Diffstat (limited to 'src/firejail/fs.c')
-rw-r--r--src/firejail/fs.c59
1 files changed, 6 insertions, 53 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index aec1698b0..ad84b2222 100644
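--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -539,49 +539,6 @@ void fs_proc_sys_dev_boot(void) {
  }
 }
 
-static void sanitize_home(void) {
- assert(getuid() != 0); // this code works only for regular users
-
- if (arg_debug)
- printf("Cleaning /home directory\n");
-
- struct stat s;
- if (stat(cfg.homedir, &s) == -1) {
- // cannot find home directory, just return
- fprintf(stderr, "Warning: cannot find home directory\n");
- return;
- }
-
- fs_build_mnt_dir();
- if (mkdir(WHITELIST_HOME_DIR, 0755) == -1)
- errExit("mkdir");
-
- // keep a copy of the user home directory
- if (mount(cfg.homedir, WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
- errExit("mount bind");
-
- // mount tmpfs in the new home
- if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
- errExit("mount tmpfs");
-
- // create user home directory
- if (mkdir(cfg.homedir, 0755) == -1)
- errExit("mkdir");
-
- // set mode and ownership
- if (chown(cfg.homedir, s.st_uid, s.st_gid) == -1)
- errExit("chown");
- if (chmod(cfg.homedir, s.st_mode) == -1)
- errExit("chmod");
-
- // mount user home directory
- if (mount(WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
- errExit("mount bind");
-
- // mask home dir under /run
- if (mount("tmpfs", WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
- errExit("mount tmpfs");
-}
 
 // build a basic read-only filesystem
 void fs_basic_fs(void) {
@@ -605,9 +562,8 @@ void fs_basic_fs(void) {
  fs_var_cache();
  fs_var_utmp();
 
- // only in user mode
- if (getuid())
- sanitize_home();
+ // don't leak user information
+ restrict_users();
 }
 
 
@@ -751,9 +707,8 @@ void fs_overlayfs(void) {
  fs_var_cache();
  fs_var_utmp();
 
- // only in user mode
- if (getuid())
- sanitize_home();
+ // don't leak user information
+ restrict_users();
 
  // cleanup and exit
  free(option);
@@ -874,10 +829,8 @@ void fs_chroot(const char *rootdir) {
  fs_var_cache();
  fs_var_utmp();
 
- // only in user mode
- if (getuid())
- sanitize_home();
-
+ // don't leak user information
+ restrict_users();
 }
 #endif
 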
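Review bot: The call to `restrict_users()` in fs_basic_fs (new line 566) is no longer guarded by `getuid()`, while the removed `sanitize_home()` asserted `getuid() != 0` and was skipped for root; the same unguarded call is introduced in fs_overlayfs (new line 711) and fs_chroot (new line 833). The definition of `restrict_users()` is not part of this file's diff, so it cannot be confirmed from here that it handles uid 0 itself, or that it still masks the other users' home directories that the old tmpfs-over-`/home` sequence hid. Once that is verified, I would record the contract at each call site, e.g. `// don't leak user information; restrict_users() decides on its own what applies to uid 0`. All three enclosing functions start outside their hunks, so the state of the mount namespace at the point of the call (in particular inside the chroot in fs_chroot) should be checked against the full file.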