-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 5 | ||||
-rw-r--r-- | src/firejail/preproc.c | 7 | ||||
-rw-r--r-- | src/firejail/run_files.c | 20 |
4 files changed, 20 insertions, 14 deletions
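--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -908,7 +908,7 @@ void set_name_run_file(pid_t pid);
 void set_x11_run_file(pid_t pid, int display);
 void set_profile_run_file(pid_t pid, const char *fname);
 void set_sandbox_run_file(pid_t pid, pid_t child);
-void release_sandbox_run_file_lock(void);
+void release_sandbox_lock(void);
 
 // dbus.c
 int dbus_check_name(const char *name);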
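--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -190,8 +190,6 @@ static void myexit(int rv) {
 }
 
 static void my_handler(int s) {
-release_sandbox_run_file_lock();
-
 fmessage("\nParent received signal %d, shutting down the child process...\n", s);
 logsignal(s);
 
@@ -204,6 +202,7 @@ static void my_handler(int s) {
 kill(child, SIGKILL);
 waitpid(child, NULL, 0);
 }
+release_sandbox_lock();
 myexit(128 + s);
 }
 
@@ -3223,7 +3222,7 @@ int main(int argc, char **argv, char **envp) {
 // end of signal-safe code
 //*****************************
 
-release_sandbox_run_file_lock();
+release_sandbox_lock();
 
 if (WIFEXITED(status)){
 myexit(WEXITSTATUS(status));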
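Review bot: `my_handler` calls `release_sandbox_lock()` unconditionally at its end, but that function asserts `sandbox_lock_fd > -1` (run_files.c), and `main()` releases the same lock right after the signal-safe region. A signal delivered after that release, or before `set_sandbox_run_file()` has stored the descriptor, would trip the assert and abort inside the handler instead of reaching `myexit(128 + s)`. Whether the handler can still run at those points is not visible in these hunks. Making the release idempotent, with `if (sandbox_lock_fd < 0) return;` in place of the assert, would remove the dependency on call order. The body of `my_handler` is split across two hunks and the lines between them are not shown.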
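--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -27,8 +27,13 @@ static int tmpfs_mounted = 0;
 
 // build /run/firejail directory
 void preproc_build_firejail_dir(void) {
+struct stat s;
+
 // CentOS 6 doesn't have /run directory
-create_empty_dir_as_root(RUN_FIREJAIL_BASEDIR, 0755);
+if (stat(RUN_FIREJAIL_BASEDIR, &s)) {
+create_empty_dir_as_root(RUN_FIREJAIL_BASEDIR, 0755);
+}
+
 create_empty_dir_as_root(RUN_FIREJAIL_DIR, 0755);
 create_empty_dir_as_root(RUN_FIREJAIL_NETWORK_DIR, 0755);
 create_empty_dir_as_root(RUN_FIREJAIL_BANDWIDTH_DIR, 0755);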
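Review bot: The new `if (stat(RUN_FIREJAIL_BASEDIR, &s))` guard accepts whatever already exists at that path, and treats every stat() failure, not only ENOENT, as "directory missing". When stat() succeeds, nothing checks that the entry is a directory owned by root before the privileged subdirectories are created beneath it. Any validation `create_empty_dir_as_root` did on an existing path is now skipped for the base directory, though what it verified is not visible here. Consider adding `else if (!S_ISDIR(s.st_mode) || s.st_uid != 0)` with an error exit, and testing `errno == ENOENT` on the failure branch. The body of `preproc_build_firejail_dir` continues past the end of the hunk.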
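--- a/src/firejail/run_files.c
+++ b/src/firejail/run_files.c
@@ -164,7 +164,7 @@ void set_profile_run_file(pid_t pid, const char *fname) {
 free(runfile);
 }
 
-static int sandbox_run_file_fd = -1;
+static int sandbox_lock_fd = -1;
 void set_sandbox_run_file(pid_t pid, pid_t child) {
 char *runfile;
 if (asprintf(&runfile, "%s/%d", RUN_FIREJAIL_SANDBOX_DIR, pid) == -1)
@@ -173,8 +173,8 @@ void set_sandbox_run_file(pid_t pid, pid_t child) {
 EUID_ROOT();
 // the file is deleted first
 // this file should be opened with O_CLOEXEC set
-sandbox_run_file_fd = open(runfile, O_CREAT | O_WRONLY | O_TRUNC | O_CLOEXEC, S_IRUSR | S_IWUSR);
-if (sandbox_run_file_fd < 0) {
+int fd = open(runfile, O_CREAT | O_WRONLY | O_TRUNC | O_CLOEXEC, S_IRUSR | S_IWUSR);
+if (fd < 0) {
 fprintf(stderr, "Error: cannot create %s\n", runfile);
 exit(1);
 }
@@ -186,7 +186,7 @@ void set_sandbox_run_file(pid_t pid, pid_t child) {
 size_t len = strlen(buf);
 size_t done = 0;
 while (done != len) {
-ssize_t rv = write(sandbox_run_file_fd, buf + done, len - done);
+ssize_t rv = write(fd, buf + done, len - done);
 if (rv < 0)
 errExit("write");
 done += rv;
@@ -200,13 +200,15 @@ void set_sandbox_run_file(pid_t pid, pid_t child) {
 .l_start = 0,
 .l_len = 0,
 };
-if (fcntl(sandbox_run_file_fd, F_SETLK, &sandbox_lock) < 0)
+if (fcntl(fd, F_SETLK, &sandbox_lock) < 0)
 errExit("fcntl");
+
+sandbox_lock_fd = fd;
 }
 
-void release_sandbox_run_file_lock(void) {
-assert(sandbox_run_file_fd > -1);
+void release_sandbox_lock(void) {
+assert(sandbox_lock_fd > -1);
 
-close(sandbox_run_file_fd);
-sandbox_run_file_fd = -1;
+close(sandbox_lock_fd);
+sandbox_lock_fd = -1;
 }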
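Review bot: `sandbox_lock_fd` and `release_sandbox_lock()` have no comment saying what the lock is or how it can be lost, and after the rename the descriptor reads like a generic lock handle. The lock taken with `fcntl(fd, F_SETLK, &sandbox_lock)` is a POSIX record lock: it belongs to the process, is not inherited by a forked child, and is dropped as soon as the process closes any descriptor referring to the run file, not only this one. I would add above the variable `// fd holding the fcntl() record lock on the sandbox run file; closing any other fd for that file in this process also drops the lock`. That warns later code against reopening and closing the run file while the sandbox is live.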