From 376649641db6e198974360bc1aef6890f4eeb01f Mon Sep 17 00:00:00 2001 From: smitsohu Date: Fri, 6 Jul 2018 15:57:39 +0200 Subject: fix f57dd4a1437e1e6a1096012345067c2ac8bbb9d2 (mountinfo, fslogger) --- src/firejail/fs_whitelist.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 9fbe45726..24c83adee 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c @@ -281,28 +281,28 @@ static void whitelist_path(ProfileEntry *entry) { assert(wfile); // check if the file exists, confirm again there is no symlink + struct stat wfilestat; +#ifndef TEST_MOUNTINFO EUID_USER(); int fd = safe_fd(wfile, O_PATH|O_NOFOLLOW|O_CLOEXEC); + EUID_ROOT(); if (fd == -1) { free(wfile); - EUID_ROOT(); return; } - struct stat wfilestat; if (fstat(fd, &wfilestat) == -1) errExit("fstat"); + close(fd); if (S_ISLNK(wfilestat.st_mode)) { - fprintf(stderr, "Error: unexpected symbolic link %s\n", path); - exit(1); + free(wfile); + return; } - close(fd); +#endif if (arg_debug || arg_debug_whitelists) printf("Whitelisting %s\n", path); - fs_logger2("whitelist", path); // create the path if necessary - EUID_ROOT(); struct stat s; if (stat(path, &s) == -1) { mkpath(path, 0755); @@ -329,6 +329,8 @@ static void whitelist_path(ProfileEntry *entry) { } } + fs_logger2("whitelist", path); + // get a file descriptor for path; if path contains anything other than directories // or a regular file, assume it is whitelisted already int fd3 = safe_fd(path, O_PATH|O_NOFOLLOW|O_CLOEXEC); @@ -356,8 +358,8 @@ static void whitelist_path(ProfileEntry *entry) { // check the last mount operation MountData *mptr = get_last_mount(); // will do exit(1) if the mount cannot be found - if (strncmp(mptr->dir, path, strlen(path)) != 0) - errLogExit("invalid whitelist mount"); + //if (strncmp(mptr->dir, path, strlen(path)) != 0) - temporarily disabled, problems with paths that have empty spaces + // errLogExit("invalid whitelist mount"); // No mounts are allowed on top level directories. A destination such as "/etc" is very bad! // - there should be more than one '/' char in dest string if (mptr->dir == strrchr(mptr->dir, '/')) @@ -549,7 +551,7 @@ void fs_whitelist(void) { // both path and absolute path are under /home if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) == 0) { - // entire home directory is not allowed + // avoid naming issues, also entire home dirs are not allowed if (*(fname + strlen(cfg.homedir)) != '/') goto errexit; } -- cgit v1.2.3-54-g00ecf