author | smitsohu <smitsohu@gmail.com> | 2019-02-23 18:35:41 +0100 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2019-02-23 18:37:23 +0100 |
commit | 94b8f2cd3bf5237e78f33757332deb56580eed04 (patch) | |
tree | 2a1e8d6ef5b2970b845c82b8a7e00872a32f6f83 /src | |
parent | misc cleanup (diff) | |
add whitelist support for /run/user/$uid
plus some minor cleanup (MS_REC has no effect with tmpfs mounts)
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 112 |
2 files changed, 86 insertions, 28 deletions
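--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -78,6 +78,7 @@
 #define RUN_WHITELIST_HOME_DIR "/run/firejail/mnt/orig-home" // default home directory masking
 #define RUN_WHITELIST_RUN_DIR "/run/firejail/mnt/orig-run" // default run directory masking
 #define RUN_WHITELIST_HOME_USER_DIR "/run/firejail/mnt/orig-home-user" // home directory whitelisting
+#define RUN_WHITELIST_RUN_USER_DIR "/run/firejail/mnt/orig-run-user" // run directory whitelisting
 #define RUN_WHITELIST_TMP_DIR "/run/firejail/mnt/orig-tmp"
 #define RUN_WHITELIST_MEDIA_DIR "/run/firejail/mnt/orig-media"
 #define RUN_WHITELIST_MNT_DIR "/run/firejail/mnt/orig-mnt"
@@ -211,6 +212,7 @@ typedef struct profile_entry_t {
 unsigned etc_dir:1; // whitelist in /etc directory
 unsigned share_dir:1; // whitelist in /usr/share directory
 unsigned module_dir:1; // whitelist in /sys/module directory
+unsigned run_dir:1; // whitelist in /run/user/$uid directory
 }ProfileEntry;
 
 typedef struct config_t {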
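--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -34,17 +34,19 @@
 
 #define EMPTY_STRING ("")
 static size_t homedir_len; // cache length of homedir string
+static size_t runuser_len; // cache length of runuser string
+static char *runuser;
 
 
 static int mkpath(const char* path, mode_t mode) {
 assert(path && *path);
 mode |= 0111;
 
-// create directories with uid/gid as root or as current user if inside home directory
-int userhome = 0;
-if (strncmp(path, cfg.homedir, homedir_len) == 0) {
+// create directories with uid/gid as root or as current user if inside home or run directory
+int userprivs = 0;
+if (strncmp(path, cfg.homedir, homedir_len) == 0 || strncmp(path, runuser, runuser_len) == 0) {
 EUID_USER();
-userhome = 1;
+userprivs = 1;
 }
 
 // work on a copy of the path
@@ -74,7 +76,7 @@ static int mkpath(const char* path, mode_t mode) {
 perror("mkdir");
 close(parentfd);
 free(dup);
-if (userhome) {
+if (userprivs) {
 EUID_ROOT();
 }
 return -1;
@@ -89,7 +91,7 @@ static int mkpath(const char* path, mode_t mode) {
 perror("open");
 close(parentfd);
 free(dup);
-if (userhome) {
+if (userprivs) {
 EUID_ROOT();
 }
 return -1;
@@ -104,7 +106,7 @@ static int mkpath(const char* path, mode_t mode) {
 fs_logger2("mkpath", path);
 
 free(dup);
-if (userhome) {
+if (userprivs) {
 EUID_ROOT();
 }
 return fd;
@@ -199,6 +201,12 @@ static void whitelist_path(ProfileEntry *entry) {
 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MODULE_DIR, fname) == -1)
 errExit("asprintf");
 }
+else if (entry->run_dir) {
+fname = path + runuser_len + 1; // strlen("/run/user/$uid/")
+
+if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_RUN_USER_DIR, fname) == -1)
+errExit("asprintf");
+}
 assert(wfile);
 
 if (arg_debug || arg_debug_whitelists)
@@ -325,7 +333,11 @@ void fs_whitelist(void) {
 if (!entry)
 return;
 
+if (asprintf(&runuser, "/run/user/%u", getuid()) == -1)
+errExit("asprintf");
+runuser_len = strlen(runuser);
 homedir_len = strlen(cfg.homedir);
+
 char *new_name = NULL;
 int home_dir = 0; // /home/user directory flag
 int tmp_dir = 0; // /tmp directory flag
@@ -338,6 +350,7 @@ void fs_whitelist(void) {
 int etc_dir = 0; // /etc directory flag
 int share_dir = 0; // /usr/share directory flag
 int module_dir = 0; // /sys/module directory flag
+int run_dir = 0; // /run/user/$uid directory flag
 
 size_t nowhitelist_c = 0;
 size_t nowhitelist_m = 32;
@@ -449,6 +462,8 @@ void fs_whitelist(void) {
 share_dir = 1;
 else if (strncmp(new_name, "/sys/module/", 12) == 0)
 module_dir = 1;
+else if (strncmp(new_name, runuser, runuser_len) == 0 && new_name[runuser_len] == '/')
+run_dir = 1;
 }
 
 entry->data = EMPTY_STRING;
@@ -624,6 +639,15 @@ void fs_whitelist(void) {
 goto errexit;
 }
 }
+else if (strncmp(new_name, runuser, runuser_len) == 0 && new_name[runuser_len] == '/') {
+entry->run_dir = 1;
+run_dir = 1;
+// both path and absolute path are under /run/user/$uid
+if (strncmp(fname, runuser, runuser_len) != 0 || fname[runuser_len] != '/') {
+free(fname);
+goto errexit;
+}
+}
 else {
 free(fname);
 goto errexit;
@@ -704,7 +728,7 @@ void fs_whitelist(void) {
 // mount tmpfs on /tmp
 if (arg_debug || arg_debug_whitelists)
 printf("Mounting tmpfs on /tmp directory\n");
-if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
+if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=1777,gid=0") < 0)
 errExit("mounting tmpfs on /tmp");
 fs_logger("tmpfs /tmp");
 }
@@ -721,7 +745,7 @@ void fs_whitelist(void) {
 // mount tmpfs on /media
 if (arg_debug || arg_debug_whitelists)
 printf("Mounting tmpfs on /media directory\n");
-if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 errExit("mounting tmpfs on /media");
 fs_logger("tmpfs /media");
 }
@@ -741,7 +765,7 @@ void fs_whitelist(void) {
 // mount tmpfs on /mnt
 if (arg_debug || arg_debug_whitelists)
 printf("Mounting tmpfs on /mnt directory\n");
-if (mount("tmpfs", "/mnt", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", "/mnt", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 errExit("mounting tmpfs on /mnt");
 fs_logger("tmpfs /mnt");
 }
@@ -760,7 +784,7 @@ void fs_whitelist(void) {
 // mount tmpfs on /var
 if (arg_debug || arg_debug_whitelists)
 printf("Mounting tmpfs on /var directory\n");
-if (mount("tmpfs", "/var", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", "/var", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 errExit("mounting tmpfs on /var");
 fs_logger("tmpfs /var");
 }
@@ -775,7 +799,7 @@ void fs_whitelist(void) {
 // mount tmpfs on /dev
 if (arg_debug || arg_debug_whitelists)
 printf("Mounting tmpfs on /dev directory\n");
-if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 errExit("mounting tmpfs on /dev");
 fs_logger("tmpfs /dev");
 }
@@ -792,7 +816,7 @@ void fs_whitelist(void) {
 // mount tmpfs on /opt
 if (arg_debug || arg_debug_whitelists)
 printf("Mounting tmpfs on /opt directory\n");
-if (mount("tmpfs", "/opt", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", "/opt", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 errExit("mounting tmpfs on /opt");
 fs_logger("tmpfs /opt");
 }
@@ -812,7 +836,7 @@ void fs_whitelist(void) {
 // mount tmpfs on /srv
 if (arg_debug || arg_debug_whitelists)
 printf("Mounting tmpfs on /srv directory\n");
-if (mount("tmpfs", "/srv", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", "/srv", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 errExit("mounting tmpfs on /srv");
 fs_logger("tmpfs /srv");
 }
@@ -832,7 +856,7 @@ void fs_whitelist(void) {
 // mount tmpfs on /srv
 if (arg_debug || arg_debug_whitelists)
 printf("Mounting tmpfs on /etc directory\n");
-if (mount("tmpfs", "/etc", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", "/etc", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 errExit("mounting tmpfs on /etc");
 fs_logger("tmpfs /etc");
 }
@@ -852,7 +876,7 @@ void fs_whitelist(void) {
 // mount tmpfs on /srv
 if (arg_debug || arg_debug_whitelists)
 printf("Mounting tmpfs on /usr/share directory\n");
-if (mount("tmpfs", "/usr/share", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", "/usr/share", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 errExit("mounting tmpfs on /usr/share");
 fs_logger("tmpfs /usr/share");
 }
@@ -872,7 +896,7 @@ void fs_whitelist(void) {
 // mount tmpfs on /sys/module
 if (arg_debug || arg_debug_whitelists)
 printf("Mounting tmpfs on /sys/module directory\n");
-if (mount("tmpfs", "/sys/module", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", "/sys/module", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 errExit("mounting tmpfs on /sys/module");
 fs_logger("tmpfs /sys/module");
 }
@@ -880,6 +904,30 @@ void fs_whitelist(void) {
 module_dir = 0;
 }
 
+// /run/user mountpoint
+if (run_dir) {
+// check if /run/user/$uid directory exists
+if (stat(runuser, &s) == 0) {
+// keep a copy of real /run/user/$uid directory in RUN_WHITELIST_RUN_USER_DIR
+mkdir_attr(RUN_WHITELIST_RUN_USER_DIR, 0700, getuid(), getgid());
+if (mount(runuser, RUN_WHITELIST_RUN_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
+errExit("mount bind");
+
+// mount tmpfs on /run/user/$uid
+if (arg_debug || arg_debug_whitelists)
+printf("Mounting tmpfs on %s directory\n", runuser);
+char *options;
+if (asprintf(&options, "mode=700,uid=%u,gid=%u", getuid(), getgid()) == -1)
+errExit("asprintf");
+if (mount("tmpfs", runuser, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, options) < 0)
+errExit("mounting tmpfs on /run/user/<uid>");
+free(options);
+fs_logger2("tmpfs", runuser);
+}
+else
+run_dir = 0;
+}
+
 
 // go through profile rules again, and interpret whitelist commands
 entry = cfg.profile;
@@ -931,81 +979,89 @@ void fs_whitelist(void) {
 
 // mask the real home directory, currently mounted on RUN_WHITELIST_HOME_DIR
 if (home_dir) {
-if (mount("tmpfs", RUN_WHITELIST_HOME_USER_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", RUN_WHITELIST_HOME_USER_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 errExit("mount tmpfs");
 fs_logger2("tmpfs", RUN_WHITELIST_HOME_USER_DIR);
 }
 
 // mask the real /tmp directory, currently mounted on RUN_WHITELIST_TMP_DIR
 if (tmp_dir) {
-if (mount("tmpfs", RUN_WHITELIST_TMP_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", RUN_WHITELIST_TMP_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 errExit("mount tmpfs");
 fs_logger2("tmpfs", RUN_WHITELIST_TMP_DIR);
 }
 
 // mask the real /var directory, currently mounted on RUN_WHITELIST_VAR_DIR
 if (var_dir) {
-if (mount("tmpfs", RUN_WHITELIST_VAR_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", RUN_WHITELIST_VAR_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 errExit("mount tmpfs");
 fs_logger2("tmpfs", RUN_WHITELIST_VAR_DIR);
 }
 
 // mask the real /opt directory, currently mounted on RUN_WHITELIST_OPT_DIR
 if (opt_dir) {
-if (mount("tmpfs", RUN_WHITELIST_OPT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", RUN_WHITELIST_OPT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 errExit("mount tmpfs");
 fs_logger2("tmpfs", RUN_WHITELIST_OPT_DIR);
 }
 
 // mask the real /dev directory, currently mounted on RUN_WHITELIST_DEV_DIR
 if (dev_dir) {
-if (mount("tmpfs", RUN_WHITELIST_DEV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", RUN_WHITELIST_DEV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 errExit("mount tmpfs");
 fs_logger2("tmpfs", RUN_WHITELIST_DEV_DIR);
 }
 
 // mask the real /media directory, currently mounted on RUN_WHITELIST_MEDIA_DIR
 if (media_dir) {
-if (mount("tmpfs", RUN_WHITELIST_MEDIA_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", RUN_WHITELIST_MEDIA_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 errExit("mount tmpfs");
 fs_logger2("tmpfs", RUN_WHITELIST_MEDIA_DIR);
 }
 
 // mask the real /mnt directory, currently mounted on RUN_WHITELIST_MNT_DIR
 if (mnt_dir) {
-if (mount("tmpfs", RUN_WHITELIST_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", RUN_WHITELIST_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 errExit("mount tmpfs");
 fs_logger2("tmpfs", RUN_WHITELIST_MNT_DIR);
 }
 
 // mask the real /srv directory, currently mounted on RUN_WHITELIST_SRV_DIR
 if (srv_dir) {
-if (mount("tmpfs", RUN_WHITELIST_SRV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", RUN_WHITELIST_SRV_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 errExit("mount tmpfs");
 fs_logger2("tmpfs", RUN_WHITELIST_SRV_DIR);
 }
 
 // mask the real /etc directory, currently mounted on RUN_WHITELIST_ETC_DIR
 if (etc_dir) {
-if (mount("tmpfs", RUN_WHITELIST_ETC_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", RUN_WHITELIST_ETC_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 errExit("mount tmpfs");
 fs_logger2("tmpfs", RUN_WHITELIST_ETC_DIR);
 }
 
 // mask the real /usr/share directory, currently mounted on RUN_WHITELIST_SHARE_DIR
 if (share_dir) {
-if (mount("tmpfs", RUN_WHITELIST_SHARE_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", RUN_WHITELIST_SHARE_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 errExit("mount tmpfs");
 fs_logger2("tmpfs", RUN_WHITELIST_SHARE_DIR);
 }
 
 // mask the real /sys/module directory, currently mounted on RUN_WHITELIST_MODULE_DIR
 if (module_dir) {
-if (mount("tmpfs", RUN_WHITELIST_MODULE_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", RUN_WHITELIST_MODULE_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
 errExit("mount tmpfs");
 fs_logger2("tmpfs", RUN_WHITELIST_MODULE_DIR);
 }
 
+// mask the real /run/user/$uid directory, currently mounted on RUN_WHITELIST_MODULE_DIR
+if (run_dir) {
+if (mount("tmpfs", RUN_WHITELIST_RUN_USER_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
+errExit("mount tmpfs");
+fs_logger2("tmpfs", RUN_WHITELIST_RUN_USER_DIR);
+}
+
+free(runuser);
 return;
 
 errexit: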
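Review bot: The new run-directory test in mkpath (new line 47) is a bare prefix match on `runuser`, unlike the two new classification tests at new lines 465 and 642 which additionally require `new_name[runuser_len] == '/'`, so a sibling entry whose name merely starts with the uid string (constructed example: `/run/user/<uid>0`) would also be treated as the user's run directory and created under user privileges; the pre-existing homedir test has the same shape, but the new branch can match the other two with `strncmp(path, runuser, runuser_len) == 0 && (path[runuser_len] == '/' || path[runuser_len] == '\0')`. The comment at new line 1057 is a copy-paste leftover and should read `// mask the real /run/user/$uid directory, currently mounted on RUN_WHITELIST_RUN_USER_DIR`. `runuser` is a file-scope static that mkpath reads, and new line 1064 frees it only on the normal return, leaving the static pointing at freed memory and, as far as the hunks show, never releasing it on the `errexit` path; resetting it with `runuser = NULL;` after the free records that the cached value is gone. Both mkpath and fs_whitelist start and end outside the hunks shown.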