author | netblue30 <netblue30@yahoo.com> | 2015-10-11 11:24:02 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2015-10-11 11:24:02 -0400 |
commit | f4171a91412f89d509e6d1371fd81b4ecd89c11d (patch) | |
tree | 89882fc26af43bc4149109c029380209792698d9 /src | |
parent | Merge pull request #81 from pyther/rpm (diff) | |
--private-bin
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 4 | ||||
-rw-r--r-- | src/firejail/fs.c | 10 | ||||
-rw-r--r-- | src/firejail/fs_bin.c | 5 | ||||
-rw-r--r-- | src/firejail/fs_var.c | 2 | ||||
-rw-r--r-- | src/firejail/profile.c | 8 |
5 files changed, 20 insertions, 9 deletions
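--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -407,5 +407,9 @@ void errno_print(void);
 // pulseaudio.c
 void pulseaudio_init(void);
 
+// fs_bin.c
+void fs_check_bin_list(void);
+void fs_private_bin_list(void);
+
 #endif
 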
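--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -435,23 +435,23 @@ void fs_proc_sys_dev_boot(void) {
 if (arg_debug)
 printf("Disable /sys/firmware directory\n");
 if (mount("tmpfs", "/sys/firmware", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
-errExit("disable /sys/firmware directory");
+fprintf(stderr, "Warning: cannot disable /sys/firmware directory\n");
 if (arg_debug)
 printf("Disable /sys/hypervisor directory\n");
 if (mount("tmpfs", "/sys/hypervisor", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
-errExit("disable /sys/hypervisor directory");
+fprintf(stderr, "Warning: cannot disable /sys/hypervisor directory\n");
 if (arg_debug)
 printf("Disable /sys/fs directory\n");
 if (mount("tmpfs", "/sys/fs", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
-errExit("disable /sys/fs directory");
+fprintf(stderr, "Warning: cannot disable /sys/fs directory\n");
 if (arg_debug)
 printf("Disable /sys/module directory\n");
 if (mount("tmpfs", "/sys/module", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
-errExit("disable /sys/module directory");
+fprintf(stderr, "Warning: cannot disable /sys/module directory\n");
 if (arg_debug)
 printf("Disable /sys/power directory\n");
 if (mount("tmpfs", "/sys/power", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
-errExit("disable /sys/power directory");
+fprintf(stderr, "Warning: cannot disable /sys/power directory\n");
 
 
 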
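Review bot: All five `/sys/*` masking mounts in this hunk now fail open: when `mount()` fails, the code prints a warning and the sandbox keeps starting with `/sys/firmware`, `/sys/hypervisor`, `/sys/fs`, `/sys/module` or `/sys/power` still visible to the sandboxed process. If the motivation is that some of these directories do not exist on every kernel (the commit does not say), tolerate only that case and stay fatal otherwise, e.g. `if (errno != ENOENT) errExit("disable /sys/firmware directory");` ahead of each warning. The new messages also carry no error cause, so appending `strerror(errno)` would keep a failed mount diagnosable. `fs_proc_sys_dev_boot` starts before and continues after this hunk.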
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 4b3292b6c..dcfdadb6b 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c | |||
@@ -44,9 +44,9 @@ static char *check_dir_or_file(const char *name) { | |||
44 | errExit("asprintf"); | 44 | errExit("asprintf"); |
45 | if (arg_debug) | 45 | if (arg_debug) |
46 | printf("Checking %s/%s\n", paths[i], name); | 46 | printf("Checking %s/%s\n", paths[i], name); |
47 | if (stat(fname, &s) == 0) | 47 | if (stat(fname, &s) == 0 && !S_ISDIR(s.st_mode)) // do not allow directories |
48 | break; // file found | 48 | break; // file found |
49 | 49 | ||
50 | free(fname); | 50 | free(fname); |
51 | fname = NULL; | 51 | fname = NULL; |
52 | i++; | 52 | i++; |
@@ -99,7 +99,6 @@ void fs_check_bin_list(void) { | |||
99 | else | 99 | else |
100 | notfound = 1; | 100 | notfound = 1; |
101 | } | 101 | } |
102 | printf("here %d: newlist #%s#\n", __LINE__, newlist); | ||
103 | 102 | ||
104 | if (*newlist == '\0') { | 103 | if (*newlist == '\0') { |
105 | fprintf(stderr, "Warning: no --private-bin list executable found, option disabled\n"); | 104 | fprintf(stderr, "Warning: no --private-bin list executable found, option disabled\n"); |
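Review bot: The new test in `check_dir_or_file` (first hunk) excludes only directories, so any other `stat()` hit, such as a FIFO, socket or device node, is still accepted as a `--private-bin` entry. A positive check is tighter and matches the `// file found` comment: `if (stat(fname, &s) == 0 && S_ISREG(s.st_mode))`. `stat()` follows symlinks, so a one-line comment should say whether a symlink that resolves outside the searched directories is meant to be accepted. The function body starts before and ends after the hunk.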
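--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -146,7 +146,7 @@ void fs_var_log(void) {
 errExit("chmod");
 }
 else
-fprintf(stderr, "Warning: cannot mount tmpfs in top of /var/log\n");
+fprintf(stderr, "Warning: cannot mount tmpfs on top of /var/log\n");
 }
 
 void fs_var_lib(void) {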
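--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -257,6 +257,14 @@ int profile_check_line(char *ptr, int lineno) {
 return 0;
 }
 
+// private /bin list of files
+if (strncmp(ptr, "private-bin ", 12) == 0) {
+cfg.bin_private_keep = ptr + 12;
+fs_check_bin_list();
+arg_private_bin = 1;
+return 0;
+}
+
 // filesystem bind
 if (strncmp(ptr, "bind ", 5) == 0) {
 if (getuid() != 0) {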
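Review bot: The new `private-bin` branch hands the rest of the profile line to `fs_check_bin_list()` without validating it, and the debug `printf` in the `fs_bin.c` hunk shows `check_dir_or_file` joining each entry as `paths[i]/name`. Unless `fs_check_bin_list()` already rejects them (not visible here), an entry containing `/` or `..` would be resolved outside the intended bin directories. Assuming entries are bare command names, reject such input at parse time, e.g. `if (strstr(ptr + 12, "..") || strchr(ptr + 12, '/')) { fprintf(stderr, "Error: invalid private-bin list\n"); exit(1); }`. Separately, `cfg.bin_private_keep = ptr + 12;` aliases the caller's line buffer, so add a comment stating that the buffer must outlive `cfg`, or store a `strdup()` copy. `profile_check_line` starts before and continues after this hunk.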