From dfd660f80d8a364dc45b750a1f921adf4f2af450 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sun, 24 Jan 2016 20:31:52 -0500
Subject: 0.9.38 testing
---
 src/firejail/fs.c | 10 ++++++++++
 src/firejail/fs_home.c | 24 +++++++++++++++++++++++-
 src/firejail/main.c | 2 +-
 src/firejail/pulseaudio.c | 4 ++++
 src/firejail/restrict_users.c | 8 ++++++++
 src/firejail/shutdown.c | 6 ++++++
 6 files changed, 52 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index f4c448024..cad101bf9 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -136,12 +136,18 @@ void fs_build_cp_command(void) {
 fprintf(stderr, "Error: /bin/cp not found\n");
 exit(1);
 }
+ if (is_link(fname)) {
+ fprintf(stderr, "Error: invalid /bin/cp file\n");
+ exit(1);
+ }
 int rv = copy_file(fname, RUN_CP_COMMAND);
 if (rv) {
 fprintf(stderr, "Error: cannot access /bin/cp\n");
 exit(1);
 }
 /* coverity[toctou] */
+ if (chown(RUN_CP_COMMAND, 0, 0))
+ errExit("chown");
 if (chmod(RUN_CP_COMMAND, 0755))
 errExit("chmod");
@@ -921,6 +927,10 @@ void fs_chroot(const char *rootdir) {
 errExit("asprintf");
 if (arg_debug)
 printf("Updating /etc/resolv.conf in %s\n", fname);
+ if (is_link(fname)) {
+ fprintf(stderr, "Error: invalid %s file\n", fname);
+ exit(1);
+ }
 if (copy_file("/etc/resolv.conf", fname) == -1)
 fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n");
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 08141ed03..e42ce5255 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -41,6 +41,10 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
 if (stat(fname, &s) == 0)
 return;
 if (stat("/etc/skel/.zshrc", &s) == 0) {
+ if (is_link("/etc/skel/.zshrc")) {
+ fprintf(stderr, "Error: invalid /etc/skel/.zshrc file\n");
+ exit(1);
+ }
 if (copy_file("/etc/skel/.zshrc", fname) == 0) {
 if (chown(fname, u, g) == -1)
 errExit("chown");
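Review bot: The added `is_link(fname)` test and the following `copy_file(fname, RUN_CP_COMMAND)` each resolve the path on their own, so the file that was checked is not guaranteed to be the file that is copied; the same check-then-use shape recurs in the fs_chroot, skel, store_xauthority, store_asoundrc, pulseaudio_init, sanitize_passwd and sanitize_group hunks. is_link and copy_file are defined outside this diff, so this is inferred from the call sites, but the usual remedy is to open once with `open(fname, O_RDONLY | O_NOFOLLOW | O_CLOEXEC)`, confirm `S_ISREG` with `fstat` on that descriptor, and copy from the descriptor. In this hunk the new `chown` also lands between the `/* coverity[toctou] */` annotation and the `chmod` it used to precede; `fchown`/`fchmod` on the destination descriptor would make the suppression unnecessary. The body of fs_build_cp_command starts and ends outside the hunk.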
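Review bot: `is_link(fname)` in fs_chroot guards the destination of the resolv.conf copy, and if it is an lstat-style test (its definition is not in this diff) it covers only the final path component. A symlinked parent directory under `rootdir`, or a link that appears after the check, would still redirect the write done by `copy_file("/etc/resolv.conf", fname)`. Opening the target directory once with `O_DIRECTORY | O_NOFOLLOW` and creating the file relative to it, e.g. `openat(dirfd, "resolv.conf", O_WRONLY | O_CREAT | O_NOFOLLOW, 0644)`, would bind the check and the write to the same object. fs_chroot continues outside the hunk, so any ownership checks on rootdir are not visible here.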
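Review bot: The new check in skel tests the source `/etc/skel/.zshrc`, while the destination `fname` is what `copy_file` writes and `chown(fname, u, g)` re-owns, and it is left untested. The preceding `stat(fname, &s) == 0` follows links, so it does not detect a link at `fname` whose target is missing; whether that matters depends on who can write to homedir at this point and on how copy_file opens its target, neither of which is visible. Adding `if (is_link(fname)) { fprintf(stderr, "Error: invalid %s file\n", fname); exit(1); }` before the copy and using `lchown` for the ownership change would cover the destination as well. The .cshrc and .bashrc hunks have the same shape.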
@@ -71,6 +75,10 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
 if (stat(fname, &s) == 0)
 return;
 if (stat("/etc/skel/.cshrc", &s) == 0) {
+ if (is_link("/etc/skel/.cshrc")) {
+ fprintf(stderr, "Error: invalid /etc/skel/.cshrc file\n");
+ exit(1);
+ }
 if (copy_file("/etc/skel/.cshrc", fname) == 0) {
 if (chown(fname, u, g) == -1)
 errExit("chown");
@@ -102,6 +110,10 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
 if (stat(fname, &s) == 0)
 return;
 if (stat("/etc/skel/.bashrc", &s) == 0) {
+ if (is_link("/etc/skel/.bashrc")) {
+ fprintf(stderr, "Error: invalid /etc/skel/.bashrc file\n");
+ exit(1);
+ }
 if (copy_file("/etc/skel/.bashrc", fname) == 0) {
 /* coverity[toctou] */
 if (chown(fname, u, g) == -1)
@@ -123,7 +135,12 @@ static int store_xauthority(void) {
 errExit("asprintf");
 struct stat s;
- if (stat(src, &s) == 0) {
+ if (stat(src, &s) == 0) {
+ if (is_link(src)) {
+ fprintf(stderr, "Error: invalid .Xauthority file\n");
+ exit(1);
+ }
+
 int rv = copy_file(src, dest);
 if (rv) {
 fprintf(stderr, "Warning: cannot transfer .Xauthority in private home directory\n");
@@ -146,6 +163,11 @@ static int store_asoundrc(void) {
 struct stat s;
 if (stat(src, &s) == 0) {
+ if (is_link(src)) {
+ fprintf(stderr, "Error: invalid .asoundrc file\n");
+ exit(1);
+ }
+
 int rv = copy_file(src, dest);
 if (rv) {
 fprintf(stderr, "Warning: cannot transfer .asoundrc in private home directory\n");
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 7afbf9ce3..014ea8cae 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -300,7 +300,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 if (read_pid(argv[i] + 12, &pid) == 0)
 bandwidth_pid(pid, cmd, dev, down, up);
 else
- bandwidth_name(argv[i] + 12, cmd, dev, down, up);
+ bandwidth_name(argv[i] + 12, cmd, dev, down, up);
 exit(0);
 }
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index 29f3bc4f0..a3348baf4 100644
--- a/src/firejail/pulseaudio.c
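Review bot: The new failure path in store_xauthority exits with `Error: invalid .Xauthority file`, which says neither that the file was rejected for being a symbolic link nor which path was tested. The copy failure just below it is only a warning, so a user whose .Xauthority is a link now gets a hard stop with less information than the softer case. Something like `fprintf(stderr, "Error: %s is a symbolic link\n", src);` would make the refusal diagnosable; store_asoundrc has the same message shape. Both functions continue outside their hunks.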
+++ b/src/firejail/pulseaudio.c
@@ -104,6 +104,10 @@ void pulseaudio_init(void) {
 char *pulsecfg = NULL;
 if (asprintf(&pulsecfg, "%s/client.conf", RUN_PULSE_DIR) == -1)
 errExit("asprintf");
+ if (is_link("/etc/pulse/client.conf")) {
+ fprintf(stderr, "Error: invalid /etc/pulse/client.conf file\n");
+ exit(1);
+ }
 if (copy_file("/etc/pulse/client.conf", pulsecfg))
 errExit("copy_file");
 FILE *fp = fopen(pulsecfg, "a+");
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index aa6a5d268..88dd38021 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -115,6 +115,10 @@ static void sanitize_passwd(void) {
 return;
 if (arg_debug)
 printf("Sanitizing /etc/passwd\n");
+ if (is_link("/etc/passwd")) {
+ fprintf(stderr, "Error: invalid /etc/passwd\n");
+ exit(1);
+ }
 FILE *fpin = NULL;
 FILE *fpout = NULL;
@@ -248,6 +252,10 @@ static void sanitize_group(void) {
 return;
 if (arg_debug)
 printf("Sanitizing /etc/group\n");
+ if (is_link("/etc/group")) {
+ fprintf(stderr, "Error: invalid /etc/group\n");
+ exit(1);
+ }
 FILE *fpin = NULL;
 FILE *fpout = NULL;
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c
index 131f663d4..edaac7eb9 100644
--- a/src/firejail/shutdown.c
+++ b/src/firejail/shutdown.c
@@ -54,8 +54,14 @@ void shut(pid_t pid) {
 printf("Switching to pid %u, the first child process inside the sandbox\n", (unsigned) pid);
 }
 }
+ else {
+ fprintf(stderr, "Error: this is not a firejail sandbox\n");
+ exit(1);
+ }
 free(comm);
 }
+ else
+ errExit("/proc/PID/comm");
 // check privileges for non-root users
 uid_t uid = getuid();
--
cgit v1.2.3-54-g00ecf
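Review bot: `errExit("/proc/PID/comm")` in shut prints the literal string PID rather than the process id being inspected. If errExit reports errno (its definition is not in this diff), the value may be unrelated by the time this `else` runs, since the call that decides the branch is above the hunk. `fprintf(stderr, "Error: cannot read /proc/%u/comm\n", (unsigned) pid); exit(1);` would match the `(unsigned) pid` formatting already used in the printf above. The `if` statements that the two new `else` branches pair with start outside the hunk.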