From 931ed3f6449f70d467f23741321e815263ca22af Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sun, 22 Nov 2015 09:40:05 -0500
Subject: fixes
---
 src/firejail/fs.c | 21 ++++++++++++++++++---
 src/firejail/main.c | 9 +++++++++
 src/firejail/restrict_users.c | 1 -
 src/firejail/sandbox.c | 5 ++++-
 4 files changed, 31 insertions(+), 5 deletions(-)
(limited to 'src')
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index ad84b2222..c6dfdec30 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -56,7 +56,7 @@ static void create_empty_file(void) {
 }
 }
-// build /tmp/firejail directory
+// build /run/firejail directory
 void fs_build_firejail_dir(void) {
 struct stat s;
@@ -86,11 +86,16 @@ void fs_build_firejail_dir(void) {
 // build /tmp/firejail/mnt directory
 static int tmpfs_mounted = 0;
+static void fs_build_remount_mnt_dir(void) {
+ tmpfs_mounted = 0;
+ fs_build_mnt_dir();
+}
+
 void fs_build_mnt_dir(void) {
 struct stat s;
 fs_build_firejail_dir();
- // create /tmp/firejail directory
+ // create /run/firejail/mnt directory
 if (stat(MNT_DIR, &s)) {
 if (arg_debug)
 printf("Creating %s directory\n", MNT_DIR);
@@ -106,7 +111,7 @@ void fs_build_mnt_dir(void) {
 // ... and mount tmpfs on top of it
 if (!tmpfs_mounted) {
- // mount tmpfs on top of /tmp/firejail/mnt
+ // mount tmpfs on top of /run/firejail/mnt
 if (arg_debug)
 printf("Mounting tmpfs on %s directory\n", MNT_DIR);
 if (mount("tmpfs", MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
@@ -533,6 +538,14 @@ void fs_proc_sys_dev_boot(void) {
 errExit("mounting /boot directory");
 }
+ // disable /selinux
+ if (stat("/selinux", &s) == 0) {
+ if (arg_debug)
+ printf("Mounting a new /selinux directory\n");
+ if (mount("tmpfs", "/selinux", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0)
+ errExit("mounting /selinux directory");
+ }
+
 // disable /dev/port
 if (stat("/dev/port", &s) == 0) {
 disable_file(BLACKLIST_FILE, "/dev/port");
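Review bot: The new `fs_build_remount_mnt_dir()` in the `@@ -86,11 +86,16 @@` hunk of src/firejail/fs.c has no comment saying when it may be called, and the `// build /tmp/firejail/mnt directory` line above `tmpfs_mounted` was left stale while the neighbouring comments were moved to /run. I would add `// force a fresh tmpfs on MNT_DIR; only for callers whose earlier mount is no longer visible (e.g. after chroot)` above the helper and change the stale line to `// build /run/firejail/mnt directory`. The helper also calls `fs_build_mnt_dir()` above its definition, so it relies on a prototype from a header that is not part of this patch.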
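Review bot: In the `@@ -533,6 +538,14 @@` hunk the tmpfs that hides /selinux is mounted with `mode=777` and no sticky bit, which leaves a world-writable directory inside the sandbox, whereas the MNT_DIR mount earlier in this file uses `mode=755,gid=0`. Since the stated purpose is to disable /selinux, a non-writable mount fits better: `"mode=755,gid=0"` as the data argument, with `MS_NOEXEC` added to the flags. How the neighbouring /boot mount is configured is outside the hunk, so check whether it carries the same mode. fs_proc_sys_dev_boot's body continues outside the hunk.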
@@ -818,6 +831,8 @@ void fs_chroot(const char *rootdir) {
 printf("Chrooting into %s\n", rootdir);
 if (chroot(rootdir) < 0)
 errExit("chroot");
+ // mount a new tmpfs in /run/firejail/mnt - the old one was lost in chroot
+ fs_build_remount_mnt_dir();
 // update /var directory in order to support multiple sandboxes running on the same root directory
 if (!arg_private_dev)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index c55d87364..1495d7516 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1285,6 +1285,15 @@ int main(int argc, char **argv) {
 if (pipe(child_to_parent_fds) < 0)
 errExit("pipe");
+ if (arg_noroot && arg_overlay) {
+ fprintf(stderr, "Warning: --overlay and --noroot are mutually exclusive, noroot disabled\n");
+ arg_noroot = 0;
+ }
+ else if (arg_noroot && cfg.chrootdir) {
+ fprintf(stderr, "Warning: --overlay and --chroot are mutually exclusive, noroot disabled\n");
+ arg_noroot = 0;
+ }
+
 // clone environment
 int flags = CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD;
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index c0a14ff6f..d2d106f27 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -293,7 +293,6 @@ static void sanitize_group(void) {
 if ((gid_t) gid != mygid) {
 continue; // skip line
 }
- fprintf(fpout, "%s", buf);
 if (copy_line(fpout, buf, ptr))
 goto errout;
 }
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index c105894bb..dd444f0b9 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -300,6 +300,9 @@ int sandbox(void* sandbox_arg) {
 #ifdef HAVE_CHROOT
 if (cfg.chrootdir) {
 fs_chroot(cfg.chrootdir);
+ // redo cp command
+ fs_build_cp_command();
+
 // force caps and seccomp if not started as root
 if (getuid() != 0) {
 // force default seccomp inside the chroot, no keep or drop list
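Review bot: The `fs_build_remount_mnt_dir()` call added after `chroot(rootdir)` resolves MNT_DIR inside the new root, and the lines of `fs_build_mnt_dir()` visible in this patch only `stat(MNT_DIR, &s)` before mounting, which follows symlinks and accepts any existing entry. If rootdir can be owned by an unprivileged user, fs_build_mnt_dir should check the mount point first, for example `if (lstat(MNT_DIR, &s) == 0 && (!S_ISDIR(s.st_mode) || s.st_uid != 0)) errExit("invalid mnt directory");`. The validation of rootdir and the rest of fs_chroot lie outside the hunk, so this may already be enforced there.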
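Review bot: The second warning in the `@@ -1285,6 +1285,15 @@` hunk of src/firejail/main.c names the wrong option: the branch tests `arg_noroot && cfg.chrootdir` but prints `--overlay and --chroot`. It should read `fprintf(stderr, "Warning: --noroot and --chroot are mutually exclusive, noroot disabled\n");`. Both branches also carry on with noroot switched off, so a user who asked for that hardening gets a weaker sandbox with only a line on stderr; consider whether exiting is the safer default. main's body continues outside the hunk.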
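Review bot: The comment `// redo cp command` in the `@@ -300,6 +300,9 @@` hunk of src/firejail/sandbox.c does not say why the call is repeated. Presumably the helper prepared earlier was lost when fs_chroot() remounted the tmpfs on MNT_DIR; if so, say it: `// fs_chroot() remounted MNT_DIR, rebuild the cp helper inside the chroot`. fs_build_cp_command() is not shown in this patch, so confirm where it takes its source binary from once the process is inside rootdir, since this call runs before the caps/seccomp block that follows it.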
@@ -336,7 +339,7 @@ int sandbox(void* sandbox_arg) {
 }
 else
 #endif
- if (arg_overlay)
+ if (arg_overlay)
 fs_overlayfs();
 else
 fs_basic_fs();
--
cgit v1.2.3-54-g00ecf