diff options
-rw-r--r-- | src/fids/main.c | 19 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 6 |
2 files changed, 16 insertions, 9 deletions
diff --git a/src/fids/main.c b/src/fids/main.c index c899b55e1..8f9bc1ea0 100644 --- a/src/fids/main.c +++ b/src/fids/main.c | |||
@@ -210,22 +210,29 @@ static void process_config(const char *fname) { | |||
210 | exit(1); | 210 | exit(1); |
211 | } | 211 | } |
212 | 212 | ||
213 | // make sure the file is owned by root | 213 | fprintf(stderr, "Opening config file %s\n", fname); |
214 | struct stat s; | 214 | int fd = open(fname, O_RDONLY|O_CLOEXEC); |
215 | if (stat(fname, &s)) { | 215 | if (fd < 0) { |
216 | if (include_level == 1) { | 216 | if (include_level == 1) { |
217 | fprintf(stderr, "Error ids: config file not found\n"); | 217 | fprintf(stderr, "Error ids: cannot open config file %s\n", fname); |
218 | exit(1); | 218 | exit(1); |
219 | } | 219 | } |
220 | return; | 220 | return; |
221 | } | 221 | } |
222 | |||
223 | // make sure the file is owned by root | ||
224 | struct stat s; | ||
225 | if (fstat(fd, &s)) { | ||
226 | fprintf(stderr, "Error ids: cannot stat config file %s\n", fname); | ||
227 | exit(1); | ||
228 | } | ||
222 | if (s.st_uid || s.st_gid) { | 229 | if (s.st_uid || s.st_gid) { |
223 | fprintf(stderr, "Error ids: config file not owned by root\n"); | 230 | fprintf(stderr, "Error ids: config file not owned by root\n"); |
224 | exit(1); | 231 | exit(1); |
225 | } | 232 | } |
226 | 233 | ||
227 | fprintf(stderr, "Loading %s config file\n", fname); | 234 | fprintf(stderr, "Loading config file %s\n", fname); |
228 | FILE *fp = fopen(fname, "r"); | 235 | FILE *fp = fdopen(fd, "r"); |
229 | if (!fp) { | 236 | if (!fp) { |
230 | fprintf(stderr, "Error fids: cannot open config file %s\n", fname); | 237 | fprintf(stderr, "Error fids: cannot open config file %s\n", fname); |
231 | exit(1); | 238 | exit(1); |
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 3d9bf9082..e02be29f1 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
@@ -435,11 +435,11 @@ void seccomp_print_filter(pid_t pid) { | |||
435 | if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_SECCOMP_LIST) == -1) | 435 | if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_SECCOMP_LIST) == -1) |
436 | errExit("asprintf"); | 436 | errExit("asprintf"); |
437 | 437 | ||
438 | struct stat s; | 438 | int fd = open(fname, O_RDONLY|O_CLOEXEC); |
439 | if (stat(fname, &s) == -1) | 439 | if (fd < 0) |
440 | goto errexit; | 440 | goto errexit; |
441 | 441 | ||
442 | FILE *fp = fopen(fname, "re"); | 442 | FILE *fp = fdopen(fd, "r"); |
443 | if (!fp) | 443 | if (!fp) |
444 | goto errexit; | 444 | goto errexit; |
445 | free(fname); | 445 | free(fname); |