author | netblue30 <netblue30@yahoo.com> | 2015-11-23 19:45:01 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2015-11-23 19:45:01 -0500 |
commit | cf5e634e36c86f76518be29e625869b69b39796e (patch) | |
tree | 1719004bad2386d83a6243f258382346c7bf1266 /src | |
parent | todo (diff) | |
fixes
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/cgroup.c | 4 | ||||
-rw-r--r-- | src/firejail/cpu.c | 6 | ||||
-rw-r--r-- | src/firejail/firejail.h | 67 | ||||
-rw-r--r-- | src/firejail/fs.c | 56 | ||||
-rw-r--r-- | src/firejail/fs_bin.c | 12 | ||||
-rw-r--r-- | src/firejail/fs_dev.c | 16 | ||||
-rw-r--r-- | src/firejail/fs_etc.c | 12 | ||||
-rw-r--r-- | src/firejail/fs_home.c | 14 | ||||
-rw-r--r-- | src/firejail/fs_hostname.c | 30 | ||||
-rw-r--r-- | src/firejail/fs_trace.c | 8 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 78 | ||||
-rw-r--r-- | src/firejail/join.c | 8 | ||||
-rw-r--r-- | src/firejail/main.c | 2 | ||||
-rw-r--r-- | src/firejail/protocol.c | 8 | ||||
-rw-r--r-- | src/firejail/pulseaudio.c | 12 | ||||
-rw-r--r-- | src/firejail/restrict_users.c | 24 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 4 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 8 |
18 files changed, 185 insertions, 184 deletions
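--- a/src/firejail/cgroup.c
+++ b/src/firejail/cgroup.c
@@ -26,13 +26,13 @@ void save_cgroup(void) {
 if (cfg.cgroup == NULL)
 return;
 
-FILE *fp = fopen(CGROUP_CFG, "w");
+FILE *fp = fopen(RUN_CGROUP_CFG, "w");
 if (fp) {
 fprintf(fp, "%s", cfg.cgroup);
 fflush(0);
 if (fclose(fp))
 goto errout;
-if (chown(CGROUP_CFG, 0, 0) < 0)
+if (chown(RUN_CGROUP_CFG, 0, 0) < 0)
 errExit("chown");
 }
 else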
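--- a/src/firejail/cpu.c
+++ b/src/firejail/cpu.c
@@ -73,13 +73,13 @@ void save_cpu(void) {
 if (cfg.cpus == 0)
 return;
 
-FILE *fp = fopen(CPU_CFG, "w");
+FILE *fp = fopen(RUN_CPU_CFG, "w");
 if (fp) {
 fprintf(fp, "%x\n", cfg.cpus);
 fclose(fp);
-if (chmod(CPU_CFG, 0600) < 0)
+if (chmod(RUN_CPU_CFG, 0600) < 0)
 errExit("chmod");
-if (chown(CPU_CFG, 0, 0) < 0)
+if (chown(RUN_CPU_CFG, 0, 0) < 0)
 errExit("chown");
 }
 else {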
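--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -22,39 +22,40 @@
 #include "../include/common.h"
 
 // filesystem
-#define FIREJAIL_DIR "/run/firejail"
-#define NETWORK_LOCK_FILE "/run/firejail/firejail.lock"
-#define RO_DIR "/run/firejail/firejail.ro.dir"
-#define RO_FILE "/run/firejail/firejail.ro.file"
-#define MNT_DIR "/run/firejail/mnt" // a tmpfs is mounted on this directory before any of the files below are created
-#define SECCOMP_CFG "/run/firejail/mnt/seccomp"
-#define CGROUP_CFG "/run/firejail/mnt/cgroup"
-#define CPU_CFG "/run/firejail/mnt/cpu"
-#define GROUPS_CFG "/run/firejail/mnt/groups"
-#define PROTOCOL_CFG "/run/firejail/mnt/protocol"
-#define CP_COMMAND "/run/firejail/mnt/cp"
-#define HOME_DIR "/run/firejail/mnt/home"
-#define ETC_DIR "/run/firejail/mnt/etc"
-#define BIN_DIR "/run/firejail/mnt/bin"
-#define DRI_DIR "/run/firejail/mnt/dri"
-#define PULSE_DIR "/run/firejail/mnt/pulse"
-#define DEVLOG_FILE "/run/firejail/mnt/devlog"
+#define RUN_FIREJAIL_DIR "/run/firejail"
+#define RUN_NETWORK_LOCK_FILE "/run/firejail/firejail.lock"
+#define RUN_RO_DIR "/run/firejail/firejail.ro.dir"
+#define RUN_RO_FILE "/run/firejail/firejail.ro.file"
+#define RUN_MNT_DIR "/run/firejail/mnt" // a tmpfs is mounted on this directory before any of the files below are created
+#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp"
+#define RUN_CGROUP_CFG "/run/firejail/mnt/cgroup"
+#define RUN_CPU_CFG "/run/firejail/mnt/cpu"
+#define RUN_GROUPS_CFG "/run/firejail/mnt/groups"
+#define RUN_PROTOCOL_CFG "/run/firejail/mnt/protocol"
+#define RUN_CP_COMMAND "/run/firejail/mnt/cp"
+#define RUN_HOME_DIR "/run/firejail/mnt/home"
+#define RUN_ETC_DIR "/run/firejail/mnt/etc"
+#define RUN_BIN_DIR "/run/firejail/mnt/bin"
+#define RUN_DRI_DIR "/run/firejail/mnt/dri"
+#define RUN_PULSE_DIR "/run/firejail/mnt/pulse"
+#define RUN_DEVLOG_FILE "/run/firejail/mnt/devlog"
 
-#define WHITELIST_HOME_DIR "/run/firejail/mnt/orig-home" // default home directory masking
-#define WHITELIST_HOME_USER_DIR "/run/firejail/mnt/orig-home-user" // home directory whitelisting
-#define WHITELIST_TMP_DIR "/run/firejail/mnt/orig-tmp"
-#define WHITELIST_MEDIA_DIR "/run/firejail/mnt/orig-media"
-#define WHITELIST_VAR_DIR "/run/firejail/mnt/orig-var"
-#define WHITELIST_DEV_DIR "/run/firejail/mnt/orig-dev"
-#define WHITELIST_OPT_DIR "/run/firejail/mnt/orig-opt"
+#define RUN_WHITELIST_HOME_DIR "/run/firejail/mnt/orig-home" // default home directory masking
+#define RUN_WHITELIST_HOME_USER_DIR "/run/firejail/mnt/orig-home-user" // home directory whitelisting
+#define RUN_WHITELIST_TMP_DIR "/run/firejail/mnt/orig-tmp"
+#define RUN_WHITELIST_MEDIA_DIR "/run/firejail/mnt/orig-media"
+#define RUN_WHITELIST_VAR_DIR "/run/firejail/mnt/orig-var"
+#define RUN_WHITELIST_DEV_DIR "/run/firejail/mnt/orig-dev"
+#define RUN_WHITELIST_OPT_DIR "/run/firejail/mnt/orig-opt"
 
-#define XAUTHORITY_FILE "/run/firejail/mnt/.Xauthority"
-#define HOSTNAME_FILE "/run/firejail/mnt/hostname"
-#define RESOLVCONF_FILE "/run/firejail/mnt/resolv.conf"
-#define LDPRELOAD_FILE "/run/firejail/mnt/ld.so.preload"
-#define UTMP_FILE "/run/firejail/mnt/utmp"
-#define PASSWD_FILE "/run/firejail/mnt/passwd"
-#define GROUP_FILE "/run/firejail/mnt/group"
+#define RUN_XAUTHORITY_FILE "/run/firejail/mnt/.Xauthority"
+#define RUN_HOSTNAME_FILE "/run/firejail/mnt/hostname"
+#define RUN_HOSTS_FILE "/run/firejail/mnt/hosts"
+#define RUN_RESOLVCONF_FILE "/run/firejail/mnt/resolv.conf"
+#define RUN_LDPRELOAD_FILE "/run/firejail/mnt/ld.so.preload"
+#define RUN_UTMP_FILE "/run/firejail/mnt/utmp"
+#define RUN_PASSWD_FILE "/run/firejail/mnt/passwd"
+#define RUN_GROUP_FILE "/run/firejail/mnt/group"
 
 // profiles
 #define DEFAULT_USER_PROFILE "generic"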
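Review bot: The new `RUN_HOSTS_FILE` define, like every other path in this block, spells out the "/run/firejail/mnt" prefix again instead of being derived from `RUN_MNT_DIR`. Adjacent string literals concatenate in C, so `#define RUN_HOSTS_FILE RUN_MNT_DIR "/hosts"` (and likewise `#define RUN_ETC_DIR RUN_MNT_DIR "/etc"`) would keep each file under the tmpfs mount point by construction. That matters here because the comment on `RUN_MNT_DIR` says the tmpfs is mounted before any of these files are created, and fs_etc.c carries a comment that its copy "assumes ETC_DIR is actually MNT_DIR/etc"; with independent literals a later edit to one path can break either assumption without a compile error.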
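--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -30,12 +30,12 @@
 static void create_empty_dir(void) {
 struct stat s;
 
-if (stat(RO_DIR, &s)) {
+if (stat(RUN_RO_DIR, &s)) {
 /* coverity[toctou] */
-int rv = mkdir(RO_DIR, S_IRUSR | S_IXUSR);
+int rv = mkdir(RUN_RO_DIR, S_IRUSR | S_IXUSR);
 if (rv == -1)
 errExit("mkdir");
-if (chown(RO_DIR, 0, 0) < 0)
+if (chown(RUN_RO_DIR, 0, 0) < 0)
 errExit("chown");
 }
 }
@@ -43,15 +43,15 @@ static void create_empty_dir(void) {
 static void create_empty_file(void) {
 struct stat s;
 
-if (stat(RO_FILE, &s)) {
+if (stat(RUN_RO_FILE, &s)) {
 /* coverity[toctou] */
-FILE *fp = fopen(RO_FILE, "w");
+FILE *fp = fopen(RUN_RO_FILE, "w");
 if (!fp)
 errExit("fopen");
 fclose(fp);
-if (chown(RO_FILE, 0, 0) < 0)
+if (chown(RUN_RO_FILE, 0, 0) < 0)
 errExit("chown");
-if (chmod(RO_FILE, S_IRUSR) < 0)
+if (chmod(RUN_RO_FILE, S_IRUSR) < 0)
 errExit("chown");
 }
 }
@@ -60,21 +60,21 @@ static void create_empty_file(void) {
 void fs_build_firejail_dir(void) {
 struct stat s;
 
-if (stat(FIREJAIL_DIR, &s)) {
+if (stat(RUN_FIREJAIL_DIR, &s)) {
 if (arg_debug)
-printf("Creating %s directory\n", FIREJAIL_DIR);
+printf("Creating %s directory\n", RUN_FIREJAIL_DIR);
 /* coverity[toctou] */
-int rv = mkdir(FIREJAIL_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+int rv = mkdir(RUN_FIREJAIL_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
 if (rv == -1)
 errExit("mkdir");
-if (chown(FIREJAIL_DIR, 0, 0) < 0)
+if (chown(RUN_FIREJAIL_DIR, 0, 0) < 0)
 errExit("chown");
-if (chmod(FIREJAIL_DIR, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
+if (chmod(RUN_FIREJAIL_DIR, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
 errExit("chmod");
 }
 else { // check /tmp/firejail directory belongs to root end exit if doesn't!
 if (s.st_uid != 0 || s.st_gid != 0) {
-fprintf(stderr, "Error: non-root %s directory, exiting...\n", FIREJAIL_DIR);
+fprintf(stderr, "Error: non-root %s directory, exiting...\n", RUN_FIREJAIL_DIR);
 exit(1);
 }
 }
@@ -96,16 +96,16 @@ void fs_build_mnt_dir(void) {
 fs_build_firejail_dir();
 
 // create /run/firejail/mnt directory
-if (stat(MNT_DIR, &s)) {
+if (stat(RUN_MNT_DIR, &s)) {
 if (arg_debug)
-printf("Creating %s directory\n", MNT_DIR);
+printf("Creating %s directory\n", RUN_MNT_DIR);
 /* coverity[toctou] */
-int rv = mkdir(MNT_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+int rv = mkdir(RUN_MNT_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
 if (rv == -1)
 errExit("mkdir");
-if (chown(MNT_DIR, 0, 0) < 0)
+if (chown(RUN_MNT_DIR, 0, 0) < 0)
 errExit("chown");
-if (chmod(MNT_DIR, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
+if (chmod(RUN_MNT_DIR, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
 errExit("chmod");
 }
 
@@ -113,8 +113,8 @@ void fs_build_mnt_dir(void) {
 if (!tmpfs_mounted) {
 // mount tmpfs on top of /run/firejail/mnt
 if (arg_debug)
-printf("Mounting tmpfs on %s directory\n", MNT_DIR);
-if (mount("tmpfs", MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+printf("Mounting tmpfs on %s directory\n", RUN_MNT_DIR);
+if (mount("tmpfs", RUN_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 errExit("mounting /tmp/firejail/mnt");
 tmpfs_mounted = 1;
 }
@@ -124,7 +124,7 @@ void fs_build_mnt_dir(void) {
 void fs_build_cp_command(void) {
 struct stat s;
 fs_build_mnt_dir();
-if (stat(CP_COMMAND, &s)) {
+if (stat(RUN_CP_COMMAND, &s)) {
 char* fname = realpath("/bin/cp", NULL);
 if (fname == NULL) {
 fprintf(stderr, "Error: /bin/cp not found\n");
@@ -134,13 +134,13 @@ void fs_build_cp_command(void) {
 fprintf(stderr, "Error: /bin/cp not found\n");
 exit(1);
 }
-int rv = copy_file(fname, CP_COMMAND);
+int rv = copy_file(fname, RUN_CP_COMMAND);
 if (rv) {
 fprintf(stderr, "Error: cannot access /bin/cp\n");
 exit(1);
 }
 /* coverity[toctou] */
-if (chmod(CP_COMMAND, 0755))
+if (chmod(RUN_CP_COMMAND, 0755))
 errExit("chmod");
 
 free(fname);
@@ -149,7 +149,7 @@ void fs_build_cp_command(void) {
 
 // delete the temporary cp command
 void fs_delete_cp_command(void) {
-unlink(CP_COMMAND);
+unlink(RUN_CP_COMMAND);
 }
 
 //***********************************************
@@ -205,11 +205,11 @@ static void disable_file(OPERATION op, const char *filename) {
 if (arg_debug)
 printf("Disable %s\n", fname);
 if (S_ISDIR(s.st_mode)) {
-if (mount(RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
 errExit("disable file");
 }
 else {
-if (mount(RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
 errExit("disable file");
 }
 last_disable = SUCCESSFUL;
@@ -649,7 +649,7 @@ void fs_overlayfs(void) {
 fs_build_mnt_dir();
 
 char *oroot;
-if(asprintf(&oroot, "%s/oroot", MNT_DIR) == -1)
+if(asprintf(&oroot, "%s/oroot", RUN_MNT_DIR) == -1)
 errExit("asprintf");
 if (mkdir(oroot, S_IRWXU | S_IRWXG | S_IRWXO))
 errExit("mkdir");
@@ -658,7 +658,7 @@ void fs_overlayfs(void) {
 if (chmod(oroot, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
 errExit("chmod");
 
-char *basedir = MNT_DIR;
+char *basedir = RUN_MNT_DIR;
 if (arg_overlay_keep) {
 // set base for working and diff directories
 basedir = cfg.overlay_dir;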
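Review bot: The identifiers now carry a RUN_ prefix, but the text next to them still names /tmp: the comment `// check /tmp/firejail directory belongs to root end exit if doesn't!` in fs_build_firejail_dir and the runtime message `errExit("mounting /tmp/firejail/mnt")` in fs_build_mnt_dir point at a path the code no longer uses. Someone diagnosing a failed tmpfs mount from that message would look in the wrong place; `errExit("mounting /run/firejail/mnt")` and a comment naming `RUN_FIREJAIL_DIR` would match the code. In create_empty_file the failing `chmod(RUN_RO_FILE, S_IRUSR)` is also reported as `errExit("chown")`, which should read `errExit("chmod")`. Several of these functions begin or end outside the visible hunks.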
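--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -137,7 +137,7 @@ static void duplicate(char *fname) {
 char *actual_path = realpath(full_path, NULL);
 if (actual_path) {
 // copy the file
-if (asprintf(&cmd, "%s -a %s %s/%s", CP_COMMAND, actual_path, BIN_DIR, fname) == -1)
+if (asprintf(&cmd, "%s -a %s %s/%s", RUN_CP_COMMAND, actual_path, RUN_BIN_DIR, fname) == -1)
 errExit("asprintf");
 if (arg_debug)
 printf("%s\n", cmd);
@@ -168,12 +168,12 @@ void fs_private_bin_list(void) {
 
 // create /tmp/firejail/mnt/bin directory
 fs_build_mnt_dir();
-int rv = mkdir(BIN_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+int rv = mkdir(RUN_BIN_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
 if (rv == -1)
 errExit("mkdir");
-if (chown(BIN_DIR, 0, 0) < 0)
+if (chown(RUN_BIN_DIR, 0, 0) < 0)
 errExit("chown");
-if (chmod(BIN_DIR, 0755) < 0)
+if (chmod(RUN_BIN_DIR, 0755) < 0)
 errExit("chmod");
 
 // copy the list of files in the new etc directory
@@ -211,8 +211,8 @@ void fs_private_bin_list(void) {
 i = 0;
 while (paths[i]) {
 if (arg_debug)
-printf("Mount-bind %s on top of %s\n", BIN_DIR, paths[i]);
-if (mount(BIN_DIR, paths[i], NULL, MS_BIND|MS_REC, NULL) < 0)
+printf("Mount-bind %s on top of %s\n", RUN_BIN_DIR, paths[i]);
+if (mount(RUN_BIN_DIR, paths[i], NULL, MS_BIND|MS_REC, NULL) < 0)
 errExit("mount bind");
 i++;
 }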
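Review bot: The copy command in duplicate() is assembled as `"%s -a %s %s/%s"` with `actual_path` and `fname` unquoted, while the matching line in fs_home.c wraps the name in `\"%s\"`. How `cmd` is executed lies outside the hunk; if it is handed to a shell, a name containing whitespace or shell metacharacters would be split or interpreted there, in code that elsewhere in this file runs with enough privilege to call mount(). Quoting alone is only a partial answer because a name can itself contain a quote character, so the sturdier options are to reject names outside a strict character set before formatting, or to run the copy with an argument vector rather than a command string. duplicate() in fs_etc.c builds its command with the same unquoted pattern.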
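--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -76,16 +76,16 @@ void fs_private_dev(void){
 fs_build_mnt_dir();
 if (have_dri) {
 /* coverity[toctou] */
-rv = mkdir(DRI_DIR, 0755);
+rv = mkdir(RUN_DRI_DIR, 0755);
 if (rv == -1)
 errExit("mkdir");
-if (chown(DRI_DIR, 0, 0) < 0)
+if (chown(RUN_DRI_DIR, 0, 0) < 0)
 errExit("chown");
-if (chmod(DRI_DIR, 0755) < 0)
+if (chmod(RUN_DRI_DIR, 0755) < 0)
 errExit("chmod");
 
 // keep a copy of /dev/dri under DRI_DIR
-if (mount("/dev/dri", DRI_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
+if (mount("/dev/dri", RUN_DRI_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
 errExit("mounting /dev/dri");
 }
 
@@ -93,13 +93,13 @@ void fs_private_dev(void){
 int have_devlog = 0;
 if (stat("/dev/log", &s) == 0) {
 have_devlog = 1;
-FILE *fp = fopen(DEVLOG_FILE, "w");
+FILE *fp = fopen(RUN_DEVLOG_FILE, "w");
 if (!fp)
 have_devlog = 0;
 else {
 fprintf(fp, "\n");
 fclose(fp);
-if (mount("/dev/log", DEVLOG_FILE, NULL, MS_BIND|MS_REC, NULL) < 0)
+if (mount("/dev/log", RUN_DEVLOG_FILE, NULL, MS_BIND|MS_REC, NULL) < 0)
 errExit("mounting /dev/log");
 }
 }
@@ -114,7 +114,7 @@ void fs_private_dev(void){
 if (fp) {
 fprintf(fp, "\n");
 fclose(fp);
-if (mount(DEVLOG_FILE, "/dev/log", NULL, MS_BIND|MS_REC, NULL) < 0)
+if (mount(RUN_DEVLOG_FILE, "/dev/log", NULL, MS_BIND|MS_REC, NULL) < 0)
 errExit("mounting /dev/log");
 }
 }
@@ -129,7 +129,7 @@ void fs_private_dev(void){
 errExit("chown");
 if (chmod("/dev/dri",0755) < 0)
 errExit("chmod");
-if (mount(DRI_DIR, "/dev/dri", NULL, MS_BIND|MS_REC, NULL) < 0)
+if (mount(RUN_DRI_DIR, "/dev/dri", NULL, MS_BIND|MS_REC, NULL) < 0)
 errExit("mounting /dev/dri");
 }
 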
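--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -76,7 +76,7 @@ static void duplicate(char *fname) {
 char *cmd;
 
 // copy the file - this code assumes ETC_DIR is actually MNT_DIR/etc
-if (asprintf(&cmd, "%s -a --parents /etc/%s %s", CP_COMMAND, fname, MNT_DIR) == -1)
+if (asprintf(&cmd, "%s -a --parents /etc/%s %s", RUN_CP_COMMAND, fname, RUN_MNT_DIR) == -1)
 errExit("asprintf");
 if (arg_debug)
 printf("%s\n", cmd);
@@ -98,12 +98,12 @@ void fs_private_etc_list(void) {
 
 // create /tmp/firejail/mnt/etc directory
 fs_build_mnt_dir();
-int rv = mkdir(ETC_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+int rv = mkdir(RUN_ETC_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
 if (rv == -1)
 errExit("mkdir");
-if (chown(ETC_DIR, 0, 0) < 0)
+if (chown(RUN_ETC_DIR, 0, 0) < 0)
 errExit("chown");
-if (chmod(ETC_DIR, 0755) < 0)
+if (chmod(RUN_ETC_DIR, 0755) < 0)
 errExit("chmod");
 
 // copy the list of files in the new etc directory
@@ -138,8 +138,8 @@ void fs_private_etc_list(void) {
 waitpid(child, NULL, 0);
 
 if (arg_debug)
-printf("Mount-bind %s on top of /etc\n", ETC_DIR);
-if (mount(ETC_DIR, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0)
+printf("Mount-bind %s on top of /etc\n", RUN_ETC_DIR);
+if (mount(RUN_ETC_DIR, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0)
 errExit("mount bind");
 
 }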
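--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -113,7 +113,7 @@ static int store_xauthority(void) {
 fs_build_mnt_dir();
 
 char *src;
-char *dest = XAUTHORITY_FILE;
+char *dest = RUN_XAUTHORITY_FILE;
 if (asprintf(&src, "%s/.Xauthority", cfg.homedir) == -1)
 errExit("asprintf");
 
@@ -132,7 +132,7 @@ static int store_xauthority(void) {
 
 static void copy_xauthority(void) {
 // copy XAUTHORITY_FILE in the new home directory
-char *src = XAUTHORITY_FILE ;
+char *src = RUN_XAUTHORITY_FILE ;
 char *dest;
 if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
 errExit("asprintf");
@@ -370,7 +370,7 @@ static void duplicate(char *name) {
 }
 
 // copy the file
-if (asprintf(&cmd, "%s -a --parents \"%s\" %s", CP_COMMAND, fname, HOME_DIR) == -1)
+if (asprintf(&cmd, "%s -a --parents \"%s\" %s", RUN_CP_COMMAND, fname, RUN_HOME_DIR) == -1)
 errExit("asprintf");
 if (arg_debug)
 printf("%s\n", cmd);
@@ -405,12 +405,12 @@ void fs_private_home_list(void) {
 
 // create /tmp/firejail/mnt/home directory
 fs_build_mnt_dir();
-int rv = mkdir(HOME_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+int rv = mkdir(RUN_HOME_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
 if (rv == -1)
 errExit("mkdir");
-if (chown(HOME_DIR, u, g) < 0)
+if (chown(RUN_HOME_DIR, u, g) < 0)
 errExit("chown");
-if (chmod(HOME_DIR, 0755) < 0)
+if (chmod(RUN_HOME_DIR, 0755) < 0)
 errExit("chmod");
 
 // copy the list of files in the new home directory
@@ -448,7 +448,7 @@ void fs_private_home_list(void) {
 
 // mount bind private_homedir on top of homedir
 char *newhome;
-if (asprintf(&newhome, "%s%s", HOME_DIR, cfg.homedir) == -1)
+if (asprintf(&newhome, "%s%s", RUN_HOME_DIR, cfg.homedir) == -1)
 errExit("asprintf");
 
 if (arg_debug)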
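--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -34,22 +34,22 @@ void fs_hostname(const char *hostname) {
 if (arg_debug)
 printf("Creating a new /etc/hostname file\n");
 
-FILE *fp = fopen(HOSTNAME_FILE, "w");
+FILE *fp = fopen(RUN_HOSTNAME_FILE, "w");
 if (!fp) {
-fprintf(stderr, "Error: cannot create %s\n", HOSTNAME_FILE);
+fprintf(stderr, "Error: cannot create %s\n", RUN_HOSTNAME_FILE);
 exit(1);
 }
 fprintf(fp, "%s\n", hostname);
 fclose(fp);
 
 // mode and owner
-if (chown(HOSTNAME_FILE, 0, 0) < 0)
+if (chown(RUN_HOSTNAME_FILE, 0, 0) < 0)
 errExit("chown");
-if (chmod(HOSTNAME_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
+if (chmod(RUN_HOSTNAME_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
 errExit("chmod");
 
 // bind-mount the file on top of /etc/hostname
-if (mount(HOSTNAME_FILE, "/etc/hostname", NULL, MS_BIND|MS_REC, NULL) < 0)
+if (mount(RUN_HOSTNAME_FILE, "/etc/hostname", NULL, MS_BIND|MS_REC, NULL) < 0)
 errExit("mount bind /etc/hostname");
 }
 
@@ -64,9 +64,9 @@ void fs_hostname(const char *hostname) {
 fprintf(stderr, "Error: cannot open /etc/hosts\n");
 exit(1);
 }
-FILE *fp2 = fopen(HOSTNAME_FILE, "w");
+FILE *fp2 = fopen(RUN_HOSTS_FILE, "w");
 if (!fp2) {
-fprintf(stderr, "Error: cannot create %s\n", HOSTNAME_FILE);
+fprintf(stderr, "Error: cannot create %s\n", RUN_HOSTS_FILE);
 exit(1);
 }
 
@@ -90,13 +90,13 @@ void fs_hostname(const char *hostname) {
 fclose(fp2);
 
 // mode and owner
-if (chown(HOSTNAME_FILE, 0, 0) < 0)
+if (chown(RUN_HOSTS_FILE, 0, 0) < 0)
 errExit("chown");
-if (chmod(HOSTNAME_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
+if (chmod(RUN_HOSTS_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
 errExit("chmod");
 
 // bind-mount the file on top of /etc/hostname
-if (mount(HOSTNAME_FILE, "/etc/hosts", NULL, MS_BIND|MS_REC, NULL) < 0)
+if (mount(RUN_HOSTS_FILE, "/etc/hosts", NULL, MS_BIND|MS_REC, NULL) < 0)
 errExit("mount bind /etc/hosts");
 }
 }
@@ -112,9 +112,9 @@ void fs_resolvconf(void) {
 if (stat("/etc/resolv.conf", &s) == 0) {
 if (arg_debug)
 printf("Creating a new /etc/resolv.conf file\n");
-FILE *fp = fopen(RESOLVCONF_FILE, "w");
+FILE *fp = fopen(RUN_RESOLVCONF_FILE, "w");
 if (!fp) {
-fprintf(stderr, "Error: cannot create %s\n", RESOLVCONF_FILE);
+fprintf(stderr, "Error: cannot create %s\n", RUN_RESOLVCONF_FILE);
 exit(1);
 }
 
@@ -127,13 +127,13 @@ void fs_resolvconf(void) {
 fclose(fp);
 
 // mode and owner
-if (chown(RESOLVCONF_FILE, 0, 0) < 0)
+if (chown(RUN_RESOLVCONF_FILE, 0, 0) < 0)
 errExit("chown");
-if (chmod(RESOLVCONF_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
+if (chmod(RUN_RESOLVCONF_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
 errExit("chmod");
 
 // bind-mount the file on top of /etc/hostname
-if (mount(RUN_RESOLVCONF_FILE, "/etc/resolv.conf", NULL, MS_BIND|MS_REC, NULL) < 0)
+if (mount(RUN_RESOLVCONF_FILE, "/etc/resolv.conf", NULL, MS_BIND|MS_REC, NULL) < 0)
 errExit("mount bind /etc/resolv.conf");
 }
 else {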
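Review bot: The result of `fclose(fp2)` in the `-90,13` hunk, and of `fclose(fp)` in the hostname and resolv.conf paths, is ignored before the file is bind-mounted over /etc/hosts, /etc/hostname or /etc/resolv.conf, so a failed flush would leave a truncated file mounted inside the sandbox with no error reported. save_cgroup in cgroup.c already treats a failing fclose as an error; the equivalent here is `if (fclose(fp2)) errExit("fclose");`. Separately, the comments above the /etc/hosts and /etc/resolv.conf mounts still read `// bind-mount the file on top of /etc/hostname`, residue of the same copy-paste behind the path mix-up this commit corrects, and should name the file actually mounted. fs_hostname and fs_resolvconf both begin and end outside the visible hunks.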
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index 2b0f52a98..f4f5d3e81 100644 --- a/src/firejail/fs_trace.c +++ b/src/firejail/fs_trace.c | |||
@@ -53,20 +53,20 @@ void fs_trace(void) { | |||
53 | if (arg_debug) | 53 | if (arg_debug) |
54 | printf("Create the new ld.so.preload file\n"); | 54 | printf("Create the new ld.so.preload file\n"); |
55 | 55 | ||
56 | FILE *fp = fopen(LDPRELOAD_FILE, "w"); | 56 | FILE *fp = fopen(RUN_LDPRELOAD_FILE, "w"); |
57 | if (!fp) | 57 | if (!fp) |
58 | errExit("fopen"); | 58 | errExit("fopen"); |
59 | fprintf(fp, "%s/firejail/libtrace.so\n", LIBDIR); | 59 | fprintf(fp, "%s/firejail/libtrace.so\n", LIBDIR); |
60 | fclose(fp); | 60 | fclose(fp); |
61 | if (chown(LDPRELOAD_FILE, 0, 0) < 0) | 61 | if (chown(RUN_LDPRELOAD_FILE, 0, 0) < 0) |
62 | errExit("chown"); | 62 | errExit("chown"); |
63 | if (chmod(LDPRELOAD_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0) | 63 | if (chmod(RUN_LDPRELOAD_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0) |
64 | errExit("chmod"); | 64 | errExit("chmod"); |
65 | 65 | ||
66 | // mount the new preload file | 66 | // mount the new preload file |
67 | if (arg_debug) | 67 | if (arg_debug) |
68 | printf("Mount the new ld.so.preload file\n"); | 68 | printf("Mount the new ld.so.preload file\n"); |
69 | if (mount(LDPRELOAD_FILE, "/etc/ld.so.preload", NULL, MS_BIND|MS_REC, NULL) < 0) | 69 | if (mount(RUN_LDPRELOAD_FILE, "/etc/ld.so.preload", NULL, MS_BIND|MS_REC, NULL) < 0) |
70 | errExit("mount bind ls.so.preload"); | 70 | errExit("mount bind ls.so.preload"); |
71 | } | 71 | } |
72 | 72 | ||
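Review bot: In fs_trace the new preload file is created with `fopen(RUN_LDPRELOAD_FILE, "w")` and its owner and mode are only set by path after `fclose`, so the name is resolved again for `chown` and `chmod` and the file briefly carries whatever mode the umask produced. Because this file is then bind-mounted over /etc/ld.so.preload, it is worth setting ownership on the open descriptor instead, `if (fchown(fileno(fp), 0, 0) < 0) errExit("fchown");` and `if (fchmod(fileno(fp), 0644) < 0) errExit("fchmod");` before the `fclose`, and checking the `fclose` result. fs_trace begins above the hunk, and how exposed this is depends on who can write to the directory behind the macro, which the hunk does not show. The same create-then-chown-by-path sequence appears in fs_resolvconf, sanitize_passwd, sanitize_group, protocol_filter_save, save_nogroups and write_seccomp_file. The `errExit("mount bind ls.so.preload")` text also looks like a typo for ld.so.preload.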
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 9016e3923..a38539078 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -83,7 +83,7 @@ static void whitelist_path(ProfileEntry *entry) { | |||
83 | exit(1); | 83 | exit(1); |
84 | } | 84 | } |
85 | 85 | ||
86 | if (asprintf(&wfile, "%s/%s", WHITELIST_HOME_USER_DIR, fname) == -1) | 86 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1) |
87 | errExit("asprintf"); | 87 | errExit("asprintf"); |
88 | } | 88 | } |
89 | else if (entry->tmp_dir) { | 89 | else if (entry->tmp_dir) { |
@@ -93,7 +93,7 @@ static void whitelist_path(ProfileEntry *entry) { | |||
93 | exit(1); | 93 | exit(1); |
94 | } | 94 | } |
95 | 95 | ||
96 | if (asprintf(&wfile, "%s/%s", WHITELIST_TMP_DIR, fname) == -1) | 96 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_TMP_DIR, fname) == -1) |
97 | errExit("asprintf"); | 97 | errExit("asprintf"); |
98 | } | 98 | } |
99 | else if (entry->media_dir) { | 99 | else if (entry->media_dir) { |
@@ -103,7 +103,7 @@ static void whitelist_path(ProfileEntry *entry) { | |||
103 | exit(1); | 103 | exit(1); |
104 | } | 104 | } |
105 | 105 | ||
106 | if (asprintf(&wfile, "%s/%s", WHITELIST_MEDIA_DIR, fname) == -1) | 106 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MEDIA_DIR, fname) == -1) |
107 | errExit("asprintf"); | 107 | errExit("asprintf"); |
108 | } | 108 | } |
109 | else if (entry->var_dir) { | 109 | else if (entry->var_dir) { |
@@ -113,7 +113,7 @@ static void whitelist_path(ProfileEntry *entry) { | |||
113 | exit(1); | 113 | exit(1); |
114 | } | 114 | } |
115 | 115 | ||
116 | if (asprintf(&wfile, "%s/%s", WHITELIST_VAR_DIR, fname) == -1) | 116 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_VAR_DIR, fname) == -1) |
117 | errExit("asprintf"); | 117 | errExit("asprintf"); |
118 | } | 118 | } |
119 | else if (entry->dev_dir) { | 119 | else if (entry->dev_dir) { |
@@ -123,7 +123,7 @@ static void whitelist_path(ProfileEntry *entry) { | |||
123 | exit(1); | 123 | exit(1); |
124 | } | 124 | } |
125 | 125 | ||
126 | if (asprintf(&wfile, "%s/%s", WHITELIST_DEV_DIR, fname) == -1) | 126 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_DEV_DIR, fname) == -1) |
127 | errExit("asprintf"); | 127 | errExit("asprintf"); |
128 | } | 128 | } |
129 | else if (entry->opt_dir) { | 129 | else if (entry->opt_dir) { |
@@ -133,7 +133,7 @@ static void whitelist_path(ProfileEntry *entry) { | |||
133 | exit(1); | 133 | exit(1); |
134 | } | 134 | } |
135 | 135 | ||
136 | if (asprintf(&wfile, "%s/%s", WHITELIST_OPT_DIR, fname) == -1) | 136 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1) |
137 | errExit("asprintf"); | 137 | errExit("asprintf"); |
138 | } | 138 | } |
139 | 139 | ||
@@ -315,16 +315,16 @@ void fs_whitelist(void) { | |||
315 | 315 | ||
316 | // /home/user | 316 | // /home/user |
317 | if (home_dir) { | 317 | if (home_dir) { |
318 | // keep a copy of real home dir in WHITELIST_HOME_USER_DIR | 318 | // keep a copy of real home dir in RUN_WHITELIST_HOME_USER_DIR |
319 | int rv = mkdir(WHITELIST_HOME_USER_DIR, S_IRWXU | S_IRWXG | S_IRWXO); | 319 | int rv = mkdir(RUN_WHITELIST_HOME_USER_DIR, S_IRWXU | S_IRWXG | S_IRWXO); |
320 | if (rv == -1) | 320 | if (rv == -1) |
321 | errExit("mkdir"); | 321 | errExit("mkdir"); |
322 | if (chown(WHITELIST_HOME_USER_DIR, getuid(), getgid()) < 0) | 322 | if (chown(RUN_WHITELIST_HOME_USER_DIR, getuid(), getgid()) < 0) |
323 | errExit("chown"); | 323 | errExit("chown"); |
324 | if (chmod(WHITELIST_HOME_USER_DIR, 0755) < 0) | 324 | if (chmod(RUN_WHITELIST_HOME_USER_DIR, 0755) < 0) |
325 | errExit("chmod"); | 325 | errExit("chmod"); |
326 | 326 | ||
327 | if (mount(cfg.homedir, WHITELIST_HOME_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 327 | if (mount(cfg.homedir, RUN_WHITELIST_HOME_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
328 | errExit("mount bind"); | 328 | errExit("mount bind"); |
329 | 329 | ||
330 | // mount a tmpfs and initialize /home/user | 330 | // mount a tmpfs and initialize /home/user |
@@ -334,15 +334,15 @@ void fs_whitelist(void) { | |||
334 | // /tmp mountpoint | 334 | // /tmp mountpoint |
335 | if (tmp_dir) { | 335 | if (tmp_dir) { |
336 | // keep a copy of real /tmp directory in WHITELIST_TMP_DIR | 336 | // keep a copy of real /tmp directory in WHITELIST_TMP_DIR |
337 | int rv = mkdir(WHITELIST_TMP_DIR, S_IRWXU | S_IRWXG | S_IRWXO); | 337 | int rv = mkdir(RUN_WHITELIST_TMP_DIR, S_IRWXU | S_IRWXG | S_IRWXO); |
338 | if (rv == -1) | 338 | if (rv == -1) |
339 | errExit("mkdir"); | 339 | errExit("mkdir"); |
340 | if (chown(WHITELIST_TMP_DIR, 0, 0) < 0) | 340 | if (chown(RUN_WHITELIST_TMP_DIR, 0, 0) < 0) |
341 | errExit("chown"); | 341 | errExit("chown"); |
342 | if (chmod(WHITELIST_TMP_DIR, 0777) < 0) | 342 | if (chmod(RUN_WHITELIST_TMP_DIR, 0777) < 0) |
343 | errExit("chmod"); | 343 | errExit("chmod"); |
344 | 344 | ||
345 | if (mount("/tmp", WHITELIST_TMP_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 345 | if (mount("/tmp", RUN_WHITELIST_TMP_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
346 | errExit("mount bind"); | 346 | errExit("mount bind"); |
347 | 347 | ||
348 | // mount tmpfs on /tmp | 348 | // mount tmpfs on /tmp |
@@ -354,16 +354,16 @@ void fs_whitelist(void) { | |||
354 | 354 | ||
355 | // /media mountpoint | 355 | // /media mountpoint |
356 | if (media_dir) { | 356 | if (media_dir) { |
357 | // keep a copy of real /media directory in WHITELIST_MEDIA_DIR | 357 | // keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR |
358 | int rv = mkdir(WHITELIST_MEDIA_DIR, S_IRWXU | S_IRWXG | S_IRWXO); | 358 | int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, S_IRWXU | S_IRWXG | S_IRWXO); |
359 | if (rv == -1) | 359 | if (rv == -1) |
360 | errExit("mkdir"); | 360 | errExit("mkdir"); |
361 | if (chown(WHITELIST_MEDIA_DIR, 0, 0) < 0) | 361 | if (chown(RUN_WHITELIST_MEDIA_DIR, 0, 0) < 0) |
362 | errExit("chown"); | 362 | errExit("chown"); |
363 | if (chmod(WHITELIST_MEDIA_DIR, 0755) < 0) | 363 | if (chmod(RUN_WHITELIST_MEDIA_DIR, 0755) < 0) |
364 | errExit("chmod"); | 364 | errExit("chmod"); |
365 | 365 | ||
366 | if (mount("/media", WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 366 | if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
367 | errExit("mount bind"); | 367 | errExit("mount bind"); |
368 | 368 | ||
369 | // mount tmpfs on /media | 369 | // mount tmpfs on /media |
@@ -375,16 +375,16 @@ void fs_whitelist(void) { | |||
375 | 375 | ||
376 | // /media mountpoint | 376 | // /media mountpoint |
377 | if (var_dir) { | 377 | if (var_dir) { |
378 | // keep a copy of real /var directory in WHITELIST_VAR_DIR | 378 | // keep a copy of real /var directory in RUN_WHITELIST_VAR_DIR |
379 | int rv = mkdir(WHITELIST_VAR_DIR, S_IRWXU | S_IRWXG | S_IRWXO); | 379 | int rv = mkdir(RUN_WHITELIST_VAR_DIR, S_IRWXU | S_IRWXG | S_IRWXO); |
380 | if (rv == -1) | 380 | if (rv == -1) |
381 | errExit("mkdir"); | 381 | errExit("mkdir"); |
382 | if (chown(WHITELIST_VAR_DIR, 0, 0) < 0) | 382 | if (chown(RUN_WHITELIST_VAR_DIR, 0, 0) < 0) |
383 | errExit("chown"); | 383 | errExit("chown"); |
384 | if (chmod(WHITELIST_VAR_DIR, 0755) < 0) | 384 | if (chmod(RUN_WHITELIST_VAR_DIR, 0755) < 0) |
385 | errExit("chmod"); | 385 | errExit("chmod"); |
386 | 386 | ||
387 | if (mount("/var", WHITELIST_VAR_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 387 | if (mount("/var", RUN_WHITELIST_VAR_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
388 | errExit("mount bind"); | 388 | errExit("mount bind"); |
389 | 389 | ||
390 | // mount tmpfs on /var | 390 | // mount tmpfs on /var |
@@ -396,16 +396,16 @@ void fs_whitelist(void) { | |||
396 | 396 | ||
397 | // /dev mountpoint | 397 | // /dev mountpoint |
398 | if (dev_dir) { | 398 | if (dev_dir) { |
399 | // keep a copy of real /dev directory in WHITELIST_DEV_DIR | 399 | // keep a copy of real /dev directory in RUN_WHITELIST_DEV_DIR |
400 | int rv = mkdir(WHITELIST_DEV_DIR, S_IRWXU | S_IRWXG | S_IRWXO); | 400 | int rv = mkdir(RUN_WHITELIST_DEV_DIR, S_IRWXU | S_IRWXG | S_IRWXO); |
401 | if (rv == -1) | 401 | if (rv == -1) |
402 | errExit("mkdir"); | 402 | errExit("mkdir"); |
403 | if (chown(WHITELIST_DEV_DIR, 0, 0) < 0) | 403 | if (chown(RUN_WHITELIST_DEV_DIR, 0, 0) < 0) |
404 | errExit("chown"); | 404 | errExit("chown"); |
405 | if (chmod(WHITELIST_DEV_DIR, 0755) < 0) | 405 | if (chmod(RUN_WHITELIST_DEV_DIR, 0755) < 0) |
406 | errExit("chmod"); | 406 | errExit("chmod"); |
407 | 407 | ||
408 | if (mount("/dev", WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 408 | if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
409 | errExit("mount bind"); | 409 | errExit("mount bind"); |
410 | 410 | ||
411 | // mount tmpfs on /dev | 411 | // mount tmpfs on /dev |
@@ -417,16 +417,16 @@ void fs_whitelist(void) { | |||
417 | 417 | ||
418 | // /opt mountpoint | 418 | // /opt mountpoint |
419 | if (opt_dir) { | 419 | if (opt_dir) { |
420 | // keep a copy of real /opt directory in WHITELIST_DEV_DIR | 420 | // keep a copy of real /opt directory in RUN_WHITELIST_DEV_DIR |
421 | int rv = mkdir(WHITELIST_OPT_DIR, S_IRWXU | S_IRWXG | S_IRWXO); | 421 | int rv = mkdir(RUN_WHITELIST_OPT_DIR, S_IRWXU | S_IRWXG | S_IRWXO); |
422 | if (rv == -1) | 422 | if (rv == -1) |
423 | errExit("mkdir"); | 423 | errExit("mkdir"); |
424 | if (chown(WHITELIST_OPT_DIR, 0, 0) < 0) | 424 | if (chown(RUN_WHITELIST_OPT_DIR, 0, 0) < 0) |
425 | errExit("chown"); | 425 | errExit("chown"); |
426 | if (chmod(WHITELIST_OPT_DIR, 0755) < 0) | 426 | if (chmod(RUN_WHITELIST_OPT_DIR, 0755) < 0) |
427 | errExit("chmod"); | 427 | errExit("chmod"); |
428 | 428 | ||
429 | if (mount("/opt", WHITELIST_OPT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 429 | if (mount("/opt", RUN_WHITELIST_OPT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
430 | errExit("mount bind"); | 430 | errExit("mount bind"); |
431 | 431 | ||
432 | // mount tmpfs on /opt | 432 | // mount tmpfs on /opt |
@@ -468,15 +468,15 @@ void fs_whitelist(void) { | |||
468 | entry = entry->next; | 468 | entry = entry->next; |
469 | } | 469 | } |
470 | 470 | ||
471 | // mask the real home directory, currently mounted on WHITELIST_HOME_DIR | 471 | // mask the real home directory, currently mounted on RUN_WHITELIST_HOME_DIR |
472 | if (home_dir) { | 472 | if (home_dir) { |
473 | if (mount("tmpfs", WHITELIST_HOME_USER_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 473 | if (mount("tmpfs", RUN_WHITELIST_HOME_USER_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
474 | errExit("mount tmpfs"); | 474 | errExit("mount tmpfs"); |
475 | } | 475 | } |
476 | 476 | ||
477 | // mask the real /tmp directory, currently mounted on WHITELIST_TMP_DIR | 477 | // mask the real /tmp directory, currently mounted on RUN_WHITELIST_TMP_DIR |
478 | if (tmp_dir) { | 478 | if (tmp_dir) { |
479 | if (mount("tmpfs", WHITELIST_TMP_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 479 | if (mount("tmpfs", RUN_WHITELIST_TMP_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
480 | errExit("mount tmpfs"); | 480 | errExit("mount tmpfs"); |
481 | } | 481 | } |
482 | 482 | ||
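Review bot: The rename left several comments in fs_whitelist out of step with the code they describe: the /tmp comment still names `WHITELIST_TMP_DIR`, the /opt comment names `RUN_WHITELIST_DEV_DIR` although the code uses `RUN_WHITELIST_OPT_DIR`, and the final masking comment names `RUN_WHITELIST_HOME_DIR` although the mount targets `RUN_WHITELIST_HOME_USER_DIR`. The `var_dir` block is also headed `// /media mountpoint`. In mount-ordering code like this a reader relies on the comments to check which directory is preserved and which is masked, so they should read `// keep a copy of real /tmp directory in RUN_WHITELIST_TMP_DIR`, `// keep a copy of real /opt directory in RUN_WHITELIST_OPT_DIR` and `// /var mountpoint`. protocol.c has the same leftover in `// save protocol filter configuration in PROTOCOL_CFG`. The function body extends beyond the hunks shown.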
diff --git a/src/firejail/join.c b/src/firejail/join.c index 64e092197..8b3c196c7 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -69,7 +69,7 @@ static void extract_command(int argc, char **argv, int index) { | |||
69 | 69 | ||
70 | static void extract_nogroups(pid_t pid) { | 70 | static void extract_nogroups(pid_t pid) { |
71 | char *fname; | 71 | char *fname; |
72 | if (asprintf(&fname, "/proc/%d/root%s", pid, GROUPS_CFG) == -1) | 72 | if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_GROUPS_CFG) == -1) |
73 | errExit("asprintf"); | 73 | errExit("asprintf"); |
74 | 74 | ||
75 | struct stat s; | 75 | struct stat s; |
@@ -82,7 +82,7 @@ static void extract_nogroups(pid_t pid) { | |||
82 | 82 | ||
83 | static void extract_cpu(pid_t pid) { | 83 | static void extract_cpu(pid_t pid) { |
84 | char *fname; | 84 | char *fname; |
85 | if (asprintf(&fname, "/proc/%d/root%s", pid, CPU_CFG) == -1) | 85 | if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_CPU_CFG) == -1) |
86 | errExit("asprintf"); | 86 | errExit("asprintf"); |
87 | 87 | ||
88 | struct stat s; | 88 | struct stat s; |
@@ -96,7 +96,7 @@ static void extract_cpu(pid_t pid) { | |||
96 | 96 | ||
97 | static void extract_cgroup(pid_t pid) { | 97 | static void extract_cgroup(pid_t pid) { |
98 | char *fname; | 98 | char *fname; |
99 | if (asprintf(&fname, "/proc/%d/root%s", pid, CGROUP_CFG) == -1) | 99 | if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_CGROUP_CFG) == -1) |
100 | errExit("asprintf"); | 100 | errExit("asprintf"); |
101 | 101 | ||
102 | struct stat s; | 102 | struct stat s; |
@@ -281,7 +281,7 @@ void join(pid_t pid, const char *homedir, int argc, char **argv, int index) { | |||
281 | caps_set(caps); | 281 | caps_set(caps); |
282 | #ifdef HAVE_SECCOMP | 282 | #ifdef HAVE_SECCOMP |
283 | // set protocol filter | 283 | // set protocol filter |
284 | protocol_filter_load(PROTOCOL_CFG); | 284 | protocol_filter_load(RUN_PROTOCOL_CFG); |
285 | if (cfg.protocol) { | 285 | if (cfg.protocol) { |
286 | protocol_filter(); | 286 | protocol_filter(); |
287 | } | 287 | } |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 1495d7516..891653587 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1263,7 +1263,7 @@ int main(int argc, char **argv) { | |||
1263 | 1263 | ||
1264 | // check and assign an IP address - for macvlan it will be done again in the sandbox! | 1264 | // check and assign an IP address - for macvlan it will be done again in the sandbox! |
1265 | if (any_bridge_configured()) { | 1265 | if (any_bridge_configured()) { |
1266 | lockfd = open(NETWORK_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR); | 1266 | lockfd = open(RUN_NETWORK_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR); |
1267 | if (lockfd != -1) { | 1267 | if (lockfd != -1) { |
1268 | int rv = fchown(lockfd, 0, 0); | 1268 | int rv = fchown(lockfd, 0, 0); |
1269 | (void) rv; | 1269 | (void) rv; |
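Review bot: The lock file is opened with `open(RUN_NETWORK_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR)`, which follows a symbolic link in the last path component and leaves the descriptor inheritable, and the `fchown` result is then discarded with `(void) rv`. Adding `O_NOFOLLOW | O_CLOEXEC` to the flags and treating a failed `fchown` as an error would keep the lock robust if the directory holding it is ever writable by a non-root user; the hunk does not show where the macro points. main continues outside the hunk, so the locking and close path could not be checked here.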
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c index 8ee5fd3b8..b5d50b4fc 100644 --- a/src/firejail/protocol.c +++ b/src/firejail/protocol.c | |||
@@ -261,16 +261,16 @@ void protocol_filter_save(void) { | |||
261 | // save protocol filter configuration in PROTOCOL_CFG | 261 | // save protocol filter configuration in PROTOCOL_CFG |
262 | fs_build_mnt_dir(); | 262 | fs_build_mnt_dir(); |
263 | 263 | ||
264 | FILE *fp = fopen(PROTOCOL_CFG, "w"); | 264 | FILE *fp = fopen(RUN_PROTOCOL_CFG, "w"); |
265 | if (!fp) | 265 | if (!fp) |
266 | errExit("fopen"); | 266 | errExit("fopen"); |
267 | fprintf(fp, "%s\n", cfg.protocol); | 267 | fprintf(fp, "%s\n", cfg.protocol); |
268 | fclose(fp); | 268 | fclose(fp); |
269 | 269 | ||
270 | if (chmod(PROTOCOL_CFG, 0600) < 0) | 270 | if (chmod(RUN_PROTOCOL_CFG, 0600) < 0) |
271 | errExit("chmod"); | 271 | errExit("chmod"); |
272 | 272 | ||
273 | if (chown(PROTOCOL_CFG, 0, 0) < 0) | 273 | if (chown(RUN_PROTOCOL_CFG, 0, 0) < 0) |
274 | errExit("chown"); | 274 | errExit("chown"); |
275 | 275 | ||
276 | } | 276 | } |
@@ -354,7 +354,7 @@ void protocol_print_filter(pid_t pid) { | |||
354 | 354 | ||
355 | // find the seccomp filter | 355 | // find the seccomp filter |
356 | char *fname; | 356 | char *fname; |
357 | if (asprintf(&fname, "/proc/%d/root%s", pid, PROTOCOL_CFG) == -1) | 357 | if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_PROTOCOL_CFG) == -1) |
358 | errExit("asprintf"); | 358 | errExit("asprintf"); |
359 | 359 | ||
360 | struct stat s; | 360 | struct stat s; |
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index 0e1edea14..6ead5799c 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c | |||
@@ -38,11 +38,11 @@ static void disable_file(const char *path, const char *file) { | |||
38 | printf("Disable%s\n", fname); | 38 | printf("Disable%s\n", fname); |
39 | 39 | ||
40 | if (S_ISDIR(s.st_mode)) { | 40 | if (S_ISDIR(s.st_mode)) { |
41 | if (mount(RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0) | 41 | if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0) |
42 | errExit("disable file"); | 42 | errExit("disable file"); |
43 | } | 43 | } |
44 | else { | 44 | else { |
45 | if (mount(RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0) | 45 | if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0) |
46 | errExit("disable file"); | 46 | errExit("disable file"); |
47 | } | 47 | } |
48 | 48 | ||
@@ -92,16 +92,16 @@ void pulseaudio_init(void) { | |||
92 | 92 | ||
93 | // create the new user pulseaudio directory | 93 | // create the new user pulseaudio directory |
94 | fs_build_mnt_dir(); | 94 | fs_build_mnt_dir(); |
95 | int rv = mkdir(PULSE_DIR, S_IRWXU | S_IRWXG | S_IRWXO); | 95 | int rv = mkdir(RUN_PULSE_DIR, S_IRWXU | S_IRWXG | S_IRWXO); |
96 | (void) rv; // in --chroot mode the directory canalready be there | 96 | (void) rv; // in --chroot mode the directory canalready be there |
97 | if (chown(PULSE_DIR, getuid(), getgid()) < 0) | 97 | if (chown(RUN_PULSE_DIR, getuid(), getgid()) < 0) |
98 | errExit("chown"); | 98 | errExit("chown"); |
99 | if (chmod(PULSE_DIR, 0700) < 0) | 99 | if (chmod(RUN_PULSE_DIR, 0700) < 0) |
100 | errExit("chmod"); | 100 | errExit("chmod"); |
101 | 101 | ||
102 | // create the new client.conf file | 102 | // create the new client.conf file |
103 | char *pulsecfg = NULL; | 103 | char *pulsecfg = NULL; |
104 | if (asprintf(&pulsecfg, "%s/client.conf", PULSE_DIR) == -1) | 104 | if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1) |
105 | errExit("asprintf"); | 105 | errExit("asprintf"); |
106 | if (copy_file("/etc/pulse/client.conf", pulsecfg)) | 106 | if (copy_file("/etc/pulse/client.conf", pulsecfg)) |
107 | errExit("copy_file"); | 107 | errExit("copy_file"); |
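Review bot: In pulseaudio_init the `mkdir(RUN_PULSE_DIR, ...)` result is thrown away and the path is then handed to `chown(RUN_PULSE_DIR, getuid(), getgid())`, so any failure other than "already exists" is silently accepted and whatever object is at that path is given to the calling user. `chown` follows symbolic links, so it would be safer to accept only EEXIST, `if (rv == -1 && errno != EEXIST) errExit("mkdir");`, and to confirm with `lstat` that the path is a directory before changing its owner. Whether the path can pre-exist with unexpected content depends on fs_build_mnt_dir and on the --chroot case the comment mentions, neither of which is visible in the hunk. The function starts and ends outside the hunk.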
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index d2d106f27..733dbef41 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c | |||
@@ -73,11 +73,11 @@ static void sanitize_home(void) { | |||
73 | } | 73 | } |
74 | 74 | ||
75 | fs_build_mnt_dir(); | 75 | fs_build_mnt_dir(); |
76 | if (mkdir(WHITELIST_HOME_DIR, 0755) == -1) | 76 | if (mkdir(RUN_WHITELIST_HOME_DIR, 0755) == -1) |
77 | errExit("mkdir"); | 77 | errExit("mkdir"); |
78 | 78 | ||
79 | // keep a copy of the user home directory | 79 | // keep a copy of the user home directory |
80 | if (mount(cfg.homedir, WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 80 | if (mount(cfg.homedir, RUN_WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
81 | errExit("mount bind"); | 81 | errExit("mount bind"); |
82 | 82 | ||
83 | // mount tmpfs in the new home | 83 | // mount tmpfs in the new home |
@@ -95,11 +95,11 @@ static void sanitize_home(void) { | |||
95 | errExit("chmod"); | 95 | errExit("chmod"); |
96 | 96 | ||
97 | // mount user home directory | 97 | // mount user home directory |
98 | if (mount(WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0) | 98 | if (mount(RUN_WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0) |
99 | errExit("mount bind"); | 99 | errExit("mount bind"); |
100 | 100 | ||
101 | // mask home dir under /run | 101 | // mask home dir under /run |
102 | if (mount("tmpfs", WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 102 | if (mount("tmpfs", RUN_WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
103 | errExit("mount tmpfs"); | 103 | errExit("mount tmpfs"); |
104 | } | 104 | } |
105 | 105 | ||
@@ -118,7 +118,7 @@ static void sanitize_passwd(void) { | |||
118 | fpin = fopen("/etc/passwd", "r"); | 118 | fpin = fopen("/etc/passwd", "r"); |
119 | if (!fpin) | 119 | if (!fpin) |
120 | goto errout; | 120 | goto errout; |
121 | fpout = fopen(PASSWD_FILE, "w"); | 121 | fpout = fopen(RUN_PASSWD_FILE, "w"); |
122 | if (!fpout) | 122 | if (!fpout) |
123 | goto errout; | 123 | goto errout; |
124 | 124 | ||
@@ -172,13 +172,13 @@ static void sanitize_passwd(void) { | |||
172 | } | 172 | } |
173 | fclose(fpin); | 173 | fclose(fpin); |
174 | fclose(fpout); | 174 | fclose(fpout); |
175 | if (chown(PASSWD_FILE, 0, 0) == -1) | 175 | if (chown(RUN_PASSWD_FILE, 0, 0) == -1) |
176 | errExit("chown"); | 176 | errExit("chown"); |
177 | if (chmod(PASSWD_FILE, 0644) == -1) | 177 | if (chmod(RUN_PASSWD_FILE, 0644) == -1) |
178 | errExit("chmod"); | 178 | errExit("chmod"); |
179 | 179 | ||
180 | // mount-bind tne new password file | 180 | // mount-bind tne new password file |
181 | if (mount(PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0) | 181 | if (mount(RUN_PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0) |
182 | errExit("mount"); | 182 | errExit("mount"); |
183 | 183 | ||
184 | return; | 184 | return; |
@@ -249,7 +249,7 @@ static void sanitize_group(void) { | |||
249 | fpin = fopen("/etc/group", "r"); | 249 | fpin = fopen("/etc/group", "r"); |
250 | if (!fpin) | 250 | if (!fpin) |
251 | goto errout; | 251 | goto errout; |
252 | fpout = fopen(GROUP_FILE, "w"); | 252 | fpout = fopen(RUN_GROUP_FILE, "w"); |
253 | if (!fpout) | 253 | if (!fpout) |
254 | goto errout; | 254 | goto errout; |
255 | 255 | ||
@@ -298,13 +298,13 @@ static void sanitize_group(void) { | |||
298 | } | 298 | } |
299 | fclose(fpin); | 299 | fclose(fpin); |
300 | fclose(fpout); | 300 | fclose(fpout); |
301 | if (chown(GROUP_FILE, 0, 0) == -1) | 301 | if (chown(RUN_GROUP_FILE, 0, 0) == -1) |
302 | errExit("chown"); | 302 | errExit("chown"); |
303 | if (chmod(GROUP_FILE, 0644) == -1) | 303 | if (chmod(RUN_GROUP_FILE, 0644) == -1) |
304 | errExit("chmod"); | 304 | errExit("chmod"); |
305 | 305 | ||
306 | // mount-bind tne new group file | 306 | // mount-bind tne new group file |
307 | if (mount(GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0) | 307 | if (mount(RUN_GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0) |
308 | errExit("mount"); | 308 | errExit("mount"); |
309 | 309 | ||
310 | return; | 310 | return; |
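Review bot: The bind mounts in sanitize_passwd and sanitize_group pass `"none"` and `"mode=400,gid=0"` to `mount` together with `MS_BIND`, but for a bind mount the kernel ignores the filesystem type and data arguments, so the string has no effect on the mounted file. Access is governed by the `chmod(..., 0644)` on the source file, and if a read-only mount is intended it needs a second call such as `mount(NULL, "/etc/passwd", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY, NULL)`. Passing `NULL` for both arguments, as the other bind mounts in this commit do, would avoid suggesting a restriction that is not applied. disable_file in pulseaudio.c uses the same arguments. Both functions begin and end outside the hunks shown.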
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index dd444f0b9..2827ca9d3 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -48,11 +48,11 @@ void save_nogroups(void) { | |||
48 | if (arg_nogroups == 0) | 48 | if (arg_nogroups == 0) |
49 | return; | 49 | return; |
50 | 50 | ||
51 | FILE *fp = fopen(GROUPS_CFG, "w"); | 51 | FILE *fp = fopen(RUN_GROUPS_CFG, "w"); |
52 | if (fp) { | 52 | if (fp) { |
53 | fprintf(fp, "\n"); | 53 | fprintf(fp, "\n"); |
54 | fclose(fp); | 54 | fclose(fp); |
55 | if (chown(GROUPS_CFG, 0, 0) < 0) | 55 | if (chown(RUN_GROUPS_CFG, 0, 0) < 0) |
56 | errExit("chown"); | 56 | errExit("chown"); |
57 | } | 57 | } |
58 | else { | 58 | else { |
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index a3efa54df..eb6e489dd 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
@@ -266,7 +266,7 @@ static void write_seccomp_file(void) { | |||
266 | fs_build_mnt_dir(); | 266 | fs_build_mnt_dir(); |
267 | assert(sfilter); | 267 | assert(sfilter); |
268 | 268 | ||
269 | int fd = open(SECCOMP_CFG, O_CREAT | O_WRONLY, S_IRUSR | S_IWUSR); | 269 | int fd = open(RUN_SECCOMP_CFG, O_CREAT | O_WRONLY, S_IRUSR | S_IWUSR); |
270 | if (fd == -1) | 270 | if (fd == -1) |
271 | errExit("open"); | 271 | errExit("open"); |
272 | 272 | ||
@@ -279,7 +279,7 @@ static void write_seccomp_file(void) { | |||
279 | exit(1); | 279 | exit(1); |
280 | } | 280 | } |
281 | close(fd); | 281 | close(fd); |
282 | if (chown(SECCOMP_CFG, 0, 0) < 0) | 282 | if (chown(RUN_SECCOMP_CFG, 0, 0) < 0) |
283 | errExit("chown"); | 283 | errExit("chown"); |
284 | } | 284 | } |
285 | 285 | ||
@@ -690,7 +690,7 @@ int seccomp_filter_errno(void) { | |||
690 | 690 | ||
691 | void seccomp_set(void) { | 691 | void seccomp_set(void) { |
692 | // read seccomp filter from /tmp/firejail/mnt/seccomp | 692 | // read seccomp filter from /tmp/firejail/mnt/seccomp |
693 | read_seccomp_file(SECCOMP_CFG); | 693 | read_seccomp_file(RUN_SECCOMP_CFG); |
694 | 694 | ||
695 | // apply filter | 695 | // apply filter |
696 | struct sock_fprog prog = { | 696 | struct sock_fprog prog = { |
@@ -751,7 +751,7 @@ void seccomp_print_filter(pid_t pid) { | |||
751 | 751 | ||
752 | // find the seccomp filter | 752 | // find the seccomp filter |
753 | char *fname; | 753 | char *fname; |
754 | if (asprintf(&fname, "/proc/%d/root%s", pid, SECCOMP_CFG) == -1) | 754 | if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_SECCOMP_CFG) == -1) |
755 | errExit("asprintf"); | 755 | errExit("asprintf"); |
756 | 756 | ||
757 | struct stat s; | 757 | struct stat s; |
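Review bot: write_seccomp_file opens the filter file with `open(RUN_SECCOMP_CFG, O_CREAT | O_WRONLY, S_IRUSR | S_IWUSR)` and no `O_TRUNC`, so if the file already exists and is longer than the filter being written, the old tail stays in place. Whether read_seccomp_file would then load those extra bytes is not visible here, but `O_CREAT | O_WRONLY | O_TRUNC | O_NOFOLLOW` removes the question, and `fchown(fd, 0, 0)` before `close(fd)` would replace the later `chown` by path. The comment in seccomp_set still says `/tmp/firejail/mnt/seccomp`; it should name `RUN_SECCOMP_CFG` so that it stays correct wherever the macro points. These functions extend outside the hunks shown.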