diff options
author | smitsohu <smitsohu@gmail.com> | 2018-08-25 10:29:16 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2018-08-25 10:29:16 +0200 |
commit | da76c64dcdf7f98e94a33fa74e1e0050e384ce5c (patch) | |
tree | d38487546b1e3540aac6db15a2f2ba665d13874d /src | |
parent | Add python program to more easily debug profiles (diff) | |
download | firejail-da76c64dcdf7f98e94a33fa74e1e0050e384ce5c.tar.gz firejail-da76c64dcdf7f98e94a33fa74e1e0050e384ce5c.tar.zst firejail-da76c64dcdf7f98e94a33fa74e1e0050e384ce5c.zip |
cleanup, small improvements
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/fs.c | 16 | ||||
-rw-r--r-- | src/firejail/fs_home.c | 4 | ||||
-rw-r--r-- | src/firejail/fs_mkdir.c | 2 | ||||
-rw-r--r-- | src/firejail/fs_var.c | 19 | ||||
-rw-r--r-- | src/firejail/pulseaudio.c | 4 | ||||
-rw-r--r-- | src/firejail/util.c | 12 | ||||
-rw-r--r-- | src/firejail/x11.c | 2 |
8 files changed, 22 insertions, 39 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 906ec6307..051456539 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -514,7 +514,7 @@ void logerr(const char *msg); | |||
514 | int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode); | 514 | int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode); |
515 | void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode); | 515 | void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode); |
516 | void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode); | 516 | void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode); |
517 | void touch_file_as_user(const char *fname, uid_t uid, gid_t gid, mode_t mode); | 517 | void touch_file_as_user(const char *fname, mode_t mode); |
518 | int is_dir(const char *fname); | 518 | int is_dir(const char *fname); |
519 | int is_link(const char *fname); | 519 | int is_link(const char *fname); |
520 | void trim_trailing_slash_or_dot(char *path); | 520 | void trim_trailing_slash_or_dot(char *path); |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 7b138eada..d262d18bf 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -648,10 +648,10 @@ void fs_proc_sys_dev_boot(void) { | |||
648 | if (child == 0) { | 648 | if (child == 0) { |
649 | // drop privileges | 649 | // drop privileges |
650 | drop_privs(0); | 650 | drop_privs(0); |
651 | if (mkdir(fnamegpg, 0700) == -1) | 651 | if (mkdir(fnamegpg, 0700) == 0) { |
652 | {;} // do nothing | 652 | if (chmod(fnamegpg, 0700) == -1) |
653 | if (set_perms(fnamegpg, -1, -1, 0700)) | 653 | {;} // do nothing |
654 | {;} | 654 | } |
655 | #ifdef HAVE_GCOV | 655 | #ifdef HAVE_GCOV |
656 | __gcov_flush(); | 656 | __gcov_flush(); |
657 | #endif | 657 | #endif |
@@ -676,10 +676,10 @@ void fs_proc_sys_dev_boot(void) { | |||
676 | if (child == 0) { | 676 | if (child == 0) { |
677 | // drop privileges | 677 | // drop privileges |
678 | drop_privs(0); | 678 | drop_privs(0); |
679 | if (mkdir(fnamesysd, 0755) == -1) | 679 | if (mkdir(fnamesysd, 0755) == 0) { |
680 | {;} // do nothing | 680 | if (chmod(fnamesysd, 0755) == -1) |
681 | if (set_perms(fnamesysd, -1, -1, 0755)) | 681 | {;} // do nothing |
682 | {;} | 682 | } |
683 | #ifdef HAVE_GCOV | 683 | #ifdef HAVE_GCOV |
684 | __gcov_flush(); | 684 | __gcov_flush(); |
685 | #endif | 685 | #endif |
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 03f3512b4..bcfc8a38a 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -53,7 +53,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) { | |||
53 | fs_logger2("clone", fname); | 53 | fs_logger2("clone", fname); |
54 | } | 54 | } |
55 | else { | 55 | else { |
56 | touch_file_as_user(fname, u, g, 0644); | 56 | touch_file_as_user(fname, 0644); |
57 | fs_logger2("touch", fname); | 57 | fs_logger2("touch", fname); |
58 | } | 58 | } |
59 | free(fname); | 59 | free(fname); |
@@ -78,7 +78,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) { | |||
78 | fs_logger2("clone", fname); | 78 | fs_logger2("clone", fname); |
79 | } | 79 | } |
80 | else { | 80 | else { |
81 | touch_file_as_user(fname, u, g, 0644); | 81 | touch_file_as_user(fname, 0644); |
82 | fs_logger2("touch", fname); | 82 | fs_logger2("touch", fname); |
83 | } | 83 | } |
84 | free(fname); | 84 | free(fname); |
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c index 9d22093ee..b66068a95 100644 --- a/src/firejail/fs_mkdir.c +++ b/src/firejail/fs_mkdir.c | |||
@@ -114,7 +114,7 @@ void fs_mkfile(const char *name) { | |||
114 | } | 114 | } |
115 | 115 | ||
116 | // create file | 116 | // create file |
117 | touch_file_as_user(expanded, getuid(), getgid(), 0600); | 117 | touch_file_as_user(expanded, 0600); |
118 | 118 | ||
119 | doexit: | 119 | doexit: |
120 | free(expanded); | 120 | free(expanded); |
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index 9fbbdfa8f..8c53e6161 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c | |||
@@ -255,23 +255,8 @@ void fs_var_lock(void) { | |||
255 | fs_logger("tmpfs /var/lock"); | 255 | fs_logger("tmpfs /var/lock"); |
256 | } | 256 | } |
257 | else { | 257 | else { |
258 | char *lnk = realpath("/var/lock", NULL); | 258 | fwarning("/var/lock not mounted\n"); |
259 | if (lnk) { | 259 | dbg_test_dir("/var/lock"); |
260 | if (!is_dir(lnk)) { | ||
261 | // create directory | ||
262 | mkdir_attr(lnk, S_IRWXU|S_IRWXG|S_IRWXO, 0, 0); | ||
263 | } | ||
264 | if (arg_debug) | ||
265 | printf("Mounting tmpfs on %s on behalf of /var/lock\n", lnk); | ||
266 | if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) | ||
267 | errExit("mounting /var/lock"); | ||
268 | free(lnk); | ||
269 | fs_logger("tmpfs /var/lock"); | ||
270 | } | ||
271 | else { | ||
272 | fwarning("/var/lock not mounted\n"); | ||
273 | dbg_test_dir("/var/lock"); | ||
274 | } | ||
275 | } | 260 | } |
276 | } | 261 | } |
277 | 262 | ||
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index 521f144e8..e6696ecb4 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c | |||
@@ -117,7 +117,7 @@ void pulseaudio_init(void) { | |||
117 | 117 | ||
118 | int rv = mkdir(dir1, 0755); | 118 | int rv = mkdir(dir1, 0755); |
119 | if (rv == 0) { | 119 | if (rv == 0) { |
120 | if (set_perms(dir1, getuid(), getgid(), 0755)) | 120 | if (chmod(dir1, 0755)) |
121 | {;} // do nothing | 121 | {;} // do nothing |
122 | } | 122 | } |
123 | #ifdef HAVE_GCOV | 123 | #ifdef HAVE_GCOV |
@@ -153,7 +153,7 @@ void pulseaudio_init(void) { | |||
153 | 153 | ||
154 | int rv = mkdir(dir1, 0700); | 154 | int rv = mkdir(dir1, 0700); |
155 | if (rv == 0) { | 155 | if (rv == 0) { |
156 | if (set_perms(dir1, getuid(), getgid(), 0700)) | 156 | if (chmod(dir1, 0700)) |
157 | {;} // do nothing | 157 | {;} // do nothing |
158 | } | 158 | } |
159 | #ifdef HAVE_GCOV | 159 | #ifdef HAVE_GCOV |
diff --git a/src/firejail/util.c b/src/firejail/util.c index 86faaf8b8..050f7534a 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -156,7 +156,6 @@ int mkpath_as_root(const char* path) { | |||
156 | *p='\0'; | 156 | *p='\0'; |
157 | if (mkdir(file_path, 0755)==-1) { | 157 | if (mkdir(file_path, 0755)==-1) { |
158 | if (errno != EEXIST) { | 158 | if (errno != EEXIST) { |
159 | *p='/'; | ||
160 | free(file_path); | 159 | free(file_path); |
161 | return -1; | 160 | return -1; |
162 | } | 161 | } |
@@ -365,7 +364,7 @@ void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_ | |||
365 | } | 364 | } |
366 | 365 | ||
367 | // return -1 if error, 0 if no error | 366 | // return -1 if error, 0 if no error |
368 | void touch_file_as_user(const char *fname, uid_t uid, gid_t gid, mode_t mode) { | 367 | void touch_file_as_user(const char *fname, mode_t mode) { |
369 | pid_t child = fork(); | 368 | pid_t child = fork(); |
370 | if (child < 0) | 369 | if (child < 0) |
371 | errExit("fork"); | 370 | errExit("fork"); |
@@ -373,10 +372,10 @@ void touch_file_as_user(const char *fname, uid_t uid, gid_t gid, mode_t mode) { | |||
373 | // drop privileges | 372 | // drop privileges |
374 | drop_privs(0); | 373 | drop_privs(0); |
375 | 374 | ||
376 | FILE *fp = fopen(fname, "w"); | 375 | FILE *fp = fopen(fname, "wx"); |
377 | if (fp) { | 376 | if (fp) { |
378 | fprintf(fp, "\n"); | 377 | fprintf(fp, "\n"); |
379 | SET_PERMS_STREAM(fp, uid, gid, mode); | 378 | SET_PERMS_STREAM(fp, -1, -1, mode); |
380 | fclose(fp); | 379 | fclose(fp); |
381 | } | 380 | } |
382 | #ifdef HAVE_GCOV | 381 | #ifdef HAVE_GCOV |
@@ -922,10 +921,8 @@ void create_empty_file_as_root(const char *fname, mode_t mode) { | |||
922 | FILE *fp = fopen(fname, "w"); | 921 | FILE *fp = fopen(fname, "w"); |
923 | if (!fp) | 922 | if (!fp) |
924 | errExit("fopen"); | 923 | errExit("fopen"); |
925 | SET_PERMS_STREAM(fp, 0, 0, S_IRUSR); | 924 | SET_PERMS_STREAM(fp, 0, 0, mode); |
926 | fclose(fp); | 925 | fclose(fp); |
927 | if (chmod(fname, mode) == -1) | ||
928 | errExit("chmod"); | ||
929 | } | 926 | } |
930 | } | 927 | } |
931 | 928 | ||
@@ -1133,6 +1130,7 @@ int invalid_sandbox(const pid_t pid) { | |||
1133 | int i; | 1130 | int i; |
1134 | for (i = 0; i < MAXNODES; i++) { | 1131 | for (i = 0; i < MAXNODES; i++) { |
1135 | if (find_child(current, &next) == 1) { | 1132 | if (find_child(current, &next) == 1) { |
1133 | // found a leaf | ||
1136 | EUID_ROOT(); | 1134 | EUID_ROOT(); |
1137 | char *comm = pid_proc_comm(current); | 1135 | char *comm = pid_proc_comm(current); |
1138 | EUID_USER(); | 1136 | EUID_USER(); |
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index e40ca0f05..7d02701c9 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
@@ -1168,7 +1168,7 @@ void x11_xorg(void) { | |||
1168 | if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1) | 1168 | if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1) |
1169 | errExit("asprintf"); | 1169 | errExit("asprintf"); |
1170 | if (lstat(dest, &s) == -1) | 1170 | if (lstat(dest, &s) == -1) |
1171 | touch_file_as_user(dest, getuid(), getgid(), 0600); | 1171 | touch_file_as_user(dest, 0600); |
1172 | 1172 | ||
1173 | // get a file descriptor for .Xauthority | 1173 | // get a file descriptor for .Xauthority |
1174 | fd = safe_fd(dest, O_PATH|O_NOFOLLOW|O_CLOEXEC); | 1174 | fd = safe_fd(dest, O_PATH|O_NOFOLLOW|O_CLOEXEC); |