1 files changed, 35 insertions, 37 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 5cce383e2..aec1698b0 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -540,50 +540,48 @@ void fs_proc_sys_dev_boot(void) {
 }
 static void sanitize_home(void) {
-        // extract current /home directory data
+        assert(getuid() != 0);  // this code works only for regular users
-        struct dirent *dir;
+        
-        DIR *d = opendir("/home");
+        if (arg_debug)
-        if (d == NULL)
+                printf("Cleaning /home directory\n");
+        
+        struct stat s;
+        if (stat(cfg.homedir, &s) == -1) {
+                // cannot find home directory, just return
+                fprintf(stderr, "Warning: cannot find home directory\n");
                return;
-        while ((dir = readdir(d))) {
-                if(strcmp(dir->d_name, "." ) == 0 || strcmp(dir->d_name, ".." ) == 0)
-                        continue;
-                if (dir->d_type == DT_DIR ) {
-                        // get properties
-                        struct stat s;
-                        char *name;
-                        if (asprintf(&name, "/home/%s", dir->d_name) == -1)
-                                continue;
-                        if (stat(name, &s) == -1)
-                                continue;
-                        if (S_ISLNK(s.st_mode)) {
-                                free(name);
-                                continue;
-                        }
-                        
-                        if (strcmp(name, cfg.homedir) == 0)
-                                continue;
-//                      printf("directory %u %u:%u #%s#\n",
-//                              s.st_mode,
-//                              s.st_uid,
-//                              s.st_gid,
-//                              name);
-                        
-                        // disable directory
-                        disable_file(BLACKLIST_FILE, name);
-                        free(name);
-                }                       
        }
-        closedir(d);
+        
-}
+        fs_build_mnt_dir();
+        if (mkdir(WHITELIST_HOME_DIR, 0755) == -1)
+                errExit("mkdir");
+        // keep a copy of the user home directory
+        if (mount(cfg.homedir, WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
+                errExit("mount bind");
+        // mount tmpfs in the new home
+        if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                errExit("mount tmpfs");
+        // create user home directory
+        if (mkdir(cfg.homedir, 0755) == -1)
+                errExit("mkdir");
+        // set mode and ownership
+        if (chown(cfg.homedir, s.st_uid, s.st_gid) == -1)
+                errExit("chown");
+        if (chmod(cfg.homedir, s.st_mode) == -1)
+                errExit("chmod");
+        // mount user home directory
+        if (mount(WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
+                errExit("mount bind");
+        // mask home dir under /run
+        if (mount("tmpfs", WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                errExit("mount tmpfs");
+}
 // build a basic read-only filesystem
 void fs_basic_fs(void) {

diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 5cce383e2..aec1698b0 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -540,50 +540,48 @@ void fs_proc_sys_dev_boot(void) {
540	}	540	}
541		541
542	static void sanitize_home(void) {	542	static void sanitize_home(void) {
543	// extract current /home directory data	543	assert(getuid() != 0); // this code works only for regular users
544	struct dirent *dir;	544
545	DIR *d = opendir("/home");	545	if (arg_debug)
546	if (d == NULL)	546	printf("Cleaning /home directory\n");
		547
		548	struct stat s;
		549	if (stat(cfg.homedir, &s) == -1) {
		550	// cannot find home directory, just return
		551	fprintf(stderr, "Warning: cannot find home directory\n");
547	return;	552	return;
548
549	while ((dir = readdir(d))) {
550	if(strcmp(dir->d_name, "." ) == 0 \|\| strcmp(dir->d_name, ".." ) == 0)
551	continue;
552
553	if (dir->d_type == DT_DIR ) {
554	// get properties
555	struct stat s;
556	char *name;
557	if (asprintf(&name, "/home/%s", dir->d_name) == -1)
558	continue;
559	if (stat(name, &s) == -1)
560	continue;
561	if (S_ISLNK(s.st_mode)) {
562	free(name);
563	continue;
564	}
565
566	if (strcmp(name, cfg.homedir) == 0)
567	continue;
568
569	// printf("directory %u %u:%u #%s#\n",
570	// s.st_mode,
571	// s.st_uid,
572	// s.st_gid,
573	// name);
574
575	// disable directory
576	disable_file(BLACKLIST_FILE, name);
577	free(name);
578	}
579	}	553	}
580	closedir(d);	554
581	}	555	fs_build_mnt_dir();
		556	if (mkdir(WHITELIST_HOME_DIR, 0755) == -1)
		557	errExit("mkdir");
		558
		559	// keep a copy of the user home directory
		560	if (mount(cfg.homedir, WHITELIST_HOME_DIR, NULL, MS_BIND\|MS_REC, NULL) < 0)
		561	errExit("mount bind");
582		562
		563	// mount tmpfs in the new home
		564	if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID \| MS_NODEV \| MS_STRICTATIME \| MS_REC, "mode=755,gid=0") < 0)
		565	errExit("mount tmpfs");
583		566
		567	// create user home directory
		568	if (mkdir(cfg.homedir, 0755) == -1)
		569	errExit("mkdir");
584		570
		571	// set mode and ownership
		572	if (chown(cfg.homedir, s.st_uid, s.st_gid) == -1)
		573	errExit("chown");
		574	if (chmod(cfg.homedir, s.st_mode) == -1)
		575	errExit("chmod");
585		576
		577	// mount user home directory
		578	if (mount(WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND\|MS_REC, NULL) < 0)
		579	errExit("mount bind");
586		580
		581	// mask home dir under /run
		582	if (mount("tmpfs", WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID \| MS_NODEV \| MS_STRICTATIME \| MS_REC, "mode=755,gid=0") < 0)
		583	errExit("mount tmpfs");
		584	}
587		585
588	// build a basic read-only filesystem	586	// build a basic read-only filesystem
589	void fs_basic_fs(void) {	587	void fs_basic_fs(void) {