diff options
Diffstat (limited to 'src/firejail/fs_whitelist.c')
-rw-r--r-- | src/firejail/fs_whitelist.c | 13 |
1 files changed, 6 insertions, 7 deletions
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 9a7a1bac7..258f023f6 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -304,7 +304,6 @@ static void globbing(const char *pattern) { | |||
304 | } | 304 | } |
305 | 305 | ||
306 | // mount tmpfs on all top level directories | 306 | // mount tmpfs on all top level directories |
307 | // home directories *inside* /run/user/$UID are not fully supported | ||
308 | static void tmpfs_topdirs(const TopDir *topdirs) { | 307 | static void tmpfs_topdirs(const TopDir *topdirs) { |
309 | int tmpfs_home = 0; | 308 | int tmpfs_home = 0; |
310 | int tmpfs_runuser = 0; | 309 | int tmpfs_runuser = 0; |
@@ -335,6 +334,7 @@ static void tmpfs_topdirs(const TopDir *topdirs) { | |||
335 | 334 | ||
336 | // mount tmpfs | 335 | // mount tmpfs |
337 | fs_tmpfs(topdirs[i].path, 0); | 336 | fs_tmpfs(topdirs[i].path, 0); |
337 | selinux_relabel_path(topdirs[i].path, topdirs[i].path); | ||
338 | 338 | ||
339 | // init tmpfs | 339 | // init tmpfs |
340 | if (strcmp(topdirs[i].path, "/run") == 0) { | 340 | if (strcmp(topdirs[i].path, "/run") == 0) { |
@@ -384,8 +384,6 @@ static void tmpfs_topdirs(const TopDir *topdirs) { | |||
384 | const char *rel = cfg.homedir + topdir_len + 1; | 384 | const char *rel = cfg.homedir + topdir_len + 1; |
385 | whitelist_file(topdirs[i].fd, rel, cfg.homedir); | 385 | whitelist_file(topdirs[i].fd, rel, cfg.homedir); |
386 | } | 386 | } |
387 | |||
388 | selinux_relabel_path(topdirs[i].path, topdirs[i].path); | ||
389 | } | 387 | } |
390 | 388 | ||
391 | // user home directory | 389 | // user home directory |
@@ -467,9 +465,9 @@ static TopDir *add_topdir(const char *dir, TopDir *topdirs, const char *path) { | |||
467 | errExit("strdup"); | 465 | errExit("strdup"); |
468 | 466 | ||
469 | // open the directory, don't follow symbolic links | 467 | // open the directory, don't follow symbolic links |
470 | rv->fd = safer_openat(-1, rv->path, O_PATH|O_NOFOLLOW|O_DIRECTORY|O_CLOEXEC); | 468 | rv->fd = safer_openat(-1, dir, O_PATH|O_NOFOLLOW|O_DIRECTORY|O_CLOEXEC); |
471 | if (rv->fd == -1) { | 469 | if (rv->fd == -1) { |
472 | fprintf(stderr, "Error: cannot open %s\n", rv->path); | 470 | fprintf(stderr, "Error: cannot open %s\n", dir); |
473 | exit(1); | 471 | exit(1); |
474 | } | 472 | } |
475 | 473 | ||
@@ -750,10 +748,11 @@ void fs_whitelist(void) { | |||
750 | } | 748 | } |
751 | 749 | ||
752 | // create the link if any | 750 | // create the link if any |
753 | if (link) | 751 | if (link) { |
754 | whitelist_symlink(link, file); | 752 | whitelist_symlink(link, file); |
753 | free(link); | ||
754 | } | ||
755 | 755 | ||
756 | free(link); | ||
757 | free(file); | 756 | free(file); |
758 | free(entry->wparam); | 757 | free(entry->wparam); |
759 | entry->wparam = NULL; | 758 | entry->wparam = NULL; |