Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs_etc.c | 60 | ||||
-rw-r--r-- | src/firejail/main.c | 7 | ||||
-rw-r--r-- | src/firejail/profile.c | 7 |
3 files changed, 34 insertions, 40 deletions
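--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -129,40 +129,44 @@ void fs_private_etc_list(void) {
 		errExit("chmod");
 	fs_logger("tmpfs /etc");
 
-	// copy the list of files in the new etc directory
-	// using a new child process without root privileges
 	fs_logger_print(); // save the current log
-	pid_t child = fork();
-	if (child < 0)
-		errExit("fork");
-	if (child == 0) {
-		if (arg_debug)
-			printf("Copying files in the new etc directory:\n");
 
-		// elevate privileges - files in the new /etc directory belong to root
-		if (setreuid(0, 0) < 0)
-			errExit("setreuid");
-		if (setregid(0, 0) < 0)
-			errExit("setregid");
-
-		// copy the list of files in the new home directory
-		char *dlist = strdup(private_list);
-		if (!dlist)
-			errExit("strdup");
-
 
-		char *ptr = strtok(dlist, ",");
-		duplicate(ptr);
+	// copy the list of files in the new etc directory
+	// using a new child process without root privileges
+	if (*private_list != '\0') {
+		pid_t child = fork();
+		if (child < 0)
+			errExit("fork");
+		if (child == 0) {
+			if (arg_debug)
+				printf("Copying files in the new etc directory:\n");
 
-		while ((ptr = strtok(NULL, ",")) != NULL)
+			// elevate privileges - files in the new /etc directory belong to root
+			if (setreuid(0, 0) < 0)
+				errExit("setreuid");
+			if (setregid(0, 0) < 0)
+				errExit("setregid");
+
+			// copy the list of files in the new home directory
+			char *dlist = strdup(private_list);
+			if (!dlist)
+				errExit("strdup");
+
+
+			char *ptr = strtok(dlist, ",");
 			duplicate(ptr);
-		free(dlist);
-		fs_logger_print();
-		exit(0);
+
+			while ((ptr = strtok(NULL, ",")) != NULL)
+				duplicate(ptr);
+			free(dlist);
+			fs_logger_print();
+			exit(0);
+		}
+		// wait for the child to finish
+		waitpid(child, NULL, 0);
 	}
-	// wait for the child to finish
-	waitpid(child, NULL, 0);
-
+
 	if (arg_debug)
 		printf("Mount-bind %s on top of /etc\n", RUN_ETC_DIR);
 	if (mount(RUN_ETC_DIR, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0)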
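Review bot: The comment at new line 136, `// using a new child process without root privileges`, contradicts the setreuid(0, 0)/setregid(0, 0) calls at lines 146-149, which raise the child to root before it copies the files, and the comment at line 151 still says "home directory"; I would reword them to `// copy the list of files into the new /etc in a child process that re-acquires root (the copies must be root-owned)` and `// copy the list of files into the new etc directory`. Separately, the parent discards the child's exit status at line 167, so if the setre*id calls or duplicate() fail in the child via errExit, the parent still proceeds to mount-bind the partially populated RUN_ETC_DIR over /etc; checking it, e.g. `int status; if (waitpid(child, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)` followed by an abort, would make the copy step fail closed. fs_private_etc_list() begins and ends outside the hunk.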
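--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1330,12 +1330,7 @@ int main(int argc, char **argv) {
 				exit(1);
 			}
 			fs_check_etc_list();
-			if (*cfg.etc_private_keep != '\0')
-				arg_private_etc = 1;
-			else {
-				arg_private_etc = 0;
-				fprintf(stderr, "Warning: private-etc disabled, no file found\n");
-			}
+			arg_private_etc = 1;
 		}
 		else if (strncmp(argv[i], "--private-bin=", 14) == 0) {
 			// extract private bin list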
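Review bot: With the fallback at old lines 1335-1338 gone, arg_private_etc is set to 1 at new line 1333 even when fs_check_etc_list() leaves cfg.etc_private_keep empty, so (as far as the fs_etc.c hunk shows) the sandbox gets an empty private /etc rather than the host's /etc, and the user no longer gets any message that every listed file was dropped. Failing closed is the safer choice, but the silent part should be documented and the diagnostic kept: `// an empty list after fs_check_etc_list() still enables private-etc (empty /etc); it no longer falls back to the host /etc` above the assignment, plus `if (*cfg.etc_private_keep == '\0') fprintf(stderr, "Warning: private-etc: no file found, /etc will be empty\n");`. The same applies to the identical hunk in src/firejail/profile.c. main() starts and ends outside the hunk.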
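--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -611,12 +611,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		}
 		cfg.etc_private_keep = ptr + 12;
 		fs_check_etc_list();
-		if (*cfg.etc_private_keep != '\0')
-			arg_private_etc = 1;
-		else {
-			arg_private_etc = 0;
-			fprintf(stderr, "Warning: private-etc disabled, no file found\n");
-		}
+		arg_private_etc = 1;
 
 		return 0;
 	}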