private-dev: blacklist stashed syslog socket when it is not needed anymore

closes #3584
author: smitsohu <smitsohu@gmail.com> 2020-08-28 16:02:24 +0200
committer: GitHub <noreply@github.com> 2020-08-28 16:02:24 +0200
commit: 5014a434e5b0a735a7fcd4a1170408337fe4fc09 (patch)
tree: a678fdf3a6d3197d6ad5743c1e3e2f0177dad11b
parent: expose pulseaudio in chroot if FIREJAIL_CHROOT_PULSE is set (diff)
download: firejail-5014a434e5b0a735a7fcd4a1170408337fe4fc09.tar.gz
firejail-5014a434e5b0a735a7fcd4a1170408337fe4fc09.tar.zst
firejail-5014a434e5b0a735a7fcd4a1170408337fe4fc09.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 00edc5f88..3950ea2fd 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -244,6 +244,8 @@ void fs_private_dev(void){
                                errExit("mounting /dev/log");
                        fs_logger("clone /dev/log");
                }
+                if (mount(RUN_RO_FILE, RUN_DEVLOG_FILE, "none", MS_BIND, "mode=400,gid=0") < 0)
+                        errExit("blacklisting " RUN_DEVLOG_FILE);
        }
        // bring forward the current /dev/shm directory if necessary
author	smitsohu <smitsohu@gmail.com>	2020-08-28 16:02:24 +0200
committer	GitHub <noreply@github.com>	2020-08-28 16:02:24 +0200
commit	5014a434e5b0a735a7fcd4a1170408337fe4fc09 (patch)
tree	a678fdf3a6d3197d6ad5743c1e3e2f0177dad11b
parent	expose pulseaudio in chroot if FIREJAIL_CHROOT_PULSE is set (diff)
download	firejail-5014a434e5b0a735a7fcd4a1170408337fe4fc09.tar.gz firejail-5014a434e5b0a735a7fcd4a1170408337fe4fc09.tar.zst firejail-5014a434e5b0a735a7fcd4a1170408337fe4fc09.zip

diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index 00edc5f88..3950ea2fd 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c
@@ -244,6 +244,8 @@ void fs_private_dev(void){
244	errExit("mounting /dev/log");	244	errExit("mounting /dev/log");
245	fs_logger("clone /dev/log");	245	fs_logger("clone /dev/log");
246	}	246	}
		247	if (mount(RUN_RO_FILE, RUN_DEVLOG_FILE, "none", MS_BIND, "mode=400,gid=0") < 0)
		248	errExit("blacklisting " RUN_DEVLOG_FILE);
247	}	249	}
248		250
249	// bring forward the current /dev/shm directory if necessary	251	// bring forward the current /dev/shm directory if necessary