Diffstat (limited to 'src/firejail/fs_var.c')
-rw-r--r--src/firejail/fs_var.c69
1 files changed, 19 insertions, 50 deletions
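diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index f904fa5d9..ca50685ad 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -98,10 +98,7 @@ static void build_dirs(void) {
 // create directories under /var/log
 DirData *ptr = dirlist;
 while (ptr) {
-if (mkdir(ptr->name, ptr->st_mode))
-errExit("mkdir");
-if (chown(ptr->name, ptr->st_uid, ptr->st_gid))
-errExit("chown");
+mkdir_attr(ptr->name, ptr->st_mode, ptr->st_uid, ptr->st_gid);
 fs_logger2("mkdir", ptr->name);
 ptr = ptr->next;
 }
@@ -121,7 +118,7 @@ void fs_var_log(void) {
 // mount a tmpfs on top of /var/log
 if (arg_debug)
 printf("Mounting tmpfs on /var/log\n");
-if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 errExit("mounting /var/log");
 fs_logger("tmpfs /var/log");
 
@@ -131,22 +128,16 @@ void fs_var_log(void) {
 // create an empty /var/log/wtmp file
 /* coverity[toctou] */
 FILE *fp = fopen("/var/log/wtmp", "w");
+SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
 if (fp)
 fclose(fp);
-if (chown("/var/log/wtmp", 0, wtmp_group) < 0)
-errExit("chown");
-if (chmod("/var/log/wtmp", S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH ) < 0)
-errExit("chmod");
 fs_logger("touch /var/log/wtmp");
 
 // create an empty /var/log/btmp file
 fp = fopen("/var/log/btmp", "w");
+SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP);
 if (fp)
 fclose(fp);
-if (chown("/var/log/btmp", 0, wtmp_group) < 0)
-errExit("chown");
-if (chmod("/var/log/btmp", S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP) < 0)
-errExit("chmod");
 fs_logger("touch /var/log/btmp");
 }
 else
@@ -160,7 +151,7 @@ void fs_var_lib(void) {
 if (stat("/var/lib/dhcp", &s) == 0) {
 if (arg_debug)
 printf("Mounting tmpfs on /var/lib/dhcp\n");
-if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 errExit("mounting /var/lib/dhcp");
 fs_logger("tmpfs /var/lib/dhcp");
 
@@ -169,11 +160,8 @@ void fs_var_lib(void) {
 
 if (fp) {
 fprintf(fp, "\n");
+SET_PERMS_STREAM(fp, 0, 0, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
 fclose(fp);
-if (chown("/var/lib/dhcp/dhcpd.leases", 0, 0) == -1)
-errExit("chown");
-if (chmod("/var/lib/dhcp/dhcpd.leases", S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH))
-errExit("chmod");
 fs_logger("touch /var/lib/dhcp/dhcpd.leases");
 }
 }
@@ -182,7 +170,7 @@ void fs_var_lib(void) {
 if (stat("/var/lib/nginx", &s) == 0) {
 if (arg_debug)
 printf("Mounting tmpfs on /var/lib/nginx\n");
-if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 errExit("mounting /var/lib/nginx");
 fs_logger("tmpfs /var/lib/nginx");
 }
@@ -191,7 +179,7 @@ void fs_var_lib(void) {
 if (stat("/var/lib/snmp", &s) == 0) {
 if (arg_debug)
 printf("Mounting tmpfs on /var/lib/snmp\n");
-if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 errExit("mounting /var/lib/snmp");
 fs_logger("tmpfs /var/lib/snmp");
 }
@@ -200,7 +188,7 @@ void fs_var_lib(void) {
 if (stat("/var/lib/sudo", &s) == 0) {
 if (arg_debug)
 printf("Mounting tmpfs on /var/lib/sudo\n");
-if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 errExit("mounting /var/lib/sudo");
 fs_logger("tmpfs /var/lib/sudo");
 }
@@ -212,7 +200,7 @@ void fs_var_cache(void) {
 if (stat("/var/cache/apache2", &s) == 0) {
 if (arg_debug)
 printf("Mounting tmpfs on /var/cache/apache2\n");
-if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 errExit("mounting /var/cache/apache2");
 fs_logger("tmpfs /var/cache/apache2");
 }
@@ -220,7 +208,7 @@ void fs_var_cache(void) {
 if (stat("/var/cache/lighttpd", &s) == 0) {
 if (arg_debug)
 printf("Mounting tmpfs on /var/cache/lighttpd\n");
-if (mount("tmpfs", "/var/cache/lighttpd", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", "/var/cache/lighttpd", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 errExit("mounting /var/cache/lighttpd");
 fs_logger("tmpfs /var/cache/lighttpd");
 
@@ -232,18 +220,10 @@ void fs_var_cache(void) {
 gid = p->pw_gid;
 }
 
-int rv = mkdir("/var/cache/lighttpd/compress", 0755);
-if (rv == -1)
-errExit("mkdir");
-if (chown("/var/cache/lighttpd/compress", uid, gid) < 0)
-errExit("chown");
+mkdir_attr("/var/cache/lighttpd/compress", 0755, uid, gid);
 fs_logger("mkdir /var/cache/lighttpd/compress");
 
-rv = mkdir("/var/cache/lighttpd/uploads", 0755);
-if (rv == -1)
-errExit("mkdir");
-if (chown("/var/cache/lighttpd/uploads", uid, gid) < 0)
-errExit("chown");
+mkdir_attr("/var/cache/lighttpd/uploads", 0755, uid, gid);
 fs_logger("/var/cache/lighttpd/uploads");
 }
 }
@@ -268,7 +248,7 @@ void fs_var_lock(void) {
 if (is_dir("/var/lock")) {
 if (arg_debug)
 printf("Mounting tmpfs on /var/lock\n");
-if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
+if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
 errExit("mounting /lock");
 fs_logger("tmpfs /var/lock");
 }
@@ -277,16 +257,11 @@ void fs_var_lock(void) {
 if (lnk) {
 if (!is_dir(lnk)) {
 // create directory
-if (mkdir(lnk, S_IRWXU|S_IRWXG|S_IRWXO))
-errExit("mkdir");
-if (chown(lnk, 0, 0))
-errExit("chown");
-if (chmod(lnk, S_IRWXU|S_IRWXG|S_IRWXO))
-errExit("chmod");
+mkdir_attr(lnk, S_IRWXU|S_IRWXG|S_IRWXO, 0, 0);
 }
 if (arg_debug)
 printf("Mounting tmpfs on %s on behalf of /var/lock\n", lnk);
-if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
+if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
 errExit("mounting /var/lock");
 free(lnk);
 fs_logger("tmpfs /var/lock");
@@ -304,7 +279,7 @@ void fs_var_tmp(void) {
 if (!is_link("/var/tmp")) {
 if (arg_debug)
 printf("Mounting tmpfs on /var/tmp\n");
-if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
+if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
 errExit("mounting /var/tmp");
 fs_logger("tmpfs /var/tmp");
 }
@@ -327,9 +302,6 @@ void fs_var_utmp(void) {
 return;
 }
 
-// create /tmp/firejail/mnt directory
-fs_build_mnt_dir();
-
 // create a new utmp file
 if (arg_debug)
 printf("Create the new utmp file\n");
@@ -353,16 +325,13 @@ void fs_var_utmp(void) {
 
 // save new utmp file
 fwrite(&u_boot, sizeof(u_boot), 1, fp);
+SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
 fclose(fp);
-if (chown(RUN_UTMP_FILE, 0, utmp_group) < 0)
-errExit("chown");
-if (chmod(RUN_UTMP_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH ) < 0)
-errExit("chmod");
 
 // mount the new utmp file
 if (arg_debug)
 printf("Mount the new utmp file\n");
-if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_REC, NULL) < 0)
+if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_NOSUID|MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
 errExit("mount bind utmp");
 fs_logger("create /var/run/utmp");
 }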
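Review bot: The `MS_NOSUID|MS_NOEXEC|MS_NODEV` flags added to the utmp bind mount at new line 334 are unlikely to take effect, because per mount(2) an initial `MS_BIND` call ignores every mount flag other than `MS_REC` and the bind keeps the options of the underlying mount. To apply them, follow the bind with a remount such as `if (mount(NULL, UTMP_FILE, NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL) < 0) errExit("remount utmp");`. Separately, in fs_var_log `SET_PERMS_STREAM(fp, ...)` now runs before the `if (fp)` test at new lines 131 and 138. The macro is defined outside this page, but if it dereferences the stream (for example through `fileno`), a failed `fopen` becomes a NULL dereference, so the call belongs inside the `if (fp)` branch as fs_var_lib does at new line 163. Both functions start and end outside the visible hunks, so this is based only on the lines shown.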