author | netblue30 <netblue30@yahoo.com> | 2016-01-24 20:31:52 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-01-24 20:31:52 -0500 |
commit | dfd660f80d8a364dc45b750a1f921adf4f2af450 (patch) | |
tree | 4690f1a4e5f5e4f6b8c94940da3cd67c5cc9ad78 /src | |
parent | testing (diff) | |
0.9.38 testing
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs.c | 10 | ||||
-rw-r--r-- | src/firejail/fs_home.c | 24 | ||||
-rw-r--r-- | src/firejail/main.c | 2 | ||||
-rw-r--r-- | src/firejail/pulseaudio.c | 4 | ||||
-rw-r--r-- | src/firejail/restrict_users.c | 8 | ||||
-rw-r--r-- | src/firejail/shutdown.c | 6 |
6 files changed, 52 insertions, 2 deletions
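--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -136,12 +136,18 @@ void fs_build_cp_command(void) {
 fprintf(stderr, "Error: /bin/cp not found\n");
 exit(1);
 }
+if (is_link(fname)) {
+fprintf(stderr, "Error: invalid /bin/cp file\n");
+exit(1);
+}
 int rv = copy_file(fname, RUN_CP_COMMAND);
 if (rv) {
 fprintf(stderr, "Error: cannot access /bin/cp\n");
 exit(1);
 }
 /* coverity[toctou] */
+if (chown(RUN_CP_COMMAND, 0, 0))
+errExit("chown");
 if (chmod(RUN_CP_COMMAND, 0755))
 errExit("chmod");
 
@@ -921,6 +927,10 @@ void fs_chroot(const char *rootdir) {
 errExit("asprintf");
 if (arg_debug)
 printf("Updating /etc/resolv.conf in %s\n", fname);
+if (is_link(fname)) {
+fprintf(stderr, "Error: invalid %s file\n", fname);
+exit(1);
+}
 if (copy_file("/etc/resolv.conf", fname) == -1)
 fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n");
 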
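Review bot: In the fs_chroot hunk the `is_link(fname)` test and the following `copy_file("/etc/resolv.conf", fname)` are two separate lookups of the same path, so a link put in place between them is still followed; since `fname` is built under the caller-supplied `rootdir`, whoever owns that tree may be able to win that window. The check would hold if it were made on the descriptor that is actually written: have the copy open its destination with `O_NOFOLLOW` (and the source likewise) and `fstat()` the result, rather than testing the path first. copy_file and is_link are defined outside this diff, so whether they already do this is not visible; is_link presumably inspects only the final path component, which would leave a symlinked parent directory uncovered. The same check-then-copy shape appears in store_xauthority and store_asoundrc in fs_home.c, where `src` appears to live in the user's home directory. fs_chroot's body continues outside the hunk.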
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 08141ed03..e42ce5255 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -41,6 +41,10 @@ static void skel(const char *homedir, uid_t u, gid_t g) { | |||
41 | if (stat(fname, &s) == 0) | 41 | if (stat(fname, &s) == 0) |
42 | return; | 42 | return; |
43 | if (stat("/etc/skel/.zshrc", &s) == 0) { | 43 | if (stat("/etc/skel/.zshrc", &s) == 0) { |
44 | if (is_link("/etc/skel/.zshrc")) { | ||
45 | fprintf(stderr, "Error: invalid /etc/skel/.zshrc file\n"); | ||
46 | exit(1); | ||
47 | } | ||
44 | if (copy_file("/etc/skel/.zshrc", fname) == 0) { | 48 | if (copy_file("/etc/skel/.zshrc", fname) == 0) { |
45 | if (chown(fname, u, g) == -1) | 49 | if (chown(fname, u, g) == -1) |
46 | errExit("chown"); | 50 | errExit("chown"); |
@@ -71,6 +75,10 @@ static void skel(const char *homedir, uid_t u, gid_t g) { | |||
71 | if (stat(fname, &s) == 0) | 75 | if (stat(fname, &s) == 0) |
72 | return; | 76 | return; |
73 | if (stat("/etc/skel/.cshrc", &s) == 0) { | 77 | if (stat("/etc/skel/.cshrc", &s) == 0) { |
78 | if (is_link("/etc/skel/.cshrc")) { | ||
79 | fprintf(stderr, "Error: invalid /etc/skel/.cshrc file\n"); | ||
80 | exit(1); | ||
81 | } | ||
74 | if (copy_file("/etc/skel/.cshrc", fname) == 0) { | 82 | if (copy_file("/etc/skel/.cshrc", fname) == 0) { |
75 | if (chown(fname, u, g) == -1) | 83 | if (chown(fname, u, g) == -1) |
76 | errExit("chown"); | 84 | errExit("chown"); |
@@ -102,6 +110,10 @@ static void skel(const char *homedir, uid_t u, gid_t g) { | |||
102 | if (stat(fname, &s) == 0) | 110 | if (stat(fname, &s) == 0) |
103 | return; | 111 | return; |
104 | if (stat("/etc/skel/.bashrc", &s) == 0) { | 112 | if (stat("/etc/skel/.bashrc", &s) == 0) { |
113 | if (is_link("/etc/skel/.bashrc")) { | ||
114 | fprintf(stderr, "Error: invalid /etc/skel/.bashrc file\n"); | ||
115 | exit(1); | ||
116 | } | ||
105 | if (copy_file("/etc/skel/.bashrc", fname) == 0) { | 117 | if (copy_file("/etc/skel/.bashrc", fname) == 0) { |
106 | /* coverity[toctou] */ | 118 | /* coverity[toctou] */ |
107 | if (chown(fname, u, g) == -1) | 119 | if (chown(fname, u, g) == -1) |
@@ -123,7 +135,12 @@ static int store_xauthority(void) { | |||
123 | errExit("asprintf"); | 135 | errExit("asprintf"); |
124 | 136 | ||
125 | struct stat s; | 137 | struct stat s; |
126 | if (stat(src, &s) == 0) { | 138 | if (stat(src, &s) == 0) { |
139 | if (is_link(src)) { | ||
140 | fprintf(stderr, "Error: invalid .Xauthority file\n"); | ||
141 | exit(1); | ||
142 | } | ||
143 | |||
127 | int rv = copy_file(src, dest); | 144 | int rv = copy_file(src, dest); |
128 | if (rv) { | 145 | if (rv) { |
129 | fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n"); | 146 | fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n"); |
@@ -146,6 +163,11 @@ static int store_asoundrc(void) { | |||
146 | 163 | ||
147 | struct stat s; | 164 | struct stat s; |
148 | if (stat(src, &s) == 0) { | 165 | if (stat(src, &s) == 0) { |
166 | if (is_link(src)) { | ||
167 | fprintf(stderr, "Error: invalid .asoundrc file\n"); | ||
168 | exit(1); | ||
169 | } | ||
170 | |||
149 | int rv = copy_file(src, dest); | 171 | int rv = copy_file(src, dest); |
150 | if (rv) { | 172 | if (rv) { |
151 | fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n"); | 173 | fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n"); |
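Review bot: The two fatal messages added in store_xauthority and store_asoundrc say only "invalid .Xauthority file" and "invalid .asoundrc file", without the path or the reason, so a user whose dotfile is a symlink gets an exit with nothing to act on. Printing the checked path and the cause, e.g. `fprintf(stderr, "Error: %s is a symbolic link\n", src);`, would match the skel() hunks, which at least name the full path. Both functions begin and end outside the hunks, so how `src` is built is not visible here.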
diff --git a/src/firejail/main.c b/src/firejail/main.c index 7afbf9ce3..014ea8cae 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -300,7 +300,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
300 | if (read_pid(argv[i] + 12, &pid) == 0) | 300 | if (read_pid(argv[i] + 12, &pid) == 0) |
301 | bandwidth_pid(pid, cmd, dev, down, up); | 301 | bandwidth_pid(pid, cmd, dev, down, up); |
302 | else | 302 | else |
303 | bandwidth_name(argv[i] + 12, cmd, dev, down, up); | 303 | bandwidth_name(argv[i] + 12, cmd, dev, down, up); |
304 | exit(0); | 304 | exit(0); |
305 | } | 305 | } |
306 | 306 | ||
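--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -104,6 +104,10 @@ void pulseaudio_init(void) {
 char *pulsecfg = NULL;
 if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1)
 errExit("asprintf");
+if (is_link("/etc/pulse/client.conf")) {
+fprintf(stderr, "Error: invalid /etc/pulse/client.conf file\n");
+exit(1);
+}
 if (copy_file("/etc/pulse/client.conf", pulsecfg))
 errExit("copy_file");
 FILE *fp = fopen(pulsecfg, "a+");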
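--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -115,6 +115,10 @@ static void sanitize_passwd(void) {
 return;
 if (arg_debug)
 printf("Sanitizing /etc/passwd\n");
+if (is_link("/etc/passwd")) {
+fprintf(stderr, "Error: invalid /etc/passwd\n");
+exit(1);
+}
 
 FILE *fpin = NULL;
 FILE *fpout = NULL;
@@ -248,6 +252,10 @@ static void sanitize_group(void) {
 return;
 if (arg_debug)
 printf("Sanitizing /etc/group\n");
+if (is_link("/etc/group")) {
+fprintf(stderr, "Error: invalid /etc/group\n");
+exit(1);
+}
 
 FILE *fpin = NULL;
 FILE *fpout = NULL;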
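--- a/src/firejail/shutdown.c
+++ b/src/firejail/shutdown.c
@@ -54,8 +54,14 @@ void shut(pid_t pid) {
 printf("Switching to pid %u, the first child process inside the sandbox\n", (unsigned) pid);
 }
 }
+else {
+fprintf(stderr, "Error: this is not a firejail sandbox\n");
+exit(1);
+}
 free(comm);
 }
+else
+errExit("/proc/PID/comm");
 
 // check privileges for non-root users
 uid_t uid = getuid();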
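Review bot: The added `else` branches turn the `/proc/PID/comm` lookup into a hard gate, and a comment should state that it is only a sanity check: a process can set its own comm name, so a match does not prove the pid is a firejail sandbox, and the uid check that follows has to carry the access decision. I would add above the first new branch `// comm is self-assigned by the process; this only rejects obvious mistakes, the uid check below is the real gate`. The comparison on comm and the condition the second `else` pairs with are above the hunk, so this reading is inferred from the messages. `errExit("/proc/PID/comm")` also prints the literal text PID; including the actual pid in that message would make the failure traceable.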