diff options
author | smitsohu <smitsohu@gmail.com> | 2019-10-01 18:25:00 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2019-10-01 18:25:00 +0200 |
commit | b2a91ca47eb37581a680004411f8fa98e03ddde1 (patch) | |
tree | 69a3dacd1eccec629cc38922552a6f77c1e9e963 /src | |
parent | base checks and mounts on same file descriptor (diff) | |
download | firejail-b2a91ca47eb37581a680004411f8fa98e03ddde1.tar.gz firejail-b2a91ca47eb37581a680004411f8fa98e03ddde1.tar.zst firejail-b2a91ca47eb37581a680004411f8fa98e03ddde1.zip |
simplify chroot option parsing
this is a partial revert, back to the original code
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/chroot.c | 19 | ||||
-rw-r--r-- | src/firejail/firejail.h | 3 | ||||
-rw-r--r-- | src/firejail/main.c | 16 |
3 files changed, 20 insertions, 18 deletions
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c index 8a57dee35..f5bb11a76 100644 --- a/src/firejail/chroot.c +++ b/src/firejail/chroot.c | |||
@@ -30,17 +30,17 @@ | |||
30 | #endif | 30 | #endif |
31 | 31 | ||
32 | 32 | ||
33 | // exit if error, return resolved chroot path | 33 | // exit if error |
34 | char *fs_check_chroot_dir(const char *rootdir) { | 34 | void fs_check_chroot_dir(void) { |
35 | EUID_ASSERT(); | 35 | EUID_ASSERT(); |
36 | assert(rootdir); | 36 | assert(cfg.chrootdir); |
37 | if (strstr(rootdir, "..") || | 37 | if (strstr(cfg.chrootdir, "..") || |
38 | is_link(rootdir) || | 38 | is_link(cfg.chrootdir) || |
39 | !is_dir(rootdir)) | 39 | !is_dir(cfg.chrootdir)) |
40 | goto errout; | 40 | goto errout; |
41 | 41 | ||
42 | // check chroot dirname exists, chrooting into the root directory is not allowed | 42 | // check chroot dirname exists, chrooting into the root directory is not allowed |
43 | char *rpath = realpath(rootdir, NULL); | 43 | char *rpath = realpath(cfg.chrootdir, NULL); |
44 | if (rpath == NULL || strcmp(rpath, "/") == 0) | 44 | if (rpath == NULL || strcmp(rpath, "/") == 0) |
45 | goto errout; | 45 | goto errout; |
46 | 46 | ||
@@ -52,10 +52,11 @@ char *fs_check_chroot_dir(const char *rootdir) { | |||
52 | exit(1); | 52 | exit(1); |
53 | } | 53 | } |
54 | free(overlay); | 54 | free(overlay); |
55 | return rpath; | 55 | cfg.chrootdir = rpath; |
56 | return; | ||
56 | 57 | ||
57 | errout: | 58 | errout: |
58 | fprintf(stderr, "Error: invalid chroot directory %s\n", rootdir); | 59 | fprintf(stderr, "Error: invalid chroot directory %s\n", cfg.chrootdir); |
59 | exit(1); | 60 | exit(1); |
60 | } | 61 | } |
61 | 62 | ||
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 487803770..fdbeb4691 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -398,9 +398,8 @@ void fs_private_cache(void); | |||
398 | void fs_mnt(const int enforce); | 398 | void fs_mnt(const int enforce); |
399 | 399 | ||
400 | // chroot.c | 400 | // chroot.c |
401 | // returns resolved chroot directory path | ||
402 | char *fs_check_chroot_dir(const char *rootdir); | ||
403 | // chroot into an existing directory; mount existing /dev and update /etc/resolv.conf | 401 | // chroot into an existing directory; mount existing /dev and update /etc/resolv.conf |
402 | void fs_check_chroot_dir(void); | ||
404 | void fs_chroot(const char *rootdir); | 403 | void fs_chroot(const char *rootdir); |
405 | 404 | ||
406 | // profile.c | 405 | // profile.c |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 5c83239ef..cbe3292ba 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1659,21 +1659,23 @@ int main(int argc, char **argv) { | |||
1659 | fprintf(stderr, "Error: --chroot option is not available on Grsecurity systems\n"); | 1659 | fprintf(stderr, "Error: --chroot option is not available on Grsecurity systems\n"); |
1660 | exit(1); | 1660 | exit(1); |
1661 | } | 1661 | } |
1662 | if (*(argv[i] + 9) == '\0') { | 1662 | // extract chroot dirname |
1663 | cfg.chrootdir = argv[i] + 9; | ||
1664 | if (*cfg.chrootdir == '\0') { | ||
1663 | fprintf(stderr, "Error: invalid chroot option\n"); | 1665 | fprintf(stderr, "Error: invalid chroot option\n"); |
1664 | exit(1); | 1666 | exit(1); |
1665 | } | 1667 | } |
1666 | invalid_filename(argv[i] + 9, 0); // no globbing | 1668 | invalid_filename(cfg.chrootdir, 0); // no globbing |
1667 | 1669 | ||
1668 | // extract chroot dirname | ||
1669 | char *tmp = argv[i] + 9; | ||
1670 | // if the directory starts with ~, expand the home directory | 1670 | // if the directory starts with ~, expand the home directory |
1671 | if (*(argv[i] + 9) == '~') { | 1671 | if (*cfg.chrootdir == '~') { |
1672 | if (asprintf(&tmp, "%s%s", cfg.homedir, argv[i] + 10) == -1) | 1672 | char *tmp; |
1673 | if (asprintf(&tmp, "%s%s", cfg.homedir, cfg.chrootdir + 1) == -1) | ||
1673 | errExit("asprintf"); | 1674 | errExit("asprintf"); |
1675 | cfg.chrootdir = tmp; | ||
1674 | } | 1676 | } |
1675 | // check chroot directory | 1677 | // check chroot directory |
1676 | cfg.chrootdir = fs_check_chroot_dir(tmp); | 1678 | fs_check_chroot_dir(); |
1677 | } | 1679 | } |
1678 | else | 1680 | else |
1679 | exit_err_feature("chroot"); | 1681 | exit_err_feature("chroot"); |