authorLibravatar netblue30 <netblue30@yahoo.com>2016-01-24 20:31:52 -0500
committerLibravatar netblue30 <netblue30@yahoo.com>2016-01-24 20:31:52 -0500
commitdfd660f80d8a364dc45b750a1f921adf4f2af450 (patch)
tree4690f1a4e5f5e4f6b8c94940da3cd67c5cc9ad78 /src
parenttesting (diff)
0.9.38 testing
Diffstat (limited to 'src')
-rw-r--r--src/firejail/fs.c10
-rw-r--r--src/firejail/fs_home.c24
-rw-r--r--src/firejail/main.c2
-rw-r--r--src/firejail/pulseaudio.c4
-rw-r--r--src/firejail/restrict_users.c8
-rw-r--r--src/firejail/shutdown.c6
6 files changed, 52 insertions, 2 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index f4c448024..cad101bf9 100644
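--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -136,12 +136,18 @@ void fs_build_cp_command(void) {
 fprintf(stderr, "Error: /bin/cp not found\n");
 exit(1);
 }
+if (is_link(fname)) {
+fprintf(stderr, "Error: invalid /bin/cp file\n");
+exit(1);
+}
 int rv = copy_file(fname, RUN_CP_COMMAND);
 if (rv) {
 fprintf(stderr, "Error: cannot access /bin/cp\n");
 exit(1);
 }
 /* coverity[toctou] */
+if (chown(RUN_CP_COMMAND, 0, 0))
+errExit("chown");
 if (chmod(RUN_CP_COMMAND, 0755))
 errExit("chmod");
 
@@ -921,6 +927,10 @@ void fs_chroot(const char *rootdir) {
 errExit("asprintf");
 if (arg_debug)
 printf("Updating /etc/resolv.conf in %s\n", fname);
+if (is_link(fname)) {
+fprintf(stderr, "Error: invalid %s file\n", fname);
+exit(1);
+}
 if (copy_file("/etc/resolv.conf", fname) == -1)
 fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n");
 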
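Review bot: In fs_chroot, `is_link(fname)` and the following `copy_file("/etc/resolv.conf", fname)` each resolve the path on their own, so the check does not bind to the file that is finally written; fname appears to live under the caller-supplied rootdir, where the entry can change between the two calls. The durable fix belongs in copy_file (not shown here): open the destination with `O_NOFOLLOW` and work on that descriptor, and in fs_build_cp_command replace the path-based `chown(RUN_CP_COMMAND, 0, 0)` / `chmod` pair with `fchown`/`fchmod` on the same descriptor. The same check-then-copy sequence is added in fs_home.c (store_xauthority, store_asoundrc), pulseaudio.c and restrict_users.c. Both functions continue outside their hunks.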
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 08141ed03..e42ce5255 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -41,6 +41,10 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
41 if (stat(fname, &s) == 0) 41 if (stat(fname, &s) == 0)
42 return; 42 return;
43 if (stat("/etc/skel/.zshrc", &s) == 0) { 43 if (stat("/etc/skel/.zshrc", &s) == 0) {
44 if (is_link("/etc/skel/.zshrc")) {
45 fprintf(stderr, "Error: invalid /etc/skel/.zshrc file\n");
46 exit(1);
47 }
44 if (copy_file("/etc/skel/.zshrc", fname) == 0) { 48 if (copy_file("/etc/skel/.zshrc", fname) == 0) {
45 if (chown(fname, u, g) == -1) 49 if (chown(fname, u, g) == -1)
46 errExit("chown"); 50 errExit("chown");
@@ -71,6 +75,10 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
71 if (stat(fname, &s) == 0) 75 if (stat(fname, &s) == 0)
72 return; 76 return;
73 if (stat("/etc/skel/.cshrc", &s) == 0) { 77 if (stat("/etc/skel/.cshrc", &s) == 0) {
78 if (is_link("/etc/skel/.cshrc")) {
79 fprintf(stderr, "Error: invalid /etc/skel/.cshrc file\n");
80 exit(1);
81 }
74 if (copy_file("/etc/skel/.cshrc", fname) == 0) { 82 if (copy_file("/etc/skel/.cshrc", fname) == 0) {
75 if (chown(fname, u, g) == -1) 83 if (chown(fname, u, g) == -1)
76 errExit("chown"); 84 errExit("chown");
@@ -102,6 +110,10 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
102 if (stat(fname, &s) == 0) 110 if (stat(fname, &s) == 0)
103 return; 111 return;
104 if (stat("/etc/skel/.bashrc", &s) == 0) { 112 if (stat("/etc/skel/.bashrc", &s) == 0) {
113 if (is_link("/etc/skel/.bashrc")) {
114 fprintf(stderr, "Error: invalid /etc/skel/.bashrc file\n");
115 exit(1);
116 }
105 if (copy_file("/etc/skel/.bashrc", fname) == 0) { 117 if (copy_file("/etc/skel/.bashrc", fname) == 0) {
106 /* coverity[toctou] */ 118 /* coverity[toctou] */
107 if (chown(fname, u, g) == -1) 119 if (chown(fname, u, g) == -1)
@@ -123,7 +135,12 @@ static int store_xauthority(void) {
123 errExit("asprintf"); 135 errExit("asprintf");
124 136
125 struct stat s; 137 struct stat s;
126 if (stat(src, &s) == 0) { 138 if (stat(src, &s) == 0) {
139 if (is_link(src)) {
140 fprintf(stderr, "Error: invalid .Xauthority file\n");
141 exit(1);
142 }
143
127 int rv = copy_file(src, dest); 144 int rv = copy_file(src, dest);
128 if (rv) { 145 if (rv) {
129 fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n"); 146 fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
@@ -146,6 +163,11 @@ static int store_asoundrc(void) {
146 163
147 struct stat s; 164 struct stat s;
148 if (stat(src, &s) == 0) { 165 if (stat(src, &s) == 0) {
166 if (is_link(src)) {
167 fprintf(stderr, "Error: invalid .asoundrc file\n");
168 exit(1);
169 }
170
149 int rv = copy_file(src, dest); 171 int rv = copy_file(src, dest);
150 if (rv) { 172 if (rv) {
151 fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n"); 173 fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
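Review bot: In skel() the new `is_link()` tests cover only the `/etc/skel` source, while the path that is created and then handed to `chown(fname, u, g)` is the destination under homedir, which gets no such test. `stat(fname, &s)` follows links, so a dangling link at fname falls through to `copy_file`; whether the write then lands on the link target depends on copy_file's open flags, which are not visible here. I would add the same guard for the destination before each copy, `if (is_link(fname)) { fprintf(stderr, "Error: invalid %s file\n", fname); exit(1); }`, and change ownership with `lchown` or an fd-based `fchown`. skel() starts and ends outside these hunks.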
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 7afbf9ce3..014ea8cae 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -300,7 +300,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
300 if (read_pid(argv[i] + 12, &pid) == 0) 300 if (read_pid(argv[i] + 12, &pid) == 0)
301 bandwidth_pid(pid, cmd, dev, down, up); 301 bandwidth_pid(pid, cmd, dev, down, up);
302 else 302 else
303 bandwidth_name(argv[i] + 12, cmd, dev, down, up); 303 bandwidth_name(argv[i] + 12, cmd, dev, down, up);
304 exit(0); 304 exit(0);
305 } 305 }
306 306
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index 29f3bc4f0..a3348baf4 100644
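--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -104,6 +104,10 @@ void pulseaudio_init(void) {
 char *pulsecfg = NULL;
 if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1)
 errExit("asprintf");
+if (is_link("/etc/pulse/client.conf")) {
+fprintf(stderr, "Error: invalid /etc/pulse/client.conf file\n");
+exit(1);
+}
 if (copy_file("/etc/pulse/client.conf", pulsecfg))
 errExit("copy_file");
 FILE *fp = fopen(pulsecfg, "a+");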
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index aa6a5d268..88dd38021 100644
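--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -115,6 +115,10 @@ static void sanitize_passwd(void) {
 return;
 if (arg_debug)
 printf("Sanitizing /etc/passwd\n");
+if (is_link("/etc/passwd")) {
+fprintf(stderr, "Error: invalid /etc/passwd\n");
+exit(1);
+}
 
 FILE *fpin = NULL;
 FILE *fpout = NULL;
@@ -248,6 +252,10 @@ static void sanitize_group(void) {
 return;
 if (arg_debug)
 printf("Sanitizing /etc/group\n");
+if (is_link("/etc/group")) {
+fprintf(stderr, "Error: invalid /etc/group\n");
+exit(1);
+}
 
 FILE *fpin = NULL;
 FILE *fpout = NULL;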
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c
index 131f663d4..edaac7eb9 100644
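--- a/src/firejail/shutdown.c
+++ b/src/firejail/shutdown.c
@@ -54,8 +54,14 @@ void shut(pid_t pid) {
 printf("Switching to pid %u, the first child process inside the sandbox\n", (unsigned) pid);
 }
 }
+else {
+fprintf(stderr, "Error: this is not a firejail sandbox\n");
+exit(1);
+}
 free(comm);
 }
+else
+errExit("/proc/PID/comm");
 
 // check privileges for non-root users
 uid_t uid = getuid();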
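Review bot: The new `else` branch that prints "Error: this is not a firejail sandbox" appears to rest on the process name read from /proc/PID/comm, and a process can set that name itself (prctl `PR_SET_NAME`), so it should be documented as a sanity check rather than an access check. I would add a comment above the comparison such as `/* comm is process-controlled; this only catches mistakes, authorization is the uid check below */`. Separately, `errExit("/proc/PID/comm")` prints the literal text PID, and formatting the real pid into the message would make the failure traceable. The comparison itself and the start of shut() are outside the hunk.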