authorLibravatar netblue30 <netblue30@yahoo.com>2018-03-06 10:24:29 -0500
committerLibravatar netblue30 <netblue30@yahoo.com>2018-03-06 10:24:29 -0500
commitdda8b2dbaf85383c787b2e70982346779471a269 (patch)
tree65beb2a9e50b2885b03b50a90897cec5e462d034 /src
parentbringing in /dev/fd,stdin,stdout,stderr in --private-dev (diff)
fix whitelist /dev/fd,stdin,stdout,stderr - #1778
Diffstat (limited to 'src')
-rw-r--r--src/firejail/fs_whitelist.c19
1 files changed, 18 insertions, 1 deletions
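--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -402,7 +402,19 @@ void fs_whitelist(void) {
 
 	// extract the absolute path of the file
 	// realpath function will fail with ENOENT if the file is not found
-	char *fname = realpath(new_name, NULL);
+	// special processing for /dev/fd, /dev/stdin, /dev/stdout and /dev/stderr
+	char *fname;
+	if (strcmp(new_name, "/dev/fd") == 0)
+		fname = strdup("/proc/self/fd");
+	else if (strcmp(new_name, "/dev/stdin") == 0)
+		fname = strdup("/proc/self/fd/0");
+	else if (strcmp(new_name, "/dev/stdout") == 0)
+		fname = strdup("/proc/self/fd/1");
+	else if (strcmp(new_name, "/dev/stderr") == 0)
+		fname = strdup("/proc/self/fd/2");
+	else
+		fname = realpath(new_name, NULL);
+
 	if (!fname) {
 		// file not found, blank the entry in the list and continue
 		if (arg_debug || arg_debug_whitelists) {
@@ -533,6 +545,11 @@ void fs_whitelist(void) {
 	// special handling for /dev/shm
 	// on some platforms (Debian wheezy, Ubuntu 14.04), it is a symlink to /run/shm
 	if (strcmp(new_name, "/dev/shm") == 0 && strcmp(fname, "/run/shm") == 0);
+	// special processing for /proc/self/fd files
+	else if (strcmp(new_name, "/dev/fd") == 0 && strcmp(fname, "/proc/self/fd") == 0);
+	else if (strcmp(new_name, "/dev/stdin") == 0 && strcmp(fname, "/proc/self/fd/0") == 0);
+	else if (strcmp(new_name, "/dev/stdout") == 0 && strcmp(fname, "/proc/self/fd/1") == 0);
+	else if (strcmp(new_name, "/dev/stderr") == 0 && strcmp(fname, "/proc/self/fd/2") == 0);
 	else {
 		// both path and absolute path are under /dev
 		if (strncmp(fname, "/dev/", 5) != 0) {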