author | netblue30 <netblue30@yahoo.com> | 2016-11-13 10:47:20 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-11-13 10:47:20 -0500 |
commit | 63e16bfcd9f79c63f3801f51df4840f74fa6f41b (patch) | |
tree | fa62784ad7ff5becbb4856ed84264cb5d4de8828 /src | |
parent | set_perms cleanup (diff) | |
major cleanup and testing
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/appimage.c | 8 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs.c | 101 | ||||
-rw-r--r-- | src/firejail/fs_bin.c | 6 | ||||
-rw-r--r-- | src/firejail/fs_dev.c | 32 | ||||
-rw-r--r-- | src/firejail/fs_etc.c | 6 | ||||
-rw-r--r-- | src/firejail/fs_var.c | 23 | ||||
-rw-r--r-- | src/firejail/join.c | 14 | ||||
-rw-r--r-- | src/firejail/util.c | 36 |
9 files changed, 80 insertions, 147 deletions
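--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -94,14 +94,8 @@ void appimage_set(const char *appimage_path) {
 if (asprintf(&mntdir, "%s/.appimage-%u", RUN_FIREJAIL_APPIMAGE_DIR, getpid()) == -1)
 errExit("asprintf");
 EUID_ROOT();
-if (mkdir(mntdir, 0700) == -1) {
-fprintf(stderr, "Error: cannot create appimage mount point\n");
-exit(1);
-}
-if (set_perms(mntdir, getuid(), getgid(), 0700))
-errExit("set_perms");
+mkdir_attr(mntdir, 0700, getuid(), getgid());
 EUID_USER();
-ASSERT_PERMS(mntdir, getuid(), getgid(), 0700);
 
 // mount
 char *mode;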
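--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -461,6 +461,7 @@ void flush_stdin(void);
 void create_empty_dir_as_root(const char *dir, mode_t mode);
 void create_empty_file_as_root(const char *dir, mode_t mode);
 int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode);
+void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid);
 
 // fs_var.c
 void fs_var_log(void); // mounting /var/log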
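Review bot: The new prototype takes `(fname, mode, uid, gid)` while `set_perms` on the line above takes `(fname, uid, gid, mode)`, and since uid_t, gid_t and mode_t are all integer types a call with the arguments in the other order compiles without a diagnostic. Either match the existing order or document it at the declaration, for example `// create a directory, then set its mode and owner (order: mode, uid, gid); exits on error`. Most callers in this commit pass `0, 0` for the owner, which makes a misplaced mode argument harder to spot in review.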
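--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -247,21 +247,13 @@ void fs_blacklist(void) {
 
 // process bind command
 if (strncmp(entry->data, "bind ", 5) == 0) {
+struct stat s;
 char *dname1 = entry->data + 5;
 char *dname2 = split_comma(dname1);
-if (dname2 == NULL) {
-fprintf(stderr, "Error: second directory missing in bind command\n");
-entry = entry->next;
-continue;
-}
-struct stat s;
-if (stat(dname1, &s) == -1) {
-fprintf(stderr, "Error: cannot find %s for bind command\n", dname1);
-entry = entry->next;
-continue;
-}
-if (stat(dname2, &s) == -1) {
-fprintf(stderr, "Error: cannot find %s for bind command\n", dname2);
+if (dname2 == NULL ||
+stat(dname1, &s) == -1 ||
+stat(dname2, &s) == -1) {
+fprintf(stderr, "Error: invalid bind command, directory missing\n");
 entry = entry->next;
 continue;
 }
@@ -410,10 +402,9 @@ void fs_rdonly(const char *dir) {
 int rv = stat(dir, &s);
 if (rv == 0) {
 // mount --bind /bin /bin
-if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0)
-errExit("mount read-only");
 // mount --bind -o remount,ro /bin
-if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL) < 0)
+if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 ||
+mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL) < 0)
 errExit("mount read-only");
 fs_logger2("read-only", dir);
 }
@@ -428,15 +419,15 @@ static void fs_rdwr(const char *dir) {
 // if the file is outside /home directory, allow only root user
 uid_t u = getuid();
 if (u != 0 && s.st_uid != u) {
-fprintf(stderr, "Warning: you are not allowed to change %s to read-write\n", dir);
+if (!arg_quiet)
+fprintf(stderr, "Warning: you are not allowed to change %s to read-write\n", dir);
 return;
 }
 
 // mount --bind /bin /bin
-if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0)
-errExit("mount read-write");
 // mount --bind -o remount,rw /bin
-if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0)
+if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 ||
+mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0)
 errExit("mount read-write");
 fs_logger2("read-write", dir);
 }
@@ -449,37 +440,16 @@ void fs_noexec(const char *dir) {
 int rv = stat(dir, &s);
 if (rv == 0) {
 // mount --bind /bin /bin
-if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0)
-errExit("mount noexec");
 // mount --bind -o remount,ro /bin
-if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_NOEXEC|MS_NODEV|MS_NOSUID|MS_REC, NULL) < 0)
-errExit("mount read-only");
+if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 ||
+mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_NOEXEC|MS_NODEV|MS_NOSUID|MS_REC, NULL) < 0)
+errExit("mount noexec");
 fs_logger2("noexec", dir);
 }
 }
 
 
 
-void fs_rdonly_noexit(const char *dir) {
-assert(dir);
-// check directory exists
-struct stat s;
-int rv = stat(dir, &s);
-if (rv == 0) {
-int merr = 0;
-// mount --bind /bin /bin
-if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0)
-merr = 1;
-// mount --bind -o remount,ro /bin
-if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL) < 0)
-merr = 1;
-if (merr)
-fprintf(stderr, "Warning: cannot mount %s read-only\n", dir);
-else
-fs_logger2("read-only", dir);
-}
-}
-
 // mount /proc and /sys directories
 void fs_proc_sys_dev_boot(void) {
 if (arg_debug)
@@ -489,10 +459,8 @@ void fs_proc_sys_dev_boot(void) {
 fs_logger("remount /proc");
 
 // remount /proc/sys readonly
-if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0)
-errExit("mounting /proc/sys");
-
-if (mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_REC, NULL) < 0)
+if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0 ||
+mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_REC, NULL) < 0)
 errExit("mounting /proc/sys");
 fs_logger("read-only /proc/sys");
 
@@ -646,12 +614,7 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
 if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
 errExit("asprintf");
 if (stat(dirname, &s) == -1) {
-/* coverity[toctou] */
-if (mkdir(dirname, 0700))
-errExit("mkdir");
-if (chmod(dirname, 0700) == -1)
-errExit("chmod");
-ASSERT_PERMS(dirname, getuid(), getgid(), 0700);
+mkdir_attr(dirname, 0700, 0, 0);
 }
 else if (is_link(dirname)) {
 fprintf(stderr, "Error: invalid ~/.firejail directory\n");
@@ -733,11 +696,7 @@ void fs_overlayfs(void) {
 char *oroot;
 if(asprintf(&oroot, "%s/oroot", RUN_MNT_DIR) == -1)
 errExit("asprintf");
-if (mkdir(oroot, 0755))
-errExit("mkdir");
-if (chmod(oroot, 0755) == -1)
-errExit("chmod");
-ASSERT_PERMS(oroot, 0, 0, 0755);
+mkdir_attr(oroot, 0755, 0, 0);
 
 struct stat s;
 char *basedir = RUN_MNT_DIR;
@@ -766,11 +725,9 @@ void fs_overlayfs(void) {
 
 // no need to check arg_overlay_reuse
 if (stat(odiff, &s) != 0) {
-if (mkdir(odiff, 0755))
-errExit("mkdir");
+mkdir_attr(odiff, 0755, 0, 0);
 }
-
-if (set_perms(odiff, 0, 0, 0755))
+else if (set_perms(odiff, 0, 0, 0755))
 errExit("set_perms");
 
 char *owork;
@@ -779,11 +736,9 @@ void fs_overlayfs(void) {
 
 // no need to check arg_overlay_reuse
 if (stat(owork, &s) != 0) {
-if (mkdir(owork, 0755))
-errExit("mkdir");
+mkdir_attr(owork, 0755, 0, 0);
 }
-
-if (set_perms(owork, 0, 0, 0755))
+else if (set_perms(owork, 0, 0, 0755))
 errExit("chown");
 
 // mount overlayfs
@@ -839,11 +794,9 @@ void fs_overlayfs(void) {
 
 // no need to check arg_overlay_reuse
 if (stat(hdiff, &s) != 0) {
-if (mkdir(hdiff, S_IRWXU | S_IRWXG | S_IRWXO))
-errExit("mkdir");
+mkdir_attr(hdiff, S_IRWXU | S_IRWXG | S_IRWXO, 0, 0);
 }
-
-if (set_perms(hdiff, 0, 0, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH))
+else if (set_perms(hdiff, 0, 0, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH))
 errExit("set_perms");
 
 if(asprintf(&hwork, "%s/hwork", basedir) == -1)
@@ -851,11 +804,9 @@ void fs_overlayfs(void) {
 
 // no need to check arg_overlay_reuse
 if (stat(hwork, &s) != 0) {
-if (mkdir(hwork, S_IRWXU | S_IRWXG | S_IRWXO))
-errExit("mkdir");
+mkdir_attr(hwork, S_IRWXU | S_IRWXG | S_IRWXO, 0, 0);
 }
-
-if (set_perms(hwork, 0, 0, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH))
+else if (set_perms(hwork, 0, 0, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH))
 errExit("set_perms");
 
 // no homedir in overlay so now mount another overlay for /home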
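Review bot: In the `hdiff` and `hwork` hunks of fs_overlayfs, a newly created directory is now left at mode 0777, because `mkdir_attr(hdiff, S_IRWXU | S_IRWXG | S_IRWXO, 0, 0)` applies that mode with an explicit chmod, while the `else if` branch for an existing directory still passes `S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH`. Before this change the set_perms call ran after mkdir in both cases, so a fresh directory was also handed the 0755 mask. Passing the same mask to the helper keeps these root-owned overlay directories from being world-writable: `mkdir_attr(hdiff, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH, 0, 0);`, and likewise for `hwork`. The fs_check_overlay_dir hunk also changes the expected owner of `~/.firejail` from `getuid()`/`getgid()` (the removed ASSERT_PERMS) to `0, 0`, which is worth confirming as intended. All of these function bodies continue outside the hunks shown.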
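--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -212,11 +212,7 @@ void fs_private_bin_list(void) {
 assert(private_list);
 
 // create /run/firejail/mnt/bin directory
-if (mkdir(RUN_BIN_DIR, 0755) == -1)
-errExit("mkdir");
-if (chmod(RUN_BIN_DIR, 0755) == -1)
-errExit("chmod");
-ASSERT_PERMS(RUN_BIN_DIR, 0, 0, 0755);
+mkdir_attr(RUN_BIN_DIR, 0755, 0, 0);
 
 // copy the list of files in the new etc directory
 // using a new child process without root privileges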
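--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -65,11 +65,7 @@ static void deventry_mount(void) {
 if (arg_debug)
 printf("mounting %s %s\n", dev[i].run_fname, (dir)? "directory": "file");
 if (dir) {
-if (mkdir(dev[i].dev_fname, 0755) == -1)
-errExit("mkdir");
-if (chmod(dev[i].dev_fname, 0755) == -1)
-errExit("chmod");
-ASSERT_PERMS(dev[i].dev_fname, 0, 0, 0755);
+mkdir_attr(dev[i].dev_fname, 0755, 0, 0);
 }
 else {
 struct stat s;
@@ -130,11 +126,7 @@ void fs_private_dev(void){
 
 // create DRI_DIR
 // keep a copy of dev directory
-if (mkdir(RUN_DEV_DIR, 0755) == -1)
-errExit("mkdir");
-if (chmod(RUN_DEV_DIR, 0755) == -1)
-errExit("chmod");
-ASSERT_PERMS(RUN_DEV_DIR, 0, 0, 0755);
+mkdir_attr(RUN_DEV_DIR, 0755, 0, 0);
 if (mount("/dev", RUN_DEV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
 errExit("mounting /dev/dri");
 
@@ -179,12 +171,7 @@ void fs_private_dev(void){
 // create /dev/shm
 if (arg_debug)
 printf("Create /dev/shm directory\n");
-if (mkdir("/dev/shm", 01777) == -1)
-errExit("mkdir");
-// mkdir sets only the file permission bits
-if (chmod("/dev/shm", 01777) < 0)
-errExit("chmod");
-ASSERT_PERMS("/dev/shm", 0, 0, 01777);
+mkdir_attr("/dev/shm", 01777, 0, 0);
 fs_logger("mkdir /dev/shm");
 
 // create devices
@@ -206,11 +193,7 @@ void fs_private_dev(void){
 #endif
 
 // pseudo-terminal
-if (mkdir("/dev/pts", 0755) == -1)
-errExit("mkdir");
-if (chmod("/dev/pts", 0755) == -1)
-errExit("chmod");
-ASSERT_PERMS("/dev/pts", 0, 0, 0755);
+mkdir_attr("/dev/pts", 0755, 0, 0);
 fs_logger("mkdir /dev/pts");
 create_char_dev("/dev/pts/ptmx", 0666, 5, 2); //"mknod -m 666 /dev/pts/ptmx c 5 2");
 fs_logger("mknod /dev/pts/ptmx");
@@ -260,12 +243,7 @@ void fs_dev_shm(void) {
 if (lnk) {
 if (!is_dir(lnk)) {
 // create directory
-if (mkdir(lnk, 01777))
-errExit("mkdir");
-// mkdir sets only the file permission bits
-if (chmod(lnk, 01777))
-errExit("chmod");
-ASSERT_PERMS(lnk, 0, 0, 01777);
+mkdir_attr(lnk, 01777, 0, 0);
 }
 if (arg_debug)
 printf("Mounting tmpfs on %s on behalf of /dev/shm\n", lnk);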
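--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -132,11 +132,7 @@ void fs_private_etc_list(void) {
 }
 
 // create /run/firejail/mnt/etc directory
-if (mkdir(RUN_ETC_DIR, 0755) == -1)
-errExit("mkdir");
-if (chmod(RUN_ETC_DIR, 0755) == -1)
-errExit("chmod");
-ASSERT_PERMS(RUN_ETC_DIR, 0, 0, 0755);
+mkdir_attr(RUN_ETC_DIR, 0755, 0, 0);
 fs_logger("tmpfs /etc");
 
 fs_logger_print(); // save the current log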
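--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -98,10 +98,7 @@ static void build_dirs(void) {
 // create directories under /var/log
 DirData *ptr = dirlist;
 while (ptr) {
-if (mkdir(ptr->name, ptr->st_mode))
-errExit("mkdir");
-if (chown(ptr->name, ptr->st_uid, ptr->st_gid))
-errExit("chown");
+mkdir_attr(ptr->name, ptr->st_mode, ptr->st_uid, ptr->st_gid);
 fs_logger2("mkdir", ptr->name);
 ptr = ptr->next;
 }
@@ -223,18 +220,10 @@ void fs_var_cache(void) {
 gid = p->pw_gid;
 }
 
-int rv = mkdir("/var/cache/lighttpd/compress", 0755);
-if (rv == -1)
-errExit("mkdir");
-if (chown("/var/cache/lighttpd/compress", uid, gid) < 0)
-errExit("chown");
+mkdir_attr("/var/cache/lighttpd/compress", 0755, uid, gid);
 fs_logger("mkdir /var/cache/lighttpd/compress");
 
-rv = mkdir("/var/cache/lighttpd/uploads", 0755);
-if (rv == -1)
-errExit("mkdir");
-if (chown("/var/cache/lighttpd/uploads", uid, gid) < 0)
-errExit("chown");
+mkdir_attr("/var/cache/lighttpd/uploads", 0755, uid, gid);
 fs_logger("/var/cache/lighttpd/uploads");
 }
 }
@@ -268,11 +257,7 @@ void fs_var_lock(void) {
 if (lnk) {
 if (!is_dir(lnk)) {
 // create directory
-if (mkdir(lnk, S_IRWXU|S_IRWXG|S_IRWXO))
-errExit("mkdir");
-if (chmod(lnk, S_IRWXU|S_IRWXG|S_IRWXO))
-errExit("chmod");
-ASSERT_PERMS(lnk, 0, 0, S_IRWXU|S_IRWXG|S_IRWXO);
+mkdir_attr(lnk, S_IRWXU|S_IRWXG|S_IRWXO, 0, 0);
 }
 if (arg_debug)
 printf("Mounting tmpfs on %s on behalf of /var/lock\n", lnk);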
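--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -229,15 +229,11 @@ void join(pid_t pid, int argc, char **argv, int index) {
 exit(1);
 }
 else {
-if (join_namespace(pid, "ipc"))
-exit(1);
-if (join_namespace(pid, "net"))
-exit(1);
-if (join_namespace(pid, "pid"))
-exit(1);
-if (join_namespace(pid, "uts"))
-exit(1);
-if (join_namespace(pid, "mnt"))
+if (join_namespace(pid, "ipc") ||
+join_namespace(pid, "net") ||
+join_namespace(pid, "pid") ||
+join_namespace(pid, "uts") ||
+join_namespace(pid, "mnt"))
 exit(1);
 }
 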
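--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -731,4 +731,40 @@ int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode) {
 return 0;
 }
 
+void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) {
+assert(fname);
+mode &= 07777;
+#if 0
+printf("fname %s, uid %d, gid %d, mode %x - ", fname, uid, gid, (unsigned) mode);
+if (S_ISLNK(mode))
+printf("l");
+else if (S_ISDIR(mode))
+printf("d");
+else if (S_ISCHR(mode))
+printf("c");
+else if (S_ISBLK(mode))
+printf("b");
+else if (S_ISSOCK(mode))
+printf("s");
+else
+printf("-");
+printf( (mode & S_IRUSR) ? "r" : "-");
+printf( (mode & S_IWUSR) ? "w" : "-");
+printf( (mode & S_IXUSR) ? "x" : "-");
+printf( (mode & S_IRGRP) ? "r" : "-");
+printf( (mode & S_IWGRP) ? "w" : "-");
+printf( (mode & S_IXGRP) ? "x" : "-");
+printf( (mode & S_IROTH) ? "r" : "-");
+printf( (mode & S_IWOTH) ? "w" : "-");
+printf( (mode & S_IXOTH) ? "x" : "-");
+printf("\n");
+#endif
+if (mkdir(fname, mode) == -1 ||
+chmod(fname, mode) == -1 ||
+chown(fname, uid, gid)) {
+fprintf(stderr, "Error: failed to create %s directory\n", fname);
+errExit("mkdir/chmod");
+}
 
+ASSERT_PERMS(fname, uid, gid, mode);
+}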
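Review bot: mkdir_attr applies `chmod(fname, mode)` and `chown(fname, uid, gid)` by path after `mkdir`, and both calls follow symlinks, so when the parent directory is writable by the unprivileged user (the `~/.firejail` caller in fs.c is one such path) the name may refer to a different object by the time the attributes are set. Opening the new directory with `O_DIRECTORY|O_NOFOLLOW` and using `fchmod`/`fchown` on that descriptor ties the attribute changes to the object that was actually opened, as sketched below. The combined error path also reports `mkdir/chmod` when it was `chown` that failed, and the `#if 0` block tests `S_ISLNK(mode)` and the other type macros after `mode &= 07777` has already cleared the type bits, so it is better dropped than kept. A short header comment saying that the function calls errExit on any failure, including when the directory already exists, would help callers.

```c
	if (mkdir(fname, mode) == -1) {
		fprintf(stderr, "Error: failed to create %s directory\n", fname);
		errExit("mkdir");
	}
	// O_NOFOLLOW: refuse to act on a symlink that replaced the new directory
	int fd = open(fname, O_RDONLY|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
	if (fd == -1)
		errExit("open");
	if (fchmod(fd, mode) == -1)
		errExit("fchmod");
	if (fchown(fd, uid, gid) == -1)
		errExit("fchown");
	close(fd);
	// … unchanged: ASSERT_PERMS(fname, uid, gid, mode) …
```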