diff options
| author |  Topi Miettinen <toiwoton@gmail.com> | 2017-07-30 22:33:56 +0300 |
|---|---|---|
| committer | Topi Miettinen <toiwoton@gmail.com> | 2017-07-30 22:36:16 +0300 |
| commit | 8d5b39766410b6d6eba7e6805691fceb88eca004 (patch) | |
| tree | 335b91375f891af22912ba39ec77f9d8596bbe85 /src | |
| parent | Memory-deny-write-execute feature (diff) | |
| download | firejail-8d5b39766410b6d6eba7e6805691fceb88eca004.tar.gz firejail-8d5b39766410b6d6eba7e6805691fceb88eca004.tar.zst firejail-8d5b39766410b6d6eba7e6805691fceb88eca004.zip | |
Fixes for the private-lib and memory-deny-write-execute features
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/fs_lib.c | 5 | ||||
| -rw-r--r-- | src/firejail/main.c | 14 | ||||
| -rw-r--r-- | src/firejail/profile.c | 16 |
3 files changed, 19 insertions, 16 deletions
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c index 4d328af7f..cc60a330f 100644 --- a/src/firejail/fs_lib.c +++ b/src/firejail/fs_lib.c | |||
| @@ -155,7 +155,6 @@ static void copy_libs_for_lib(const char *lib, const char *private_run_dir) { | |||
| 155 | 155 | ||
| 156 | void fs_private_lib(void) { | 156 | void fs_private_lib(void) { |
| 157 | char *private_list = cfg.lib_private_keep; | 157 | char *private_list = cfg.lib_private_keep; |
| 158 | assert(private_list); | ||
| 159 | 158 | ||
| 160 | // create /run/firejail/mnt/lib directory | 159 | // create /run/firejail/mnt/lib directory |
| 161 | mkdir_attr(RUN_LIB_DIR, 0755, 0, 0); | 160 | mkdir_attr(RUN_LIB_DIR, 0755, 0, 0); |
| @@ -169,9 +168,9 @@ void fs_private_lib(void) { | |||
| 169 | copy_libs_for_exe(cfg.shell, RUN_LIB_DIR); | 168 | copy_libs_for_exe(cfg.shell, RUN_LIB_DIR); |
| 170 | 169 | ||
| 171 | // for the listed libs | 170 | // for the listed libs |
| 172 | if (*private_list != '\0') { | 171 | if (private_list && *private_list != '\0') { |
| 173 | if (arg_debug) | 172 | if (arg_debug) |
| 174 | printf("Copying extra files in the new lib directory:\n"); | 173 | printf("Copying extra files (%s) in the new lib directory:\n", private_list); |
| 175 | 174 | ||
| 176 | char *dlist = strdup(private_list); | 175 | char *dlist = strdup(private_list); |
| 177 | if (!dlist) | 176 | if (!dlist) |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 561a14f5a..ff57a5693 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -1630,13 +1630,15 @@ int main(int argc, char **argv) { | |||
| 1630 | cfg.bin_private_keep = argv[i] + 14; | 1630 | cfg.bin_private_keep = argv[i] + 14; |
| 1631 | arg_private_bin = 1; | 1631 | arg_private_bin = 1; |
| 1632 | } | 1632 | } |
| 1633 | else if (strncmp(argv[i], "--private-lib=", 14) == 0) { | 1633 | else if (strncmp(argv[i], "--private-lib", 13) == 0) { |
| 1634 | // extract private lib list (if any) | 1634 | // extract private lib list (if any) |
| 1635 | if (cfg.lib_private_keep) { | 1635 | if (argv[i][13] == '=') { |
| 1636 | if (asprintf(&cfg.lib_private_keep, "%s,%s", cfg.lib_private_keep, argv[i] + 14) < 0 ) | 1636 | if (cfg.lib_private_keep) { |
| 1637 | errExit("asprintf"); | 1637 | if (argv[i][14] != '\0' && asprintf(&cfg.lib_private_keep, "%s,%s", cfg.lib_private_keep, argv[i] + 14) < 0) |
| 1638 | } else | 1638 | errExit("asprintf"); |
| 1639 | cfg.lib_private_keep = argv[i] + 14; | 1639 | } else |
| 1640 | cfg.lib_private_keep = argv[i] + 14; | ||
| 1641 | } | ||
| 1640 | arg_private_lib = 1; | 1642 | arg_private_lib = 1; |
| 1641 | } | 1643 | } |
| 1642 | else if (strcmp(argv[i], "--private-tmp") == 0) { | 1644 | else if (strcmp(argv[i], "--private-tmp") == 0) { |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 6d5ee349c..972f5932d 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
| @@ -596,7 +596,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
| 596 | } | 596 | } |
| 597 | 597 | ||
| 598 | // memory deny write&execute | 598 | // memory deny write&execute |
| 599 | if (strncmp(ptr, "memory-deny-write-execute ", sizeof("memory-deny-write-execute ") - 1) == 0) { | 599 | if (strcmp(ptr, "memory-deny-write-execute") == 0) { |
| 600 | #ifdef HAVE_SECCOMP | 600 | #ifdef HAVE_SECCOMP |
| 601 | if (checkcfg(CFG_SECCOMP)) | 601 | if (checkcfg(CFG_SECCOMP)) |
| 602 | arg_memory_deny_write_execute = 1; | 602 | arg_memory_deny_write_execute = 1; |
| @@ -861,12 +861,14 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
| 861 | } | 861 | } |
| 862 | 862 | ||
| 863 | // private /lib list of files | 863 | // private /lib list of files |
| 864 | if (strncmp(ptr, "private-lib ", 12) == 0) { | 864 | if (strncmp(ptr, "private-lib", 11) == 0) { |
| 865 | if (cfg.lib_private_keep) { | 865 | if (ptr[11] == ' ') { |
| 866 | if (asprintf(&cfg.lib_private_keep, "%s,%s", cfg.lib_private_keep, ptr + 12) < 0 ) | 866 | if (cfg.lib_private_keep) { |
| 867 | errExit("asprintf"); | 867 | if (ptr[12] != '\0' && asprintf(&cfg.lib_private_keep, "%s,%s", cfg.lib_private_keep, ptr + 12) < 0) |
| 868 | } else { | 868 | errExit("asprintf"); |
| 869 | cfg.lib_private_keep = ptr + 12; | 869 | } else { |
| 870 | cfg.lib_private_keep = ptr + 12; | ||
| 871 | } | ||
| 870 | } | 872 | } |
| 871 | arg_private_lib = 1; | 873 | arg_private_lib = 1; |
| 872 | return 0; | 874 | return 0; |