mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-21 06:45:29 -06:00
fixes
parent
ea96a480d7
commit
a91649ccf7
7 changed files with 88 additions and 7 deletions
|
|
@ -322,6 +322,7 @@ int net_move_interface(const char *dev, unsigned pid);
|
|||
|
||||
// util.c
|
||||
void drop_privs(int nogroups);
|
||||
int mkpath_as_root(const char* path);
|
||||
void extract_command_name(const char *str);
|
||||
void logsignal(int s);
|
||||
void logmsg(const char *msg);
|
||||
|
|
|
|||
|
|
@ -55,7 +55,7 @@ static char *check_dir_or_file(const char *name) {
|
|||
}
|
||||
|
||||
if (!fname) {
|
||||
fprintf(stderr, "Warning: file %s not found\n", name);
|
||||
// fprintf(stderr, "Warning: file %s not found\n", name);
|
||||
return NULL;
|
||||
}
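Review bot: The warning in check_dir_or_file is disabled by commenting it out, which leaves dead code behind and makes a missing file fail silently: the function now returns NULL with no trace of which name was not found. Either delete the line, or keep the message for debug runs with `if (arg_debug) fprintf(stderr, "Warning: file %s not found\n", name);` (assuming arg_debug is visible in this file, as it is elsewhere in this commit). The function starts above the hunk, so how callers treat the NULL return is not visible here.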
|
||||
|
||||
|
|
|
|||
|
|
@ -233,9 +233,12 @@ void fs_private(void) {
|
|||
// create /home/user
|
||||
if (arg_debug)
|
||||
printf("Create a new user directory\n");
|
||||
int rv = mkdir(homedir, S_IRWXU);
|
||||
if (rv == -1)
|
||||
errExit("mkdir");
|
||||
if (mkdir(homedir, S_IRWXU) == -1) {
|
||||
if (mkpath_as_root(homedir) == -1)
|
||||
errExit("mkpath");
|
||||
if (mkdir(homedir, S_IRWXU) == -1)
|
||||
errExit("mkdir");
|
||||
}
|
||||
if (chown(homedir, u, g) < 0)
|
||||
errExit("chown");
|
||||
}
|
||||
|
|
@ -346,7 +349,7 @@ void fs_check_private_dir(void) {
|
|||
exit(1);
|
||||
}
|
||||
if (s1.st_uid != s2.st_uid) {
|
||||
printf("Error: the two home directories must have the same owner\n");
|
||||
printf("Error: --private directory should be owned by the current user\n");
|
||||
exit(1);
|
||||
}
|
||||
}
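Review bot: In fs_private the new fallback calls mkpath_as_root() after any mkdir() failure, so failures other than a missing parent (EEXIST, EROFS and so on) also walk the path as root, and the error finally reported comes from the second mkdir() rather than the first. Restricting the fallback to the missing-parent case keeps the privileged path creation narrow: add `if (errno != ENOENT) errExit("mkdir");` as the first statement inside the new `if (mkdir(homedir, S_IRWXU) == -1) {` block (this needs errno.h if the file does not already include it). The same pattern appears in sanitize_home, where `mkpath_as_root(cfg.homedir)` also runs on every mkdir() failure. Both functions begin outside their hunks.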
|
||||
|
|
|
|||
|
|
@ -75,7 +75,7 @@ static void whitelist_path(ProfileEntry *entry) {
|
|||
assert(path);
|
||||
const char *fname;
|
||||
char *wfile = NULL;
|
||||
|
||||
|
||||
if (entry->home_dir) {
|
||||
fname = path + strlen(cfg.homedir);
|
||||
if (*fname == '\0') {
|
||||
|
|
|
|||
|
|
@ -120,7 +120,7 @@ static void sanitize_home(void) {
|
|||
|
||||
// create user home directory
|
||||
if (mkdir(cfg.homedir, 0755) == -1) {
|
||||
if (mkpath(cfg.homedir))
|
||||
if (mkpath_as_root(cfg.homedir))
|
||||
errExit("mkpath");
|
||||
if (mkdir(cfg.homedir, 0755) == -1)
|
||||
errExit("mkdir");
|
||||
|
|
|
|||
|
|
@ -75,6 +75,40 @@ void drop_privs(int nogroups) {
|
|||
}
|
||||
|
||||
|
||||
int mkpath_as_root(const char* path) {
|
||||
assert(path && *path);
|
||||
|
||||
// work on a copy of the path
|
||||
char *file_path = strdup(path);
|
||||
if (!file_path)
|
||||
errExit("strdup");
|
||||
|
||||
char* p;
|
||||
for (p=strchr(file_path+1, '/'); p; p=strchr(p+1, '/')) {
|
||||
*p='\0';
|
||||
if (mkdir(file_path, 0755)==-1) {
|
||||
if (errno != EEXIST) {
|
||||
*p='/';
|
||||
free(file_path);
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
else {
|
||||
if (chmod(file_path, 0755) == -1)
|
||||
errExit("chmod");
|
||||
if (chown(file_path, 0, 0) == -1)
|
||||
errExit("chown");
|
||||
}
|
||||
|
||||
*p='/';
|
||||
}
|
||||
|
||||
free(file_path);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
|
||||
void logsignal(int s) {
|
||||
if (!arg_debug)
|
||||
return;
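Review bot: mkpath_as_root applies `chmod(file_path, 0755)` and `chown(file_path, 0, 0)` by path name after `mkdir()`, and both calls follow symlinks. If any parent component is writable by a non-root user, the name can be replaced between the calls, and root then changes the mode and owner of a different object. The EEXIST branch likewise accepts whatever already sits at that name without checking that it is a directory. Whether an unprivileged user can write to the parents depends on the callers, which are only partly visible here. Opening the new directory with O_NOFOLLOW and using fchmod()/fchown() on the descriptor removes that dependency for the component just created (needs fcntl.h if util.c does not already include it).
```c
		if (mkdir(file_path, 0755)==-1) {
			// … unchanged: EEXIST is tolerated, any other errno returns -1 …
		}
		else {
			// operate on the directory just created, not on whatever the name resolves to now
			int fd = open(file_path, O_RDONLY|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
			if (fd == -1)
				errExit("open");
			if (fchmod(fd, 0755) == -1)
				errExit("fchmod");
			if (fchown(fd, 0, 0) == -1)
				errExit("fchown");
			close(fd);
		}
```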
|
||||
|
|
|
|||
43
todo
43
todo
|
|
@ -96,3 +96,46 @@ Warning: cannot disable /sys/power directory
|
|||
Child process initialized
|
||||
|
||||
16. add support for --ip, --iprange, --mac and --mtu for --interface option
|
||||
|
||||
17. private-home clashing with blacklist
|
||||
$ firejail --private-home=.mozilla
|
||||
Reading profile /etc/firejail/generic.profile
|
||||
Reading profile /etc/firejail/disable-mgmt.inc
|
||||
Reading profile /etc/firejail/disable-secret.inc
|
||||
Reading profile /etc/firejail/disable-common.inc
|
||||
|
||||
** Note: you can use --noprofile to disable generic.profile **
|
||||
|
||||
Parent pid 8193, child pid 8194
|
||||
/run/firejail/mnt/cp: cannot access `/home/netblue/.mozilla': Permission denied
|
||||
Error system cp -a --parents:duplicate(381): No such file or directory
|
||||
Child process initialized
|
||||
$ ls -la
|
||||
total 4
|
||||
drwx------ 3 test test 100 Nov 25 07:59 .
|
||||
drwxr-xr-x 3 65534 65534 60 Nov 25 07:59 ..
|
||||
-rw-r--r-- 1 test test 3392 Nov 25 07:59 .bashrc
|
||||
dr-x------ 2 65534 65534 40 Nov 24 17:53 .mozilla
|
||||
-rw------- 1 test test 0 Nov 25 07:59 .Xauthority
|
||||
|
||||
|
||||
|
||||
|
||||
18. whitelist clashing with blacklist
|
||||
$ firejail --whitelist=~/.mozilla
|
||||
Reading profile /etc/firejail/generic.profile
|
||||
Reading profile /etc/firejail/disable-mgmt.inc
|
||||
Reading profile /etc/firejail/disable-secret.inc
|
||||
Reading profile /etc/firejail/disable-common.inc
|
||||
|
||||
** Note: you can use --noprofile to disable generic.profile **
|
||||
|
||||
Parent pid 9440, child pid 9441
|
||||
Child process initialized
|
||||
$ ls -al
|
||||
total 8
|
||||
drwx------ 3 netblue netblue 100 Nov 25 08:09 .
|
||||
drwxr-xr-x 3 65534 65534 60 Nov 25 08:09 ..
|
||||
-rw-r--r-- 1 netblue netblue 3392 Nov 25 08:09 .bashrc
|
||||
dr-x------ 2 65534 65534 40 Nov 24 17:53 .mozilla
|
||||
-rw------- 1 netblue netblue 51 Nov 25 08:09 .Xauthority
|
||||
|
|
|
|||