modif: populate /run/firejail while holding flock

There are reports of firejail sandboxed applications occasionally
taking a long time (12 seconds) to start up. When this happens, it
affects all sandboxed applications until the device is rebooted.

The reason for the slowdown seems to be a timing hazard in the way
remounts under /run/firejail are handled. This gets triggered when
multiple firejail processes are launched in parallel as part of user
session bring up and results in some, dozens, hundreds, or even
thousands of stray /run/firejail/xxx mounts. The amount of mount
points then affects every mount operation that is done during sandbox
filesystem construction.

To stop this from happening, arrange it so that only one firejail
process at time is inspecting and/or modifying mountpoints under
/run/firejail by doing:

1. Create /run/firejail directory (without locking)
2. Create and obtain a lock for /run/firejail/firejail-run.lock
3. Setup files, directories and mounts under /run/firejail
4. Release /run/firejail/firejail-run.lock

Author: spiiroin

src/firejail/chroot.c

@@ -273,7 +273,10 @@ void fs_chroot(const char *rootdir) {
 		errExit("mounting /proc");
 
 	// create all other /run/firejail files and directories
-	preproc_build_firejail_dir();
+	preproc_build_firejail_dir_unlocked();
+	preproc_lock_firejail_dir();
+	preproc_build_firejail_dir_locked();
+	preproc_unlock_firejail_dir();
 
 	// update /var directory in order to support multiple sandboxes running on the same root directory
 	//	if (!arg_private_dev)

src/firejail/firejail.h

@@ -435,7 +435,8 @@ void preproc_lock_firejail_dir(void);
 void preproc_unlock_firejail_dir(void);
 void preproc_lock_firejail_network_dir(void);
 void preproc_unlock_firejail_network_dir(void);
-void preproc_build_firejail_dir(void);
+void preproc_build_firejail_dir_unlocked(void);
+void preproc_build_firejail_dir_locked(void);
 void preproc_mount_mnt_dir(void);
 void preproc_clean_run(void);
 

src/firejail/main.c

@@ -1166,13 +1166,13 @@ int main(int argc, char **argv, char **envp) {
 #endif
 
 	// build /run/firejail directory structure
-	preproc_build_firejail_dir();
+	preproc_build_firejail_dir_unlocked();
+	preproc_lock_firejail_dir();
+	preproc_build_firejail_dir_locked();
 	const char *container_name = env_get("container");
-	if (!container_name || strcmp(container_name, "firejail")) {
-		preproc_lock_firejail_dir();
+	if (!container_name || strcmp(container_name, "firejail"))
 		preproc_clean_run();
-		preproc_unlock_firejail_dir();
-	}
+	preproc_unlock_firejail_dir();
 
 	delete_run_files(getpid());
 	atexit(clear_atexit);

src/firejail/preproc.c

@@ -105,7 +105,10 @@ void preproc_unlock_firejail_network_dir(void) {
 }
 
 // build /run/firejail directory
-void preproc_build_firejail_dir(void) {
+//
+// Note: This creates the base directory of the rundir lockfile;
+// it should be called before preproc_lock_firejail_dir().
+void preproc_build_firejail_dir_unlocked(void) {
 	struct stat s;
 
 	// CentOS 6 doesn't have /run directory
@@ -114,6 +117,14 @@ void preproc_build_firejail_dir(void) {
 	}
 
 	create_empty_dir_as_root(RUN_FIREJAIL_DIR, 0755);
+}
+
+// build directory hierarchy under /run/firejail
+//
+// Note: Remounts have timing hazards. This function should
+// only be called after acquiring the directory lock via
+// preproc_lock_firejail_dir().
+void preproc_build_firejail_dir_locked(void) {
 	create_empty_dir_as_root(RUN_FIREJAIL_NETWORK_DIR, 0755);
 	create_empty_dir_as_root(RUN_FIREJAIL_BANDWIDTH_DIR, 0755);
 	create_empty_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755);