-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/restrict_users.c | 51 |
2 files changed, 52 insertions, 0 deletions
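--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -74,6 +74,7 @@
 
 #define RUN_WHITELIST_X11_DIR "/run/firejail/mnt/orig-x11"
 #define RUN_WHITELIST_HOME_DIR "/run/firejail/mnt/orig-home" // default home directory masking
+#define RUN_WHITELIST_RUN_DIR "/run/firejail/mnt/orig-run" // default run directory masking
 #define RUN_WHITELIST_HOME_USER_DIR "/run/firejail/mnt/orig-home-user" // home directory whitelisting
 #define RUN_WHITELIST_TMP_DIR "/run/firejail/mnt/orig-tmp"
 #define RUN_WHITELIST_MEDIA_DIR "/run/firejail/mnt/orig-media"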
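--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -113,6 +113,56 @@ static void sanitize_home(void) {
 
 }
 
+static void sanitize_run(void) {
+	if (arg_debug)
+		printf("Cleaning /run/user directory\n");
+
+	char *runuser;
+	if (asprintf(&runuser, "/run/user/%u", getuid()) == -1)
+		errExit("asprintf");
+
+	struct stat s;
+	if (stat(runuser, &s) == -1) {
+		// cannot find /user/run/$UID directory, just return
+		if (arg_debug)
+			printf("Cannot find %s directory\n", runuser);
+		free(runuser);
+		return;
+	}
+
+	if (mkdir(RUN_WHITELIST_RUN_DIR, 0755) == -1)
+		errExit("mkdir");
+
+	// keep a copy of the /run/user/$UID directory
+	if (mount(runuser, RUN_WHITELIST_RUN_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
+		errExit("mount bind");
+
+	// mount tmpfs on /run/user
+	if (mount("tmpfs", "/run/user", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		errExit("mount tmpfs");
+	fs_logger("tmpfs /run/user");
+
+	// create new user directory
+	if (mkdir(runuser, 0700) == -1)
+		errExit("mkdir");
+	fs_logger2("mkdir", runuser);
+
+	// set mode and ownership
+	if (set_perms(runuser, getuid(), getgid(), 0700))
+		errExit("set_perms");
+
+	// mount user home directory
+	if (mount(RUN_WHITELIST_RUN_DIR, runuser, NULL, MS_BIND|MS_REC, NULL) < 0)
+		errExit("mount bind");
+
+	// mask mirrored /run/user/$UID directory
+	if (mount("tmpfs", RUN_WHITELIST_RUN_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		errExit("mount tmpfs");
+	fs_logger2("tmpfs", RUN_WHITELIST_RUN_DIR);
+
+	free(runuser);
+}
+
 static void sanitize_passwd(void) {
 	struct stat s;
 	if (stat("/etc/passwd", &s) == -1)
@@ -352,6 +402,7 @@ void restrict_users(void) {
 		errExit("mount tmpfs");
 		fs_logger("tmpfs /home");
 	}
+	sanitize_run();
 	sanitize_passwd();
 	sanitize_group();
 }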
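Review bot: The comment before the second bind mount in sanitize_run reads `// mount user home directory`, a leftover from sanitize_home; it should say `// bind the saved copy back onto /run/user/$UID`, and the earlier comment `// cannot find /user/run/$UID directory` has the path components reversed. The stat() at the top only confirms that something exists at the path before it is bind-mounted recursively; adding `if (!S_ISDIR(s.st_mode))` to the early-return branch would make the directory assumption explicit, though whether a non-directory can appear there depends on how /run/user is populated on the host, which is not visible here. sanitize_run is complete within the first hunk; restrict_users, where the new call is added in the second hunk, starts outside it.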