whitelist restructuring #4985
whitelist restructuring #4985
Conversation
as functions operate on a file descriptor it should be safe to remove them; this sets the stage for improvements to the whitelist code
smitsohu
force-pushed
the
whitelist
branch
4 times, most recently
from
a4694b5
to
72deb4f
Compare
smitsohu
force-pushed
the
whitelist
branch
2 times, most recently
from
791bc75
to
ed87884
Compare
some cleanup, simplify extending the code (for example adding additional members to the TopDir struct)
Check mountids while creating path of a new mount target. If the mountid differs from the top level directory (tmpfs) mountid, this proves an earlier whitelist command. It is important to note though that this check is not exhaustive, as besides nested whitelist commands there are also nested top level directories. So a user could run: firejail --whitelist=/a/b --whitelist=/a/b/c where both a and b are (whitelist) top level directories. Such a command may result in b and c sharing the filesystem and hence mountid. In this case the nested nature of the whitelist commands will go unnoticed. A more rigorous version will probably need to apply some sorting to the whitelist command, possibly by means of glob(3).
|
I didn't respond sooner as I noticed you were actively working on this and regularly pushing changes. Having some free time over the weekend I was planning on checking out your whitelist branch and give it a test run. Might be redundant to ask for a branch described as 'no functional changes', but if there's anything specific to look out for, feel free to throw in pointers. |
|
@glitsj16 thanks for trying it out :) If you find any functional change it means that I got something wrong. If you do things like That's about it. Other than that it is just writing stuff in a different way but do the same thing. I was just hoping to organize the code a bit better. |
|
all in! |
Some reorganization/cleanup of the whitelist code. Also a new mechanism to detect earlier whitelist mounts.
There should be no functional changes.