Diffstat (limited to 'src/firejail/fs_home.c')
-rw-r--r--src/firejail/fs_home.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index bdfaba480..bec22e5a6 100644
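--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -60,6 +60,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
 touch_file_as_user(fname, 0644);
 fs_logger2("touch", fname);
 }
+selinux_relabel_path(fname, fname);
 free(fname);
 }
 // csh
@@ -85,6 +86,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
 touch_file_as_user(fname, 0644);
 fs_logger2("touch", fname);
 }
+selinux_relabel_path(fname, fname);
 free(fname);
 }
 // bash etc.
@@ -105,6 +107,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
 fs_logger("clone /etc/skel/.bashrc");
 fs_logger2("clone", fname);
 }
+selinux_relabel_path(fname, fname);
 free(fname);
 }
 }
@@ -139,6 +142,7 @@ static int store_xauthority(void) {
 
 copy_file_as_user(src, dest, getuid(), getgid(), 0600); // regular user
 fs_logger2("clone", dest);
+selinux_relabel_path(dest, src);
 free(src);
 return 1; // file copied
 }
@@ -185,6 +189,7 @@ static int store_asoundrc(void) {
 errExit("fopen");
 
 copy_file_as_user(src, dest, getuid(), getgid(), 0644); // regular user
+selinux_relabel_path(dest, src);
 fs_logger2("clone", dest);
 free(src);
 return 1; // file copied
@@ -208,6 +213,7 @@ static void copy_xauthority(void) {
 }
 
 copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user
+selinux_relabel_path(dest, src);
 fs_logger2("clone", dest);
 free(dest);
 
@@ -313,6 +319,7 @@ void fs_private_homedir(void) {
 printf("Mounting a new /root directory\n");
 if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=700,gid=0") < 0)
 errExit("mounting /root directory");
+selinux_relabel_path("/root", "/root");
 fs_logger("tmpfs /root");
 }
 if (u == 0 && !arg_allusers) {
@@ -321,6 +328,7 @@ void fs_private_homedir(void) {
 printf("Mounting a new /home directory\n");
 if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=755,gid=0") < 0)
 errExit("mounting /home directory");
+selinux_relabel_path("/home", "/home");
 fs_logger("tmpfs /home");
 }
 
@@ -355,6 +363,7 @@ void fs_private(void) {
 fwarning("allusers option disabled by private or whitelist option\n");
 if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=755,gid=0") < 0)
 errExit("mounting /home directory");
+selinux_relabel_path("/home", "/home");
 fs_logger("tmpfs /home");
 }
 
@@ -378,6 +387,8 @@ void fs_private(void) {
 }
 if (chown(homedir, u, g) < 0)
 errExit("chown");
+selinux_relabel_path(homedir, homedir);
+
 fs_logger2("mkdir", homedir);
 fs_logger2("tmpfs", homedir);
 }
@@ -542,6 +553,7 @@ void fs_private_home_list(void) {
 
 // create /run/firejail/mnt/home directory
 mkdir_attr(RUN_HOME_DIR, 0755, uid, gid);
+selinux_relabel_path(RUN_HOME_DIR, "/home");
 fs_logger_print(); // save the current log
 
 if (arg_debug)
@@ -604,6 +616,7 @@ void fs_private_home_list(void) {
 printf("Mounting a new /root directory\n");
 if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=700,gid=0") < 0)
 errExit("mounting /root directory");
+selinux_relabel_path("/root", "/root");
 fs_logger("tmpfs /root");
 }
 if (uid == 0 && !arg_allusers) {
@@ -612,6 +625,7 @@ void fs_private_home_list(void) {
 printf("Mounting a new /home directory\n");
 if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0)
 errExit("mounting /home directory");
+selinux_relabel_path("/home", "/home");
 fs_logger("tmpfs /home");
 }
 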
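Review bot: In the skel() and copy_xauthority() hunks the added `selinux_relabel_path(...)` call receives a path string (`fname`, `dest`) that appears to live under the user's home directory, right after the file was created with the user's credentials by `copy_file_as_user` / `touch_file_as_user`, and nothing visible here shows how the helper resolves that path. The helper's body and the rest of these functions are outside the hunks, so this is a point to confirm rather than a demonstrated defect: the helper should pin the object through a descriptor opened without following symlinks and apply the label to that descriptor, because a by-name relabel performed with more privilege than the creation step would act on whatever the path refers to at that moment. I would record the contract at the first call site, e.g. `// selinux_relabel_path() must not follow symlinks in path; 2nd arg names the path whose default label is applied`, with the second-argument meaning checked against the helper since it is inferred from calls like `selinux_relabel_path(RUN_HOME_DIR, "/home")`. In the third skel() hunk the call also sits after the block that clones `/etc/skel/.bashrc`, so if no other branch creates the file the helper is handed a path that may not exist and needs to tolerate that quietly. As a style point, the call follows `fs_logger2("clone", dest)` in store_xauthority() but precedes it in store_asoundrc() and copy_xauthority(); one order throughout would be easier to scan.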