-rw-r--r-- | src/firejail/fs_dev.c | 60 |
1 files changed, 34 insertions, 26 deletions
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index b6d9e364f..d94a6de5a 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c | |||
@@ -82,31 +82,39 @@ static void deventry_mount(void) { | |||
82 | while (dev[i].dev_fname != NULL) { | 82 | while (dev[i].dev_fname != NULL) { |
83 | struct stat s; | 83 | struct stat s; |
84 | if (stat(dev[i].run_fname, &s) == 0) { | 84 | if (stat(dev[i].run_fname, &s) == 0) { |
85 | int dir = is_dir(dev[i].run_fname); | 85 | |
86 | if (arg_debug) | 86 | // check device type and subsystem configuration |
87 | printf("mounting %s %s\n", dev[i].run_fname, (dir)? "directory": "file"); | 87 | if ((dev[i].type == DEV_SOUND && arg_nosound == 0) || |
88 | if (dir) { | 88 | (dev[i].type == DEV_3D && arg_no3d == 0) || |
89 | mkdir_attr(dev[i].dev_fname, 0755, 0, 0); | 89 | (dev[i].type == DEV_VIDEO && arg_novideo == 0) || |
90 | } | 90 | (dev[i].type == DEV_TV && arg_notv == 0)) { |
91 | else { | 91 | |
92 | struct stat s; | 92 | int dir = is_dir(dev[i].run_fname); |
93 | if (stat(dev[i].run_fname, &s) == -1) { | 93 | if (arg_debug) |
94 | if (arg_debug) | 94 | printf("mounting %s %s\n", dev[i].run_fname, (dir)? "directory": "file"); |
95 | fwarning("cannot stat %s file\n", dev[i].run_fname); | 95 | if (dir) { |
96 | i++; | 96 | mkdir_attr(dev[i].dev_fname, 0755, 0, 0); |
97 | continue; | ||
98 | } | 97 | } |
99 | FILE *fp = fopen(dev[i].dev_fname, "w"); | 98 | else { |
100 | if (fp) { | 99 | struct stat s; |
101 | fprintf(fp, "\n"); | 100 | if (stat(dev[i].run_fname, &s) == -1) { |
102 | SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode); | 101 | if (arg_debug) |
103 | fclose(fp); | 102 | fwarning("cannot stat %s file\n", dev[i].run_fname); |
103 | i++; | ||
104 | continue; | ||
105 | } | ||
106 | FILE *fp = fopen(dev[i].dev_fname, "w"); | ||
107 | if (fp) { | ||
108 | fprintf(fp, "\n"); | ||
109 | SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode); | ||
110 | fclose(fp); | ||
111 | } | ||
104 | } | 112 | } |
113 | |||
114 | if (mount(dev[i].run_fname, dev[i].dev_fname, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
115 | errExit("mounting dev file"); | ||
116 | fs_logger2("whitelist", dev[i].dev_fname); | ||
105 | } | 117 | } |
106 | |||
107 | if (mount(dev[i].run_fname, dev[i].dev_fname, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
108 | errExit("mounting dev file"); | ||
109 | fs_logger2("whitelist", dev[i].dev_fname); | ||
110 | } | 118 | } |
111 | 119 | ||
112 | i++; | 120 | i++; |
@@ -149,7 +157,7 @@ void fs_private_dev(void){ | |||
149 | // keep a copy of dev directory | 157 | // keep a copy of dev directory |
150 | mkdir_attr(RUN_DEV_DIR, 0755, 0, 0); | 158 | mkdir_attr(RUN_DEV_DIR, 0755, 0, 0); |
151 | if (mount("/dev", RUN_DEV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 159 | if (mount("/dev", RUN_DEV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
152 | errExit("mounting /dev/dri"); | 160 | errExit("mounting /dev"); |
153 | 161 | ||
154 | // create DEVLOG_FILE | 162 | // create DEVLOG_FILE |
155 | int have_devlog = 0; | 163 | int have_devlog = 0; |
@@ -172,6 +180,7 @@ void fs_private_dev(void){ | |||
172 | errExit("mounting /dev"); | 180 | errExit("mounting /dev"); |
173 | fs_logger("tmpfs /dev"); | 181 | fs_logger("tmpfs /dev"); |
174 | 182 | ||
183 | // optional devices: sound, video cards etc... | ||
175 | deventry_mount(); | 184 | deventry_mount(); |
176 | 185 | ||
177 | // bring back /dev/log | 186 | // bring back /dev/log |
@@ -186,8 +195,7 @@ void fs_private_dev(void){ | |||
186 | } | 195 | } |
187 | } | 196 | } |
188 | if (mount(RUN_RO_DIR, RUN_DEV_DIR, "none", MS_BIND, "mode=400,gid=0") < 0) | 197 | if (mount(RUN_RO_DIR, RUN_DEV_DIR, "none", MS_BIND, "mode=400,gid=0") < 0) |
189 | errExit("disable /dev/snd"); | 198 | errExit("disable run dev directory"); |
190 | |||
191 | 199 | ||
192 | // create /dev/shm | 200 | // create /dev/shm |
193 | if (arg_debug) | 201 | if (arg_debug) |
@@ -195,7 +203,7 @@ void fs_private_dev(void){ | |||
195 | mkdir_attr("/dev/shm", 01777, 0, 0); | 203 | mkdir_attr("/dev/shm", 01777, 0, 0); |
196 | fs_logger("mkdir /dev/shm"); | 204 | fs_logger("mkdir /dev/shm"); |
197 | 205 | ||
198 | // create devices | 206 | // create default devices |
199 | create_char_dev("/dev/zero", 0666, 1, 5); // mknod -m 666 /dev/zero c 1 5 | 207 | create_char_dev("/dev/zero", 0666, 1, 5); // mknod -m 666 /dev/zero c 1 5 |
200 | fs_logger("mknod /dev/zero"); | 208 | fs_logger("mknod /dev/zero"); |
201 | create_char_dev("/dev/null", 0666, 1, 3); // mknod -m 666 /dev/null c 1 3 | 209 | create_char_dev("/dev/null", 0666, 1, 3); // mknod -m 666 /dev/null c 1 3 |
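Review bot: In the first hunk the inner `struct stat s;` (new line 99) shadows the `s` declared at line 83 and the `stat()` on new line 100 repeats the call that line 84 already made on the same path and succeeded; the nested declaration, the second stat and the `i++; continue;` skip (new lines 99-105) can be dropped and `SET_PERMS_STREAM(fp, s.st_uid, s.st_gid, s.st_mode)` can use the outer `s` directly, which also removes a -Wshadow warning. The new type/`arg_no*` condition wraps the whole body in another level of nesting, which is why a four-line check turned into 22 deletions and 30 insertions; inverting it into a guard that does `i++; continue;` (the loop only increments `i` at new line 120) keeps the body flat and the diff reviewable. As written, an entry whose `type` is none of DEV_SOUND/DEV_3D/DEV_VIDEO/DEV_TV is never mounted; if the dev table ever gains another type that is presumably not intended, so the guard form (skip only what is explicitly disabled) is also the safer default. deventry_mount() starts and ends outside the hunk.
```c
	while (dev[i].dev_fname != NULL) {
		struct stat s;
		if (stat(dev[i].run_fname, &s) == 0) {
			// skip devices disabled on the command line
			if ((dev[i].type == DEV_SOUND && arg_nosound) ||
			    (dev[i].type == DEV_3D && arg_no3d) ||
			    (dev[i].type == DEV_VIDEO && arg_novideo) ||
			    (dev[i].type == DEV_TV && arg_notv)) {
				i++;
				continue;
			}
			// … unchanged: is_dir / mkdir_attr / mount-point file creation using the outer s, bind mount, fs_logger2 …
```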