From e1463e78dcbcebe63d835bb64312c74c49cc3a6f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 18 Nov 2015 08:37:01 -0500 Subject: /home rework --- src/firejail/firejail.h | 3 +- src/firejail/fs.c | 72 ++++++++++++++++++++++----------------------- src/firejail/fs_whitelist.c | 14 ++++----- 3 files changed, 44 insertions(+), 45 deletions(-) (limited to 'src') diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 4f8968e4a..b29e11923 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -40,7 +40,8 @@ #define PULSE_DIR "/run/firejail/mnt/pulse" #define DEVLOG_FILE "/run/firejail/mnt/devlog" -#define WHITELIST_HOME_DIR "/run/firejail/mnt/orig-home" +#define WHITELIST_HOME_DIR "/run/firejail/mnt/orig-home" // default home directory masking +#define WHITELIST_HOME_USER_DIR "/run/firejail/mnt/orig-home-user" // home directory whitelisting #define WHITELIST_TMP_DIR "/run/firejail/mnt/orig-tmp" #define WHITELIST_MEDIA_DIR "/run/firejail/mnt/orig-media" #define WHITELIST_VAR_DIR "/run/firejail/mnt/orig-var" diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 5cce383e2..aec1698b0 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c 
@@ -540,50 +540,48 @@ void fs_proc_sys_dev_boot(void) { } static void sanitize_home(void) { - // extract current /home directory data - struct dirent *dir; - DIR *d = opendir("/home"); - if (d == NULL) + assert(getuid() != 0); // this code works only for regular users + + if (arg_debug) + printf("Cleaning /home directory\n"); + + struct stat s; + if (stat(cfg.homedir, &s) == -1) { + // cannot find home directory, just return + fprintf(stderr, "Warning: cannot find home directory\n"); return; - - while ((dir = readdir(d))) { - if(strcmp(dir->d_name, "." ) == 0 || strcmp(dir->d_name, ".." ) == 0) - continue; - - if (dir->d_type == DT_DIR ) { - // get properties - struct stat s; - char *name; - if (asprintf(&name, "/home/%s", dir->d_name) == -1) - continue; - if (stat(name, &s) == -1) - continue; - if (S_ISLNK(s.st_mode)) { - free(name); - continue; - } - - if (strcmp(name, cfg.homedir) == 0) - continue; - -// printf("directory %u %u:%u #%s#\n", -// s.st_mode, -// s.st_uid, -// s.st_gid, -// name); - - // disable directory - disable_file(BLACKLIST_FILE, name); - free(name); - } } - closedir(d); -} + + fs_build_mnt_dir(); + if (mkdir(WHITELIST_HOME_DIR, 0755) == -1) + errExit("mkdir"); + + // keep a copy of the user home directory + if (mount(cfg.homedir, WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mount bind"); + // mount tmpfs in the new home + if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) + errExit("mount tmpfs"); + // create user home directory + if (mkdir(cfg.homedir, 0755) == -1) + errExit("mkdir"); + // set mode and ownership + if (chown(cfg.homedir, s.st_uid, s.st_gid) == -1) + errExit("chown"); + if (chmod(cfg.homedir, s.st_mode) == -1) + errExit("chmod"); + // mount user home directory + if (mount(WHITELIST_HOME_DIR, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0) + errExit("mount bind"); + // mask home dir under /run + if (mount("tmpfs", WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | 
MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) + errExit("mount tmpfs"); +} // build a basic read-only filesystem void fs_basic_fs(void) { diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 9203e3d00..b081752f4 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c @@ -70,7 +70,7 @@ static void whitelist_path(ProfileEntry *entry) { exit(1); } - if (asprintf(&wfile, "%s/%s", WHITELIST_HOME_DIR, fname) == -1) + if (asprintf(&wfile, "%s/%s", WHITELIST_HOME_USER_DIR, fname) == -1) errExit("asprintf"); } else if (entry->tmp_dir) { @@ -284,16 +284,16 @@ void fs_whitelist(void) { // /home/user if (home_dir) { - // keep a copy of real home dir in WHITELIST_HOME_DIR - int rv = mkdir(WHITELIST_HOME_DIR, S_IRWXU | S_IRWXG | S_IRWXO); + // keep a copy of real home dir in WHITELIST_HOME_USER_DIR + int rv = mkdir(WHITELIST_HOME_USER_DIR, S_IRWXU | S_IRWXG | S_IRWXO); if (rv == -1) errExit("mkdir"); - if (chown(WHITELIST_HOME_DIR, getuid(), getgid()) < 0) + if (chown(WHITELIST_HOME_USER_DIR, getuid(), getgid()) < 0) errExit("chown"); - if (chmod(WHITELIST_HOME_DIR, 0755) < 0) + if (chmod(WHITELIST_HOME_USER_DIR, 0755) < 0) errExit("chmod"); - if (mount(cfg.homedir, WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) + if (mount(cfg.homedir, WHITELIST_HOME_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); // mount a tmpfs and initialize /home/user @@ -418,7 +418,7 @@ void fs_whitelist(void) { // mask the real home directory, currently mounted on WHITELIST_HOME_DIR if (home_dir) { - if (mount("tmpfs", WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) + if (mount("tmpfs", WHITELIST_HOME_USER_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) errExit("mount tmpfs"); } -- cgit v1.2.3-70-g09d2
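Review bot: `mkdir(cfg.homedir, 0755)` followed by errExit in the new sanitize_home assumes the user's home is a direct child of /home: once the tmpfs is mounted over /home, a nested home such as /home/staff/alice fails with ENOENT and a home outside /home fails with EEXIST, so the whole sandbox now aborts where the previous code merely skipped what it could not handle. Unless the call site (outside this hunk) already filters on the home path, a guard before fs_build_mnt_dir() that checks the parent of cfg.homedir is exactly "/home" (dirname() on a copy, since it may modify its argument) and otherwise prints a warning and returns would keep the earlier best-effort behaviour. The precondition `assert(getuid() != 0);` vanishes under NDEBUG, and the mounts that follow run with privilege, so an explicit `if (getuid() == 0) return;` (or errExit) is the more robust form. The final masking mount here passes MS_NODEV while the matching masking mount in the fs_whitelist.c hunk at line 418 omits it; the two flag sets should probably agree.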