Diffstat (limited to 'src/firejail/fs.c')
-rw-r--r-- | src/firejail/fs.c | 18 |
1 files changed, 13 insertions, 5 deletions
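--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -77,7 +77,7 @@ static void disable_file(OPERATION op, const char *filename) {
 
 EUID_ROOT();
 int err = bind_mount_path_to_fd(RUN_RO_DIR, fd);
-if (err < 0)
+if (err != 0)
 err = bind_mount_path_to_fd(RUN_RO_FILE, fd);
 EUID_USER();
 close(fd);
@@ -655,8 +655,13 @@ static void fs_remount_rec(const char *dir, OPERATION op) {
 // resolve a path and remount it
 void fs_remount(const char *path, OPERATION op, int rec) {
 assert(path);
-assert(geteuid() == 0);
-EUID_USER();
+
+int called_as_root = 0;
+if (geteuid() == 0)
+called_as_root = 1;
+
+if (called_as_root)
+EUID_USER();
 
 char *rpath = realpath(path, NULL);
 if (rpath) {
@@ -666,7 +671,9 @@ void fs_remount(const char *path, OPERATION op, int rec) {
 fs_remount_simple(rpath, op);
 free(rpath);
 }
-EUID_ROOT();
+
+if (called_as_root)
+EUID_ROOT();
 }
 
 // Disable /mnt, /media, /run/mount and /run/media access
@@ -821,7 +828,6 @@ void disable_config(void) {
 
 
 // build a basic read-only filesystem
-// top level directories could be links, run no after-mount checks
 void fs_basic_fs(void) {
 uid_t uid = getuid();
 
@@ -831,6 +837,7 @@ void fs_basic_fs(void) {
 if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
 errExit("mounting /proc");
 
+EUID_USER();
 if (arg_debug)
 printf("Basic read-only filesystem:\n");
 if (!arg_writable_etc) {
@@ -850,6 +857,7 @@ void fs_basic_fs(void) {
 fs_remount("/lib64", MOUNT_READONLY, 1);
 fs_remount("/lib32", MOUNT_READONLY, 1);
 fs_remount("/libx32", MOUNT_READONLY, 1);
+EUID_ROOT();
 
 // update /var directory in order to support multiple sandboxes running on the same root directory
 fs_var_lock();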
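Review bot: fs_remount() loses its only privilege precondition when `assert(geteuid() == 0)` is removed, and the comment above it (`// resolve a path and remount it`) still does not say which effective uid a caller may hold. The new body runs `realpath(path, NULL)` as the user in both cases and switches back to root only when it was entered as root, so the contract is worth stating on the function, e.g. `// may be called with euid root or user; the path is always resolved as the user and the entry euid is restored on return`. The flag can also be set in one line, `int called_as_root = (geteuid() == 0);`. In fs_basic_fs() the added EUID_USER()/EUID_ROOT() pair brackets lines between the last two hunks that are not shown here, so it should be confirmed that nothing in that span still needs root.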