diff options
Diffstat (limited to 'src/firejail/run_files.c')
| -rw-r--r-- | src/firejail/run_files.c | 20 |
1 files changed, 13 insertions, 7 deletions
diff --git a/src/firejail/run_files.c b/src/firejail/run_files.c index 8b8bbae12..6724e2cd8 100644 --- a/src/firejail/run_files.c +++ b/src/firejail/run_files.c | |||
| @@ -164,7 +164,8 @@ void set_profile_run_file(pid_t pid, const char *fname) { | |||
| 164 | free(runfile); | 164 | free(runfile); |
| 165 | } | 165 | } |
| 166 | 166 | ||
| 167 | int set_sandbox_run_file(pid_t pid, pid_t child) { | 167 | static int sandbox_run_file_fd = -1; |
| 168 | void set_sandbox_run_file(pid_t pid, pid_t child) { | ||
| 168 | char *runfile; | 169 | char *runfile; |
| 169 | if (asprintf(&runfile, "%s/%d", RUN_FIREJAIL_SANDBOX_DIR, pid) == -1) | 170 | if (asprintf(&runfile, "%s/%d", RUN_FIREJAIL_SANDBOX_DIR, pid) == -1) |
| 170 | errExit("asprintf"); | 171 | errExit("asprintf"); |
| @@ -172,8 +173,8 @@ int set_sandbox_run_file(pid_t pid, pid_t child) { | |||
| 172 | EUID_ROOT(); | 173 | EUID_ROOT(); |
| 173 | // the file is deleted first | 174 | // the file is deleted first |
| 174 | // this file should be opened with O_CLOEXEC set | 175 | // this file should be opened with O_CLOEXEC set |
| 175 | int fd = open(runfile, O_CREAT | O_WRONLY | O_TRUNC | O_CLOEXEC, S_IRUSR | S_IWUSR); | 176 | sandbox_run_file_fd = open(runfile, O_CREAT | O_WRONLY | O_TRUNC | O_CLOEXEC, S_IRUSR | S_IWUSR); |
| 176 | if (fd < 0) { | 177 | if (sandbox_run_file_fd < 0) { |
| 177 | fprintf(stderr, "Error: cannot create %s\n", runfile); | 178 | fprintf(stderr, "Error: cannot create %s\n", runfile); |
| 178 | exit(1); | 179 | exit(1); |
| 179 | } | 180 | } |
| @@ -185,7 +186,7 @@ int set_sandbox_run_file(pid_t pid, pid_t child) { | |||
| 185 | size_t len = strlen(buf); | 186 | size_t len = strlen(buf); |
| 186 | size_t done = 0; | 187 | size_t done = 0; |
| 187 | while (done != len) { | 188 | while (done != len) { |
| 188 | ssize_t rv = write(fd, buf + done, len - done); | 189 | ssize_t rv = write(sandbox_run_file_fd, buf + done, len - done); |
| 189 | if (rv < 0) | 190 | if (rv < 0) |
| 190 | errExit("write"); | 191 | errExit("write"); |
| 191 | done += rv; | 192 | done += rv; |
| @@ -193,14 +194,19 @@ int set_sandbox_run_file(pid_t pid, pid_t child) { | |||
| 193 | 194 | ||
| 194 | // set exclusive lock on the file | 195 | // set exclusive lock on the file |
| 195 | // the lock is never inherited, and is released if this process dies ungracefully | 196 | // the lock is never inherited, and is released if this process dies ungracefully |
| 196 | struct flock sandboxlock = { | 197 | struct flock sandbox_lock = { |
| 197 | .l_type = F_WRLCK, | 198 | .l_type = F_WRLCK, |
| 198 | .l_whence = SEEK_SET, | 199 | .l_whence = SEEK_SET, |
| 199 | .l_start = 0, | 200 | .l_start = 0, |
| 200 | .l_len = 0, | 201 | .l_len = 0, |
| 201 | }; | 202 | }; |
| 202 | if (fcntl(fd, F_SETLK, &sandboxlock) < 0) | 203 | if (fcntl(sandbox_run_file_fd, F_SETLK, &sandbox_lock) < 0) |
| 203 | errExit("fcntl"); | 204 | errExit("fcntl"); |
| 205 | } | ||
| 206 | |||
| 207 | void release_sandbox_run_file_lock(void) { | ||
| 208 | assert(sandbox_run_file_fd > -1); | ||
| 204 | 209 | ||
| 205 | return fd; | 210 | close(sandbox_run_file_fd); |
| 211 | sandbox_run_file_fd = -1; | ||
| 206 | } | 212 | } |