authorLibravatar netblue30 <netblue30@yahoo.com>2015-11-23 19:45:01 -0500
committerLibravatar netblue30 <netblue30@yahoo.com>2015-11-23 19:45:01 -0500
commitcf5e634e36c86f76518be29e625869b69b39796e (patch)
tree1719004bad2386d83a6243f258382346c7bf1266 /src
parenttodo (diff)
fixes
Diffstat (limited to 'src')
-rw-r--r--src/firejail/cgroup.c4
-rw-r--r--src/firejail/cpu.c6
-rw-r--r--src/firejail/firejail.h67
-rw-r--r--src/firejail/fs.c56
-rw-r--r--src/firejail/fs_bin.c12
-rw-r--r--src/firejail/fs_dev.c16
-rw-r--r--src/firejail/fs_etc.c12
-rw-r--r--src/firejail/fs_home.c14
-rw-r--r--src/firejail/fs_hostname.c30
-rw-r--r--src/firejail/fs_trace.c8
-rw-r--r--src/firejail/fs_whitelist.c78
-rw-r--r--src/firejail/join.c8
-rw-r--r--src/firejail/main.c2
-rw-r--r--src/firejail/protocol.c8
-rw-r--r--src/firejail/pulseaudio.c12
-rw-r--r--src/firejail/restrict_users.c24
-rw-r--r--src/firejail/sandbox.c4
-rw-r--r--src/firejail/seccomp.c8
18 files changed, 185 insertions, 184 deletions
diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c
index aab7be0fd..186fe04a8 100644
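--- a/src/firejail/cgroup.c
+++ b/src/firejail/cgroup.c
@@ -26,13 +26,13 @@ void save_cgroup(void) {
 if (cfg.cgroup == NULL)
 return;
 
-FILE *fp = fopen(CGROUP_CFG, "w");
+FILE *fp = fopen(RUN_CGROUP_CFG, "w");
 if (fp) {
 fprintf(fp, "%s", cfg.cgroup);
 fflush(0);
 if (fclose(fp))
 goto errout;
-if (chown(CGROUP_CFG, 0, 0) < 0)
+if (chown(RUN_CGROUP_CFG, 0, 0) < 0)
 errExit("chown");
 }
 else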
diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c
index 343bc8971..c7ef2f4b3 100644
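--- a/src/firejail/cpu.c
+++ b/src/firejail/cpu.c
@@ -73,13 +73,13 @@ void save_cpu(void) {
 if (cfg.cpus == 0)
 return;
 
-FILE *fp = fopen(CPU_CFG, "w");
+FILE *fp = fopen(RUN_CPU_CFG, "w");
 if (fp) {
 fprintf(fp, "%x\n", cfg.cpus);
 fclose(fp);
-if (chmod(CPU_CFG, 0600) < 0)
+if (chmod(RUN_CPU_CFG, 0600) < 0)
 errExit("chmod");
-if (chown(CPU_CFG, 0, 0) < 0)
+if (chown(RUN_CPU_CFG, 0, 0) < 0)
 errExit("chown");
 }
 else {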
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 9ba3b78ab..3ede58df6 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -22,39 +22,40 @@
22#include "../include/common.h" 22#include "../include/common.h"
23 23
24// filesystem 24// filesystem
25#define FIREJAIL_DIR "/run/firejail" 25#define RUN_FIREJAIL_DIR "/run/firejail"
26#define NETWORK_LOCK_FILE "/run/firejail/firejail.lock" 26#define RUN_NETWORK_LOCK_FILE "/run/firejail/firejail.lock"
27#define RO_DIR "/run/firejail/firejail.ro.dir" 27#define RUN_RO_DIR "/run/firejail/firejail.ro.dir"
28#define RO_FILE "/run/firejail/firejail.ro.file" 28#define RUN_RO_FILE "/run/firejail/firejail.ro.file"
29#define MNT_DIR "/run/firejail/mnt" // a tmpfs is mounted on this directory before any of the files below are created 29#define RUN_MNT_DIR "/run/firejail/mnt" // a tmpfs is mounted on this directory before any of the files below are created
30#define SECCOMP_CFG "/run/firejail/mnt/seccomp" 30#define RUN_SECCOMP_CFG "/run/firejail/mnt/seccomp"
31#define CGROUP_CFG "/run/firejail/mnt/cgroup" 31#define RUN_CGROUP_CFG "/run/firejail/mnt/cgroup"
32#define CPU_CFG "/run/firejail/mnt/cpu" 32#define RUN_CPU_CFG "/run/firejail/mnt/cpu"
33#define GROUPS_CFG "/run/firejail/mnt/groups" 33#define RUN_GROUPS_CFG "/run/firejail/mnt/groups"
34#define PROTOCOL_CFG "/run/firejail/mnt/protocol" 34#define RUN_PROTOCOL_CFG "/run/firejail/mnt/protocol"
35#define CP_COMMAND "/run/firejail/mnt/cp" 35#define RUN_CP_COMMAND "/run/firejail/mnt/cp"
36#define HOME_DIR "/run/firejail/mnt/home" 36#define RUN_HOME_DIR "/run/firejail/mnt/home"
37#define ETC_DIR "/run/firejail/mnt/etc" 37#define RUN_ETC_DIR "/run/firejail/mnt/etc"
38#define BIN_DIR "/run/firejail/mnt/bin" 38#define RUN_BIN_DIR "/run/firejail/mnt/bin"
39#define DRI_DIR "/run/firejail/mnt/dri" 39#define RUN_DRI_DIR "/run/firejail/mnt/dri"
40#define PULSE_DIR "/run/firejail/mnt/pulse" 40#define RUN_PULSE_DIR "/run/firejail/mnt/pulse"
41#define DEVLOG_FILE "/run/firejail/mnt/devlog" 41#define RUN_DEVLOG_FILE "/run/firejail/mnt/devlog"
42 42
43#define WHITELIST_HOME_DIR "/run/firejail/mnt/orig-home" // default home directory masking 43#define RUN_WHITELIST_HOME_DIR "/run/firejail/mnt/orig-home" // default home directory masking
44#define WHITELIST_HOME_USER_DIR "/run/firejail/mnt/orig-home-user" // home directory whitelisting 44#define RUN_WHITELIST_HOME_USER_DIR "/run/firejail/mnt/orig-home-user" // home directory whitelisting
45#define WHITELIST_TMP_DIR "/run/firejail/mnt/orig-tmp" 45#define RUN_WHITELIST_TMP_DIR "/run/firejail/mnt/orig-tmp"
46#define WHITELIST_MEDIA_DIR "/run/firejail/mnt/orig-media" 46#define RUN_WHITELIST_MEDIA_DIR "/run/firejail/mnt/orig-media"
47#define WHITELIST_VAR_DIR "/run/firejail/mnt/orig-var" 47#define RUN_WHITELIST_VAR_DIR "/run/firejail/mnt/orig-var"
48#define WHITELIST_DEV_DIR "/run/firejail/mnt/orig-dev" 48#define RUN_WHITELIST_DEV_DIR "/run/firejail/mnt/orig-dev"
49#define WHITELIST_OPT_DIR "/run/firejail/mnt/orig-opt" 49#define RUN_WHITELIST_OPT_DIR "/run/firejail/mnt/orig-opt"
50 50
51#define XAUTHORITY_FILE "/run/firejail/mnt/.Xauthority" 51#define RUN_XAUTHORITY_FILE "/run/firejail/mnt/.Xauthority"
52#define HOSTNAME_FILE "/run/firejail/mnt/hostname" 52#define RUN_HOSTNAME_FILE "/run/firejail/mnt/hostname"
53#define RESOLVCONF_FILE "/run/firejail/mnt/resolv.conf" 53#define RUN_HOSTS_FILE "/run/firejail/mnt/hosts"
54#define LDPRELOAD_FILE "/run/firejail/mnt/ld.so.preload" 54#define RUN_RESOLVCONF_FILE "/run/firejail/mnt/resolv.conf"
55#define UTMP_FILE "/run/firejail/mnt/utmp" 55#define RUN_LDPRELOAD_FILE "/run/firejail/mnt/ld.so.preload"
56#define PASSWD_FILE "/run/firejail/mnt/passwd" 56#define RUN_UTMP_FILE "/run/firejail/mnt/utmp"
57#define GROUP_FILE "/run/firejail/mnt/group" 57#define RUN_PASSWD_FILE "/run/firejail/mnt/passwd"
58#define RUN_GROUP_FILE "/run/firejail/mnt/group"
58 59
59// profiles 60// profiles
60#define DEFAULT_USER_PROFILE "generic" 61#define DEFAULT_USER_PROFILE "generic"
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 5ddbcec34..e442bc705 100644
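--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -30,12 +30,12 @@
 static void create_empty_dir(void) {
 struct stat s;
 
-if (stat(RO_DIR, &s)) {
+if (stat(RUN_RO_DIR, &s)) {
 /* coverity[toctou] */
-int rv = mkdir(RO_DIR, S_IRUSR | S_IXUSR);
+int rv = mkdir(RUN_RO_DIR, S_IRUSR | S_IXUSR);
 if (rv == -1)
 errExit("mkdir");
-if (chown(RO_DIR, 0, 0) < 0)
+if (chown(RUN_RO_DIR, 0, 0) < 0)
 errExit("chown");
 }
 }
@@ -43,15 +43,15 @@ static void create_empty_dir(void) {
 static void create_empty_file(void) {
 struct stat s;
 
-if (stat(RO_FILE, &s)) {
+if (stat(RUN_RO_FILE, &s)) {
 /* coverity[toctou] */
-FILE *fp = fopen(RO_FILE, "w");
+FILE *fp = fopen(RUN_RO_FILE, "w");
 if (!fp)
 errExit("fopen");
 fclose(fp);
-if (chown(RO_FILE, 0, 0) < 0)
+if (chown(RUN_RO_FILE, 0, 0) < 0)
 errExit("chown");
-if (chmod(RO_FILE, S_IRUSR) < 0)
+if (chmod(RUN_RO_FILE, S_IRUSR) < 0)
 errExit("chown");
 }
 }
@@ -60,21 +60,21 @@ static void create_empty_file(void) {
 void fs_build_firejail_dir(void) {
 struct stat s;
 
-if (stat(FIREJAIL_DIR, &s)) {
+if (stat(RUN_FIREJAIL_DIR, &s)) {
 if (arg_debug)
-printf("Creating %s directory\n", FIREJAIL_DIR);
+printf("Creating %s directory\n", RUN_FIREJAIL_DIR);
 /* coverity[toctou] */
-int rv = mkdir(FIREJAIL_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+int rv = mkdir(RUN_FIREJAIL_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
 if (rv == -1)
 errExit("mkdir");
-if (chown(FIREJAIL_DIR, 0, 0) < 0)
+if (chown(RUN_FIREJAIL_DIR, 0, 0) < 0)
 errExit("chown");
-if (chmod(FIREJAIL_DIR, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
+if (chmod(RUN_FIREJAIL_DIR, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
 errExit("chmod");
 }
 else { // check /tmp/firejail directory belongs to root end exit if doesn't!
 if (s.st_uid != 0 || s.st_gid != 0) {
-fprintf(stderr, "Error: non-root %s directory, exiting...\n", FIREJAIL_DIR);
+fprintf(stderr, "Error: non-root %s directory, exiting...\n", RUN_FIREJAIL_DIR);
 exit(1);
 }
 }
@@ -96,16 +96,16 @@ void fs_build_mnt_dir(void) {
 fs_build_firejail_dir();
 
 // create /run/firejail/mnt directory
-if (stat(MNT_DIR, &s)) {
+if (stat(RUN_MNT_DIR, &s)) {
 if (arg_debug)
-printf("Creating %s directory\n", MNT_DIR);
+printf("Creating %s directory\n", RUN_MNT_DIR);
 /* coverity[toctou] */
-int rv = mkdir(MNT_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+int rv = mkdir(RUN_MNT_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
 if (rv == -1)
 errExit("mkdir");
-if (chown(MNT_DIR, 0, 0) < 0)
+if (chown(RUN_MNT_DIR, 0, 0) < 0)
 errExit("chown");
-if (chmod(MNT_DIR, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
+if (chmod(RUN_MNT_DIR, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
 errExit("chmod");
 }
 
@@ -113,8 +113,8 @@ void fs_build_mnt_dir(void) {
 if (!tmpfs_mounted) {
 // mount tmpfs on top of /run/firejail/mnt
 if (arg_debug)
-printf("Mounting tmpfs on %s directory\n", MNT_DIR);
+printf("Mounting tmpfs on %s directory\n", RUN_MNT_DIR);
-if (mount("tmpfs", MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", RUN_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 errExit("mounting /tmp/firejail/mnt");
 tmpfs_mounted = 1;
 }
@@ -124,7 +124,7 @@ void fs_build_mnt_dir(void) {
 void fs_build_cp_command(void) {
 struct stat s;
 fs_build_mnt_dir();
-if (stat(CP_COMMAND, &s)) {
+if (stat(RUN_CP_COMMAND, &s)) {
 char* fname = realpath("/bin/cp", NULL);
 if (fname == NULL) {
 fprintf(stderr, "Error: /bin/cp not found\n");
@@ -134,13 +134,13 @@ void fs_build_cp_command(void) {
 fprintf(stderr, "Error: /bin/cp not found\n");
 exit(1);
 }
-int rv = copy_file(fname, CP_COMMAND);
+int rv = copy_file(fname, RUN_CP_COMMAND);
 if (rv) {
 fprintf(stderr, "Error: cannot access /bin/cp\n");
 exit(1);
 }
 /* coverity[toctou] */
-if (chmod(CP_COMMAND, 0755))
+if (chmod(RUN_CP_COMMAND, 0755))
 errExit("chmod");
 
 free(fname);
@@ -149,7 +149,7 @@ void fs_build_cp_command(void) {
 
 // delete the temporary cp command
 void fs_delete_cp_command(void) {
-unlink(CP_COMMAND);
+unlink(RUN_CP_COMMAND);
 }
 
 //***********************************************
@@ -205,11 +205,11 @@ static void disable_file(OPERATION op, const char *filename) {
 if (arg_debug)
 printf("Disable %s\n", fname);
 if (S_ISDIR(s.st_mode)) {
-if (mount(RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
 errExit("disable file");
 }
 else {
-if (mount(RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
 errExit("disable file");
 }
 last_disable = SUCCESSFUL;
@@ -649,7 +649,7 @@ void fs_overlayfs(void) {
 fs_build_mnt_dir();
 
 char *oroot;
-if(asprintf(&oroot, "%s/oroot", MNT_DIR) == -1)
+if(asprintf(&oroot, "%s/oroot", RUN_MNT_DIR) == -1)
 errExit("asprintf");
 if (mkdir(oroot, S_IRWXU | S_IRWXG | S_IRWXO))
 errExit("mkdir");
@@ -658,7 +658,7 @@ void fs_overlayfs(void) {
 if (chmod(oroot, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
 errExit("chmod");
 
-char *basedir = MNT_DIR;
+char *basedir = RUN_MNT_DIR;
 if (arg_overlay_keep) {
 // set base for working and diff directories
 basedir = cfg.overlay_dir;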
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index 0105716b2..38b9b06ca 100644
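--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -137,7 +137,7 @@ static void duplicate(char *fname) {
 char *actual_path = realpath(full_path, NULL);
 if (actual_path) {
 // copy the file
-if (asprintf(&cmd, "%s -a %s %s/%s", CP_COMMAND, actual_path, BIN_DIR, fname) == -1)
+if (asprintf(&cmd, "%s -a %s %s/%s", RUN_CP_COMMAND, actual_path, RUN_BIN_DIR, fname) == -1)
 errExit("asprintf");
 if (arg_debug)
 printf("%s\n", cmd);
@@ -168,12 +168,12 @@ void fs_private_bin_list(void) {
 
 // create /tmp/firejail/mnt/bin directory
 fs_build_mnt_dir();
-int rv = mkdir(BIN_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+int rv = mkdir(RUN_BIN_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
 if (rv == -1)
 errExit("mkdir");
-if (chown(BIN_DIR, 0, 0) < 0)
+if (chown(RUN_BIN_DIR, 0, 0) < 0)
 errExit("chown");
-if (chmod(BIN_DIR, 0755) < 0)
+if (chmod(RUN_BIN_DIR, 0755) < 0)
 errExit("chmod");
 
 // copy the list of files in the new etc directory
@@ -211,8 +211,8 @@ void fs_private_bin_list(void) {
 i = 0;
 while (paths[i]) {
 if (arg_debug)
-printf("Mount-bind %s on top of %s\n", BIN_DIR, paths[i]);
+printf("Mount-bind %s on top of %s\n", RUN_BIN_DIR, paths[i]);
-if (mount(BIN_DIR, paths[i], NULL, MS_BIND|MS_REC, NULL) < 0)
+if (mount(RUN_BIN_DIR, paths[i], NULL, MS_BIND|MS_REC, NULL) < 0)
 errExit("mount bind");
 i++;
 }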
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 469cf48ab..86e0918e1 100644
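--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -76,16 +76,16 @@ void fs_private_dev(void){
 fs_build_mnt_dir();
 if (have_dri) {
 /* coverity[toctou] */
-rv = mkdir(DRI_DIR, 0755);
+rv = mkdir(RUN_DRI_DIR, 0755);
 if (rv == -1)
 errExit("mkdir");
-if (chown(DRI_DIR, 0, 0) < 0)
+if (chown(RUN_DRI_DIR, 0, 0) < 0)
 errExit("chown");
-if (chmod(DRI_DIR, 0755) < 0)
+if (chmod(RUN_DRI_DIR, 0755) < 0)
 errExit("chmod");
 
 // keep a copy of /dev/dri under DRI_DIR
-if (mount("/dev/dri", DRI_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
+if (mount("/dev/dri", RUN_DRI_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
 errExit("mounting /dev/dri");
 }
 
@@ -93,13 +93,13 @@ void fs_private_dev(void){
 int have_devlog = 0;
 if (stat("/dev/log", &s) == 0) {
 have_devlog = 1;
-FILE *fp = fopen(DEVLOG_FILE, "w");
+FILE *fp = fopen(RUN_DEVLOG_FILE, "w");
 if (!fp)
 have_devlog = 0;
 else {
 fprintf(fp, "\n");
 fclose(fp);
-if (mount("/dev/log", DEVLOG_FILE, NULL, MS_BIND|MS_REC, NULL) < 0)
+if (mount("/dev/log", RUN_DEVLOG_FILE, NULL, MS_BIND|MS_REC, NULL) < 0)
 errExit("mounting /dev/log");
 }
 }
@@ -114,7 +114,7 @@ void fs_private_dev(void){
 if (fp) {
 fprintf(fp, "\n");
 fclose(fp);
-if (mount(DEVLOG_FILE, "/dev/log", NULL, MS_BIND|MS_REC, NULL) < 0)
+if (mount(RUN_DEVLOG_FILE, "/dev/log", NULL, MS_BIND|MS_REC, NULL) < 0)
 errExit("mounting /dev/log");
 }
 }
@@ -129,7 +129,7 @@ void fs_private_dev(void){
 errExit("chown");
 if (chmod("/dev/dri",0755) < 0)
 errExit("chmod");
-if (mount(DRI_DIR, "/dev/dri", NULL, MS_BIND|MS_REC, NULL) < 0)
+if (mount(RUN_DRI_DIR, "/dev/dri", NULL, MS_BIND|MS_REC, NULL) < 0)
 errExit("mounting /dev/dri");
 }
 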
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index f9088f1ba..28e337abc 100644
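--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -76,7 +76,7 @@ static void duplicate(char *fname) {
 char *cmd;
 
 // copy the file - this code assumes ETC_DIR is actually MNT_DIR/etc
-if (asprintf(&cmd, "%s -a --parents /etc/%s %s", CP_COMMAND, fname, MNT_DIR) == -1)
+if (asprintf(&cmd, "%s -a --parents /etc/%s %s", RUN_CP_COMMAND, fname, RUN_MNT_DIR) == -1)
 errExit("asprintf");
 if (arg_debug)
 printf("%s\n", cmd);
@@ -98,12 +98,12 @@ void fs_private_etc_list(void) {
 
 // create /tmp/firejail/mnt/etc directory
 fs_build_mnt_dir();
-int rv = mkdir(ETC_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+int rv = mkdir(RUN_ETC_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
 if (rv == -1)
 errExit("mkdir");
-if (chown(ETC_DIR, 0, 0) < 0)
+if (chown(RUN_ETC_DIR, 0, 0) < 0)
 errExit("chown");
-if (chmod(ETC_DIR, 0755) < 0)
+if (chmod(RUN_ETC_DIR, 0755) < 0)
 errExit("chmod");
 
 // copy the list of files in the new etc directory
@@ -138,8 +138,8 @@ void fs_private_etc_list(void) {
 waitpid(child, NULL, 0);
 
 if (arg_debug)
-printf("Mount-bind %s on top of /etc\n", ETC_DIR);
+printf("Mount-bind %s on top of /etc\n", RUN_ETC_DIR);
-if (mount(ETC_DIR, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0)
+if (mount(RUN_ETC_DIR, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0)
 errExit("mount bind");
 
 }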
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 63c03a8db..23f036bd7 100644
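--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -113,7 +113,7 @@ static int store_xauthority(void) {
 fs_build_mnt_dir();
 
 char *src;
-char *dest = XAUTHORITY_FILE;
+char *dest = RUN_XAUTHORITY_FILE;
 if (asprintf(&src, "%s/.Xauthority", cfg.homedir) == -1)
 errExit("asprintf");
 
@@ -132,7 +132,7 @@ static int store_xauthority(void) {
 
 static void copy_xauthority(void) {
 // copy XAUTHORITY_FILE in the new home directory
-char *src = XAUTHORITY_FILE ;
+char *src = RUN_XAUTHORITY_FILE ;
 char *dest;
 if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
 errExit("asprintf");
@@ -370,7 +370,7 @@ static void duplicate(char *name) {
 }
 
 // copy the file
-if (asprintf(&cmd, "%s -a --parents \"%s\" %s", CP_COMMAND, fname, HOME_DIR) == -1)
+if (asprintf(&cmd, "%s -a --parents \"%s\" %s", RUN_CP_COMMAND, fname, RUN_HOME_DIR) == -1)
 errExit("asprintf");
 if (arg_debug)
 printf("%s\n", cmd);
@@ -405,12 +405,12 @@ void fs_private_home_list(void) {
 
 // create /tmp/firejail/mnt/home directory
 fs_build_mnt_dir();
-int rv = mkdir(HOME_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+int rv = mkdir(RUN_HOME_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
 if (rv == -1)
 errExit("mkdir");
-if (chown(HOME_DIR, u, g) < 0)
+if (chown(RUN_HOME_DIR, u, g) < 0)
 errExit("chown");
-if (chmod(HOME_DIR, 0755) < 0)
+if (chmod(RUN_HOME_DIR, 0755) < 0)
 errExit("chmod");
 
 // copy the list of files in the new home directory
@@ -448,7 +448,7 @@ void fs_private_home_list(void) {
 
 // mount bind private_homedir on top of homedir
 char *newhome;
-if (asprintf(&newhome, "%s%s", HOME_DIR, cfg.homedir) == -1)
+if (asprintf(&newhome, "%s%s", RUN_HOME_DIR, cfg.homedir) == -1)
 errExit("asprintf");
 
 if (arg_debug)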
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
index 5a79526b6..eb3861d1b 100644
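--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -34,22 +34,22 @@ void fs_hostname(const char *hostname) {
 if (arg_debug)
 printf("Creating a new /etc/hostname file\n");
 
-FILE *fp = fopen(HOSTNAME_FILE, "w");
+FILE *fp = fopen(RUN_HOSTNAME_FILE, "w");
 if (!fp) {
-fprintf(stderr, "Error: cannot create %s\n", HOSTNAME_FILE);
+fprintf(stderr, "Error: cannot create %s\n", RUN_HOSTNAME_FILE);
 exit(1);
 }
 fprintf(fp, "%s\n", hostname);
 fclose(fp);
 
 // mode and owner
-if (chown(HOSTNAME_FILE, 0, 0) < 0)
+if (chown(RUN_HOSTNAME_FILE, 0, 0) < 0)
 errExit("chown");
-if (chmod(HOSTNAME_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
+if (chmod(RUN_HOSTNAME_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
 errExit("chmod");
 
 // bind-mount the file on top of /etc/hostname
-if (mount(HOSTNAME_FILE, "/etc/hostname", NULL, MS_BIND|MS_REC, NULL) < 0)
+if (mount(RUN_HOSTNAME_FILE, "/etc/hostname", NULL, MS_BIND|MS_REC, NULL) < 0)
 errExit("mount bind /etc/hostname");
 }
 
@@ -64,9 +64,9 @@ void fs_hostname(const char *hostname) {
 fprintf(stderr, "Error: cannot open /etc/hosts\n");
 exit(1);
 }
-FILE *fp2 = fopen(HOSTNAME_FILE, "w");
+FILE *fp2 = fopen(RUN_HOSTS_FILE, "w");
 if (!fp2) {
-fprintf(stderr, "Error: cannot create %s\n", HOSTNAME_FILE);
+fprintf(stderr, "Error: cannot create %s\n", RUN_HOSTS_FILE);
 exit(1);
 }
 
@@ -90,13 +90,13 @@ void fs_hostname(const char *hostname) {
 fclose(fp2);
 
 // mode and owner
-if (chown(HOSTNAME_FILE, 0, 0) < 0)
+if (chown(RUN_HOSTS_FILE, 0, 0) < 0)
 errExit("chown");
-if (chmod(HOSTNAME_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
+if (chmod(RUN_HOSTS_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
 errExit("chmod");
 
 // bind-mount the file on top of /etc/hostname
-if (mount(HOSTNAME_FILE, "/etc/hosts", NULL, MS_BIND|MS_REC, NULL) < 0)
+if (mount(RUN_HOSTS_FILE, "/etc/hosts", NULL, MS_BIND|MS_REC, NULL) < 0)
 errExit("mount bind /etc/hosts");
 }
 }
@@ -112,9 +112,9 @@ void fs_resolvconf(void) {
 if (stat("/etc/resolv.conf", &s) == 0) {
 if (arg_debug)
 printf("Creating a new /etc/resolv.conf file\n");
-FILE *fp = fopen(RESOLVCONF_FILE, "w");
+FILE *fp = fopen(RUN_RESOLVCONF_FILE, "w");
 if (!fp) {
-fprintf(stderr, "Error: cannot create %s\n", RESOLVCONF_FILE);
+fprintf(stderr, "Error: cannot create %s\n", RUN_RESOLVCONF_FILE);
 exit(1);
 }
 
@@ -127,13 +127,13 @@ void fs_resolvconf(void) {
 fclose(fp);
 
 // mode and owner
-if (chown(RESOLVCONF_FILE, 0, 0) < 0)
+if (chown(RUN_RESOLVCONF_FILE, 0, 0) < 0)
 errExit("chown");
-if (chmod(RESOLVCONF_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
+if (chmod(RUN_RESOLVCONF_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
 errExit("chmod");
 
 // bind-mount the file on top of /etc/hostname
-if (mount(RESOLVCONF_FILE, "/etc/resolv.conf", NULL, MS_BIND|MS_REC, NULL) < 0)
+if (mount(RUN_RESOLVCONF_FILE, "/etc/resolv.conf", NULL, MS_BIND|MS_REC, NULL) < 0)
 errExit("mount bind /etc/resolv.conf");
 }
 else {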
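Review bot: The generated files are bind-mounted without any check that their contents were written: `fclose(fp)` after the hostname write, `fclose(fp2)` after the hosts copy and `fclose(fp)` in fs_resolvconf all have their return values ignored, so a failed or short write on the tmpfs would leave an empty or truncated file mounted over /etc/hostname, /etc/hosts or /etc/resolv.conf inside the sandbox. save_cgroup() in cgroup.c already tests the result of `fclose`; the same pattern fits here, e.g. `if (fclose(fp2)) errExit("fclose");`. The comments above the /etc/hosts and /etc/resolv.conf mounts still read `// bind-mount the file on top of /etc/hostname` and should name the file that is actually mounted. fs_hostname begins and fs_resolvconf both begins and ends outside the visible hunks, so any checks made there cannot be seen from this page.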
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c
index 2b0f52a98..f4f5d3e81 100644
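--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -53,20 +53,20 @@ void fs_trace(void) {
 if (arg_debug)
 printf("Create the new ld.so.preload file\n");
 
-FILE *fp = fopen(LDPRELOAD_FILE, "w");
+FILE *fp = fopen(RUN_LDPRELOAD_FILE, "w");
 if (!fp)
 errExit("fopen");
 fprintf(fp, "%s/firejail/libtrace.so\n", LIBDIR);
 fclose(fp);
-if (chown(LDPRELOAD_FILE, 0, 0) < 0)
+if (chown(RUN_LDPRELOAD_FILE, 0, 0) < 0)
 errExit("chown");
-if (chmod(LDPRELOAD_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
+if (chmod(RUN_LDPRELOAD_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0)
 errExit("chmod");
 
 // mount the new preload file
 if (arg_debug)
 printf("Mount the new ld.so.preload file\n");
-if (mount(LDPRELOAD_FILE, "/etc/ld.so.preload", NULL, MS_BIND|MS_REC, NULL) < 0)
+if (mount(RUN_LDPRELOAD_FILE, "/etc/ld.so.preload", NULL, MS_BIND|MS_REC, NULL) < 0)
 errExit("mount bind ls.so.preload");
 }
 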
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 9016e3923..a38539078 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -83,7 +83,7 @@ static void whitelist_path(ProfileEntry *entry) {
83 exit(1); 83 exit(1);
84 } 84 }
85 85
86 if (asprintf(&wfile, "%s/%s", WHITELIST_HOME_USER_DIR, fname) == -1) 86 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1)
87 errExit("asprintf"); 87 errExit("asprintf");
88 } 88 }
89 else if (entry->tmp_dir) { 89 else if (entry->tmp_dir) {
@@ -93,7 +93,7 @@ static void whitelist_path(ProfileEntry *entry) {
93 exit(1); 93 exit(1);
94 } 94 }
95 95
96 if (asprintf(&wfile, "%s/%s", WHITELIST_TMP_DIR, fname) == -1) 96 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_TMP_DIR, fname) == -1)
97 errExit("asprintf"); 97 errExit("asprintf");
98 } 98 }
99 else if (entry->media_dir) { 99 else if (entry->media_dir) {
@@ -103,7 +103,7 @@ static void whitelist_path(ProfileEntry *entry) {
103 exit(1); 103 exit(1);
104 } 104 }
105 105
106 if (asprintf(&wfile, "%s/%s", WHITELIST_MEDIA_DIR, fname) == -1) 106 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MEDIA_DIR, fname) == -1)
107 errExit("asprintf"); 107 errExit("asprintf");
108 } 108 }
109 else if (entry->var_dir) { 109 else if (entry->var_dir) {
@@ -113,7 +113,7 @@ static void whitelist_path(ProfileEntry *entry) {
113 exit(1); 113 exit(1);
114 } 114 }
115 115
116 if (asprintf(&wfile, "%s/%s", WHITELIST_VAR_DIR, fname) == -1) 116 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_VAR_DIR, fname) == -1)
117 errExit("asprintf"); 117 errExit("asprintf");
118 } 118 }
119 else if (entry->dev_dir) { 119 else if (entry->dev_dir) {
@@ -123,7 +123,7 @@ static void whitelist_path(ProfileEntry *entry) {
123 exit(1); 123 exit(1);
124 } 124 }
125 125
126 if (asprintf(&wfile, "%s/%s", WHITELIST_DEV_DIR, fname) == -1) 126 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_DEV_DIR, fname) == -1)
127 errExit("asprintf"); 127 errExit("asprintf");
128 } 128 }
129 else if (entry->opt_dir) { 129 else if (entry->opt_dir) {
@@ -133,7 +133,7 @@ static void whitelist_path(ProfileEntry *entry) {
133 exit(1); 133 exit(1);
134 } 134 }
135 135
136 if (asprintf(&wfile, "%s/%s", WHITELIST_OPT_DIR, fname) == -1) 136 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1)
137 errExit("asprintf"); 137 errExit("asprintf");
138 } 138 }
139 139
@@ -315,16 +315,16 @@ void fs_whitelist(void) {
315 315
316 // /home/user 316 // /home/user
317 if (home_dir) { 317 if (home_dir) {
318 // keep a copy of real home dir in WHITELIST_HOME_USER_DIR 318 // keep a copy of real home dir in RUN_WHITELIST_HOME_USER_DIR
319 int rv = mkdir(WHITELIST_HOME_USER_DIR, S_IRWXU | S_IRWXG | S_IRWXO); 319 int rv = mkdir(RUN_WHITELIST_HOME_USER_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
320 if (rv == -1) 320 if (rv == -1)
321 errExit("mkdir"); 321 errExit("mkdir");
322 if (chown(WHITELIST_HOME_USER_DIR, getuid(), getgid()) < 0) 322 if (chown(RUN_WHITELIST_HOME_USER_DIR, getuid(), getgid()) < 0)
323 errExit("chown"); 323 errExit("chown");
324 if (chmod(WHITELIST_HOME_USER_DIR, 0755) < 0) 324 if (chmod(RUN_WHITELIST_HOME_USER_DIR, 0755) < 0)
325 errExit("chmod"); 325 errExit("chmod");
326 326
327 if (mount(cfg.homedir, WHITELIST_HOME_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) 327 if (mount(cfg.homedir, RUN_WHITELIST_HOME_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
328 errExit("mount bind"); 328 errExit("mount bind");
329 329
330 // mount a tmpfs and initialize /home/user 330 // mount a tmpfs and initialize /home/user
@@ -334,15 +334,15 @@ void fs_whitelist(void) {
334 // /tmp mountpoint 334 // /tmp mountpoint
335 if (tmp_dir) { 335 if (tmp_dir) {
336 // keep a copy of real /tmp directory in WHITELIST_TMP_DIR 336 // keep a copy of real /tmp directory in WHITELIST_TMP_DIR
337 int rv = mkdir(WHITELIST_TMP_DIR, S_IRWXU | S_IRWXG | S_IRWXO); 337 int rv = mkdir(RUN_WHITELIST_TMP_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
338 if (rv == -1) 338 if (rv == -1)
339 errExit("mkdir"); 339 errExit("mkdir");
340 if (chown(WHITELIST_TMP_DIR, 0, 0) < 0) 340 if (chown(RUN_WHITELIST_TMP_DIR, 0, 0) < 0)
341 errExit("chown"); 341 errExit("chown");
342 if (chmod(WHITELIST_TMP_DIR, 0777) < 0) 342 if (chmod(RUN_WHITELIST_TMP_DIR, 0777) < 0)
343 errExit("chmod"); 343 errExit("chmod");
344 344
345 if (mount("/tmp", WHITELIST_TMP_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) 345 if (mount("/tmp", RUN_WHITELIST_TMP_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
346 errExit("mount bind"); 346 errExit("mount bind");
347 347
348 // mount tmpfs on /tmp 348 // mount tmpfs on /tmp
@@ -354,16 +354,16 @@ void fs_whitelist(void) {
354 354
355 // /media mountpoint 355 // /media mountpoint
356 if (media_dir) { 356 if (media_dir) {
357 // keep a copy of real /media directory in WHITELIST_MEDIA_DIR 357 // keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR
358 int rv = mkdir(WHITELIST_MEDIA_DIR, S_IRWXU | S_IRWXG | S_IRWXO); 358 int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
359 if (rv == -1) 359 if (rv == -1)
360 errExit("mkdir"); 360 errExit("mkdir");
361 if (chown(WHITELIST_MEDIA_DIR, 0, 0) < 0) 361 if (chown(RUN_WHITELIST_MEDIA_DIR, 0, 0) < 0)
362 errExit("chown"); 362 errExit("chown");
363 if (chmod(WHITELIST_MEDIA_DIR, 0755) < 0) 363 if (chmod(RUN_WHITELIST_MEDIA_DIR, 0755) < 0)
364 errExit("chmod"); 364 errExit("chmod");
365 365
366 if (mount("/media", WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) 366 if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
367 errExit("mount bind"); 367 errExit("mount bind");
368 368
369 // mount tmpfs on /media 369 // mount tmpfs on /media
@@ -375,16 +375,16 @@ void fs_whitelist(void) {
375 375
376 // /media mountpoint 376 // /media mountpoint
377 if (var_dir) { 377 if (var_dir) {
378 // keep a copy of real /var directory in WHITELIST_VAR_DIR 378 // keep a copy of real /var directory in RUN_WHITELIST_VAR_DIR
379 int rv = mkdir(WHITELIST_VAR_DIR, S_IRWXU | S_IRWXG | S_IRWXO); 379 int rv = mkdir(RUN_WHITELIST_VAR_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
380 if (rv == -1) 380 if (rv == -1)
381 errExit("mkdir"); 381 errExit("mkdir");
382 if (chown(WHITELIST_VAR_DIR, 0, 0) < 0) 382 if (chown(RUN_WHITELIST_VAR_DIR, 0, 0) < 0)
383 errExit("chown"); 383 errExit("chown");
384 if (chmod(WHITELIST_VAR_DIR, 0755) < 0) 384 if (chmod(RUN_WHITELIST_VAR_DIR, 0755) < 0)
385 errExit("chmod"); 385 errExit("chmod");
386 386
387 if (mount("/var", WHITELIST_VAR_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) 387 if (mount("/var", RUN_WHITELIST_VAR_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
388 errExit("mount bind"); 388 errExit("mount bind");
389 389
390 // mount tmpfs on /var 390 // mount tmpfs on /var
@@ -396,16 +396,16 @@ void fs_whitelist(void) {
396 396
397 // /dev mountpoint 397 // /dev mountpoint
398 if (dev_dir) { 398 if (dev_dir) {
399 // keep a copy of real /dev directory in WHITELIST_DEV_DIR 399 // keep a copy of real /dev directory in RUN_WHITELIST_DEV_DIR
400 int rv = mkdir(WHITELIST_DEV_DIR, S_IRWXU | S_IRWXG | S_IRWXO); 400 int rv = mkdir(RUN_WHITELIST_DEV_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
401 if (rv == -1) 401 if (rv == -1)
402 errExit("mkdir"); 402 errExit("mkdir");
403 if (chown(WHITELIST_DEV_DIR, 0, 0) < 0) 403 if (chown(RUN_WHITELIST_DEV_DIR, 0, 0) < 0)
404 errExit("chown"); 404 errExit("chown");
405 if (chmod(WHITELIST_DEV_DIR, 0755) < 0) 405 if (chmod(RUN_WHITELIST_DEV_DIR, 0755) < 0)
406 errExit("chmod"); 406 errExit("chmod");
407 407
408 if (mount("/dev", WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) 408 if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
409 errExit("mount bind"); 409 errExit("mount bind");
410 410
411 // mount tmpfs on /dev 411 // mount tmpfs on /dev
@@ -417,16 +417,16 @@ void fs_whitelist(void) {
417 417
418 // /opt mountpoint 418 // /opt mountpoint
419 if (opt_dir) { 419 if (opt_dir) {
420 // keep a copy of real /opt directory in WHITELIST_DEV_DIR 420 // keep a copy of real /opt directory in RUN_WHITELIST_DEV_DIR
421 int rv = mkdir(WHITELIST_OPT_DIR, S_IRWXU | S_IRWXG | S_IRWXO); 421 int rv = mkdir(RUN_WHITELIST_OPT_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
422 if (rv == -1) 422 if (rv == -1)
423 errExit("mkdir"); 423 errExit("mkdir");
424 if (chown(WHITELIST_OPT_DIR, 0, 0) < 0) 424 if (chown(RUN_WHITELIST_OPT_DIR, 0, 0) < 0)
425 errExit("chown"); 425 errExit("chown");
426 if (chmod(WHITELIST_OPT_DIR, 0755) < 0) 426 if (chmod(RUN_WHITELIST_OPT_DIR, 0755) < 0)
427 errExit("chmod"); 427 errExit("chmod");
428 428
429 if (mount("/opt", WHITELIST_OPT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) 429 if (mount("/opt", RUN_WHITELIST_OPT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
430 errExit("mount bind"); 430 errExit("mount bind");
431 431
432 // mount tmpfs on /opt 432 // mount tmpfs on /opt
@@ -468,15 +468,15 @@ void fs_whitelist(void) {
468 entry = entry->next; 468 entry = entry->next;
469 } 469 }
470 470
471 // mask the real home directory, currently mounted on WHITELIST_HOME_DIR 471 // mask the real home directory, currently mounted on RUN_WHITELIST_HOME_DIR
472 if (home_dir) { 472 if (home_dir) {
473 if (mount("tmpfs", WHITELIST_HOME_USER_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) 473 if (mount("tmpfs", RUN_WHITELIST_HOME_USER_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
474 errExit("mount tmpfs"); 474 errExit("mount tmpfs");
475 } 475 }
476 476
477 // mask the real /tmp directory, currently mounted on WHITELIST_TMP_DIR 477 // mask the real /tmp directory, currently mounted on RUN_WHITELIST_TMP_DIR
478 if (tmp_dir) { 478 if (tmp_dir) {
479 if (mount("tmpfs", WHITELIST_TMP_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) 479 if (mount("tmpfs", RUN_WHITELIST_TMP_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
480 errExit("mount tmpfs"); 480 errExit("mount tmpfs");
481 } 481 }
482 482
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 64e092197..8b3c196c7 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -69,7 +69,7 @@ static void extract_command(int argc, char **argv, int index) {
69 69
70static void extract_nogroups(pid_t pid) { 70static void extract_nogroups(pid_t pid) {
71 char *fname; 71 char *fname;
72 if (asprintf(&fname, "/proc/%d/root%s", pid, GROUPS_CFG) == -1) 72 if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_GROUPS_CFG) == -1)
73 errExit("asprintf"); 73 errExit("asprintf");
74 74
75 struct stat s; 75 struct stat s;
@@ -82,7 +82,7 @@ static void extract_nogroups(pid_t pid) {
82 82
83static void extract_cpu(pid_t pid) { 83static void extract_cpu(pid_t pid) {
84 char *fname; 84 char *fname;
85 if (asprintf(&fname, "/proc/%d/root%s", pid, CPU_CFG) == -1) 85 if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_CPU_CFG) == -1)
86 errExit("asprintf"); 86 errExit("asprintf");
87 87
88 struct stat s; 88 struct stat s;
@@ -96,7 +96,7 @@ static void extract_cpu(pid_t pid) {
96 96
97static void extract_cgroup(pid_t pid) { 97static void extract_cgroup(pid_t pid) {
98 char *fname; 98 char *fname;
99 if (asprintf(&fname, "/proc/%d/root%s", pid, CGROUP_CFG) == -1) 99 if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_CGROUP_CFG) == -1)
100 errExit("asprintf"); 100 errExit("asprintf");
101 101
102 struct stat s; 102 struct stat s;
@@ -281,7 +281,7 @@ void join(pid_t pid, const char *homedir, int argc, char **argv, int index) {
281 caps_set(caps); 281 caps_set(caps);
282#ifdef HAVE_SECCOMP 282#ifdef HAVE_SECCOMP
283 // set protocol filter 283 // set protocol filter
284 protocol_filter_load(PROTOCOL_CFG); 284 protocol_filter_load(RUN_PROTOCOL_CFG);
285 if (cfg.protocol) { 285 if (cfg.protocol) {
286 protocol_filter(); 286 protocol_filter();
287 } 287 }
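Review bot: `extract_nogroups`, `extract_cpu` and `extract_cgroup` build their path as `/proc/%d/root%s`, so the file they test lives in the target sandbox's filesystem view, and nothing in these hunks says who may create or change it there. The function bodies continue outside the hunks, so a check may already exist. If it does not, the `struct stat s` result should be accepted only when `s.st_uid == 0 && S_ISREG(s.st_mode)` holds. A comment above each function, such as `// RUN_*_CFG is written by firejail as root; anything else found at this path is ignored`, would record that assumption for the next reader.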
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 1495d7516..891653587 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1263,7 +1263,7 @@ int main(int argc, char **argv) {
1263 1263
1264 // check and assign an IP address - for macvlan it will be done again in the sandbox! 1264 // check and assign an IP address - for macvlan it will be done again in the sandbox!
1265 if (any_bridge_configured()) { 1265 if (any_bridge_configured()) {
1266 lockfd = open(NETWORK_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR); 1266 lockfd = open(RUN_NETWORK_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);
1267 if (lockfd != -1) { 1267 if (lockfd != -1) {
1268 int rv = fchown(lockfd, 0, 0); 1268 int rv = fchown(lockfd, 0, 0);
1269 (void) rv; 1269 (void) rv;
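Review bot: The `open(RUN_NETWORK_LOCK_FILE, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR)` call in `main` follows a symlink at the lock path, and the `fchown(lockfd, 0, 0)` result is then discarded with `(void) rv;`. Whether an unprivileged user can write to the directory behind the renamed macro is not visible here (the macro is defined in firejail.h), so this is a hardening point rather than a confirmed defect: `lockfd = open(RUN_NETWORK_LOCK_FILE, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, S_IRUSR | S_IWUSR);`. A failed open is also skipped silently by `if (lockfd != -1)`, which presumably lets the address assignment run without the lock; a warning on that path would make it visible. The block continues outside the hunk.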
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c
index 8ee5fd3b8..b5d50b4fc 100644
--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -261,16 +261,16 @@ void protocol_filter_save(void) {
261 // save protocol filter configuration in PROTOCOL_CFG 261 // save protocol filter configuration in PROTOCOL_CFG
262 fs_build_mnt_dir(); 262 fs_build_mnt_dir();
263 263
264 FILE *fp = fopen(PROTOCOL_CFG, "w"); 264 FILE *fp = fopen(RUN_PROTOCOL_CFG, "w");
265 if (!fp) 265 if (!fp)
266 errExit("fopen"); 266 errExit("fopen");
267 fprintf(fp, "%s\n", cfg.protocol); 267 fprintf(fp, "%s\n", cfg.protocol);
268 fclose(fp); 268 fclose(fp);
269 269
270 if (chmod(PROTOCOL_CFG, 0600) < 0) 270 if (chmod(RUN_PROTOCOL_CFG, 0600) < 0)
271 errExit("chmod"); 271 errExit("chmod");
272 272
273 if (chown(PROTOCOL_CFG, 0, 0) < 0) 273 if (chown(RUN_PROTOCOL_CFG, 0, 0) < 0)
274 errExit("chown"); 274 errExit("chown");
275 275
276} 276}
@@ -354,7 +354,7 @@ void protocol_print_filter(pid_t pid) {
354 354
355 // find the seccomp filter 355 // find the seccomp filter
356 char *fname; 356 char *fname;
357 if (asprintf(&fname, "/proc/%d/root%s", pid, PROTOCOL_CFG) == -1) 357 if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_PROTOCOL_CFG) == -1)
358 errExit("asprintf"); 358 errExit("asprintf");
359 359
360 struct stat s; 360 struct stat s;
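Review bot: In `protocol_filter_save` the file is created by `fopen(RUN_PROTOCOL_CFG, "w")` with umask-dependent permissions and only restricted afterwards by path-based `chmod`/`chown`, and neither `fprintf` nor `fclose` is checked, so a short write would leave a truncated protocol list for `protocol_filter_load` to read later. Creating the file with its final mode and working on the descriptor closes the window between creation and `chmod` and resolves the path once instead of three times. The same create-then-`chown`-by-path pattern appears in `save_nogroups` (sandbox.c), `write_seccomp_file` (seccomp.c) and the `RUN_PASSWD_FILE`/`RUN_GROUP_FILE` writers (restrict_users.c). The comment at the top of the hunk still names `PROTOCOL_CFG` and should read `// save protocol filter configuration in RUN_PROTOCOL_CFG`.

```c
	// … unchanged: fs_build_mnt_dir() …
	int fd = open(RUN_PROTOCOL_CFG, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, S_IRUSR | S_IWUSR);
	if (fd == -1)
		errExit("open");
	// an existing file keeps its old mode and owner, so set both on the descriptor
	if (fchmod(fd, 0600) < 0)
		errExit("fchmod");
	if (fchown(fd, 0, 0) < 0)
		errExit("fchown");

	FILE *fp = fdopen(fd, "w");
	if (!fp)
		errExit("fdopen");
	if (fprintf(fp, "%s\n", cfg.protocol) < 0)
		errExit("fprintf");
	if (fclose(fp) != 0)
		errExit("fclose");
```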
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index 0e1edea14..6ead5799c 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -38,11 +38,11 @@ static void disable_file(const char *path, const char *file) {
38 printf("Disable%s\n", fname); 38 printf("Disable%s\n", fname);
39 39
40 if (S_ISDIR(s.st_mode)) { 40 if (S_ISDIR(s.st_mode)) {
41 if (mount(RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0) 41 if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
42 errExit("disable file"); 42 errExit("disable file");
43 } 43 }
44 else { 44 else {
45 if (mount(RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0) 45 if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
46 errExit("disable file"); 46 errExit("disable file");
47 } 47 }
48 48
@@ -92,16 +92,16 @@ void pulseaudio_init(void) {
92 92
93 // create the new user pulseaudio directory 93 // create the new user pulseaudio directory
94 fs_build_mnt_dir(); 94 fs_build_mnt_dir();
95 int rv = mkdir(PULSE_DIR, S_IRWXU | S_IRWXG | S_IRWXO); 95 int rv = mkdir(RUN_PULSE_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
96 (void) rv; // in --chroot mode the directory canalready be there 96 (void) rv; // in --chroot mode the directory canalready be there
97 if (chown(PULSE_DIR, getuid(), getgid()) < 0) 97 if (chown(RUN_PULSE_DIR, getuid(), getgid()) < 0)
98 errExit("chown"); 98 errExit("chown");
99 if (chmod(PULSE_DIR, 0700) < 0) 99 if (chmod(RUN_PULSE_DIR, 0700) < 0)
100 errExit("chmod"); 100 errExit("chmod");
101 101
102 // create the new client.conf file 102 // create the new client.conf file
103 char *pulsecfg = NULL; 103 char *pulsecfg = NULL;
104 if (asprintf(&pulsecfg, "%s/client.conf", PULSE_DIR) == -1) 104 if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1)
105 errExit("asprintf"); 105 errExit("asprintf");
106 if (copy_file("/etc/pulse/client.conf", pulsecfg)) 106 if (copy_file("/etc/pulse/client.conf", pulsecfg))
107 errExit("copy_file"); 107 errExit("copy_file");
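Review bot: In `pulseaudio_init` the result of `mkdir(RUN_PULSE_DIR, ...)` is thrown away, and the following `chown(RUN_PULSE_DIR, getuid(), getgid())` then hands whatever already sits at that path to the calling user, following a symlink if one is there. The existing comment says the entry can pre-exist in --chroot mode, which is presumably the case where the directory tree is not under root's control. I would accept only `EEXIST` from `mkdir`, then open the entry with `open(RUN_PULSE_DIR, O_RDONLY | O_DIRECTORY | O_NOFOLLOW)` and apply `fchown`/`fchmod` to that descriptor, so that a link or a non-directory is rejected instead of re-owned. The function continues outside the hunk.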
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index d2d106f27..733dbef41 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -73,11 +73,11 @@ static void sanitize_home(void) {
73 } 73 }
74 74
75 fs_build_mnt_dir(); 75 fs_build_mnt_dir();
76 if (mkdir(WHITELIST_HOME_DIR, 0755) == -1) 76 if (mkdir(RUN_WHITELIST_HOME_DIR, 0755) == -1)
77 errExit("mkdir"); 77 errExit("mkdir");
78 78
79 // keep a copy of the user home directory 79 // keep a copy of the user home directory
80 if (mount(cfg.homedir, WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) 80 if (mount(cfg.homedir, RUN_WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
81 errExit("mount bind"); 81 errExit("mount bind");
82 82
83 // mount tmpfs in the new home 83 // mount tmpfs in the new home
@@ -95,11 +95,11 @@ static void sanitize_home(void) {
95 errExit("chmod"); 95 errExit("chmod");
96 96
97 // mount user home directory 97 // mount user home directory
98 if (mount(WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0) 98 if (mount(RUN_WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
99 errExit("mount bind"); 99 errExit("mount bind");
100 100
101 // mask home dir under /run 101 // mask home dir under /run
102 if (mount("tmpfs", WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) 102 if (mount("tmpfs", RUN_WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
103 errExit("mount tmpfs"); 103 errExit("mount tmpfs");
104} 104}
105 105
@@ -118,7 +118,7 @@ static void sanitize_passwd(void) {
118 fpin = fopen("/etc/passwd", "r"); 118 fpin = fopen("/etc/passwd", "r");
119 if (!fpin) 119 if (!fpin)
120 goto errout; 120 goto errout;
121 fpout = fopen(PASSWD_FILE, "w"); 121 fpout = fopen(RUN_PASSWD_FILE, "w");
122 if (!fpout) 122 if (!fpout)
123 goto errout; 123 goto errout;
124 124
@@ -172,13 +172,13 @@ static void sanitize_passwd(void) {
172 } 172 }
173 fclose(fpin); 173 fclose(fpin);
174 fclose(fpout); 174 fclose(fpout);
175 if (chown(PASSWD_FILE, 0, 0) == -1) 175 if (chown(RUN_PASSWD_FILE, 0, 0) == -1)
176 errExit("chown"); 176 errExit("chown");
177 if (chmod(PASSWD_FILE, 0644) == -1) 177 if (chmod(RUN_PASSWD_FILE, 0644) == -1)
178 errExit("chmod"); 178 errExit("chmod");
179 179
180 // mount-bind tne new password file 180 // mount-bind tne new password file
181 if (mount(PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0) 181 if (mount(RUN_PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0)
182 errExit("mount"); 182 errExit("mount");
183 183
184 return; 184 return;
@@ -249,7 +249,7 @@ static void sanitize_group(void) {
249 fpin = fopen("/etc/group", "r"); 249 fpin = fopen("/etc/group", "r");
250 if (!fpin) 250 if (!fpin)
251 goto errout; 251 goto errout;
252 fpout = fopen(GROUP_FILE, "w"); 252 fpout = fopen(RUN_GROUP_FILE, "w");
253 if (!fpout) 253 if (!fpout)
254 goto errout; 254 goto errout;
255 255
@@ -298,13 +298,13 @@ static void sanitize_group(void) {
298 } 298 }
299 fclose(fpin); 299 fclose(fpin);
300 fclose(fpout); 300 fclose(fpout);
301 if (chown(GROUP_FILE, 0, 0) == -1) 301 if (chown(RUN_GROUP_FILE, 0, 0) == -1)
302 errExit("chown"); 302 errExit("chown");
303 if (chmod(GROUP_FILE, 0644) == -1) 303 if (chmod(RUN_GROUP_FILE, 0644) == -1)
304 errExit("chmod"); 304 errExit("chmod");
305 305
306 // mount-bind tne new group file 306 // mount-bind tne new group file
307 if (mount(GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0) 307 if (mount(RUN_GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0)
308 errExit("mount"); 308 errExit("mount");
309 309
310 return; 310 return;
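Review bot: The bind mounts in `sanitize_passwd` and `sanitize_group` pass `"mode=400,gid=0"` as mount data, but the kernel ignores the data argument for `MS_BIND`, so the replacement `/etc/passwd` and `/etc/group` keep the 0644 mode set just above and the mounts are not read-only. If read-only was the intent, each bind needs a second call, `if (mount(NULL, "/etc/passwd", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY, NULL) < 0) errExit("remount");`; otherwise pass `NULL` so the call does not suggest a restriction that is never applied. `disable_file` in pulseaudio.c passes the same string to its `MS_BIND` mounts. Separately, `fclose(fpout)` is unchecked before the file is mounted over the system one, so a failed flush would go unnoticed; `if (fclose(fpout) != 0) errExit("fclose");` would catch it.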
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index dd444f0b9..2827ca9d3 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -48,11 +48,11 @@ void save_nogroups(void) {
48 if (arg_nogroups == 0) 48 if (arg_nogroups == 0)
49 return; 49 return;
50 50
51 FILE *fp = fopen(GROUPS_CFG, "w"); 51 FILE *fp = fopen(RUN_GROUPS_CFG, "w");
52 if (fp) { 52 if (fp) {
53 fprintf(fp, "\n"); 53 fprintf(fp, "\n");
54 fclose(fp); 54 fclose(fp);
55 if (chown(GROUPS_CFG, 0, 0) < 0) 55 if (chown(RUN_GROUPS_CFG, 0, 0) < 0)
56 errExit("chown"); 56 errExit("chown");
57 } 57 }
58 else { 58 else {
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index a3efa54df..eb6e489dd 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -266,7 +266,7 @@ static void write_seccomp_file(void) {
266 fs_build_mnt_dir(); 266 fs_build_mnt_dir();
267 assert(sfilter); 267 assert(sfilter);
268 268
269 int fd = open(SECCOMP_CFG, O_CREAT | O_WRONLY, S_IRUSR | S_IWUSR); 269 int fd = open(RUN_SECCOMP_CFG, O_CREAT | O_WRONLY, S_IRUSR | S_IWUSR);
270 if (fd == -1) 270 if (fd == -1)
271 errExit("open"); 271 errExit("open");
272 272
@@ -279,7 +279,7 @@ static void write_seccomp_file(void) {
279 exit(1); 279 exit(1);
280 } 280 }
281 close(fd); 281 close(fd);
282 if (chown(SECCOMP_CFG, 0, 0) < 0) 282 if (chown(RUN_SECCOMP_CFG, 0, 0) < 0)
283 errExit("chown"); 283 errExit("chown");
284} 284}
285 285
@@ -690,7 +690,7 @@ int seccomp_filter_errno(void) {
690 690
691void seccomp_set(void) { 691void seccomp_set(void) {
692 // read seccomp filter from /tmp/firejail/mnt/seccomp 692 // read seccomp filter from /tmp/firejail/mnt/seccomp
693 read_seccomp_file(SECCOMP_CFG); 693 read_seccomp_file(RUN_SECCOMP_CFG);
694 694
695 // apply filter 695 // apply filter
696 struct sock_fprog prog = { 696 struct sock_fprog prog = {
@@ -751,7 +751,7 @@ void seccomp_print_filter(pid_t pid) {
751 751
752 // find the seccomp filter 752 // find the seccomp filter
753 char *fname; 753 char *fname;
754 if (asprintf(&fname, "/proc/%d/root%s", pid, SECCOMP_CFG) == -1) 754 if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_SECCOMP_CFG) == -1)
755 errExit("asprintf"); 755 errExit("asprintf");
756 756
757 struct stat s; 757 struct stat s;