fixes

author: netblue30 <netblue30@yahoo.com> 2016-03-09 09:51:47 -0500
committer: netblue30 <netblue30@yahoo.com> 2016-03-09 09:51:47 -0500
commit: dc3564b18f1eafde1ccf46e722f8c2a9c1ee8555 (patch)
tree: 6178c2c6fc5912a63f5d54b1e3562d7049270418 /src
parent: fs work (diff)
download: firejail-dc3564b18f1eafde1ccf46e722f8c2a9c1ee8555.tar.gz
firejail-dc3564b18f1eafde1ccf46e722f8c2a9c1ee8555.tar.zst
firejail-dc3564b18f1eafde1ccf46e722f8c2a9c1ee8555.zip
5 files changed, 39 insertions, 3 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index b526b5e00..9c4dcc9a6 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -369,6 +369,7 @@ char *expand_home(const char *path, const char* homedir);
 const char *gnu_basename(const char *path);
 uid_t pid_get_uid(pid_t pid);
 void invalid_filename(const char *fname);
+uid_t get_tty_gid(void);
 // fs_var.c
 void fs_var_log(void);  // mounting /var/log
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 5c645b8da..2fd450391 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -178,9 +178,21 @@ void fs_private_dev(void){
        create_char_dev("/dev/pts/ptmx", 0666, 5, 2); //"mknod -m 666 /dev/pts/ptmx c 5 2");
        fs_logger("mknod /dev/pts/ptmx");
        create_link("/dev/pts/ptmx", "/dev/ptmx");
+// code before github issue #351
        // mount -vt devpts -o newinstance -o ptmxmode=0666 devpts //dev/pts
-        if (mount("devpts", "/dev/pts", "devpts", MS_MGC_VAL,  "newinstance,ptmxmode=0666") < 0)
+//      if (mount("devpts", "/dev/pts", "devpts", MS_MGC_VAL,  "newinstance,ptmxmode=0666") < 0)
+//              errExit("mounting /dev/pts");
+        // mount /dev/pts
+        gid_t ttygid = get_tty_gid();
+        char *data;
+        if (asprintf(&data, "newinstance,gid=%d,mode=620,ptmxmode=0666", (int) ttygid) == -1)
+                errExit("asprintf");
+        if (mount("devpts", "/dev/pts", "devpts", MS_MGC_VAL,  data) < 0)
                errExit("mounting /dev/pts");
+        free(data);
        fs_logger("clone /dev/pts");
 #if 0
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index b814af445..90ef43a62 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -255,6 +255,12 @@ void ls(pid_t pid, const char *path) {
                exit(1);
        }
+        // access chek is performed with the real UID
+        if (access(fname, R_OK) == -1) {
+                fprintf(stderr, "Error: Cannot access file %s\n", fname);
+                exit(1);
+        }
        // list directory contents
        struct stat s;
        if (stat(fname, &s) == -1) {
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 68606a313..e2f197a92 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1746,8 +1746,15 @@ int main(int argc, char **argv) {
                if (asprintf(&map_path, "/proc/%d/gid_map", child) == -1)
                        errExit("asprintf");
                gid_t gid = getgid();
-                if (asprintf(&map, "%d %d 1", gid, gid) == -1)
+                gid_t ttygid = get_tty_gid();
-                        errExit("asprintf");
+                if (ttygid == 0)  {
+                        if (asprintf(&map, "%d %d 1", gid, gid) == -1)
+                                errExit("asprintf");
+                }
+                else {
+                        if (asprintf(&map, "%d %d 1\n%d %d 1", gid, gid, ttygid, ttygid) == -1)
+                                errExit("asprintf");
+                }
                EUID_ROOT();
                update_map(map, map_path);
                EUID_USER();
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 3463095f9..c62f4285c 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -629,3 +629,13 @@ void invalid_filename(const char *fname) {
                exit(1);
        }
 }
+uid_t get_tty_gid(void) {
+        // find tty group id
+        gid_t ttygid = 0;
+        struct group *g = getgrnam("tty");
+        if (g)
+                ttygid = g->gr_gid;
+        return ttygid;
+}
author	netblue30 <netblue30@yahoo.com>	2016-03-09 09:51:47 -0500
committer	netblue30 <netblue30@yahoo.com>	2016-03-09 09:51:47 -0500
commit	dc3564b18f1eafde1ccf46e722f8c2a9c1ee8555 (patch)
tree	6178c2c6fc5912a63f5d54b1e3562d7049270418 /src
parent	fs work (diff)
download	firejail-dc3564b18f1eafde1ccf46e722f8c2a9c1ee8555.tar.gz firejail-dc3564b18f1eafde1ccf46e722f8c2a9c1ee8555.tar.zst firejail-dc3564b18f1eafde1ccf46e722f8c2a9c1ee8555.zip

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index b526b5e00..9c4dcc9a6 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -369,6 +369,7 @@ char expand_home(const char path, const char* homedir);
369	const char gnu_basename(const char path);	369	const char gnu_basename(const char path);
370	uid_t pid_get_uid(pid_t pid);	370	uid_t pid_get_uid(pid_t pid);
371	void invalid_filename(const char *fname);	371	void invalid_filename(const char *fname);
		372	uid_t get_tty_gid(void);
372		373
373	// fs_var.c	374	// fs_var.c
374	void fs_var_log(void); // mounting /var/log	375	void fs_var_log(void); // mounting /var/log


diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index 5c645b8da..2fd450391 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c
@@ -178,9 +178,21 @@ void fs_private_dev(void){
178	create_char_dev("/dev/pts/ptmx", 0666, 5, 2); //"mknod -m 666 /dev/pts/ptmx c 5 2");	178	create_char_dev("/dev/pts/ptmx", 0666, 5, 2); //"mknod -m 666 /dev/pts/ptmx c 5 2");
179	fs_logger("mknod /dev/pts/ptmx");	179	fs_logger("mknod /dev/pts/ptmx");
180	create_link("/dev/pts/ptmx", "/dev/ptmx");	180	create_link("/dev/pts/ptmx", "/dev/ptmx");
		181
		182	// code before github issue #351
181	// mount -vt devpts -o newinstance -o ptmxmode=0666 devpts //dev/pts	183	// mount -vt devpts -o newinstance -o ptmxmode=0666 devpts //dev/pts
182	if (mount("devpts", "/dev/pts", "devpts", MS_MGC_VAL, "newinstance,ptmxmode=0666") < 0)	184	// if (mount("devpts", "/dev/pts", "devpts", MS_MGC_VAL, "newinstance,ptmxmode=0666") < 0)
		185	// errExit("mounting /dev/pts");
		186
		187
		188	// mount /dev/pts
		189	gid_t ttygid = get_tty_gid();
		190	char *data;
		191	if (asprintf(&data, "newinstance,gid=%d,mode=620,ptmxmode=0666", (int) ttygid) == -1)
		192	errExit("asprintf");
		193	if (mount("devpts", "/dev/pts", "devpts", MS_MGC_VAL, data) < 0)
183	errExit("mounting /dev/pts");	194	errExit("mounting /dev/pts");
		195	free(data);
184	fs_logger("clone /dev/pts");	196	fs_logger("clone /dev/pts");
185		197
186	#if 0	198	#if 0


diff --git a/src/firejail/ls.c b/src/firejail/ls.c index b814af445..90ef43a62 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c
@@ -255,6 +255,12 @@ void ls(pid_t pid, const char *path) {
255	exit(1);	255	exit(1);
256	}	256	}
257		257
		258	// access chek is performed with the real UID
		259	if (access(fname, R_OK) == -1) {
		260	fprintf(stderr, "Error: Cannot access file %s\n", fname);
		261	exit(1);
		262	}
		263
258	// list directory contents	264	// list directory contents
259	struct stat s;	265	struct stat s;
260	if (stat(fname, &s) == -1) {	266	if (stat(fname, &s) == -1) {


diff --git a/src/firejail/main.c b/src/firejail/main.c index 68606a313..e2f197a92 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -1746,8 +1746,15 @@ int main(int argc, char **argv) {
1746	if (asprintf(&map_path, "/proc/%d/gid_map", child) == -1)	1746	if (asprintf(&map_path, "/proc/%d/gid_map", child) == -1)
1747	errExit("asprintf");	1747	errExit("asprintf");
1748	gid_t gid = getgid();	1748	gid_t gid = getgid();
1749	if (asprintf(&map, "%d %d 1", gid, gid) == -1)	1749	gid_t ttygid = get_tty_gid();
1750	errExit("asprintf");	1750	if (ttygid == 0) {
		1751	if (asprintf(&map, "%d %d 1", gid, gid) == -1)
		1752	errExit("asprintf");
		1753	}
		1754	else {
		1755	if (asprintf(&map, "%d %d 1\n%d %d 1", gid, gid, ttygid, ttygid) == -1)
		1756	errExit("asprintf");
		1757	}
1751	EUID_ROOT();	1758	EUID_ROOT();
1752	update_map(map, map_path);	1759	update_map(map, map_path);
1753	EUID_USER();	1760	EUID_USER();


diff --git a/src/firejail/util.c b/src/firejail/util.c index 3463095f9..c62f4285c 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c
@@ -629,3 +629,13 @@ void invalid_filename(const char *fname) {
629	exit(1);	629	exit(1);
630	}	630	}
631	}	631	}
		632
		633	uid_t get_tty_gid(void) {
		634	// find tty group id
		635	gid_t ttygid = 0;
		636	struct group *g = getgrnam("tty");
		637	if (g)
		638	ttygid = g->gr_gid;
		639
		640	return ttygid;
		641	}