diff options
author | netblue30 <netblue30@yahoo.com> | 2016-02-08 12:58:37 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-02-08 12:58:37 -0500 |
commit | 9c0730573aa6f5cf96278704a9a8c14457f1e010 (patch) | |
tree | 0c1c05f54f2eaa146131c16bc877dec200f39931 /src | |
parent | set window title (diff) | |
download | firejail-9c0730573aa6f5cf96278704a9a8c14457f1e010.tar.gz firejail-9c0730573aa6f5cf96278704a9a8c14457f1e010.tar.zst firejail-9c0730573aa6f5cf96278704a9a8c14457f1e010.zip |
fixed whitelist problem
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs_whitelist.c | 32 |
1 files changed, 24 insertions, 8 deletions
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 22b5fb0a7..0f2d6a089 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -336,6 +336,14 @@ void fs_whitelist(void) { | |||
336 | if (arg_debug) | 336 | if (arg_debug) |
337 | fprintf(stderr, "Debug %d: new_name #%s#\n", __LINE__, new_name); | 337 | fprintf(stderr, "Debug %d: new_name #%s#\n", __LINE__, new_name); |
338 | 338 | ||
339 | // valid path referenced to filesystem root | ||
340 | if (*new_name != '/') { | ||
341 | if (arg_debug) | ||
342 | fprintf(stderr, "Debug %d: \n", __LINE__); | ||
343 | goto errexit; | ||
344 | } | ||
345 | |||
346 | |||
339 | // extract the absolute path of the file | 347 | // extract the absolute path of the file |
340 | // realpath function will fail with ENOENT if the file is not found | 348 | // realpath function will fail with ENOENT if the file is not found |
341 | char *fname = realpath(new_name, NULL); | 349 | char *fname = realpath(new_name, NULL); |
@@ -349,19 +357,27 @@ void fs_whitelist(void) { | |||
349 | perror("realpath"); | 357 | perror("realpath"); |
350 | } | 358 | } |
351 | *entry->data = '\0'; | 359 | *entry->data = '\0'; |
360 | |||
361 | // if 1 the file was not found; mount an empty directory | ||
362 | if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) | ||
363 | home_dir = 1; | ||
364 | else if (strncmp(new_name, "/tmp/", 5) == 0) | ||
365 | tmp_dir = 1; | ||
366 | else if (strncmp(new_name, "/media/", 7) == 0) | ||
367 | media_dir = 1; | ||
368 | else if (strncmp(new_name, "/var/", 5) == 0) | ||
369 | var_dir = 1; | ||
370 | else if (strncmp(new_name, "/dev/", 5) == 0) | ||
371 | dev_dir = 1; | ||
372 | else if (strncmp(new_name, "/opt/", 5) == 0) | ||
373 | opt_dir = 1; | ||
374 | |||
352 | continue; | 375 | continue; |
353 | } | 376 | } |
354 | 377 | ||
355 | // valid path referenced to filesystem root | ||
356 | if (*new_name != '/') { | ||
357 | if (arg_debug) | ||
358 | fprintf(stderr, "Debug %d: \n", __LINE__); | ||
359 | goto errexit; | ||
360 | } | ||
361 | |||
362 | // check for supported directories | 378 | // check for supported directories |
363 | if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) { | 379 | if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) { |
364 | // whitelisting home directory is disabled if --private or --private-home option is present | 380 | // whitelisting home directory is disabled if --private option is present |
365 | if (arg_private) { | 381 | if (arg_private) { |
366 | if (arg_debug || arg_debug_whitelists) | 382 | if (arg_debug || arg_debug_whitelists) |
367 | printf("Removed whitelist path %s, --private option is present\n", entry->data); | 383 | printf("Removed whitelist path %s, --private option is present\n", entry->data); |