author | netblue30 <netblue30@yahoo.com> | 2018-01-24 10:03:46 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2018-01-24 10:03:46 -0500 |
commit | 237e115d0c85120bc304c953a702d2c6ef253e95 (patch) | |
tree | c709f939a5dc43287cdf6da52fa799fdab52fcba | |
parent | --overlay clanup (diff) | |
apparmor support for --chroot sandboxes
-rw-r--r-- | src/firejail/fs.c | 8 |
1 files changed, 7 insertions, 1 deletions
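--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1230,9 +1230,15 @@ void fs_chroot(const char *rootdir) {
 #ifdef HAVE_GCOV
 	__gcov_flush();
 #endif
+	// mount the chroot dir on top of /run/firejail/mnt/oroot in order to reuse the apparmor rules for overlay
+	// and chroot into this new directory
 	if (arg_debug)
 		printf("Chrooting into %s\n", rootdir);
-	if (chroot(rootdir) < 0)
+	char *oroot = RUN_OVERLAY_ROOT;
+	mkdir_attr(oroot, 0755, 0, 0);
+	if (mount(rootdir, oroot, NULL, MS_BIND|MS_REC, NULL) < 0)
+		errExit("mounting rootdir oroot");
+	if (chroot(oroot) < 0)
 		errExit("chroot");
 
 	// create all other /run/firejail files and directories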
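Review bot: The `chroot(oroot)` at new line 1241 is not followed within the hunk by a `chdir("/")`, and chroot(2) on its own leaves the working directory wherever it was, so the old tree stays reachable through the cwd until the process changes into the new root; fs_chroot continues outside the hunk, so if that chdir is not already done further down, add `if (chdir("/") < 0) errExit("chdir");` right after the chroot check. `char *oroot = RUN_OVERLAY_ROOT;` at 1237 points a writable pointer at what is presumably a string-literal macro; declaring it `const char *oroot = RUN_OVERLAY_ROOT;` keeps the compiler able to reject any later write through it. The new comment at 1233 hard-codes `/run/firejail/mnt/oroot` while the code uses the RUN_OVERLAY_ROOT macro, so the comment will drift if the macro moves; `// bind-mount the chroot dir on RUN_OVERLAY_ROOT so the overlay apparmor rules apply, then chroot there` says the same thing without the path. The return value of `mkdir_attr()` at 1238 is discarded; if that helper reports failure by return value rather than exiting, the mount at 1239 should not be attempted on a directory that was never created.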