diff options
| author |  startx2017 <vradu.startx@yandex.com> | 2018-03-17 10:02:31 -0400 |
|---|---|---|
| committer | startx2017 <vradu.startx@yandex.com> | 2018-03-17 10:02:31 -0400 |
| commit | d2f56e0adf116656a96fc1e0bea312f2a37235e9 (patch) | |
| tree | 7e40263af88568be32040296c06200b6112c7599 /src | |
| parent | split run files processing in a separate file - src/firejail/run_files.c (diff) | |
| download | firejail-d2f56e0adf116656a96fc1e0bea312f2a37235e9.tar.gz firejail-d2f56e0adf116656a96fc1e0bea312f2a37235e9.tar.zst firejail-d2f56e0adf116656a96fc1e0bea312f2a37235e9.zip | |
locking run file operations
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/firejail.h | 3 | ||||
| -rw-r--r-- | src/firejail/main.c | 27 |
2 files changed, 20 insertions, 10 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 27c3dd2ea..ca3cf18ac 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -36,7 +36,8 @@ | |||
| 36 | #define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network" | 36 | #define RUN_FIREJAIL_NETWORK_DIR "/run/firejail/network" |
| 37 | #define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth" | 37 | #define RUN_FIREJAIL_BANDWIDTH_DIR "/run/firejail/bandwidth" |
| 38 | #define RUN_FIREJAIL_PROFILE_DIR "/run/firejail/profile" | 38 | #define RUN_FIREJAIL_PROFILE_DIR "/run/firejail/profile" |
| 39 | #define RUN_NETWORK_LOCK_FILE "/run/firejail/firejail.lock" | 39 | #define RUN_NETWORK_LOCK_FILE "/run/firejail/firejail-network.lock" |
| 40 | #define RUN_DIRECTORY_LOCK_FILE "/run/firejail/firejail-run.lock" | ||
| 40 | #define RUN_RO_DIR "/run/firejail/firejail.ro.dir" | 41 | #define RUN_RO_DIR "/run/firejail/firejail.ro.dir" |
| 41 | #define RUN_RO_FILE "/run/firejail/firejail.ro.file" | 42 | #define RUN_RO_FILE "/run/firejail/firejail.ro.file" |
| 42 | #define RUN_MNT_DIR "/run/firejail/mnt" // a tmpfs is mounted on this directory before any of the files below are created | 43 | #define RUN_MNT_DIR "/run/firejail/mnt" // a tmpfs is mounted on this directory before any of the files below are created |
diff --git a/src/firejail/main.c b/src/firejail/main.c index ec090cdc6..dad9befd3 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -824,7 +824,8 @@ static void run_builder(int argc, char **argv) { | |||
| 824 | int main(int argc, char **argv) { | 824 | int main(int argc, char **argv) { |
| 825 | int i; | 825 | int i; |
| 826 | int prog_index = -1; // index in argv where the program command starts | 826 | int prog_index = -1; // index in argv where the program command starts |
| 827 | int lockfd = -1; | 827 | int lockfd_network = -1; |
| 828 | int lockfd_directory = -1; | ||
| 828 | int option_cgroup = 0; | 829 | int option_cgroup = 0; |
| 829 | int option_force = 0; | 830 | int option_force = 0; |
| 830 | int custom_profile = 0; // custom profile loaded | 831 | int custom_profile = 0; // custom profile loaded |
| @@ -2393,11 +2394,11 @@ int main(int argc, char **argv) { | |||
| 2393 | // check and assign an IP address - for macvlan it will be done again in the sandbox! | 2394 | // check and assign an IP address - for macvlan it will be done again in the sandbox! |
| 2394 | if (any_bridge_configured()) { | 2395 | if (any_bridge_configured()) { |
| 2395 | EUID_ROOT(); | 2396 | EUID_ROOT(); |
| 2396 | lockfd = open(RUN_NETWORK_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR); | 2397 | lockfd_network = open(RUN_NETWORK_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR); |
| 2397 | if (lockfd != -1) { | 2398 | if (lockfd_network != -1) { |
| 2398 | int rv = fchown(lockfd, 0, 0); | 2399 | int rv = fchown(lockfd_network, 0, 0); |
| 2399 | (void) rv; | 2400 | (void) rv; |
| 2400 | flock(lockfd, LOCK_EX); | 2401 | flock(lockfd_network, LOCK_EX); |
| 2401 | } | 2402 | } |
| 2402 | 2403 | ||
| 2403 | check_network(&cfg.bridge0); | 2404 | check_network(&cfg.bridge0); |
| @@ -2426,13 +2427,21 @@ int main(int argc, char **argv) { | |||
| 2426 | } | 2427 | } |
| 2427 | 2428 | ||
| 2428 | 2429 | ||
| 2429 | // set name file | 2430 | // set name and x11 run files |
| 2430 | EUID_ROOT(); | 2431 | EUID_ROOT(); |
| 2432 | lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR); | ||
| 2433 | if (lockfd_directory != -1) { | ||
| 2434 | int rv = fchown(lockfd_directory, 0, 0); | ||
| 2435 | (void) rv; | ||
| 2436 | flock(lockfd_directory, LOCK_EX); | ||
| 2437 | } | ||
| 2431 | if (cfg.name) | 2438 | if (cfg.name) |
| 2432 | set_name_run_file(sandbox_pid); | 2439 | set_name_run_file(sandbox_pid); |
| 2433 | int display = x11_display(); | 2440 | int display = x11_display(); |
| 2434 | if (display > 0) | 2441 | if (display > 0) |
| 2435 | set_x11_run_file(sandbox_pid, display); | 2442 | set_x11_run_file(sandbox_pid, display); |
| 2443 | flock(lockfd_directory, LOCK_UN); | ||
| 2444 | close(lockfd_directory); | ||
| 2436 | EUID_USER(); | 2445 | EUID_USER(); |
| 2437 | 2446 | ||
| 2438 | // clone environment | 2447 | // clone environment |
| @@ -2573,9 +2582,9 @@ int main(int argc, char **argv) { | |||
| 2573 | close(parent_to_child_fds[1]); | 2582 | close(parent_to_child_fds[1]); |
| 2574 | 2583 | ||
| 2575 | EUID_ROOT(); | 2584 | EUID_ROOT(); |
| 2576 | if (lockfd != -1) { | 2585 | if (lockfd_network != -1) { |
| 2577 | flock(lockfd, LOCK_UN); | 2586 | flock(lockfd_network, LOCK_UN); |
| 2578 | close(lockfd); | 2587 | close(lockfd_network); |
| 2579 | } | 2588 | } |
| 2580 | 2589 | ||
| 2581 | // handle CTRL-C in parent | 2590 | // handle CTRL-C in parent |