diff options
-rw-r--r-- | src/firejail/fs_whitelist.c | 56 |
1 files changed, 23 insertions, 33 deletions
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index d67087616..d52b3996a 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -306,10 +306,10 @@ static void whitelist_path(ProfileEntry *entry) { | |||
306 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MODULE_DIR, fname) == -1) | 306 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MODULE_DIR, fname) == -1) |
307 | errExit("asprintf"); | 307 | errExit("asprintf"); |
308 | } | 308 | } |
309 | assert(wfile); | ||
309 | 310 | ||
310 | // check if the file exists | 311 | // check if the file exists |
311 | EUID_USER(); | 312 | EUID_USER(); |
312 | assert(wfile); | ||
313 | struct stat s; | 313 | struct stat s; |
314 | if (stat(wfile, &s) == 0) { | 314 | if (stat(wfile, &s) == 0) { |
315 | if (arg_debug || arg_debug_whitelists) | 315 | if (arg_debug || arg_debug_whitelists) |
@@ -919,38 +919,28 @@ void fs_whitelist(void) { | |||
919 | 919 | ||
920 | //printf("here %d#%s#\n", __LINE__, entry->data); | 920 | //printf("here %d#%s#\n", __LINE__, entry->data); |
921 | // whitelist the real file | 921 | // whitelist the real file |
922 | if (strcmp(entry->data, "whitelist /run") == 0 && | 922 | whitelist_path(entry); |
923 | (strcmp(entry->link, "/var/run") == 0 || strcmp(entry->link, "/var/lock") == 0)) { | 923 | |
924 | int rv = symlink(entry->data + 10, entry->link); | 924 | // create the link if any |
925 | if (rv) | 925 | if (entry->link) { |
926 | fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link); | 926 | // if the link is already there, do not bother |
927 | else if (arg_debug || arg_debug_whitelists) | 927 | struct stat s; |
928 | printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10); | 928 | if (stat(entry->link, &s) != 0) { |
929 | } | 929 | // create the path if necessary |
930 | else { | 930 | mkpath(entry->link, s.st_mode); |
931 | whitelist_path(entry); | 931 | |
932 | 932 | int rv = symlink(entry->data + 10, entry->link); | |
933 | // create the link if any | 933 | if (rv) |
934 | if (entry->link) { | 934 | fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link); |
935 | // if the link is already there, do not bother | 935 | else if (arg_debug || arg_debug_whitelists) |
936 | struct stat s; | 936 | printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10); |
937 | if (stat(entry->link, &s) != 0) { | 937 | |
938 | // create the path if necessary | 938 | // check again for files in /tmp directory |
939 | mkpath(entry->link, s.st_mode); | 939 | if (strncmp(entry->link, "/tmp/", 5) == 0) { |
940 | 940 | char *path = realpath(entry->link, NULL); | |
941 | int rv = symlink(entry->data + 10, entry->link); | 941 | if (path == NULL || strncmp(path, "/tmp/", 5) != 0) |
942 | if (rv) | 942 | errLogExit("invalid whitelist symlink %s\n", entry->link); |
943 | fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link); | 943 | free(path); |
944 | else if (arg_debug || arg_debug_whitelists) | ||
945 | printf("Created symbolic link %s -> %s\n", entry->link, entry->data + 10); | ||
946 | |||
947 | // check again for files in /tmp directory | ||
948 | if (strncmp(entry->link, "/tmp/", 5) == 0) { | ||
949 | char *path = realpath(entry->link, NULL); | ||
950 | if (path == NULL || strncmp(path, "/tmp/", 5) != 0) | ||
951 | errLogExit("invalid whitelist symlink %s\n", entry->link); | ||
952 | free(path); | ||
953 | } | ||
954 | } | 944 | } |
955 | } | 945 | } |
956 | } | 946 | } |