diff options
Diffstat (limited to 'src/firejail/fs_whitelist.c')
| -rw-r--r-- | src/firejail/fs_whitelist.c | 13 |
1 files changed, 6 insertions, 7 deletions
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 9a7a1bac7..258f023f6 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
| @@ -304,7 +304,6 @@ static void globbing(const char *pattern) { | |||
| 304 | } | 304 | } |
| 305 | 305 | ||
| 306 | // mount tmpfs on all top level directories | 306 | // mount tmpfs on all top level directories |
| 307 | // home directories *inside* /run/user/$UID are not fully supported | ||
| 308 | static void tmpfs_topdirs(const TopDir *topdirs) { | 307 | static void tmpfs_topdirs(const TopDir *topdirs) { |
| 309 | int tmpfs_home = 0; | 308 | int tmpfs_home = 0; |
| 310 | int tmpfs_runuser = 0; | 309 | int tmpfs_runuser = 0; |
| @@ -335,6 +334,7 @@ static void tmpfs_topdirs(const TopDir *topdirs) { | |||
| 335 | 334 | ||
| 336 | // mount tmpfs | 335 | // mount tmpfs |
| 337 | fs_tmpfs(topdirs[i].path, 0); | 336 | fs_tmpfs(topdirs[i].path, 0); |
| 337 | selinux_relabel_path(topdirs[i].path, topdirs[i].path); | ||
| 338 | 338 | ||
| 339 | // init tmpfs | 339 | // init tmpfs |
| 340 | if (strcmp(topdirs[i].path, "/run") == 0) { | 340 | if (strcmp(topdirs[i].path, "/run") == 0) { |
| @@ -384,8 +384,6 @@ static void tmpfs_topdirs(const TopDir *topdirs) { | |||
| 384 | const char *rel = cfg.homedir + topdir_len + 1; | 384 | const char *rel = cfg.homedir + topdir_len + 1; |
| 385 | whitelist_file(topdirs[i].fd, rel, cfg.homedir); | 385 | whitelist_file(topdirs[i].fd, rel, cfg.homedir); |
| 386 | } | 386 | } |
| 387 | |||
| 388 | selinux_relabel_path(topdirs[i].path, topdirs[i].path); | ||
| 389 | } | 387 | } |
| 390 | 388 | ||
| 391 | // user home directory | 389 | // user home directory |
| @@ -467,9 +465,9 @@ static TopDir *add_topdir(const char *dir, TopDir *topdirs, const char *path) { | |||
| 467 | errExit("strdup"); | 465 | errExit("strdup"); |
| 468 | 466 | ||
| 469 | // open the directory, don't follow symbolic links | 467 | // open the directory, don't follow symbolic links |
| 470 | rv->fd = safer_openat(-1, rv->path, O_PATH|O_NOFOLLOW|O_DIRECTORY|O_CLOEXEC); | 468 | rv->fd = safer_openat(-1, dir, O_PATH|O_NOFOLLOW|O_DIRECTORY|O_CLOEXEC); |
| 471 | if (rv->fd == -1) { | 469 | if (rv->fd == -1) { |
| 472 | fprintf(stderr, "Error: cannot open %s\n", rv->path); | 470 | fprintf(stderr, "Error: cannot open %s\n", dir); |
| 473 | exit(1); | 471 | exit(1); |
| 474 | } | 472 | } |
| 475 | 473 | ||
| @@ -750,10 +748,11 @@ void fs_whitelist(void) { | |||
| 750 | } | 748 | } |
| 751 | 749 | ||
| 752 | // create the link if any | 750 | // create the link if any |
| 753 | if (link) | 751 | if (link) { |
| 754 | whitelist_symlink(link, file); | 752 | whitelist_symlink(link, file); |
| 753 | free(link); | ||
| 754 | } | ||
| 755 | 755 | ||
| 756 | free(link); | ||
| 757 | free(file); | 756 | free(file); |
| 758 | free(entry->wparam); | 757 | free(entry->wparam); |
| 759 | entry->wparam = NULL; | 758 | entry->wparam = NULL; |