diff options
author | smitsohu <smitsohu@gmail.com> | 2018-10-01 17:13:12 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2018-10-01 17:13:12 +0200 |
commit | bdf8118dd69a6ef734b3fdefccfc7374398723f5 (patch) | |
tree | 6c3ef2353a2da1a221f0438784e0292232973efe /src | |
parent | tests: skip audit.exp if tests are already running in a pid namespace (diff) | |
download | firejail-bdf8118dd69a6ef734b3fdefccfc7374398723f5.tar.gz firejail-bdf8118dd69a6ef734b3fdefccfc7374398723f5.tar.zst firejail-bdf8118dd69a6ef734b3fdefccfc7374398723f5.zip |
mount empty home if macro can't be whitelisted
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 16 | ||||
-rw-r--r-- | src/firejail/macros.c | 2 |
3 files changed, 12 insertions, 7 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 389bdbbcb..1b34a882d 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -498,6 +498,7 @@ char *expand_home(const char *path, const char *homedir); | |||
498 | char *resolve_macro(const char *name); | 498 | char *resolve_macro(const char *name); |
499 | void invalid_filename(const char *fname, int globbing); | 499 | void invalid_filename(const char *fname, int globbing); |
500 | int is_macro(const char *name); | 500 | int is_macro(const char *name); |
501 | int macro_id(const char *name); | ||
501 | 502 | ||
502 | 503 | ||
503 | // util.c | 504 | // util.c |
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 86a901506..2d4640430 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -372,12 +372,16 @@ void fs_whitelist(void) { | |||
372 | assert(new_name); | 372 | assert(new_name); |
373 | 373 | ||
374 | // skip command if resolving the macro was not successful | 374 | // skip command if resolving the macro was not successful |
375 | if (is_macro(new_name)) { | 375 | if (is_macro(new_name) && macro_id(new_name) > -1) { |
376 | if (!nowhitelist_flag && !arg_quiet && !arg_private) { | 376 | // mount empty home directory and print a warning |
377 | fprintf(stderr, "***\n"); | 377 | if (!nowhitelist_flag && !arg_private) { |
378 | fprintf(stderr, "*** Warning: cannot whitelist %s directory\n", new_name); | 378 | home_dir = 1; |
379 | fprintf(stderr, "*** Any file saved in this directory will be lost when the sandbox is closed.\n"); | 379 | if (!arg_quiet) { |
380 | fprintf(stderr, "***\n"); | 380 | fprintf(stderr, "***\n"); |
381 | fprintf(stderr, "*** Warning: cannot whitelist %s directory\n", new_name); | ||
382 | fprintf(stderr, "*** Any file saved in this directory will be lost when the sandbox is closed.\n"); | ||
383 | fprintf(stderr, "***\n"); | ||
384 | } | ||
381 | } | 385 | } |
382 | entry->data = EMPTY_STRING; | 386 | entry->data = EMPTY_STRING; |
383 | entry = entry->next; | 387 | entry = entry->next; |
diff --git a/src/firejail/macros.c b/src/firejail/macros.c index 27893938f..4bf3d3589 100644 --- a/src/firejail/macros.c +++ b/src/firejail/macros.c | |||
@@ -69,7 +69,7 @@ Macro macro[] = { | |||
69 | }; | 69 | }; |
70 | 70 | ||
71 | // return -1 if not found | 71 | // return -1 if not found |
72 | static int macro_id(const char *name) { | 72 | int macro_id(const char *name) { |
73 | int i = 0; | 73 | int i = 0; |
74 | while (macro[i].name != NULL) { | 74 | while (macro[i].name != NULL) { |
75 | if (strcmp(name, macro[i].name) == 0) | 75 | if (strcmp(name, macro[i].name) == 0) |