From 4b41e0c27ba4727fccba5009b3bf7085fb132846 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Thu, 24 Feb 2022 19:29:19 +0100
Subject: fix --whitelist=/run/*
---
 src/firejail/fs_whitelist.c | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)
(limited to 'src')
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index c515b59f5..2acde5837 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -592,10 +592,6 @@ void fs_whitelist(void) {
 if (strstr(new_name, ".."))
 whitelist_error(new_name);
- // /run/firejail is not allowed
- if (strncmp(new_name, RUN_FIREJAIL_DIR, strlen(RUN_FIREJAIL_DIR)) == 0)
- whitelist_error(new_name);
-
 TopDir *current_top = NULL;
 if (!nowhitelist_flag) {
 // extract whitelist top level directory
@@ -617,6 +613,13 @@ void fs_whitelist(void) {
 free(dir);
 }
+ // /run/firejail directory is internal and not allowed
+ if (strncmp(new_name, RUN_FIREJAIL_DIR, strlen(RUN_FIREJAIL_DIR)) == 0) {
+ entry = entry->next;
+ free(new_name);
+ continue;
+ }
+
 // extract resolved path of the file
 // realpath function will fail with ENOENT if the file is not found or with EACCES if user has no permission
 // special processing for /dev/fd, /dev/stdin, /dev/stdout and /dev/stderr
@@ -653,9 +656,13 @@ void fs_whitelist(void) {
 continue;
 }
- // /run/firejail is not allowed
- if (strncmp(fname, RUN_FIREJAIL_DIR, strlen(RUN_FIREJAIL_DIR)) == 0)
- whitelist_error(fname);
+ // /run/firejail directory is internal and not allowed
+ if (strncmp(fname, RUN_FIREJAIL_DIR, strlen(RUN_FIREJAIL_DIR)) == 0) {
+ entry = entry->next;
+ free(new_name);
+ free(fname);
+ continue;
+ }
 if (nowhitelist_flag) {
 // store the path in nowhitelist array
--
cgit v1.2.3-70-g09d2
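Review bot: The added `strncmp(new_name, RUN_FIREJAIL_DIR, strlen(RUN_FIREJAIL_DIR)) == 0` test in the second hunk is a bare prefix match, so unless RUN_FIREJAIL_DIR ends in a slash (its definition is not part of this diff) it also matches sibling names that merely begin with the same characters. Before this commit such a path ended in `whitelist_error`; now the entry is skipped without any message, so a legitimate whitelist line can disappear unnoticed. Comparing on a path-component boundary avoids that: `size_t n = strlen(RUN_FIREJAIL_DIR);` followed by `if (strncmp(new_name, RUN_FIREJAIL_DIR, n) == 0 && (new_name[n] == '/' || new_name[n] == '\0')) {`. The `fname` comparison in the third hunk needs the same boundary test. The enclosing loop of fs_whitelist starts and ends outside the hunks.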
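Review bot: The `fname` branch in the third hunk now drops the entry with no diagnostic, and after this commit it looks reachable only when the unresolved `new_name` already passed the earlier check, i.e. when path resolution (a symlink, for instance) led into the internal directory. The old code aborted at this point, which at least made that situation visible to whoever runs the sandbox. A message placed before the two `free` calls keeps the quiet skip for the `/run/*` glob case and still leaves a trace for this one: `fprintf(stderr, "Warning: %s resolves into the internal firejail directory, skipping\n", new_name);`. The code between the two checks is not shown in the diff, so the reachability assumption should be confirmed against the full function.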