fs_home.c: improve EUID switching, fix selinux relabeling

author: smitsohu <smitsohu@gmail.com> 2021-06-26 12:35:48 +0200
committer: smitsohu <smitsohu@gmail.com> 2021-06-26 16:18:52 +0200
commit: 771dccecba69e134cbf425ad036b2d1fa01f1ccc (patch)
tree: 957db49aee8e29d9658a71da9fdfc7d4424a499a /src
parent: copy_file_as_user function: drop not needed arguments (diff)
download: firejail-771dccecba69e134cbf425ad036b2d1fa01f1ccc.tar.gz
firejail-771dccecba69e134cbf425ad036b2d1fa01f1ccc.tar.zst
firejail-771dccecba69e134cbf425ad036b2d1fa01f1ccc.zip
5 files changed, 61 insertions, 29 deletions
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 04f1a0898..1c4f9e07e 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -35,11 +35,12 @@
 #endif
 static void skel(const char *homedir) {
-        char *fname;
+        EUID_ASSERT();
        // zsh
        if (!arg_shell_none && (strcmp(cfg.shell,"/usr/bin/zsh") == 0 || strcmp(cfg.shell,"/bin/zsh") == 0)) {
                // copy skel files
+                char *fname;
                if (asprintf(&fname, "%s/.zshrc", homedir) == -1)
                        errExit("asprintf");
                // don't copy it if we already have the file
@@ -64,6 +65,7 @@ static void skel(const char *homedir) {
        // csh
        else if (!arg_shell_none && strcmp(cfg.shell,"/bin/csh") == 0) {
                // copy skel files
+                char *fname;
                if (asprintf(&fname, "%s/.cshrc", homedir) == -1)
                        errExit("asprintf");
                // don't copy it if we already have the file
@@ -88,6 +90,7 @@ static void skel(const char *homedir) {
        // bash etc.
        else {
                // copy skel files
+                char *fname;
                if (asprintf(&fname, "%s/.bashrc", homedir) == -1)
                        errExit("asprintf");
                // don't copy it if we already have the file
@@ -108,6 +111,7 @@ static void skel(const char *homedir) {
 }
 static int store_xauthority(void) {
+        EUID_ASSERT();
        if (arg_x11_block)
                return 0;
@@ -118,7 +122,7 @@ static int store_xauthority(void) {
                errExit("asprintf");
        struct stat s;
-        if (lstat_as_user(src, &s) == 0) {
+        if (lstat(src, &s) == 0) {
                if (S_ISLNK(s.st_mode)) {
                        fwarning("invalid .Xauthority file\n");
                        free(src);
@@ -126,6 +130,7 @@ static int store_xauthority(void) {
                }
                // create an empty file as root, and change ownership to user
+                EUID_ROOT();
                FILE *fp = fopen(dest, "we");
                if (fp) {
                        fprintf(fp, "\n");
@@ -134,10 +139,11 @@ static int store_xauthority(void) {
                }
                else
                        errExit("fopen");
+                EUID_USER();
                copy_file_as_user(src, dest, 0600); // regular user
-                fs_logger2("clone", dest);
                selinux_relabel_path(dest, src);
+                fs_logger2("clone", dest);
                free(src);
                return 1; // file copied
        }
@@ -147,6 +153,7 @@ static int store_xauthority(void) {
 }
 static int store_asoundrc(void) {
+        EUID_ASSERT();
        if (arg_nosound)
                return 0;
@@ -157,11 +164,11 @@ static int store_asoundrc(void) {
                errExit("asprintf");
        struct stat s;
-        if (lstat_as_user(src, &s) == 0) {
+        if (lstat(src, &s) == 0) {
                if (S_ISLNK(s.st_mode)) {
                        // make sure the real path of the file is inside the home directory
                        /* coverity[toctou] */
-                        char *rp = realpath_as_user(src);
+                        char *rp = realpath(src, NULL);
                        if (!rp) {
                                fprintf(stderr, "Error: Cannot access %s\n", src);
                                exit(1);
@@ -174,6 +181,7 @@ static int store_asoundrc(void) {
                }
                // create an empty file as root, and change ownership to user
+                EUID_ROOT();
                FILE *fp = fopen(dest, "we");
                if (fp) {
                        fprintf(fp, "\n");
@@ -182,10 +190,11 @@ static int store_asoundrc(void) {
                }
                else
                        errExit("fopen");
+                EUID_USER();
                copy_file_as_user(src, dest, 0644); // regular user
-                selinux_relabel_path(dest, src);
                fs_logger2("clone", dest);
+                selinux_relabel_path(dest, src);
                free(src);
                return 1; // file copied
        }
@@ -195,6 +204,7 @@ static int store_asoundrc(void) {
 }
 static void copy_xauthority(void) {
+        EUID_ASSERT();
        // copy XAUTHORITY_FILE in the new home directory
        char *src = RUN_XAUTHORITY_FILE ;
        char *dest;
@@ -208,15 +218,17 @@ static void copy_xauthority(void) {
        }
        copy_file_as_user(src, dest, S_IRUSR | S_IWUSR); // regular user
-        selinux_relabel_path(dest, src);
        fs_logger2("clone", dest);
+        selinux_relabel_path(dest, dest);
        free(dest);
-        // delete the temporary file
+        EUID_ROOT();
-        unlink(src);
+        unlink(src); // delete the temporary file
+        EUID_USER();
 }
 static void copy_asoundrc(void) {
+        EUID_ASSERT();
        // copy ASOUNDRC_FILE in the new home directory
        char *src = RUN_ASOUNDRC_FILE ;
        char *dest;
@@ -230,12 +242,13 @@ static void copy_asoundrc(void) {
        }
        copy_file_as_user(src, dest, S_IRUSR | S_IWUSR); // regular user
-        selinux_relabel_path(dest, src);
        fs_logger2("clone", dest);
+        selinux_relabel_path(dest, dest);
        free(dest);
-        // delete the temporary file
+        EUID_ROOT();
-        unlink(src);
+        unlink(src); // delete the temporary file
+        EUID_USER();
 }
 // private mode (--private=homedir):
@@ -248,18 +261,18 @@ void fs_private_homedir(void) {
        char *private_homedir = cfg.home_private;
        assert(homedir);
        assert(private_homedir);
+        EUID_ASSERT();
-        int xflag = store_xauthority();
-        int aflag = store_asoundrc();
        uid_t u = getuid();
        // gid_t g = getgid();
+        int xflag = store_xauthority();
+        int aflag = store_asoundrc();
        // mount bind private_homedir on top of homedir
        if (arg_debug)
                printf("Mount-bind %s on top of %s\n", private_homedir, homedir);
        // get file descriptors for homedir and private_homedir, fails if there is any symlink
-        EUID_USER();
        int src = safer_openat(-1, private_homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
        if (src == -1)
                errExit("opening private directory");
@@ -287,6 +300,7 @@ void fs_private_homedir(void) {
        EUID_ROOT();
        if (bind_mount_by_fd(src, dst))
                errExit("mount bind");
+        EUID_USER();
        // check /proc/self/mountinfo to confirm the mount is ok
        MountData *mptr = get_last_mount();
@@ -305,6 +319,7 @@ void fs_private_homedir(void) {
 //      if (chmod(homedir, s.st_mode) == -1)
 //              errExit("mount-bind chmod");
+        EUID_ROOT();
        if (u != 0) {
                // mask /root
                if (arg_debug)
@@ -323,6 +338,7 @@ void fs_private_homedir(void) {
                selinux_relabel_path("/home", "/home");
                fs_logger("tmpfs /home");
        }
+        EUID_USER();
        skel(homedir);
        if (xflag)
@@ -339,6 +355,7 @@ void fs_private_homedir(void) {
 void fs_private(void) {
        char *homedir = cfg.homedir;
        assert(homedir);
+        EUID_ASSERT();
        uid_t u = getuid();
        gid_t g = getgid();
@@ -346,6 +363,7 @@ void fs_private(void) {
        int xflag = store_xauthority();
        int aflag = store_asoundrc();
+        EUID_ROOT();
        // mask /root
        if (arg_debug)
                printf("Mounting a new /root directory\n");
@@ -388,6 +406,7 @@ void fs_private(void) {
                selinux_relabel_path(homedir, homedir);
        }
+        EUID_USER();
        skel(homedir);
        if (xflag)
@@ -531,26 +550,29 @@ static void duplicate(char *name) {
 //      set skel files,
 //      restore .Xauthority
 void fs_private_home_list(void) {
-        timetrace_start();
        char *homedir = cfg.homedir;
        char *private_list = cfg.home_private_keep;
        assert(homedir);
        assert(private_list);
+        EUID_ASSERT();
-        int xflag = store_xauthority();
+        timetrace_start();
-        int aflag = store_asoundrc();
        uid_t uid = getuid();
        gid_t gid = getgid();
+        int xflag = store_xauthority();
+        int aflag = store_asoundrc();
        // create /run/firejail/mnt/home directory
+        EUID_ROOT();
        mkdir_attr(RUN_HOME_DIR, 0755, uid, gid);
        selinux_relabel_path(RUN_HOME_DIR, homedir);
        fs_logger_print();      // save the current log
+        EUID_USER();
        // copy the list of files in the new home directory
-        EUID_USER();
        if (arg_debug)
                printf("Copying files in the new home:\n");
        char *dlist = strdup(cfg.home_private_keep);
@@ -589,6 +611,7 @@ void fs_private_home_list(void) {
        if (bind_mount_path_to_fd(RUN_HOME_DIR, fd))
                errExit("mount bind");
        close(fd);
+        EUID_USER();
        // check /proc/self/mountinfo to confirm the mount is ok
        MountData *mptr = get_last_mount();
@@ -596,11 +619,7 @@ void fs_private_home_list(void) {
                errLogExit("invalid private-home mount");
        fs_logger2("tmpfs", homedir);
-        // mask RUN_HOME_DIR, it is writable and not noexec
+        EUID_ROOT();
-        if (mount("tmpfs", RUN_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
-                errExit("mounting tmpfs");
-        fs_logger2("tmpfs", RUN_HOME_DIR);
        if (uid != 0) {
                // mask /root
                if (arg_debug)
@@ -620,6 +639,11 @@ void fs_private_home_list(void) {
                fs_logger("tmpfs /home");
        }
+        // mask RUN_HOME_DIR, it is writable and not noexec
+        if (mount("tmpfs", RUN_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME,  "mode=755,gid=0") < 0)
+                errExit("mounting tmpfs");
+        EUID_USER();
        skel(homedir);
        if (xflag)
                copy_xauthority();
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 370035a4d..7588f69b7 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -374,9 +374,12 @@ static void tmpfs_topdirs(const TopDir *topdirs) {
        }
        // user home directory
-        if (tmpfs_home)
+        if (tmpfs_home) {
                // checks owner if outside /home
+                EUID_USER();
                fs_private();
+                EUID_ROOT();
+        }
        // /run/user/$UID directory
        if (tmpfs_runuser) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index e06ba3617..95be3335f 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -840,6 +840,7 @@ int sandbox(void* sandbox_arg) {
        // private mode
        //****************************
        if (arg_private) {
+                EUID_USER();
                if (cfg.home_private) { // --private=
                        if (cfg.chrootdir)
                                fwarning("private=directory feature is disabled in chroot\n");
@@ -858,6 +859,7 @@ int sandbox(void* sandbox_arg) {
                }
                else // --private
                        fs_private();
+                EUID_ROOT();
        }
        if (arg_private_dev)
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 0921736f1..8fcaf3f7b 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1231,6 +1231,7 @@ unsigned extract_timeout(const char *str) {
 }
 void disable_file_or_dir(const char *fname) {
+        assert(geteuid() == 0);
        assert(fname);
        EUID_USER();
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 0619ff380..896aa2fd3 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1290,9 +1290,11 @@ void x11_xorg(void) {
        if (envar) {
                char *rp = realpath(envar, NULL);
                if (rp) {
-                        if (strcmp(rp, dest) != 0)
+                        if (strcmp(rp, dest) != 0) {
-                                // disable_file_or_dir returns with EUID 0
+                                EUID_ROOT();
                                disable_file_or_dir(rp);
+                                EUID_USER();
+                        }
                        free(rp);
                }
        }
author	smitsohu <smitsohu@gmail.com>	2021-06-26 12:35:48 +0200
committer	smitsohu <smitsohu@gmail.com>	2021-06-26 16:18:52 +0200
commit	771dccecba69e134cbf425ad036b2d1fa01f1ccc (patch)
tree	957db49aee8e29d9658a71da9fdfc7d4424a499a /src
parent	copy_file_as_user function: drop not needed arguments (diff)
download	firejail-771dccecba69e134cbf425ad036b2d1fa01f1ccc.tar.gz firejail-771dccecba69e134cbf425ad036b2d1fa01f1ccc.tar.zst firejail-771dccecba69e134cbf425ad036b2d1fa01f1ccc.zip

diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 04f1a0898..1c4f9e07e 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c
@@ -35,11 +35,12 @@
35	#endif	35	#endif
36		36
37	static void skel(const char *homedir) {	37	static void skel(const char *homedir) {
38	char *fname;	38	EUID_ASSERT();
39		39
40	// zsh	40	// zsh
41	if (!arg_shell_none && (strcmp(cfg.shell,"/usr/bin/zsh") == 0 \|\| strcmp(cfg.shell,"/bin/zsh") == 0)) {	41	if (!arg_shell_none && (strcmp(cfg.shell,"/usr/bin/zsh") == 0 \|\| strcmp(cfg.shell,"/bin/zsh") == 0)) {
42	// copy skel files	42	// copy skel files
		43	char *fname;
43	if (asprintf(&fname, "%s/.zshrc", homedir) == -1)	44	if (asprintf(&fname, "%s/.zshrc", homedir) == -1)
44	errExit("asprintf");	45	errExit("asprintf");
45	// don't copy it if we already have the file	46	// don't copy it if we already have the file
@@ -64,6 +65,7 @@ static void skel(const char *homedir) {
64	// csh	65	// csh
65	else if (!arg_shell_none && strcmp(cfg.shell,"/bin/csh") == 0) {	66	else if (!arg_shell_none && strcmp(cfg.shell,"/bin/csh") == 0) {
66	// copy skel files	67	// copy skel files
		68	char *fname;
67	if (asprintf(&fname, "%s/.cshrc", homedir) == -1)	69	if (asprintf(&fname, "%s/.cshrc", homedir) == -1)
68	errExit("asprintf");	70	errExit("asprintf");
69	// don't copy it if we already have the file	71	// don't copy it if we already have the file
@@ -88,6 +90,7 @@ static void skel(const char *homedir) {
88	// bash etc.	90	// bash etc.
89	else {	91	else {
90	// copy skel files	92	// copy skel files
		93	char *fname;
91	if (asprintf(&fname, "%s/.bashrc", homedir) == -1)	94	if (asprintf(&fname, "%s/.bashrc", homedir) == -1)
92	errExit("asprintf");	95	errExit("asprintf");
93	// don't copy it if we already have the file	96	// don't copy it if we already have the file
@@ -108,6 +111,7 @@ static void skel(const char *homedir) {
108	}	111	}
109		112
110	static int store_xauthority(void) {	113	static int store_xauthority(void) {
		114	EUID_ASSERT();
111	if (arg_x11_block)	115	if (arg_x11_block)
112	return 0;	116	return 0;
113		117
@@ -118,7 +122,7 @@ static int store_xauthority(void) {
118	errExit("asprintf");	122	errExit("asprintf");
119		123
120	struct stat s;	124	struct stat s;
121	if (lstat_as_user(src, &s) == 0) {	125	if (lstat(src, &s) == 0) {
122	if (S_ISLNK(s.st_mode)) {	126	if (S_ISLNK(s.st_mode)) {
123	fwarning("invalid .Xauthority file\n");	127	fwarning("invalid .Xauthority file\n");
124	free(src);	128	free(src);
@@ -126,6 +130,7 @@ static int store_xauthority(void) {
126	}	130	}
127		131
128	// create an empty file as root, and change ownership to user	132	// create an empty file as root, and change ownership to user
		133	EUID_ROOT();
129	FILE *fp = fopen(dest, "we");	134	FILE *fp = fopen(dest, "we");
130	if (fp) {	135	if (fp) {
131	fprintf(fp, "\n");	136	fprintf(fp, "\n");
@@ -134,10 +139,11 @@ static int store_xauthority(void) {
134	}	139	}
135	else	140	else
136	errExit("fopen");	141	errExit("fopen");
		142	EUID_USER();
137		143
138	copy_file_as_user(src, dest, 0600); // regular user	144	copy_file_as_user(src, dest, 0600); // regular user
139	fs_logger2("clone", dest);
140	selinux_relabel_path(dest, src);	145	selinux_relabel_path(dest, src);
		146	fs_logger2("clone", dest);
141	free(src);	147	free(src);
142	return 1; // file copied	148	return 1; // file copied
143	}	149	}
@@ -147,6 +153,7 @@ static int store_xauthority(void) {
147	}	153	}
148		154
149	static int store_asoundrc(void) {	155	static int store_asoundrc(void) {
		156	EUID_ASSERT();
150	if (arg_nosound)	157	if (arg_nosound)
151	return 0;	158	return 0;
152		159
@@ -157,11 +164,11 @@ static int store_asoundrc(void) {
157	errExit("asprintf");	164	errExit("asprintf");
158		165
159	struct stat s;	166	struct stat s;
160	if (lstat_as_user(src, &s) == 0) {	167	if (lstat(src, &s) == 0) {
161	if (S_ISLNK(s.st_mode)) {	168	if (S_ISLNK(s.st_mode)) {
162	// make sure the real path of the file is inside the home directory	169	// make sure the real path of the file is inside the home directory
163	/* coverity[toctou] */	170	/* coverity[toctou] */
164	char *rp = realpath_as_user(src);	171	char *rp = realpath(src, NULL);
165	if (!rp) {	172	if (!rp) {
166	fprintf(stderr, "Error: Cannot access %s\n", src);	173	fprintf(stderr, "Error: Cannot access %s\n", src);
167	exit(1);	174	exit(1);
@@ -174,6 +181,7 @@ static int store_asoundrc(void) {
174	}	181	}
175		182
176	// create an empty file as root, and change ownership to user	183	// create an empty file as root, and change ownership to user
		184	EUID_ROOT();
177	FILE *fp = fopen(dest, "we");	185	FILE *fp = fopen(dest, "we");
178	if (fp) {	186	if (fp) {
179	fprintf(fp, "\n");	187	fprintf(fp, "\n");
@@ -182,10 +190,11 @@ static int store_asoundrc(void) {
182	}	190	}
183	else	191	else
184	errExit("fopen");	192	errExit("fopen");
		193	EUID_USER();
185		194
186	copy_file_as_user(src, dest, 0644); // regular user	195	copy_file_as_user(src, dest, 0644); // regular user
187	selinux_relabel_path(dest, src);
188	fs_logger2("clone", dest);	196	fs_logger2("clone", dest);
		197	selinux_relabel_path(dest, src);
189	free(src);	198	free(src);
190	return 1; // file copied	199	return 1; // file copied
191	}	200	}
@@ -195,6 +204,7 @@ static int store_asoundrc(void) {
195	}	204	}
196		205
197	static void copy_xauthority(void) {	206	static void copy_xauthority(void) {
		207	EUID_ASSERT();
198	// copy XAUTHORITY_FILE in the new home directory	208	// copy XAUTHORITY_FILE in the new home directory
199	char *src = RUN_XAUTHORITY_FILE ;	209	char *src = RUN_XAUTHORITY_FILE ;
200	char *dest;	210	char *dest;
@@ -208,15 +218,17 @@ static void copy_xauthority(void) {
208	}	218	}
209		219
210	copy_file_as_user(src, dest, S_IRUSR \| S_IWUSR); // regular user	220	copy_file_as_user(src, dest, S_IRUSR \| S_IWUSR); // regular user
211	selinux_relabel_path(dest, src);
212	fs_logger2("clone", dest);	221	fs_logger2("clone", dest);
		222	selinux_relabel_path(dest, dest);
213	free(dest);	223	free(dest);
214		224
215	// delete the temporary file	225	EUID_ROOT();
216	unlink(src);	226	unlink(src); // delete the temporary file
		227	EUID_USER();
217	}	228	}
218		229
219	static void copy_asoundrc(void) {	230	static void copy_asoundrc(void) {
		231	EUID_ASSERT();
220	// copy ASOUNDRC_FILE in the new home directory	232	// copy ASOUNDRC_FILE in the new home directory
221	char *src = RUN_ASOUNDRC_FILE ;	233	char *src = RUN_ASOUNDRC_FILE ;
222	char *dest;	234	char *dest;
@@ -230,12 +242,13 @@ static void copy_asoundrc(void) {
230	}	242	}
231		243
232	copy_file_as_user(src, dest, S_IRUSR \| S_IWUSR); // regular user	244	copy_file_as_user(src, dest, S_IRUSR \| S_IWUSR); // regular user
233	selinux_relabel_path(dest, src);
234	fs_logger2("clone", dest);	245	fs_logger2("clone", dest);
		246	selinux_relabel_path(dest, dest);
235	free(dest);	247	free(dest);
236		248
237	// delete the temporary file	249	EUID_ROOT();
238	unlink(src);	250	unlink(src); // delete the temporary file
		251	EUID_USER();
239	}	252	}
240		253
241	// private mode (--private=homedir):	254	// private mode (--private=homedir):
@@ -248,18 +261,18 @@ void fs_private_homedir(void) {
248	char *private_homedir = cfg.home_private;	261	char *private_homedir = cfg.home_private;
249	assert(homedir);	262	assert(homedir);
250	assert(private_homedir);	263	assert(private_homedir);
251		264	EUID_ASSERT();
252	int xflag = store_xauthority();
253	int aflag = store_asoundrc();
254		265
255	uid_t u = getuid();	266	uid_t u = getuid();
256	// gid_t g = getgid();	267	// gid_t g = getgid();
257		268
		269	int xflag = store_xauthority();
		270	int aflag = store_asoundrc();
		271
258	// mount bind private_homedir on top of homedir	272	// mount bind private_homedir on top of homedir
259	if (arg_debug)	273	if (arg_debug)
260	printf("Mount-bind %s on top of %s\n", private_homedir, homedir);	274	printf("Mount-bind %s on top of %s\n", private_homedir, homedir);
261	// get file descriptors for homedir and private_homedir, fails if there is any symlink	275	// get file descriptors for homedir and private_homedir, fails if there is any symlink
262	EUID_USER();
263	int src = safer_openat(-1, private_homedir, O_PATH\|O_DIRECTORY\|O_NOFOLLOW\|O_CLOEXEC);	276	int src = safer_openat(-1, private_homedir, O_PATH\|O_DIRECTORY\|O_NOFOLLOW\|O_CLOEXEC);
264	if (src == -1)	277	if (src == -1)
265	errExit("opening private directory");	278	errExit("opening private directory");
@@ -287,6 +300,7 @@ void fs_private_homedir(void) {
287	EUID_ROOT();	300	EUID_ROOT();
288	if (bind_mount_by_fd(src, dst))	301	if (bind_mount_by_fd(src, dst))
289	errExit("mount bind");	302	errExit("mount bind");
		303	EUID_USER();
290		304
291	// check /proc/self/mountinfo to confirm the mount is ok	305	// check /proc/self/mountinfo to confirm the mount is ok
292	MountData *mptr = get_last_mount();	306	MountData *mptr = get_last_mount();
@@ -305,6 +319,7 @@ void fs_private_homedir(void) {
305	// if (chmod(homedir, s.st_mode) == -1)	319	// if (chmod(homedir, s.st_mode) == -1)
306	// errExit("mount-bind chmod");	320	// errExit("mount-bind chmod");
307		321
		322	EUID_ROOT();
308	if (u != 0) {	323	if (u != 0) {
309	// mask /root	324	// mask /root
310	if (arg_debug)	325	if (arg_debug)
@@ -323,6 +338,7 @@ void fs_private_homedir(void) {
323	selinux_relabel_path("/home", "/home");	338	selinux_relabel_path("/home", "/home");
324	fs_logger("tmpfs /home");	339	fs_logger("tmpfs /home");
325	}	340	}
		341	EUID_USER();
326		342
327	skel(homedir);	343	skel(homedir);
328	if (xflag)	344	if (xflag)
@@ -339,6 +355,7 @@ void fs_private_homedir(void) {
339	void fs_private(void) {	355	void fs_private(void) {
340	char *homedir = cfg.homedir;	356	char *homedir = cfg.homedir;
341	assert(homedir);	357	assert(homedir);
		358	EUID_ASSERT();
342		359
343	uid_t u = getuid();	360	uid_t u = getuid();
344	gid_t g = getgid();	361	gid_t g = getgid();
@@ -346,6 +363,7 @@ void fs_private(void) {
346	int xflag = store_xauthority();	363	int xflag = store_xauthority();
347	int aflag = store_asoundrc();	364	int aflag = store_asoundrc();
348		365
		366	EUID_ROOT();
349	// mask /root	367	// mask /root
350	if (arg_debug)	368	if (arg_debug)
351	printf("Mounting a new /root directory\n");	369	printf("Mounting a new /root directory\n");
@@ -388,6 +406,7 @@ void fs_private(void) {
388		406
389	selinux_relabel_path(homedir, homedir);	407	selinux_relabel_path(homedir, homedir);
390	}	408	}
		409	EUID_USER();
391		410
392	skel(homedir);	411	skel(homedir);
393	if (xflag)	412	if (xflag)
@@ -531,26 +550,29 @@ static void duplicate(char *name) {
531	// set skel files,	550	// set skel files,
532	// restore .Xauthority	551	// restore .Xauthority
533	void fs_private_home_list(void) {	552	void fs_private_home_list(void) {
534	timetrace_start();
535
536	char *homedir = cfg.homedir;	553	char *homedir = cfg.homedir;
537	char *private_list = cfg.home_private_keep;	554	char *private_list = cfg.home_private_keep;
538	assert(homedir);	555	assert(homedir);
539	assert(private_list);	556	assert(private_list);
		557	EUID_ASSERT();
540		558
541	int xflag = store_xauthority();	559	timetrace_start();
542	int aflag = store_asoundrc();
543		560
544	uid_t uid = getuid();	561	uid_t uid = getuid();
545	gid_t gid = getgid();	562	gid_t gid = getgid();
546		563
		564	int xflag = store_xauthority();
		565	int aflag = store_asoundrc();
		566
547	// create /run/firejail/mnt/home directory	567	// create /run/firejail/mnt/home directory
		568	EUID_ROOT();
548	mkdir_attr(RUN_HOME_DIR, 0755, uid, gid);	569	mkdir_attr(RUN_HOME_DIR, 0755, uid, gid);
549	selinux_relabel_path(RUN_HOME_DIR, homedir);	570	selinux_relabel_path(RUN_HOME_DIR, homedir);
		571
550	fs_logger_print(); // save the current log	572	fs_logger_print(); // save the current log
		573	EUID_USER();
551		574
552	// copy the list of files in the new home directory	575	// copy the list of files in the new home directory
553	EUID_USER();
554	if (arg_debug)	576	if (arg_debug)
555	printf("Copying files in the new home:\n");	577	printf("Copying files in the new home:\n");
556	char *dlist = strdup(cfg.home_private_keep);	578	char *dlist = strdup(cfg.home_private_keep);
@@ -589,6 +611,7 @@ void fs_private_home_list(void) {
589	if (bind_mount_path_to_fd(RUN_HOME_DIR, fd))	611	if (bind_mount_path_to_fd(RUN_HOME_DIR, fd))
590	errExit("mount bind");	612	errExit("mount bind");
591	close(fd);	613	close(fd);
		614	EUID_USER();
592		615
593	// check /proc/self/mountinfo to confirm the mount is ok	616	// check /proc/self/mountinfo to confirm the mount is ok
594	MountData *mptr = get_last_mount();	617	MountData *mptr = get_last_mount();
@@ -596,11 +619,7 @@ void fs_private_home_list(void) {
596	errLogExit("invalid private-home mount");	619	errLogExit("invalid private-home mount");
597	fs_logger2("tmpfs", homedir);	620	fs_logger2("tmpfs", homedir);
598		621
599	// mask RUN_HOME_DIR, it is writable and not noexec	622	EUID_ROOT();
600	if (mount("tmpfs", RUN_HOME_DIR, "tmpfs", MS_NOSUID \| MS_NODEV \| MS_STRICTATIME, "mode=755,gid=0") < 0)
601	errExit("mounting tmpfs");
602	fs_logger2("tmpfs", RUN_HOME_DIR);
603
604	if (uid != 0) {	623	if (uid != 0) {
605	// mask /root	624	// mask /root
606	if (arg_debug)	625	if (arg_debug)
@@ -620,6 +639,11 @@ void fs_private_home_list(void) {
620	fs_logger("tmpfs /home");	639	fs_logger("tmpfs /home");
621	}	640	}
622		641
		642	// mask RUN_HOME_DIR, it is writable and not noexec
		643	if (mount("tmpfs", RUN_HOME_DIR, "tmpfs", MS_NOSUID \| MS_NODEV \| MS_STRICTATIME, "mode=755,gid=0") < 0)
		644	errExit("mounting tmpfs");
		645	EUID_USER();
		646
623	skel(homedir);	647	skel(homedir);
624	if (xflag)	648	if (xflag)
625	copy_xauthority();	649	copy_xauthority();


diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 370035a4d..7588f69b7 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c
@@ -374,9 +374,12 @@ static void tmpfs_topdirs(const TopDir *topdirs) {
374	}	374	}
375		375
376	// user home directory	376	// user home directory
377	if (tmpfs_home)	377	if (tmpfs_home) {
378	// checks owner if outside /home	378	// checks owner if outside /home
		379	EUID_USER();
379	fs_private();	380	fs_private();
		381	EUID_ROOT();
		382	}
380		383
381	// /run/user/$UID directory	384	// /run/user/$UID directory
382	if (tmpfs_runuser) {	385	if (tmpfs_runuser) {


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index e06ba3617..95be3335f 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -840,6 +840,7 @@ int sandbox(void* sandbox_arg) {
840	// private mode	840	// private mode
841	//****************************	841	//****************************
842	if (arg_private) {	842	if (arg_private) {
		843	EUID_USER();
843	if (cfg.home_private) { // --private=	844	if (cfg.home_private) { // --private=
844	if (cfg.chrootdir)	845	if (cfg.chrootdir)
845	fwarning("private=directory feature is disabled in chroot\n");	846	fwarning("private=directory feature is disabled in chroot\n");
@@ -858,6 +859,7 @@ int sandbox(void* sandbox_arg) {
858	}	859	}
859	else // --private	860	else // --private
860	fs_private();	861	fs_private();
		862	EUID_ROOT();
861	}	863	}
862		864
863	if (arg_private_dev)	865	if (arg_private_dev)


diff --git a/src/firejail/util.c b/src/firejail/util.c index 0921736f1..8fcaf3f7b 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c
@@ -1231,6 +1231,7 @@ unsigned extract_timeout(const char *str) {
1231	}	1231	}
1232		1232
1233	void disable_file_or_dir(const char *fname) {	1233	void disable_file_or_dir(const char *fname) {
		1234	assert(geteuid() == 0);
1234	assert(fname);	1235	assert(fname);
1235		1236
1236	EUID_USER();	1237	EUID_USER();


diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 0619ff380..896aa2fd3 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c
@@ -1290,9 +1290,11 @@ void x11_xorg(void) {
1290	if (envar) {	1290	if (envar) {
1291	char *rp = realpath(envar, NULL);	1291	char *rp = realpath(envar, NULL);
1292	if (rp) {	1292	if (rp) {
1293	if (strcmp(rp, dest) != 0)	1293	if (strcmp(rp, dest) != 0) {
1294	// disable_file_or_dir returns with EUID 0	1294	EUID_ROOT();
1295	disable_file_or_dir(rp);	1295	disable_file_or_dir(rp);
		1296	EUID_USER();
		1297	}
1296	free(rp);	1298	free(rp);
1297	}	1299	}
1298	}	1300	}