authorLibravatar smitsohu <smitsohu@gmail.com>2019-03-02 17:59:32 +0100
committerLibravatar smitsohu <smitsohu@gmail.com>2019-03-02 17:59:32 +0100
commit10726a0601e0622b21e8f94ca033b0745ed49229 (patch)
tree90064b2647119ef09e040e5699e7ade2c0e266ec
parentprofile.c: errout with too many dns args (diff)
downloadfirejail-10726a0601e0622b21e8f94ca033b0745ed49229.tar.gz
firejail-10726a0601e0622b21e8f94ca033b0745ed49229.tar.zst
firejail-10726a0601e0622b21e8f94ca033b0745ed49229.zip
more cleanup: remove MS_REC from tmpfs mounts
-rw-r--r--src/firejail/fs_dev.c2
-rw-r--r--src/firejail/fs_home.c12
-rw-r--r--src/firejail/fs_var.c18
-rw-r--r--src/firejail/preproc.c2
-rw-r--r--src/firejail/restrict_users.c10
-rw-r--r--src/firejail/x11.c4
-rw-r--r--test/filters/syscall_test.c2
7 files changed, 25 insertions, 25 deletions
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 4872d6cd9..bd036908a 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -228,7 +228,7 @@ void fs_private_dev(void){
228 } 228 }
229 229
230 // mount tmpfs on top of /dev 230 // mount tmpfs on top of /dev
231 if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) 231 if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
232 errExit("mounting /dev"); 232 errExit("mounting /dev");
233 fs_logger("tmpfs /dev"); 233 fs_logger("tmpfs /dev");
234 234
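Review bot: The /dev tmpfs at line 231 keeps only MS_NOSUID | MS_STRICTATIME, while the /root, /home and /var tmpfs mounts in this same commit also carry MS_NOEXEC, and nothing in the hunk records why the flag sets differ now that every tmpfs mount is being touched. MS_NODEV is presumably off because device nodes have to live on this filesystem, but no visible line needs executables to run from /dev; either add MS_NOEXEC or state the reason next to the call, e.g. `// no MS_NODEV: device nodes are created here; no MS_NOEXEC: <reason>` with the placeholder filled in. The same question applies to preproc.c line 83 (RUN_MNT_DIR, neither MS_NODEV nor MS_NOEXEC), x11.c line 1102 (/tmp without MS_NODEV or MS_NOEXEC, unlike /tmp/.X11-unix at line 1256 of the same file) and the /home and /run/user mounts in restrict_users.c (no MS_NOEXEC). fs_private_dev continues outside the hunk.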
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 7746aa44b..e35bf073d 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -270,7 +270,7 @@ void fs_private_homedir(void) {
270 // mask /root 270 // mask /root
271 if (arg_debug) 271 if (arg_debug)
272 printf("Mounting a new /root directory\n"); 272 printf("Mounting a new /root directory\n");
273 if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC, "mode=700,gid=0") < 0) 273 if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=700,gid=0") < 0)
274 errExit("mounting home directory"); 274 errExit("mounting home directory");
275 fs_logger("tmpfs /root"); 275 fs_logger("tmpfs /root");
276 } 276 }
@@ -278,7 +278,7 @@ void fs_private_homedir(void) {
278 // mask /home 278 // mask /home
279 if (arg_debug) 279 if (arg_debug)
280 printf("Mounting a new /home directory\n"); 280 printf("Mounting a new /home directory\n");
281 if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) 281 if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=755,gid=0") < 0)
282 errExit("mounting home directory"); 282 errExit("mounting home directory");
283 fs_logger("tmpfs /home"); 283 fs_logger("tmpfs /home");
284 } 284 }
@@ -313,7 +313,7 @@ void fs_private(void) {
313 else { 313 else {
314 if (arg_allusers) 314 if (arg_allusers)
315 fwarning("--allusers disabled by --private or --whitelist\n"); 315 fwarning("--allusers disabled by --private or --whitelist\n");
316 if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) 316 if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=755,gid=0") < 0)
317 errExit("mounting home directory"); 317 errExit("mounting home directory");
318 fs_logger("tmpfs /home"); 318 fs_logger("tmpfs /home");
319 } 319 }
@@ -321,7 +321,7 @@ void fs_private(void) {
321 // mask /root 321 // mask /root
322 if (arg_debug) 322 if (arg_debug)
323 printf("Mounting a new /root directory\n"); 323 printf("Mounting a new /root directory\n");
324 if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC, "mode=700,gid=0") < 0) 324 if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME, "mode=700,gid=0") < 0)
325 errExit("mounting root directory"); 325 errExit("mounting root directory");
326 fs_logger("tmpfs /root"); 326 fs_logger("tmpfs /root");
327 327
@@ -517,14 +517,14 @@ void fs_private_home_list(void) {
517 // mask /root 517 // mask /root
518 if (arg_debug) 518 if (arg_debug)
519 printf("Mounting a new /root directory\n"); 519 printf("Mounting a new /root directory\n");
520 if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=700,gid=0") < 0) 520 if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=700,gid=0") < 0)
521 errExit("mounting home directory"); 521 errExit("mounting home directory");
522 } 522 }
523 else { 523 else {
524 // mask /home 524 // mask /home
525 if (arg_debug) 525 if (arg_debug)
526 printf("Mounting a new /home directory\n"); 526 printf("Mounting a new /home directory\n");
527 if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) 527 if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0)
528 errExit("mounting home directory"); 528 errExit("mounting home directory");
529 } 529 }
530 530
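Review bot: The two masking mounts in fs_private_home_list (lines 520 and 527) end up with MS_NOSUID | MS_NODEV | MS_STRICTATIME, while fs_private_homedir and fs_private mask the same /root and /home paths with MS_NOEXEC as well (lines 273, 281, 316, 324); if nothing is meant to execute from the masking tmpfs itself, aligning them is a one-token change, otherwise a comment on why exec is needed there would stop the next cleanup from "fixing" it. Separately, the failure message for the /root mount is `errExit("mounting home directory");` at lines 274 and 521 but `errExit("mounting root directory");` at line 325; the /root cases at 274 and 521 should use the latter so a failure log names the right path. All enclosing functions continue outside the hunks shown.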
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index 5b872ad75..75369b47c 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -118,7 +118,7 @@ void fs_var_log(void) {
118 // mount a tmpfs on top of /var/log 118 // mount a tmpfs on top of /var/log
119 if (arg_debug) 119 if (arg_debug)
120 printf("Mounting tmpfs on /var/log\n"); 120 printf("Mounting tmpfs on /var/log\n");
121 if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) 121 if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0)
122 errExit("mounting /var/log"); 122 errExit("mounting /var/log");
123 fs_logger("tmpfs /var/log"); 123 fs_logger("tmpfs /var/log");
124 124
@@ -153,7 +153,7 @@ void fs_var_lib(void) {
153 if (stat("/var/lib/dhcp", &s) == 0) { 153 if (stat("/var/lib/dhcp", &s) == 0) {
154 if (arg_debug) 154 if (arg_debug)
155 printf("Mounting tmpfs on /var/lib/dhcp\n"); 155 printf("Mounting tmpfs on /var/lib/dhcp\n");
156 if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) 156 if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0)
157 errExit("mounting /var/lib/dhcp"); 157 errExit("mounting /var/lib/dhcp");
158 fs_logger("tmpfs /var/lib/dhcp"); 158 fs_logger("tmpfs /var/lib/dhcp");
159 159
@@ -172,7 +172,7 @@ void fs_var_lib(void) {
172 if (stat("/var/lib/nginx", &s) == 0) { 172 if (stat("/var/lib/nginx", &s) == 0) {
173 if (arg_debug) 173 if (arg_debug)
174 printf("Mounting tmpfs on /var/lib/nginx\n"); 174 printf("Mounting tmpfs on /var/lib/nginx\n");
175 if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) 175 if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0)
176 errExit("mounting /var/lib/nginx"); 176 errExit("mounting /var/lib/nginx");
177 fs_logger("tmpfs /var/lib/nginx"); 177 fs_logger("tmpfs /var/lib/nginx");
178 } 178 }
@@ -181,7 +181,7 @@ void fs_var_lib(void) {
181 if (stat("/var/lib/snmp", &s) == 0) { 181 if (stat("/var/lib/snmp", &s) == 0) {
182 if (arg_debug) 182 if (arg_debug)
183 printf("Mounting tmpfs on /var/lib/snmp\n"); 183 printf("Mounting tmpfs on /var/lib/snmp\n");
184 if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) 184 if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0)
185 errExit("mounting /var/lib/snmp"); 185 errExit("mounting /var/lib/snmp");
186 fs_logger("tmpfs /var/lib/snmp"); 186 fs_logger("tmpfs /var/lib/snmp");
187 } 187 }
@@ -190,7 +190,7 @@ void fs_var_lib(void) {
190 if (stat("/var/lib/sudo", &s) == 0) { 190 if (stat("/var/lib/sudo", &s) == 0) {
191 if (arg_debug) 191 if (arg_debug)
192 printf("Mounting tmpfs on /var/lib/sudo\n"); 192 printf("Mounting tmpfs on /var/lib/sudo\n");
193 if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) 193 if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0)
194 errExit("mounting /var/lib/sudo"); 194 errExit("mounting /var/lib/sudo");
195 fs_logger("tmpfs /var/lib/sudo"); 195 fs_logger("tmpfs /var/lib/sudo");
196 } 196 }
@@ -202,7 +202,7 @@ void fs_var_cache(void) {
202 if (stat("/var/cache/apache2", &s) == 0) { 202 if (stat("/var/cache/apache2", &s) == 0) {
203 if (arg_debug) 203 if (arg_debug)
204 printf("Mounting tmpfs on /var/cache/apache2\n"); 204 printf("Mounting tmpfs on /var/cache/apache2\n");
205 if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) 205 if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0)
206 errExit("mounting /var/cache/apache2"); 206 errExit("mounting /var/cache/apache2");
207 fs_logger("tmpfs /var/cache/apache2"); 207 fs_logger("tmpfs /var/cache/apache2");
208 } 208 }
@@ -210,7 +210,7 @@ void fs_var_cache(void) {
210 if (stat("/var/cache/lighttpd", &s) == 0) { 210 if (stat("/var/cache/lighttpd", &s) == 0) {
211 if (arg_debug) 211 if (arg_debug)
212 printf("Mounting tmpfs on /var/cache/lighttpd\n"); 212 printf("Mounting tmpfs on /var/cache/lighttpd\n");
213 if (mount("tmpfs", "/var/cache/lighttpd", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) 213 if (mount("tmpfs", "/var/cache/lighttpd", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0)
214 errExit("mounting /var/cache/lighttpd"); 214 errExit("mounting /var/cache/lighttpd");
215 fs_logger("tmpfs /var/cache/lighttpd"); 215 fs_logger("tmpfs /var/cache/lighttpd");
216 216
@@ -250,7 +250,7 @@ void fs_var_lock(void) {
250 if (is_dir("/var/lock")) { 250 if (is_dir("/var/lock")) {
251 if (arg_debug) 251 if (arg_debug)
252 printf("Mounting tmpfs on /var/lock\n"); 252 printf("Mounting tmpfs on /var/lock\n");
253 if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) 253 if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME, "mode=1777,gid=0") < 0)
254 errExit("mounting /lock"); 254 errExit("mounting /lock");
255 fs_logger("tmpfs /var/lock"); 255 fs_logger("tmpfs /var/lock");
256 } 256 }
@@ -266,7 +266,7 @@ void fs_var_tmp(void) {
266 if (!is_link("/var/tmp")) { 266 if (!is_link("/var/tmp")) {
267 if (arg_debug) 267 if (arg_debug)
268 printf("Mounting tmpfs on /var/tmp\n"); 268 printf("Mounting tmpfs on /var/tmp\n");
269 if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) 269 if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME, "mode=1777,gid=0") < 0)
270 errExit("mounting /var/tmp"); 270 errExit("mounting /var/tmp");
271 fs_logger("tmpfs /var/tmp"); 271 fs_logger("tmpfs /var/tmp");
272 } 272 }
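Review bot: The error message for the /var/lock tmpfs at line 254 is `errExit("mounting /lock");`, which names a path that is not the mount target; it should read `errExit("mounting /var/lock");` so the logged failure matches both the mount(2) call above it and the fs_logger line below it. As a point of style, the same mount(2) call with the same flag set now appears nine times in this file with only the path and mode string differing; a small static helper taking the path and options would make the flag set a single definition, which is what this commit is doing by hand across all nine sites. fs_var_tmp and the other enclosing functions continue outside their hunks.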
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index 905cc0f15..2effebbaa 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -80,7 +80,7 @@ void preproc_mount_mnt_dir(void) {
80 if (!tmpfs_mounted) { 80 if (!tmpfs_mounted) {
81 if (arg_debug) 81 if (arg_debug)
82 printf("Mounting tmpfs on %s directory\n", RUN_MNT_DIR); 82 printf("Mounting tmpfs on %s directory\n", RUN_MNT_DIR);
83 if (mount("tmpfs", RUN_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) 83 if (mount("tmpfs", RUN_MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0)
84 errExit("mounting /run/firejail/mnt"); 84 errExit("mounting /run/firejail/mnt");
85 tmpfs_mounted = 1; 85 tmpfs_mounted = 1;
86 fs_logger2("tmpfs", RUN_MNT_DIR); 86 fs_logger2("tmpfs", RUN_MNT_DIR);
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index 7778d7ed8..5c5ace90b 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -83,7 +83,7 @@ static void sanitize_home(void) {
83 errExit("mount bind"); 83 errExit("mount bind");
84 84
85 // mount tmpfs in the new home 85 // mount tmpfs in the new home
86 if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) 86 if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0)
87 errExit("mount tmpfs"); 87 errExit("mount tmpfs");
88 fs_logger("tmpfs /home"); 88 fs_logger("tmpfs /home");
89 89
@@ -105,7 +105,7 @@ static void sanitize_home(void) {
105 errExit("mount bind"); 105 errExit("mount bind");
106 106
107 // mask home dir under /run 107 // mask home dir under /run
108 if (mount("tmpfs", RUN_WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) 108 if (mount("tmpfs", RUN_WHITELIST_HOME_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0)
109 errExit("mount tmpfs"); 109 errExit("mount tmpfs");
110 fs_logger2("tmpfs", RUN_WHITELIST_HOME_DIR); 110 fs_logger2("tmpfs", RUN_WHITELIST_HOME_DIR);
111 if (!arg_private) 111 if (!arg_private)
@@ -138,7 +138,7 @@ static void sanitize_run(void) {
138 errExit("mount bind"); 138 errExit("mount bind");
139 139
140 // mount tmpfs on /run/user 140 // mount tmpfs on /run/user
141 if (mount("tmpfs", "/run/user", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) 141 if (mount("tmpfs", "/run/user", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0)
142 errExit("mount tmpfs"); 142 errExit("mount tmpfs");
143 fs_logger("tmpfs /run/user"); 143 fs_logger("tmpfs /run/user");
144 144
@@ -156,7 +156,7 @@ static void sanitize_run(void) {
156 errExit("mount bind"); 156 errExit("mount bind");
157 157
158 // mask mirrored /run/user/$UID directory 158 // mask mirrored /run/user/$UID directory
159 if (mount("tmpfs", RUN_WHITELIST_RUN_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) 159 if (mount("tmpfs", RUN_WHITELIST_RUN_DIR, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0)
160 errExit("mount tmpfs"); 160 errExit("mount tmpfs");
161 fs_logger2("tmpfs", RUN_WHITELIST_RUN_DIR); 161 fs_logger2("tmpfs", RUN_WHITELIST_RUN_DIR);
162 162
@@ -398,7 +398,7 @@ void restrict_users(void) {
398 else { 398 else {
399 // user has the home directory outside /home 399 // user has the home directory outside /home
400 // mount tmpfs on top of /home in order to hide it 400 // mount tmpfs on top of /home in order to hide it
401 if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) 401 if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0)
402 errExit("mount tmpfs"); 402 errExit("mount tmpfs");
403 fs_logger("tmpfs /home"); 403 fs_logger("tmpfs /home");
404 } 404 }
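Review bot: All five tmpfs mounts in this file (lines 86, 108, 141, 159, 401) fail with the identical message `errExit("mount tmpfs");`, so a failure during sandbox setup cannot be traced back to the mount that failed; including the target makes the message actionable, e.g. `errExit("mount tmpfs on /run/user");` at line 142, and the existing `fs_logger2("tmpfs", RUN_WHITELIST_RUN_DIR);` calls already show how to name the macro-defined paths. sanitize_home, sanitize_run and restrict_users each continue outside the hunks shown.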
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 63b36053b..b0ed10b30 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1099,7 +1099,7 @@ void x11_xorg(void) {
1099 } 1099 }
1100 1100
1101 // temporarily mount a tempfs on top of /tmp directory 1101 // temporarily mount a tempfs on top of /tmp directory
1102 if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) 1102 if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=1777,gid=0") < 0)
1103 errExit("mounting /tmp"); 1103 errExit("mounting /tmp");
1104 1104
1105 // create the temporary .Xauthority file 1105 // create the temporary .Xauthority file
@@ -1253,7 +1253,7 @@ void fs_x11(void) {
1253 1253
1254 // This directory must be mode 1777, or Xlib will barf. 1254 // This directory must be mode 1777, or Xlib will barf.
1255 if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs", 1255 if (mount("tmpfs", "/tmp/.X11-unix", "tmpfs",
1256 MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, 1256 MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME,
1257 "mode=1777,uid=0,gid=0") < 0) 1257 "mode=1777,uid=0,gid=0") < 0)
1258 errExit("mounting tmpfs on /tmp/.X11-unix"); 1258 errExit("mounting tmpfs on /tmp/.X11-unix");
1259 fs_logger("tmpfs /tmp/.X11-unix"); 1259 fs_logger("tmpfs /tmp/.X11-unix");
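Review bot: The comment at line 1101 reads "temporarily mount a tempfs on top of /tmp directory"; "tempfs" should be "tmpfs", e.g. `// temporarily mount a tmpfs on top of /tmp`. Since the hunk shows only the mount and the comment calls it temporary, the comment would be more useful if it also named where the mount is undone — confirm against the rest of x11_xorg, which continues outside the hunk.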
diff --git a/test/filters/syscall_test.c b/test/filters/syscall_test.c
index 6952c751c..2005f2109 100644
--- a/test/filters/syscall_test.c
+++ b/test/filters/syscall_test.c
@@ -69,7 +69,7 @@ int main(int argc, char **argv) {
69 } 69 }
70 else if (strcmp(argv[1], "mount") == 0) { 70 else if (strcmp(argv[1], "mount") == 0) {
71 printf("before mount\n"); 71 printf("before mount\n");
72 if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) { 72 if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME, "mode=755,gid=0") < 0) {
73 perror("mount"); 73 perror("mount");
74 } 74 }
75 printf("after mount\n"); 75 printf("after mount\n");