diff options
author | smitsohu <smitsohu@gmail.com> | 2021-05-24 15:51:55 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2021-05-24 15:54:10 +0200 |
commit | 518633eb42f2cf118c9411f9748328cb1fb19f7a (patch) | |
tree | 101b69f304b6af92db270016c61d797f25e577d7 /src | |
parent | Merge pull request #4302 from smitsohu/whitelist2 (diff) | |
download | firejail-518633eb42f2cf118c9411f9748328cb1fb19f7a.tar.gz firejail-518633eb42f2cf118c9411f9748328cb1fb19f7a.tar.zst firejail-518633eb42f2cf118c9411f9748328cb1fb19f7a.zip |
fix firejail startup race
sandboxes can race to create RUN_RO_FILE in shared memory
similiar to #1013
regression from 825ac9cdc38c4285584e69d6f29102b149914dfe
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/util.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/src/firejail/util.c b/src/firejail/util.c index 2731f61dc..b15b719b7 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -1030,8 +1030,10 @@ void create_empty_file_as_root(const char *fname, mode_t mode) { | |||
1030 | if (stat(fname, &s)) { | 1030 | if (stat(fname, &s)) { |
1031 | if (arg_debug) | 1031 | if (arg_debug) |
1032 | printf("Creating empty %s file\n", fname); | 1032 | printf("Creating empty %s file\n", fname); |
1033 | 1033 | /* coverity[toctou] */ | |
1034 | FILE *fp = fopen(fname, "wxe"); | 1034 | // don't fail if file already exists. This can be the case in a race |
1035 | // condition, when two jails launch at the same time. Compare to #1013 | ||
1036 | FILE *fp = fopen(fname, "we"); | ||
1035 | if (!fp) | 1037 | if (!fp) |
1036 | errExit("fopen"); | 1038 | errExit("fopen"); |
1037 | SET_PERMS_STREAM(fp, 0, 0, mode); | 1039 | SET_PERMS_STREAM(fp, 0, 0, mode); |