From a67dd36c4bf86536a163975fdb53db078e6bfed9 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 11 Jun 2018 12:55:56 -0400 Subject: removed CFG_CHROOT_DESKTOP config option --- src/firejail/checkcfg.c | 8 --- src/firejail/firejail.h | 1 - src/firejail/fs.c | 138 +++++++++++++++++++++++------------------------- 3 files changed, 67 insertions(+), 80 deletions(-) (limited to 'src') diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index ac3ad7cd8..68e93e16e 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -331,14 +331,6 @@ int checkcfg(int val) { else goto errout; } - else if (strncmp(ptr, "chroot-desktop ", 15) == 0) { - if (strcmp(ptr + 15, "yes") == 0) - cfg_val[CFG_CHROOT_DESKTOP] = 1; - else if (strcmp(ptr + 15, "no") == 0) - cfg_val[CFG_CHROOT_DESKTOP] = 0; - else - goto errout; - } else if (strncmp(ptr, "private-bin-no-local ", 21) == 0) { if (strcmp(ptr + 21, "yes") == 0) cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 1; diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 18d66b983..e2a780d77 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -740,7 +740,6 @@ enum { CFG_WHITELIST, CFG_XEPHYR_WINDOW_TITLE, CFG_OVERLAYFS, - CFG_CHROOT_DESKTOP, CFG_PRIVATE_HOME, CFG_PRIVATE_BIN_NO_LOCAL, CFG_FIREJAIL_PROMPT, diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 4e411c5ee..2546ab0bb 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -1199,63 +1199,61 @@ void fs_check_chroot_dir(const char *rootdir) { void fs_chroot(const char *rootdir) { assert(rootdir); - if (checkcfg(CFG_CHROOT_DESKTOP)) { - // mount-bind a /dev in rootdir - char *newdev; - if (asprintf(&newdev, "%s/dev", rootdir) == -1) + // mount-bind a /dev in rootdir + char *newdev; + if (asprintf(&newdev, "%s/dev", rootdir) == -1) + errExit("asprintf"); + if (arg_debug) + printf("Mounting /dev on %s\n", newdev); + if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mounting /dev"); + free(newdev); + + // x11 + if (getenv("FIREJAIL_X11")) { + char *newx11; + if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1) errExit("asprintf"); if (arg_debug) - printf("Mounting /dev on %s\n", newdev); - if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mounting /dev"); - free(newdev); - - // x11 - if (getenv("FIREJAIL_X11")) { - char *newx11; - if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1) - errExit("asprintf"); - if (arg_debug) - printf("Mounting /tmp/.X11-unix on %s\n", newx11); - if (mount("/tmp/.X11-unix", newx11, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mounting /tmp/.X11-unix"); - free(newx11); - } + printf("Mounting /tmp/.X11-unix on %s\n", newx11); + if (mount("/tmp/.X11-unix", newx11, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mounting /tmp/.X11-unix"); + free(newx11); + } - // some older distros don't have a /run directory - // create one by default - // create /run/firejail directory in chroot - char *rundir; - if (asprintf(&rundir, "%s/run", rootdir) == -1) - errExit("asprintf"); - if (is_link(rundir)) { - fprintf(stderr, "Error: invalid run directory inside chroot\n"); - exit(1); - } - create_empty_dir_as_root(rundir, 0755); - free(rundir); - if (asprintf(&rundir, "%s/run/firejail", rootdir) == -1) - errExit("asprintf"); - create_empty_dir_as_root(rundir, 0755); - free(rundir); + // some older distros don't have a /run directory + // create one by default + // create /run/firejail directory in chroot + char *rundir; + if (asprintf(&rundir, "%s/run", rootdir) == -1) + errExit("asprintf"); + if (is_link(rundir)) { + fprintf(stderr, "Error: invalid run directory inside chroot\n"); + exit(1); + } + create_empty_dir_as_root(rundir, 0755); + free(rundir); + if (asprintf(&rundir, "%s/run/firejail", rootdir) == -1) + errExit("asprintf"); + create_empty_dir_as_root(rundir, 0755); + free(rundir); - // create /run/firejail/mnt directory in chroot and mount the current one - if (asprintf(&rundir, "%s%s", rootdir, RUN_MNT_DIR) == -1) - errExit("asprintf"); - create_empty_dir_as_root(rundir, 0755); - if (mount(RUN_MNT_DIR, rundir, NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind"); + // create /run/firejail/mnt directory in chroot and mount the current one + if (asprintf(&rundir, "%s%s", rootdir, RUN_MNT_DIR) == -1) + errExit("asprintf"); + create_empty_dir_as_root(rundir, 0755); + if (mount(RUN_MNT_DIR, rundir, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mount bind"); - // copy /etc/resolv.conf in chroot directory - char *fname; - if (asprintf(&fname, "%s/etc/resolv.conf", rootdir) == -1) - errExit("asprintf"); - if (arg_debug) - printf("Updating /etc/resolv.conf in %s\n", fname); - unlink(fname); - if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1) // root needed - fwarning("/etc/resolv.conf not initialized\n"); - } + // copy /etc/resolv.conf in chroot directory + char *fname; + if (asprintf(&fname, "%s/etc/resolv.conf", rootdir) == -1) + errExit("asprintf"); + if (arg_debug) + printf("Updating /etc/resolv.conf in %s\n", fname); + unlink(fname); + if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1) // root needed + fwarning("/etc/resolv.conf not initialized\n"); // chroot into the new directory #ifdef HAVE_GCOV @@ -1275,30 +1273,28 @@ void fs_chroot(const char *rootdir) { // create all other /run/firejail files and directories preproc_build_firejail_dir(); - if (checkcfg(CFG_CHROOT_DESKTOP)) { - // update /var directory in order to support multiple sandboxes running on the same root directory + // update /var directory in order to support multiple sandboxes running on the same root directory // if (!arg_private_dev) // fs_dev_shm(); - fs_var_lock(); - if (!arg_keep_var_tmp) - fs_var_tmp(); - if (!arg_writable_var_log) - fs_var_log(); - else - fs_rdwr("/var/log"); + fs_var_lock(); + if (!arg_keep_var_tmp) + fs_var_tmp(); + if (!arg_writable_var_log) + fs_var_log(); + else + fs_rdwr("/var/log"); - fs_var_lib(); - fs_var_cache(); - fs_var_utmp(); - fs_machineid(); + fs_var_lib(); + fs_var_cache(); + fs_var_utmp(); + fs_machineid(); - // don't leak user information - restrict_users(); + // don't leak user information + restrict_users(); - // when starting as root, firejail config is not disabled; - if (getuid() != 0) - disable_config(); - } + // when starting as root, firejail config is not disabled; + if (getuid() != 0) + disable_config(); } #endif -- cgit v1.2.3-54-g00ecf