diff options
| -rw-r--r-- | RELNOTES | 4 | ||||
| -rw-r--r-- | src/firejail/profile.c | 17 |
2 files changed, 8 insertions, 13 deletions
| @@ -1,5 +1,7 @@ | |||
| 1 | firejail (0.9.65) baseline; urgency=low | 1 | firejail (0.9.65) baseline; urgency=low |
| 2 | * allow --tmpfs and --bind inside $HOME for unprivileged users | 2 | * allow --tmpfs inside $HOME for unprivileged users |
| 3 | * --disable-usertmpfs compile time option | ||
| 4 | -- netblue30 <netblue30@yahoo.com> Wed, 21 Oct 2020 08:00:00 -0500 | ||
| 3 | 5 | ||
| 4 | firejail (0.9.64) baseline; urgency=low | 6 | firejail (0.9.64) baseline; urgency=low |
| 5 | * replaced --nowrap option with --wrap in firemon | 7 | * replaced --nowrap option with --wrap in firemon |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 4942f99ff..11a74ddd3 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
| @@ -1415,6 +1415,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
| 1415 | if (strncmp(ptr, "bind ", 5) == 0) { | 1415 | if (strncmp(ptr, "bind ", 5) == 0) { |
| 1416 | if (checkcfg(CFG_BIND)) { | 1416 | if (checkcfg(CFG_BIND)) { |
| 1417 | // extract two directories | 1417 | // extract two directories |
| 1418 | if (getuid() != 0) { | ||
| 1419 | fprintf(stderr, "Error: --bind option is available only if running as root\n"); | ||
| 1420 | exit(1); | ||
| 1421 | } | ||
| 1422 | |||
| 1418 | char *dname1 = ptr + 5; | 1423 | char *dname1 = ptr + 5; |
| 1419 | char *dname2 = split_comma(dname1); // this inserts a '0 to separate the two dierctories | 1424 | char *dname2 = split_comma(dname1); // this inserts a '0 to separate the two dierctories |
| 1420 | if (dname2 == NULL) { | 1425 | if (dname2 == NULL) { |
| @@ -1429,18 +1434,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
| 1429 | fprintf(stderr, "Error: invalid file name.\n"); | 1434 | fprintf(stderr, "Error: invalid file name.\n"); |
| 1430 | exit(1); | 1435 | exit(1); |
| 1431 | } | 1436 | } |
| 1432 | if (getuid() != 0) { | ||
| 1433 | char *resolved_path1 = realpath(dname1, NULL); | ||
| 1434 | char *resolved_path2 = realpath(dname2, NULL); | ||
| 1435 | assert(resolved_path1 && resolved_path2); | ||
| 1436 | if (strncmp(cfg.homedir, resolved_path1, strlen(cfg.homedir)) != 0 | ||
| 1437 | || strncmp(cfg.homedir, resolved_path2, strlen(cfg.homedir)) != 0) { | ||
| 1438 | fprintf(stderr, "Error: bind outside $HOME is only available for root\n"); | ||
| 1439 | exit(1); | ||
| 1440 | } | ||
| 1441 | free(resolved_path1); | ||
| 1442 | free(resolved_path2); | ||
| 1443 | } | ||
| 1444 | if (is_link(dname1) || is_link(dname2)) { | 1437 | if (is_link(dname1) || is_link(dname2)) { |
| 1445 | fprintf(stderr, "Symbolic links are not allowed for bind command\n"); | 1438 | fprintf(stderr, "Symbolic links are not allowed for bind command\n"); |
| 1446 | exit(1); | 1439 | exit(1); |