diff options
| author |  smitsohu <smitsohu@gmail.com> | 2022-12-24 03:00:22 +0100 |
|---|---|---|
| committer | smitsohu <smitsohu@gmail.com> | 2022-12-24 03:00:22 +0100 |
| commit | ddc76329b5bcf24616e57e9fafa5b15f140909e0 (patch) | |
| tree | 76fac17df578b71a99c6321694190930dbe6d2a3 /src | |
| parent | add netlock support in profile files (diff) | |
| download | firejail-ddc76329b5bcf24616e57e9fafa5b15f140909e0.tar.gz firejail-ddc76329b5bcf24616e57e9fafa5b15f140909e0.tar.zst firejail-ddc76329b5bcf24616e57e9fafa5b15f140909e0.zip | |
chroot: make search permission check explicit
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/chroot.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c index 6f484e59a..72322221c 100644 --- a/src/firejail/chroot.c +++ b/src/firejail/chroot.c | |||
| @@ -119,6 +119,11 @@ void fs_chroot(const char *rootdir) { | |||
| 119 | int parentfd = safer_openat(-1, rootdir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); | 119 | int parentfd = safer_openat(-1, rootdir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); |
| 120 | if (parentfd == -1) | 120 | if (parentfd == -1) |
| 121 | errExit("safer_openat"); | 121 | errExit("safer_openat"); |
| 122 | |||
| 123 | if (faccessat(parentfd, ".", X_OK, 0) != 0) { | ||
| 124 | fprintf(stderr, "Error: no search permission on chroot directory\n"); | ||
| 125 | exit(1); | ||
| 126 | } | ||
| 122 | // rootdir has to be owned by root and is not allowed to be generally writable, | 127 | // rootdir has to be owned by root and is not allowed to be generally writable, |
| 123 | // this also excludes /tmp and friends | 128 | // this also excludes /tmp and friends |
| 124 | struct stat s; | 129 | struct stat s; |