From 12d64e7151e633f50e86b283c24cf85db7f1db41 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 30 Aug 2017 11:08:37 -0400 Subject: removed zsh from travis test suite, fixed handling of /dev/shm whitelist for Debian wheezy and Ubuntu 14.04 --- .travis.yml | 2 +- src/firejail/fs_whitelist.c | 19 +++++++++++++------ test/fs/whitelist-dev.exp | 8 ++++---- 3 files changed, 18 insertions(+), 11 deletions(-) diff --git a/.travis.yml b/.travis.yml index 9a2c68361..4c6e41980 100644 --- a/.travis.yml +++ b/.travis.yml @@ -3,7 +3,7 @@ dist: trusty sudo: true script: - - sudo apt-get -y install expect csh zsh + - sudo apt-get -y install expect csh - ( cd firejail ; ./configure --prefix=/usr --enable-git-install && make && sudo make install && make test-travis ) - ( cd firejail ; sudo make install-strip DESTDIR=$(readlink -f appdir) ) - ( cd appdir/ ; tar cfvj ../firejail-build$TRAVIS_BUILD_NUMBER.tar.bz2 . ) diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 480df1766..dad8545a0 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c @@ -368,12 +368,12 @@ void fs_whitelist(void) { // replace ~/ or ${HOME} into /home/username new_name = expand_home(dataptr, cfg.homedir); assert(new_name); - if (arg_debug) + if (arg_debug || arg_debug_whitelists) fprintf(stderr, "Debug %d: new_name #%s#, %s\n", __LINE__, new_name, (nowhitelist_flag)? "nowhitelist": "whitelist"); // valid path referenced to filesystem root if (*new_name != '/') { - if (arg_debug) + if (arg_debug || arg_debug_whitelists) fprintf(stderr, "Debug %d: \n", __LINE__); goto errexit; } @@ -417,6 +417,8 @@ void fs_whitelist(void) { entry->data = EMPTY_STRING; continue; } + else if (arg_debug_whitelists) + printf("real path %s\n", fname); if (nowhitelist_flag) { // store the path in nowhitelist array 
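Review bot: The new `printf("real path %s\n", fname)` in the second fs_whitelist.c hunk writes to stdout, while the neighbouring debug output in the first hunk goes to stderr with a `Debug %d:` prefix and is gated on `arg_debug || arg_debug_whitelists`; use the same channel, format and gate, `if (arg_debug || arg_debug_whitelists)` / `fprintf(stderr, "Debug %d: real path %s\n", __LINE__, fname);`. The `else` it hangs on is also redundant, since the preceding branch ends in `continue;`, so a plain `if` reads more clearly (the header of that preceding `if` lies outside the hunk). fs_whitelist() begins and ends outside both hunks.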
@@ -501,9 +503,15 @@ void fs_whitelist(void) { else if (strncmp(new_name, "/dev/", 5) == 0) { entry->dev_dir = 1; dev_dir = 1; - // both path and absolute path are under /dev - if (strncmp(fname, "/dev/", 5) != 0) { - goto errexit; + + // special handling for /dev/shm + // on some platforms (Debian wheezy, Ubuntu 14.04), it is a symlink to /run/shm + if (strcmp(new_name, "/dev/shm") == 0 && strcmp(fname, "/run/shm") == 0); + else { + // both path and absolute path are under /dev + if (strncmp(fname, "/dev/", 5) != 0) { + goto errexit; + } } } else if (strncmp(new_name, "/opt/", 5) == 0) { @@ -708,7 +716,6 @@ void fs_whitelist(void) { } - // go through profile rules again, and interpret whitelist commands entry = cfg.profile; while (entry) { diff --git a/test/fs/whitelist-dev.exp b/test/fs/whitelist-dev.exp index b064671b6..b6ae6319f 100755 --- a/test/fs/whitelist-dev.exp +++ b/test/fs/whitelist-dev.exp @@ -25,14 +25,14 @@ sleep 1 send -- "firejail --whitelist=/dev/null --whitelist=/dev/shm --whitelist=/dev/random\r" expect { - timeout {puts "TESTING ERROR 0\n";exit} + timeout {puts "TESTING ERROR 2\n";exit} "Child process initialized" } sleep 1 send -- "find /dev | wc -l\r" expect { - timeout {puts "TESTING ERROR 0.1\n";exit} + timeout {puts "TESTING ERROR 3\n";exit} "4" } after 100 @@ -41,14 +41,14 @@ sleep 1 send -- "firejail --private-dev --debug\r" expect { - timeout {puts "TESTING ERROR 2\n";exit} + timeout {puts "TESTING ERROR 4\n";exit} "Child process initialized" } sleep 1 send -- "ls -l /dev | wc -l\r" expect { - timeout {puts "TESTING ERROR 3\n";exit} + timeout {puts "TESTING ERROR 5\n";exit} "12" {puts "OK\n"} "13" {puts "OK\n"} "14" {puts "OK\n"} -- cgit v1.2.3-70-g09d2
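Review bot: The `if (...);` with an empty body followed by `else {` in the /dev/shm special case reads like a stray semicolon and trips -Wempty-body; fold the exception into the existing guard instead: `int shm_alias = strcmp(new_name, "/dev/shm") == 0 && strcmp(fname, "/run/shm") == 0;` / `if (!shm_alias && strncmp(fname, "/dev/", 5) != 0)` / `goto errexit;`. The exception is an exact match, so `/dev/shm` itself passes but any path below it (which on those platforms presumably resolves under /run/shm) still hits errexit; if that is intended, say so in the comment, e.g. `// only the /dev/shm mount point itself is exempted; paths below it must still resolve under /dev`. With this path accepted, entry->dev_dir is set while fname lies outside /dev, so whatever later consumes fname for dev entries (not visible in this hunk) needs to cope with a /run/shm target — worth confirming. fs_whitelist() begins and ends outside the hunk.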