author | smitsohu <smitsohu@gmail.com> | 2019-11-14 16:19:00 +0100 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2019-11-14 16:19:00 +0100 |
commit | acbf707889ae241bfd476f5371df4599103b6606 (patch) | |
tree | 8c37c5547d55b00a56b3fafb256ebbd4acacae82 /src | |
parent | simplify private option ownership checks and make them more consistent (diff) | |
blacklist private-home runtime directory
as far as possible avoid creating locations in the file system
that are both writable and executable
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs.c | 2 | ||||
-rw-r--r-- | src/firejail/fs_home.c | 19 |
2 files changed, 14 insertions, 7 deletions
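--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -447,7 +447,7 @@ void fs_tmpfs(const char *dir, unsigned check_owner) {
 // get a file descriptor for dir, fails if there is any symlink
 int fd = safe_fd(dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
 if (fd == -1)
-errExit("safe_fd");
+errExit("while opening directory");
 struct stat s;
 if (fstat(fd, &s) == -1)
 errExit("fstat");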
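--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -312,7 +312,7 @@ void fs_private_homedir(void) {
 if (arg_debug)
 printf("Mounting a new /root directory\n");
 if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=700,gid=0") < 0)
-errExit("mounting home directory");
+errExit("mounting /root directory");
 fs_logger("tmpfs /root");
 }
 if (u == 0 || strncmp(homedir, "/home/", 6) != 0) {
@@ -320,7 +320,7 @@ void fs_private_homedir(void) {
 if (arg_debug)
 printf("Mounting a new /home directory\n");
 if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=755,gid=0") < 0)
-errExit("mounting home directory");
+errExit("mounting /home directory");
 fs_logger("tmpfs /home");
 }
 
@@ -354,7 +354,7 @@ void fs_private(void) {
 if (arg_allusers)
 fwarning("allusers option disabled by private or whitelist option\n");
 if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=755,gid=0") < 0)
-errExit("mounting home directory");
+errExit("mounting /home directory");
 fs_logger("tmpfs /home");
 }
 
@@ -362,7 +362,7 @@ void fs_private(void) {
 if (arg_debug)
 printf("Mounting a new /root directory\n");
 if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=700,gid=0") < 0)
-errExit("mounting root directory");
+errExit("mounting /root directory");
 fs_logger("tmpfs /root");
 
 if (u != 0) {
@@ -593,19 +593,26 @@ void fs_private_home_list(void) {
 errLogExit("invalid private-home mount");
 fs_logger2("tmpfs", homedir);
 
+// blacklist RUN_HOME_DIR, it is writable and not noexec
+if (mount(RUN_RO_DIR, RUN_HOME_DIR, NULL, MS_BIND, NULL) < 0)
+errExit("blacklisting " RUN_HOME_DIR);
+fs_logger2("tmpfs", RUN_HOME_DIR);
+
 if (uid != 0) {
 // mask /root
 if (arg_debug)
 printf("Mounting a new /root directory\n");
 if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=700,gid=0") < 0)
-errExit("mounting home directory");
+errExit("mounting /root directory");
+fs_logger("tmpfs /root");
 }
 if (uid == 0 || strncmp(homedir, "/home/", 6) != 0) {
 // mask /home
 if (arg_debug)
 printf("Mounting a new /home directory\n");
 if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0)
-errExit("mounting home directory");
+errExit("mounting /home directory");
+fs_logger("tmpfs /home");
 }
 
 skel(homedir, uid, gid);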
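Review bot: The /root and /home tmpfs masks in fs_private_home_list (new lines 605 and 613) still omit MS_NOEXEC, so after this commit they remain writable-and-executable mounts, which is exactly what the commit message sets out to avoid; the equivalent mounts in fs_private_homedir (lines 314, 322) and fs_private (lines 356, 364) all include it. Unless the difference is deliberate, the two lines should become `if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=700,gid=0") < 0)` and `if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=755,gid=0") < 0)`; if it is deliberate, a comment stating why these masks must stay executable would save the next reader the same question. Separately, the new `fs_logger2("tmpfs", RUN_HOME_DIR)` on line 599 records a read-only bind mount under a "tmpfs" label; if the first argument is meant to name the kind of mount, a label that says it is a blacklist bind would be more accurate — confirm what other fs_logger2 callers pass. fs_private_home_list begins and ends outside this hunk.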