From 1df4a7e02322e5eb662b1e745ce9dfc9b4f22f3a Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 27 Dec 2017 11:36:48 -0500 Subject: fix private-dev for Jack Audio setups - #1694 --- README | 1 + src/firejail/fs_dev.c | 96 +++++++++++++++++++++++++++++---------------------- 2 files changed, 55 insertions(+), 42 deletions(-) diff --git a/README b/README index d210bea28..10851f033 100644 --- a/README +++ b/README @@ -143,6 +143,7 @@ Daan Bakker (https://github.com/dbakker) Danil Semelenov (https://github.com/sgtpep) - blacklist the Electron Cash Wallet - blacklist s3cmd and s3fs configs + - blacklist Ethereum, Monero wallets Dara Adib (https://github.com/daradib) - ssh profile fix - evince profile fix diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index 523f319ed..cc3bc72b2 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c @@ -153,6 +153,37 @@ errexit: exit(1); } +static void empty_dev_shm(void) { + // create an empty /dev/shm directory + mkdir_attr("/dev/shm", 01777, 0, 0); + fs_logger("mkdir /dev/shm"); + fs_logger("create /dev/shm"); +} + +static void process_dev_shm(void) { + // Jack audio keeps an Unix socket under (/dev/shm/jack_default_1000_0 or /dev/shm/jack/...) + // looking for jack socket + glob_t globbuf; + int globerr = glob(RUN_DEV_DIR "/shm/jack*", GLOB_NOSORT, NULL, &globbuf); + if (globerr) { + empty_dev_shm(); + return; + } + globfree(&globbuf); + + // if we got here, it means we have a jack server installed + // mount-bind the old /dev/shm + mkdir_attr("/dev/shm", 01777, 0, 0); + int rv = mount(RUN_DEV_DIR "/shm", "/dev/shm", "none", MS_BIND, "mode=01777,gid=0"); + if (rv == -1) { + fwarning("cannot mount the old /dev/shm in private-dev\n"); + dbg_test_dir(RUN_DEV_DIR "/shm"); + empty_dev_shm(); + return; + } +} + + void fs_private_dev(void){ // install a new /dev directory if (arg_debug) @@ -199,15 +230,14 @@ void fs_private_dev(void){ fs_logger("clone /dev/log"); } } - if (mount(RUN_RO_DIR, RUN_DEV_DIR, "none", MS_BIND, "mode=400,gid=0") < 0) - errExit("disable run dev directory"); - // create /dev/shm + // bring forward the current /dev/shm directory if necessary if (arg_debug) - printf("Create /dev/shm directory\n"); - mkdir_attr("/dev/shm", 01777, 0, 0); - fs_logger("mkdir /dev/shm"); - fs_logger("create /dev/shm"); + printf("Process /dev/shm directory\n"); + process_dev_shm(); + + if (mount(RUN_RO_DIR, RUN_DEV_DIR, "none", MS_BIND, "mode=400,gid=0") < 0) + errExit("disable run dev directory"); // create default devices create_char_dev("/dev/zero", 0666, 1, 5); // mknod -m 666 /dev/zero c 1 5 @@ -269,41 +299,6 @@ void fs_private_dev(void){ } -#if 0 -void fs_dev_shm(void) { - uid_t uid = getuid(); // set a new shm only if we started as root - if (uid) - return; - - if (is_dir("/dev/shm")) { - if (arg_debug) - printf("Mounting tmpfs on /dev/shm\n"); - if (mount("tmpfs", "/dev/shm", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) - errExit("mounting /dev/shm"); - fs_logger("tmpfs /dev/shm"); - } - else { - char *lnk = realpath("/dev/shm", NULL); - if (lnk) { - if (!is_dir(lnk)) { - // create directory - mkdir_attr(lnk, 01777, 0, 0); - } - if (arg_debug) - printf("Mounting tmpfs on %s on behalf of /dev/shm\n", lnk); - if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) - errExit("mounting /var/tmp"); - fs_logger2("tmpfs", lnk); - free(lnk); - } - else { - fwarning("/dev/shm not mounted\n"); - dbg_test_dir("/dev/shm"); - } - - } -} -#endif static void disable_file_or_dir(const char *fname) { if (arg_debug) @@ -330,6 +325,23 @@ void fs_dev_disable_sound(void) { disable_file_or_dir(dev[i].dev_fname); i++; } + + // disable all jack sockets in /dev/shm + glob_t globbuf; + int globerr = glob("/dev/shm/jack*", GLOB_NOSORT, NULL, &globbuf); + if (globerr) + return; + + for (i = 0; i < globbuf.gl_pathc; i++) { + char *path = globbuf.gl_pathv[i]; + assert(path); + if (is_link(path)) { + fwarning("skipping nosound for %s because it is a symbolic link\n", path); + continue; + } + disable_file_or_dir(path); + } + globfree(&globbuf); } void fs_dev_disable_video(void) { -- cgit v1.2.3-54-g00ecf