diff options
-rw-r--r-- | src/firejail/appimage.c | 4 | ||||
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 25 | ||||
-rw-r--r-- | src/firejail/main.c | 2 |
4 files changed, 31 insertions, 2 deletions
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index dd347a714..db9382dc3 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c | |||
@@ -31,6 +31,10 @@ | |||
31 | static char *devloop = NULL; // device file | 31 | static char *devloop = NULL; // device file |
32 | static char *mntdir = NULL; // mount point in /tmp directory | 32 | static char *mntdir = NULL; // mount point in /tmp directory |
33 | 33 | ||
34 | const char *appimage_getdir(void) { | ||
35 | return mntdir; | ||
36 | } | ||
37 | |||
34 | void appimage_set(const char *appimage_path) { | 38 | void appimage_set(const char *appimage_path) { |
35 | assert(appimage_path); | 39 | assert(appimage_path); |
36 | assert(devloop == NULL); // don't call this twice! | 40 | assert(devloop == NULL); // don't call this twice! |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 6d64ce4cd..0b6e2e181 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -259,6 +259,7 @@ extern int arg_nice; // nice value configured | |||
259 | extern int arg_ipc; // enable ipc namespace | 259 | extern int arg_ipc; // enable ipc namespace |
260 | extern int arg_writable_etc; // writable etc | 260 | extern int arg_writable_etc; // writable etc |
261 | extern int arg_writable_var; // writable var | 261 | extern int arg_writable_var; // writable var |
262 | extern int arg_appimage; // appimage | ||
262 | 263 | ||
263 | extern int parent_to_child_fds[2]; | 264 | extern int parent_to_child_fds[2]; |
264 | extern int child_to_parent_fds[2]; | 265 | extern int child_to_parent_fds[2]; |
@@ -581,6 +582,7 @@ void fs_rdwr(void); | |||
581 | // appimage.c | 582 | // appimage.c |
582 | void appimage_set(const char *appimage_path); | 583 | void appimage_set(const char *appimage_path); |
583 | void appimage_clear(void); | 584 | void appimage_clear(void); |
585 | const char *appimage_getdir(void); | ||
584 | 586 | ||
585 | #endif | 587 | #endif |
586 | 588 | ||
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 617e61dcd..ba6c8cd74 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -504,7 +504,7 @@ void fs_whitelist(void) { | |||
504 | 504 | ||
505 | // /tmp mountpoint | 505 | // /tmp mountpoint |
506 | if (tmp_dir) { | 506 | if (tmp_dir) { |
507 | // keep a copy of real /tmp directory in WHITELIST_TMP_DIR | 507 | // keep a copy of real /tmp directory in |
508 | int rv = mkdir(RUN_WHITELIST_TMP_DIR, 1777); | 508 | int rv = mkdir(RUN_WHITELIST_TMP_DIR, 1777); |
509 | if (rv == -1) | 509 | if (rv == -1) |
510 | errExit("mkdir"); | 510 | errExit("mkdir"); |
@@ -522,6 +522,29 @@ void fs_whitelist(void) { | |||
522 | if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) | 522 | if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) |
523 | errExit("mounting tmpfs on /tmp"); | 523 | errExit("mounting tmpfs on /tmp"); |
524 | fs_logger("tmpfs /tmp"); | 524 | fs_logger("tmpfs /tmp"); |
525 | |||
526 | // mount appimage directory if necessary | ||
527 | if (arg_appimage) { | ||
528 | const char *dir = appimage_getdir(); | ||
529 | assert(dir); | ||
530 | char *wdir; | ||
531 | if (asprintf(&wdir, "%s/%s", RUN_WHITELIST_TMP_DIR, dir + 4) == -1) | ||
532 | errExit("asprintf"); | ||
533 | |||
534 | // create directory | ||
535 | if (mkdir(dir, 0755) < 0) | ||
536 | errExit("mkdir"); | ||
537 | if (chown(dir, getuid(), getgid()) < 0) | ||
538 | errExit("chown"); | ||
539 | if (chmod(dir, 0755) < 0) | ||
540 | errExit("chmod"); | ||
541 | |||
542 | // mount | ||
543 | if (mount(wdir, dir, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
544 | errExit("mount bind"); | ||
545 | fs_logger2("whitelist", dir); | ||
546 | free(wdir); | ||
547 | } | ||
525 | } | 548 | } |
526 | 549 | ||
527 | // /media mountpoint | 550 | // /media mountpoint |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 423df3752..9e8e1eaf0 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -99,6 +99,7 @@ int arg_nice = 0; // nice value configured | |||
99 | int arg_ipc = 0; // enable ipc namespace | 99 | int arg_ipc = 0; // enable ipc namespace |
100 | int arg_writable_etc = 0; // writable etc | 100 | int arg_writable_etc = 0; // writable etc |
101 | int arg_writable_var = 0; // writable var | 101 | int arg_writable_var = 0; // writable var |
102 | int arg_appimage = 0; // appimage | ||
102 | 103 | ||
103 | int parent_to_child_fds[2]; | 104 | int parent_to_child_fds[2]; |
104 | int child_to_parent_fds[2]; | 105 | int child_to_parent_fds[2]; |
@@ -705,7 +706,6 @@ int main(int argc, char **argv) { | |||
705 | #ifdef HAVE_SECCOMP | 706 | #ifdef HAVE_SECCOMP |
706 | int highest_errno = errno_highest_nr(); | 707 | int highest_errno = errno_highest_nr(); |
707 | #endif | 708 | #endif |
708 | int arg_appimage = 0; | ||
709 | 709 | ||
710 | // drop permissions by default and rise them when required | 710 | // drop permissions by default and rise them when required |
711 | EUID_INIT(); | 711 | EUID_INIT(); |