From 571e8a53d6f083de8c6c90cdc9e6c48c31bb2702 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Sat, 7 May 2016 10:05:29 -0400 Subject: fix private-etc empty list --- src/firejail/fs_etc.c | 60 +++++++++++++++++++++------------------ src/firejail/main.c | 7 +---- src/firejail/profile.c | 7 +---- test/fs/fs.sh | 3 ++ test/fs/private-etc-empty.exp | 38 +++++++++++++++++++++++++ test/fs/private-etc-empty.profile | 1 + 6 files changed, 76 insertions(+), 40 deletions(-) create mode 100755 test/fs/private-etc-empty.exp create mode 100644 test/fs/private-etc-empty.profile diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index 1a44b1305..2ff36f5d2 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c @@ -129,40 +129,44 @@ void fs_private_etc_list(void) { errExit("chmod"); fs_logger("tmpfs /etc"); - // copy the list of files in the new etc directory - // using a new child process without root privileges fs_logger_print(); // save the current log - pid_t child = fork(); - if (child < 0) - errExit("fork"); - if (child == 0) { - if (arg_debug) - printf("Copying files in the new etc directory:\n"); - // elevate privileges - files in the new /etc directory belong to root - if (setreuid(0, 0) < 0) - errExit("setreuid"); - if (setregid(0, 0) < 0) - errExit("setregid"); - - // copy the list of files in the new home directory - char *dlist = strdup(private_list); - if (!dlist) - errExit("strdup"); - - char *ptr = strtok(dlist, ","); - duplicate(ptr); + // copy the list of files in the new etc directory + // using a new child process without root privileges + if (*private_list != '\0') { + pid_t child = fork(); + if (child < 0) + errExit("fork"); + if (child == 0) { + if (arg_debug) + printf("Copying files in the new etc directory:\n"); - while ((ptr = strtok(NULL, ",")) != NULL) + // elevate privileges - files in the new /etc directory belong to root + if (setreuid(0, 0) < 0) + errExit("setreuid"); + if (setregid(0, 0) < 0) + errExit("setregid"); + + // copy the list of files in the new home directory + char *dlist = strdup(private_list); + if (!dlist) + errExit("strdup"); + + + char *ptr = strtok(dlist, ","); duplicate(ptr); - free(dlist); - fs_logger_print(); - exit(0); + + while ((ptr = strtok(NULL, ",")) != NULL) + duplicate(ptr); + free(dlist); + fs_logger_print(); + exit(0); + } + // wait for the child to finish + waitpid(child, NULL, 0); } - // wait for the child to finish - waitpid(child, NULL, 0); - + if (arg_debug) printf("Mount-bind %s on top of /etc\n", RUN_ETC_DIR); if (mount(RUN_ETC_DIR, "/etc", NULL, MS_BIND|MS_REC, NULL) < 0) diff --git a/src/firejail/main.c b/src/firejail/main.c index 7aa81a9c5..59f500e3a 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1330,12 +1330,7 @@ int main(int argc, char **argv) { exit(1); } fs_check_etc_list(); - if (*cfg.etc_private_keep != '\0') - arg_private_etc = 1; - else { - arg_private_etc = 0; - fprintf(stderr, "Warning: private-etc disabled, no file found\n"); - } + arg_private_etc = 1; } else if (strncmp(argv[i], "--private-bin=", 14) == 0) { // extract private bin list diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 2b3984a99..095e5eecc 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -611,12 +611,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { } cfg.etc_private_keep = ptr + 12; fs_check_etc_list(); - if (*cfg.etc_private_keep != '\0') - arg_private_etc = 1; - else { - arg_private_etc = 0; - fprintf(stderr, "Warning: private-etc disabled, no file found\n"); - } + arg_private_etc = 1; return 0; } diff --git a/test/fs/fs.sh b/test/fs/fs.sh index 0fcffcb8e..b49aadf02 100755 --- a/test/fs/fs.sh +++ b/test/fs/fs.sh @@ -24,6 +24,9 @@ echo "TESTING: private (test/fs/private.exp)" echo "TESTING: private-etc (test/fs/private-etc.exp)" ./private-etc.exp +echo "TESTING: empty private-etc (test/fs/private-etc-empty.exp)" +./private-etc-empty.exp + echo "TESTING: private-bin (test/fs/private-bin.exp)" ./private-bin.exp diff --git a/test/fs/private-etc-empty.exp b/test/fs/private-etc-empty.exp new file mode 100755 index 000000000..13e917a5c --- /dev/null +++ b/test/fs/private-etc-empty.exp @@ -0,0 +1,38 @@ +#!/usr/bin/expect -f +# This file is part of Firejail project +# Copyright (C) 2014-2016 Firejail Authors +# License GPL v2 + +set timeout 30 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --private-etc=blablabla\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ls -l /etc | wc -l\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "0" +} +send -- "exit\r" +sleep 1 + +send -- "firejail --profile=private-etc-empty.profile\r" +expect { + timeout {puts "TESTING ERROR 0\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ls -l /etc | wc -l\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "0" +} + +puts "\nall done\n" diff --git a/test/fs/private-etc-empty.profile b/test/fs/private-etc-empty.profile new file mode 100644 index 000000000..38aa8cd68 --- /dev/null +++ b/test/fs/private-etc-empty.profile @@ -0,0 +1 @@ +private-etc blablabla -- cgit v1.2.3-54-g00ecf