-
Notifications
You must be signed in to change notification settings - Fork 570
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
whitelist restructuring #4985
whitelist restructuring #4985
Conversation
as functions operate on a file descriptor it should be safe to remove them; this sets the stage for improvements to the whitelist code
a4694b5
to
72deb4f
Compare
791bc75
to
ed87884
Compare
some cleanup, simplify extending the code (for example adding additional members to the TopDir struct)
Check mountids while creating path of a new mount target. If the mountid differs from the top level directory (tmpfs) mountid, this proves an earlier whitelist command. It is important to note though that this check is not exhaustive, as besides nested whitelist commands there are also nested top level directories. So a user could run: firejail --whitelist=/a/b --whitelist=/a/b/c where both a and b are (whitelist) top level directories. Such a command may result in b and c sharing the filesystem and hence mountid. In this case the nested nature of the whitelist commands will go unnoticed. A more rigorous version will probably need to apply some sorting to the whitelist command, possibly by means of glob(3).
I didn't respond sooner as I noticed you were actively working on this and regularly pushing changes. Having some free time over the weekend I was planning on checking out your whitelist branch and give it a test run. Might be redundant to ask for a branch described as 'no functional changes', but if there's anything specific to look out for, feel free to throw in pointers. |
@glitsj16 thanks for trying it out :) If you find any functional change it means that I got something wrong. If you do things like That's about it. Other than that it is just writing stuff in a different way but do the same thing. I was just hoping to organize the code a bit better. |
all in! |
Some reorganization/cleanup of the whitelist code. Also a new mechanism to detect earlier whitelist mounts.
There should be no functional changes.