diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs_etc.c | 30 | ||||
-rw-r--r-- | src/firejail/fs_trace.c | 6 | ||||
-rw-r--r-- | src/firejail/main.c | 23 | ||||
-rw-r--r-- | src/firejail/profile.c | 8 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 6 |
5 files changed, 59 insertions, 14 deletions
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index df0e92203..b82baf1ad 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c | |||
@@ -24,7 +24,8 @@ | |||
24 | #include <sys/wait.h> | 24 | #include <sys/wait.h> |
25 | #include <unistd.h> | 25 | #include <unistd.h> |
26 | 26 | ||
27 | static void check_dir_or_file(const char *name) { | 27 | // return 0 if file not found, 1 if found |
28 | static int check_dir_or_file(const char *name) { | ||
28 | assert(name); | 29 | assert(name); |
29 | invalid_filename(name); | 30 | invalid_filename(name); |
30 | 31 | ||
@@ -35,19 +36,20 @@ static void check_dir_or_file(const char *name) { | |||
35 | if (arg_debug) | 36 | if (arg_debug) |
36 | printf("Checking %s\n", fname); | 37 | printf("Checking %s\n", fname); |
37 | if (stat(fname, &s) == -1) { | 38 | if (stat(fname, &s) == -1) { |
38 | fprintf(stderr, "Error: file %s not found.\n", fname); | 39 | if (arg_debug) |
39 | exit(1); | 40 | printf("Warning: file %s not found.\n", fname); |
41 | return 0; | ||
40 | } | 42 | } |
41 | 43 | ||
42 | // dir or regular file | 44 | // dir or regular file |
43 | if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode)) { | 45 | if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode)) { |
44 | free(fname); | 46 | free(fname); |
45 | return; | 47 | return 1; |
46 | } | 48 | } |
47 | 49 | ||
48 | if (!is_link(fname)) { | 50 | if (!is_link(fname)) { |
49 | free(fname); | 51 | free(fname); |
50 | return; | 52 | return 1; |
51 | } | 53 | } |
52 | 54 | ||
53 | fprintf(stderr, "Error: invalid file type, %s.\n", fname); | 55 | fprintf(stderr, "Error: invalid file type, %s.\n", fname); |
@@ -63,11 +65,23 @@ void fs_check_etc_list(void) { | |||
63 | char *dlist = strdup(cfg.etc_private_keep); | 65 | char *dlist = strdup(cfg.etc_private_keep); |
64 | if (!dlist) | 66 | if (!dlist) |
65 | errExit("strdup"); | 67 | errExit("strdup"); |
68 | |||
69 | // build a new list only with the files found | ||
70 | char *newlist = malloc(strlen(cfg.etc_private_keep) + 1); | ||
71 | if (!newlist) | ||
72 | errExit("malloc"); | ||
73 | *newlist = '\0'; | ||
66 | 74 | ||
67 | char *ptr = strtok(dlist, ","); | 75 | char *ptr = strtok(dlist, ","); |
68 | check_dir_or_file(ptr); | 76 | if (check_dir_or_file(ptr)) |
69 | while ((ptr = strtok(NULL, ",")) != NULL) | 77 | strcat(newlist, ptr); |
70 | check_dir_or_file(ptr); | 78 | while ((ptr = strtok(NULL, ",")) != NULL) { |
79 | if (check_dir_or_file(ptr)) { | ||
80 | strcat(newlist, ","); | ||
81 | strcat(newlist, ptr); | ||
82 | } | ||
83 | } | ||
84 | cfg.etc_private_keep = newlist; | ||
71 | 85 | ||
72 | free(dlist); | 86 | free(dlist); |
73 | } | 87 | } |
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index 55a1b9c7a..eec51c3f9 100644 --- a/src/firejail/fs_trace.c +++ b/src/firejail/fs_trace.c | |||
@@ -42,7 +42,7 @@ void fs_trace_preload(void) { | |||
42 | errExit("chown"); | 42 | errExit("chown"); |
43 | if (chmod("/etc/ld.so.preload", S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0) | 43 | if (chmod("/etc/ld.so.preload", S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0) |
44 | errExit("chmod"); | 44 | errExit("chmod"); |
45 | fs_logger("touch /etc/ls.so.preload"); | 45 | fs_logger("touch /etc/ld.so.preload"); |
46 | } | 46 | } |
47 | } | 47 | } |
48 | 48 | ||
@@ -77,8 +77,8 @@ void fs_trace(void) { | |||
77 | if (arg_debug) | 77 | if (arg_debug) |
78 | printf("Mount the new ld.so.preload file\n"); | 78 | printf("Mount the new ld.so.preload file\n"); |
79 | if (mount(RUN_LDPRELOAD_FILE, "/etc/ld.so.preload", NULL, MS_BIND|MS_REC, NULL) < 0) | 79 | if (mount(RUN_LDPRELOAD_FILE, "/etc/ld.so.preload", NULL, MS_BIND|MS_REC, NULL) < 0) |
80 | errExit("mount bind ls.so.preload"); | 80 | errExit("mount bind ld.so.preload"); |
81 | fs_logger("create /etc/ls.so.preload"); | 81 | fs_logger("create /etc/ld.so.preload"); |
82 | } | 82 | } |
83 | 83 | ||
84 | 84 | ||
diff --git a/src/firejail/main.c b/src/firejail/main.c index aad0af3e4..75b90ae81 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -831,6 +831,10 @@ int main(int argc, char **argv) { | |||
831 | 831 | ||
832 | // extract private home dirname | 832 | // extract private home dirname |
833 | cfg.home_private = argv[i] + 10; | 833 | cfg.home_private = argv[i] + 10; |
834 | if (*cfg.home_private == '\0') { | ||
835 | fprintf(stderr, "Error: invalid private option\n"); | ||
836 | exit(1); | ||
837 | } | ||
834 | fs_check_private_dir(); | 838 | fs_check_private_dir(); |
835 | arg_private = 1; | 839 | arg_private = 1; |
836 | } | 840 | } |
@@ -842,6 +846,10 @@ int main(int argc, char **argv) { | |||
842 | 846 | ||
843 | // extract private home dirname | 847 | // extract private home dirname |
844 | cfg.home_private_keep = argv[i] + 15; | 848 | cfg.home_private_keep = argv[i] + 15; |
849 | if (*cfg.home_private_keep == '\0') { | ||
850 | fprintf(stderr, "Error: invalid private-home option\n"); | ||
851 | exit(1); | ||
852 | } | ||
845 | fs_check_home_list(); | 853 | fs_check_home_list(); |
846 | arg_private = 1; | 854 | arg_private = 1; |
847 | } | 855 | } |
@@ -851,12 +859,25 @@ int main(int argc, char **argv) { | |||
851 | else if (strncmp(argv[i], "--private-etc=", 14) == 0) { | 859 | else if (strncmp(argv[i], "--private-etc=", 14) == 0) { |
852 | // extract private etc dirname | 860 | // extract private etc dirname |
853 | cfg.etc_private_keep = argv[i] + 14; | 861 | cfg.etc_private_keep = argv[i] + 14; |
862 | if (*cfg.etc_private_keep == '\0') { | ||
863 | fprintf(stderr, "Error: invalid private-etc option\n"); | ||
864 | exit(1); | ||
865 | } | ||
854 | fs_check_etc_list(); | 866 | fs_check_etc_list(); |
855 | arg_private_etc = 1; | 867 | if (*cfg.etc_private_keep != '\0') |
868 | arg_private_etc = 1; | ||
869 | else { | ||
870 | arg_private_etc = 0; | ||
871 | fprintf(stderr, "Warning: private-etc disabled, no file found\n"); | ||
872 | } | ||
856 | } | 873 | } |
857 | else if (strncmp(argv[i], "--private-bin=", 14) == 0) { | 874 | else if (strncmp(argv[i], "--private-bin=", 14) == 0) { |
858 | // extract private etc dirname | 875 | // extract private etc dirname |
859 | cfg.bin_private_keep = argv[i] + 14; | 876 | cfg.bin_private_keep = argv[i] + 14; |
877 | if (*cfg.bin_private_keep == '\0') { | ||
878 | fprintf(stderr, "Error: invalid private-bin option\n"); | ||
879 | exit(1); | ||
880 | } | ||
860 | fs_check_bin_list(); | 881 | fs_check_bin_list(); |
861 | arg_private_bin = 1; | 882 | arg_private_bin = 1; |
862 | } | 883 | } |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 366a56e13..244370b98 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -285,7 +285,13 @@ int profile_check_line(char *ptr, int lineno) { | |||
285 | if (strncmp(ptr, "private-etc ", 12) == 0) { | 285 | if (strncmp(ptr, "private-etc ", 12) == 0) { |
286 | cfg.etc_private_keep = ptr + 12; | 286 | cfg.etc_private_keep = ptr + 12; |
287 | fs_check_etc_list(); | 287 | fs_check_etc_list(); |
288 | arg_private_etc = 1; | 288 | if (*cfg.etc_private_keep != '\0') |
289 | arg_private_etc = 1; | ||
290 | else { | ||
291 | arg_private_etc = 0; | ||
292 | fprintf(stderr, "Warning: private-etc disabled, no file found\n"); | ||
293 | } | ||
294 | |||
289 | return 0; | 295 | return 0; |
290 | } | 296 | } |
291 | 297 | ||
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 39f95a43a..4a1990382 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -380,8 +380,12 @@ int sandbox(void* sandbox_arg) { | |||
380 | 380 | ||
381 | if (arg_private_dev) | 381 | if (arg_private_dev) |
382 | fs_private_dev(); | 382 | fs_private_dev(); |
383 | if (arg_private_etc) | 383 | if (arg_private_etc) { |
384 | fs_private_etc_list(); | 384 | fs_private_etc_list(); |
385 | // create /etc/ld.so.preload file again | ||
386 | if (arg_trace || arg_tracelog) | ||
387 | fs_trace_preload(); | ||
388 | } | ||
385 | if (arg_private_bin) | 389 | if (arg_private_bin) |
386 | fs_private_bin_list(); | 390 | fs_private_bin_list(); |
387 | 391 | ||