Diffstat (limited to 'src/firejail/fs.c')
-rw-r--r-- | src/firejail/fs.c | 33 |
1 files changed, 20 insertions, 13 deletions
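--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -171,21 +171,28 @@ static void disable_file(OPERATION op, const char *filename) {
 fs_remount_rec(fname, op);
 }
 else if (op == MOUNT_TMPFS) {
-if (S_ISDIR(s.st_mode)) {
-if (getuid()) {
-if (strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
-fname[strlen(cfg.homedir)] != '/') {
-fprintf(stderr, "Error: tmpfs outside $HOME is only available for root\n");
-exit(1);
-}
+if (!S_ISDIR(s.st_mode)) {
+fwarning("%s is not a directory; cannot mount a tmpfs on top of it.\n", fname);
+free(fname);
+return;
+}
+
+uid_t uid = getuid();
+if (uid != 0) {
+// only user owned directories in user home
+if (s.st_uid != uid ||
+strncmp(cfg.homedir, fname, strlen(cfg.homedir)) != 0 ||
+fname[strlen(cfg.homedir)] != '/') {
+fwarning("you are not allowed to mount a tmpfs on %s\n", fname);
+free(fname);
+return;
 }
-// fs_tmpfs returns with EUID 0
-fs_tmpfs(fname, getuid());
-selinux_relabel_path(fname, fname);
-EUID_USER();
 }
-else
-fwarning("%s is not a directory; cannot mount a tmpfs on top of it.\n", fname);
+
+fs_tmpfs(fname, uid);
+EUID_USER(); // fs_tmpfs returns with EUID 0
+
+selinux_relabel_path(fname, fname);
 }
 else
 assert(0);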
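Review bot: The refusal branch (new lines 183-188) now calls `fwarning(...)` and returns where the previous code ended with `exit(1)`, so a sandbox whose profile asks for a tmpfs over a directory the user may not cover starts anyway with the real directory contents still visible. If continuing is intended, say so at the branch with a comment such as `// not fatal: the tmpfs is skipped and the real directory stays visible in the sandbox`; otherwise keep the hard failure. Separately, `selinux_relabel_path(fname, fname)` now runs after `EUID_USER()` rather than before it, so whether the relabel still has the privilege it needs depends on that helper, which is not visible here. The `s.st_uid != uid` check uses a stat result taken earlier in disable_file(), outside this hunk, and fs_tmpfs() is then given the path again, so the ownership test is only as strong as fs_tmpfs()'s own re-validation of the target.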