aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorLibravatar smitsohu <smitsohu@gmail.com>2018-07-05 23:11:40 +0200
committerLibravatar smitsohu <smitsohu@gmail.com>2018-07-05 23:11:40 +0200
commit0be440a16f04dffc62286236d557a44db5bc04a8 (patch)
treec09cc1196484d9658fe5067eaa2ca2f2b0227957 /src
parentMerges + misc fixes (diff)
downloadfirejail-0be440a16f04dffc62286236d557a44db5bc04a8.tar.gz
firejail-0be440a16f04dffc62286236d557a44db5bc04a8.tar.zst
firejail-0be440a16f04dffc62286236d557a44db5bc04a8.zip
remove redundant checks in whitelist_path
Diffstat (limited to 'src')
-rw-r--r--src/firejail/fs_whitelist.c64
1 files changed, 12 insertions, 52 deletions
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index d52b3996a..d11f727ec 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -197,111 +197,83 @@ static void whitelist_path(ProfileEntry *entry) {
197 char *wfile = NULL; 197 char *wfile = NULL;
198 198
199 if (entry->home_dir) { 199 if (entry->home_dir) {
200 if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) { 200 if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) != 0)
201 fname = path + strlen(cfg.homedir);
202 if (*fname == '\0')
203 goto errexit;
204 }
205 else
206 // symlink pointing outside /home, skip the mount 201 // symlink pointing outside /home, skip the mount
207 return; 202 return;
208 203
204 fname = path + strlen(cfg.homedir);
205
209 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1) 206 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1)
210 errExit("asprintf"); 207 errExit("asprintf");
211 } 208 }
212 else if (entry->tmp_dir) { 209 else if (entry->tmp_dir) {
213 fname = path + 5; // strlen("/tmp/") 210 fname = path + 5; // strlen("/tmp/")
214#ifndef TEST_MOUNTINFO
215 if (*fname == '\0')
216 errLogExit("whitelisting /tmp problem");
217#endif
218 211
219 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_TMP_DIR, fname) == -1) 212 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_TMP_DIR, fname) == -1)
220 errExit("asprintf"); 213 errExit("asprintf");
221 } 214 }
222 else if (entry->media_dir) { 215 else if (entry->media_dir) {
223 fname = path + 7; // strlen("/media/") 216 fname = path + 7; // strlen("/media/")
224 if (*fname == '\0')
225 goto errexit;
226 217
227 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MEDIA_DIR, fname) == -1) 218 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MEDIA_DIR, fname) == -1)
228 errExit("asprintf"); 219 errExit("asprintf");
229 } 220 }
230 else if (entry->mnt_dir) { 221 else if (entry->mnt_dir) {
231 fname = path + 5; // strlen("/mnt/") 222 fname = path + 5; // strlen("/mnt/")
232 if (*fname == '\0')
233 goto errexit;
234 223
235 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MNT_DIR, fname) == -1) 224 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MNT_DIR, fname) == -1)
236 errExit("asprintf"); 225 errExit("asprintf");
237 } 226 }
238 else if (entry->var_dir) { 227 else if (entry->var_dir) {
239 if (strncmp(path, "/var/", 5) == 0) { 228 if (strncmp(path, "/var/", 5) != 0)
240 fname = path + 5; // strlen("/var/")
241 if (*fname == '\0')
242 goto errexit;
243 }
244 else
245 // symlink pointing outside /var, skip the mount 229 // symlink pointing outside /var, skip the mount
246 return; 230 return;
247 231
232 fname = path + 5; // strlen("/var/")
233
248 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_VAR_DIR, fname) == -1) 234 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_VAR_DIR, fname) == -1)
249 errExit("asprintf"); 235 errExit("asprintf");
250 } 236 }
251 else if (entry->dev_dir) { 237 else if (entry->dev_dir) {
252 if (strncmp(path, "/dev/", 5) == 0) { 238 if (strncmp(path, "/dev/", 5) != 0)
253 fname = path + 5; // strlen("/dev/")
254 if (*fname == '\0')
255 goto errexit;
256 }
257 else
258 // symlink pointing outside /dev, skip the mount 239 // symlink pointing outside /dev, skip the mount
259 return; 240 return;
260 241
242 fname = path + 5; // strlen("/dev/")
243
261 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_DEV_DIR, fname) == -1) 244 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_DEV_DIR, fname) == -1)
262 errExit("asprintf"); 245 errExit("asprintf");
263 } 246 }
264 else if (entry->opt_dir) { 247 else if (entry->opt_dir) {
265 fname = path + 5; // strlen("/opt/") 248 fname = path + 5; // strlen("/opt/")
266 if (*fname == '\0')
267 goto errexit;
268 249
269 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1) 250 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1)
270 errExit("asprintf"); 251 errExit("asprintf");
271 } 252 }
272 else if (entry->srv_dir) { 253 else if (entry->srv_dir) {
273 fname = path + 5; // strlen("/srv/") 254 fname = path + 5; // strlen("/srv/")
274 if (*fname == '\0')
275 goto errexit;
276 255
277 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SRV_DIR, fname) == -1) 256 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SRV_DIR, fname) == -1)
278 errExit("asprintf"); 257 errExit("asprintf");
279 } 258 }
280 else if (entry->etc_dir) { 259 else if (entry->etc_dir) {
281 if (strncmp(path, "/etc/", 5) == 0) { 260 if (strncmp(path, "/etc/", 5) != 0)
282 fname = path + 5; // strlen("/etc/")
283 if (*fname == '\0')
284 goto errexit;
285 }
286 else
287 // symlink pointing outside /etc, skip the mount 261 // symlink pointing outside /etc, skip the mount
288 return; 262 return;
289 263
264 fname = path + 5; // strlen("/etc/")
265
290 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_ETC_DIR, fname) == -1) 266 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_ETC_DIR, fname) == -1)
291 errExit("asprintf"); 267 errExit("asprintf");
292 } 268 }
293 else if (entry->share_dir) { 269 else if (entry->share_dir) {
294 fname = path + 11; // strlen("/usr/share/") 270 fname = path + 11; // strlen("/usr/share/")
295 if (*fname == '\0')
296 goto errexit;
297 271
298 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SHARE_DIR, fname) == -1) 272 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_SHARE_DIR, fname) == -1)
299 errExit("asprintf"); 273 errExit("asprintf");
300 } 274 }
301 else if (entry->module_dir) { 275 else if (entry->module_dir) {
302 fname = path + 12; // strlen("/sys/module/") 276 fname = path + 12; // strlen("/sys/module/")
303 if (*fname == '\0')
304 goto errexit;
305 277
306 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MODULE_DIR, fname) == -1) 278 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MODULE_DIR, fname) == -1)
307 errExit("asprintf"); 279 errExit("asprintf");
@@ -366,10 +338,6 @@ static void whitelist_path(ProfileEntry *entry) {
366 338
367 free(wfile); 339 free(wfile);
368 return; 340 return;
369
370errexit:
371 fprintf(stderr, "Error: file %s is not in the whitelisted directory\n", path);
372 exit(1);
373} 341}
374 342
375 343
@@ -934,14 +902,6 @@ void fs_whitelist(void) {
934 fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link); 902 fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link);
935 else if (arg_debug || arg_debug_whitelists) 903 else if (arg_debug || arg_debug_whitelists)
936 printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10); 904 printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10);
937
938 // check again for files in /tmp directory
939 if (strncmp(entry->link, "/tmp/", 5) == 0) {
940 char *path = realpath(entry->link, NULL);
941 if (path == NULL || strncmp(path, "/tmp/", 5) != 0)
942 errLogExit("invalid whitelist symlink %s\n", entry->link);
943 free(path);
944 }
945 } 905 }
946 } 906 }
947 907
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-03 20:44:31 +0000