diff options
| author |  smitsohu <smitsohu@gmail.com> | 2019-05-24 23:37:04 +0200 |
|---|---|---|
| committer | smitsohu <smitsohu@gmail.com> | 2019-05-24 23:37:04 +0200 |
| commit | c8e3cb72d477013adb57beb03417acb0f076d739 (patch) | |
| tree | 12b774fe79bfe0c6107db222dac7d0c5fe10e0d8 /src | |
| parent | Merge pull request #2712 from apmorton/features/private-cwd (diff) | |
| download | firejail-c8e3cb72d477013adb57beb03417acb0f076d739.tar.gz firejail-c8e3cb72d477013adb57beb03417acb0f076d739.tar.zst firejail-c8e3cb72d477013adb57beb03417acb0f076d739.zip | |
small private-cwd adjustments
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/firejail.h | 2 | ||||
| -rw-r--r-- | src/firejail/fs_home.c | 8 | ||||
| -rw-r--r-- | src/firejail/main.c | 17 | ||||
| -rw-r--r-- | src/firejail/profile.c | 4 | ||||
| -rw-r--r-- | src/firejail/sandbox.c | 2 |
5 files changed, 21 insertions, 12 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index f904d65d2..bb5eb50fb 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -524,7 +524,7 @@ void fs_private_homedir(void); | |||
| 524 | // check new private home directory (--private= option) - exit if it fails | 524 | // check new private home directory (--private= option) - exit if it fails |
| 525 | void fs_check_private_dir(void); | 525 | void fs_check_private_dir(void); |
| 526 | // check new private working directory (--private-cwd= option) - exit if it fails | 526 | // check new private working directory (--private-cwd= option) - exit if it fails |
| 527 | void fs_check_private_cwd(void); | 527 | void fs_check_private_cwd(const char *dir); |
| 528 | void fs_private_home_list(void); | 528 | void fs_private_home_list(void); |
| 529 | 529 | ||
| 530 | 530 | ||
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index a1a16841a..3f6d78db4 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
| @@ -371,15 +371,15 @@ void fs_check_private_dir(void) { | |||
| 371 | } | 371 | } |
| 372 | 372 | ||
| 373 | // check new private working directory (--private-cwd= option) - exit if it fails | 373 | // check new private working directory (--private-cwd= option) - exit if it fails |
| 374 | void fs_check_private_cwd(void) { | 374 | void fs_check_private_cwd(const char *dir) { |
| 375 | EUID_ASSERT(); | 375 | EUID_ASSERT(); |
| 376 | invalid_filename(cfg.cwd, 0); // no globbing | 376 | invalid_filename(dir, 0); // no globbing |
| 377 | 377 | ||
| 378 | // Expand the working directory | 378 | // Expand the working directory |
| 379 | cfg.cwd = expand_macros(cfg.cwd); | 379 | cfg.cwd = expand_macros(dir); |
| 380 | 380 | ||
| 381 | // realpath/is_dir not used because path may not exist outside of jail | 381 | // realpath/is_dir not used because path may not exist outside of jail |
| 382 | if (!cfg.cwd) { | 382 | if (strstr(cfg.cwd, "..")) { |
| 383 | fprintf(stderr, "Error: invalid private working directory\n"); | 383 | fprintf(stderr, "Error: invalid private working directory\n"); |
| 384 | exit(1); | 384 | exit(1); |
| 385 | } | 385 | } |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 7ac88f5a5..4b46bc8ae 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -632,6 +632,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
| 632 | else if (strncmp(argv[i], "--get=", 6) == 0) { | 632 | else if (strncmp(argv[i], "--get=", 6) == 0) { |
| 633 | if (checkcfg(CFG_FILE_TRANSFER)) { | 633 | if (checkcfg(CFG_FILE_TRANSFER)) { |
| 634 | logargs(argc, argv); | 634 | logargs(argc, argv); |
| 635 | if (arg_private_cwd) { | ||
| 636 | fprintf(stderr, "Error: --get and --private-cwd options are mutually exclusive\n"); | ||
| 637 | exit(1); | ||
| 638 | } | ||
| 635 | 639 | ||
| 636 | // verify path | 640 | // verify path |
| 637 | if ((i + 2) != argc) { | 641 | if ((i + 2) != argc) { |
| @@ -656,6 +660,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
| 656 | else if (strncmp(argv[i], "--put=", 6) == 0) { | 660 | else if (strncmp(argv[i], "--put=", 6) == 0) { |
| 657 | if (checkcfg(CFG_FILE_TRANSFER)) { | 661 | if (checkcfg(CFG_FILE_TRANSFER)) { |
| 658 | logargs(argc, argv); | 662 | logargs(argc, argv); |
| 663 | if (arg_private_cwd) { | ||
| 664 | fprintf(stderr, "Error: --put and --private-cwd options are mutually exclusive\n"); | ||
| 665 | exit(1); | ||
| 666 | } | ||
| 659 | 667 | ||
| 660 | // verify path | 668 | // verify path |
| 661 | if ((i + 3) != argc) { | 669 | if ((i + 3) != argc) { |
| @@ -686,6 +694,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
| 686 | else if (strncmp(argv[i], "--ls=", 5) == 0) { | 694 | else if (strncmp(argv[i], "--ls=", 5) == 0) { |
| 687 | if (checkcfg(CFG_FILE_TRANSFER)) { | 695 | if (checkcfg(CFG_FILE_TRANSFER)) { |
| 688 | logargs(argc, argv); | 696 | logargs(argc, argv); |
| 697 | if (arg_private_cwd) { | ||
| 698 | fprintf(stderr, "Error: --ls and --private-cwd options are mutually exclusive\n"); | ||
| 699 | exit(1); | ||
| 700 | } | ||
| 689 | 701 | ||
| 690 | // verify path | 702 | // verify path |
| 691 | if ((i + 2) != argc) { | 703 | if ((i + 2) != argc) { |
| @@ -1780,13 +1792,12 @@ int main(int argc, char **argv) { | |||
| 1780 | arg_private_cwd = 1; | 1792 | arg_private_cwd = 1; |
| 1781 | } | 1793 | } |
| 1782 | else if (strncmp(argv[i], "--private-cwd=", 14) == 0) { | 1794 | else if (strncmp(argv[i], "--private-cwd=", 14) == 0) { |
| 1783 | cfg.cwd = argv[i] + 14; | 1795 | if (*(argv[i] + 14) == '\0') { |
| 1784 | if (*cfg.cwd == '\0') { | ||
| 1785 | fprintf(stderr, "Error: invalid private-cwd option\n"); | 1796 | fprintf(stderr, "Error: invalid private-cwd option\n"); |
| 1786 | exit(1); | 1797 | exit(1); |
| 1787 | } | 1798 | } |
| 1788 | 1799 | ||
| 1789 | fs_check_private_cwd(); | 1800 | fs_check_private_cwd(argv[i] + 14); |
| 1790 | arg_private_cwd = 1; | 1801 | arg_private_cwd = 1; |
| 1791 | } | 1802 | } |
| 1792 | 1803 | ||
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 8d228fae6..99d83c16a 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
| @@ -359,9 +359,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
| 359 | return 0; | 359 | return 0; |
| 360 | } | 360 | } |
| 361 | else if (strncmp(ptr, "private-cwd ", 12) == 0) { | 361 | else if (strncmp(ptr, "private-cwd ", 12) == 0) { |
| 362 | cfg.cwd = strdup(ptr + 12); | 362 | fs_check_private_cwd(ptr + 12); |
| 363 | |||
| 364 | fs_check_private_cwd(); | ||
| 365 | arg_private_cwd = 1; | 363 | arg_private_cwd = 1; |
| 366 | return 0; | 364 | return 0; |
| 367 | } | 365 | } |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 58245fa38..2c5c5fc12 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -1020,7 +1020,7 @@ int sandbox(void* sandbox_arg) { | |||
| 1020 | if (chdir(cfg.cwd) == 0) | 1020 | if (chdir(cfg.cwd) == 0) |
| 1021 | cwd = 1; | 1021 | cwd = 1; |
| 1022 | else if (arg_private_cwd) { | 1022 | else if (arg_private_cwd) { |
| 1023 | fprintf(stderr, "Error: unabled to enter private working directory: %s: %s\n", cfg.cwd, strerror(errno)); | 1023 | fprintf(stderr, "Error: unable to enter private working directory: %s: %s\n", cfg.cwd, strerror(errno)); |
| 1024 | exit(1); | 1024 | exit(1); |
| 1025 | } | 1025 | } |
| 1026 | } | 1026 | } |