blacklisting some directories by default under /sys

author: netblue30 <netblue30@yahoo.com> 2015-10-08 09:30:11 -0400
committer: netblue30 <netblue30@yahoo.com> 2015-10-08 09:30:11 -0400
commit: 2e2924af6cb01e1a27a643b135b4a3640c977115 (patch)
tree: 1b4bb4c25fba819ee4322c7831ba605bb75518d4
parent: fixed transmission-qt.profile (diff)
download: firejail-2e2924af6cb01e1a27a643b135b4a3640c977115.tar.gz
firejail-2e2924af6cb01e1a27a643b135b4a3640c977115.tar.zst
firejail-2e2924af6cb01e1a27a643b135b4a3640c977115.zip
1 files changed, 24 insertions, 0 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 755cb9f6e..54086e0bb 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -431,6 +431,30 @@ void fs_proc_sys_dev_boot(void) {
        if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0)
                fprintf(stderr, "Warning: failed to mount /sys\n");
+        if (arg_debug)
+                printf("Disable /sys/firmware directory\n");
+        if (mount("tmpfs", "/sys/firmware", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                errExit("disable /sys/firmware directory");
+        if (arg_debug)
+                printf("Disable /sys/hypervisor directory\n");
+        if (mount("tmpfs", "/sys/hypervisor", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                errExit("disable /sys/hypervisor directory");
+        if (arg_debug)
+                printf("Disable /sys/fs directory\n");
+        if (mount("tmpfs", "/sys/fs", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                errExit("disable /sys/fs directory");
+        if (arg_debug)
+                printf("Disable /sys/module directory\n");
+        if (mount("tmpfs", "/sys/module", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                errExit("disable /sys/module directory");
+        if (arg_debug)
+                printf("Disable /sys/power directory\n");
+        if (mount("tmpfs", "/sys/power", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                errExit("disable /sys/power directory");
 //      if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0)
 //              errExit("mounting /sys");
author	netblue30 <netblue30@yahoo.com>	2015-10-08 09:30:11 -0400
committer	netblue30 <netblue30@yahoo.com>	2015-10-08 09:30:11 -0400
commit	2e2924af6cb01e1a27a643b135b4a3640c977115 (patch)
tree	1b4bb4c25fba819ee4322c7831ba605bb75518d4
parent	fixed transmission-qt.profile (diff)
download	firejail-2e2924af6cb01e1a27a643b135b4a3640c977115.tar.gz firejail-2e2924af6cb01e1a27a643b135b4a3640c977115.tar.zst firejail-2e2924af6cb01e1a27a643b135b4a3640c977115.zip

diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 755cb9f6e..54086e0bb 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -431,6 +431,30 @@ void fs_proc_sys_dev_boot(void) {
431	if (mount("sysfs", "/sys", "sysfs", MS_RDONLY\|MS_NOSUID\|MS_NOEXEC\|MS_NODEV\|MS_REC, NULL) < 0)	431	if (mount("sysfs", "/sys", "sysfs", MS_RDONLY\|MS_NOSUID\|MS_NOEXEC\|MS_NODEV\|MS_REC, NULL) < 0)
432	fprintf(stderr, "Warning: failed to mount /sys\n");	432	fprintf(stderr, "Warning: failed to mount /sys\n");
433		433
		434
		435	if (arg_debug)
		436	printf("Disable /sys/firmware directory\n");
		437	if (mount("tmpfs", "/sys/firmware", "tmpfs", MS_NOSUID \| MS_NODEV \| MS_STRICTATIME \| MS_REC, "mode=755,gid=0") < 0)
		438	errExit("disable /sys/firmware directory");
		439	if (arg_debug)
		440	printf("Disable /sys/hypervisor directory\n");
		441	if (mount("tmpfs", "/sys/hypervisor", "tmpfs", MS_NOSUID \| MS_NODEV \| MS_STRICTATIME \| MS_REC, "mode=755,gid=0") < 0)
		442	errExit("disable /sys/hypervisor directory");
		443	if (arg_debug)
		444	printf("Disable /sys/fs directory\n");
		445	if (mount("tmpfs", "/sys/fs", "tmpfs", MS_NOSUID \| MS_NODEV \| MS_STRICTATIME \| MS_REC, "mode=755,gid=0") < 0)
		446	errExit("disable /sys/fs directory");
		447	if (arg_debug)
		448	printf("Disable /sys/module directory\n");
		449	if (mount("tmpfs", "/sys/module", "tmpfs", MS_NOSUID \| MS_NODEV \| MS_STRICTATIME \| MS_REC, "mode=755,gid=0") < 0)
		450	errExit("disable /sys/module directory");
		451	if (arg_debug)
		452	printf("Disable /sys/power directory\n");
		453	if (mount("tmpfs", "/sys/power", "tmpfs", MS_NOSUID \| MS_NODEV \| MS_STRICTATIME \| MS_REC, "mode=755,gid=0") < 0)
		454	errExit("disable /sys/power directory");
		455
		456
		457
434	// if (mount("sysfs", "/sys", "sysfs", MS_RDONLY\|MS_NOSUID\|MS_NOEXEC\|MS_NODEV\|MS_REC, NULL) < 0)	458	// if (mount("sysfs", "/sys", "sysfs", MS_RDONLY\|MS_NOSUID\|MS_NOEXEC\|MS_NODEV\|MS_REC, NULL) < 0)
435	// errExit("mounting /sys");	459	// errExit("mounting /sys");
436		460