-rw-r--r-- | src/firejail/chroot.c | 5 | ||||
-rw-r--r-- | src/firejail/firejail.h | 3 | ||||
-rw-r--r-- | src/firejail/main.c | 10 | ||||
-rw-r--r-- | src/firejail/preproc.c | 13 |
4 files changed, 23 insertions, 8 deletions
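--- a/src/firejail/chroot.c
+++ b/src/firejail/chroot.c
@@ -273,7 +273,10 @@ void fs_chroot(const char *rootdir) {
 errExit("mounting /proc");
 
 // create all other /run/firejail files and directories
-preproc_build_firejail_dir();
+preproc_build_firejail_dir_unlocked();
+preproc_lock_firejail_dir();
+preproc_build_firejail_dir_locked();
+preproc_unlock_firejail_dir();
 
 // update /var directory in order to support multiple sandboxes running on the same root directory
 // if (!arg_private_dev)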
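--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -435,7 +435,8 @@ void preproc_lock_firejail_dir(void);
 void preproc_unlock_firejail_dir(void);
 void preproc_lock_firejail_network_dir(void);
 void preproc_unlock_firejail_network_dir(void);
-void preproc_build_firejail_dir(void);
+void preproc_build_firejail_dir_unlocked(void);
+void preproc_build_firejail_dir_locked(void);
 void preproc_mount_mnt_dir(void);
 void preproc_clean_run(void);
 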
diff --git a/src/firejail/main.c b/src/firejail/main.c index f00b46640..acbb4bf38 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1166,13 +1166,13 @@ int main(int argc, char **argv, char **envp) { | |||
1166 | #endif | 1166 | #endif |
1167 | 1167 | ||
1168 | // build /run/firejail directory structure | 1168 | // build /run/firejail directory structure |
1169 | preproc_build_firejail_dir(); | 1169 | preproc_build_firejail_dir_unlocked(); |
1170 | preproc_lock_firejail_dir(); | ||
1171 | preproc_build_firejail_dir_locked(); | ||
1170 | const char *container_name = env_get("container"); | 1172 | const char *container_name = env_get("container"); |
1171 | if (!container_name || strcmp(container_name, "firejail")) { | 1173 | if (!container_name || strcmp(container_name, "firejail")) |
1172 | preproc_lock_firejail_dir(); | ||
1173 | preproc_clean_run(); | 1174 | preproc_clean_run(); |
1174 | preproc_unlock_firejail_dir(); | 1175 | preproc_unlock_firejail_dir(); |
1175 | } | ||
1176 | 1176 | ||
1177 | delete_run_files(getpid()); | 1177 | delete_run_files(getpid()); |
1178 | atexit(clear_atexit); | 1178 | atexit(clear_atexit); |
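Review bot: Dropping the braces from the `if (!container_name || strcmp(container_name, "firejail"))` test leaves `preproc_clean_run();` as its only body, with the now-unconditional `preproc_unlock_firejail_dir();` on the very next line, so indentation alone tells a reader which call is conditional. Since this is the lock release path, I would keep the braces: `if (!container_name || strcmp(container_name, "firejail")) {` / `preproc_clean_run();` / `}`. The lock is also now taken when `container` is `firejail`, a case the old code skipped entirely; a one-line comment saying this is intended would help. main() starts and ends outside the hunk.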
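--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -109,7 +109,10 @@ void preproc_unlock_firejail_network_dir(void) {
 }
 
 // build /run/firejail directory
-void preproc_build_firejail_dir(void) {
+//
+// Note: This creates the base directory of the rundir lockfile;
+// it should be called before preproc_lock_firejail_dir().
+void preproc_build_firejail_dir_unlocked(void) {
 struct stat s;
 
 // CentOS 6 doesn't have /run directory
@@ -118,6 +121,14 @@ void preproc_build_firejail_dir(void) {
 }
 
 create_empty_dir_as_root(RUN_FIREJAIL_DIR, 0755);
+}
+
+// build directory hierarchy under /run/firejail
+//
+// Note: Remounts have timing hazards. This function should
+// only be called after acquiring the directory lock via
+// preproc_lock_firejail_dir().
+void preproc_build_firejail_dir_locked(void) {
 create_empty_dir_as_root(RUN_FIREJAIL_NETWORK_DIR, 0755);
 create_empty_dir_as_root(RUN_FIREJAIL_BANDWIDTH_DIR, 0755);
 create_empty_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755);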
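Review bot: The rule that `preproc_build_firejail_dir_locked()` runs only while the rundir lock is held is enforced by a comment and the function name alone, so a future caller that skips `preproc_lock_firejail_dir()` would silently reintroduce the remount timing hazard the comment mentions. If this file keeps any record of whether the lock is currently held (not visible in these hunks), an `assert()` on it as the first statement of the function would turn the rule into a check. Failing that, the comment could say what goes wrong without the lock, rather than only that remounts have timing hazards. The body of `preproc_build_firejail_dir_locked()` continues past the end of the hunk.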