From 8073b14dddbb76f64ab5262b537847fd70018799 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Sun, 7 Oct 2018 03:03:15 +0200
Subject: clean /run/user directory

---
 src/firejail/firejail.h | 1 +
 src/firejail/restrict_users.c | 51 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 1b34a882d..40155b155 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -74,6 +74,7 @@
 #define RUN_WHITELIST_X11_DIR "/run/firejail/mnt/orig-x11"
 #define RUN_WHITELIST_HOME_DIR "/run/firejail/mnt/orig-home" // default home directory masking
+#define RUN_WHITELIST_RUN_DIR "/run/firejail/mnt/orig-run" // default run directory masking
 #define RUN_WHITELIST_HOME_USER_DIR "/run/firejail/mnt/orig-home-user" // home directory whitelisting
 #define RUN_WHITELIST_TMP_DIR "/run/firejail/mnt/orig-tmp"
 #define RUN_WHITELIST_MEDIA_DIR "/run/firejail/mnt/orig-media"
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index fa672eccb..4ffec4c7f 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -113,6 +113,56 @@ static void sanitize_home(void) {
 }
 
 
+static void sanitize_run(void) {
+ if (arg_debug)
+ printf("Cleaning /run/user directory\n");
+
+ char *runuser;
+ if (asprintf(&runuser, "/run/user/%u", getuid()) == -1)
+ errExit("asprintf");
+
+ struct stat s;
+ if (stat(runuser, &s) == -1) {
+ // cannot find /user/run/$UID directory, just return
+ if (arg_debug)
+ printf("Cannot find %s directory\n", runuser);
+ free(runuser);
+ return;
+ }
+
+ if (mkdir(RUN_WHITELIST_RUN_DIR, 0755) == -1)
+ errExit("mkdir");
+
+ // keep a copy of the /run/user/$UID directory
+ if (mount(runuser, RUN_WHITELIST_RUN_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
+ errExit("mount bind");
+
+ // mount tmpfs on /run/user
+ if (mount("tmpfs", "/run/user", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+ errExit("mount tmpfs");
+ fs_logger("tmpfs /run/user");
+
+ // create new user directory
+ if (mkdir(runuser, 0700) == -1)
+ errExit("mkdir");
+ fs_logger2("mkdir", runuser);
+
+ // set mode and ownership
+ if (set_perms(runuser, getuid(), getgid(), 0700))
+ errExit("set_perms");
+
+ // mount user home directory
+ if (mount(RUN_WHITELIST_RUN_DIR, runuser, NULL, MS_BIND|MS_REC, NULL) < 0)
+ errExit("mount bind");
+
+ // mask mirrored /run/user/$UID directory
+ if (mount("tmpfs", RUN_WHITELIST_RUN_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+ errExit("mount tmpfs");
+ fs_logger2("tmpfs", RUN_WHITELIST_RUN_DIR);
+
+ free(runuser);
+}
+
 static void sanitize_passwd(void) {
 struct stat s;
 if (stat("/etc/passwd", &s) == -1)
@@ -352,6 +402,7 @@ void restrict_users(void) {
 errExit("mount tmpfs");
 fs_logger("tmpfs /home");
 }
+ sanitize_run();
 sanitize_passwd();
 sanitize_group();
 }
-- 
cgit v1.2.3-70-g09d2
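Review bot: The stat() guard in the new sanitize_run() only checks that /run/user/$UID exists before bind-mounting it onto RUN_WHITELIST_RUN_DIR; since stat() follows symlinks and this code appears to run with elevated privileges, the guard should also require a real directory, `if (stat(runuser, &s) == -1 || !S_ISDIR(s.st_mode)) {`, and it would be prudent to additionally confirm `s.st_uid == getuid()` before mirroring it, as the bind mount is done on the caller's behalf. Two comments in the added function are misleading: `// cannot find /user/run/$UID directory, just return` has the path inverted and should read `/run/user/$UID`, and `// mount user home directory` above the second bind mount is carried over from sanitize_home and should say `// mount the saved /run/user/$UID copy on top of the new directory`. The MS_REC flag on the two fresh tmpfs mounts has no effect on a non-bind mount; dropping it from those two calls would make the intent clearer, though it is harmless. runuser is not freed on the errExit() paths, which is presumably fine if errExit terminates the process, but the early-return path is the only one that releases it explicitly.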