||
140 | struct stat s; | 131 | // open /run/user/$UID directory in order to keep it around |
141 | if (stat(runuser, &s) == -1) { | 132 | int fd = open(runuser, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); |
142 | // cannot find /user/run/$UID directory, just return | 133 | if (fd == -1) { |
143 | if (arg_debug) | 134 | if (arg_debug) |
144 | printf("Cannot find %s directory\n", runuser); | 135 | printf("Cannot open %s directory\n", runuser); |
145 | free(runuser); | 136 | free(runuser); |
146 | return; | 137 | return; |
147 | } | 138 | } |
148 | 139 | ||
149 | if (mkdir(RUN_WHITELIST_RUN_DIR, 0755) == -1) | ||
150 | errExit("mkdir"); | ||
151 | |||
152 | // keep a copy of the /run/user/$UID directory | ||
153 | if (mount(runuser, RUN_WHITELIST_RUN_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
154 | errExit("mount bind"); | ||
155 | |||
156 | // mount tmpfs on /run/user | 140 | // mount tmpfs on /run/user |
157 | if (mount("tmpfs", "/run/user", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) | 141 | if (mount("tmpfs", "/run/user", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) |
158 | errExit("mount tmpfs"); | 142 | errExit("mount tmpfs"); |
@@ -162,22 +146,23 @@ static void sanitize_run(void) { | |||
162 | // create new user directory | 146 | // create new user directory |
163 | if (mkdir(runuser, 0700) == -1) | 147 | if (mkdir(runuser, 0700) == -1) |
164 | errExit("mkdir"); | 148 | errExit("mkdir"); |
165 | selinux_relabel_path(runuser, runuser); | ||
166 | fs_logger2("mkdir", runuser); | 149 | fs_logger2("mkdir", runuser); |
167 | 150 | ||
168 | // set mode and ownership | 151 | // set mode and ownership |
169 | if (set_perms(runuser, getuid(), getgid(), 0700)) | 152 | if (set_perms(runuser, getuid(), getgid(), 0700)) |
170 | errExit("set_perms"); | 153 | errExit("set_perms"); |
154 | selinux_relabel_path(runuser, runuser); | ||
171 | 155 | ||
172 | // mount /run/user/$UID directory | 156 | // bring back real run/user/$UID directory |
173 | if (mount(RUN_WHITELIST_RUN_DIR, runuser, NULL, MS_BIND|MS_REC, NULL) < 0) | 157 | char *proc; |
158 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | ||
159 | errExit("asprintf"); | ||
160 | if (mount(proc, runuser, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
174 | errExit("mount bind"); | 161 | errExit("mount bind"); |
162 | free(proc); | ||
163 | close(fd); | ||
175 | 164 | ||
176 | // mask mirrored /run/user/$UID directory | 165 | fs_logger2("whitelist", runuser); |
177 | if (mount("tmpfs", RUN_WHITELIST_RUN_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) | ||
178 | errExit("mount tmpfs"); | ||
179 | fs_logger2("tmpfs", RUN_WHITELIST_RUN_DIR); | ||
180 | |||
181 | free(runuser); | 166 | free(runuser); |
182 | } | 167 | } |
183 | 168 | ||
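Review bot: The two directories that survive the tmpfs mounts are opened with different guarantees: sanitize_home (line 76) obtains its O_PATH descriptor through safe_fd(), while the new sanitize_run code at lines 131-132 uses a plain `open(runuser, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC)`. O_NOFOLLOW only governs the last path component, so if safe_fd() exists to walk the intermediate components without following symlinks (I cannot see its body from here), /run/user/$UID is now preserved with weaker checks than $HOME; `int fd = safe_fd(runuser, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);` would keep both paths on the same footing, and /proc availability is now a requirement for sanitize_run as well, since the bind source is `/proc/self/fd/%d`. The asprintf/mount/free/close sequence at new lines 107-113 and 157-163 is identical and would be better as one static helper, e.g. `static void bind_mount_fd(int fd, const char *target)`, so the two call sites cannot drift apart. Separately, line 94 now tests `mkpath_as_root(cfg.homedir) == -1` where the old code tested any non-zero return; confirm that -1 is the only failure value that function reports, otherwise other error returns fall through to the second mkdir. Both sanitize_home and sanitize_run begin before their first hunk, and sanitize_home's errout label continues past its last one.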
diff --git a/src/include/rundefs.h b/src/include/rundefs.h index 5749c66e4..d14f6782f 100644 --- a/src/include/rundefs.h +++ b/src/include/rundefs.h | |||
@@ -84,8 +84,6 @@ | |||
84 | #define RUN_DEVLOG_FILE RUN_MNT_DIR "/devlog" | 84 | #define RUN_DEVLOG_FILE RUN_MNT_DIR "/devlog" |
85 | 85 | ||
86 | #define RUN_WHITELIST_X11_DIR RUN_MNT_DIR "/orig-x11" | 86 | #define RUN_WHITELIST_X11_DIR RUN_MNT_DIR "/orig-x11" |
87 | #define RUN_WHITELIST_HOME_DIR RUN_MNT_DIR "/orig-home" // default home directory masking | ||
88 | #define RUN_WHITELIST_RUN_DIR RUN_MNT_DIR "/orig-run" // default run directory masking | ||
89 | #define RUN_WHITELIST_HOME_USER_DIR RUN_MNT_DIR "/orig-home-user" // home directory whitelisting | 87 | #define RUN_WHITELIST_HOME_USER_DIR RUN_MNT_DIR "/orig-home-user" // home directory whitelisting |
90 | #define RUN_WHITELIST_RUN_USER_DIR RUN_MNT_DIR "/orig-run-user" // run directory whitelisting | 88 | #define RUN_WHITELIST_RUN_USER_DIR RUN_MNT_DIR "/orig-run-user" // run directory whitelisting |
91 | #define RUN_WHITELIST_TMP_DIR RUN_MNT_DIR "/orig-tmp" | 89 | #define RUN_WHITELIST_TMP_DIR RUN_MNT_DIR "/orig-tmp" |