From 9c9506f40b6e73e7ba9acbf676b1867c2b3e407f Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Thu, 10 Nov 2016 08:12:32 -0500
Subject: bug: mkdir and mkfile are not applied to private directories

---
 src/firejail/fs.c      | 14 ++++++++++++++
 src/firejail/profile.c |  4 ++--
 src/firejail/sandbox.c |  2 +-
 src/firejail/sbox.c    |  2 +-
 4 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index dbd7eced7..4556f0a82 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -348,6 +348,20 @@ void fs_blacklist(void) {
 			ptr = entry->data + 6;
 			op = MOUNT_TMPFS;
 		}			
+		else if (strncmp(entry->data, "mkdir ", 6) == 0) {
+			EUID_USER();
+			fs_mkdir(entry->data + 6);
+			EUID_ROOT();
+			entry = entry->next;
+			continue;
+		}			
+		else if (strncmp(entry->data, "mkfile ", 7) == 0) {
+			EUID_USER();
+			fs_mkfile(entry->data + 7);
+			EUID_ROOT();
+			entry = entry->next;
+			continue;
+		}			
 		else {
 			fprintf(stderr, "Error: invalid profile line %s\n", entry->data);
 			entry = entry->next;
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index f3a7eb727..0fd45d1ef 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -105,12 +105,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 	// mkdir 
 	if (strncmp(ptr, "mkdir ", 6) == 0) {
 		fs_mkdir(ptr + 6);
-		return 0;
+		return 1;	// process mkdir again while applying blacklists
 	}
 	// mkfile 
 	if (strncmp(ptr, "mkfile ", 7) == 0) {
 		fs_mkfile(ptr + 7);
-		return 0;
+		return 1;	// process mkfile again while applying blacklists
 	}
 	// sandbox name
 	else if (strncmp(ptr, "name ", 5) == 0) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 6b7f7f003..109daf552 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -734,7 +734,7 @@ int sandbox(void* sandbox_arg) {
 		fs_whitelist();
 	
 	// ... followed by blacklist commands
-	fs_blacklist();
+	fs_blacklist(); // mkdir and mkfile are processed all over again
 	
 	//****************************
 	// install trace
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index bca72c14a..430ffb86e 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -142,7 +142,7 @@ int sbox_run(unsigned filter, int num, ...) {
 		for (i = 3; i < max; i++)
 			close(i); // close open files
 		if ((filter & SBOX_ALLOW_STDIN) == 0) {
-		int fd = open("/dev/null",O_RDWR, 0);
+			int fd = open("/dev/null",O_RDWR, 0);
 			if (fd != -1) {
 				dup2 (fd, STDIN_FILENO);
 				if (fd > 2)
-- 
cgit v1.2.3-70-g09d2