aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorLibravatar netblue30 <netblue30@yahoo.com>2015-12-10 13:49:30 -0500
committerLibravatar netblue30 <netblue30@yahoo.com>2015-12-10 13:49:30 -0500
commitac39cb31334c7951a97c4fc9b295c39924cd7427 (patch)
treedb1898678f479797b3fd3e732982bd883f417fce /src
parentrelease 0.9.36-rc1 testing (diff)
downloadfirejail-ac39cb31334c7951a97c4fc9b295c39924cd7427.tar.gz
firejail-ac39cb31334c7951a97c4fc9b295c39924cd7427.tar.zst
firejail-ac39cb31334c7951a97c4fc9b295c39924cd7427.zip
fixes
Diffstat (limited to 'src')
-rw-r--r--src/firejail/fs_etc.c30
-rw-r--r--src/firejail/fs_trace.c6
-rw-r--r--src/firejail/main.c23
-rw-r--r--src/firejail/profile.c8
-rw-r--r--src/firejail/sandbox.c6
5 files changed, 59 insertions, 14 deletions
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index df0e92203..b82baf1ad 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -24,7 +24,8 @@
24#include <sys/wait.h> 24#include <sys/wait.h>
25#include <unistd.h> 25#include <unistd.h>
26 26
27static void check_dir_or_file(const char *name) { 27// return 0 if file not found, 1 if found
28static int check_dir_or_file(const char *name) {
28 assert(name); 29 assert(name);
29 invalid_filename(name); 30 invalid_filename(name);
30 31
@@ -35,19 +36,20 @@ static void check_dir_or_file(const char *name) {
35 if (arg_debug) 36 if (arg_debug)
36 printf("Checking %s\n", fname); 37 printf("Checking %s\n", fname);
37 if (stat(fname, &s) == -1) { 38 if (stat(fname, &s) == -1) {
38 fprintf(stderr, "Error: file %s not found.\n", fname); 39 if (arg_debug)
39 exit(1); 40 printf("Warning: file %s not found.\n", fname);
41 return 0;
40 } 42 }
41 43
42 // dir or regular file 44 // dir or regular file
43 if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode)) { 45 if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode)) {
44 free(fname); 46 free(fname);
45 return; 47 return 1;
46 } 48 }
47 49
48 if (!is_link(fname)) { 50 if (!is_link(fname)) {
49 free(fname); 51 free(fname);
50 return; 52 return 1;
51 } 53 }
52 54
53 fprintf(stderr, "Error: invalid file type, %s.\n", fname); 55 fprintf(stderr, "Error: invalid file type, %s.\n", fname);
@@ -63,11 +65,23 @@ void fs_check_etc_list(void) {
63 char *dlist = strdup(cfg.etc_private_keep); 65 char *dlist = strdup(cfg.etc_private_keep);
64 if (!dlist) 66 if (!dlist)
65 errExit("strdup"); 67 errExit("strdup");
68
69 // build a new list only with the files found
70 char *newlist = malloc(strlen(cfg.etc_private_keep) + 1);
71 if (!newlist)
72 errExit("malloc");
73 *newlist = '\0';
66 74
67 char *ptr = strtok(dlist, ","); 75 char *ptr = strtok(dlist, ",");
68 check_dir_or_file(ptr); 76 if (check_dir_or_file(ptr))
69 while ((ptr = strtok(NULL, ",")) != NULL) 77 strcat(newlist, ptr);
70 check_dir_or_file(ptr); 78 while ((ptr = strtok(NULL, ",")) != NULL) {
79 if (check_dir_or_file(ptr)) {
80 strcat(newlist, ",");
81 strcat(newlist, ptr);
82 }
83 }
84 cfg.etc_private_keep = newlist;
71 85
72 free(dlist); 86 free(dlist);
73} 87}
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c
index 55a1b9c7a..eec51c3f9 100644
--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -42,7 +42,7 @@ void fs_trace_preload(void) {
42 errExit("chown"); 42 errExit("chown");
43 if (chmod("/etc/ld.so.preload", S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0) 43 if (chmod("/etc/ld.so.preload", S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
44 errExit("chmod"); 44 errExit("chmod");
45 fs_logger("touch /etc/ls.so.preload"); 45 fs_logger("touch /etc/ld.so.preload");
46 } 46 }
47} 47}
48 48
@@ -77,8 +77,8 @@ void fs_trace(void) {
77 if (arg_debug) 77 if (arg_debug)
78 printf("Mount the new ld.so.preload file\n"); 78 printf("Mount the new ld.so.preload file\n");
79 if (mount(RUN_LDPRELOAD_FILE, "/etc/ld.so.preload", NULL, MS_BIND|MS_REC, NULL) < 0) 79 if (mount(RUN_LDPRELOAD_FILE, "/etc/ld.so.preload", NULL, MS_BIND|MS_REC, NULL) < 0)
80 errExit("mount bind ls.so.preload"); 80 errExit("mount bind ld.so.preload");
81 fs_logger("create /etc/ls.so.preload"); 81 fs_logger("create /etc/ld.so.preload");
82} 82}
83 83
84 84
diff --git a/src/firejail/main.c b/src/firejail/main.c
index aad0af3e4..75b90ae81 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -831,6 +831,10 @@ int main(int argc, char **argv) {
831 831
832 // extract private home dirname 832 // extract private home dirname
833 cfg.home_private = argv[i] + 10; 833 cfg.home_private = argv[i] + 10;
834 if (*cfg.home_private == '\0') {
835 fprintf(stderr, "Error: invalid private option\n");
836 exit(1);
837 }
834 fs_check_private_dir(); 838 fs_check_private_dir();
835 arg_private = 1; 839 arg_private = 1;
836 } 840 }
@@ -842,6 +846,10 @@ int main(int argc, char **argv) {
842 846
843 // extract private home dirname 847 // extract private home dirname
844 cfg.home_private_keep = argv[i] + 15; 848 cfg.home_private_keep = argv[i] + 15;
849 if (*cfg.home_private_keep == '\0') {
850 fprintf(stderr, "Error: invalid private-home option\n");
851 exit(1);
852 }
845 fs_check_home_list(); 853 fs_check_home_list();
846 arg_private = 1; 854 arg_private = 1;
847 } 855 }
@@ -851,12 +859,25 @@ int main(int argc, char **argv) {
851 else if (strncmp(argv[i], "--private-etc=", 14) == 0) { 859 else if (strncmp(argv[i], "--private-etc=", 14) == 0) {
852 // extract private etc dirname 860 // extract private etc dirname
853 cfg.etc_private_keep = argv[i] + 14; 861 cfg.etc_private_keep = argv[i] + 14;
862 if (*cfg.etc_private_keep == '\0') {
863 fprintf(stderr, "Error: invalid private-etc option\n");
864 exit(1);
865 }
854 fs_check_etc_list(); 866 fs_check_etc_list();
855 arg_private_etc = 1; 867 if (*cfg.etc_private_keep != '\0')
868 arg_private_etc = 1;
869 else {
870 arg_private_etc = 0;
871 fprintf(stderr, "Warning: private-etc disabled, no file found\n");
872 }
856 } 873 }
857 else if (strncmp(argv[i], "--private-bin=", 14) == 0) { 874 else if (strncmp(argv[i], "--private-bin=", 14) == 0) {
858 // extract private etc dirname 875 // extract private etc dirname
859 cfg.bin_private_keep = argv[i] + 14; 876 cfg.bin_private_keep = argv[i] + 14;
877 if (*cfg.bin_private_keep == '\0') {
878 fprintf(stderr, "Error: invalid private-bin option\n");
879 exit(1);
880 }
860 fs_check_bin_list(); 881 fs_check_bin_list();
861 arg_private_bin = 1; 882 arg_private_bin = 1;
862 } 883 }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 366a56e13..244370b98 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -285,7 +285,13 @@ int profile_check_line(char *ptr, int lineno) {
285 if (strncmp(ptr, "private-etc ", 12) == 0) { 285 if (strncmp(ptr, "private-etc ", 12) == 0) {
286 cfg.etc_private_keep = ptr + 12; 286 cfg.etc_private_keep = ptr + 12;
287 fs_check_etc_list(); 287 fs_check_etc_list();
288 arg_private_etc = 1; 288 if (*cfg.etc_private_keep != '\0')
289 arg_private_etc = 1;
290 else {
291 arg_private_etc = 0;
292 fprintf(stderr, "Warning: private-etc disabled, no file found\n");
293 }
294
289 return 0; 295 return 0;
290 } 296 }
291 297
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 39f95a43a..4a1990382 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -380,8 +380,12 @@ int sandbox(void* sandbox_arg) {
380 380
381 if (arg_private_dev) 381 if (arg_private_dev)
382 fs_private_dev(); 382 fs_private_dev();
383 if (arg_private_etc) 383 if (arg_private_etc) {
384 fs_private_etc_list(); 384 fs_private_etc_list();
385 // create /etc/ld.so.preload file again
386 if (arg_trace || arg_tracelog)
387 fs_trace_preload();
388 }
385 if (arg_private_bin) 389 if (arg_private_bin)
386 fs_private_bin_list(); 390 fs_private_bin_list();
387 391
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-08 15:03:30 +0000