From ac39cb31334c7951a97c4fc9b295c39924cd7427 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 10 Dec 2015 13:49:30 -0500 Subject: fixes --- src/firejail/fs_etc.c | 30 ++++++++++++++++++++++-------- src/firejail/fs_trace.c | 6 +++--- src/firejail/main.c | 23 ++++++++++++++++++++++- src/firejail/profile.c | 8 +++++++- src/firejail/sandbox.c | 6 +++++- 5 files changed, 59 insertions(+), 14 deletions(-) (limited to 'src') diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index df0e92203..b82baf1ad 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c @@ -24,7 +24,8 @@ #include #include -static void check_dir_or_file(const char *name) { +// return 0 if file not found, 1 if found +static int check_dir_or_file(const char *name) { assert(name); invalid_filename(name); @@ -35,19 +36,20 @@ static void check_dir_or_file(const char *name) { if (arg_debug) printf("Checking %s\n", fname); if (stat(fname, &s) == -1) { - fprintf(stderr, "Error: file %s not found.\n", fname); - exit(1); + if (arg_debug) + printf("Warning: file %s not found.\n", fname); + return 0; } // dir or regular file if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode)) { free(fname); - return; + return 1; } if (!is_link(fname)) { free(fname); - return; + return 1; } fprintf(stderr, "Error: invalid file type, %s.\n", fname); @@ -63,11 +65,23 @@ void fs_check_etc_list(void) { char *dlist = strdup(cfg.etc_private_keep); if (!dlist) errExit("strdup"); + + // build a new list only with the files found + char *newlist = malloc(strlen(cfg.etc_private_keep) + 1); + if (!newlist) + errExit("malloc"); + *newlist = '\0'; char *ptr = strtok(dlist, ","); - check_dir_or_file(ptr); - while ((ptr = strtok(NULL, ",")) != NULL) - check_dir_or_file(ptr); + if (check_dir_or_file(ptr)) + strcat(newlist, ptr); + while ((ptr = strtok(NULL, ",")) != NULL) { + if (check_dir_or_file(ptr)) { + strcat(newlist, ","); + strcat(newlist, ptr); + } + } + cfg.etc_private_keep = newlist; free(dlist); } 
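Review bot: In src/firejail/fs_etc.c, the new `return 0;` on the `stat()` failure path of check_dir_or_file leaves `fname` allocated, while both `return 1;` paths call `free(fname)` first. The old code exited at that point, so the leak is introduced by this change; add `free(fname);` before `return 0;`. The not-found message is also printed only under `arg_debug`, so in a normal run an entry requested for the private /etc is dropped without any notice; printing it with `fprintf(stderr, "Warning: file %s not found.\n", fname);` unconditionally would make the skipped entry visible. The function starts and ends outside this hunk, and the allocation of `fname` is not visible here.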
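Review bot: In fs_check_etc_list, the result of the first `strtok(dlist, ",")` is still handed to check_dir_or_file without a NULL test, and that function begins with `assert(name)`. A list made only of separators passes the non-empty check this commit adds in main.c and would reach that assert. Special-casing the first token has a second effect: when the first entry is missing and a later one is found, `newlist` starts with a comma. One loop that tests `ptr` and adds the separator only when `newlist` already holds an entry removes both cases. The `strlen(cfg.etc_private_keep) + 1` allocation stays sufficient because the rebuilt list is never longer than the input. The function starts above this hunk.

```c
// … unchanged: strdup of the list, allocation and termination of newlist …
char *ptr = strtok(dlist, ",");
while (ptr != NULL) {
	if (check_dir_or_file(ptr)) {
		// separator only between entries that were kept
		if (*newlist != '\0')
			strcat(newlist, ",");
		strcat(newlist, ptr);
	}
	ptr = strtok(NULL, ",");
}
// … unchanged: cfg.etc_private_keep = newlist; free(dlist); …
```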
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index 55a1b9c7a..eec51c3f9 100644 --- a/src/firejail/fs_trace.c +++ b/src/firejail/fs_trace.c @@ -42,7 +42,7 @@ void fs_trace_preload(void) { errExit("chown"); if (chmod("/etc/ld.so.preload", S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH ) < 0) errExit("chmod"); - fs_logger("touch /etc/ls.so.preload"); + fs_logger("touch /etc/ld.so.preload"); } } @@ -77,8 +77,8 @@ void fs_trace(void) { if (arg_debug) printf("Mount the new ld.so.preload file\n"); if (mount(RUN_LDPRELOAD_FILE, "/etc/ld.so.preload", NULL, MS_BIND|MS_REC, NULL) < 0) - errExit("mount bind ls.so.preload"); - fs_logger("create /etc/ls.so.preload"); + errExit("mount bind ld.so.preload"); + fs_logger("create /etc/ld.so.preload"); } diff --git a/src/firejail/main.c b/src/firejail/main.c index aad0af3e4..75b90ae81 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -831,6 +831,10 @@ int main(int argc, char **argv) { // extract private home dirname cfg.home_private = argv[i] + 10; + if (*cfg.home_private == '\0') { + fprintf(stderr, "Error: invalid private option\n"); + exit(1); + } fs_check_private_dir(); arg_private = 1; } @@ -842,6 +846,10 @@ int main(int argc, char **argv) { // extract private home dirname cfg.home_private_keep = argv[i] + 15; + if (*cfg.home_private_keep == '\0') { + fprintf(stderr, "Error: invalid private-home option\n"); + exit(1); + } fs_check_home_list(); arg_private = 1; } 
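Review bot: The empty-value guard added under `--private=` in main.c is repeated almost verbatim under `--private-home=` in the next hunk and under `--private-etc=` and `--private-bin=` in the hunk after that, differing only in the option name inside the message. A small static helper, for example `static void require_value(const char *val, const char *opt)` called as `require_value(cfg.home_private, "private");`, would keep the four checks and their messages in step. The guard rejects only a completely empty value; whether a value consisting of separators alone is handled depends on fs_check_home_list and fs_check_bin_list, which are not visible in this diff.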
@@ -851,12 +859,25 @@ int main(int argc, char **argv) { else if (strncmp(argv[i], "--private-etc=", 14) == 0) { // extract private etc dirname cfg.etc_private_keep = argv[i] + 14; + if (*cfg.etc_private_keep == '\0') { + fprintf(stderr, "Error: invalid private-etc option\n"); + exit(1); + } fs_check_etc_list(); - arg_private_etc = 1; + if (*cfg.etc_private_keep != '\0') + arg_private_etc = 1; + else { + arg_private_etc = 0; + fprintf(stderr, "Warning: private-etc disabled, no file found\n"); + } } else if (strncmp(argv[i], "--private-bin=", 14) == 0) { // extract private etc dirname cfg.bin_private_keep = argv[i] + 14; + if (*cfg.bin_private_keep == '\0') { + fprintf(stderr, "Error: invalid private-bin option\n"); + exit(1); + } fs_check_bin_list(); arg_private_bin = 1; } diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 366a56e13..244370b98 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -285,7 +285,13 @@ int profile_check_line(char *ptr, int lineno) { if (strncmp(ptr, "private-etc ", 12) == 0) { cfg.etc_private_keep = ptr + 12; fs_check_etc_list(); - arg_private_etc = 1; + if (*cfg.etc_private_keep != '\0') + arg_private_etc = 1; + else { + arg_private_etc = 0; + fprintf(stderr, "Warning: private-etc disabled, no file found\n"); + } + return 0; } diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 39f95a43a..4a1990382 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -380,8 +380,12 @@ int sandbox(void* sandbox_arg) { if (arg_private_dev) fs_private_dev(); - if (arg_private_etc) + if (arg_private_etc) { fs_private_etc_list(); + // create /etc/ld.so.preload file again + if (arg_trace || arg_tracelog) + fs_trace_preload(); + } if (arg_private_bin) fs_private_bin_list(); -- cgit v1.2.3-54-g00ecf
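Review bot: When none of the listed files exists, the `else` branch added after `fs_check_etc_list()` under `--private-etc=` sets `arg_private_etc = 0` and carries on, so the sandbox starts with the regular /etc although a restricted one was requested, and the only trace is a warning on stderr. For a sandboxing option, failing closed is the safer default: replace the branch body with `fprintf(stderr, "Error: private-etc: no file found\n"); exit(1);`. The same fallback is added to profile_check_line in src/firejail/profile.c and deserves the same treatment. If the permissive behaviour is intended, it should at least be stated in the option's documentation.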
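Review bot: The `private-etc ` branch of profile_check_line calls `fs_check_etc_list()` without the empty-value guard that this commit adds for `--private-etc=` in main.c. If a profile line can arrive here with nothing after the keyword (whether trailing whitespace is stripped earlier is not visible in this hunk), the first `strtok` in fs_check_etc_list returns NULL and check_dir_or_file hits its `assert(name)`. Mirroring the command-line check and reporting the line number would close the gap: `if (*cfg.etc_private_keep == '\0') { fprintf(stderr, "Error: line %d: invalid private-etc option\n", lineno); exit(1); }`. The function starts and ends outside this hunk.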
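Review bot: The comment added in sandbox() says the preload file is created again but not why. Judging from the fs_trace.c hunks, fs_trace() bind-mounts onto /etc/ld.so.preload, so the file presumably has to exist in the /etc that fs_private_etc_list() has just set up. A comment such as `// private /etc replaces the directory fs_trace_preload() wrote to earlier; recreate the file so the later bind mount has a target` would record that. The `arg_trace || arg_tracelog` condition is likely duplicated from the earlier call site, which lies outside this hunk.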