// build /run/firejail/mnt directory
void preproc_mount_mnt_dir(void) {
// mount tmpfs on top of /run/firejail/mnt
if (!tmpfs_mounted) {
if (arg_debug)
printf("Mounting tmpfs on %s directory\n", RUN_MNT_DIR);
if (mount("tmpfs", RUN_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
errExit("mounting /run/firejail/mnt");
tmpfs_mounted = 1;
fs_logger2("tmpfs", RUN_MNT_DIR);
#ifdef HAVE_SECCOMP
create_empty_dir_as_root(RUN_SECCOMP_DIR, 0755);
if (arg_seccomp_block_secondary)
copy_file(PATH_SECCOMP_BLOCK_SECONDARY, RUN_SECCOMP_BLOCK_SECONDARY, getuid(), getgid(), 0644); // root needed
else {
//copy default seccomp files
copy_file(PATH_SECCOMP_32, RUN_SECCOMP_32, getuid(), getgid(), 0644); // root needed
}
if (arg_allow_debuggers)
copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed
else
copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed
if (arg_memory_deny_write_execute)
copy_file(PATH_SECCOMP_MDWX, RUN_SECCOMP_MDWX, getuid(), getgid(), 0644); // root needed
// as root, create empty RUN_SECCOMP_PROTOCOL and RUN_SECCOMP_POSTEXEC files
create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);
if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))
errExit("set_perms");
create_empty_file_as_root(RUN_SECCOMP_POSTEXEC, 0644);
if (set_perms(RUN_SECCOMP_POSTEXEC, getuid(), getgid(), 0644))
errExit("set_perms");
#endif
}
}
// build /run/firejail directory
void preproc_build_firejail_dir(void) {
struct stat s;
// CentOS 6 doesn't have /run directory
if (stat(RUN_FIREJAIL_BASEDIR, &s)) {
create_empty_dir_as_root(RUN_FIREJAIL_BASEDIR, 0755);
}
if (stat(RUN_FIREJAIL_DIR, &s)) {
create_empty_dir_as_root(RUN_FIREJAIL_DIR, 0755);
}
if (stat(RUN_FIREJAIL_NETWORK_DIR, &s)) {
create_empty_dir_as_root(RUN_FIREJAIL_NETWORK_DIR, 0755);
}
if (stat(RUN_FIREJAIL_BANDWIDTH_DIR, &s)) {
create_empty_dir_as_root(RUN_FIREJAIL_BANDWIDTH_DIR, 0755);
}
if (stat(RUN_FIREJAIL_NAME_DIR, &s)) {
create_empty_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755);
}
if (stat(RUN_FIREJAIL_PROFILE_DIR, &s)) {
create_empty_dir_as_root(RUN_FIREJAIL_PROFILE_DIR, 0755);
}
if (stat(RUN_FIREJAIL_X11_DIR, &s)) {
create_empty_dir_as_root(RUN_FIREJAIL_X11_DIR, 0755);
}
if (stat(RUN_FIREJAIL_APPIMAGE_DIR, &s)) {
create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);
}
if (stat(RUN_FIREJAIL_LIB_DIR, &s)) {
create_empty_dir_as_root(RUN_FIREJAIL_LIB_DIR, 0755);
}
if (stat(RUN_MNT_DIR, &s)) {
create_empty_dir_as_root(RUN_MNT_DIR, 0755);
}
create_empty_file_as_root(RUN_RO_FILE, S_IRUSR);
create_empty_dir_as_root(RUN_RO_DIR, S_IRUSR);
}
// build /run/firejail/mnt directory
void preproc_mount_mnt_dir(void) {
// mount tmpfs on top of /run/firejail/mnt
if (!tmpfs_mounted) {
if (arg_debug)
printf("Mounting tmpfs on %s directory\n", RUN_MNT_DIR);
if (mount("tmpfs", RUN_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
errExit("mounting /run/firejail/mnt");
tmpfs_mounted = 1;
fs_logger2("tmpfs", RUN_MNT_DIR);
//copy defaultl seccomp files
copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644);
copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644);
if (arg_allow_debuggers)
copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
else
copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
// as root, create an empty RUN_SECCOMP_PROTOCOL file
create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);
if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))
errExit("set_perms");
}
}
void fs_hostname(const char *hostname) {
struct stat s;
// create a new /etc/hostname
if (stat("/etc/hostname", &s) == 0) {
if (arg_debug)
printf("Creating a new /etc/hostname file\n");
create_empty_file_as_root(RUN_HOSTNAME_FILE, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
// bind-mount the file on top of /etc/hostname
if (mount(RUN_HOSTNAME_FILE, "/etc/hostname", NULL, MS_BIND|MS_REC, NULL) < 0)
errExit("mount bind /etc/hostname");
fs_logger("create /etc/hostname");
}
// create a new /etc/hosts
if (stat("/etc/hosts", &s) == 0) {
if (arg_debug)
printf("Creating a new /etc/hosts file\n");
// copy /etc/host into our new file, and modify it on the fly
/* coverity[toctou] */
FILE *fp1 = fopen("/etc/hosts", "r");
if (!fp1)
goto errexit;
FILE *fp2 = fopen(RUN_HOSTS_FILE, "w");
if (!fp2) {
fclose(fp1);
goto errexit;
}
char buf[4096];
int done = 0;
while (fgets(buf, sizeof(buf), fp1)) {
// remove '\n'
char *ptr = strchr(buf, '\n');
if (ptr)
*ptr = '\0';
// copy line
if (strstr(buf, "127.0.0.1") && done == 0) {
done = 1;
fprintf(fp2, "%s %s\n", buf, hostname);
}
else
fprintf(fp2, "%s\n", buf);
}
fclose(fp1);
// mode and owner
SET_PERMS_STREAM(fp2, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
fclose(fp2);
// bind-mount the file on top of /etc/hostname
if (mount(RUN_HOSTS_FILE, "/etc/hosts", NULL, MS_BIND|MS_REC, NULL) < 0)
errExit("mount bind /etc/hosts");
fs_logger("create /etc/hosts");
}
return;
errexit:
fprintf(stderr, "Error: cannot create hostname file\n");
exit(1);
}
