Diffstat (limited to 'src/firejail/fs_var.c')
-rw-r--r-- | src/firejail/fs_var.c | 69 |
1 files changed, 19 insertions, 50 deletions
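diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index f904fa5d9..ca50685ad 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -98,10 +98,7 @@ static void build_dirs(void) {
 // create directories under /var/log
 DirData *ptr = dirlist;
 while (ptr) {
-if (mkdir(ptr->name, ptr->st_mode))
-errExit("mkdir");
-if (chown(ptr->name, ptr->st_uid, ptr->st_gid))
-errExit("chown");
+mkdir_attr(ptr->name, ptr->st_mode, ptr->st_uid, ptr->st_gid);
 fs_logger2("mkdir", ptr->name);
 ptr = ptr->next;
 }
@@ -121,7 +118,7 @@ void fs_var_log(void) {
 // mount a tmpfs on top of /var/log
 if (arg_debug)
 printf("Mounting tmpfs on /var/log\n");
-if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 errExit("mounting /var/log");
 fs_logger("tmpfs /var/log");
 
@@ -131,22 +128,16 @@ void fs_var_log(void) {
 // create an empty /var/log/wtmp file
 /* coverity[toctou] */
 FILE *fp = fopen("/var/log/wtmp", "w");
+SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
 if (fp)
 fclose(fp);
-if (chown("/var/log/wtmp", 0, wtmp_group) < 0)
-errExit("chown");
-if (chmod("/var/log/wtmp", S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH ) < 0)
-errExit("chmod");
 fs_logger("touch /var/log/wtmp");
 
 // create an empty /var/log/btmp file
 fp = fopen("/var/log/btmp", "w");
+SET_PERMS_STREAM(fp, 0, wtmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP);
 if (fp)
 fclose(fp);
-if (chown("/var/log/btmp", 0, wtmp_group) < 0)
-errExit("chown");
-if (chmod("/var/log/btmp", S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP) < 0)
-errExit("chmod");
 fs_logger("touch /var/log/btmp");
 }
 else
@@ -160,7 +151,7 @@ void fs_var_lib(void) {
 if (stat("/var/lib/dhcp", &s) == 0) {
 if (arg_debug)
 printf("Mounting tmpfs on /var/lib/dhcp\n");
-if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 errExit("mounting /var/lib/dhcp");
 fs_logger("tmpfs /var/lib/dhcp");
 
@@ -169,11 +160,8 @@ void fs_var_lib(void) {
 
 if (fp) {
 fprintf(fp, "\n");
+SET_PERMS_STREAM(fp, 0, 0, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
 fclose(fp);
-if (chown("/var/lib/dhcp/dhcpd.leases", 0, 0) == -1)
-errExit("chown");
-if (chmod("/var/lib/dhcp/dhcpd.leases", S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH))
-errExit("chmod");
 fs_logger("touch /var/lib/dhcp/dhcpd.leases");
 }
 }
@@ -182,7 +170,7 @@ void fs_var_lib(void) {
 if (stat("/var/lib/nginx", &s) == 0) {
 if (arg_debug)
 printf("Mounting tmpfs on /var/lib/nginx\n");
-if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 errExit("mounting /var/lib/nginx");
 fs_logger("tmpfs /var/lib/nginx");
 }
@@ -191,7 +179,7 @@ void fs_var_lib(void) {
 if (stat("/var/lib/snmp", &s) == 0) {
 if (arg_debug)
 printf("Mounting tmpfs on /var/lib/snmp\n");
-if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 errExit("mounting /var/lib/snmp");
 fs_logger("tmpfs /var/lib/snmp");
 }
@@ -200,7 +188,7 @@ void fs_var_lib(void) {
 if (stat("/var/lib/sudo", &s) == 0) {
 if (arg_debug)
 printf("Mounting tmpfs on /var/lib/sudo\n");
-if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 errExit("mounting /var/lib/sudo");
 fs_logger("tmpfs /var/lib/sudo");
 }
@@ -212,7 +200,7 @@ void fs_var_cache(void) {
 if (stat("/var/cache/apache2", &s) == 0) {
 if (arg_debug)
 printf("Mounting tmpfs on /var/cache/apache2\n");
-if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 errExit("mounting /var/cache/apache2");
 fs_logger("tmpfs /var/cache/apache2");
 }
@@ -220,7 +208,7 @@ void fs_var_cache(void) {
 if (stat("/var/cache/lighttpd", &s) == 0) {
 if (arg_debug)
 printf("Mounting tmpfs on /var/cache/lighttpd\n");
-if (mount("tmpfs", "/var/cache/lighttpd", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", "/var/cache/lighttpd", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 errExit("mounting /var/cache/lighttpd");
 fs_logger("tmpfs /var/cache/lighttpd");
 
@@ -232,18 +220,10 @@ void fs_var_cache(void) {
 gid = p->pw_gid;
 }
 
-int rv = mkdir("/var/cache/lighttpd/compress", 0755);
-if (rv == -1)
-errExit("mkdir");
-if (chown("/var/cache/lighttpd/compress", uid, gid) < 0)
-errExit("chown");
+mkdir_attr("/var/cache/lighttpd/compress", 0755, uid, gid);
 fs_logger("mkdir /var/cache/lighttpd/compress");
 
-rv = mkdir("/var/cache/lighttpd/uploads", 0755);
-if (rv == -1)
-errExit("mkdir");
-if (chown("/var/cache/lighttpd/uploads", uid, gid) < 0)
-errExit("chown");
+mkdir_attr("/var/cache/lighttpd/uploads", 0755, uid, gid);
 fs_logger("/var/cache/lighttpd/uploads");
 }
 }
@@ -268,7 +248,7 @@ void fs_var_lock(void) {
 if (is_dir("/var/lock")) {
 if (arg_debug)
 printf("Mounting tmpfs on /var/lock\n");
-if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
+if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
 errExit("mounting /lock");
 fs_logger("tmpfs /var/lock");
 }
@@ -277,16 +257,11 @@ void fs_var_lock(void) {
 if (lnk) {
 if (!is_dir(lnk)) {
 // create directory
-if (mkdir(lnk, S_IRWXU|S_IRWXG|S_IRWXO))
-errExit("mkdir");
-if (chown(lnk, 0, 0))
-errExit("chown");
-if (chmod(lnk, S_IRWXU|S_IRWXG|S_IRWXO))
-errExit("chmod");
+mkdir_attr(lnk, S_IRWXU|S_IRWXG|S_IRWXO, 0, 0);
 }
 if (arg_debug)
 printf("Mounting tmpfs on %s on behalf of /var/lock\n", lnk);
-if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
+if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
 errExit("mounting /var/lock");
 free(lnk);
 fs_logger("tmpfs /var/lock");
@@ -304,7 +279,7 @@ void fs_var_tmp(void) {
 if (!is_link("/var/tmp")) {
 if (arg_debug)
 printf("Mounting tmpfs on /var/tmp\n");
-if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
+if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
 errExit("mounting /var/tmp");
 fs_logger("tmpfs /var/tmp");
 }
@@ -327,9 +302,6 @@ void fs_var_utmp(void) {
 return;
 }
 
-// create /tmp/firejail/mnt directory
-fs_build_mnt_dir();
-
 // create a new utmp file
 if (arg_debug)
 printf("Create the new utmp file\n");
@@ -353,16 +325,13 @@ void fs_var_utmp(void) {
 
 // save new utmp file
 fwrite(&u_boot, sizeof(u_boot), 1, fp);
+SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
 fclose(fp);
-if (chown(RUN_UTMP_FILE, 0, utmp_group) < 0)
-errExit("chown");
-if (chmod(RUN_UTMP_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH ) < 0)
-errExit("chmod");
 
 // mount the new utmp file
 if (arg_debug)
 printf("Mount the new utmp file\n");
-if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_REC, NULL) < 0)
+if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_NOSUID|MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
 errExit("mount bind utmp");
 fs_logger("create /var/run/utmp");
 }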
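Review bot: In fs_var_log the two new `SET_PERMS_STREAM(fp, ...)` calls for /var/log/wtmp and /var/log/btmp sit before the `if (fp)` test, so a failed fopen() passes a NULL stream to the macro. The macro's definition is not on this page, but if it works through the stream's descriptor, that is a NULL dereference where the old code exited cleanly via `errExit("chown")`. Move each call inside the check, as the dhcpd.leases hunk in fs_var_lib already does: `if (fp) { SET_PERMS_STREAM(fp, 0, wtmp_group, mode); fclose(fp); }`, or call errExit when fopen() fails. Separately, in fs_var_utmp the `MS_NOSUID|MS_NOEXEC|MS_NODEV` bits added to the `MS_BIND` call are ignored by the kernel on the initial bind per mount(2), so they need a follow-up `MS_BIND|MS_REMOUNT` call with the same flags to take effect. The bodies of both functions continue outside the hunks shown.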