diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/fids/main.c | 19 | ||||
| -rw-r--r-- | src/firejail/seccomp.c | 6 |
2 files changed, 16 insertions, 9 deletions
diff --git a/src/fids/main.c b/src/fids/main.c index c899b55e1..8f9bc1ea0 100644 --- a/src/fids/main.c +++ b/src/fids/main.c | |||
| @@ -210,22 +210,29 @@ static void process_config(const char *fname) { | |||
| 210 | exit(1); | 210 | exit(1); |
| 211 | } | 211 | } |
| 212 | 212 | ||
| 213 | // make sure the file is owned by root | 213 | fprintf(stderr, "Opening config file %s\n", fname); |
| 214 | struct stat s; | 214 | int fd = open(fname, O_RDONLY|O_CLOEXEC); |
| 215 | if (stat(fname, &s)) { | 215 | if (fd < 0) { |
| 216 | if (include_level == 1) { | 216 | if (include_level == 1) { |
| 217 | fprintf(stderr, "Error ids: config file not found\n"); | 217 | fprintf(stderr, "Error ids: cannot open config file %s\n", fname); |
| 218 | exit(1); | 218 | exit(1); |
| 219 | } | 219 | } |
| 220 | return; | 220 | return; |
| 221 | } | 221 | } |
| 222 | |||
| 223 | // make sure the file is owned by root | ||
| 224 | struct stat s; | ||
| 225 | if (fstat(fd, &s)) { | ||
| 226 | fprintf(stderr, "Error ids: cannot stat config file %s\n", fname); | ||
| 227 | exit(1); | ||
| 228 | } | ||
| 222 | if (s.st_uid || s.st_gid) { | 229 | if (s.st_uid || s.st_gid) { |
| 223 | fprintf(stderr, "Error ids: config file not owned by root\n"); | 230 | fprintf(stderr, "Error ids: config file not owned by root\n"); |
| 224 | exit(1); | 231 | exit(1); |
| 225 | } | 232 | } |
| 226 | 233 | ||
| 227 | fprintf(stderr, "Loading %s config file\n", fname); | 234 | fprintf(stderr, "Loading config file %s\n", fname); |
| 228 | FILE *fp = fopen(fname, "r"); | 235 | FILE *fp = fdopen(fd, "r"); |
| 229 | if (!fp) { | 236 | if (!fp) { |
| 230 | fprintf(stderr, "Error fids: cannot open config file %s\n", fname); | 237 | fprintf(stderr, "Error fids: cannot open config file %s\n", fname); |
| 231 | exit(1); | 238 | exit(1); |
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 3d9bf9082..e02be29f1 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
| @@ -435,11 +435,11 @@ void seccomp_print_filter(pid_t pid) { | |||
| 435 | if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_SECCOMP_LIST) == -1) | 435 | if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_SECCOMP_LIST) == -1) |
| 436 | errExit("asprintf"); | 436 | errExit("asprintf"); |
| 437 | 437 | ||
| 438 | struct stat s; | 438 | int fd = open(fname, O_RDONLY|O_CLOEXEC); |
| 439 | if (stat(fname, &s) == -1) | 439 | if (fd < 0) |
| 440 | goto errexit; | 440 | goto errexit; |
| 441 | 441 | ||
| 442 | FILE *fp = fopen(fname, "re"); | 442 | FILE *fp = fdopen(fd, "r"); |
| 443 | if (!fp) | 443 | if (!fp) |
| 444 | goto errexit; | 444 | goto errexit; |
| 445 | free(fname); | 445 | free(fname); |