Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs.c | 24 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 20 |
2 files changed, 22 insertions, 22 deletions
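--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -64,12 +64,12 @@ void fs_build_firejail_dir(void) {
 if (arg_debug)
 printf("Creating %s directory\n", RUN_FIREJAIL_DIR);
 /* coverity[toctou] */
-int rv = mkdir(RUN_FIREJAIL_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+int rv = mkdir(RUN_FIREJAIL_DIR, 0755);
 if (rv == -1)
 errExit("mkdir");
 if (chown(RUN_FIREJAIL_DIR, 0, 0) < 0)
 errExit("chown");
-if (chmod(RUN_FIREJAIL_DIR, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
+if (chmod(RUN_FIREJAIL_DIR, 0755) < 0)
 errExit("chmod");
 }
 else { // check /tmp/firejail directory belongs to root end exit if doesn't!
@@ -102,12 +102,12 @@ void fs_build_mnt_dir(void) {
 if (arg_debug)
 printf("Creating %s directory\n", RUN_MNT_DIR);
 /* coverity[toctou] */
-int rv = mkdir(RUN_MNT_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+int rv = mkdir(RUN_MNT_DIR, 0755);
 if (rv == -1)
 errExit("mkdir");
 if (chown(RUN_MNT_DIR, 0, 0) < 0)
 errExit("chown");
-if (chmod(RUN_MNT_DIR, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
+if (chmod(RUN_MNT_DIR, 0755) < 0)
 errExit("chmod");
 }
 
@@ -740,18 +740,18 @@ void fs_overlayfs(void) {
 char *oroot;
 if(asprintf(&oroot, "%s/oroot", RUN_MNT_DIR) == -1)
 errExit("asprintf");
-if (mkdir(oroot, S_IRWXU | S_IRWXG | S_IRWXO))
+if (mkdir(oroot, 0755))
 errExit("mkdir");
 if (chown(oroot, 0, 0) < 0)
 errExit("chown");
-if (chmod(oroot, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
+if (chmod(oroot, 0755) < 0)
 errExit("chmod");
 
 char *basedir = RUN_MNT_DIR;
 if (arg_overlay_keep) {
 // set base for working and diff directories
 basedir = cfg.overlay_dir;
-if (mkdir(basedir, S_IRWXU | S_IRWXG | S_IRWXO) != 0) {
+if (mkdir(basedir, 0755) != 0) {
 fprintf(stderr, "Error: cannot create overlay directory\n");
 exit(1);
 }
@@ -760,21 +760,21 @@ void fs_overlayfs(void) {
 char *odiff;
 if(asprintf(&odiff, "%s/odiff", basedir) == -1)
 errExit("asprintf");
-if (mkdir(odiff, S_IRWXU | S_IRWXG | S_IRWXO))
+if (mkdir(odiff, 0755))
 errExit("mkdir");
 if (chown(odiff, 0, 0) < 0)
 errExit("chown");
-if (chmod(odiff, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
+if (chmod(odiff, 0755) < 0)
 errExit("chmod");
 
 char *owork;
 if(asprintf(&owork, "%s/owork", basedir) == -1)
 errExit("asprintf");
-if (mkdir(owork, S_IRWXU | S_IRWXG | S_IRWXO))
+if (mkdir(owork, 0755))
 errExit("mkdir");
 if (chown(owork, 0, 0) < 0)
 errExit("chown");
-if (chmod(owork, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
+if (chmod(owork, 0755) < 0)
 errExit("chmod");
 
 // mount overlayfs
@@ -913,7 +913,7 @@ void fs_chroot(const char *rootdir) {
 if (asprintf(&rundir, "%s/run", rootdir) == -1)
 errExit("asprintf");
 if (!is_dir(rundir)) {
-int rv = mkdir(rundir, S_IRWXU | S_IRWXG | S_IRWXO);
+int rv = mkdir(rundir, 0755);
 (void) rv;
 rv = chown(rundir, 0, 0);
 (void) rv;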
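Review bot: In the fs_chroot hunk the results of `mkdir(rundir, 0755)` and `chown(rundir, 0, 0)` are still cast to void, so a failure to create the `run` directory under the caller-supplied `rootdir` goes unnoticed, whereas every other directory touched in this file ends in errExit on failure. Because `rundir` is derived from `rootdir` and chown() follows symbolic links, I would check both calls like the others, e.g. `if (mkdir(rundir, 0755) == -1) errExit("mkdir");` and `if (chown(rundir, 0, 0) < 0) errExit("chown");`. No chmod is visible here either, so the final mode would depend on the process umask unless one follows. The function body continues past the end of the hunk, so later checks may exist that are not shown.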
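--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -464,7 +464,7 @@ void fs_whitelist(void) {
 // /home/user
 if (home_dir) {
 // keep a copy of real home dir in RUN_WHITELIST_HOME_USER_DIR
-int rv = mkdir(RUN_WHITELIST_HOME_USER_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+int rv = mkdir(RUN_WHITELIST_HOME_USER_DIR, 0755);
 if (rv == -1)
 errExit("mkdir");
 if (chown(RUN_WHITELIST_HOME_USER_DIR, getuid(), getgid()) < 0)
@@ -482,12 +482,12 @@ void fs_whitelist(void) {
 // /tmp mountpoint
 if (tmp_dir) {
 // keep a copy of real /tmp directory in WHITELIST_TMP_DIR
-int rv = mkdir(RUN_WHITELIST_TMP_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+int rv = mkdir(RUN_WHITELIST_TMP_DIR, 1777);
 if (rv == -1)
 errExit("mkdir");
 if (chown(RUN_WHITELIST_TMP_DIR, 0, 0) < 0)
 errExit("chown");
-if (chmod(RUN_WHITELIST_TMP_DIR, 0777) < 0)
+if (chmod(RUN_WHITELIST_TMP_DIR, 1777) < 0)
 errExit("chmod");
 
 if (mount("/tmp", RUN_WHITELIST_TMP_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
@@ -496,7 +496,7 @@ void fs_whitelist(void) {
 // mount tmpfs on /tmp
 if (arg_debug || arg_debug_whitelists)
 printf("Mounting tmpfs on /tmp directory\n");
-if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0)
+if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
 errExit("mounting tmpfs on /tmp");
 fs_logger("mount tmpfs on /tmp");
 }
@@ -504,7 +504,7 @@ void fs_whitelist(void) {
 // /media mountpoint
 if (media_dir) {
 // keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR
-int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, 0755);
 if (rv == -1)
 errExit("mkdir");
 if (chown(RUN_WHITELIST_MEDIA_DIR, 0, 0) < 0)
@@ -526,7 +526,7 @@ void fs_whitelist(void) {
 // /var mountpoint
 if (var_dir) {
 // keep a copy of real /var directory in RUN_WHITELIST_VAR_DIR
-int rv = mkdir(RUN_WHITELIST_VAR_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+int rv = mkdir(RUN_WHITELIST_VAR_DIR, 0755);
 if (rv == -1)
 errExit("mkdir");
 if (chown(RUN_WHITELIST_VAR_DIR, 0, 0) < 0)
@@ -548,7 +548,7 @@ void fs_whitelist(void) {
 // /dev mountpoint
 if (dev_dir) {
 // keep a copy of real /dev directory in RUN_WHITELIST_DEV_DIR
-int rv = mkdir(RUN_WHITELIST_DEV_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+int rv = mkdir(RUN_WHITELIST_DEV_DIR, 0755);
 if (rv == -1)
 errExit("mkdir");
 if (chown(RUN_WHITELIST_DEV_DIR, 0, 0) < 0)
@@ -556,7 +556,7 @@ void fs_whitelist(void) {
 if (chmod(RUN_WHITELIST_DEV_DIR, 0755) < 0)
 errExit("chmod");
 
-if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
+if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC, "mode=755,gid=0") < 0)
 errExit("mount bind");
 
 // mount tmpfs on /dev
@@ -569,8 +569,8 @@ void fs_whitelist(void) {
 
 // /opt mountpoint
 if (opt_dir) {
-// keep a copy of real /opt directory in RUN_WHITELIST_DEV_DIR
-int rv = mkdir(RUN_WHITELIST_OPT_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+// keep a copy of real /opt directory in RUN_WHITELIST_OPT_DIR
+int rv = mkdir(RUN_WHITELIST_OPT_DIR, 0755);
 if (rv == -1)
 errExit("mkdir");
 if (chown(RUN_WHITELIST_OPT_DIR, 0, 0) < 0)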
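Review bot: The mode literals in `mkdir(RUN_WHITELIST_TMP_DIR, 1777)` and `chmod(RUN_WHITELIST_TMP_DIR, 1777)` in the /tmp hunk are decimal, not octal. 1777 decimal is 03361, which sets setgid and sticky with permission bits 0361 instead of the sticky, world-writable 01777 that the matching `mode=1777` tmpfs option suggests was intended. Both calls should use `01777`; the tmpfs option string is fine as written because the kernel parses that value as octal. Separately, the `"mode=755,gid=0"` data string added to the `/dev` bind mount has no effect, since mount(2) ignores the data argument when MS_BIND is set, so I would keep `NULL` there to avoid implying the mode is enforced.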