-rw-r--r-- | README | 1 | ||||
-rw-r--r-- | RELNOTES | 3 | ||||
-rw-r--r-- | src/firejail/fs_mkdir.c | 28 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 14 | ||||
-rwxr-xr-x | test/fs/mkdir.exp | 26 | ||||
-rw-r--r-- | test/fs/mkdir.profile | 4 |
6 files changed, 60 insertions, 16 deletions
@@ -37,6 +37,7 @@ Maintainer: | |||
37 | Committers | 37 | Committers |
38 | - chiraag-nataraj (https://github.com/chiraag-nataraj) | 38 | - chiraag-nataraj (https://github.com/chiraag-nataraj) |
39 | - crass (https://github.com/crass) | 39 | - crass (https://github.com/crass) |
40 | - curiosityseeker (https://github.com/curiosityseeker) | ||
40 | - glitsj16 (https://github.com/glitsj16) | 41 | - glitsj16 (https://github.com/glitsj16) |
41 | - Fred-Barclay (https://github.com/Fred-Barclay) | 42 | - Fred-Barclay (https://github.com/Fred-Barclay) |
42 | - Kristóf Marussy (https://github.com/kris7t) | 43 | - Kristóf Marussy (https://github.com/kris7t) |
@@ -7,9 +7,10 @@ firejail (0.9.63) baseline; urgency=low | |||
7 | /etc/firejail/firejail.config file. | 7 | /etc/firejail/firejail.config file. |
8 | * DHCP client support | 8 | * DHCP client support |
9 | * SELinux labeling support | 9 | * SELinux labeling support |
10 | * 32-bit seccomp filter | 10 | * custom 32-bit seccomp filter support |
11 | * restrict ${RUNUSER} in serveral profiles | 11 | * restrict ${RUNUSER} in serveral profiles |
12 | * whitelist globbing | 12 | * whitelist globbing |
13 | * mkdir and mkfile support for /run/user directory | ||
13 | * new condition: HAS_NOSOUND | 14 | * new condition: HAS_NOSOUND |
14 | * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster | 15 | * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster |
15 | * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl | 16 | * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl |
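--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -25,6 +25,22 @@
 #include <sys/wait.h>
 #include <string.h>
 
+
+static void check(const char *fname) {
+	// manufacture /run/user directory
+	char *runuser;
+	if (asprintf(&runuser, "/run/user/%d/", getuid()) == -1)
+		errExit("asprintf");
+
+	if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0 &&
+	    strncmp(fname, "/tmp", 4) != 0 &&
+	    strncmp(fname, runuser, strlen(runuser)) != 0) {
+		fprintf(stderr, "Error: only files or directories in user home, /tmp, or /run/user/<UID> are supported by mkdir\n");
+		exit(1);
+	}
+	free(runuser);
+}
+
 static void mkdir_recursive(char *path) {
 	char *subdir = NULL;
 	struct stat s;
@@ -61,11 +77,7 @@ void fs_mkdir(const char *name) {
 	// check directory name
 	invalid_filename(name, 0); // no globbing
 	char *expanded = expand_macros(name);
-	if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0 &&
-	    strncmp(expanded, "/tmp", 4) != 0) {
-		fprintf(stderr, "Error: only directories in user home or /tmp are supported by mkdir\n");
-		exit(1);
-	}
+	check(expanded); // will exit if wrong path
 
 	struct stat s;
 	if (stat(expanded, &s) == 0) {
@@ -101,11 +113,7 @@ void fs_mkfile(const char *name) {
 	// check file name
 	invalid_filename(name, 0); // no globbing
 	char *expanded = expand_macros(name);
-	if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0 &&
-	    strncmp(expanded, "/tmp", 4) != 0) {
-		fprintf(stderr, "Error: only files in user home or /tmp are supported by mkfile\n");
-		exit(1);
-	}
+	check(expanded); // will exit if wrong path
 
 	struct stat s;
 	if (stat(expanded, &s) == 0) {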
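Review bot: `check()` in the first hunk tests each allowed root with a bare `strncmp` prefix, so the 4-byte `/tmp` comparison also accepts a path such as `/tmpfoo`, and `cfg.homedir` without a trailing slash accepts a sibling directory whose name merely starts with the home path; only the `/run/user/<uid>/` string carries a separator. The match should be required to end on a path-component boundary, as in the helper below, after which the condition reads `if (!under_dir(fname, cfg.homedir) && !under_dir(fname, "/tmp") && !under_dir(fname, runuser))`. Whether `..` segments are already rejected depends on `invalid_filename`, which is outside the hunk, so the prefix test should not be read as a confinement guarantee on its own. The error message hard-codes "supported by mkdir" although `fs_mkfile` (third hunk) now calls the same helper, so a rejected mkfile line reports the wrong command. The man-page hunk in this commit also writes `/run/user/<PID>` where `<UID>` is meant.
```c
// True when fname equals dir or lies below it: the prefix must end on a
// path separator, not on an arbitrary byte, so "/tmpfoo" is not "/tmp".
static int under_dir(const char *fname, const char *dir) {
	size_t len = strlen(dir);
	while (len > 1 && dir[len - 1] == '/')
		len--;
	return strncmp(fname, dir, len) == 0 &&
	       (fname[len] == '\0' || fname[len] == '/');
}

static void check(const char *fname) {
	// … unchanged: asprintf of runuser …
	if (!under_dir(fname, cfg.homedir) &&
	    !under_dir(fname, "/tmp") &&
	    !under_dir(fname, runuser)) {
		// … unchanged: error message and exit …
	}
	free(runuser);
}
```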
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 6405fd301..df2d2a2e8 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -211,7 +211,7 @@ Disable /mnt, /media, /run/mount and /run/media access. | |||
211 | /var/tmp directory is untouched. | 211 | /var/tmp directory is untouched. |
212 | .TP | 212 | .TP |
213 | \fBmkdir directory | 213 | \fBmkdir directory |
214 | Create a directory in user home or under /tmp before the sandbox is started. | 214 | Create a directory in user home, under /tmp, or under /run/user/<UID> before the sandbox is started. |
215 | The directory is created if it doesn't already exist. | 215 | The directory is created if it doesn't already exist. |
216 | .br | 216 | .br |
217 | 217 | ||
@@ -230,10 +230,18 @@ whitelist ~/.mozilla | |||
230 | mkdir ~/.cache/mozilla/firefox | 230 | mkdir ~/.cache/mozilla/firefox |
231 | .br | 231 | .br |
232 | whitelist ~/.cache/mozilla/firefox | 232 | whitelist ~/.cache/mozilla/firefox |
233 | .br | ||
234 | |||
235 | .br | ||
236 | For files in /run/user/<PID> use ${RUNUSER} macro: | ||
237 | .br | ||
238 | |||
239 | .br | ||
240 | mkdir ${RUNUSER}/firejail-testing | ||
233 | .TP | 241 | .TP |
234 | \fBmkfile file | 242 | \fBmkfile file |
235 | Similar to mkdir, this command creates a file in user home or under /tmp before the sandbox is started. | 243 | Similar to mkdir, this command creates an empty file in user home, or /tmp, or under /run/user/<UID> |
236 | The file is created if it doesn't already exist. | 244 | before the sandbox is started. The file is created if it doesn't already exist. |
237 | .TP | 245 | .TP |
238 | \fBnoexec file_or_directory | 246 | \fBnoexec file_or_directory |
239 | Remount the file or the directory noexec, nodev and nosuid. | 247 | Remount the file or the directory noexec, nodev and nosuid. |
diff --git a/test/fs/mkdir.exp b/test/fs/mkdir.exp index 8a7ac9d97..59005e1a2 100755 --- a/test/fs/mkdir.exp +++ b/test/fs/mkdir.exp | |||
@@ -17,10 +17,32 @@ expect { | |||
17 | send -- "rm -rf ~/.firejail_test\r" | 17 | send -- "rm -rf ~/.firejail_test\r" |
18 | after 100 | 18 | after 100 |
19 | 19 | ||
20 | send -- "firejail --profile=mkdir.profile find /tmp/.firejail_test\r" | ||
21 | expect { | ||
22 | timeout {puts "TESTING ERROR 2.1\n";exit} | ||
23 | "Warning: cannot create" { puts "TESTING ERROR 2.2\n";exit} | ||
24 | "No such file or directory" { puts "TESTING ERROR 2.3\n";exit} | ||
25 | "/tmp/.firejail_test/a/b/c/d.txt" | ||
26 | } | ||
27 | send -- "rm -rf /tmp/.firejail_test\r" | ||
28 | after 100 | ||
29 | |||
30 | set UID [exec id -u] | ||
31 | send -- "firejail --profile=mkdir.profile find /run/user/$UID/.firejail_test\r" | ||
32 | expect { | ||
33 | timeout {puts "TESTING ERROR 3.1\n";exit} | ||
34 | "Warning: cannot create" { puts "TESTING ERROR 3.2\n";exit} | ||
35 | "No such file or directory" { puts "TESTING ERROR 3.3\n";exit} | ||
36 | "/run/user/$UID/.firejail_test/a/b/c/d.txt" | ||
37 | } | ||
38 | send -- "rm -rf /run/user/$UID/.firejail_test\r" | ||
39 | after 100 | ||
40 | |||
41 | |||
20 | send -- "firejail --profile=mkdir2.profile\r" | 42 | send -- "firejail --profile=mkdir2.profile\r" |
21 | expect { | 43 | expect { |
22 | timeout {puts "TESTING ERROR 2\n";exit} | 44 | timeout {puts "TESTING ERROR 4\n";exit} |
23 | "only directories in user home or /tmp" | 45 | "only files or directories in user home, /tmp, or /run/user/<UID>" |
24 | } | 46 | } |
25 | after 100 | 47 | after 100 |
26 | 48 | ||
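Review bot: The new /run/user case (new lines 30-39) assumes `/run/user/$UID` already exists on the test host; on a machine with no session directory for that user the `find` would reach the `No such file or directory` branch and report TESTING ERROR 3.3 for an environment condition rather than a regression. Wrapping that block in `if {[file isdirectory /run/user/$UID]} { ... } else { puts "skipping /run/user test" }` would keep a failure attributable to the code under test. Whether firejail itself creates a missing `/run/user/$UID` cannot be told from this hunk.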
diff --git a/test/fs/mkdir.profile b/test/fs/mkdir.profile index 61b44c9ac..35c27c872 100644 --- a/test/fs/mkdir.profile +++ b/test/fs/mkdir.profile | |||
@@ -1,2 +1,6 @@ | |||
1 | mkdir ~/.firejail_test/a/b/c | 1 | mkdir ~/.firejail_test/a/b/c |
2 | mkfile ~/.firejail_test/a/b/c/d.txt | 2 | mkfile ~/.firejail_test/a/b/c/d.txt |
3 | mkdir /tmp/.firejail_test/a/b/c | ||
4 | mkfile /tmp/.firejail_test/a/b/c/d.txt | ||
5 | mkdir ${RUNUSER}/.firejail_test/a/b/c | ||
6 | mkfile ${RUNUSER}/.firejail_test/a/b/c/d.txt | ||