From 7e30149e2e1d31c764673273a7e27cb38f67687d Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 28 Aug 2015 12:38:03 -0400 Subject: don't blacklist directory links, print a warning --- src/firejail/fs.c | 21 +++++++++++++-------- test/blacklist-link.exp | 50 +++++++++++++++++++++++++++++++++++++++++++++++++ test/blacklist3.profile | 1 + test/test.sh | 6 ++++++ 4 files changed, 70 insertions(+), 8 deletions(-) create mode 100755 test/blacklist-link.exp create mode 100644 test/blacklist3.profile diff --git a/src/firejail/fs.c b/src/firejail/fs.c index f4384faf7..1cfdbaea7 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -153,15 +153,20 @@ static void disable_file(OPERATION op, const char *filename, const char *emptydi // modify the file if (op == BLACKLIST_FILE) { - if (arg_debug) - printf("Disable %s\n", fname); - if (S_ISDIR(s.st_mode)) { - if (mount(emptydir, fname, "none", MS_BIND, "mode=400,gid=0") < 0) - errExit("disable file"); - } + // some distros put all executables under /usr/bin and make /bin a symbolic link + if (is_link(filename) && S_ISDIR(s.st_mode)) + fprintf(stderr, "Warning: %s directory link was not blacklisted\n", filename); else { - if (mount(emptyfile, fname, "none", MS_BIND, "mode=400,gid=0") < 0) - errExit("disable file"); + if (arg_debug) + printf("Disable %s\n", fname); + if (S_ISDIR(s.st_mode)) { + if (mount(emptydir, fname, "none", MS_BIND, "mode=400,gid=0") < 0) + errExit("disable file"); + } + else { + if (mount(emptyfile, fname, "none", MS_BIND, "mode=400,gid=0") < 0) + errExit("disable file"); + } } } else if (op == MOUNT_READONLY) { diff --git a/test/blacklist-link.exp b/test/blacklist-link.exp new file mode 100755 index 000000000..da52cae4a --- /dev/null +++ b/test/blacklist-link.exp @@ -0,0 +1,50 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +# blacklist a directory symlink +send -- "firejail --blacklist=auto2\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "directory link was not blacklisted" +} +expect { + timeout {puts "TESTING ERROR 1.1\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "file auto2\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + "symbolic link to" +} +send -- "exit\r" +sleep 1 + +# blacklist a directory symlink from a profile file +send -- "firejail --profile=blacklist3.profile\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "directory link was not blacklisted" +} +expect { + timeout {puts "TESTING ERROR 3.1\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "file auto2\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "symbolic link to" +} +send -- "exit\r" +sleep 1 + + + +puts "all done\n" + diff --git a/test/blacklist3.profile b/test/blacklist3.profile new file mode 100644 index 000000000..08f754f3f --- /dev/null +++ b/test/blacklist3.profile @@ -0,0 +1 @@ +blacklist auto2 diff --git a/test/test.sh b/test/test.sh index 8ddbc476f..8c6be8ddd 100755 --- a/test/test.sh +++ b/test/test.sh @@ -15,6 +15,12 @@ echo "TESTING: blacklist" ./blacklist.exp rm -fr dir\ with\ space +ln -s auto auto2 +echo "TESTING: blacklist directory link" +./blacklist-link.exp +rm -fr auto2 + + echo "TESTING: version" ./option_version.exp -- cgit v1.2.3-54-g00ecf