Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs.c | 21 | ||||
-rw-r--r-- | src/firejail/main.c | 9 | ||||
-rw-r--r-- | src/firejail/restrict_users.c | 1 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 5 |
4 files changed, 31 insertions, 5 deletions
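--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -56,7 +56,7 @@ static void create_empty_file(void) {
 }
 }
 
-// build /tmp/firejail directory
+// build /run/firejail directory
 void fs_build_firejail_dir(void) {
 struct stat s;
 
@@ -86,11 +86,16 @@ void fs_build_firejail_dir(void) {
 
 // build /tmp/firejail/mnt directory
 static int tmpfs_mounted = 0;
+static void fs_build_remount_mnt_dir(void) {
+tmpfs_mounted = 0;
+fs_build_mnt_dir();
+}
+
 void fs_build_mnt_dir(void) {
 struct stat s;
 fs_build_firejail_dir();
 
-// create /tmp/firejail directory
+// create /run/firejail/mnt directory
 if (stat(MNT_DIR, &s)) {
 if (arg_debug)
 printf("Creating %s directory\n", MNT_DIR);
@@ -106,7 +111,7 @@ void fs_build_mnt_dir(void) {
 
 // ... and mount tmpfs on top of it
 if (!tmpfs_mounted) {
-// mount tmpfs on top of /tmp/firejail/mnt
+// mount tmpfs on top of /run/firejail/mnt
 if (arg_debug)
 printf("Mounting tmpfs on %s directory\n", MNT_DIR);
 if (mount("tmpfs", MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
@@ -533,6 +538,14 @@ void fs_proc_sys_dev_boot(void) {
 errExit("mounting /boot directory");
 }
 
+// disable /selinux
+if (stat("/selinux", &s) == 0) {
+if (arg_debug)
+printf("Mounting a new /selinux directory\n");
+if (mount("tmpfs", "/selinux", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0)
+errExit("mounting /selinux directory");
+}
+
 // disable /dev/port
 if (stat("/dev/port", &s) == 0) {
 disable_file(BLACKLIST_FILE, "/dev/port");
@@ -818,6 +831,8 @@ void fs_chroot(const char *rootdir) {
 printf("Chrooting into %s\n", rootdir);
 if (chroot(rootdir) < 0)
 errExit("chroot");
+// mount a new tmpfs in /run/firejail/mnt - the old one was lost in chroot
+fs_build_remount_mnt_dir();
 
 // update /var directory in order to support multiple sandboxes running on the same root directory
 if (!arg_private_dev)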
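Review bot: The new `/selinux` mask in fs_proc_sys_dev_boot mounts its tmpfs with `mode=777` and without `MS_NOEXEC`, so every process in the sandbox gets a world-writable directory with no sticky bit in which it can create, replace and execute files. The MNT_DIR tmpfs in the same file uses `mode=755,gid=0`, and since the stated purpose here is to disable the directory, a non-writable mount fits better: `mount("tmpfs", "/selinux", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC, "mode=755,gid=0")`. The function starts and continues outside the hunk, so the flags used for the neighbouring /boot mask are not visible for comparison.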
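--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1285,6 +1285,15 @@ int main(int argc, char **argv) {
 if (pipe(child_to_parent_fds) < 0)
 errExit("pipe");
 
+if (arg_noroot && arg_overlay) {
+fprintf(stderr, "Warning: --overlay and --noroot are mutually exclusive, noroot disabled\n");
+arg_noroot = 0;
+}
+else if (arg_noroot && cfg.chrootdir) {
+fprintf(stderr, "Warning: --overlay and --chroot are mutually exclusive, noroot disabled\n");
+arg_noroot = 0;
+}
+
 // clone environment
 int flags = CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD;
 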
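Review bot: The second warning names the wrong option: the branch tests `arg_noroot && cfg.chrootdir` but prints "--overlay and --chroot are mutually exclusive", so a user who combined --chroot with --noroot is told about an option they never passed. It should read `fprintf(stderr, "Warning: --chroot and --noroot are mutually exclusive, noroot disabled\n");`. Both branches also drop an explicitly requested hardening option and carry on with only a warning on stderr; exiting with an error would avoid running a weaker sandbox than the one that was asked for. main() starts and ends outside the hunk.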
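--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -293,7 +293,6 @@ static void sanitize_group(void) {
 if ((gid_t) gid != mygid) {
 continue; // skip line
 }
-fprintf(fpout, "%s", buf);
 if (copy_line(fpout, buf, ptr))
 goto errout;
 }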
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index c105894bb..dd444f0b9 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -300,6 +300,9 @@ int sandbox(void* sandbox_arg) { | |||
300 | #ifdef HAVE_CHROOT | 300 | #ifdef HAVE_CHROOT |
301 | if (cfg.chrootdir) { | 301 | if (cfg.chrootdir) { |
302 | fs_chroot(cfg.chrootdir); | 302 | fs_chroot(cfg.chrootdir); |
303 | // redo cp command | ||
304 | fs_build_cp_command(); | ||
305 | |||
303 | // force caps and seccomp if not started as root | 306 | // force caps and seccomp if not started as root |
304 | if (getuid() != 0) { | 307 | if (getuid() != 0) { |
305 | // force default seccomp inside the chroot, no keep or drop list | 308 | // force default seccomp inside the chroot, no keep or drop list |
@@ -336,7 +339,7 @@ int sandbox(void* sandbox_arg) { | |||
336 | } | 339 | } |
337 | else | 340 | else |
338 | #endif | 341 | #endif |
339 | if (arg_overlay) | 342 | if (arg_overlay) |
340 | fs_overlayfs(); | 343 | fs_overlayfs(); |
341 | else | 344 | else |
342 | fs_basic_fs(); | 345 | fs_basic_fs(); |
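Review bot: The comment `// redo cp command` in the first hunk does not say why the command must be rebuilt after `fs_chroot()` or where it is taken from afterwards. fs_build_cp_command() is not visible here, but if it locates or copies a binary, it will now resolve it inside the tree named by `cfg.chrootdir`, and the `getuid() != 0` branch just below shows that this path is reachable for non-root users. A comment such as `// the cp helper built before chroot is no longer reachable; rebuild it inside the new root` would record the intent. It is also worth confirming that the ownership and permission checks on the chroot tree run before this call. sandbox() starts and ends outside the hunk.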