fix /sys handling for overlayfs and chroot

author: netblue30 <netblue30@yahoo.com> 2017-04-13 07:02:44 -0400
committer: netblue30 <netblue30@yahoo.com> 2017-04-13 07:02:44 -0400
commit: 3813d1c47e6ac48b23c2a401e65b7a412f5de5f6 (patch)
tree: 3056838d37fceba7fdcff5f6158087fa4c603331
parent: fix gimp profile (diff)
download: firejail-3813d1c47e6ac48b23c2a401e65b7a412f5de5f6.tar.gz
firejail-3813d1c47e6ac48b23c2a401e65b7a412f5de5f6.tar.zst
firejail-3813d1c47e6ac48b23c2a401e65b7a412f5de5f6.zip
4 files changed, 21 insertions, 7 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 71cefffe0..f6aba7048 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -502,12 +502,10 @@ void fs_proc_sys_dev_boot(void) {
                printf("Remounting /sys directory\n");
        if (umount2("/sys", MNT_DETACH) < 0)
                fprintf(stderr, "Warning: failed to unmount /sys\n");
-        else {
+        if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0)
-                if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0)
+                fprintf(stderr, "Warning: failed to mount /sys\n");
-                        fprintf(stderr, "Warning: failed to mount /sys\n");
+        else
-                else
+                fs_logger("remount /sys");
-                        fs_logger("remount /sys");
-        }
                
        disable_file(BLACKLIST_FILE, "/sys/firmware");
        disable_file(BLACKLIST_FILE, "/sys/hypervisor");
diff --git a/test/chroot/configure b/test/chroot/configure
index ba8238803..26a516931 100755
--- a/test/chroot/configure
+++ b/test/chroot/configure
@@ -8,7 +8,7 @@ DEFAULT_FILES+=`find /lib -name libnss*`	# files required by glibc
 DEFAULT_FILES+=" /bin/cp /bin/ls /bin/cat /bin/ps /bin/netstat /bin/ping /sbin/ifconfig /usr/bin/touch /bin/ip /bin/hostname /bin/grep /usr/bin/dig /usr/bin/openssl /usr/bin/id /usr/bin/getent /usr/bin/whoami /usr/bin/wc /usr/bin/wget /bin/umount"
 rm -fr $ROOTDIR
-mkdir -p $ROOTDIR/{root,bin,lib,lib64,usr,home,etc,dev/shm,tmp,var/run,var/tmp,var/lock,var/log,proc}
+mkdir -p $ROOTDIR/{root,bin,lib,lib64,usr,home,etc,dev/shm,tmp,var/run,var/tmp,var/lock,var/log,proc,sys}
 chmod 777 $ROOTDIR/tmp
 mkdir -p $ROOTDIR/etc/firejail
 mkdir -p $ROOTDIR/home/netblue/.config/firejail
diff --git a/test/chroot/fs_chroot.exp b/test/chroot/fs_chroot.exp
index 295ff8ff9..2190db359 100755
--- a/test/chroot/fs_chroot.exp
+++ b/test/chroot/fs_chroot.exp
@@ -49,6 +49,14 @@ expect {
 }
 after 100
+# check /sys directory
+send -- "ls /sys\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "block"
+}
+after 100
 puts "all done\n"
diff --git a/test/overlay/fs.exp b/test/overlay/fs.exp
index 15ada9203..15828f437 100755
--- a/test/overlay/fs.exp
+++ b/test/overlay/fs.exp
@@ -40,7 +40,15 @@ expect {
        "xyzxyzxyz" {puts "TESTING ERROR 5.1\n";exit}
        "done"
 }
+after 100
+# check /sys directory
+send -- "ls /sys\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "block"
+}
 after 100
 puts "\nall done\n"
author	netblue30 <netblue30@yahoo.com>	2017-04-13 07:02:44 -0400
committer	netblue30 <netblue30@yahoo.com>	2017-04-13 07:02:44 -0400
commit	3813d1c47e6ac48b23c2a401e65b7a412f5de5f6 (patch)
tree	3056838d37fceba7fdcff5f6158087fa4c603331
parent	fix gimp profile (diff)
download	firejail-3813d1c47e6ac48b23c2a401e65b7a412f5de5f6.tar.gz firejail-3813d1c47e6ac48b23c2a401e65b7a412f5de5f6.tar.zst firejail-3813d1c47e6ac48b23c2a401e65b7a412f5de5f6.zip