authorLibravatar smitsohu <smitsohu@gmail.com>2019-10-13 04:12:19 +0200
committerLibravatar smitsohu <smitsohu@gmail.com>2019-10-13 04:12:19 +0200
commit2581e3073bdcae1575fbbc006e6de0f5b69559eb (patch)
tree245cd2c76b1463b753b4dfea6292bbb315b1eb9e
parentfix chroot with mounted resolv.conf (diff)
downloadfirejail-2581e3073bdcae1575fbbc006e6de0f5b69559eb.tar.gz
firejail-2581e3073bdcae1575fbbc006e6de0f5b69559eb.tar.zst
firejail-2581e3073bdcae1575fbbc006e6de0f5b69559eb.zip
postpone procfs mount until after chroot call
issue #2301
-rw-r--r--src/firejail/chroot.c19
-rw-r--r--src/firejail/fs.c22
-rw-r--r--src/firejail/sandbox.c10
3 files changed, 18 insertions, 33 deletions
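diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c
index 1cc619c20..9ebbcea1a 100644
--- a/src/firejail/chroot.c
+++ b/src/firejail/chroot.c
@@ -164,19 +164,6 @@ void fs_chroot(const char *rootdir) {
 	free(proc);
 	close(fd);
 
-	// mount a brand new proc filesystem
-	if (arg_debug)
-		printf("Mounting /proc filesystem on chroot /proc\n");
-	fd = openat(parentfd, "proc", O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
-	if (fd == -1)
-		errExit("open");
-	if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-		errExit("asprintf");
-	if (mount("proc", proc, "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
-		errExit("mounting /proc");
-	free(proc);
-	close(fd);
-
 	// x11
 	if (getenv("FIREJAIL_X11")) {
 		if (arg_debug)
@@ -259,6 +246,12 @@ void fs_chroot(const char *rootdir) {
 	// create all other /run/firejail files and directories
 	preproc_build_firejail_dir();
 
+	// mount a new proc filesystem
+	if (arg_debug)
+		printf("Mounting /proc filesystem representing the PID namespace\n");
+	if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
+		errExit("mounting /proc");
+
 	// update /var directory in order to support multiple sandboxes running on the same root directory
 	// if (!arg_private_dev)
 	// fs_dev_shm();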
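Review bot: The new mount at the end of fs_chroot targets the literal path `/proc` inside the chroot and will follow a symlink planted there, whereas the removed `openat(parentfd, "proc", O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC)` refused one; this is only safe if rootdir/proc was already checked to be a plain directory before fs_chroot runs, which this hunk does not show. Record that assumption next to the mount so the next reader does not reintroduce the fd-based mount or drop the validation: `// rootdir/proc must already have been validated as a plain, root-owned directory; mounting by path after chroot() relies on that`. It is also worth confirming that preproc_build_firejail_dir(), which now runs before the sandbox has its own /proc, does not read anything under /proc that should reflect the new PID namespace. fs_chroot begins and ends outside the hunks shown.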
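diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 003b15605..4fde3d661 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -725,6 +725,12 @@ void disable_config(void) {
 void fs_basic_fs(void) {
 	uid_t uid = getuid();
 
+	// mount a new proc filesystem
+	if (arg_debug)
+		printf("Mounting /proc filesystem representing the PID namespace\n");
+	if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
+		errExit("mounting /proc");
+
 	if (arg_debug)
 		printf("Basic read-only filesystem:\n");
 	if (!arg_writable_etc) {
@@ -1077,15 +1083,6 @@ void fs_overlayfs(void) {
 		errExit("mounting /tmp");
 	fs_logger("whitelist /tmp");
 
-	// mount a new proc filesystem
-	if (arg_debug)
-		printf("Mounting /proc\n");
-	char *proc;
-	if (asprintf(&proc, "%s/proc", oroot) == -1)
-		errExit("asprintf");
-	if (mount("proc", proc, "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
-		errExit("mounting /proc");
-
 	// chroot in the new filesystem
 #ifdef HAVE_GCOV
 	__gcov_flush();
@@ -1093,6 +1090,12 @@ void fs_overlayfs(void) {
 	if (chroot(oroot) == -1)
 		errExit("chroot");
 
+	// mount a new proc filesystem
+	if (arg_debug)
+		printf("Mounting /proc filesystem representing the PID namespace\n");
+	if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
+		errExit("mounting /proc");
+
 	// update /var directory in order to support multiple sandboxes running on the same root directory
 //	if (!arg_private_dev)
 //	fs_dev_shm();
@@ -1120,7 +1123,6 @@ void fs_overlayfs(void) {
 	free(dev);
 	free(run);
 	free(tmp);
-	free(proc);
 }
 #endif
 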
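Review bot: The same five-line procfs mount is now copied verbatim into fs_basic_fs and fs_overlayfs here and into fs_chroot in chroot.c, while the single unconditional mount in sandbox() is gone; the sandbox's view of /proc therefore depends on every root-setup path remembering to do it, and if any path is added or skipped without it the child keeps the parent's /proc mount (whether such a path exists is not visible in these hunks). Factoring the mount into one helper called from each setup path keeps the flags and debug message from drifting, and the helper's comment should state why it must run after chroot(): the mount has to land on the new root's /proc, not the host's. Since fs_chroot lives in chroot.c, the helper would need a prototype in the shared header rather than being static. fs_basic_fs and fs_overlayfs both continue outside the hunks shown.

```c
// Mount a fresh procfs on /proc of the *current* root so the sandbox sees only
// its own PID namespace. Must be called after any chroot(), never before, or
// the mount lands on the host's /proc instead of the sandbox root's.
void fs_mount_proc(void) {
	if (arg_debug)
		printf("Mounting /proc filesystem representing the PID namespace\n");
	if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
		errExit("mounting /proc");
}

void fs_basic_fs(void) {
	uid_t uid = getuid();

	fs_mount_proc();
	// … unchanged: read-only remounts …
```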
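diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 80b595a9f..995e98f9f 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -627,16 +627,6 @@ int sandbox(void* sandbox_arg) {
 		errExit("mounting " RUN_FIREJAIL_LIB_DIR);
 
 	//****************************
-	// mount new proc filesystem
-	// representing the pid namespace
-	//****************************
-
-	if (arg_debug)
-		printf("Remounting /proc filesystem\n");
-	if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
-		errExit("mounting /proc");
-
-	//****************************
 	// log sandbox data
 	//****************************
 	if (cfg.name)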