From 6144229605177764b7f3f3450c1a47f56595dc9e Mon Sep 17 00:00:00 2001
From: netblue30
Date: Thu, 27 Oct 2016 10:16:07 -0400
Subject: security: overwrite /etc/resolv.conf
---
 src/firejail/main.c | 8 ++++++++
 src/firejail/util.c | 8 +++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/firejail/main.c b/src/firejail/main.c
index b5a97c71e..f41d5fcd3 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1605,6 +1605,14 @@ int main(int argc, char **argv) {
 return 1;
 }
+ // don't allow "--chroot=/"
+ char *rpath = realpath(cfg.chrootdir, NULL);
+ if (rpath == NULL || strcmp(rpath, "/") == 0) {
+ fprintf(stderr, "Error: invalid chroot directory\n");
+ exit(1);
+ }
+ free(rpath);
+
 // check chroot directory structure
 if (fs_check_chroot_dir(cfg.chrootdir)) {
 fprintf(stderr, "Error: invalid chroot\n");
diff --git a/src/firejail/util.c b/src/firejail/util.c
index f38b02fd0..4b2e09953 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -171,11 +171,17 @@ void logerr(const char *msg) {
 }
-// return -1 if error, 0 if no error
+// return -1 if error, 0 if no error; if destname already exists, return error
 int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) {
 assert(srcname);
 assert(destname);
+ struct stat s;
+ if (stat(destname, &s) == 0) {
+ fprintf(stderr, "Error: file %s already exists\n", destname);
+ return -1;
+ }
+
 // open source
 int src = open(srcname, O_RDONLY);
 if (src < 0) {
-- cgit v1.2.3-70-g09d2
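Review bot: In the main.c hunk the canonical path from `realpath(cfg.chrootdir, NULL)` is used only for the `"/"` comparison and then freed, while the very next call, `fs_check_chroot_dir(cfg.chrootdir)`, still receives the unresolved string. The path that was validated and the path that is later used can therefore differ if a symlink component of the user-supplied directory changes in between. Keeping the resolved path closes that gap: replace `free(rpath);` with `cfg.chrootdir = rpath;`, after confirming who owns the previous string, which is not visible here. The comment could also say why `/` is rejected, e.g. `// a chroot of "/" would let sandbox setup write into the real root filesystem`. The body of main continues outside the hunk, so later uses of `cfg.chrootdir` need the same check.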
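Review bot: The `stat(destname, &s)` pre-check added to copy_file in util.c is not atomic with the later creation of the destination, and because `stat()` follows symlinks, a dangling symlink at `destname` returns ENOENT and passes the check. The destination open lies outside the hunk, so this is inferred, but the guarantee belongs on that call: `open(destname, O_WRONLY | O_CREAT | O_EXCL, mode)` fails with EEXIST for any existing entry, symlinks included, in a single step. If the pre-check is kept for its error message, `lstat()` matches the comment's "already exists" more closely than `stat()`. Callers that previously relied on copy_file overwriting now get -1, so their return-value handling is worth checking in the same change.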