tweaks

author: smitsohu <smitsohu@gmail.com> 2022-07-12 14:00:51 +0200
committer: smitsohu <smitsohu@gmail.com> 2022-07-12 14:00:51 +0200
commit: 56aebe3c27a9cc2c8e479fd630a5d1e01d9d2190 (patch)
tree: 77687864b69732ceda8bcfbe12eba3b25ef68e88 /src
parent: always assert runfile mode and ownership (diff)
download: firejail-56aebe3c27a9cc2c8e479fd630a5d1e01d9d2190.tar.gz
firejail-56aebe3c27a9cc2c8e479fd630a5d1e01d9d2190.tar.zst
firejail-56aebe3c27a9cc2c8e479fd630a5d1e01d9d2190.zip
4 files changed, 20 insertions, 14 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index aec320c1f..f8a23678a 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -908,7 +908,7 @@ void set_name_run_file(pid_t pid);
 void set_x11_run_file(pid_t pid, int display);
 void set_profile_run_file(pid_t pid, const char *fname);
 void set_sandbox_run_file(pid_t pid, pid_t child);
-void release_sandbox_run_file_lock(void);
+void release_sandbox_lock(void);
 // dbus.c
 int dbus_check_name(const char *name);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 539760535..ff88b9f6e 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -190,8 +190,6 @@ static void myexit(int rv) {
 }
 static void my_handler(int s) {
-        release_sandbox_run_file_lock();
        fmessage("\nParent received signal %d, shutting down the child process...\n", s);
        logsignal(s);
@@ -204,6 +202,7 @@ static void my_handler(int s) {
                        kill(child, SIGKILL);
                waitpid(child, NULL, 0);
        }
+        release_sandbox_lock();
        myexit(128 + s);
 }
@@ -3223,7 +3222,7 @@ int main(int argc, char **argv, char **envp) {
        // end of signal-safe code
        //*****************************
-        release_sandbox_run_file_lock();
+        release_sandbox_lock();
        if (WIFEXITED(status)){
                myexit(WEXITSTATUS(status));
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index 031e42d1d..b25b79a9e 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -27,8 +27,13 @@ static int tmpfs_mounted = 0;
 // build /run/firejail directory
 void preproc_build_firejail_dir(void) {
+        struct stat s;
        // CentOS 6 doesn't have /run directory
-        create_empty_dir_as_root(RUN_FIREJAIL_BASEDIR, 0755);
+        if (stat(RUN_FIREJAIL_BASEDIR, &s)) {
+                create_empty_dir_as_root(RUN_FIREJAIL_BASEDIR, 0755);
+        }
        create_empty_dir_as_root(RUN_FIREJAIL_DIR, 0755);
        create_empty_dir_as_root(RUN_FIREJAIL_NETWORK_DIR, 0755);
        create_empty_dir_as_root(RUN_FIREJAIL_BANDWIDTH_DIR, 0755);
diff --git a/src/firejail/run_files.c b/src/firejail/run_files.c
index 6724e2cd8..212a69bc3 100644
--- a/src/firejail/run_files.c
+++ b/src/firejail/run_files.c
@@ -164,7 +164,7 @@ void set_profile_run_file(pid_t pid, const char *fname) {
        free(runfile);
 }
-static int sandbox_run_file_fd = -1;
+static int sandbox_lock_fd = -1;
 void set_sandbox_run_file(pid_t pid, pid_t child) {
        char *runfile;
        if (asprintf(&runfile, "%s/%d", RUN_FIREJAIL_SANDBOX_DIR, pid) == -1)
@@ -173,8 +173,8 @@ void set_sandbox_run_file(pid_t pid, pid_t child) {
        EUID_ROOT();
        // the file is deleted first
        // this file should be opened with O_CLOEXEC set
-        sandbox_run_file_fd = open(runfile, O_CREAT | O_WRONLY | O_TRUNC | O_CLOEXEC, S_IRUSR | S_IWUSR);
+        int fd = open(runfile, O_CREAT | O_WRONLY | O_TRUNC | O_CLOEXEC, S_IRUSR | S_IWUSR);
-        if (sandbox_run_file_fd < 0) {
+        if (fd < 0) {
                fprintf(stderr, "Error: cannot create %s\n", runfile);
                exit(1);
        }
@@ -186,7 +186,7 @@ void set_sandbox_run_file(pid_t pid, pid_t child) {
        size_t len = strlen(buf);
        size_t done = 0;
        while (done != len) {
-                ssize_t rv = write(sandbox_run_file_fd, buf + done, len - done);
+                ssize_t rv = write(fd, buf + done, len - done);
                if (rv < 0)
                        errExit("write");
                done += rv;
@@ -200,13 +200,15 @@ void set_sandbox_run_file(pid_t pid, pid_t child) {
                .l_start = 0,
                .l_len = 0,
        };
-        if (fcntl(sandbox_run_file_fd, F_SETLK, &sandbox_lock) < 0)
+        if (fcntl(fd, F_SETLK, &sandbox_lock) < 0)
                errExit("fcntl");
+        sandbox_lock_fd = fd;
 }
-void release_sandbox_run_file_lock(void) {
+void release_sandbox_lock(void) {
-        assert(sandbox_run_file_fd > -1);
+        assert(sandbox_lock_fd > -1);
-        close(sandbox_run_file_fd);
+        close(sandbox_lock_fd);
-        sandbox_run_file_fd = -1;
+        sandbox_lock_fd = -1;
 }
author	smitsohu <smitsohu@gmail.com>	2022-07-12 14:00:51 +0200
committer	smitsohu <smitsohu@gmail.com>	2022-07-12 14:00:51 +0200
commit	56aebe3c27a9cc2c8e479fd630a5d1e01d9d2190 (patch)
tree	77687864b69732ceda8bcfbe12eba3b25ef68e88 /src
parent	always assert runfile mode and ownership (diff)
download	firejail-56aebe3c27a9cc2c8e479fd630a5d1e01d9d2190.tar.gz firejail-56aebe3c27a9cc2c8e479fd630a5d1e01d9d2190.tar.zst firejail-56aebe3c27a9cc2c8e479fd630a5d1e01d9d2190.zip