-rw-r--r-- | src/firejail/fs_whitelist.c | 32 | ||||
-rwxr-xr-x | test/test.sh | 3 | ||||
-rwxr-xr-x | test/whitelist-empty.exp | 50 |
3 files changed, 77 insertions, 8 deletions
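--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -336,6 +336,14 @@ void fs_whitelist(void) {
 if (arg_debug)
 fprintf(stderr, "Debug %d: new_name #%s#\n", __LINE__, new_name);
 
+// valid path referenced to filesystem root
+if (*new_name != '/') {
+if (arg_debug)
+fprintf(stderr, "Debug %d: \n", __LINE__);
+goto errexit;
+}
+
+
 // extract the absolute path of the file
 // realpath function will fail with ENOENT if the file is not found
 char *fname = realpath(new_name, NULL);
@@ -349,19 +357,27 @@ void fs_whitelist(void) {
 perror("realpath");
 }
 *entry->data = '\0';
+
+// if 1 the file was not found; mount an empty directory
+if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0)
+home_dir = 1;
+else if (strncmp(new_name, "/tmp/", 5) == 0)
+tmp_dir = 1;
+else if (strncmp(new_name, "/media/", 7) == 0)
+media_dir = 1;
+else if (strncmp(new_name, "/var/", 5) == 0)
+var_dir = 1;
+else if (strncmp(new_name, "/dev/", 5) == 0)
+dev_dir = 1;
+else if (strncmp(new_name, "/opt/", 5) == 0)
+opt_dir = 1;
+
 continue;
 }
 
-// valid path referenced to filesystem root
-if (*new_name != '/') {
-if (arg_debug)
-fprintf(stderr, "Debug %d: \n", __LINE__);
-goto errexit;
-}
-
 // check for supported directories
 if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) {
-// whitelisting home directory is disabled if --private or --private-home option is present
+// whitelisting home directory is disabled if --private option is present
 if (arg_private) {
 if (arg_debug || arg_debug_whitelists)
 printf("Removed whitelist path %s, --private option is present\n", entry->data);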
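Review bot: In the realpath-failure branch added by the second hunk, `home_dir = 1` is set for any missing path under `cfg.homedir` without the `arg_private` test that the existing-file path applies a few lines further down, so a missing home whitelist entry combined with --private still flags the home directory. What `home_dir` triggers lies outside the hunk, but if it mounts the empty directory the new comment describes, that would be layered over the --private home; consider `if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) { if (!arg_private) home_dir = 1; }`, braced so the following `else if` still pairs with the outer test. The `cfg.homedir` comparison also has no `/` boundary after the prefix, unlike the `"/tmp/"`-style literals, so a home of `/home/user` would match a missing `/home/user2/x` as well. fs_whitelist's body starts and ends outside both hunks.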
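--- a/test/test.sh
+++ b/test/test.sh
@@ -15,6 +15,9 @@ echo "TESTING: invalid filename"
 echo "TESTING: environment variables"
 ./env.exp
 
+echo "TESTING: whitelist empty"
+./whitelist-empty.exp
+
 echo "TESTING: ignore command"
 ./ignore.exp
 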
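--- /dev/null
+++ b/test/whitelist-empty.exp
@@ -0,0 +1,50 @@
+#!/usr/bin/expect -f
+
+set timeout 30
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --whitelist=~/blablabla --whitelist=/tmp/blablabla --whitelist=/media/blablabla --whitelist=/var/blablabla --whitelist=/dev/blablabla --whitelist=/opt/blablabla\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "ls -l ~/ | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"0"
+}
+
+send -- "ls -l /tmp | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"0"
+}
+
+send -- "ls -l /media | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"0"
+}
+
+send -- "ls -l /var | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"0"
+}
+
+send -- "ls -l /dev | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"0"
+}
+send -- "ls -l /opt | wc -l\r"
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+"0"
+}
+
+
+puts "\nall done\n"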
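Review bot: The bare `"0"` patterns in the six directory checks are matched anywhere in the buffered output, so any zero (a count such as `10`, or a digit in the prompt) satisfies them and the test cannot tell an empty directory from a populated one. `ls -l` also normally prints a `total` line even for an empty directory, so `wc -l` would report 1 rather than 0 in exactly the case the test is meant to prove. Counting with `ls -A /tmp | wc -l` and anchoring the match, for example `-re "\[\r\n\]0\[\r\n\]"`, would make a pass mean the sandboxed directory really is empty. The `timeout` branches call `exit` without a status, so a failure presumably ends the script with status 0 unless test.sh inspects the printed text.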