diff options
| -rw-r--r-- | README | 1 | ||||
| -rw-r--r-- | src/fcopy/main.c | 16 | ||||
| -rw-r--r-- | src/firejail/fs_bin.c | 2 | ||||
| -rwxr-xr-x | test/fcopy/cmdline.exp | 8 | ||||
| -rwxr-xr-x | test/fs/private-home.exp | 2 |
5 files changed, 16 insertions, 13 deletions
| @@ -111,6 +111,7 @@ Zack Weinberg (https://github.com/zackw) | |||
| 111 | - rework X11 display number assignment | 111 | - rework X11 display number assignment |
| 112 | - rework X11 xorg processing | 112 | - rework X11 xorg processing |
| 113 | - rework fcopy, --follow-link support in fcopy | 113 | - rework fcopy, --follow-link support in fcopy |
| 114 | - follow link support in --private-bin | ||
| 114 | Igor Bukanov (https://github.com/ibukanov) | 115 | Igor Bukanov (https://github.com/ibukanov) |
| 115 | - found/fiixed privilege escalation in --hosts-file option | 116 | - found/fiixed privilege escalation in --hosts-file option |
| 116 | Cat (https://github.com/ecat3) | 117 | Cat (https://github.com/ecat3) |
diff --git a/src/fcopy/main.c b/src/fcopy/main.c index 089152efc..9f19b6dd8 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c | |||
| @@ -23,6 +23,8 @@ | |||
| 23 | #include <ftw.h> | 23 | #include <ftw.h> |
| 24 | #include <errno.h> | 24 | #include <errno.h> |
| 25 | 25 | ||
| 26 | static int arg_follow_link = 0; | ||
| 27 | |||
| 26 | 28 | ||
| 27 | #define COPY_LIMIT (500 * 1024 *1024) | 29 | #define COPY_LIMIT (500 * 1024 *1024) |
| 28 | static int size_limit_reached = 0; | 30 | static int size_limit_reached = 0; |
| @@ -221,7 +223,7 @@ static void duplicate_dir(const char *src, const char *dest, struct stat *s) { | |||
| 221 | } | 223 | } |
| 222 | 224 | ||
| 223 | static void duplicate_file(const char *src, const char *dest, struct stat *s) { | 225 | static void duplicate_file(const char *src, const char *dest, struct stat *s) { |
| 224 | char *rsrc = check(src); // we drop the result and use the original name | 226 | char *rsrc = check(src); |
| 225 | char *rdest = check(dest); | 227 | char *rdest = check(dest); |
| 226 | uid_t uid = s->st_uid; | 228 | uid_t uid = s->st_uid; |
| 227 | gid_t gid = s->st_gid; | 229 | gid_t gid = s->st_gid; |
| @@ -229,7 +231,7 @@ static void duplicate_file(const char *src, const char *dest, struct stat *s) { | |||
| 229 | 231 | ||
| 230 | // build destination file name | 232 | // build destination file name |
| 231 | char *name; | 233 | char *name; |
| 232 | char *ptr = strrchr(src, '/'); | 234 | char *ptr = (arg_follow_link)? strrchr(src, '/'): strrchr(rsrc, '/'); |
| 233 | ptr++; | 235 | ptr++; |
| 234 | if (asprintf(&name, "%s/%s", rdest, ptr) == -1) | 236 | if (asprintf(&name, "%s/%s", rdest, ptr) == -1) |
| 235 | errExit("asprintf"); | 237 | errExit("asprintf"); |
| @@ -251,7 +253,7 @@ static void duplicate_link(const char *src, const char *dest, struct stat *s) { | |||
| 251 | 253 | ||
| 252 | // build destination file name | 254 | // build destination file name |
| 253 | char *name; | 255 | char *name; |
| 254 | // char *ptr = strrchr(rsrc, '/'); | 256 | // char *ptr = strrchr(rsrc, '/'); |
| 255 | char *ptr = strrchr(src, '/'); | 257 | char *ptr = strrchr(src, '/'); |
| 256 | ptr++; | 258 | ptr++; |
| 257 | if (asprintf(&name, "%s/%s", rdest, ptr) == -1) | 259 | if (asprintf(&name, "%s/%s", rdest, ptr) == -1) |
| @@ -287,19 +289,19 @@ printf("\n"); | |||
| 287 | #endif | 289 | #endif |
| 288 | char *src; | 290 | char *src; |
| 289 | char *dest; | 291 | char *dest; |
| 290 | int follow_link; | ||
| 291 | 292 | ||
| 292 | if (argc == 3) { | 293 | if (argc == 3) { |
| 293 | src = argv[1]; | 294 | src = argv[1]; |
| 294 | dest = argv[2]; | 295 | dest = argv[2]; |
| 295 | follow_link = 0; | 296 | arg_follow_link = 0; |
| 296 | } | 297 | } |
| 297 | else if (argc == 4 && !strcmp(argv[1], "--follow-link")) { | 298 | else if (argc == 4 && !strcmp(argv[1], "--follow-link")) { |
| 298 | src = argv[2]; | 299 | src = argv[2]; |
| 299 | dest = argv[3]; | 300 | dest = argv[3]; |
| 300 | follow_link = 1; | 301 | arg_follow_link = 1; |
| 301 | } | 302 | } |
| 302 | else { | 303 | else { |
| 304 | fprintf(stderr, "Error: arguments missing\n"); | ||
| 303 | usage(); | 305 | usage(); |
| 304 | exit(1); | 306 | exit(1); |
| 305 | } | 307 | } |
| @@ -334,7 +336,7 @@ printf("\n"); | |||
| 334 | } | 336 | } |
| 335 | 337 | ||
| 336 | // copy files | 338 | // copy files |
| 337 | if ((follow_link ? stat : lstat)(src, &s) == -1) { | 339 | if ((arg_follow_link ? stat : lstat)(src, &s) == -1) { |
| 338 | fprintf(stderr, "Error fcopy: src %s: %s\n", src, strerror(errno)); | 340 | fprintf(stderr, "Error fcopy: src %s: %s\n", src, strerror(errno)); |
| 339 | exit(1); | 341 | exit(1); |
| 340 | } | 342 | } |
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 547978b47..3473fca4c 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c | |||
| @@ -111,7 +111,7 @@ static void duplicate(char *fname) { | |||
| 111 | errExit("asprintf"); | 111 | errExit("asprintf"); |
| 112 | 112 | ||
| 113 | // copy the file | 113 | // copy the file |
| 114 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR); | 114 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, RUN_BIN_DIR); |
| 115 | fs_logger2("clone", fname); | 115 | fs_logger2("clone", fname); |
| 116 | free(full_path); | 116 | free(full_path); |
| 117 | } | 117 | } |
diff --git a/test/fcopy/cmdline.exp b/test/fcopy/cmdline.exp index 3ea33b01b..10dd8da58 100755 --- a/test/fcopy/cmdline.exp +++ b/test/fcopy/cmdline.exp | |||
| @@ -10,7 +10,7 @@ match_max 100000 | |||
| 10 | send -- "/usr/lib/firejail/fcopy\r" | 10 | send -- "/usr/lib/firejail/fcopy\r" |
| 11 | expect { | 11 | expect { |
| 12 | timeout {puts "TESTING ERROR 0\n";exit} | 12 | timeout {puts "TESTING ERROR 0\n";exit} |
| 13 | "files missing" | 13 | "arguments missing" |
| 14 | } | 14 | } |
| 15 | expect { | 15 | expect { |
| 16 | timeout {puts "TESTING ERROR 1\n";exit} | 16 | timeout {puts "TESTING ERROR 1\n";exit} |
| @@ -21,7 +21,7 @@ after 100 | |||
| 21 | send -- "/usr/lib/firejail/fcopy foo\r" | 21 | send -- "/usr/lib/firejail/fcopy foo\r" |
| 22 | expect { | 22 | expect { |
| 23 | timeout {puts "TESTING ERROR 2\n";exit} | 23 | timeout {puts "TESTING ERROR 2\n";exit} |
| 24 | "files missing" | 24 | "arguments missing" |
| 25 | } | 25 | } |
| 26 | expect { | 26 | expect { |
| 27 | timeout {puts "TESTING ERROR 3\n";exit} | 27 | timeout {puts "TESTING ERROR 3\n";exit} |
| @@ -32,14 +32,14 @@ after 100 | |||
| 32 | send -- "/usr/lib/firejail/fcopy f%oo1 foo2\r" | 32 | send -- "/usr/lib/firejail/fcopy f%oo1 foo2\r" |
| 33 | expect { | 33 | expect { |
| 34 | timeout {puts "TESTING ERROR 4\n";exit} | 34 | timeout {puts "TESTING ERROR 4\n";exit} |
| 35 | "invalid file name" | 35 | "invalid source file name" |
| 36 | } | 36 | } |
| 37 | after 100 | 37 | after 100 |
| 38 | 38 | ||
| 39 | send -- "/usr/lib/firejail/fcopy foo1 f,oo2\r" | 39 | send -- "/usr/lib/firejail/fcopy foo1 f,oo2\r" |
| 40 | expect { | 40 | expect { |
| 41 | timeout {puts "TESTING ERROR 5\n";exit} | 41 | timeout {puts "TESTING ERROR 5\n";exit} |
| 42 | "invalid file name" | 42 | "invalid dest file name" |
| 43 | } | 43 | } |
| 44 | after 100 | 44 | after 100 |
| 45 | 45 | ||
diff --git a/test/fs/private-home.exp b/test/fs/private-home.exp index f2f30914d..259eb4f9e 100755 --- a/test/fs/private-home.exp +++ b/test/fs/private-home.exp | |||
| @@ -89,7 +89,7 @@ expect { | |||
| 89 | "Child process initialized" | 89 | "Child process initialized" |
| 90 | } | 90 | } |
| 91 | after 100 | 91 | after 100 |
| 92 | send -- "file file ~/_firejail_test_link2\r" | 92 | send -- "file ~/_firejail_test_link2\r" |
| 93 | expect { | 93 | expect { |
| 94 | timeout {puts "TESTING ERROR 11\n";exit} | 94 | timeout {puts "TESTING ERROR 11\n";exit} |
| 95 | "broken symbolic link" | 95 | "broken symbolic link" |