From acbf707889ae241bfd476f5371df4599103b6606 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Thu, 14 Nov 2019 16:19:00 +0100
Subject: blacklist private-home runtime directory as far as possible avoid creating locations in the file system that are both writable and executable
---
 src/firejail/fs.c | 2 +-
 src/firejail/fs_home.c | 19 +++++++++++++------
 2 files changed, 14 insertions(+), 7 deletions(-)
(limited to 'src')
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 3e802efb5..1f0ccac1a 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -447,7 +447,7 @@ void fs_tmpfs(const char *dir, unsigned check_owner) {
 // get a file descriptor for dir, fails if there is any symlink
 int fd = safe_fd(dir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
 if (fd == -1)
- errExit("safe_fd");
+ errExit("while opening directory");
 struct stat s;
 if (fstat(fd, &s) == -1)
 errExit("fstat");
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 060152e55..1ff8c2722 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -312,7 +312,7 @@ void fs_private_homedir(void) {
 if (arg_debug)
 printf("Mounting a new /root directory\n");
 if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=700,gid=0") < 0)
- errExit("mounting home directory");
+ errExit("mounting /root directory");
 fs_logger("tmpfs /root");
 }
 if (u == 0 || strncmp(homedir, "/home/", 6) != 0) {
@@ -320,7 +320,7 @@ void fs_private_homedir(void) { if (arg_debug) printf("Mounting a new /home directory\n"); if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mounting home directory"); + errExit("mounting /home directory"); fs_logger("tmpfs /home"); } 
@@ -354,7 +354,7 @@ void fs_private(void) { if (arg_allusers) fwarning("allusers option disabled by private or whitelist option\n"); if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mounting home directory"); + errExit("mounting /home directory"); fs_logger("tmpfs /home"); }
@@ -362,7 +362,7 @@ void fs_private(void) { if (arg_debug) printf("Mounting a new /root directory\n"); if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=700,gid=0") < 0) - errExit("mounting root directory"); + errExit("mounting /root directory"); fs_logger("tmpfs /root"); if (u != 0) {
@@ -593,19 +593,26 @@ void fs_private_home_list(void) { errLogExit("invalid private-home mount"); fs_logger2("tmpfs", homedir); + // blacklist RUN_HOME_DIR, it is writable and not noexec + if (mount(RUN_RO_DIR, RUN_HOME_DIR, NULL, MS_BIND, NULL) < 0) + errExit("blacklisting " RUN_HOME_DIR); + fs_logger2("tmpfs", RUN_HOME_DIR); + if (uid != 0) { // mask /root if (arg_debug) printf("Mounting a new /root directory\n"); if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=700,gid=0") < 0) - errExit("mounting home directory"); + errExit("mounting /root directory"); + fs_logger("tmpfs /root"); } if (uid == 0 || strncmp(homedir, "/home/", 6) != 0) { // mask /home if (arg_debug) printf("Mounting a new /home directory\n"); if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) - errExit("mounting home directory"); + errExit("mounting /home directory"); + fs_logger("tmpfs /home"); } skel(homedir, uid, gid);
-- 
cgit v1.2.3-70-g09d2
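Review bot: In the last hunk (`@@ -593,19 +593,26 @@`), the added `fs_logger2("tmpfs", RUN_HOME_DIR);` records the blacklist as a tmpfs mount, although the line above it bind-mounts RUN_RO_DIR over RUN_HOME_DIR; someone auditing the sandbox log would read the wrong operation, so a matching label such as `fs_logger2("blacklist", RUN_HOME_DIR);` would be more accurate. The bind mount passes only `MS_BIND`, so whether the directory ends up non-writable rests on the ownership and mode of RUN_RO_DIR, which are not visible here; a comment stating that assumption would help, particularly for the `uid == 0` path. The /root and /home tmpfs mounts in this hunk (context lines) still omit `MS_NOEXEC`, unlike the equivalent mounts in fs_private_homedir() and fs_private() earlier in this patch; if that is deliberate it deserves a comment, given that the commit message aims to avoid locations that are both writable and executable. fs_private_home_list() begins and ends outside the hunk.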