Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs.c | 66 | ||||
-rw-r--r-- | src/firejail/util.c | 38 |
3 files changed, 42 insertions, 63 deletions
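--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -540,6 +540,7 @@ uid_t pid_get_uid(pid_t pid);
 uid_t get_group_id(const char *group);
 int remove_overlay_directory(void);
 void flush_stdin(void);
+void create_empty_dir_as_user(const char *dir, mode_t mode);
 void create_empty_dir_as_root(const char *dir, mode_t mode);
 void create_empty_file_as_root(const char *dir, mode_t mode);
 int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode);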
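--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -767,26 +767,7 @@ void fs_proc_sys_dev_boot(void) {
 char *fnamegpg;
 if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1)
 errExit("asprintf");
-if (stat(fnamegpg, &s) == -1) {
-pid_t child = fork();
-if (child < 0)
-errExit("fork");
-if (child == 0) {
-// drop privileges
-drop_privs(0);
-if (mkdir(fnamegpg, 0700) == 0) {
-if (chmod(fnamegpg, 0700) == -1)
-{;} // do nothing
-}
-#ifdef HAVE_GCOV
-__gcov_flush();
-#endif
-_exit(0);
-}
-// wait for the child to finish
-waitpid(child, NULL, 0);
-fs_logger2("create", fnamegpg);
-}
+create_empty_dir_as_user(fnamegpg, 0700);
 if (stat(fnamegpg, &s) == 0)
 disable_file(BLACKLIST_FILE, fnamegpg);
 free(fnamegpg);
@@ -795,26 +776,7 @@ void fs_proc_sys_dev_boot(void) {
 char *fnamesysd;
 if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)
 errExit("asprintf");
-if (stat(fnamesysd, &s) == -1) {
-pid_t child = fork();
-if (child < 0)
-errExit("fork");
-if (child == 0) {
-// drop privileges
-drop_privs(0);
-if (mkdir(fnamesysd, 0755) == 0) {
-if (chmod(fnamesysd, 0755) == -1)
-{;} // do nothing
-}
-#ifdef HAVE_GCOV
-__gcov_flush();
-#endif
-_exit(0);
-}
-// wait for the child to finish
-waitpid(child, NULL, 0);
-fs_logger2("create", fnamesysd);
-}
+create_empty_dir_as_user(fnamesysd, 0755);
 if (stat(fnamesysd, &s) == 0)
 disable_file(BLACKLIST_FILE, fnamesysd);
 free(fnamesysd);
@@ -924,31 +886,11 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
 }
 else {
 // create ~/.firejail directory
-pid_t child = fork();
-if (child < 0)
-errExit("fork");
-if (child == 0) {
-// drop privileges
-drop_privs(0);
-
-// create directory
-if (mkdir(dirname, 0700))
-errExit("mkdir");
-if (chmod(dirname, 0700) == -1)
-errExit("chmod");
-ASSERT_PERMS(dirname, getuid(), getgid(), 0700);
-#ifdef HAVE_GCOV
-__gcov_flush();
-#endif
-_exit(0);
-}
-// wait for the child to finish
-waitpid(child, NULL, 0);
+create_empty_dir_as_user(dirname, 0700);
 if (stat(dirname, &s) == -1) {
-fprintf(stderr, "Error: cannot create ~/.firejail directory\n");
+fprintf(stderr, "Error: cannot create directory %s\n", dirname);
 exit(1);
 }
-fs_logger2("create", dirname);
 }
 free(dirname);
 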
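Review bot: In the fs_check_overlay_dir hunk the replacement drops the checks the old child performed, `ASSERT_PERMS(dirname, getuid(), getgid(), 0700)` and errExit on a failed mkdir() or chmod(), while create_empty_dir_as_user ignores a failed chmod() and never reports the child's outcome. The only test left in the caller is `if (stat(dirname, &s) == -1)`, which follows symlinks and passes for any object at that path regardless of type, owner or mode. This directory presumably backs the overlay afterwards, so the caller should verify what it actually got, for example `if (lstat(dirname, &s) == -1 || !S_ISDIR(s.st_mode) || s.st_uid != getuid() || (s.st_mode & 07777) != 0700) {`. The function starts and ends outside the hunk, so an equivalent check elsewhere in it cannot be ruled out from here.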
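--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -961,6 +961,42 @@ void flush_stdin(void) {
 }
 }
 
+void create_empty_dir_as_user(const char *dir, mode_t mode) {
+assert(dir);
+mode &= 07777;
+struct stat s;
+
+if (stat(dir, &s)) {
+if (arg_debug)
+printf("Creating empty %s directory\n", dir);
+pid_t child = fork();
+if (child < 0)
+errExit("fork");
+if (child == 0) {
+// drop privileges
+drop_privs(0);
+
+if (mkdir(dir, mode) == 0) {
+if (chmod(dir, mode) == -1)
+{;} // do nothing
+}
+else if (errno != EEXIST && arg_debug) {
+char *str;
+if (asprintf(&str, "Directory %s not created", dir) == -1)
+errExit("asprintf");
+perror(str);
+}
+#ifdef HAVE_GCOV
+__gcov_flush();
+#endif
+_exit(0);
+}
+waitpid(child, NULL, 0);
+if (stat(dir, &s) == 0)
+fs_logger2("create", dir);
+}
+}
+
 void create_empty_dir_as_root(const char *dir, mode_t mode) {
 assert(dir);
 mode &= 07777;
@@ -1262,4 +1298,4 @@ void enter_network_namespace(pid_t pid) {
 fprintf(stderr, "Error: cannot join the network namespace\n");
 exit(1);
 }
-}
\ No newline at end of file
+}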
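Review bot: create_empty_dir_as_user gives its caller no way to learn that creation failed: the child always ends with `_exit(0)`, a failed chmod() is discarded by `{;}`, and the parent calls `waitpid(child, NULL, 0)` without reading the status. The existence test `if (stat(dir, &s))` follows symlinks, so a dangling link at dir takes the create path, mkdir() fails with EEXIST, and the `errno != EEXIST` condition suppresses even the debug message. Using `lstat(dir, &s)` for the existence test, exiting the child with `_exit(1)` when mkdir() or chmod() fails, and checking `WIFEXITED(status) && WEXITSTATUS(status) == 0` in the parent would make the failure visible. A short header comment should state that creation is best-effort, runs with dropped privileges, and that callers must re-check the path themselves. The `str` buffer allocated for perror() is never freed, which is harmless before `_exit` but avoidable with `fprintf(stderr, "Directory %s not created: %s\n", dir, strerror(errno));`.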