blacklist multiple times fix

author: netblue30 <netblue30@yahoo.com> 2015-11-17 11:10:53 -0500
committer: netblue30 <netblue30@yahoo.com> 2015-11-17 11:10:53 -0500
commit: 7480755574eec2360d86c503066e808729982047 (patch)
tree: 7ac5283d16fbb4eac2c96981b26a9354631a9ebd /src
parent: allow mixing of whitelist and private (diff)
download: firejail-7480755574eec2360d86c503066e808729982047.tar.gz
firejail-7480755574eec2360d86c503066e808729982047.tar.zst
firejail-7480755574eec2360d86c503066e808729982047.zip
1 files changed, 11 insertions, 3 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 56aab8871..5cce383e2 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -157,13 +157,16 @@ typedef enum {
        OPERATION_MAX
 } OPERATION;
+typedef enum {
+        UNSUCCESSFUL,
+        SUCCESSFUL
+} LAST_DISABLE_OPERATION;
+LAST_DISABLE_OPERATION last_disable = UNSUCCESSFUL;
 static void disable_file(OPERATION op, const char *filename) {
        assert(filename);
        assert(op <OPERATION_MAX);
-        
+        last_disable = UNSUCCESSFUL;
        
        // rebuild /run/firejail directory in case tmpfs was mounted on top of /run
        fs_build_firejail_dir();
@@ -204,12 +207,14 @@ static void disable_file(OPERATION op, const char *filename) {
                                if (mount(RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
                                        errExit("disable file");
                        }
+                        last_disable = SUCCESSFUL;
                }
        }
        else if (op == MOUNT_READONLY) {
                if (arg_debug)
                        printf("Mounting read-only %s\n", fname);
                fs_rdonly(fname);
+// todo: last_disable = SUCCESSFUL;
        }
        else if (op == MOUNT_TMPFS) {
                if (S_ISDIR(s.st_mode)) {
@@ -221,6 +226,7 @@ static void disable_file(OPERATION op, const char *filename) {
                        /* coverity[toctou] */
                        if (chown(fname, s.st_uid, s.st_gid) == -1)
                                errExit("mounting tmpfs chmod");
+                        last_disable = SUCCESSFUL;
                }
                else
                        printf("Warning: %s is not a directory; cannot mount a tmpfs on top of it.\n", fname);
@@ -382,6 +388,8 @@ void fs_blacklist(void) {
                                        char newname[strlen(*path) + fname_len + 1];
                                        sprintf(newname, "%s%s", *path, fname);
                                        globbing(op, newname, (const char**)noblacklist, noblacklist_c);
+                                        if  (last_disable == SUCCESSFUL)
+                                                break;
                                }
                        }
                        else
author	netblue30 <netblue30@yahoo.com>	2015-11-17 11:10:53 -0500
committer	netblue30 <netblue30@yahoo.com>	2015-11-17 11:10:53 -0500
commit	7480755574eec2360d86c503066e808729982047 (patch)
tree	7ac5283d16fbb4eac2c96981b26a9354631a9ebd /src
parent	allow mixing of whitelist and private (diff)
download	firejail-7480755574eec2360d86c503066e808729982047.tar.gz firejail-7480755574eec2360d86c503066e808729982047.tar.zst firejail-7480755574eec2360d86c503066e808729982047.zip

diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 56aab8871..5cce383e2 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -157,13 +157,16 @@ typedef enum {
157	OPERATION_MAX	157	OPERATION_MAX
158	} OPERATION;	158	} OPERATION;
159		159
160		160	typedef enum {
161		161	UNSUCCESSFUL,
		162	SUCCESSFUL
		163	} LAST_DISABLE_OPERATION;
		164	LAST_DISABLE_OPERATION last_disable = UNSUCCESSFUL;
162		165
163	static void disable_file(OPERATION op, const char *filename) {	166	static void disable_file(OPERATION op, const char *filename) {
164	assert(filename);	167	assert(filename);
165	assert(op <OPERATION_MAX);	168	assert(op <OPERATION_MAX);
166		169	last_disable = UNSUCCESSFUL;
167		170
168	// rebuild /run/firejail directory in case tmpfs was mounted on top of /run	171	// rebuild /run/firejail directory in case tmpfs was mounted on top of /run
169	fs_build_firejail_dir();	172	fs_build_firejail_dir();
@@ -204,12 +207,14 @@ static void disable_file(OPERATION op, const char *filename) {
204	if (mount(RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)	207	if (mount(RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
205	errExit("disable file");	208	errExit("disable file");
206	}	209	}
		210	last_disable = SUCCESSFUL;
207	}	211	}
208	}	212	}
209	else if (op == MOUNT_READONLY) {	213	else if (op == MOUNT_READONLY) {
210	if (arg_debug)	214	if (arg_debug)
211	printf("Mounting read-only %s\n", fname);	215	printf("Mounting read-only %s\n", fname);
212	fs_rdonly(fname);	216	fs_rdonly(fname);
		217	// todo: last_disable = SUCCESSFUL;
213	}	218	}
214	else if (op == MOUNT_TMPFS) {	219	else if (op == MOUNT_TMPFS) {
215	if (S_ISDIR(s.st_mode)) {	220	if (S_ISDIR(s.st_mode)) {
@@ -221,6 +226,7 @@ static void disable_file(OPERATION op, const char *filename) {
221	/* coverity[toctou] */	226	/* coverity[toctou] */
222	if (chown(fname, s.st_uid, s.st_gid) == -1)	227	if (chown(fname, s.st_uid, s.st_gid) == -1)
223	errExit("mounting tmpfs chmod");	228	errExit("mounting tmpfs chmod");
		229	last_disable = SUCCESSFUL;
224	}	230	}
225	else	231	else
226	printf("Warning: %s is not a directory; cannot mount a tmpfs on top of it.\n", fname);	232	printf("Warning: %s is not a directory; cannot mount a tmpfs on top of it.\n", fname);
@@ -382,6 +388,8 @@ void fs_blacklist(void) {
382	char newname[strlen(*path) + fname_len + 1];	388	char newname[strlen(*path) + fname_len + 1];
383	sprintf(newname, "%s%s", *path, fname);	389	sprintf(newname, "%s%s", *path, fname);
384	globbing(op, newname, (const char**)noblacklist, noblacklist_c);	390	globbing(op, newname, (const char**)noblacklist, noblacklist_c);
		391	if (last_disable == SUCCESSFUL)
		392	break;
385	}	393	}
386	}	394	}
387	else	395	else