-rw-r--r-- | src/firejail/appimage.c | 6 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs.c | 29 | ||||
-rw-r--r-- | src/firejail/fs_home.c | 17 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 55 | ||||
-rw-r--r-- | src/firejail/preproc.c | 24 | ||||
-rw-r--r-- | src/firejail/pulseaudio.c | 18 | ||||
-rw-r--r-- | src/firejail/restrict_users.c | 6 | ||||
-rw-r--r-- | src/firejail/util.c | 23 | ||||
-rw-r--r-- | src/firejail/x11.c | 24 |
10 files changed, 73 insertions, 130 deletions
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index 176326a2b..96c054048 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c | |||
@@ -98,10 +98,8 @@ void appimage_set(const char *appimage_path) { | |||
98 | fprintf(stderr, "Error: cannot create appimage mount point\n"); | 98 | fprintf(stderr, "Error: cannot create appimage mount point\n"); |
99 | exit(1); | 99 | exit(1); |
100 | } | 100 | } |
101 | if (chmod(mntdir, 0700) == -1) | 101 | if (set_perms(mntdir, getuid(), getgid(), 0700)) |
102 | errExit("chmod"); | 102 | errExit("set_perms"); |
103 | if (chown(mntdir, getuid(), getgid()) == -1) | ||
104 | errExit("chown"); | ||
105 | EUID_USER(); | 103 | EUID_USER(); |
106 | ASSERT_PERMS(mntdir, getuid(), getgid(), 0700); | 104 | ASSERT_PERMS(mntdir, getuid(), getgid(), 0700); |
107 | 105 | ||
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 435405fd9..282271a64 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -460,6 +460,7 @@ int remove_directory(const char *path); | |||
460 | void flush_stdin(void); | 460 | void flush_stdin(void); |
461 | void create_empty_dir_as_root(const char *dir, mode_t mode); | 461 | void create_empty_dir_as_root(const char *dir, mode_t mode); |
462 | void create_empty_file_as_root(const char *dir, mode_t mode); | 462 | void create_empty_file_as_root(const char *dir, mode_t mode); |
463 | int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode); | ||
463 | 464 | ||
464 | // fs_var.c | 465 | // fs_var.c |
465 | void fs_var_log(void); // mounting /var/log | 466 | void fs_var_log(void); // mounting /var/log |
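Review bot: The new `set_perms` prototype has no comment, and its return convention (util.c says `// return 1 if error`) differs from the `-1` returned by the chmod()/chown() calls it replaces, so a future caller written as `set_perms(...) == -1` or `< 0` would silently ignore failures. I would document it at the declaration, for example `// chmod then chown fname by path (follows symlinks); returns 0 on success, 1 on error with errno left by the failing call`. Every call site in this commit tests the result for truthiness, so nothing is broken today.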
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 65b0773ca..3a2fd8c38 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -273,11 +273,8 @@ void fs_blacklist(void) { | |||
273 | if (mount(dname1, dname2, NULL, MS_BIND|MS_REC, NULL) < 0) | 273 | if (mount(dname1, dname2, NULL, MS_BIND|MS_REC, NULL) < 0) |
274 | errExit("mount bind"); | 274 | errExit("mount bind"); |
275 | /* coverity[toctou] */ | 275 | /* coverity[toctou] */ |
276 | if (chown(dname2, s.st_uid, s.st_gid) == -1) | 276 | if (set_perms(dname2, s.st_uid, s.st_gid,s.st_mode)) |
277 | errExit("mount-bind chown"); | 277 | errExit("set_perms"); |
278 | /* coverity[toctou] */ | ||
279 | if (chmod(dname2, s.st_mode) == -1) | ||
280 | errExit("mount-bind chmod"); | ||
281 | 278 | ||
282 | entry = entry->next; | 279 | entry = entry->next; |
283 | continue; | 280 | continue; |
@@ -773,10 +770,8 @@ void fs_overlayfs(void) { | |||
773 | errExit("mkdir"); | 770 | errExit("mkdir"); |
774 | } | 771 | } |
775 | 772 | ||
776 | if (chown(odiff, 0, 0) < 0) | 773 | if (set_perms(odiff, 0, 0, 0755)) |
777 | errExit("chown"); | 774 | errExit("set_perms"); |
778 | if (chmod(odiff, 0755) < 0) | ||
779 | errExit("chmod"); | ||
780 | 775 | ||
781 | char *owork; | 776 | char *owork; |
782 | if(asprintf(&owork, "%s/owork", basedir) == -1) | 777 | if(asprintf(&owork, "%s/owork", basedir) == -1) |
@@ -788,10 +783,8 @@ void fs_overlayfs(void) { | |||
788 | errExit("mkdir"); | 783 | errExit("mkdir"); |
789 | } | 784 | } |
790 | 785 | ||
791 | if (chown(owork, 0, 0) < 0) | 786 | if (set_perms(owork, 0, 0, 0755)) |
792 | errExit("chown"); | 787 | errExit("chown"); |
793 | if (chmod(owork, 0755) < 0) | ||
794 | errExit("chmod"); | ||
795 | 788 | ||
796 | // mount overlayfs | 789 | // mount overlayfs |
797 | if (arg_debug) | 790 | if (arg_debug) |
@@ -850,10 +843,8 @@ void fs_overlayfs(void) { | |||
850 | errExit("mkdir"); | 843 | errExit("mkdir"); |
851 | } | 844 | } |
852 | 845 | ||
853 | if (chown(hdiff, 0, 0) < 0) | 846 | if (set_perms(hdiff, 0, 0, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH)) |
854 | errExit("chown"); | 847 | errExit("set_perms"); |
855 | if (chmod(hdiff, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0) | ||
856 | errExit("chmod"); | ||
857 | 848 | ||
858 | if(asprintf(&hwork, "%s/hwork", basedir) == -1) | 849 | if(asprintf(&hwork, "%s/hwork", basedir) == -1) |
859 | errExit("asprintf"); | 850 | errExit("asprintf"); |
@@ -864,10 +855,8 @@ void fs_overlayfs(void) { | |||
864 | errExit("mkdir"); | 855 | errExit("mkdir"); |
865 | } | 856 | } |
866 | 857 | ||
867 | if (chown(hwork, 0, 0) < 0) | 858 | if (set_perms(hwork, 0, 0, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH)) |
868 | errExit("chown"); | 859 | errExit("set_perms"); |
869 | if (chmod(hwork, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0) | ||
870 | errExit("chmod"); | ||
871 | 860 | ||
872 | // no homedir in overlay so now mount another overlay for /home | 861 | // no homedir in overlay so now mount another overlay for /home |
873 | if (asprintf(&option, "lowerdir=/home,upperdir=%s,workdir=%s", hdiff, hwork) == -1) | 862 | if (asprintf(&option, "lowerdir=/home,upperdir=%s,workdir=%s", hdiff, hwork) == -1) |
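Review bot: In fs_blacklist, and likewise in sanitize_home (restrict_users.c), the removed code ran chown() before chmod(), but `set_perms` runs chmod() first, so the mode copied from `s.st_mode` is now applied before the ownership change. On Linux chown() can clear set-user-ID/set-group-ID bits on non-directories, so such bits may no longer survive at call sites that restore a stat'ed mode; doing the chown() first inside `set_perms` would keep the earlier behaviour for them. Separately, the `owork` call in fs_overlayfs still reports `errExit("chown")` while every other converted site uses `errExit("set_perms")`. All of these functions extend beyond the hunks shown.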
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index a2532c367..91fbe592a 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -398,15 +398,8 @@ int fs_copydir(const char *path, const struct stat *st, int ftype, struct FTW *s | |||
398 | else if (ftype == FTW_D) { | 398 | else if (ftype == FTW_D) { |
399 | if (mkdir(dest, s.st_mode) == -1) | 399 | if (mkdir(dest, s.st_mode) == -1) |
400 | errExit("mkdir"); | 400 | errExit("mkdir"); |
401 | if (chmod(dest, s.st_mode) < 0) { | 401 | if (set_perms(dest, firejail_uid, firejail_gid, s.st_mode)) |
402 | fprintf(stderr, "Error: cannot change mode for %s\n", path); | 402 | errExit("set_perms"); |
403 | exit(1); | ||
404 | } | ||
405 | if (chown(dest, firejail_uid, firejail_gid) < 0) { | ||
406 | fprintf(stderr, "Error: cannot change ownership for %s\n", path); | ||
407 | exit(1); | ||
408 | } | ||
409 | |||
410 | #if 0 | 403 | #if 0 |
411 | struct stat s2; | 404 | struct stat s2; |
412 | if (stat(dest, &s2) == 0) { | 405 | if (stat(dest, &s2) == 0) { |
@@ -590,10 +583,8 @@ void fs_private_home_list(void) { | |||
590 | int rv = mkdir(RUN_HOME_DIR, 0755); | 583 | int rv = mkdir(RUN_HOME_DIR, 0755); |
591 | if (rv == -1) | 584 | if (rv == -1) |
592 | errExit("mkdir"); | 585 | errExit("mkdir"); |
593 | if (chown(RUN_HOME_DIR, u, g) < 0) | 586 | if (set_perms(RUN_HOME_DIR, u, g, 0755)) |
594 | errExit("chown"); | 587 | errExit("set_perms"); |
595 | if (chmod(RUN_HOME_DIR, 0755) < 0) | ||
596 | errExit("chmod"); | ||
597 | ASSERT_PERMS(RUN_HOME_DIR, u, g, 0755); | 588 | ASSERT_PERMS(RUN_HOME_DIR, u, g, 0755); |
598 | 589 | ||
599 | fs_logger_print(); // save the current log | 590 | fs_logger_print(); // save the current log |
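Review bot: The converted directory branch in fs_copydir now fails with `errExit("set_perms")`, which drops the file name that the removed `fprintf` calls printed, so as far as the visible code shows a failure in the middle of a recursive copy no longer says which entry was involved. Keeping a line such as `fprintf(stderr, "Error: cannot set permissions for %s\n", dest);` before exiting would preserve that diagnostic. fs_copydir starts and ends outside the hunk.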
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 9cd8f7681..9d8021219 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -157,10 +157,8 @@ static int mkpath(const char* path, mode_t mode) { | |||
157 | } | 157 | } |
158 | } | 158 | } |
159 | else { | 159 | else { |
160 | if (chmod(file_path, mode) == -1) | 160 | if (set_perms(file_path, uid, gid, mode)) |
161 | errExit("chmod"); | 161 | errExit("set_perms"); |
162 | if (chown(file_path, uid, gid) == -1) | ||
163 | errExit("chown"); | ||
164 | done = 1; | 162 | done = 1; |
165 | } | 163 | } |
166 | 164 | ||
@@ -535,11 +533,8 @@ void fs_whitelist(void) { | |||
535 | int rv = mkdir(RUN_WHITELIST_HOME_USER_DIR, 0755); | 533 | int rv = mkdir(RUN_WHITELIST_HOME_USER_DIR, 0755); |
536 | if (rv == -1) | 534 | if (rv == -1) |
537 | errExit("mkdir"); | 535 | errExit("mkdir"); |
538 | if (chown(RUN_WHITELIST_HOME_USER_DIR, getuid(), getgid()) < 0) | 536 | if (set_perms(RUN_WHITELIST_HOME_USER_DIR, getuid(), getgid(), 0755)) |
539 | errExit("chown"); | 537 | errExit("set_perms"); |
540 | if (chmod(RUN_WHITELIST_HOME_USER_DIR, 0755) < 0) | ||
541 | errExit("chmod"); | ||
542 | |||
543 | if (mount(cfg.homedir, RUN_WHITELIST_HOME_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 538 | if (mount(cfg.homedir, RUN_WHITELIST_HOME_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
544 | errExit("mount bind"); | 539 | errExit("mount bind"); |
545 | 540 | ||
@@ -553,10 +548,8 @@ void fs_whitelist(void) { | |||
553 | int rv = mkdir(RUN_WHITELIST_TMP_DIR, 1777); | 548 | int rv = mkdir(RUN_WHITELIST_TMP_DIR, 1777); |
554 | if (rv == -1) | 549 | if (rv == -1) |
555 | errExit("mkdir"); | 550 | errExit("mkdir"); |
556 | if (chown(RUN_WHITELIST_TMP_DIR, 0, 0) < 0) | 551 | if (set_perms(RUN_WHITELIST_TMP_DIR, 0, 0, 1777)) |
557 | errExit("chown"); | 552 | errExit("set_perms"); |
558 | if (chmod(RUN_WHITELIST_TMP_DIR, 1777) < 0) | ||
559 | errExit("chmod"); | ||
560 | 553 | ||
561 | if (mount("/tmp", RUN_WHITELIST_TMP_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 554 | if (mount("/tmp", RUN_WHITELIST_TMP_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
562 | errExit("mount bind"); | 555 | errExit("mount bind"); |
@@ -578,10 +571,8 @@ void fs_whitelist(void) { | |||
578 | int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, 0755); | 571 | int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, 0755); |
579 | if (rv == -1) | 572 | if (rv == -1) |
580 | errExit("mkdir"); | 573 | errExit("mkdir"); |
581 | if (chown(RUN_WHITELIST_MEDIA_DIR, 0, 0) < 0) | 574 | if (set_perms(RUN_WHITELIST_MEDIA_DIR, 0, 0, 0755)) |
582 | errExit("chown"); | 575 | errExit("set_perms"); |
583 | if (chmod(RUN_WHITELIST_MEDIA_DIR, 0755) < 0) | ||
584 | errExit("chmod"); | ||
585 | 576 | ||
586 | if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 577 | if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
587 | errExit("mount bind"); | 578 | errExit("mount bind"); |
@@ -606,10 +597,8 @@ void fs_whitelist(void) { | |||
606 | int rv = mkdir(RUN_WHITELIST_MNT_DIR, 0755); | 597 | int rv = mkdir(RUN_WHITELIST_MNT_DIR, 0755); |
607 | if (rv == -1) | 598 | if (rv == -1) |
608 | errExit("mkdir"); | 599 | errExit("mkdir"); |
609 | if (chown(RUN_WHITELIST_MNT_DIR, 0, 0) < 0) | 600 | if (set_perms(RUN_WHITELIST_MNT_DIR, 0, 0, 0755)) |
610 | errExit("chown"); | 601 | errExit("set_perms"); |
611 | if (chmod(RUN_WHITELIST_MNT_DIR, 0755) < 0) | ||
612 | errExit("chmod"); | ||
613 | 602 | ||
614 | if (mount("/mnt", RUN_WHITELIST_MNT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 603 | if (mount("/mnt", RUN_WHITELIST_MNT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
615 | errExit("mount bind"); | 604 | errExit("mount bind"); |
@@ -632,10 +621,8 @@ void fs_whitelist(void) { | |||
632 | int rv = mkdir(RUN_WHITELIST_VAR_DIR, 0755); | 621 | int rv = mkdir(RUN_WHITELIST_VAR_DIR, 0755); |
633 | if (rv == -1) | 622 | if (rv == -1) |
634 | errExit("mkdir"); | 623 | errExit("mkdir"); |
635 | if (chown(RUN_WHITELIST_VAR_DIR, 0, 0) < 0) | 624 | if (set_perms(RUN_WHITELIST_VAR_DIR, 0, 0, 0755)) |
636 | errExit("chown"); | 625 | errExit("set_perms"); |
637 | if (chmod(RUN_WHITELIST_VAR_DIR, 0755) < 0) | ||
638 | errExit("chmod"); | ||
639 | 626 | ||
640 | if (mount("/var", RUN_WHITELIST_VAR_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 627 | if (mount("/var", RUN_WHITELIST_VAR_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
641 | errExit("mount bind"); | 628 | errExit("mount bind"); |
@@ -654,10 +641,8 @@ void fs_whitelist(void) { | |||
654 | int rv = mkdir(RUN_WHITELIST_DEV_DIR, 0755); | 641 | int rv = mkdir(RUN_WHITELIST_DEV_DIR, 0755); |
655 | if (rv == -1) | 642 | if (rv == -1) |
656 | errExit("mkdir"); | 643 | errExit("mkdir"); |
657 | if (chown(RUN_WHITELIST_DEV_DIR, 0, 0) < 0) | 644 | if (set_perms(RUN_WHITELIST_DEV_DIR, 0, 0, 0755)) |
658 | errExit("chown"); | 645 | errExit("set_perms"); |
659 | if (chmod(RUN_WHITELIST_DEV_DIR, 0755) < 0) | ||
660 | errExit("chmod"); | ||
661 | 646 | ||
662 | if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC, "mode=755,gid=0") < 0) | 647 | if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC, "mode=755,gid=0") < 0) |
663 | errExit("mount bind"); | 648 | errExit("mount bind"); |
@@ -676,10 +661,8 @@ void fs_whitelist(void) { | |||
676 | int rv = mkdir(RUN_WHITELIST_OPT_DIR, 0755); | 661 | int rv = mkdir(RUN_WHITELIST_OPT_DIR, 0755); |
677 | if (rv == -1) | 662 | if (rv == -1) |
678 | errExit("mkdir"); | 663 | errExit("mkdir"); |
679 | if (chown(RUN_WHITELIST_OPT_DIR, 0, 0) < 0) | 664 | if (set_perms(RUN_WHITELIST_OPT_DIR, 0, 0, 0755)) |
680 | errExit("chown"); | 665 | errExit("set_perms"); |
681 | if (chmod(RUN_WHITELIST_OPT_DIR, 0755) < 0) | ||
682 | errExit("chmod"); | ||
683 | 666 | ||
684 | if (mount("/opt", RUN_WHITELIST_OPT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 667 | if (mount("/opt", RUN_WHITELIST_OPT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
685 | errExit("mount bind"); | 668 | errExit("mount bind"); |
@@ -701,10 +684,8 @@ void fs_whitelist(void) { | |||
701 | int rv = mkdir(RUN_WHITELIST_SRV_DIR, 0755); | 684 | int rv = mkdir(RUN_WHITELIST_SRV_DIR, 0755); |
702 | if (rv == -1) | 685 | if (rv == -1) |
703 | errExit("mkdir"); | 686 | errExit("mkdir"); |
704 | if (chown(RUN_WHITELIST_SRV_DIR, 0, 0) < 0) | 687 | if (set_perms(RUN_WHITELIST_SRV_DIR, 0, 0, 0755)) |
705 | errExit("chown"); | 688 | errExit("set_perms"); |
706 | if (chmod(RUN_WHITELIST_SRV_DIR, 0755) < 0) | ||
707 | errExit("chmod"); | ||
708 | 689 | ||
709 | if (mount("/srv", RUN_WHITELIST_SRV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 690 | if (mount("/srv", RUN_WHITELIST_SRV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
710 | errExit("mount bind"); | 691 | errExit("mount bind"); |
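Review bot: `set_perms(RUN_WHITELIST_TMP_DIR, 0, 0, 1777)` and the `mkdir(RUN_WHITELIST_TMP_DIR, 1777)` above it pass a decimal literal: 1777 decimal is 03361 octal, that is setgid plus sticky over `-wxrw---x`, not the world-writable sticky mode 01777 that a /tmp stand-in normally carries. The commit carries the value over from the removed chmod() line, and the same literal appears in fs_x11 (x11.c) for RUN_WHITELIST_X11_DIR. I would change both arguments at both sites to `01777`. The directories are presumably covered by the bind mounts that follow, which would limit the visible effect, but the mount points themselves end up with unintended bits.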
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index 2873571a9..fe5f2eb44 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c | |||
@@ -78,31 +78,23 @@ void preproc_mount_mnt_dir(void) { | |||
78 | // create all seccomp files | 78 | // create all seccomp files |
79 | // as root, create RUN_SECCOMP_I386 file | 79 | // as root, create RUN_SECCOMP_I386 file |
80 | create_empty_file_as_root(RUN_SECCOMP_I386, 0644); | 80 | create_empty_file_as_root(RUN_SECCOMP_I386, 0644); |
81 | if (chown(RUN_SECCOMP_I386, getuid(), getgid()) == -1) | 81 | if (set_perms(RUN_SECCOMP_I386, getuid(), getgid(), 0644)) |
82 | errExit("chown"); | 82 | errExit("set_perms"); |
83 | if (chmod(RUN_SECCOMP_I386, 0644) == -1) | ||
84 | errExit("chmod"); | ||
85 | 83 | ||
86 | // as root, create RUN_SECCOMP_AMD64 file | 84 | // as root, create RUN_SECCOMP_AMD64 file |
87 | create_empty_file_as_root(RUN_SECCOMP_AMD64, 0644); | 85 | create_empty_file_as_root(RUN_SECCOMP_AMD64, 0644); |
88 | if (chown(RUN_SECCOMP_AMD64, getuid(), getgid()) == -1) | 86 | if (set_perms(RUN_SECCOMP_AMD64, getuid(), getgid(), 0644)) |
89 | errExit("chown"); | 87 | errExit("set_perms"); |
90 | if (chmod(RUN_SECCOMP_AMD64, 0644) == -1) | ||
91 | errExit("chmod"); | ||
92 | 88 | ||
93 | // as root, create RUN_SECCOMP file | 89 | // as root, create RUN_SECCOMP file |
94 | create_empty_file_as_root(RUN_SECCOMP_CFG, 0644); | 90 | create_empty_file_as_root(RUN_SECCOMP_CFG, 0644); |
95 | if (chown(RUN_SECCOMP_CFG, getuid(), getgid()) == -1) | 91 | if (set_perms(RUN_SECCOMP_CFG, getuid(), getgid(), 0644)) |
96 | errExit("chown"); | 92 | errExit("set_perms"); |
97 | if (chmod(RUN_SECCOMP_CFG, 0644) == -1) | ||
98 | errExit("chmod"); | ||
99 | 93 | ||
100 | // as root, create RUN_SECCOMP_PROTOCOL file | 94 | // as root, create RUN_SECCOMP_PROTOCOL file |
101 | create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644); | 95 | create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644); |
102 | if (chown(RUN_SECCOMP_PROTOCOL, getuid(), getgid()) == -1) | 96 | if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644)) |
103 | errExit("chown"); | 97 | errExit("set_perms"); |
104 | if (chmod(RUN_SECCOMP_PROTOCOL, 0644) == -1) | ||
105 | errExit("chmod"); | ||
106 | } | 98 | } |
107 | } | 99 | } |
108 | 100 | ||
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index e1a58c1c8..c76505591 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c | |||
@@ -106,10 +106,8 @@ void pulseaudio_init(void) { | |||
106 | // create the new user pulseaudio directory | 106 | // create the new user pulseaudio directory |
107 | int rv = mkdir(RUN_PULSE_DIR, 0700); | 107 | int rv = mkdir(RUN_PULSE_DIR, 0700); |
108 | (void) rv; // in --chroot mode the directory can already be there | 108 | (void) rv; // in --chroot mode the directory can already be there |
109 | if (chown(RUN_PULSE_DIR, getuid(), getgid()) < 0) | 109 | if (set_perms(RUN_PULSE_DIR, getuid(), getgid(), 0700)) |
110 | errExit("chown"); | 110 | errExit("set_perms"); |
111 | if (chmod(RUN_PULSE_DIR, 0700) < 0) | ||
112 | errExit("chmod"); | ||
113 | 111 | ||
114 | // create the new client.conf file | 112 | // create the new client.conf file |
115 | char *pulsecfg = NULL; | 113 | char *pulsecfg = NULL; |
@@ -131,10 +129,8 @@ void pulseaudio_init(void) { | |||
131 | if (stat(dir1, &s) == -1) { | 129 | if (stat(dir1, &s) == -1) { |
132 | int rv = mkdir(dir1, 0755); | 130 | int rv = mkdir(dir1, 0755); |
133 | if (rv == 0) { | 131 | if (rv == 0) { |
134 | rv = chown(dir1, getuid(), getgid()); | 132 | if (set_perms(dir1, getuid(), getgid(), 0755)) |
135 | (void) rv; | 133 | ; // do nothing |
136 | rv = chmod(dir1, 0755); | ||
137 | (void) rv; | ||
138 | } | 134 | } |
139 | } | 135 | } |
140 | free(dir1); | 136 | free(dir1); |
@@ -143,10 +139,8 @@ void pulseaudio_init(void) { | |||
143 | if (stat(dir1, &s) == -1) { | 139 | if (stat(dir1, &s) == -1) { |
144 | int rv = mkdir(dir1, 0700); | 140 | int rv = mkdir(dir1, 0700); |
145 | if (rv == 0) { | 141 | if (rv == 0) { |
146 | rv = chown(dir1, getuid(), getgid()); | 142 | if (set_perms(dir1, getuid(), getgid(), 0700)) |
147 | (void) rv; | 143 | ; // do nothing |
148 | rv = chmod(dir1, 0700); | ||
149 | (void) rv; | ||
150 | } | 144 | } |
151 | } | 145 | } |
152 | free(dir1); | 146 | free(dir1); |
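Review bot: The two `if (set_perms(dir1, ...)) ; // do nothing` statements in pulseaudio_init use an empty `if` body to discard the result, which is easy to misread and draws an empty-body warning under GCC's `-Wextra`. `(void) set_perms(dir1, getuid(), getgid(), 0755);` (and the 0700 variant) says the same thing directly, ideally with a short comment on why a failure is tolerated for these directories. pulseaudio_init extends beyond the hunks.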
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index 57e84e5cc..393851148 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c | |||
@@ -95,10 +95,8 @@ static void sanitize_home(void) { | |||
95 | fs_logger2("mkdir", cfg.homedir); | 95 | fs_logger2("mkdir", cfg.homedir); |
96 | 96 | ||
97 | // set mode and ownership | 97 | // set mode and ownership |
98 | if (chown(cfg.homedir, s.st_uid, s.st_gid) == -1) | 98 | if (set_perms(cfg.homedir, s.st_uid, s.st_gid, s.st_mode)) |
99 | errExit("chown"); | 99 | errExit("set_perms"); |
100 | if (chmod(cfg.homedir, s.st_mode) == -1) | ||
101 | errExit("chmod"); | ||
102 | 100 | ||
103 | // mount user home directory | 101 | // mount user home directory |
104 | if (mount(RUN_WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0) | 102 | if (mount(RUN_WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0) |
diff --git a/src/firejail/util.c b/src/firejail/util.c index a7712441e..3424d8ab6 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -100,10 +100,8 @@ int mkpath_as_root(const char* path) { | |||
100 | } | 100 | } |
101 | } | 101 | } |
102 | else { | 102 | else { |
103 | if (chmod(file_path, 0755) == -1) | 103 | if (set_perms(file_path, 0, 0, 0755)) |
104 | errExit("chmod"); | 104 | errExit("set_perms"); |
105 | if (chown(file_path, 0, 0) == -1) | ||
106 | errExit("chown"); | ||
107 | done = 1; | 105 | done = 1; |
108 | } | 106 | } |
109 | 107 | ||
@@ -699,10 +697,8 @@ void create_empty_dir_as_root(const char *dir, mode_t mode) { | |||
699 | printf("Creating empty %s directory\n", dir); | 697 | printf("Creating empty %s directory\n", dir); |
700 | if (mkdir(dir, mode) == -1) | 698 | if (mkdir(dir, mode) == -1) |
701 | errExit("mkdir"); | 699 | errExit("mkdir"); |
702 | if (chmod(dir, mode) == -1) | 700 | if (set_perms(dir, 0, 0, mode)) |
703 | errExit("chmod"); | 701 | errExit("set_perms"); |
704 | if (chown(dir, 0, 0) == -1) | ||
705 | errExit("chown"); | ||
706 | ASSERT_PERMS(dir, 0, 0, mode); | 702 | ASSERT_PERMS(dir, 0, 0, mode); |
707 | } | 703 | } |
708 | } | 704 | } |
@@ -725,3 +721,14 @@ void create_empty_file_as_root(const char *fname, mode_t mode) { | |||
725 | } | 721 | } |
726 | } | 722 | } |
727 | 723 | ||
724 | // return 1 if error | ||
725 | int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode) { | ||
726 | assert(fname); | ||
727 | if (chmod(fname, mode) == -1) | ||
728 | return 1; | ||
729 | if (chown(fname, uid, gid) == -1) | ||
730 | return 1; | ||
731 | return 0; | ||
732 | } | ||
733 | |||
734 | |||
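Review bot: `set_perms` resolves `fname` twice by path and both chmod() and chown() follow symlinks, so every converted call site inherits the check-then-use window that the `/* coverity[toctou] */` annotation in fs.c already acknowledges; this matters if any path passed in lives in a directory the unprivileged user can write to. Since the helper is now the single place where this happens, I would open the file once with O_NOFOLLOW and apply fchown()/fchmod() to the descriptor, so both changes land on the same inode. Whether every caller tolerates a symlink being refused needs checking, O_NOFOLLOW only covers the final path component, and util.c needs `<fcntl.h>` if it does not already include it. The sketch also sets ownership before mode, so set-ID bits in a restored mode are not cleared by the ownership change.
```c
// return 1 if error
int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode) {
	assert(fname);
	// one descriptor, so owner and mode are applied to the same inode;
	// O_NOFOLLOW refuses a symlink as the final path component
	int fd = open(fname, O_RDONLY|O_NOFOLLOW|O_NONBLOCK|O_CLOEXEC);
	if (fd == -1)
		return 1;
	int rv = 0;
	if (fchown(fd, uid, gid) == -1 || fchmod(fd, mode) == -1)
		rv = 1;
	int saved_errno = errno;	// keep the failing call's errno for the caller's report
	close(fd);
	errno = saved_errno;
	return rv;
}
```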
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 2b1121958..9da6d3e30 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
@@ -137,10 +137,8 @@ void fs_x11(void) { | |||
137 | int rv = mkdir(RUN_WHITELIST_X11_DIR, 1777); | 137 | int rv = mkdir(RUN_WHITELIST_X11_DIR, 1777); |
138 | if (rv == -1) | 138 | if (rv == -1) |
139 | errExit("mkdir"); | 139 | errExit("mkdir"); |
140 | if (chown(RUN_WHITELIST_X11_DIR, 0, 0) < 0) | 140 | if (set_perms(RUN_WHITELIST_X11_DIR, 0, 0, 1777)) |
141 | errExit("chown"); | 141 | errExit("set_perms"); |
142 | if (chmod(RUN_WHITELIST_X11_DIR, 1777) < 0) | ||
143 | errExit("chmod"); | ||
144 | 142 | ||
145 | if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 143 | if (mount("/tmp/.X11-unix", RUN_WHITELIST_X11_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
146 | errExit("mount bind"); | 144 | errExit("mount bind"); |
@@ -706,10 +704,8 @@ void x11_xorg(void) { | |||
706 | fprintf(stderr, "Error: cannot create the new .Xauthority file\n"); | 704 | fprintf(stderr, "Error: cannot create the new .Xauthority file\n"); |
707 | exit(1); | 705 | exit(1); |
708 | } | 706 | } |
709 | if (chown(tmpfname, getuid(), getgid()) == -1) | 707 | if (set_perms(tmpfname, getuid(), getgid(), 0600)) |
710 | errExit("chown"); | 708 | errExit("set_perms"); |
711 | if (chmod(tmpfname, 0600) == -1) | ||
712 | errExit("chmod"); | ||
713 | 709 | ||
714 | // move the temporary file in RUN_XAUTHORITY_SEC_FILE in order to have it deleted | 710 | // move the temporary file in RUN_XAUTHORITY_SEC_FILE in order to have it deleted |
715 | // automatically when the sandbox is closed | 711 | // automatically when the sandbox is closed |
@@ -717,10 +713,8 @@ void x11_xorg(void) { | |||
717 | fprintf(stderr, "Error: cannot create the new .Xauthority file\n"); | 713 | fprintf(stderr, "Error: cannot create the new .Xauthority file\n"); |
718 | exit(1); | 714 | exit(1); |
719 | } | 715 | } |
720 | if (chown(RUN_XAUTHORITY_SEC_FILE, getuid(), getgid()) == -1) | 716 | if (set_perms(RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600)) |
721 | errExit("chown"); | 717 | errExit("set_perms"); |
722 | if (chmod(RUN_XAUTHORITY_SEC_FILE, 0600) == -1) | ||
723 | errExit("chmod"); | ||
724 | unlink(tmpfname); | 718 | unlink(tmpfname); |
725 | 719 | ||
726 | // mount | 720 | // mount |
@@ -728,10 +722,8 @@ void x11_xorg(void) { | |||
728 | fprintf(stderr, "Error: cannot mount the new .Xauthority file\n"); | 722 | fprintf(stderr, "Error: cannot mount the new .Xauthority file\n"); |
729 | exit(1); | 723 | exit(1); |
730 | } | 724 | } |
731 | if (chown(dest, getuid(), getgid()) == -1) | 725 | if (set_perms(dest, getuid(), getgid(), 0600)) |
732 | errExit("chown"); | 726 | errExit("set_perms"); |
733 | if (chmod(dest, 0600) == -1) | ||
734 | errExit("chmod"); | ||
735 | free(dest); | 727 | free(dest); |
736 | #endif | 728 | #endif |
737 | } | 729 | } |