diff options
| author |  netblue30 <netblue30@yahoo.com> | 2017-11-06 10:19:57 -0500 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2017-11-06 10:19:57 -0500 |
| commit | 82f373dea7247cc96b91a8e079e2aff852713841 (patch) | |
| tree | 6c5e725db84fcf5fe67382f0f0bed836e0d92e6a /src | |
| parent | private-lib fix (diff) | |
| download | firejail-82f373dea7247cc96b91a8e079e2aff852713841.tar.gz firejail-82f373dea7247cc96b91a8e079e2aff852713841.tar.zst firejail-82f373dea7247cc96b91a8e079e2aff852713841.zip | |
private-bin cleanup
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/fs_bin.c | 37 |
1 files changed, 18 insertions, 19 deletions
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index eaa7362cf..a17c8dac0 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c | |||
| @@ -99,17 +99,17 @@ static char *check_dir_or_file(const char *name) { | |||
| 99 | static int valid_full_path_file(const char *name) { | 99 | static int valid_full_path_file(const char *name) { |
| 100 | assert(name); | 100 | assert(name); |
| 101 | 101 | ||
| 102 | char *full_name = realpath(name, NULL); | 102 | char *real_path = realpath(name, NULL); |
| 103 | if (!full_name) | 103 | if (!real_path) |
| 104 | goto errexit; | 104 | goto errexit; |
| 105 | char *fname = strrchr(full_name, '/'); | 105 | char *fname = strrchr(real_path, '/'); |
| 106 | if (!fname) | 106 | if (!fname) |
| 107 | goto errexit; | 107 | goto errexit; |
| 108 | if (*(++fname) == '\0') | 108 | if (*(++fname) == '\0') |
| 109 | goto errexit; | 109 | goto errexit; |
| 110 | 110 | ||
| 111 | int i = 0; | ||
| 112 | int found = 0; | 111 | int found = 0; |
| 112 | int i = 0; | ||
| 113 | while (paths[i]) { | 113 | while (paths[i]) { |
| 114 | // private-bin-no-local can be disabled in /etc/firejail/firejail.config | 114 | // private-bin-no-local can be disabled in /etc/firejail/firejail.config |
| 115 | if (checkcfg(CFG_PRIVATE_BIN_NO_LOCAL) && strstr(paths[i], "local/")) { | 115 | if (checkcfg(CFG_PRIVATE_BIN_NO_LOCAL) && strstr(paths[i], "local/")) { |
| @@ -118,31 +118,33 @@ static int valid_full_path_file(const char *name) { | |||
| 118 | } | 118 | } |
| 119 | 119 | ||
| 120 | // check file | 120 | // check file |
| 121 | char *full_name2; | 121 | char *path; |
| 122 | if (asprintf(&full_name2, "%s/%s", paths[i], fname) == -1) | 122 | if (asprintf(&path, "%s/%s", paths[i], fname) == -1) |
| 123 | errExit("asprintf"); | 123 | errExit("asprintf"); |
| 124 | 124 | ||
| 125 | if (strcmp(full_name, full_name2) == 0) { | 125 | if (strcmp(real_path, path) == 0) { |
| 126 | free(full_name2); | 126 | free(path); |
| 127 | found = 1; | 127 | // checking access |
| 128 | if (access(real_path, X_OK) == 0) | ||
| 129 | found = 1; | ||
| 128 | break; | 130 | break; |
| 129 | } | 131 | } |
| 130 | 132 | ||
| 131 | free(full_name2); | 133 | free(path); |
| 132 | i++; | 134 | i++; |
| 133 | } | 135 | } |
| 134 | 136 | ||
| 135 | if (!found) | 137 | if (!found) |
| 136 | goto errexit; | 138 | goto errexit; |
| 137 | 139 | ||
| 138 | free(full_name); | 140 | free(real_path); |
| 139 | return 1; | 141 | return 1; |
| 140 | 142 | ||
| 141 | errexit: | 143 | errexit: |
| 142 | if (arg_debug) | 144 | if (arg_debug) |
| 143 | fwarning("file %s not found\n", name); | 145 | fwarning("file %s not found\n", name); |
| 144 | if (full_name) | 146 | if (real_path) |
| 145 | free(full_name); | 147 | free(real_path); |
| 146 | return 0; | 148 | return 0; |
| 147 | } | 149 | } |
| 148 | 150 | ||
| @@ -171,13 +173,9 @@ static void duplicate(char *fname, FILE *fplist) { | |||
| 171 | char *full_path; | 173 | char *full_path; |
| 172 | if (*fname == '/') { | 174 | if (*fname == '/') { |
| 173 | // If the absolute filename is indicated, directly use it. This | 175 | // If the absolute filename is indicated, directly use it. This |
| 174 | // is required for the following three cases: | 176 | // is required for the following cases: |
| 175 | // - if user's $PATH order is not the same as the above | 177 | // - if user's $PATH order is not the same as the above |
| 176 | // paths[] variable order | 178 | // paths[] variable order |
| 177 | // - if for example /usr/bin/which is a symlink to /bin/which, | ||
| 178 | // because in this case the result is a symlink pointing to | ||
| 179 | // itself due to the file name being the same. | ||
| 180 | |||
| 181 | if (!valid_full_path_file(fname)) | 179 | if (!valid_full_path_file(fname)) |
| 182 | return; | 180 | return; |
| 183 | 181 | ||
| @@ -207,6 +205,7 @@ static void duplicate(char *fname, FILE *fplist) { | |||
| 207 | char *actual_path = realpath(full_path, NULL); | 205 | char *actual_path = realpath(full_path, NULL); |
| 208 | if (actual_path) { | 206 | if (actual_path) { |
| 209 | if (valid_full_path_file(actual_path)) { | 207 | if (valid_full_path_file(actual_path)) { |
| 208 | // copy the real file pointed by symlink | ||
| 210 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, actual_path, RUN_BIN_DIR); | 209 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, actual_path, RUN_BIN_DIR); |
| 211 | char *f = strrchr(actual_path, '/'); | 210 | char *f = strrchr(actual_path, '/'); |
| 212 | if (f && *(++f) !='\0') | 211 | if (f && *(++f) !='\0') |
| @@ -215,7 +214,7 @@ static void duplicate(char *fname, FILE *fplist) { | |||
| 215 | free(actual_path); | 214 | free(actual_path); |
| 216 | } | 215 | } |
| 217 | } | 216 | } |
| 218 | 217 | // copy a file or a symlink | |
| 219 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR); | 218 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR); |
| 220 | } | 219 | } |
| 221 | free(full_path); | 220 | free(full_path); |