-rw-r--r-- | src/firejail/fs_whitelist.c | 38 | ||||
-rwxr-xr-x | test/fs/private-etc-empty.exp | 9 |
2 files changed, 28 insertions, 19 deletions
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 33037da29..11e626b6e 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -554,24 +554,30 @@ void fs_whitelist(void) { | |||
554 | 554 | ||
555 | // /media mountpoint | 555 | // /media mountpoint |
556 | if (media_dir) { | 556 | if (media_dir) { |
557 | // keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR | 557 | // some distros don't have a /media directory |
558 | int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, 0755); | 558 | struct stat s; |
559 | if (rv == -1) | 559 | if (stat("/media", &s) == 0) { |
560 | errExit("mkdir"); | 560 | // keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR |
561 | if (chown(RUN_WHITELIST_MEDIA_DIR, 0, 0) < 0) | 561 | int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, 0755); |
562 | errExit("chown"); | 562 | if (rv == -1) |
563 | if (chmod(RUN_WHITELIST_MEDIA_DIR, 0755) < 0) | 563 | errExit("mkdir"); |
564 | errExit("chmod"); | 564 | if (chown(RUN_WHITELIST_MEDIA_DIR, 0, 0) < 0) |
565 | errExit("chown"); | ||
566 | if (chmod(RUN_WHITELIST_MEDIA_DIR, 0755) < 0) | ||
567 | errExit("chmod"); | ||
565 | 568 | ||
566 | if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 569 | if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
567 | errExit("mount bind"); | 570 | errExit("mount bind"); |
568 | 571 | ||
569 | // mount tmpfs on /media | 572 | // mount tmpfs on /media |
570 | if (arg_debug || arg_debug_whitelists) | 573 | if (arg_debug || arg_debug_whitelists) |
571 | printf("Mounting tmpfs on /media directory\n"); | 574 | printf("Mounting tmpfs on /media directory\n"); |
572 | if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 575 | if (mount("tmpfs", "/media", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
573 | errExit("mounting tmpfs on /media"); | 576 | errExit("mounting tmpfs on /media"); |
574 | fs_logger("tmpfs /media"); | 577 | fs_logger("tmpfs /media"); |
578 | } | ||
579 | else | ||
580 | media_dir = 0; | ||
575 | } | 581 | } |
576 | 582 | ||
577 | // /var mountpoint | 583 | // /var mountpoint |
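--- a/test/fs/private-etc-empty.exp
+++ b/test/fs/private-etc-empty.exp
@@ -3,7 +3,7 @@
 # Copyright (C) 2014-2016 Firejail Authors
 # License GPL v2
 
-set timeout 30
+set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
@@ -17,7 +17,8 @@ sleep 1
 send -- "ls -l /etc | wc -l\r"
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}
-"0"
+"0" {puts "Debian\n"}
+"1" {puts "Arch\n"}
 }
 send -- "exit\r"
 sleep 1
@@ -32,7 +33,9 @@ sleep 1
 send -- "ls -l /etc | wc -l\r"
 expect {
 timeout {puts "TESTING ERROR 1\n";exit}
-"0"
+"0" {puts "Debian\n"}
+"1" {puts "Arch\n"}
+
 }
 
 after 100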
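Review bot: The added `"1" {puts "Arch\n"}` pattern (second and third hunks) is an unanchored glob, so any `wc -l` output containing the digit 1, such as "11" or "21", satisfies it, and the pre-existing `"0"` likewise accepts "10"; the test therefore no longer distinguishes an empty or near-empty /etc from a populated one. Anchoring both patterns to a whole output line, e.g. `-re {\n1\r?\n} {puts "Arch\n"}`, would keep the check meaningful, assuming the spawned shell echoes CRLF line endings as expect sessions usually do. The third hunk also leaves a stray blank line inside the expect block, which is harmless in Tcl but inconsistent with the second hunk.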