5 files changed, 49 insertions, 49 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 4f8968e4a..b29e11923 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -40,7 +40,8 @@
 #define PULSE_DIR       "/run/firejail/mnt/pulse"
 #define DEVLOG_FILE     "/run/firejail/mnt/devlog"
-#define WHITELIST_HOME_DIR      "/run/firejail/mnt/orig-home"
+#define WHITELIST_HOME_DIR      "/run/firejail/mnt/orig-home"   // default home directory masking
+#define WHITELIST_HOME_USER_DIR "/run/firejail/mnt/orig-home-user"      // home directory whitelisting
 #define WHITELIST_TMP_DIR       "/run/firejail/mnt/orig-tmp"
 #define WHITELIST_MEDIA_DIR     "/run/firejail/mnt/orig-media"
 #define WHITELIST_VAR_DIR       "/run/firejail/mnt/orig-var"
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 5cce383e2..aec1698b0 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -540,50 +540,48 @@ void fs_proc_sys_dev_boot(void) {
 }
 static void sanitize_home(void) {
-        // extract current /home directory data
+        assert(getuid() != 0);  // this code works only for regular users
-        struct dirent *dir;
+        
-        DIR *d = opendir("/home");
+        if (arg_debug)
-        if (d == NULL)
+                printf("Cleaning /home directory\n");
+        
+        struct stat s;
+        if (stat(cfg.homedir, &s) == -1) {
+                // cannot find home directory, just return
+                fprintf(stderr, "Warning: cannot find home directory\n");
                return;
-        while ((dir = readdir(d))) {
-                if(strcmp(dir->d_name, "." ) == 0 || strcmp(dir->d_name, ".." ) == 0)
-                        continue;
-                if (dir->d_type == DT_DIR ) {
-                        // get properties
-                        struct stat s;
-                        char *name;
-                        if (asprintf(&name, "/home/%s", dir->d_name) == -1)
-                                continue;
-                        if (stat(name, &s) == -1)
-                                continue;
-                        if (S_ISLNK(s.st_mode)) {
-                                free(name);
-                                continue;
-                        }
-                        
-                        if (strcmp(name, cfg.homedir) == 0)
-                                continue;
-//                      printf("directory %u %u:%u #%s#\n",
-//                              s.st_mode,
-//                              s.st_uid,
-//                              s.st_gid,
-//                              name);
-                        
-                        // disable directory
-                        disable_file(BLACKLIST_FILE, name);
-                        free(name);
-                }                       
        }
-        closedir(d);
+        
-}
+        fs_build_mnt_dir();
+        if (mkdir(WHITELIST_HOME_DIR, 0755) == -1)
+                errExit("mkdir");
+        // keep a copy of the user home directory
+        if (mount(cfg.homedir, WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
+                errExit("mount bind");
+        // mount tmpfs in the new home
+        if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                errExit("mount tmpfs");
+        // create user home directory
+        if (mkdir(cfg.homedir, 0755) == -1)
+                errExit("mkdir");
+        // set mode and ownership
+        if (chown(cfg.homedir, s.st_uid, s.st_gid) == -1)
+                errExit("chown");
+        if (chmod(cfg.homedir, s.st_mode) == -1)
+                errExit("chmod");
+        // mount user home directory
+        if (mount(WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
+                errExit("mount bind");
+        // mask home dir under /run
+        if (mount("tmpfs", WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                errExit("mount tmpfs");
+}
 // build a basic read-only filesystem
 void fs_basic_fs(void) {
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 9203e3d00..b081752f4 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -70,7 +70,7 @@ static void whitelist_path(ProfileEntry *entry) {
                        exit(1);
                }
        
-                if (asprintf(&wfile, "%s/%s", WHITELIST_HOME_DIR, fname) == -1)
+                if (asprintf(&wfile, "%s/%s", WHITELIST_HOME_USER_DIR, fname) == -1)
                        errExit("asprintf");
        }
        else if (entry->tmp_dir) {
@@ -284,16 +284,16 @@ void fs_whitelist(void) {
        // /home/user
        if (home_dir) {
-                // keep a copy of real home dir in WHITELIST_HOME_DIR
+                // keep a copy of real home dir in WHITELIST_HOME_USER_DIR
-                int rv = mkdir(WHITELIST_HOME_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+                int rv = mkdir(WHITELIST_HOME_USER_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
                if (rv == -1)
                        errExit("mkdir");
-                if (chown(WHITELIST_HOME_DIR, getuid(), getgid()) < 0)
+                if (chown(WHITELIST_HOME_USER_DIR, getuid(), getgid()) < 0)
                        errExit("chown");
-                if (chmod(WHITELIST_HOME_DIR, 0755) < 0)
+                if (chmod(WHITELIST_HOME_USER_DIR, 0755) < 0)
                        errExit("chmod");
        
-                if (mount(cfg.homedir, WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
+                if (mount(cfg.homedir, WHITELIST_HOME_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
                        errExit("mount bind");
        
                // mount a tmpfs and initialize /home/user
@@ -418,7 +418,7 @@ void fs_whitelist(void) {
        // mask the real home directory, currently mounted on WHITELIST_HOME_DIR
        if (home_dir) {
-                if (mount("tmpfs", WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", WHITELIST_HOME_USER_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mount tmpfs");
        }
        
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 238205c04..5dde0bdbd 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -188,8 +188,9 @@ void usage(void) {
        printf("\t\tthe new home. All modifications are discarded when the sandbox\n");
        printf("\t\tis closed.\n\n");
-        printf("\t--private-dev - create a new /dev directory. Only null, full, zero, tty,\n");
+        printf("\t--private-dev - create a new /dev directory. Only dri, null, full, zero,\n");
-        printf("\t\tpst, ptms, random, urandom and shm devices are available.\n\n");
+        printf("\t\ttty, pst, ptms, random, urandom, log and shm devices are\n");
+        printf("\t\tavailable.\n\n");
        printf("\t--private-etc=file,directory - build a new /etc in a temporary\n");
        printf("\t\tfilesystem, and copy the files and directories in the list.\n");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index dc518b666..370fce588 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -831,7 +831,7 @@ Example:
 $ firejail \-\-private-home=.mozilla firefox
 .TP
 \fB\-\-private-dev
-Create a new /dev directory. Only null, full, zero, tty, pts, ptmx, random, urandom and shm devices are available.
+Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available.
 .br
 .br
@@ -845,7 +845,7 @@ Child process initialized
 .br
 $ ls /dev
 .br
-full  null  ptmx  pts  random  shm  tty  urandom  zero
+dri  full  log  null  ptmx  pts  random  shm  tty  urandom  zero
 .br
 $
 .TP

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 4f8968e4a..b29e11923 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -40,7 +40,8 @@
40	#define PULSE_DIR "/run/firejail/mnt/pulse"	40	#define PULSE_DIR "/run/firejail/mnt/pulse"
41	#define DEVLOG_FILE "/run/firejail/mnt/devlog"	41	#define DEVLOG_FILE "/run/firejail/mnt/devlog"
42		42
43	#define WHITELIST_HOME_DIR "/run/firejail/mnt/orig-home"	43	#define WHITELIST_HOME_DIR "/run/firejail/mnt/orig-home" // default home directory masking
		44	#define WHITELIST_HOME_USER_DIR "/run/firejail/mnt/orig-home-user" // home directory whitelisting
44	#define WHITELIST_TMP_DIR "/run/firejail/mnt/orig-tmp"	45	#define WHITELIST_TMP_DIR "/run/firejail/mnt/orig-tmp"
45	#define WHITELIST_MEDIA_DIR "/run/firejail/mnt/orig-media"	46	#define WHITELIST_MEDIA_DIR "/run/firejail/mnt/orig-media"
46	#define WHITELIST_VAR_DIR "/run/firejail/mnt/orig-var"	47	#define WHITELIST_VAR_DIR "/run/firejail/mnt/orig-var"


diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 5cce383e2..aec1698b0 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -540,50 +540,48 @@ void fs_proc_sys_dev_boot(void) {
540	}	540	}
541		541
542	static void sanitize_home(void) {	542	static void sanitize_home(void) {
543	// extract current /home directory data	543	assert(getuid() != 0); // this code works only for regular users
544	struct dirent *dir;	544
545	DIR *d = opendir("/home");	545	if (arg_debug)
546	if (d == NULL)	546	printf("Cleaning /home directory\n");
		547
		548	struct stat s;
		549	if (stat(cfg.homedir, &s) == -1) {
		550	// cannot find home directory, just return
		551	fprintf(stderr, "Warning: cannot find home directory\n");
547	return;	552	return;
548
549	while ((dir = readdir(d))) {
550	if(strcmp(dir->d_name, "." ) == 0 \|\| strcmp(dir->d_name, ".." ) == 0)
551	continue;
552
553	if (dir->d_type == DT_DIR ) {
554	// get properties
555	struct stat s;
556	char *name;
557	if (asprintf(&name, "/home/%s", dir->d_name) == -1)
558	continue;
559	if (stat(name, &s) == -1)
560	continue;
561	if (S_ISLNK(s.st_mode)) {
562	free(name);
563	continue;
564	}
565
566	if (strcmp(name, cfg.homedir) == 0)
567	continue;
568
569	// printf("directory %u %u:%u #%s#\n",
570	// s.st_mode,
571	// s.st_uid,
572	// s.st_gid,
573	// name);
574
575	// disable directory
576	disable_file(BLACKLIST_FILE, name);
577	free(name);
578	}
579	}	553	}
580	closedir(d);	554
581	}	555	fs_build_mnt_dir();
		556	if (mkdir(WHITELIST_HOME_DIR, 0755) == -1)
		557	errExit("mkdir");
		558
		559	// keep a copy of the user home directory
		560	if (mount(cfg.homedir, WHITELIST_HOME_DIR, NULL, MS_BIND\|MS_REC, NULL) < 0)
		561	errExit("mount bind");
582		562
		563	// mount tmpfs in the new home
		564	if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID \| MS_NODEV \| MS_STRICTATIME \| MS_REC, "mode=755,gid=0") < 0)
		565	errExit("mount tmpfs");
583		566
		567	// create user home directory
		568	if (mkdir(cfg.homedir, 0755) == -1)
		569	errExit("mkdir");
584		570
		571	// set mode and ownership
		572	if (chown(cfg.homedir, s.st_uid, s.st_gid) == -1)
		573	errExit("chown");
		574	if (chmod(cfg.homedir, s.st_mode) == -1)
		575	errExit("chmod");
585		576
		577	// mount user home directory
		578	if (mount(WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND\|MS_REC, NULL) < 0)
		579	errExit("mount bind");
586		580
		581	// mask home dir under /run
		582	if (mount("tmpfs", WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID \| MS_NODEV \| MS_STRICTATIME \| MS_REC, "mode=755,gid=0") < 0)
		583	errExit("mount tmpfs");
		584	}
587		585
588	// build a basic read-only filesystem	586	// build a basic read-only filesystem
589	void fs_basic_fs(void) {	587	void fs_basic_fs(void) {


diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 9203e3d00..b081752f4 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c
@@ -70,7 +70,7 @@ static void whitelist_path(ProfileEntry *entry) {
70	exit(1);	70	exit(1);
71	}	71	}
72		72
73	if (asprintf(&wfile, "%s/%s", WHITELIST_HOME_DIR, fname) == -1)	73	if (asprintf(&wfile, "%s/%s", WHITELIST_HOME_USER_DIR, fname) == -1)
74	errExit("asprintf");	74	errExit("asprintf");
75	}	75	}
76	else if (entry->tmp_dir) {	76	else if (entry->tmp_dir) {
@@ -284,16 +284,16 @@ void fs_whitelist(void) {
284		284
285	// /home/user	285	// /home/user
286	if (home_dir) {	286	if (home_dir) {
287	// keep a copy of real home dir in WHITELIST_HOME_DIR	287	// keep a copy of real home dir in WHITELIST_HOME_USER_DIR
288	int rv = mkdir(WHITELIST_HOME_DIR, S_IRWXU \| S_IRWXG \| S_IRWXO);	288	int rv = mkdir(WHITELIST_HOME_USER_DIR, S_IRWXU \| S_IRWXG \| S_IRWXO);
289	if (rv == -1)	289	if (rv == -1)
290	errExit("mkdir");	290	errExit("mkdir");
291	if (chown(WHITELIST_HOME_DIR, getuid(), getgid()) < 0)	291	if (chown(WHITELIST_HOME_USER_DIR, getuid(), getgid()) < 0)
292	errExit("chown");	292	errExit("chown");
293	if (chmod(WHITELIST_HOME_DIR, 0755) < 0)	293	if (chmod(WHITELIST_HOME_USER_DIR, 0755) < 0)
294	errExit("chmod");	294	errExit("chmod");
295		295
296	if (mount(cfg.homedir, WHITELIST_HOME_DIR, NULL, MS_BIND\|MS_REC, NULL) < 0)	296	if (mount(cfg.homedir, WHITELIST_HOME_USER_DIR, NULL, MS_BIND\|MS_REC, NULL) < 0)
297	errExit("mount bind");	297	errExit("mount bind");
298		298
299	// mount a tmpfs and initialize /home/user	299	// mount a tmpfs and initialize /home/user
@@ -418,7 +418,7 @@ void fs_whitelist(void) {
418		418
419	// mask the real home directory, currently mounted on WHITELIST_HOME_DIR	419	// mask the real home directory, currently mounted on WHITELIST_HOME_DIR
420	if (home_dir) {	420	if (home_dir) {
421	if (mount("tmpfs", WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID \| MS_STRICTATIME \| MS_REC, "mode=755,gid=0") < 0)	421	if (mount("tmpfs", WHITELIST_HOME_USER_DIR, "tmpfs", MS_NOSUID \| MS_STRICTATIME \| MS_REC, "mode=755,gid=0") < 0)
422	errExit("mount tmpfs");	422	errExit("mount tmpfs");
423	}	423	}
424		424


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 238205c04..5dde0bdbd 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -188,8 +188,9 @@ void usage(void) {
188	printf("\t\tthe new home. All modifications are discarded when the sandbox\n");	188	printf("\t\tthe new home. All modifications are discarded when the sandbox\n");
189	printf("\t\tis closed.\n\n");	189	printf("\t\tis closed.\n\n");
190		190
191	printf("\t--private-dev - create a new /dev directory. Only null, full, zero, tty,\n");	191	printf("\t--private-dev - create a new /dev directory. Only dri, null, full, zero,\n");
192	printf("\t\tpst, ptms, random, urandom and shm devices are available.\n\n");	192	printf("\t\ttty, pst, ptms, random, urandom, log and shm devices are\n");
		193	printf("\t\tavailable.\n\n");
193		194
194	printf("\t--private-etc=file,directory - build a new /etc in a temporary\n");	195	printf("\t--private-etc=file,directory - build a new /etc in a temporary\n");
195	printf("\t\tfilesystem, and copy the files and directories in the list.\n");	196	printf("\t\tfilesystem, and copy the files and directories in the list.\n");


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index dc518b666..370fce588 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -831,7 +831,7 @@ Example:
831	$ firejail \-\-private-home=.mozilla firefox	831	$ firejail \-\-private-home=.mozilla firefox
832	.TP	832	.TP
833	\fB\-\-private-dev	833	\fB\-\-private-dev
834	Create a new /dev directory. Only null, full, zero, tty, pts, ptmx, random, urandom and shm devices are available.	834	Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available.
835	.br	835	.br
836		836
837	.br	837	.br
@@ -845,7 +845,7 @@ Child process initialized
845	.br	845	.br
846	$ ls /dev	846	$ ls /dev
847	.br	847	.br
848	full null ptmx pts random shm tty urandom zero	848	dri full log null ptmx pts random shm tty urandom zero
849	.br	849	.br
850	$	850	$
851	.TP	851	.TP