diff options
author | smitsohu <smitsohu@gmail.com> | 2022-12-24 03:00:22 +0100 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2022-12-24 03:00:22 +0100 |
commit | ddc76329b5bcf24616e57e9fafa5b15f140909e0 (patch) | |
tree | 76fac17df578b71a99c6321694190930dbe6d2a3 /src | |
parent | add netlock support in profile files (diff) | |
download | firejail-ddc76329b5bcf24616e57e9fafa5b15f140909e0.tar.gz firejail-ddc76329b5bcf24616e57e9fafa5b15f140909e0.tar.zst firejail-ddc76329b5bcf24616e57e9fafa5b15f140909e0.zip |
chroot: make search permission check explicit
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/chroot.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c index 6f484e59a..72322221c 100644 --- a/src/firejail/chroot.c +++ b/src/firejail/chroot.c | |||
@@ -119,6 +119,11 @@ void fs_chroot(const char *rootdir) { | |||
119 | int parentfd = safer_openat(-1, rootdir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); | 119 | int parentfd = safer_openat(-1, rootdir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); |
120 | if (parentfd == -1) | 120 | if (parentfd == -1) |
121 | errExit("safer_openat"); | 121 | errExit("safer_openat"); |
122 | |||
123 | if (faccessat(parentfd, ".", X_OK, 0) != 0) { | ||
124 | fprintf(stderr, "Error: no search permission on chroot directory\n"); | ||
125 | exit(1); | ||
126 | } | ||
122 | // rootdir has to be owned by root and is not allowed to be generally writable, | 127 | // rootdir has to be owned by root and is not allowed to be generally writable, |
123 | // this also excludes /tmp and friends | 128 | // this also excludes /tmp and friends |
124 | struct stat s; | 129 | struct stat s; |