fix /sys directory

2 files changed, 17 insertions, 41 deletions

diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index e93db9cff..a0128a248 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -482,42 +482,25 @@ void fs_proc_sys_dev_boot(void) {
                 
 
 
-        if (arg_debug)
-                printf("Disable /sys/firmware directory\n");
-        if (mount("tmpfs", "/sys/firmware", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                fprintf(stderr, "Warning: cannot disable /sys/firmware directory\n");
-        else
-                fs_logger("mount tmpfs on /sys/firmware");
+        if (stat("/sys/firmware", &s) == 0) {
+                disable_file(BLACKLIST_FILE, "/sys/firmware");
+        }
                 
-        if (arg_debug)
-                printf("Disable /sys/hypervisor directory\n");
-        if (mount("tmpfs", "/sys/hypervisor", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                fprintf(stderr, "Warning: cannot disable /sys/hypervisor directory\n");
-        else
-                fs_logger("mount tmpfs on /sys/hypervisor");
-
-        if (arg_debug)
-                printf("Disable /sys/fs directory\n");
-        if (mount("tmpfs", "/sys/fs", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                fprintf(stderr, "Warning: cannot disable /sys/fs directory\n");
-        else
-                fs_logger("mount tmpfs on /sys/fs");
-
-        if (arg_debug)
-                printf("Disable /sys/module directory\n");
-        if (mount("tmpfs", "/sys/module", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                fprintf(stderr, "Warning: cannot disable /sys/module directory\n");
-        else
-                fs_logger("mount tmpfs on /sys/module");
+        if (stat("/sys/hypervisor", &s) == 0) {
+                disable_file(BLACKLIST_FILE, "/sys/hypervisor");
+        }
 
-        if (arg_debug)
-                printf("Disable /sys/power directory\n");
-        if (mount("tmpfs", "/sys/power", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
-                fprintf(stderr, "Warning: cannot disable /sys/power directory\n");
-        else
-                fs_logger("mount tmpfs on /sys/power");
+        if (stat("/sys/fs", &s) == 0) {
+                disable_file(BLACKLIST_FILE, "/sys/fs");
+        }
 
+        if (stat("/sys/module", &s) == 0) {
+                disable_file(BLACKLIST_FILE, "/sys/module");
+        }
 
+        if (stat("/sys/power", &s) == 0) {
+                disable_file(BLACKLIST_FILE, "/sys/power");
+        }
 
 //      if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0)
 //              errExit("mounting /sys");
diff --git a/todo b/todo
index db895deef..0c7738395 100644
--- a/todo
+++ b/todo
@@ -141,16 +141,9 @@ dr-x------ 2   65534   65534   40 Nov 24 17:53 .mozilla
 -rw------- 1 netblue netblue   51 Nov 25 08:09 .Xauthority
 
 
-19. move from tmpfs to blacklist
-mount tmpfs on /sys/firmware
-mount tmpfs on /sys/hypervisor
-mount tmpfs on /sys/fs
-mount tmpfs on /sys/module
-mount tmpfs on /sys/power
+19. Try --overlay on a Ubuntu 14.04 32bit.Without adding --dns, there will be no network connectivity - see issue 151
 
-20. Try --overlay on a Ubuntu 14.04 32bit.Without adding --dns, there will be no network connectivity - see issue 151
-
-21. Check this out:
+20. Check this out:
 
 I was messing around with my fstab, and found out that firejail can't have /usr/bin mounted in read-only.
  Here's what my fstab looks like now: