From 8e36b250be87422bf3ea01628c09da14c71b1686 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Sun, 14 Mar 2021 01:44:15 +0100
Subject: simplify initial /home and /run/user cleaning
mount without stash locations, only using the file descriptors
---
 src/firejail/restrict_users.c | 63 +++++++++++++++++--------------------------
 src/include/rundefs.h | 2 --
 2 files changed, 24 insertions(+), 41 deletions(-)
(limited to 'src')
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index f86f39397..a0ca4c02c 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -72,7 +72,7 @@ static void sanitize_home(void) {
 if (arg_debug)
 printf("Cleaning /home directory\n");
- // keep a copy of the user home directory
+ // open user home directory in order to keep it around
 int fd = safe_fd(cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
 if (fd == -1)
 goto errout;
@@ -82,25 +82,16 @@ static void sanitize_home(void) {
 close(fd);
 goto errout;
 }
- char *proc;
- if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
- errExit("asprintf");
- if (mkdir(RUN_WHITELIST_HOME_DIR, 0755) == -1)
- errExit("mkdir");
- if (mount(proc, RUN_WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
- errExit("mount bind");
- free(proc);
- close(fd);
- // mount tmpfs in the new home
+ // mount tmpfs on /home
 if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0)
 errExit("mount tmpfs");
 selinux_relabel_path("/home", "/home");
 fs_logger("tmpfs /home");
- // create user home directory
+ // create new user home directory
 if (mkdir(cfg.homedir, 0755) == -1) {
- if (mkpath_as_root(cfg.homedir))
+ if (mkpath_as_root(cfg.homedir) == -1)
 errExit("mkpath");
 if (mkdir(cfg.homedir, 0755) == -1)
 errExit("mkdir");
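Review bot: Once `mount("tmpfs", "/home", ...)` succeeds, the real home directory exists for this process only as the O_PATH descriptor `fd` opened in the previous hunk, and nothing in this hunk says so — a reader sees a descriptor that is neither used nor closed here. Suggest `// from here on the real home is reachable only through fd; every failure below calls errExit(), so fd needs no cleanup on error paths` above the tmpfs mount. The new `mkpath_as_root(cfg.homedir) == -1` test also assumes -1 is that helper's only failure value, which is plausible from its name but not visible here. sanitize_home starts before this hunk, and the bind of `fd` back onto cfg.homedir happens in a later one.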
@@ -112,17 +103,17 @@ static void sanitize_home(void) {
 errExit("set_perms");
 selinux_relabel_path(cfg.homedir, cfg.homedir);
- // mount user home directory
- if (mount(RUN_WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
+ // bring back real user home directory
+ char *proc;
+ if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+ errExit("asprintf");
+ if (mount(proc, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
 errExit("mount bind");
+ free(proc);
+ close(fd);
- // mask home dir under /run
- if (mount("tmpfs", RUN_WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0)
- errExit("mount tmpfs");
- fs_logger2("tmpfs", RUN_WHITELIST_HOME_DIR);
 if (!arg_private)
 fs_logger2("whitelist", cfg.homedir);
-
 return;
 errout:
@@ -137,22 +128,15 @@ static void sanitize_run(void) {
 if (asprintf(&runuser, "/run/user/%u", getuid()) == -1)
 errExit("asprintf");
- struct stat s;
- if (stat(runuser, &s) == -1) {
- // cannot find /user/run/$UID directory, just return
+ // open /run/user/$UID directory in order to keep it around
+ int fd = open(runuser, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+ if (fd == -1) {
 if (arg_debug)
- printf("Cannot find %s directory\n", runuser);
+ printf("Cannot open %s directory\n", runuser);
 free(runuser);
 return;
 }
- if (mkdir(RUN_WHITELIST_RUN_DIR, 0755) == -1)
- errExit("mkdir");
-
- // keep a copy of the /run/user/$UID directory
- if (mount(runuser, RUN_WHITELIST_RUN_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
- errExit("mount bind");
-
 // mount tmpfs on /run/user
 if (mount("tmpfs", "/run/user", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0)
 errExit("mount tmpfs");
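Review bot: The asprintf/mount/free sequence that turns `fd` into `/proc/self/fd/%d` and bind-mounts it onto `cfg.homedir` is repeated verbatim for /run/user later in the same commit, so the two copies can drift; factor it into one static helper that both callers use. The helper is also the single place to note that this technique depends on /proc being mounted in the current mount namespace — if it is not, mount() fails with ENOENT and errExit() aborts, which is the safe direction but deserves a comment. The descriptor is opened and checked in earlier hunks, and the `errout:` label's body continues past this one.

```c
// Bind-mount the directory behind fd (an O_PATH descriptor) onto target.
// Relies on /proc being mounted here; without it mount() fails and errExit() aborts.
static void bind_mount_fd(int fd, const char *target) {
	char *proc;
	if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
		errExit("asprintf");
	if (mount(proc, target, NULL, MS_BIND|MS_REC, NULL) < 0)
		errExit("mount bind");
	free(proc);
}

// … in sanitize_home, replacing the inline asprintf/mount/free block …
	// bring back real user home directory
	bind_mount_fd(fd, cfg.homedir);
	close(fd);
```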
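Review bot: A failed `open()` is treated as "directory does not exist" and the function returns before the tmpfs is mounted over /run/user, so on any other error — a symlink at `/run/user/$UID` (ELOOP from O_NOFOLLOW), EACCES, EMFILE — /run/user is left unmasked in the sandbox. The old `stat()` path had the same shape, but the switch to an O_PATH open adds failure modes, so distinguish the one legitimate case: `if (fd == -1) { if (errno != ENOENT) errExit("open"); ...` ahead of the existing debug message and return. A one-line comment on why plain `open()` suffices here while sanitize_home uses `safe_fd()` would also help — presumably because `/run/user` is a root-owned path built from getuid(), but that is inferred rather than visible in the hunk. sanitize_run starts before this hunk and continues after it.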
@@ -162,22 +146,23 @@ static void sanitize_run(void) {
 // create new user directory
 if (mkdir(runuser, 0700) == -1)
 errExit("mkdir");
- selinux_relabel_path(runuser, runuser);
 fs_logger2("mkdir", runuser);
 // set mode and ownership
 if (set_perms(runuser, getuid(), getgid(), 0700))
 errExit("set_perms");
+ selinux_relabel_path(runuser, runuser);
- // mount /run/user/$UID directory
- if (mount(RUN_WHITELIST_RUN_DIR, runuser, NULL, MS_BIND|MS_REC, NULL) < 0)
+ // bring back real run/user/$UID directory
+ char *proc;
+ if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+ errExit("asprintf");
+ if (mount(proc, runuser, NULL, MS_BIND|MS_REC, NULL) < 0)
 errExit("mount bind");
+ free(proc);
+ close(fd);
- // mask mirrored /run/user/$UID directory
- if (mount("tmpfs", RUN_WHITELIST_RUN_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0)
- errExit("mount tmpfs");
- fs_logger2("tmpfs", RUN_WHITELIST_RUN_DIR);
-
+ fs_logger2("whitelist", runuser);
 free(runuser);
 }
diff --git a/src/include/rundefs.h b/src/include/rundefs.h
index 5749c66e4..d14f6782f 100644
--- a/src/include/rundefs.h
+++ b/src/include/rundefs.h
@@ -84,8 +84,6 @@
 #define RUN_DEVLOG_FILE RUN_MNT_DIR "/devlog"
 #define RUN_WHITELIST_X11_DIR RUN_MNT_DIR "/orig-x11"
-#define RUN_WHITELIST_HOME_DIR RUN_MNT_DIR "/orig-home" // default home directory masking
-#define RUN_WHITELIST_RUN_DIR RUN_MNT_DIR "/orig-run" // default run directory masking
 #define RUN_WHITELIST_HOME_USER_DIR RUN_MNT_DIR "/orig-home-user" // home directory whitelisting
 #define RUN_WHITELIST_RUN_USER_DIR RUN_MNT_DIR "/orig-run-user" // run directory whitelisting
 #define RUN_WHITELIST_TMP_DIR RUN_MNT_DIR "/orig-tmp"
-- 
cgit v1.2.3-54-g00ecf
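Review bot: The new comment `// bring back real run/user/$UID directory` drops the leading slash; `// bring back real /run/user/$UID directory` matches the path the function builds with asprintf. `fs_logger2("whitelist", runuser)` is unconditional here while the home equivalent in the same commit is guarded by `!arg_private`; if that asymmetry is intended, a short comment saying so spares the next reader the comparison. Moving `selinux_relabel_path` after `set_perms` is likewise unexplained — if the intent is to label the directory only once its ownership and mode are final, say so, e.g. `// relabel after set_perms so the label applies to the final directory state`. sanitize_run starts before this hunk; the rundefs.h hunk below only deletes the now-unused stash-location macros.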