From cf70d33717a94af25ae250f0cf5ebda1f38bd27c Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 16 Aug 2016 10:52:12 -0400 Subject: overlay etc. --- README | 2 ++ RELNOTES | 2 ++ src/firejail/firejail.h | 1 + src/firejail/fs.c | 38 ++++++++++++++++++++++++++++++++++++++ src/firejail/main.c | 39 ++------------------------------------- src/man/firejail.txt | 22 +++++++++++++--------- 6 files changed, 58 insertions(+), 46 deletions(-) diff --git a/README b/README index 12bb8bf49..f27a80a34 100644 --- a/README +++ b/README @@ -39,6 +39,8 @@ Aleksey Manevich (https://github.com/manevich) - Busybox support - X11 support rewrite - gether shell selection code in one place +hamzadis (https://github.com/hamzadis) + - added --overlay-named=name and --overlay-path=path Gaman Gabriel (https://github.com/stelariusinfinitek) - inox profile Laurent Declercq (https://github.com/nuxwin) diff --git a/RELNOTES b/RELNOTES index a40808c23..4e2ad9b6c 100644 --- a/RELNOTES +++ b/RELNOTES @@ -10,6 +10,8 @@ firejail (0.9.42~rc2) baseline; urgency=low * remove environment variable (--rmenv) * noexec support (--noexec) * --overlay-clean option + * --overlay-named=name option + * --overlay-path=path option * Ubuntu snap support * include /dev/snd in --private-dev * added mkfile profile command diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 9a7f89a4a..633935108 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -326,6 +326,7 @@ void fs_proc_sys_dev_boot(void); // build a basic read-only filesystem void fs_basic_fs(void); // mount overlayfs on top of / directory +char *fs_check_overlay_dir(const char *subdirname, int allow_reuse); void fs_overlayfs(void); // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf void fs_chroot(const char *rootdir); diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 484b99537..63ffa8bff 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c 
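Review bot: In the src/firejail/firejail.h hunk the new `fs_check_overlay_dir` prototype lands between the `// mount overlayfs on top of / directory` comment and `void fs_overlayfs(void);`, so that comment now reads as the description of the wrong function. Put the declaration above the comment and give it its own, for example `// create ~/.firejail if missing and return the malloc'ed overlay path (caller frees); exits on error`. Since the function is now visible outside main.c, the comment should also say that `subdirname` is joined into the path unchanged, so callers must pass a single validated path component.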
@@ -814,6 +814,44 @@ void fs_basic_fs(void) { } + +char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) { + // create ~/.firejail directory + struct stat s; + char *dirname; + if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1) + errExit("asprintf"); + if (stat(dirname, &s) == -1) { + /* coverity[toctou] */ + if (mkdir(dirname, 0700)) + errExit("mkdir"); + if (chown(dirname, getuid(), getgid()) < 0) + errExit("chown"); + if (chmod(dirname, 0700) < 0) + errExit("chmod"); + } + else if (is_link(dirname)) { + fprintf(stderr, "Error: invalid ~/.firejail directory\n"); + exit(1); + } + + free(dirname); + + // check overlay directory + if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1) + errExit("asprintf"); + if (allow_reuse == 0) { + if (stat(dirname, &s) == 0) { + fprintf(stderr, "Error: overlay directory already exists: %s\n", dirname); + exit(1); + } + } + + return dirname; +} + + + // mount overlayfs on top of / directory // mounting an overlay and chrooting into it: // diff --git a/src/firejail/main.c b/src/firejail/main.c index 1fa68e2f4..4946db2bd 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
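Review bot: The `stat`/`mkdir`/`chown`/`chmod` sequence on `~/.firejail` works on a path name inside the user's home directory, so the object that was checked is not guaranteed to be the object that is changed; the `/* coverity[toctou] */` marker silences the finding rather than fixing it. If this code runs with more privilege than the calling user, which the `chown(dirname, getuid(), getgid())` call suggests, `chown` and `chmod` follow a symlink placed at that path, and `is_link` is consulted only when the directory already existed. Opening the directory once with `O_DIRECTORY | O_NOFOLLOW` and using `fstat`, `fchown` and `fchmod` on the descriptor closes that window, as sketched below. The overlay subdirectory has the same gap: with `allow_reuse` set, nothing in this function checks what an existing path is, so type and ownership should be verified before it is used as an overlay.

```c
	// … unchanged: asprintf() of "%s/.firejail" into dirname …
	int created = 0;
	if (mkdir(dirname, 0700) == 0)
		created = 1;
	else if (errno != EEXIST)
		errExit("mkdir");

	// O_NOFOLLOW rejects a symlink, O_DIRECTORY anything that is not a directory
	int fd = open(dirname, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
	if (fd == -1) {
		fprintf(stderr, "Error: invalid ~/.firejail directory\n");
		exit(1);
	}
	if (fstat(fd, &s) == -1)
		errExit("fstat");
	if (created) {
		// act on the descriptor, not on the path name
		if (fchown(fd, getuid(), getgid()) < 0)
			errExit("fchown");
		if (fchmod(fd, 0700) < 0)
			errExit("fchmod");
	}
	else if (s.st_uid != getuid()) {
		// an existing directory must already belong to the calling user
		fprintf(stderr, "Error: invalid ~/.firejail directory\n");
		exit(1);
	}
	close(fd);
	// … unchanged: free(dirname) and the overlay directory check …
```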
@@ -704,41 +704,6 @@ static void delete_x11_file(pid_t pid) { free(fname); } -static char *create_and_check_overlay_dir(const char *subdirname, int allow_reuse) { - // create ~/.firejail directory - struct stat s; - char *dirname; - if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1) - errExit("asprintf"); - if (stat(dirname, &s) == -1) { - /* coverity[toctou] */ - if (mkdir(dirname, 0700)) - errExit("mkdir"); - if (chown(dirname, getuid(), getgid()) < 0) - errExit("chown"); - if (chmod(dirname, 0700) < 0) - errExit("chmod"); - } - else if (is_link(dirname)) { - fprintf(stderr, "Error: invalid ~/.firejail directory\n"); - exit(1); - } - - free(dirname); - - // check overlay directory - if (asprintf(&dirname, "%s/.firejail/%s", cfg.homedir, subdirname) == -1) - errExit("asprintf"); - if (allow_reuse == 0) { - if (stat(dirname, &s) == 0) { - fprintf(stderr, "Error: overlay directory already exists: %s\n", dirname); - exit(1); - } - } - - return dirname; -} - static void detect_quiet(int argc, char **argv) { int i; @@ -1329,7 +1294,7 @@ int main(int argc, char **argv) { char *subdirname; if (asprintf(&subdirname, "%d", getpid()) == -1) errExit("asprintf"); - cfg.overlay_dir = create_and_check_overlay_dir(subdirname, arg_overlay_reuse); + cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); free(subdirname); } @@ -1352,7 +1317,7 @@ int main(int argc, char **argv) { fprintf(stderr, "Error: invalid overlay option\n"); exit(1); } - cfg.overlay_dir = create_and_check_overlay_dir(subdirname, arg_overlay_reuse); + cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); } else if (strncmp(argv[i], "--overlay-path=", 15) == 0) { if (cfg.chrootdir) { diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 3cc9a8401..732d14624 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
@@ -994,12 +994,13 @@ $ ls -l sandboxlog* \fB\-\-overlay Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, the system directories are mounted read-write. All filesystem modifications go into the overlay. -The overlay is stored in $HOME/.firejail/ directory. This option is not available on Grsecurity systems. +The overlay is stored in $HOME/.firejail/ directory. .br .br OverlayFS support is required in Linux kernel for this option to work. -OverlayFS was officially introduced in Linux kernel version 3.18 +OverlayFS was officially introduced in Linux kernel version 3.18. +This option is not available on Grsecurity systems. .br .br @@ -1012,12 +1013,13 @@ $ firejail \-\-overlay firefox Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, the system directories are mounted read-write. All filesystem modifications go into the overlay. The overlay is stored in $HOME/.firejail/ directory. The created overlay can be reused between multiple -sessions. This option is not available on Grsecurity systems. +sessions. .br .br OverlayFS support is required in Linux kernel for this option to work. -OverlayFS was officially introduced in Linux kernel version 3.18 +OverlayFS was officially introduced in Linux kernel version 3.18. +This option is not available on Grsecurity systems. .br .br 
@@ -1030,12 +1032,12 @@ $ firejail \-\-overlay-named=jail1 firefox Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container, the system directories are mounted read-write. All filesystem modifications go into the overlay. The overlay is stored in the specified path. The created overlay can be reused between multiple sessions. -This option is not available on Grsecurity systems. .br .br OverlayFS support is required in Linux kernel for this option to work. -OverlayFS was officially introduced in Linux kernel version 3.18 +OverlayFS was officially introduced in Linux kernel version 3.18. +This option is not available on Grsecurity systems. .br .br @@ -1046,12 +1048,13 @@ $ firejail \-\-overlay-path=~/jails/jail1 firefox .TP \fB\-\-overlay-tmpfs Mount a filesystem overlay on top of the current filesystem. All filesystem modifications go into the overlay, -and are discarded when the sandbox is closed. This option is not available on Grsecurity systems. +and are discarded when the sandbox is closed. .br .br OverlayFS support is required in Linux kernel for this option to work. -OverlayFS was officially introduced in Linux kernel version 3.18 +OverlayFS was officially introduced in Linux kernel version 3.18. +This option is not available on Grsecurity systems. .br .br @@ -1061,7 +1064,8 @@ $ firejail \-\-overlay-tmpfs firefox .TP \fB\-\-overlay-clean -Clean all overlays stored in $HOME/.firejail directory. +Clean all overlays stored in $HOME/.firejail directory. Overlays created with --overlay-path=path +outside $HOME/.firejail will not be deleted. .br .br -- cgit v1.2.3-70-g09d2