3 files changed, 18 insertions, 11 deletions
diff --git a/.travis.yml b/.travis.yml
index 9a2c68361..4c6e41980 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -3,7 +3,7 @@ dist: trusty
 sudo: true
 script:
-  - sudo apt-get -y install expect csh zsh
+  - sudo apt-get -y install expect csh
  - ( cd firejail ; ./configure --prefix=/usr --enable-git-install && make && sudo make install && make test-travis )
  - ( cd firejail ; sudo make install-strip DESTDIR=$(readlink -f appdir) )
  - ( cd appdir/ ; tar cfvj ../firejail-build$TRAVIS_BUILD_NUMBER.tar.bz2 . )
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 480df1766..dad8545a0 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -368,12 +368,12 @@ void fs_whitelist(void) {
                // replace ~/ or ${HOME} into /home/username
                new_name = expand_home(dataptr, cfg.homedir);
                assert(new_name);
-                if (arg_debug)
+                if (arg_debug || arg_debug_whitelists)
                        fprintf(stderr, "Debug %d: new_name #%s#, %s\n", __LINE__, new_name, (nowhitelist_flag)? "nowhitelist": "whitelist");
                // valid path referenced to filesystem root
                if (*new_name != '/') {
-                        if (arg_debug)
+                        if (arg_debug || arg_debug_whitelists)
                                fprintf(stderr, "Debug %d: \n", __LINE__);
                        goto errexit;
                }
@@ -417,6 +417,8 @@ void fs_whitelist(void) {
                        entry->data = EMPTY_STRING;
                        continue;
                }
+                else if (arg_debug_whitelists)
+                        printf("real path %s\n", fname);
                if (nowhitelist_flag) {
                        // store the path in nowhitelist array
@@ -501,9 +503,15 @@ void fs_whitelist(void) {
                else if (strncmp(new_name, "/dev/", 5) == 0) {
                        entry->dev_dir = 1;
                        dev_dir = 1;
-                        // both path and absolute path are under /dev
-                        if (strncmp(fname, "/dev/", 5) != 0) {
+                        // special handling for /dev/shm
-                                goto errexit;
+                        // on some platforms (Debian wheezy, Ubuntu 14.04), it is a symlink to /run/shm
+                        if (strcmp(new_name, "/dev/shm") == 0 && strcmp(fname, "/run/shm") == 0);
+                        else {
+                                // both path and absolute path are under /dev
+                                if (strncmp(fname, "/dev/", 5) != 0) {
+                                        goto errexit;
+                                }
                        }
                }
                else if (strncmp(new_name, "/opt/", 5) == 0) {
@@ -708,7 +716,6 @@ void fs_whitelist(void) {
        }
        // go through profile rules again, and interpret whitelist commands
        entry = cfg.profile;
        while (entry) {
diff --git a/test/fs/whitelist-dev.exp b/test/fs/whitelist-dev.exp
index b064671b6..b6ae6319f 100755
--- a/test/fs/whitelist-dev.exp
+++ b/test/fs/whitelist-dev.exp
@@ -25,14 +25,14 @@ sleep 1
 send -- "firejail --whitelist=/dev/null --whitelist=/dev/shm --whitelist=/dev/random\r"
 expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
        "Child process initialized"
 }
 sleep 1
 send -- "find /dev | wc -l\r"
 expect {
-        timeout {puts "TESTING ERROR 0.1\n";exit}
+        timeout {puts "TESTING ERROR 3\n";exit}
        "4"
 }
 after 100
@@ -41,14 +41,14 @@ sleep 1
 send -- "firejail --private-dev --debug\r"
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
        "Child process initialized"
 }
 sleep 1
 send -- "ls -l /dev | wc -l\r"
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 5\n";exit}
        "12" {puts "OK\n"}
        "13" {puts "OK\n"}
        "14" {puts "OK\n"}

diff --git a/.travis.yml b/.travis.yml index 9a2c68361..4c6e41980 100644 --- a/.travis.yml +++ b/.travis.yml
@@ -3,7 +3,7 @@ dist: trusty
3	sudo: true	3	sudo: true
4		4
5	script:	5	script:
6	- sudo apt-get -y install expect csh zsh	6	- sudo apt-get -y install expect csh
7	- ( cd firejail ; ./configure --prefix=/usr --enable-git-install && make && sudo make install && make test-travis )	7	- ( cd firejail ; ./configure --prefix=/usr --enable-git-install && make && sudo make install && make test-travis )
8	- ( cd firejail ; sudo make install-strip DESTDIR=$(readlink -f appdir) )	8	- ( cd firejail ; sudo make install-strip DESTDIR=$(readlink -f appdir) )
9	- ( cd appdir/ ; tar cfvj ../firejail-build$TRAVIS_BUILD_NUMBER.tar.bz2 . )	9	- ( cd appdir/ ; tar cfvj ../firejail-build$TRAVIS_BUILD_NUMBER.tar.bz2 . )


diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 480df1766..dad8545a0 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c
@@ -368,12 +368,12 @@ void fs_whitelist(void) {
368	// replace ~/ or ${HOME} into /home/username	368	// replace ~/ or ${HOME} into /home/username
369	new_name = expand_home(dataptr, cfg.homedir);	369	new_name = expand_home(dataptr, cfg.homedir);
370	assert(new_name);	370	assert(new_name);
371	if (arg_debug)	371	if (arg_debug \|\| arg_debug_whitelists)
372	fprintf(stderr, "Debug %d: new_name #%s#, %s\n", __LINE__, new_name, (nowhitelist_flag)? "nowhitelist": "whitelist");	372	fprintf(stderr, "Debug %d: new_name #%s#, %s\n", __LINE__, new_name, (nowhitelist_flag)? "nowhitelist": "whitelist");
373		373
374	// valid path referenced to filesystem root	374	// valid path referenced to filesystem root
375	if (*new_name != '/') {	375	if (*new_name != '/') {
376	if (arg_debug)	376	if (arg_debug \|\| arg_debug_whitelists)
377	fprintf(stderr, "Debug %d: \n", __LINE__);	377	fprintf(stderr, "Debug %d: \n", __LINE__);
378	goto errexit;	378	goto errexit;
379	}	379	}
@@ -417,6 +417,8 @@ void fs_whitelist(void) {
417	entry->data = EMPTY_STRING;	417	entry->data = EMPTY_STRING;
418	continue;	418	continue;
419	}	419	}
		420	else if (arg_debug_whitelists)
		421	printf("real path %s\n", fname);
420		422
421	if (nowhitelist_flag) {	423	if (nowhitelist_flag) {
422	// store the path in nowhitelist array	424	// store the path in nowhitelist array
@@ -501,9 +503,15 @@ void fs_whitelist(void) {
501	else if (strncmp(new_name, "/dev/", 5) == 0) {	503	else if (strncmp(new_name, "/dev/", 5) == 0) {
502	entry->dev_dir = 1;	504	entry->dev_dir = 1;
503	dev_dir = 1;	505	dev_dir = 1;
504	// both path and absolute path are under /dev	506
505	if (strncmp(fname, "/dev/", 5) != 0) {	507	// special handling for /dev/shm
506	goto errexit;	508	// on some platforms (Debian wheezy, Ubuntu 14.04), it is a symlink to /run/shm
		509	if (strcmp(new_name, "/dev/shm") == 0 && strcmp(fname, "/run/shm") == 0);
		510	else {
		511	// both path and absolute path are under /dev
		512	if (strncmp(fname, "/dev/", 5) != 0) {
		513	goto errexit;
		514	}
507	}	515	}
508	}	516	}
509	else if (strncmp(new_name, "/opt/", 5) == 0) {	517	else if (strncmp(new_name, "/opt/", 5) == 0) {
@@ -708,7 +716,6 @@ void fs_whitelist(void) {
708	}	716	}
709		717
710		718
711
712	// go through profile rules again, and interpret whitelist commands	719	// go through profile rules again, and interpret whitelist commands
713	entry = cfg.profile;	720	entry = cfg.profile;
714	while (entry) {	721	while (entry) {


diff --git a/test/fs/whitelist-dev.exp b/test/fs/whitelist-dev.exp index b064671b6..b6ae6319f 100755 --- a/test/fs/whitelist-dev.exp +++ b/test/fs/whitelist-dev.exp
@@ -25,14 +25,14 @@ sleep 1
25		25
26	send -- "firejail --whitelist=/dev/null --whitelist=/dev/shm --whitelist=/dev/random\r"	26	send -- "firejail --whitelist=/dev/null --whitelist=/dev/shm --whitelist=/dev/random\r"
27	expect {	27	expect {
28	timeout {puts "TESTING ERROR 0\n";exit}	28	timeout {puts "TESTING ERROR 2\n";exit}
29	"Child process initialized"	29	"Child process initialized"
30	}	30	}
31	sleep 1	31	sleep 1
32		32
33	send -- "find /dev \| wc -l\r"	33	send -- "find /dev \| wc -l\r"
34	expect {	34	expect {
35	timeout {puts "TESTING ERROR 0.1\n";exit}	35	timeout {puts "TESTING ERROR 3\n";exit}
36	"4"	36	"4"
37	}	37	}
38	after 100	38	after 100
@@ -41,14 +41,14 @@ sleep 1
41		41
42	send -- "firejail --private-dev --debug\r"	42	send -- "firejail --private-dev --debug\r"
43	expect {	43	expect {
44	timeout {puts "TESTING ERROR 2\n";exit}	44	timeout {puts "TESTING ERROR 4\n";exit}
45	"Child process initialized"	45	"Child process initialized"
46	}	46	}
47	sleep 1	47	sleep 1
48		48
49	send -- "ls -l /dev \| wc -l\r"	49	send -- "ls -l /dev \| wc -l\r"
50	expect {	50	expect {
51	timeout {puts "TESTING ERROR 3\n";exit}	51	timeout {puts "TESTING ERROR 5\n";exit}
52	"12" {puts "OK\n"}	52	"12" {puts "OK\n"}
53	"13" {puts "OK\n"}	53	"13" {puts "OK\n"}
54	"14" {puts "OK\n"}	54	"14" {puts "OK\n"}