diff options
Diffstat (limited to 'src/firejail/main.c')
| -rw-r--r-- | src/firejail/main.c | 44 |
1 files changed, 11 insertions, 33 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c index 0ce18ab01..acbb4bf38 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -63,6 +63,8 @@ gid_t firejail_gid = 0; | |||
| 63 | static char child_stack[STACK_SIZE] __attribute__((aligned(STACK_ALIGNMENT))); // space for child's stack | 63 | static char child_stack[STACK_SIZE] __attribute__((aligned(STACK_ALIGNMENT))); // space for child's stack |
| 64 | 64 | ||
| 65 | Config cfg; // configuration | 65 | Config cfg; // configuration |
| 66 | int lockfd_directory = -1; | ||
| 67 | int lockfd_network = -1; | ||
| 66 | int arg_private = 0; // mount private /home and /tmp directoryu | 68 | int arg_private = 0; // mount private /home and /tmp directoryu |
| 67 | int arg_private_cache = 0; // mount private home/.cache | 69 | int arg_private_cache = 0; // mount private home/.cache |
| 68 | int arg_debug = 0; // print debug messages | 70 | int arg_debug = 0; // print debug messages |
| @@ -1056,8 +1058,6 @@ static int check_postexec(const char *list) { | |||
| 1056 | int main(int argc, char **argv, char **envp) { | 1058 | int main(int argc, char **argv, char **envp) { |
| 1057 | int i; | 1059 | int i; |
| 1058 | int prog_index = -1; // index in argv where the program command starts | 1060 | int prog_index = -1; // index in argv where the program command starts |
| 1059 | int lockfd_network = -1; | ||
| 1060 | int lockfd_directory = -1; | ||
| 1061 | int custom_profile = 0; // custom profile loaded | 1061 | int custom_profile = 0; // custom profile loaded |
| 1062 | int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot) | 1062 | int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot) |
| 1063 | char **ptr; | 1063 | char **ptr; |
| @@ -1166,19 +1166,13 @@ int main(int argc, char **argv, char **envp) { | |||
| 1166 | #endif | 1166 | #endif |
| 1167 | 1167 | ||
| 1168 | // build /run/firejail directory structure | 1168 | // build /run/firejail directory structure |
| 1169 | preproc_build_firejail_dir(); | 1169 | preproc_build_firejail_dir_unlocked(); |
| 1170 | preproc_lock_firejail_dir(); | ||
| 1171 | preproc_build_firejail_dir_locked(); | ||
| 1170 | const char *container_name = env_get("container"); | 1172 | const char *container_name = env_get("container"); |
| 1171 | if (!container_name || strcmp(container_name, "firejail")) { | 1173 | if (!container_name || strcmp(container_name, "firejail")) |
| 1172 | lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR); | ||
| 1173 | if (lockfd_directory != -1) { | ||
| 1174 | int rv = fchown(lockfd_directory, 0, 0); | ||
| 1175 | (void) rv; | ||
| 1176 | flock(lockfd_directory, LOCK_EX); | ||
| 1177 | } | ||
| 1178 | preproc_clean_run(); | 1174 | preproc_clean_run(); |
| 1179 | flock(lockfd_directory, LOCK_UN); | 1175 | preproc_unlock_firejail_dir(); |
| 1180 | close(lockfd_directory); | ||
| 1181 | } | ||
| 1182 | 1176 | ||
| 1183 | delete_run_files(getpid()); | 1177 | delete_run_files(getpid()); |
| 1184 | atexit(clear_atexit); | 1178 | atexit(clear_atexit); |
| @@ -2990,12 +2984,7 @@ int main(int argc, char **argv, char **envp) { | |||
| 2990 | // check and assign an IP address - for macvlan it will be done again in the sandbox! | 2984 | // check and assign an IP address - for macvlan it will be done again in the sandbox! |
| 2991 | if (any_bridge_configured()) { | 2985 | if (any_bridge_configured()) { |
| 2992 | EUID_ROOT(); | 2986 | EUID_ROOT(); |
| 2993 | lockfd_network = open(RUN_NETWORK_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR); | 2987 | preproc_lock_firejail_network_dir(); |
| 2994 | if (lockfd_network != -1) { | ||
| 2995 | int rv = fchown(lockfd_network, 0, 0); | ||
| 2996 | (void) rv; | ||
| 2997 | flock(lockfd_network, LOCK_EX); | ||
| 2998 | } | ||
| 2999 | 2988 | ||
| 3000 | if (cfg.bridge0.configured && cfg.bridge0.arg_ip_none == 0) | 2989 | if (cfg.bridge0.configured && cfg.bridge0.arg_ip_none == 0) |
| 3001 | check_network(&cfg.bridge0); | 2990 | check_network(&cfg.bridge0); |
| @@ -3024,21 +3013,13 @@ int main(int argc, char **argv, char **envp) { | |||
| 3024 | 3013 | ||
| 3025 | // set name and x11 run files | 3014 | // set name and x11 run files |
| 3026 | EUID_ROOT(); | 3015 | EUID_ROOT(); |
| 3027 | lockfd_directory = open(RUN_DIRECTORY_LOCK_FILE, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR); | 3016 | preproc_lock_firejail_dir(); |
| 3028 | if (lockfd_directory != -1) { | ||
| 3029 | int rv = fchown(lockfd_directory, 0, 0); | ||
| 3030 | (void) rv; | ||
| 3031 | flock(lockfd_directory, LOCK_EX); | ||
| 3032 | } | ||
| 3033 | if (cfg.name) | 3017 | if (cfg.name) |
| 3034 | set_name_run_file(sandbox_pid); | 3018 | set_name_run_file(sandbox_pid); |
| 3035 | int display = x11_display(); | 3019 | int display = x11_display(); |
| 3036 | if (display > 0) | 3020 | if (display > 0) |
| 3037 | set_x11_run_file(sandbox_pid, display); | 3021 | set_x11_run_file(sandbox_pid, display); |
| 3038 | if (lockfd_directory != -1) { | 3022 | preproc_unlock_firejail_dir(); |
| 3039 | flock(lockfd_directory, LOCK_UN); | ||
| 3040 | close(lockfd_directory); | ||
| 3041 | } | ||
| 3042 | EUID_USER(); | 3023 | EUID_USER(); |
| 3043 | 3024 | ||
| 3044 | #ifdef HAVE_DBUSPROXY | 3025 | #ifdef HAVE_DBUSPROXY |
| @@ -3276,10 +3257,7 @@ int main(int argc, char **argv, char **envp) { | |||
| 3276 | close(parent_to_child_fds[1]); | 3257 | close(parent_to_child_fds[1]); |
| 3277 | 3258 | ||
| 3278 | EUID_ROOT(); | 3259 | EUID_ROOT(); |
| 3279 | if (lockfd_network != -1) { | 3260 | preproc_unlock_firejail_network_dir(); |
| 3280 | flock(lockfd_network, LOCK_UN); | ||
| 3281 | close(lockfd_network); | ||
| 3282 | } | ||
| 3283 | EUID_USER(); | 3261 | EUID_USER(); |
| 3284 | 3262 | ||
| 3285 | // lock netfilter firewall | 3263 | // lock netfilter firewall |