Diffstat (limited to 'src/firejail/fs.c')
-rw-r--r-- | src/firejail/fs.c | 59 |
1 files changed, 6 insertions, 53 deletions
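--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -539,49 +539,6 @@ void fs_proc_sys_dev_boot(void) {
 }
 }
 
-static void sanitize_home(void) {
-assert(getuid() != 0); // this code works only for regular users
-
-if (arg_debug)
-printf("Cleaning /home directory\n");
-
-struct stat s;
-if (stat(cfg.homedir, &s) == -1) {
-// cannot find home directory, just return
-fprintf(stderr, "Warning: cannot find home directory\n");
-return;
-}
-
-fs_build_mnt_dir();
-if (mkdir(WHITELIST_HOME_DIR, 0755) == -1)
-errExit("mkdir");
-
-// keep a copy of the user home directory
-if (mount(cfg.homedir, WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-errExit("mount bind");
-
-// mount tmpfs in the new home
-if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
-errExit("mount tmpfs");
-
-// create user home directory
-if (mkdir(cfg.homedir, 0755) == -1)
-errExit("mkdir");
-
-// set mode and ownership
-if (chown(cfg.homedir, s.st_uid, s.st_gid) == -1)
-errExit("chown");
-if (chmod(cfg.homedir, s.st_mode) == -1)
-errExit("chmod");
-
-// mount user home directory
-if (mount(WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
-errExit("mount bind");
-
-// mask home dir under /run
-if (mount("tmpfs", WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
-errExit("mount tmpfs");
-}
 
 // build a basic read-only filesystem
 void fs_basic_fs(void) {
@@ -605,9 +562,8 @@ void fs_basic_fs(void) {
 fs_var_cache();
 fs_var_utmp();
 
-// only in user mode
-if (getuid())
-sanitize_home();
+// don't leak user information
+restrict_users();
 }
 
 
@@ -751,9 +707,8 @@ void fs_overlayfs(void) {
 fs_var_cache();
 fs_var_utmp();
 
-// only in user mode
-if (getuid())
-sanitize_home();
+// don't leak user information
+restrict_users();
 
 // cleanup and exit
 free(option);
@@ -874,10 +829,8 @@ void fs_chroot(const char *rootdir) {
 fs_var_cache();
 fs_var_utmp();
 
-// only in user mode
-if (getuid())
-sanitize_home();
-
+// don't leak user information
+restrict_users();
 }
 #endif
 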
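Review bot: The `if (getuid())` guard is dropped at all three call sites (fs_basic_fs, fs_overlayfs and fs_chroot), so `restrict_users()` now also runs when the sandbox is started by root, whereas the removed sanitize_home() asserted `getuid() != 0` before mounting a tmpfs over /home. restrict_users() is defined outside this file's diff, so it is not visible here whether it repeats that uid check; if it does not, root sandboxes would reach a /home masking path that was previously user-only. The new comment should state this at the call once it is confirmed, for example `// hide other users' data; restrict_users() does its own uid 0 check`. The bodies of the three callers start outside their hunks.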