--private-bin

author: netblue30 <netblue30@yahoo.com> 2015-10-11 11:24:02 -0400
committer: netblue30 <netblue30@yahoo.com> 2015-10-11 11:24:02 -0400
commit: f4171a91412f89d509e6d1371fd81b4ecd89c11d (patch)
tree: 89882fc26af43bc4149109c029380209792698d9 /src
parent: Merge pull request #81 from pyther/rpm (diff)
download: firejail-f4171a91412f89d509e6d1371fd81b4ecd89c11d.tar.gz
firejail-f4171a91412f89d509e6d1371fd81b4ecd89c11d.tar.zst
firejail-f4171a91412f89d509e6d1371fd81b4ecd89c11d.zip
5 files changed, 20 insertions, 9 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 64cf3ccef..cbc4086fb 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -407,5 +407,9 @@ void errno_print(void);
 // pulseaudio.c
 void pulseaudio_init(void);
+// fs_bin.c
+void fs_check_bin_list(void);
+void fs_private_bin_list(void);
 #endif
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 54086e0bb..b3748de51 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -435,23 +435,23 @@ void fs_proc_sys_dev_boot(void) {
        if (arg_debug)
                printf("Disable /sys/firmware directory\n");
        if (mount("tmpfs", "/sys/firmware", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                errExit("disable /sys/firmware directory");
+                fprintf(stderr, "Warning: cannot disable /sys/firmware directory\n");
        if (arg_debug)
                printf("Disable /sys/hypervisor directory\n");
        if (mount("tmpfs", "/sys/hypervisor", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                errExit("disable /sys/hypervisor directory");
+                fprintf(stderr, "Warning: cannot disable /sys/hypervisor directory\n");
        if (arg_debug)
                printf("Disable /sys/fs directory\n");
        if (mount("tmpfs", "/sys/fs", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                errExit("disable /sys/fs directory");
+                fprintf(stderr, "Warning: cannot disable /sys/fs directory\n");
        if (arg_debug)
                printf("Disable /sys/module directory\n");
        if (mount("tmpfs", "/sys/module", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                errExit("disable /sys/module directory");
+                fprintf(stderr, "Warning: cannot disable /sys/module directory\n");
        if (arg_debug)
                printf("Disable /sys/power directory\n");
        if (mount("tmpfs", "/sys/power", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                errExit("disable /sys/power directory");
+                fprintf(stderr, "Warning: cannot disable /sys/power directory\n");
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index 4b3292b6c..dcfdadb6b 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -44,9 +44,9 @@ static char *check_dir_or_file(const char *name) {
                        errExit("asprintf");
                if (arg_debug)
                        printf("Checking %s/%s\n", paths[i], name);             
-                if (stat(fname, &s) == 0)
+                if (stat(fname, &s) == 0 && !S_ISDIR(s.st_mode)) // do not allow directories
                        break; // file found
-                        
+                
                free(fname);
                fname = NULL;
                i++;
@@ -99,7 +99,6 @@ void fs_check_bin_list(void) {
                else
                        notfound = 1;
        }
-printf("here %d: newlist #%s#\n", __LINE__, newlist);
        
        if (*newlist == '\0') {
                fprintf(stderr, "Warning: no --private-bin list executable found, option disabled\n");
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index 3200c5282..93625633a 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -146,7 +146,7 @@ void fs_var_log(void) {
                        errExit("chmod");
        }
        else
-                fprintf(stderr, "Warning: cannot mount tmpfs in top of /var/log\n");
+                fprintf(stderr, "Warning: cannot mount tmpfs on top of /var/log\n");
 }
 void fs_var_lib(void) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 2863b454e..5b18cc179 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -257,6 +257,14 @@ int profile_check_line(char *ptr, int lineno) {
                return 0;
        }
+        // private /bin list of files
+        if (strncmp(ptr, "private-bin ", 12) == 0) {
+                cfg.bin_private_keep = ptr + 12;
+                fs_check_bin_list();
+                arg_private_bin = 1;
+                return 0;
+        }
        // filesystem bind
        if (strncmp(ptr, "bind ", 5) == 0) {
                if (getuid() != 0) {
author	netblue30 <netblue30@yahoo.com>	2015-10-11 11:24:02 -0400
committer	netblue30 <netblue30@yahoo.com>	2015-10-11 11:24:02 -0400
commit	f4171a91412f89d509e6d1371fd81b4ecd89c11d (patch)
tree	89882fc26af43bc4149109c029380209792698d9 /src
parent	Merge pull request #81 from pyther/rpm (diff)
download	firejail-f4171a91412f89d509e6d1371fd81b4ecd89c11d.tar.gz firejail-f4171a91412f89d509e6d1371fd81b4ecd89c11d.tar.zst firejail-f4171a91412f89d509e6d1371fd81b4ecd89c11d.zip