1 files changed, 95 insertions, 1 deletions
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index 2c7d4264d..e0ca2141f 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -18,15 +18,101 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include <sys/file.h>
 #include <sys/mount.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <dirent.h>
+#include <fcntl.h>
 static int tmpfs_mounted = 0;
+static void preproc_lock_file(const char *path, int *lockfd_ptr) {
+        assert(path != NULL);
+        assert(lockfd_ptr != NULL);
+        long pid = (long)getpid();
+        if (arg_debug)
+                fprintf(stderr, "pid=%ld: locking %s ...\n", pid, path);
+        if (*lockfd_ptr != -1) {
+                if (arg_debug)
+                        fprintf(stderr, "pid=%ld: already locked %s\n", pid, path);
+                return;
+        }
+        int lockfd = open(path, O_WRONLY | O_CREAT | O_CLOEXEC, S_IRUSR | S_IWUSR);
+        if (lockfd == -1) {
+                fprintf(stderr, "Error: cannot create a lockfile at %s\n", path);
+                errExit("open");
+        }
+        if (fchown(lockfd, 0, 0) == -1) {
+                fprintf(stderr, "Error: cannot chown root:root %s\n", path);
+                errExit("fchown");
+        }
+        if (flock(lockfd, LOCK_EX) == -1) {
+                fprintf(stderr, "Error: cannot lock %s\n", path);
+                errExit("flock");
+        }
+        *lockfd_ptr = lockfd;
+        if (arg_debug)
+                fprintf(stderr, "pid=%ld: locked %s\n", pid, path);
+}
+static void preproc_unlock_file(const char *path, int *lockfd_ptr) {
+        assert(path != NULL);
+        assert(lockfd_ptr != NULL);
+        long pid = (long)getpid();
+        if (arg_debug)
+                fprintf(stderr, "pid=%ld: unlocking %s ...\n", pid, path);
+        int lockfd = *lockfd_ptr;
+        if (lockfd == -1) {
+                if (arg_debug)
+                        fprintf(stderr, "pid=%ld: already unlocked %s\n", pid, path);
+                return;
+        }
+        if (flock(lockfd, LOCK_UN) == -1) {
+                fprintf(stderr, "Error: cannot unlock %s\n", path);
+                errExit("flock");
+        }
+        if (close(lockfd) == -1) {
+                fprintf(stderr, "Error: cannot close %s\n", path);
+                errExit("close");
+        }
+        *lockfd_ptr = -1;
+        if (arg_debug)
+                fprintf(stderr, "pid=%ld: unlocked %s\n", pid, path);
+}
+void preproc_lock_firejail_dir(void) {
+        preproc_lock_file(RUN_DIRECTORY_LOCK_FILE, &lockfd_directory);
+}
+void preproc_unlock_firejail_dir(void) {
+        preproc_unlock_file(RUN_DIRECTORY_LOCK_FILE, &lockfd_directory);
+}
+void preproc_lock_firejail_network_dir(void) {
+        preproc_lock_file(RUN_NETWORK_LOCK_FILE, &lockfd_network);
+}
+void preproc_unlock_firejail_network_dir(void) {
+        preproc_unlock_file(RUN_NETWORK_LOCK_FILE, &lockfd_network);
+}
 // build /run/firejail directory
-void preproc_build_firejail_dir(void) {
+//
+// Note: This creates the base directory of the rundir lockfile;
+// it should be called before preproc_lock_firejail_dir().
+void preproc_build_firejail_dir_unlocked(void) {
        struct stat s;
        // CentOS 6 doesn't have /run directory
@@ -35,6 +121,14 @@ void preproc_build_firejail_dir(void) {
        }
        create_empty_dir_as_root(RUN_FIREJAIL_DIR, 0755);
+}
+// build directory hierarchy under /run/firejail
+//
+// Note: Remounts have timing hazards. This function should
+// only be called after acquiring the directory lock via
+// preproc_lock_firejail_dir().
+void preproc_build_firejail_dir_locked(void) {
        create_empty_dir_as_root(RUN_FIREJAIL_NETWORK_DIR, 0755);
        create_empty_dir_as_root(RUN_FIREJAIL_BANDWIDTH_DIR, 0755);
        create_empty_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755);

diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index 2c7d4264d..e0ca2141f 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c
@@ -18,15 +18,101 @@
18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.	18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19	*/	19	*/
20	#include "firejail.h"	20	#include "firejail.h"
		21	#include <sys/file.h>
21	#include <sys/mount.h>	22	#include <sys/mount.h>
22	#include <sys/stat.h>	23	#include <sys/stat.h>
23	#include <sys/types.h>	24	#include <sys/types.h>
24	#include <dirent.h>	25	#include <dirent.h>
		26	#include <fcntl.h>
25		27
26	static int tmpfs_mounted = 0;	28	static int tmpfs_mounted = 0;
27		29
		30	static void preproc_lock_file(const char path, int lockfd_ptr) {
		31	assert(path != NULL);
		32	assert(lockfd_ptr != NULL);
		33
		34	long pid = (long)getpid();
		35	if (arg_debug)
		36	fprintf(stderr, "pid=%ld: locking %s ...\n", pid, path);
		37
		38	if (*lockfd_ptr != -1) {
		39	if (arg_debug)
		40	fprintf(stderr, "pid=%ld: already locked %s\n", pid, path);
		41	return;
		42	}
		43
		44	int lockfd = open(path, O_WRONLY \| O_CREAT \| O_CLOEXEC, S_IRUSR \| S_IWUSR);
		45	if (lockfd == -1) {
		46	fprintf(stderr, "Error: cannot create a lockfile at %s\n", path);
		47	errExit("open");
		48	}
		49
		50	if (fchown(lockfd, 0, 0) == -1) {
		51	fprintf(stderr, "Error: cannot chown root:root %s\n", path);
		52	errExit("fchown");
		53	}
		54
		55	if (flock(lockfd, LOCK_EX) == -1) {
		56	fprintf(stderr, "Error: cannot lock %s\n", path);
		57	errExit("flock");
		58	}
		59
		60	*lockfd_ptr = lockfd;
		61	if (arg_debug)
		62	fprintf(stderr, "pid=%ld: locked %s\n", pid, path);
		63	}
		64
		65	static void preproc_unlock_file(const char path, int lockfd_ptr) {
		66	assert(path != NULL);
		67	assert(lockfd_ptr != NULL);
		68
		69	long pid = (long)getpid();
		70	if (arg_debug)
		71	fprintf(stderr, "pid=%ld: unlocking %s ...\n", pid, path);
		72
		73	int lockfd = *lockfd_ptr;
		74	if (lockfd == -1) {
		75	if (arg_debug)
		76	fprintf(stderr, "pid=%ld: already unlocked %s\n", pid, path);
		77	return;
		78	}
		79
		80	if (flock(lockfd, LOCK_UN) == -1) {
		81	fprintf(stderr, "Error: cannot unlock %s\n", path);
		82	errExit("flock");
		83	}
		84
		85	if (close(lockfd) == -1) {
		86	fprintf(stderr, "Error: cannot close %s\n", path);
		87	errExit("close");
		88	}
		89
		90	*lockfd_ptr = -1;
		91	if (arg_debug)
		92	fprintf(stderr, "pid=%ld: unlocked %s\n", pid, path);
		93	}
		94
		95	void preproc_lock_firejail_dir(void) {
		96	preproc_lock_file(RUN_DIRECTORY_LOCK_FILE, &lockfd_directory);
		97	}
		98
		99	void preproc_unlock_firejail_dir(void) {
		100	preproc_unlock_file(RUN_DIRECTORY_LOCK_FILE, &lockfd_directory);
		101	}
		102
		103	void preproc_lock_firejail_network_dir(void) {
		104	preproc_lock_file(RUN_NETWORK_LOCK_FILE, &lockfd_network);
		105	}
		106
		107	void preproc_unlock_firejail_network_dir(void) {
		108	preproc_unlock_file(RUN_NETWORK_LOCK_FILE, &lockfd_network);
		109	}
		110
28	// build /run/firejail directory	111	// build /run/firejail directory
29	void preproc_build_firejail_dir(void) {	112	//
		113	// Note: This creates the base directory of the rundir lockfile;
		114	// it should be called before preproc_lock_firejail_dir().
		115	void preproc_build_firejail_dir_unlocked(void) {
30	struct stat s;	116	struct stat s;
31		117
32	// CentOS 6 doesn't have /run directory	118	// CentOS 6 doesn't have /run directory
@@ -35,6 +121,14 @@ void preproc_build_firejail_dir(void) {
35	}	121	}
36		122
37	create_empty_dir_as_root(RUN_FIREJAIL_DIR, 0755);	123	create_empty_dir_as_root(RUN_FIREJAIL_DIR, 0755);
		124	}
		125
		126	// build directory hierarchy under /run/firejail
		127	//
		128	// Note: Remounts have timing hazards. This function should
		129	// only be called after acquiring the directory lock via
		130	// preproc_lock_firejail_dir().
		131	void preproc_build_firejail_dir_locked(void) {
38	create_empty_dir_as_root(RUN_FIREJAIL_NETWORK_DIR, 0755);	132	create_empty_dir_as_root(RUN_FIREJAIL_NETWORK_DIR, 0755);
39	create_empty_dir_as_root(RUN_FIREJAIL_BANDWIDTH_DIR, 0755);	133	create_empty_dir_as_root(RUN_FIREJAIL_BANDWIDTH_DIR, 0755);
40	create_empty_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755);	134	create_empty_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755);