Diffstat (limited to 'src/firejail/netfilter.c')
-rw-r--r--src/firejail/netfilter.c12
1 files changed, 3 insertions, 9 deletions
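--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -47,14 +47,8 @@ void check_netfilter_file(const char *fname) {
 	EUID_ASSERT();
 	invalid_filename(fname);
 
-	if (is_dir(fname) || is_link(fname) || strstr(fname, "..")) {
-		fprintf(stderr, "Error: invalid network filter file\n");
-		exit(1);
-	}
-
-	// access call checks as real UID/GID, not as effective UID/GID
-	if (access(fname, R_OK)) {
-		fprintf(stderr, "Error: cannot access network filter file\n");
+	if (is_dir(fname) || is_link(fname) || strstr(fname, "..") || access(fname, R_OK )) {
+		fprintf(stderr, "Error: invalid network filter file %s\n", fname);
 		exit(1);
 	}
 }
@@ -138,7 +132,7 @@ void netfilter6(const char *fname) {
 	char *filter = read_text_file_or_exit(fname);
 	FILE *fp = fopen(SBOX_STDIN_FILE, "w");
 	if (!fp) {
-		fprintf(stderr, "Error: cannot open /tmp/netfilter6 file\n");
+		fprintf(stderr, "Error: cannot open %s\n", SBOX_STDIN_FILE);
 		exit(1);
 	}
 	fprintf(fp, "%s\n", filter);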
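Review bot: Folding access() into the validity check in the first hunk silently drops the comment that access() tests permissions against the real UID/GID rather than the effective ones, which is the property the check depends on in a program that juggles effective UIDs as EUID_ASSERT() suggests this one does; keep it on the new condition, e.g. `// access() checks as real UID/GID, not effective UID/GID` directly above the `if`. Merging the two branches also means a file the user is not permitted to read is now reported as "invalid network filter file", which hides the actual cause from the user; if one message is kept, consider appending `strerror(errno)` when access() is the failing term so the permission case stays distinguishable. The access()-then-read-later sequence remains a check-then-use window on the path, which predates this commit and is out of scope, but a one-line comment noting that the check is advisory rather than a security boundary would prevent a later reader from over-trusting it. The stray space in `R_OK )` should be `R_OK)`. check_netfilter_file's opening lines are above the hunk.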