-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs_bin.c | 2 | ||||
-rw-r--r-- | src/firejail/fs_home.c | 11 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 2 | ||||
-rw-r--r-- | src/firejail/restrict_users.c | 2 | ||||
-rw-r--r-- | src/firejail/util.c | 34 | ||||
-rw-r--r-- | todo | 43 |
7 files changed, 88 insertions, 7 deletions
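--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -322,6 +322,7 @@ int net_move_interface(const char *dev, unsigned pid);
 
 // util.c
 void drop_privs(int nogroups);
+int mkpath_as_root(const char* path);
 void extract_command_name(const char *str);
 void logsignal(int s);
 void logmsg(const char *msg);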
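--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -55,7 +55,7 @@ static char *check_dir_or_file(const char *name) {
 }
 
 if (!fname) {
-fprintf(stderr, "Warning: file %s not found\n", name);
+// fprintf(stderr, "Warning: file %s not found\n", name);
 return NULL;
 }
 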
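Review bot: The warning in check_dir_or_file() is disabled by commenting it out, which leaves dead code behind and, as far as this hunk shows, means a name that cannot be resolved now fails silently with only a NULL return. If the aim is to quiet normal runs, gate the message on the debug flag used elsewhere in this commit, `if (arg_debug) fprintf(stderr, "Warning: file %s not found\n", name);`, otherwise delete the line outright. The function starts and ends outside the hunk, so the caller's handling of NULL is not visible here.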
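--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -233,9 +233,12 @@ void fs_private(void) {
 // create /home/user
 if (arg_debug)
 printf("Create a new user directory\n");
-int rv = mkdir(homedir, S_IRWXU);
-if (rv == -1)
-errExit("mkdir");
+if (mkdir(homedir, S_IRWXU) == -1) {
+if (mkpath_as_root(homedir) == -1)
+errExit("mkpath");
+if (mkdir(homedir, S_IRWXU) == -1)
+errExit("mkdir");
+}
 if (chown(homedir, u, g) < 0)
 errExit("chown");
 }
@@ -346,7 +349,7 @@ void fs_check_private_dir(void) {
 exit(1);
 }
 if (s1.st_uid != s2.st_uid) {
-printf("Error: the two home directories must have the same owner\n");
+printf("Error: --private directory should be owned by the current user\n");
 exit(1);
 }
 }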
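Review bot: In the first hunk, fs_private() falls back to mkpath_as_root() for every mkdir() failure, not only for a missing parent directory. An `EEXIST` or `EACCES` on `homedir` therefore still triggers root-owned directory creation along the path before the second mkdir() reports the real error. Checking the cause first keeps the privileged fallback to the one case it is meant for: add `if (errno != ENOENT) errExit("mkdir");` as the first statement inside the new block. The same unconditional fallback is in sanitize_home() in restrict_users.c, which also tests the return value by truthiness rather than `== -1` as here. fs_private() begins and ends outside the hunk.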
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index a38539078..d018554d5 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -75,7 +75,7 @@ static void whitelist_path(ProfileEntry *entry) { | |||
75 | assert(path); | 75 | assert(path); |
76 | const char *fname; | 76 | const char *fname; |
77 | char *wfile = NULL; | 77 | char *wfile = NULL; |
78 | 78 | ||
79 | if (entry->home_dir) { | 79 | if (entry->home_dir) { |
80 | fname = path + strlen(cfg.homedir); | 80 | fname = path + strlen(cfg.homedir); |
81 | if (*fname == '\0') { | 81 | if (*fname == '\0') { |
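--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -120,7 +120,7 @@ static void sanitize_home(void) {
 
 // create user home directory
 if (mkdir(cfg.homedir, 0755) == -1) {
-if (mkpath(cfg.homedir))
+if (mkpath_as_root(cfg.homedir))
 errExit("mkpath");
 if (mkdir(cfg.homedir, 0755) == -1)
 errExit("mkdir");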
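--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -75,6 +75,40 @@ void drop_privs(int nogroups) {
 }
 
 
+int mkpath_as_root(const char* path) {
+assert(path && *path);
+
+// work on a copy of the path
+char *file_path = strdup(path);
+if (!file_path)
+errExit("strdup");
+
+char* p;
+for (p=strchr(file_path+1, '/'); p; p=strchr(p+1, '/')) {
+*p='\0';
+if (mkdir(file_path, 0755)==-1) {
+if (errno != EEXIST) {
+*p='/';
+free(file_path);
+return -1;
+}
+}
+else {
+if (chmod(file_path, 0755) == -1)
+errExit("chmod");
+if (chown(file_path, 0, 0) == -1)
+errExit("chown");
+}
+
+*p='/';
+}
+
+free(file_path);
+return 0;
+}
+
+
+
 void logsignal(int s) {
 if (!arg_debug)
 return;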
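Review bot: mkpath_as_root() applies `chmod` and `chown` by path name after `mkdir`, and on `EEXIST` it accepts whatever already sits at that component without checking that it is a real directory. In a privileged helper walking a path derived from the home directory, this matters if any existing ancestor is writable by an unprivileged user. The permission change should then be bound to the object just created, via a descriptor opened with `O_DIRECTORY|O_NOFOLLOW`, and existing components should be checked with `lstat` before descending. The function also lacks a header comment; it should say that it creates every parent of `path` but not the last component, makes new directories root:root 0755, and returns -1 on a mkdir failure. The fence shows only the rewritten `else` branch, which narrows the window rather than closing it; a full fix would walk the path with `openat`/`mkdirat`.

```c
		else {
			// act on the directory that was just created, not on whatever the name resolves to now
			int fd = open(file_path, O_RDONLY|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
			if (fd == -1)
				errExit("open");
			if (fchmod(fd, 0755) == -1)
				errExit("fchmod");
			if (fchown(fd, 0, 0) == -1)
				errExit("fchown");
			close(fd);
		}
		// … unchanged: restore the '/' and continue with the next component …
```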
@@ -96,3 +96,46 @@ Warning: cannot disable /sys/power directory | |||
96 | Child process initialized | 96 | Child process initialized |
97 | 97 | ||
98 | 16. add support for --ip, --iprange, --mac and --mtu for --interface option | 98 | 16. add support for --ip, --iprange, --mac and --mtu for --interface option |
99 | |||
100 | 17. private-home clashing with blacklist | ||
101 | $ firejail --private-home=.mozilla | ||
102 | Reading profile /etc/firejail/generic.profile | ||
103 | Reading profile /etc/firejail/disable-mgmt.inc | ||
104 | Reading profile /etc/firejail/disable-secret.inc | ||
105 | Reading profile /etc/firejail/disable-common.inc | ||
106 | |||
107 | ** Note: you can use --noprofile to disable generic.profile ** | ||
108 | |||
109 | Parent pid 8193, child pid 8194 | ||
110 | /run/firejail/mnt/cp: cannot access `/home/netblue/.mozilla': Permission denied | ||
111 | Error system cp -a --parents:duplicate(381): No such file or directory | ||
112 | Child process initialized | ||
113 | $ ls -la | ||
114 | total 4 | ||
115 | drwx------ 3 test test 100 Nov 25 07:59 . | ||
116 | drwxr-xr-x 3 65534 65534 60 Nov 25 07:59 .. | ||
117 | -rw-r--r-- 1 test test 3392 Nov 25 07:59 .bashrc | ||
118 | dr-x------ 2 65534 65534 40 Nov 24 17:53 .mozilla | ||
119 | -rw------- 1 test test 0 Nov 25 07:59 .Xauthority | ||
120 | |||
121 | |||
122 | |||
123 | |||
124 | 18. whitelist clashing with blacklist | ||
125 | $ firejail --whitelist=~/.mozilla | ||
126 | Reading profile /etc/firejail/generic.profile | ||
127 | Reading profile /etc/firejail/disable-mgmt.inc | ||
128 | Reading profile /etc/firejail/disable-secret.inc | ||
129 | Reading profile /etc/firejail/disable-common.inc | ||
130 | |||
131 | ** Note: you can use --noprofile to disable generic.profile ** | ||
132 | |||
133 | Parent pid 9440, child pid 9441 | ||
134 | Child process initialized | ||
135 | $ ls -al | ||
136 | total 8 | ||
137 | drwx------ 3 netblue netblue 100 Nov 25 08:09 . | ||
138 | drwxr-xr-x 3 65534 65534 60 Nov 25 08:09 .. | ||
139 | -rw-r--r-- 1 netblue netblue 3392 Nov 25 08:09 .bashrc | ||
140 | dr-x------ 2 65534 65534 40 Nov 24 17:53 .mozilla | ||
141 | -rw------- 1 netblue netblue 51 Nov 25 08:09 .Xauthority | ||