authorLibravatar netblue30 <netblue30@yahoo.com>2016-11-29 10:04:43 -0500
committerLibravatar netblue30 <netblue30@yahoo.com>2016-11-29 10:04:43 -0500
commitd3b6581db7fcd0fb0897ada9910140f0e43f4ed1 (patch)
tree1c4409a84665834736370f89dcf915a12f173ef5 /src
parentMerge pull request #945 from Fred-Barclay/cryptocat (diff)
testing and cleanup
Diffstat (limited to 'src')
-rw-r--r--src/firejail/fs_var.c9
-rw-r--r--src/firejail/fs_whitelist.c98
-rw-r--r--src/firejail/netfilter.c12
3 files changed, 40 insertions, 79 deletions
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index 2aa4a1b54..bdc5ecaf3 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -65,10 +65,9 @@ static void build_list(const char *srcdir) {
65 struct stat s; 65 struct stat s;
66 char *name; 66 char *name;
67 if (asprintf(&name, "%s/%s", srcdir, dir->d_name) == -1) 67 if (asprintf(&name, "%s/%s", srcdir, dir->d_name) == -1)
68 continue; 68 errExit("asprintf");
69 if (stat(name, &s) == -1) 69 if (stat(name, &s) == -1 ||
70 continue; 70 S_ISLNK(s.st_mode)) {
71 if (S_ISLNK(s.st_mode)) {
72 free(name); 71 free(name);
73 continue; 72 continue;
74 } 73 }
@@ -143,7 +142,7 @@ void fs_var_log(void) {
143 fs_logger("touch /var/log/btmp"); 142 fs_logger("touch /var/log/btmp");
144 } 143 }
145 else 144 else
146 fprintf(stderr, "Warning: cannot mount tmpfs on top of /var/log\n"); 145 fprintf(stderr, "Warning: cannot hide /var/log directory\n");
147} 146}
148 147
149void fs_var_lib(void) { 148void fs_var_lib(void) {
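Review bot: The `S_ISLNK(s.st_mode)` test in the merged condition of build_list can never be true, because `stat()` follows symbolic links and reports the mode of the target, so the symlink filter is as ineffective on the new side as it was before. If the intent is to skip symlinked entries under `srcdir`, the call should be `lstat`, i.e. `if (lstat(name, &s) == -1 || S_ISLNK(s.st_mode)) {`. What build_list does with the accepted names lies outside this hunk, so the impact of following a link here should be confirmed against the rest of the function.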
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 7b32021be..b10858411 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -95,34 +95,29 @@ static char *resolve_downloads(void) {
95 if (asprintf(&fname, "%s/%s", cfg.homedir, ptr1) == -1) 95 if (asprintf(&fname, "%s/%s", cfg.homedir, ptr1) == -1)
96 errExit("asprintf"); 96 errExit("asprintf");
97 97
98 if (stat(fname, &s) == -1) { 98 if (stat(fname, &s) == -1)
99 fprintf(stderr, "***\n");
100 fprintf(stderr, "*** Error: directory %s not found.\n", fname);
101 fprintf(stderr, "*** \tThis directory is configured in ~/.config/user-dirs.dirs.\n");
102 fprintf(stderr, "*** \tPlease create a Downloads directory.\n");
103 fprintf(stderr, "***\n");
104 free(fname); 99 free(fname);
105 return NULL; 100 goto errout;
106 }
107 101
108 char *rv; 102 char *rv;
109 if (asprintf(&rv, "whitelist ~/%s", ptr + 24) == -1) 103 if (asprintf(&rv, "whitelist ~/%s", ptr + 24) == -1)
110 errExit("asprintf"); 104 errExit("asprintf");
111 return rv; 105 return rv;
112 } 106 }
113 else { 107 else
114 fprintf(stderr, "***\n"); 108 goto errout;
115 fprintf(stderr, "*** Error: invalid XDG_DOWNLOAD_DIR entry in ~/.config/user-dirs.dirs.\n");
116 fprintf(stderr, "*** \tPlease specify a valid Downloads directory, example:\n");
117 fprintf(stderr, "***\n");
118 fprintf(stderr, "***\t\tXDG_DOWNLOAD_DIR=\"$HOME/Downloads\"\n");
119 fprintf(stderr, "***\n");
120 return NULL;
121 }
122 } 109 }
123 } 110 }
124 } 111 }
112
125 fclose(fp); 113 fclose(fp);
114 return NULL;
115
116errout:
117 fprintf(stderr, "***\n");
118 fprintf(stderr, "*** Error: Downloads directory was not found in user home.\n");
119 fprintf(stderr, "*** \tAny files saved by the program, will be lost when the sandbox is closed.\n");
120 fprintf(stderr, "***\n");
126 121
127 return NULL; 122 return NULL;
128} 123}
@@ -181,10 +176,8 @@ static void whitelist_path(ProfileEntry *entry) {
181 if (entry->home_dir) { 176 if (entry->home_dir) {
182 if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) { 177 if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) {
183 fname = path + strlen(cfg.homedir); 178 fname = path + strlen(cfg.homedir);
184 if (*fname == '\0') { 179 if (*fname == '\0')
185 fprintf(stderr, "Error: file %s is not in user home directory, exiting...\n", path); 180 goto errexit;
186 exit(1);
187 }
188 } 181 }
189 else 182 else
190 fname = path; 183 fname = path;
@@ -194,70 +187,56 @@ static void whitelist_path(ProfileEntry *entry) {
194 } 187 }
195 else if (entry->tmp_dir) { 188 else if (entry->tmp_dir) {
196 fname = path + 4; // strlen("/tmp") 189 fname = path + 4; // strlen("/tmp")
197 if (*fname == '\0') { 190 if (*fname == '\0')
198 fprintf(stderr, "Error: file %s is not in /tmp directory, exiting...\n", path); 191 goto errexit;
199 exit(1);
200 }
201 192
202 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_TMP_DIR, fname) == -1) 193 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_TMP_DIR, fname) == -1)
203 errExit("asprintf"); 194 errExit("asprintf");
204 } 195 }
205 else if (entry->media_dir) { 196 else if (entry->media_dir) {
206 fname = path + 6; // strlen("/media") 197 fname = path + 6; // strlen("/media")
207 if (*fname == '\0') { 198 if (*fname == '\0')
208 fprintf(stderr, "Error: file %s is not in /media directory, exiting...\n", path); 199 goto errexit;
209 exit(1);
210 }
211 200
212 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MEDIA_DIR, fname) == -1) 201 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MEDIA_DIR, fname) == -1)
213 errExit("asprintf"); 202 errExit("asprintf");
214 } 203 }
215 else if (entry->mnt_dir) { 204 else if (entry->mnt_dir) {
216 fname = path + 4; // strlen("/mnt") 205 fname = path + 4; // strlen("/mnt")
217 if (*fname == '\0') { 206 if (*fname == '\0')
218 fprintf(stderr, "Error: file %s is not in /mnt directory, exiting...\n", path); 207 goto errexit;
219 exit(1);
220 }
221 208
222 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MNT_DIR, fname) == -1) 209 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MNT_DIR, fname) == -1)
223 errExit("asprintf"); 210 errExit("asprintf");
224 } 211 }
225 else if (entry->var_dir) { 212 else if (entry->var_dir) {
226 fname = path + 4; // strlen("/var") 213 fname = path + 4; // strlen("/var")
227 if (*fname == '\0') { 214 if (*fname == '\0')
228 fprintf(stderr, "Error: file %s is not in /var directory, exiting...\n", path); 215 goto errexit;
229 exit(1);
230 }
231 216
232 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_VAR_DIR, fname) == -1) 217 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_VAR_DIR, fname) == -1)
233 errExit("asprintf"); 218 errExit("asprintf");
234 } 219 }
235 else if (entry->dev_dir) { 220 else if (entry->dev_dir) {
236 fname = path + 4; // strlen("/dev") 221 fname = path + 4; // strlen("/dev")
237 if (*fname == '\0') { 222 if (*fname == '\0')
238 fprintf(stderr, "Error: file %s is not in /dev directory, exiting...\n", path); 223 goto errexit;
239 exit(1);
240 }
241 224
242 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_DEV_DIR, fname) == -1) 225 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_DEV_DIR, fname) == -1)
243 errExit("asprintf"); 226 errExit("asprintf");
244 } 227 }
245 else if (entry->opt_dir) { 228 else if (entry->opt_dir) {
246 fname = path + 4; // strlen("/opt") 229 fname = path + 4; // strlen("/opt")
247 if (*fname == '\0') { 230 if (*fname == '\0')
248 fprintf(stderr, "Error: file %s is not in /opt directory, exiting...\n", path); 231 goto errexit;
249 exit(1);
250 }
251 232
252 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1) 233 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1)
253 errExit("asprintf"); 234 errExit("asprintf");
254 } 235 }
255 else if (entry->srv_dir) { 236 else if (entry->srv_dir) {
256 fname = path + 4; // strlen("/srv") 237 fname = path + 4; // strlen("/srv")
257 if (*fname == '\0') { 238 if (*fname == '\0')
258 fprintf(stderr, "Error: file %s is not in /srv directory, exiting...\n", path); 239 goto errexit;
259 exit(1);
260 }
261 240
262 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SRV_DIR, fname) == -1) 241 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SRV_DIR, fname) == -1)
263 errExit("asprintf"); 242 errExit("asprintf");
@@ -305,6 +284,11 @@ static void whitelist_path(ProfileEntry *entry) {
305 errExit("mount bind"); 284 errExit("mount bind");
306 285
307 free(wfile); 286 free(wfile);
287 return;
288
289errexit:
290 fprintf(stderr, "Error: file %s is not in the whitelisted directory\n", path);
291 exit(1);
308} 292}
309 293
310 294
@@ -432,8 +416,6 @@ void fs_whitelist(void) {
432 tmp_dir = 1; 416 tmp_dir = 1;
433 // both path and absolute path are under /tmp 417 // both path and absolute path are under /tmp
434 if (strncmp(fname, "/tmp/", 5) != 0) { 418 if (strncmp(fname, "/tmp/", 5) != 0) {
435 if (arg_debug)
436 fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname);
437 goto errexit; 419 goto errexit;
438 } 420 }
439 } 421 }
@@ -442,8 +424,6 @@ void fs_whitelist(void) {
442 media_dir = 1; 424 media_dir = 1;
443 // both path and absolute path are under /media 425 // both path and absolute path are under /media
444 if (strncmp(fname, "/media/", 7) != 0) { 426 if (strncmp(fname, "/media/", 7) != 0) {
445 if (arg_debug)
446 fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname);
447 goto errexit; 427 goto errexit;
448 } 428 }
449 } 429 }
@@ -452,8 +432,6 @@ void fs_whitelist(void) {
452 mnt_dir = 1; 432 mnt_dir = 1;
453 // both path and absolute path are under /mnt 433 // both path and absolute path are under /mnt
454 if (strncmp(fname, "/mnt/", 5) != 0) { 434 if (strncmp(fname, "/mnt/", 5) != 0) {
455 if (arg_debug)
456 fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname);
457 goto errexit; 435 goto errexit;
458 } 436 }
459 } 437 }
@@ -467,8 +445,6 @@ void fs_whitelist(void) {
467 else if (strcmp(new_name, "/var/lock")== 0) 445 else if (strcmp(new_name, "/var/lock")== 0)
468 ; 446 ;
469 else if (strncmp(fname, "/var/", 5) != 0) { 447 else if (strncmp(fname, "/var/", 5) != 0) {
470 if (arg_debug)
471 fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname);
472 goto errexit; 448 goto errexit;
473 } 449 }
474 } 450 }
@@ -477,8 +453,6 @@ void fs_whitelist(void) {
477 dev_dir = 1; 453 dev_dir = 1;
478 // both path and absolute path are under /dev 454 // both path and absolute path are under /dev
479 if (strncmp(fname, "/dev/", 5) != 0) { 455 if (strncmp(fname, "/dev/", 5) != 0) {
480 if (arg_debug)
481 fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname);
482 goto errexit; 456 goto errexit;
483 } 457 }
484 } 458 }
@@ -487,8 +461,6 @@ void fs_whitelist(void) {
487 opt_dir = 1; 461 opt_dir = 1;
488 // both path and absolute path are under /dev 462 // both path and absolute path are under /dev
489 if (strncmp(fname, "/opt/", 5) != 0) { 463 if (strncmp(fname, "/opt/", 5) != 0) {
490 if (arg_debug)
491 fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname);
492 goto errexit; 464 goto errexit;
493 } 465 }
494 } 466 }
@@ -497,14 +469,10 @@ void fs_whitelist(void) {
497 srv_dir = 1; 469 srv_dir = 1;
498 // both path and absolute path are under /srv 470 // both path and absolute path are under /srv
499 if (strncmp(fname, "/srv/", 5) != 0) { 471 if (strncmp(fname, "/srv/", 5) != 0) {
500 if (arg_debug)
501 fprintf(stderr, "Debug %d: fname #%s#\n", __LINE__, fname);
502 goto errexit; 472 goto errexit;
503 } 473 }
504 } 474 }
505 else { 475 else {
506 if (arg_debug)
507 fprintf(stderr, "Debug %d: \n", __LINE__);
508 goto errexit; 476 goto errexit;
509 } 477 }
510 478
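Review bot: In resolve_downloads the new `if (stat(fname, &s) == -1)` has lost its braces, so as rendered only `free(fname);` is conditional and `goto errout;` runs every time. An existing Downloads directory is then reported as missing, the `whitelist ~/...` line is never returned, and `fname` is not freed when stat succeeds. The block should read `if (stat(fname, &s) == -1) { free(fname); goto errout; }`. The `errout:` label also sits after `fclose(fp);`, so both jumps return with the file still open; an `fclose(fp);` directly under the label would close it. The function begins before the hunk, so where `fp` is opened is not visible here.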
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index ef4915f15..ed411313a 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -47,14 +47,8 @@ void check_netfilter_file(const char *fname) {
47 EUID_ASSERT(); 47 EUID_ASSERT();
48 invalid_filename(fname); 48 invalid_filename(fname);
49 49
50 if (is_dir(fname) || is_link(fname) || strstr(fname, "..")) { 50 if (is_dir(fname) || is_link(fname) || strstr(fname, "..") || access(fname, R_OK )) {
51 fprintf(stderr, "Error: invalid network filter file\n"); 51 fprintf(stderr, "Error: invalid network filter file %s\n", fname);
52 exit(1);
53 }
54
55 // access call checks as real UID/GID, not as effective UID/GID
56 if (access(fname, R_OK)) {
57 fprintf(stderr, "Error: cannot access network filter file\n");
58 exit(1); 52 exit(1);
59 } 53 }
60} 54}
@@ -138,7 +132,7 @@ void netfilter6(const char *fname) {
138 char *filter = read_text_file_or_exit(fname); 132 char *filter = read_text_file_or_exit(fname);
139 FILE *fp = fopen(SBOX_STDIN_FILE, "w"); 133 FILE *fp = fopen(SBOX_STDIN_FILE, "w");
140 if (!fp) { 134 if (!fp) {
141 fprintf(stderr, "Error: cannot open /tmp/netfilter6 file\n"); 135 fprintf(stderr, "Error: cannot open %s\n", SBOX_STDIN_FILE);
142 exit(1); 136 exit(1);
143 } 137 }
144 fprintf(fp, "%s\n", filter); 138 fprintf(fp, "%s\n", filter);
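Review bot: Folding `access(fname, R_OK )` into the first condition of check_netfilter_file dropped the comment saying that access() checks with the real UID/GID rather than the effective one. The `EUID_ASSERT()` above suggests this code switches effective UID, in which case that is the reason the call is there, and it is worth keeping next to the condition: `// access() checks as real UID/GID, not as effective UID/GID`. The checks are also made by path, while netfilter6 later reads the file through `read_text_file_or_exit(fname)`. If the file can be replaced between the check and the read, the is_link()/access() result no longer describes what is read, so it is worth confirming that the read runs with the same privileges as the check.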