Diffstat (limited to 'src/firejail/fs.c')
-rw-r--r-- | src/firejail/fs.c | 72 |
1 files changed, 35 insertions, 37 deletions
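--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -540,50 +540,48 @@ void fs_proc_sys_dev_boot(void) {
 }
 
 static void sanitize_home(void) {
-// extract current /home directory data
-struct dirent *dir;
-DIR *d = opendir("/home");
-if (d == NULL)
+assert(getuid() != 0); // this code works only for regular users
+
+if (arg_debug)
+printf("Cleaning /home directory\n");
+
+struct stat s;
+if (stat(cfg.homedir, &s) == -1) {
+// cannot find home directory, just return
+fprintf(stderr, "Warning: cannot find home directory\n");
 return;
-
-while ((dir = readdir(d))) {
-if(strcmp(dir->d_name, "." ) == 0 || strcmp(dir->d_name, ".." ) == 0)
-continue;
-
-if (dir->d_type == DT_DIR ) {
-// get properties
-struct stat s;
-char *name;
-if (asprintf(&name, "/home/%s", dir->d_name) == -1)
-continue;
-if (stat(name, &s) == -1)
-continue;
-if (S_ISLNK(s.st_mode)) {
-free(name);
-continue;
-}
-
-if (strcmp(name, cfg.homedir) == 0)
-continue;
-
-// printf("directory %u %u:%u #%s#\n",
-// s.st_mode,
-// s.st_uid,
-// s.st_gid,
-// name);
-
-// disable directory
-disable_file(BLACKLIST_FILE, name);
-free(name);
-}
 }
-closedir(d);
-}
+
+fs_build_mnt_dir();
+if (mkdir(WHITELIST_HOME_DIR, 0755) == -1)
+errExit("mkdir");
+
+// keep a copy of the user home directory
+if (mount(cfg.homedir, WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
+errExit("mount bind");
 
+// mount tmpfs in the new home
+if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+errExit("mount tmpfs");
 
+// create user home directory
+if (mkdir(cfg.homedir, 0755) == -1)
+errExit("mkdir");
 
+// set mode and ownership
+if (chown(cfg.homedir, s.st_uid, s.st_gid) == -1)
+errExit("chown");
+if (chmod(cfg.homedir, s.st_mode) == -1)
+errExit("chmod");
 
+// mount user home directory
+if (mount(WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
+errExit("mount bind");
 
+// mask home dir under /run
+if (mount("tmpfs", WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+errExit("mount tmpfs");
+}
 
 // build a basic read-only filesystem
 void fs_basic_fs(void) {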
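Review bot: The new `stat(cfg.homedir, &s) == -1` branch at the top of sanitize_home() fails open: it prints a warning and returns, so when the home directory cannot be stat'ed the tmpfs over /home is never mounted and every other user's home directory stays visible to the sandboxed process, which is exactly what this function exists to prevent. Every later failure in the same function goes through errExit(), so for consistency and fail-closed behaviour the branch should do the same, e.g. `errExit("stat home directory");` in place of the fprintf/return pair, or at least the caller should be documented as responsible for not continuing when it returns. Separately, the `assert(getuid() != 0)` guard disappears under NDEBUG, so if the root restriction matters at runtime it wants a real check rather than an assertion. The `chmod(cfg.homedir, s.st_mode)` call passes the file-type bits along with the permission bits; Linux ignores them, but `s.st_mode & 07777` states the intent. The whole function is inside the hunk.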