diff options
| author |  smitsohu <smitsohu@gmail.com> | 2018-08-31 15:21:04 +0200 |
|---|---|---|
| committer | smitsohu <smitsohu@gmail.com> | 2018-08-31 15:21:04 +0200 |
| commit | 2f5a792944480334f349a43b8f70f2ba681ea582 (patch) | |
| tree | bf3cb663eae025442c7505c48b8f7fc4c5f713b6 /src | |
| parent | added whois and dig profiles (diff) | |
| download | firejail-2f5a792944480334f349a43b8f70f2ba681ea582.tar.gz firejail-2f5a792944480334f349a43b8f70f2ba681ea582.tar.zst firejail-2f5a792944480334f349a43b8f70f2ba681ea582.zip | |
reduce number of chown/chmod calls in fs_chroot
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/fs.c | 27 |
1 files changed, 17 insertions, 10 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index ed0131b1d..bd71a6912 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
| @@ -1171,7 +1171,7 @@ void fs_check_chroot_dir(const char *rootdir) { | |||
| 1171 | exit(1); | 1171 | exit(1); |
| 1172 | } | 1172 | } |
| 1173 | if ((S_IWOTH & s.st_mode) != 0) { | 1173 | if ((S_IWOTH & s.st_mode) != 0) { |
| 1174 | fprintf(stderr, "Error: chroot directory is not allowed to be world-writable\n"); | 1174 | fprintf(stderr, "Error: chroot directory should not be world-writable\n"); |
| 1175 | exit(1); | 1175 | exit(1); |
| 1176 | } | 1176 | } |
| 1177 | 1177 | ||
| @@ -1239,7 +1239,7 @@ void fs_check_chroot_dir(const char *rootdir) { | |||
| 1239 | exit(1); | 1239 | exit(1); |
| 1240 | } | 1240 | } |
| 1241 | if ((S_IWOTH & s.st_mode) != 0) { | 1241 | if ((S_IWOTH & s.st_mode) != 0) { |
| 1242 | fprintf(stderr, "Error: chroot /etc is not allowed to be world-writable\n"); | 1242 | fprintf(stderr, "Error: chroot /etc should not be world-writable\n"); |
| 1243 | exit(1); | 1243 | exit(1); |
| 1244 | } | 1244 | } |
| 1245 | free(name); | 1245 | free(name); |
| @@ -1331,24 +1331,32 @@ void fs_chroot(const char *rootdir) { | |||
| 1331 | exit(1); | 1331 | exit(1); |
| 1332 | } | 1332 | } |
| 1333 | if ((S_IWOTH & s.st_mode) != 0) { | 1333 | if ((S_IWOTH & s.st_mode) != 0) { |
| 1334 | fprintf(stderr, "Error: chroot /run is not allowed to be world-writable\n"); | 1334 | fprintf(stderr, "Error: chroot /run should not be world-writable\n"); |
| 1335 | exit(1); | 1335 | exit(1); |
| 1336 | } | 1336 | } |
| 1337 | } | 1337 | } |
| 1338 | else | 1338 | else { |
| 1339 | create_empty_dir_as_root(rundir, 0755); | 1339 | // several sandboxes could race to create /run |
| 1340 | if (mkdir(rundir, 0755) == -1 && errno != EEXIST) | ||
| 1341 | errExit("mkdir"); | ||
| 1342 | ASSERT_PERMS(rundir, 0, 0, 0755); | ||
| 1343 | } | ||
| 1340 | free(rundir); | 1344 | free(rundir); |
| 1341 | 1345 | ||
| 1342 | // create /run/firejail directory in chroot | 1346 | // create /run/firejail directory in chroot |
| 1343 | if (asprintf(&rundir, "%s/run/firejail", rootdir) == -1) | 1347 | if (asprintf(&rundir, "%s/run/firejail", rootdir) == -1) |
| 1344 | errExit("asprintf"); | 1348 | errExit("asprintf"); |
| 1345 | create_empty_dir_as_root(rundir, 0755); | 1349 | if (mkdir(rundir, 0755) == -1 && errno != EEXIST) |
| 1350 | errExit("mkdir"); | ||
| 1351 | ASSERT_PERMS(rundir, 0, 0, 0755); | ||
| 1346 | free(rundir); | 1352 | free(rundir); |
| 1347 | 1353 | ||
| 1348 | // create /run/firejail/mnt directory in chroot and mount the current one | 1354 | // create /run/firejail/mnt directory in chroot and mount the current one |
| 1349 | if (asprintf(&rundir, "%s%s", rootdir, RUN_MNT_DIR) == -1) | 1355 | if (asprintf(&rundir, "%s%s", rootdir, RUN_MNT_DIR) == -1) |
| 1350 | errExit("asprintf"); | 1356 | errExit("asprintf"); |
| 1351 | create_empty_dir_as_root(rundir, 0755); | 1357 | if (mkdir(rundir, 0755) == -1 && errno != EEXIST) |
| 1358 | errExit("mkdir"); | ||
| 1359 | ASSERT_PERMS(rundir, 0, 0, 0755); | ||
| 1352 | if (mount(RUN_MNT_DIR, rundir, NULL, MS_BIND|MS_REC, NULL) < 0) | 1360 | if (mount(RUN_MNT_DIR, rundir, NULL, MS_BIND|MS_REC, NULL) < 0) |
| 1353 | errExit("mount bind"); | 1361 | errExit("mount bind"); |
| 1354 | free(rundir); | 1362 | free(rundir); |
| @@ -1373,7 +1381,8 @@ void fs_chroot(const char *rootdir) { | |||
| 1373 | if (arg_debug) | 1381 | if (arg_debug) |
| 1374 | printf("Chrooting into %s\n", rootdir); | 1382 | printf("Chrooting into %s\n", rootdir); |
| 1375 | char *oroot = RUN_OVERLAY_ROOT; | 1383 | char *oroot = RUN_OVERLAY_ROOT; |
| 1376 | mkdir_attr(oroot, 0755, 0, 0); | 1384 | if (mkdir(oroot, 0755) == -1) |
| 1385 | errExit("mkdir"); | ||
| 1377 | if (mount(rootdir, oroot, NULL, MS_BIND|MS_REC, NULL) < 0) | 1386 | if (mount(rootdir, oroot, NULL, MS_BIND|MS_REC, NULL) < 0) |
| 1378 | errExit("mounting rootdir oroot"); | 1387 | errExit("mounting rootdir oroot"); |
| 1379 | if (chroot(oroot) < 0) | 1388 | if (chroot(oroot) < 0) |
| @@ -1390,8 +1399,6 @@ void fs_chroot(const char *rootdir) { | |||
| 1390 | fs_var_tmp(); | 1399 | fs_var_tmp(); |
| 1391 | if (!arg_writable_var_log) | 1400 | if (!arg_writable_var_log) |
| 1392 | fs_var_log(); | 1401 | fs_var_log(); |
| 1393 | else | ||
| 1394 | fs_rdwr("/var/log"); | ||
| 1395 | 1402 | ||
| 1396 | fs_var_lib(); | 1403 | fs_var_lib(); |
| 1397 | fs_var_cache(); | 1404 | fs_var_cache(); |