-rw-r--r-- | src/firejail/fs.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 56aab8871..5cce383e2 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -157,13 +157,16 @@ typedef enum { | |||
157 | OPERATION_MAX | 157 | OPERATION_MAX |
158 | } OPERATION; | 158 | } OPERATION; |
159 | 159 | ||
160 | 160 | typedef enum { | |
161 | 161 | UNSUCCESSFUL, | |
162 | SUCCESSFUL | ||
163 | } LAST_DISABLE_OPERATION; | ||
164 | LAST_DISABLE_OPERATION last_disable = UNSUCCESSFUL; | ||
162 | 165 | ||
163 | static void disable_file(OPERATION op, const char *filename) { | 166 | static void disable_file(OPERATION op, const char *filename) { |
164 | assert(filename); | 167 | assert(filename); |
165 | assert(op <OPERATION_MAX); | 168 | assert(op <OPERATION_MAX); |
166 | 169 | last_disable = UNSUCCESSFUL; | |
167 | 170 | ||
168 | // rebuild /run/firejail directory in case tmpfs was mounted on top of /run | 171 | // rebuild /run/firejail directory in case tmpfs was mounted on top of /run |
169 | fs_build_firejail_dir(); | 172 | fs_build_firejail_dir(); |
@@ -204,12 +207,14 @@ static void disable_file(OPERATION op, const char *filename) { | |||
204 | if (mount(RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0) | 207 | if (mount(RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0) |
205 | errExit("disable file"); | 208 | errExit("disable file"); |
206 | } | 209 | } |
210 | last_disable = SUCCESSFUL; | ||
207 | } | 211 | } |
208 | } | 212 | } |
209 | else if (op == MOUNT_READONLY) { | 213 | else if (op == MOUNT_READONLY) { |
210 | if (arg_debug) | 214 | if (arg_debug) |
211 | printf("Mounting read-only %s\n", fname); | 215 | printf("Mounting read-only %s\n", fname); |
212 | fs_rdonly(fname); | 216 | fs_rdonly(fname); |
217 | // todo: last_disable = SUCCESSFUL; | ||
213 | } | 218 | } |
214 | else if (op == MOUNT_TMPFS) { | 219 | else if (op == MOUNT_TMPFS) { |
215 | if (S_ISDIR(s.st_mode)) { | 220 | if (S_ISDIR(s.st_mode)) { |
@@ -221,6 +226,7 @@ static void disable_file(OPERATION op, const char *filename) { | |||
221 | /* coverity[toctou] */ | 226 | /* coverity[toctou] */ |
222 | if (chown(fname, s.st_uid, s.st_gid) == -1) | 227 | if (chown(fname, s.st_uid, s.st_gid) == -1) |
223 | errExit("mounting tmpfs chmod"); | 228 | errExit("mounting tmpfs chmod"); |
229 | last_disable = SUCCESSFUL; | ||
224 | } | 230 | } |
225 | else | 231 | else |
226 | printf("Warning: %s is not a directory; cannot mount a tmpfs on top of it.\n", fname); | 232 | printf("Warning: %s is not a directory; cannot mount a tmpfs on top of it.\n", fname); |
@@ -382,6 +388,8 @@ void fs_blacklist(void) { | |||
382 | char newname[strlen(*path) + fname_len + 1]; | 388 | char newname[strlen(*path) + fname_len + 1]; |
383 | sprintf(newname, "%s%s", *path, fname); | 389 | sprintf(newname, "%s%s", *path, fname); |
384 | globbing(op, newname, (const char**)noblacklist, noblacklist_c); | 390 | globbing(op, newname, (const char**)noblacklist, noblacklist_c); |
391 | if (last_disable == SUCCESSFUL) | ||
392 | break; | ||
385 | } | 393 | } |
386 | } | 394 | } |
387 | else | 395 | else |