cleanup

author: smitsohu <smitsohu@gmail.com> 2018-06-26 12:30:01 +0200
committer: smitsohu <smitsohu@gmail.com> 2018-06-26 12:30:01 +0200
commit: d8b3009969adc0b98d3013af29cbdfbf4c8e25a0 (patch)
tree: 51da203a9bcf741595ab763a90908a7bb17dfef7 /src
parent: whitelist symlink handling, allow /var/tmp symlinks - issue #2011 (diff)
download: firejail-d8b3009969adc0b98d3013af29cbdfbf4c8e25a0.tar.gz
firejail-d8b3009969adc0b98d3013af29cbdfbf4c8e25a0.tar.zst
firejail-d8b3009969adc0b98d3013af29cbdfbf4c8e25a0.zip
1 files changed, 23 insertions, 33 deletions
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index d67087616..d52b3996a 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -306,10 +306,10 @@ static void whitelist_path(ProfileEntry *entry) {
                if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MODULE_DIR, fname) == -1)
                        errExit("asprintf");
        }
+        assert(wfile);
        // check if the file exists
        EUID_USER();
-        assert(wfile);
        struct stat s;
        if (stat(wfile, &s) == 0) {
                if (arg_debug || arg_debug_whitelists)
@@ -919,38 +919,28 @@ void fs_whitelist(void) {
 //printf("here %d#%s#\n", __LINE__, entry->data);
                // whitelist the real file
-                if (strcmp(entry->data, "whitelist /run") == 0 &&
+                whitelist_path(entry);
-                    (strcmp(entry->link, "/var/run") == 0 || strcmp(entry->link, "/var/lock") == 0)) {
-                        int rv = symlink(entry->data + 10, entry->link);
+                // create the link if any
-                        if (rv)
+                if (entry->link) {
-                                fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link);
+                        // if the link is already there, do not bother
-                        else if (arg_debug || arg_debug_whitelists)
+                        struct stat s;
-                                printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10);
+                        if (stat(entry->link, &s) != 0) {
-                }
+                                // create the path if necessary
-                else {
+                                mkpath(entry->link, s.st_mode);
-                        whitelist_path(entry);
+                                int rv = symlink(entry->data + 10, entry->link);
-                        // create the link if any
+                                if (rv)
-                        if (entry->link) {
+                                        fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link);
-                                // if the link is already there, do not bother
+                                else if (arg_debug || arg_debug_whitelists)
-                                struct stat s;
+                                        printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10);
-                                if (stat(entry->link, &s) != 0) {
-                                        // create the path if necessary
+                                // check again for files in /tmp directory
-                                        mkpath(entry->link, s.st_mode);
+                                if (strncmp(entry->link, "/tmp/", 5) == 0) {
+                                        char *path = realpath(entry->link, NULL);
-                                        int rv = symlink(entry->data + 10, entry->link);
+                                        if (path == NULL || strncmp(path, "/tmp/", 5) != 0)
-                                        if (rv)
+                                                errLogExit("invalid whitelist symlink %s\n", entry->link);
-                                                fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link);
+                                        free(path);
-                                        else if (arg_debug || arg_debug_whitelists)
-                                                printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10);
-                                        // check again for files in /tmp directory
-                                        if (strncmp(entry->link, "/tmp/", 5) == 0) {
-                                                char *path = realpath(entry->link, NULL);
-                                                if (path == NULL || strncmp(path, "/tmp/", 5) != 0)
-                                                        errLogExit("invalid whitelist symlink %s\n", entry->link);
-                                                free(path);
-                                        }
                                }
                        }
                }
author	smitsohu <smitsohu@gmail.com>	2018-06-26 12:30:01 +0200
committer	smitsohu <smitsohu@gmail.com>	2018-06-26 12:30:01 +0200
commit	d8b3009969adc0b98d3013af29cbdfbf4c8e25a0 (patch)
tree	51da203a9bcf741595ab763a90908a7bb17dfef7 /src
parent	whitelist symlink handling, allow /var/tmp symlinks - issue #2011 (diff)
download	firejail-d8b3009969adc0b98d3013af29cbdfbf4c8e25a0.tar.gz firejail-d8b3009969adc0b98d3013af29cbdfbf4c8e25a0.tar.zst firejail-d8b3009969adc0b98d3013af29cbdfbf4c8e25a0.zip

diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index d67087616..d52b3996a 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c
@@ -306,10 +306,10 @@ static void whitelist_path(ProfileEntry *entry) {
306	if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MODULE_DIR, fname) == -1)	306	if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MODULE_DIR, fname) == -1)
307	errExit("asprintf");	307	errExit("asprintf");
308	}	308	}
		309	assert(wfile);
309		310
310	// check if the file exists	311	// check if the file exists
311	EUID_USER();	312	EUID_USER();
312	assert(wfile);
313	struct stat s;	313	struct stat s;
314	if (stat(wfile, &s) == 0) {	314	if (stat(wfile, &s) == 0) {
315	if (arg_debug \|\| arg_debug_whitelists)	315	if (arg_debug \|\| arg_debug_whitelists)
@@ -919,38 +919,28 @@ void fs_whitelist(void) {
919		919
920	//printf("here %d#%s#\n", __LINE__, entry->data);	920	//printf("here %d#%s#\n", __LINE__, entry->data);
921	// whitelist the real file	921	// whitelist the real file
922	if (strcmp(entry->data, "whitelist /run") == 0 &&	922	whitelist_path(entry);
923	(strcmp(entry->link, "/var/run") == 0 \|\| strcmp(entry->link, "/var/lock") == 0)) {	923
924	int rv = symlink(entry->data + 10, entry->link);	924	// create the link if any
925	if (rv)	925	if (entry->link) {
926	fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link);	926	// if the link is already there, do not bother
927	else if (arg_debug \|\| arg_debug_whitelists)	927	struct stat s;
928	printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10);	928	if (stat(entry->link, &s) != 0) {
929	}	929	// create the path if necessary
930	else {	930	mkpath(entry->link, s.st_mode);
931	whitelist_path(entry);	931
932		932	int rv = symlink(entry->data + 10, entry->link);
933	// create the link if any	933	if (rv)
934	if (entry->link) {	934	fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link);
935	// if the link is already there, do not bother	935	else if (arg_debug \|\| arg_debug_whitelists)
936	struct stat s;	936	printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10);
937	if (stat(entry->link, &s) != 0) {	937
938	// create the path if necessary	938	// check again for files in /tmp directory
939	mkpath(entry->link, s.st_mode);	939	if (strncmp(entry->link, "/tmp/", 5) == 0) {
940		940	char *path = realpath(entry->link, NULL);
941	int rv = symlink(entry->data + 10, entry->link);	941	if (path == NULL \|\| strncmp(path, "/tmp/", 5) != 0)
942	if (rv)	942	errLogExit("invalid whitelist symlink %s\n", entry->link);
943	fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link);	943	free(path);
944	else if (arg_debug \|\| arg_debug_whitelists)
945	printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10);
946
947	// check again for files in /tmp directory
948	if (strncmp(entry->link, "/tmp/", 5) == 0) {
949	char *path = realpath(entry->link, NULL);
950	if (path == NULL \|\| strncmp(path, "/tmp/", 5) != 0)
951	errLogExit("invalid whitelist symlink %s\n", entry->link);
952	free(path);
953	}
954	}	944	}
955	}	945	}
956	}	946	}