author | smitsohu <smitsohu@gmail.com> | 2021-06-06 19:49:32 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2021-06-06 20:08:01 +0200 |
commit | ab9d30c61cb4479aece756a5373e2fe8904a53d7 (patch) | |
tree | 263f1a0a0bcf43e0761f89a3ba08febe323ed0b7 | |
parent | selinux enhancements (diff) | |
blacklist cleaned passwd, group, utmp files
just in case users decide to remove them
completely from the sandbox, by means of
private-etc or whitelist
-rw-r--r-- | src/firejail/fs_var.c | 4 | ||||
-rw-r--r-- | src/firejail/restrict_users.c | 10 |
2 files changed, 14 insertions, 0 deletions
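--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -323,4 +323,8 @@ void fs_var_utmp(void) {
 if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_NOSUID|MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
 errExit("mount bind utmp");
 fs_logger2("create", UTMP_FILE);
+
+// blacklist RUN_UTMP_FILE
+if (mount(RUN_RO_FILE, RUN_UTMP_FILE, NULL, MS_BIND, "mode=400,gid=0") < 0)
+errExit("mount bind");
 }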
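Review bot: The added `// blacklist RUN_UTMP_FILE` comment in fs_var_utmp records neither why the staging file is hidden nor that this mount has to come after the bind onto UTMP_FILE; if the two mounts were ever reordered, UTMP_FILE would end up bound to RUN_RO_FILE instead of the cleaned copy. I would expand it to something like `// hide the staging copy so it stays unreachable even if UTMP_FILE is dropped via whitelist; must follow the bind above`. The same applies to the blacklist mounts added in sanitize_passwd and sanitize_group in restrict_users.c. The error text `errExit("mount bind")` is also less specific than the `"mount bind utmp"` used three lines earlier; `errExit("mount bind blacklist utmp");` would make a failure attributable. The start of fs_var_utmp is outside the hunk.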
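--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -246,6 +246,11 @@ static void sanitize_passwd(void) {
 // mount-bind tne new password file
 if (mount(RUN_PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0)
 errExit("mount");
+
+// blacklist RUN_PASSWD_FILE
+if (mount(RUN_RO_FILE, RUN_PASSWD_FILE, "none", MS_BIND, "mode=400,gid=0") < 0)
+errExit("mount");
+
 fs_logger("create /etc/passwd");
 
 return;
@@ -376,6 +381,11 @@ static void sanitize_group(void) {
 // mount-bind tne new group file
 if (mount(RUN_GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0)
 errExit("mount");
+
+// blacklist RUN_GROUP_FILE
+if (mount(RUN_RO_FILE, RUN_GROUP_FILE, "none", MS_BIND, "mode=400,gid=0") < 0)
+errExit("mount");
+
 fs_logger("create /etc/group");
 
 return;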
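Review bot: Both new blacklist mounts in sanitize_passwd and sanitize_group pass `"none"` and `"mode=400,gid=0"`, but mount(2) ignores the filesystem type and data arguments for an MS_BIND mount, so the string reads like a permission restriction that the call does not apply. What the sandbox actually sees at RUN_PASSWD_FILE and RUN_GROUP_FILE is governed by the mode and ownership of RUN_RO_FILE itself, which is set up outside these hunks. The context lines use the same arguments, so this looks like project convention; a comment such as `// data string is ignored for bind mounts; access is determined by RUN_RO_FILE's own mode` would stop readers relying on it. It may also be worth logging the new mounts next to the existing `fs_logger("create /etc/passwd")` and `fs_logger("create /etc/group")` calls, so the blacklist shows up in the sandbox's filesystem log. Both functions continue outside their hunks.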