From b843c5313dee1ff5145dafbcfd54c888b902ea22 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 13 Jun 2016 08:34:01 -0400 Subject: appimage whitlist fix --- src/firejail/appimage.c | 4 ++++ src/firejail/firejail.h | 2 ++ src/firejail/fs_whitelist.c | 25 ++++++++++++++++++++++++- src/firejail/main.c | 2 +- 4 files changed, 31 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index dd347a714..db9382dc3 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c @@ -31,6 +31,10 @@ static char *devloop = NULL; // device file static char *mntdir = NULL; // mount point in /tmp directory +const char *appimage_getdir(void) { + return mntdir; +} + void appimage_set(const char *appimage_path) { assert(appimage_path); assert(devloop == NULL); // don't call this twice! diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 6d64ce4cd..0b6e2e181 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -259,6 +259,7 @@ extern int arg_nice; // nice value configured extern int arg_ipc; // enable ipc namespace extern int arg_writable_etc; // writable etc extern int arg_writable_var; // writable var +extern int arg_appimage; // appimage extern int parent_to_child_fds[2]; extern int child_to_parent_fds[2]; @@ -581,6 +582,7 @@ void fs_rdwr(void); // appimage.c void appimage_set(const char *appimage_path); void appimage_clear(void); +const char *appimage_getdir(void); #endif diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 617e61dcd..ba6c8cd74 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c @@ -504,7 +504,7 @@ void fs_whitelist(void) { // /tmp mountpoint if (tmp_dir) { - // keep a copy of real /tmp directory in WHITELIST_TMP_DIR + // keep a copy of real /tmp directory in int rv = mkdir(RUN_WHITELIST_TMP_DIR, 1777); if (rv == -1) errExit("mkdir"); 
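Review bot: The new `appimage_getdir()` in src/firejail/appimage.c has no comment stating its contract, although it hands out the module's private `mntdir` pointer, which the line above initialises to NULL. I would add `// mount point under /tmp, or NULL when no appimage is mounted; string is owned by appimage.c, do not free` above the function. Whether `appimage_clear()` releases that string is not visible in this hunk, so callers should presumably not keep the pointer across that call.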
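Review bot: The rewritten comment in the first fs_whitelist.c hunk now stops at "directory in" with no object, so it no longer says where the copy of the real /tmp is kept; `// keep a copy of real /tmp directory in RUN_WHITELIST_TMP_DIR` would match the macro used on the next line. That next line, unchanged context in this hunk, passes `1777` to mkdir() as a decimal literal, which is octal 03361 and not the sticky world-writable mode that the tmpfs mount in the following hunk requests with `mode=1777`; `mkdir(RUN_WHITELIST_TMP_DIR, 01777)` looks like what was intended. A chmod outside this hunk may already correct the mode, so confirm that before changing it. fs_whitelist() starts and ends outside the hunk.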
@@ -522,6 +522,29 @@ void fs_whitelist(void) { if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) errExit("mounting tmpfs on /tmp"); fs_logger("tmpfs /tmp"); + + // mount appimage directory if necessary + if (arg_appimage) { + const char *dir = appimage_getdir(); + assert(dir); + char *wdir; + if (asprintf(&wdir, "%s/%s", RUN_WHITELIST_TMP_DIR, dir + 4) == -1) + errExit("asprintf"); + + // create directory + if (mkdir(dir, 0755) < 0) + errExit("mkdir"); + if (chown(dir, getuid(), getgid()) < 0) + errExit("chown"); + if (chmod(dir, 0755) < 0) + errExit("chmod"); + + // mount + if (mount(wdir, dir, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mount bind"); + fs_logger2("whitelist", dir); + free(wdir); + } } // /media mountpoint diff --git a/src/firejail/main.c b/src/firejail/main.c index 423df3752..9e8e1eaf0 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -99,6 +99,7 @@ int arg_nice = 0; // nice value configured int arg_ipc = 0; // enable ipc namespace int arg_writable_etc = 0; // writable etc int arg_writable_var = 0; // writable var +int arg_appimage = 0; // appimage int parent_to_child_fds[2]; int child_to_parent_fds[2]; @@ -705,7 +706,6 @@ int main(int argc, char **argv) { #ifdef HAVE_SECCOMP int highest_errno = errno_highest_nr(); #endif - int arg_appimage = 0; // drop permissions by default and rise them when required EUID_INIT(); -- cgit v1.2.3-70-g09d2
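Review bot: `dir + 4` in the added appimage block skips a "/tmp" prefix that nothing here verifies, and the only guard on `dir` is `assert(dir)`, which disappears in an NDEBUG build of code that goes on to call mount(). A mount point that is NULL, shorter than four bytes or not located under /tmp would make the asprintf() argument point outside the intended string and produce an unintended bind-mount source. I would replace the assert with a runtime check, `if (!dir || strncmp(dir, "/tmp/", 5) != 0)` followed by an error exit, and write the offset as `dir + strlen("/tmp")` so the assumption is visible. The bind mount passes only `MS_BIND|MS_REC`, so it is also worth confirming that the `MS_NOSUID` applied to the new /tmp tmpfs still holds for this submount. fs_whitelist() starts and ends outside the hunk.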