Upstreaming a set of fixes from Sailfish's packaging #3998
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When constructing sandbox fs, /etc/mtab which is symlink to /proc/self/mounts gets resolved as /proc/PID/mounts. Where PID is not the pid of the process that is going to get executed in the firejail -> the result is broken/unaccessible symlink from the application point of view. Use /proc/self/xxx type symlink target if it resolves similarly as the /proc/PID/xxx type would at the time of mapping. Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com> Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
These have little consequences as the tool exits anyway, but fs_copydir() leaks memory on success path and check() on failure path. Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com> Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
|
One of these changes causes a regression in the test suite: (the other errors are mostly the same) It might be related to this line: because |
Firejail uses file bind-mounts to filter /etc/passwd and /etc/group content. If private-etc is used, these mounts are left underneath the /etc directory mount and this seems to be causing problems in devices with older kernels: attempts to modify passwd or group data fails with EBUSY. Make it possible to perform fs_private_dir_list() actions in two separate phases. Undo the file mounts in /etc before mounting private-etc content. Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com> Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
Lacking linefeed chars cause messages to get concatenated. Signed-off-by: Simo Piiroinen <simo.piiroinen@jolla.com> Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
Check that the directory exists before attempting to mount it. Signed-off-by: Tomi Leppänen <tomi.leppanen@jolla.com>
|
Nice catch from the test suite! I added the same check that fs_private_dir_copy() has to fs_private_dir_mount() which results in some duplicated work but I think one more stat() is not that bad of a tradeoff. Also added those asserts just in case. |
|
all set, thanks! |
netblue30
added a commit
that referenced
this pull request
Feb 24, 2021
netblue30
added a commit
that referenced
this pull request
Feb 24, 2021
smitsohu
added a commit
that referenced
this pull request
Feb 24, 2021
musl stdlib (Alpine Linux) doesn't know about canonicalize_file_name, replace with equivalent realpath calls
Merged
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is upstreaming first set of fixes from Sailfish's firejail packaging. These were developed as part of implementing firejail sandboxing in Sailfish OS. See also #3960 for discussion.
These are general fixes to firejail touching logging, private-etc, memory handing and symbolic link construction around /proc filesystem. Please see the commit messages for explanations. These were written by my colleague and previously reviewed by me or one of my other colleagues.