author | smitsohu <smitsohu@gmail.com> | 2022-07-12 11:54:15 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2022-07-12 11:54:15 +0200 |
commit | 5a991622e2f9a4fb587926d96a5ca41f29d67139 (patch) | |
tree | da97ad164034385f3b1935ebb48fb0b0bd75eb5d /src | |
parent | minor sandbox lock improvements (diff) | |
always assert runfile mode and ownership
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/preproc.c | 74 |
1 files changed, 15 insertions, 59 deletions
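--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -27,74 +27,30 @@ static int tmpfs_mounted = 0;
 
 // build /run/firejail directory
 void preproc_build_firejail_dir(void) {
-struct stat s;
-
 // CentOS 6 doesn't have /run directory
-if (stat(RUN_FIREJAIL_BASEDIR, &s)) {
-create_empty_dir_as_root(RUN_FIREJAIL_BASEDIR, 0755);
-}
-
-if (stat(RUN_FIREJAIL_DIR, &s)) {
-create_empty_dir_as_root(RUN_FIREJAIL_DIR, 0755);
-}
+create_empty_dir_as_root(RUN_FIREJAIL_BASEDIR, 0755);
+create_empty_dir_as_root(RUN_FIREJAIL_DIR, 0755);
+create_empty_dir_as_root(RUN_FIREJAIL_NETWORK_DIR, 0755);
+create_empty_dir_as_root(RUN_FIREJAIL_BANDWIDTH_DIR, 0755);
+create_empty_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755);
+create_empty_dir_as_root(RUN_FIREJAIL_PROFILE_DIR, 0755);
+create_empty_dir_as_root(RUN_FIREJAIL_X11_DIR, 0755);
+create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);
+create_empty_dir_as_root(RUN_FIREJAIL_LIB_DIR, 0755);
+create_empty_dir_as_root(RUN_MNT_DIR, 0755);
 
 // restricted search permission
 // only root should be able to lock files in this directory
-if (stat(RUN_FIREJAIL_SANDBOX_DIR, &s)) {
-create_empty_dir_as_root(RUN_FIREJAIL_SANDBOX_DIR, 0700);
-}
-
-if (stat(RUN_FIREJAIL_NETWORK_DIR, &s)) {
-create_empty_dir_as_root(RUN_FIREJAIL_NETWORK_DIR, 0755);
-}
+create_empty_dir_as_root(RUN_FIREJAIL_SANDBOX_DIR, 0700);
 
-if (stat(RUN_FIREJAIL_BANDWIDTH_DIR, &s)) {
-create_empty_dir_as_root(RUN_FIREJAIL_BANDWIDTH_DIR, 0755);
-}
-
-if (stat(RUN_FIREJAIL_NAME_DIR, &s)) {
-create_empty_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755);
-}
-
-if (stat(RUN_FIREJAIL_PROFILE_DIR, &s)) {
-create_empty_dir_as_root(RUN_FIREJAIL_PROFILE_DIR, 0755);
-}
-
-if (stat(RUN_FIREJAIL_X11_DIR, &s)) {
-create_empty_dir_as_root(RUN_FIREJAIL_X11_DIR, 0755);
-}
+create_empty_dir_as_root(RUN_FIREJAIL_DBUS_DIR, 0755);
+fs_remount(RUN_FIREJAIL_DBUS_DIR, MOUNT_NOEXEC, 0);
 
-if (stat(RUN_FIREJAIL_DBUS_DIR, &s)) {
-create_empty_dir_as_root(RUN_FIREJAIL_DBUS_DIR, 0755);
-if (arg_debug)
-printf("Remounting the " RUN_FIREJAIL_DBUS_DIR
-" directory as noexec\n");
-if (mount(RUN_FIREJAIL_DBUS_DIR, RUN_FIREJAIL_DBUS_DIR, NULL,
-MS_BIND, NULL) == -1)
-errExit("mounting " RUN_FIREJAIL_DBUS_DIR);
-if (mount(NULL, RUN_FIREJAIL_DBUS_DIR, NULL,
-MS_REMOUNT | MS_BIND | MS_NOSUID | MS_NOEXEC | MS_NODEV,
-"mode=755,gid=0") == -1)
-errExit("remounting " RUN_FIREJAIL_DBUS_DIR);
-}
-
-if (stat(RUN_FIREJAIL_APPIMAGE_DIR, &s)) {
-create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);
-}
-
-if (stat(RUN_FIREJAIL_LIB_DIR, &s)) {
-create_empty_dir_as_root(RUN_FIREJAIL_LIB_DIR, 0755);
-}
-
-if (stat(RUN_MNT_DIR, &s)) {
-create_empty_dir_as_root(RUN_MNT_DIR, 0755);
-}
+create_empty_dir_as_root(RUN_RO_DIR, S_IRUSR);
+fs_remount(RUN_RO_DIR, MOUNT_READONLY, 0);
 
 create_empty_file_as_root(RUN_RO_FILE, S_IRUSR);
 fs_remount(RUN_RO_FILE, MOUNT_READONLY, 0);
-
-create_empty_dir_as_root(RUN_RO_DIR, S_IRUSR);
-fs_remount(RUN_RO_DIR, MOUNT_READONLY, 0);
 }
 
 // build /run/firejail/mnt directory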
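Review bot: The new `fs_remount(RUN_FIREJAIL_DBUS_DIR, MOUNT_NOEXEC, 0);` (new line 47) no longer spells out the `MS_NOSUID | MS_NOEXEC | MS_NODEV` set that the removed mount() call passed, and fs_remount is defined outside this hunk, so it should be confirmed that MOUNT_NOEXEC still leaves the D-Bus directory nosuid and nodev as well as noexec. The call now also runs on every invocation rather than only when the directory was first created, so the helper has to be a no-op on an already-remounted path rather than stacking another bind mount each time. The `// CentOS 6 doesn't have /run directory` comment explained the removed stat() guard and is now stale; I would replace it with `// (re)assert root ownership and mode on every run, even if the path already exists`, provided create_empty_dir_as_root does enforce both on an existing directory, which this hunk does not show.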