avoid running without procfs describing the pid namespace

2 files changed, 34 insertions, 7 deletions

diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index f3ef97aeb..411f2e778 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -682,13 +682,9 @@ void fs_mnt(const int enforce) {
 // mount /proc and /sys directories
 void fs_proc_sys_dev_boot(void) {
 
-        if (arg_debug)
-                printf("Remounting /proc and /proc/sys filesystems\n");
-        if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
-                errExit("mounting /proc");
-        fs_logger("remount /proc");
-
         // remount /proc/sys readonly
+        if (arg_debug)
+                printf("Mounting read-only /proc/sys\n");
         if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0 ||
             mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
                 errExit("mounting /proc/sys");
@@ -698,7 +694,8 @@ void fs_proc_sys_dev_boot(void) {
         /* Mount a version of /sys that describes the network namespace */
         if (arg_debug)
                 printf("Remounting /sys directory\n");
-        // if this is an overlay, don't try to unmount, just mount a new sysfs
+        // sysfs not yet mounted in overlays, so don't try to unmount it
+        // expect that unmounting /sys fails in a chroot, no need to print a warning in that case
         if (!arg_overlay) {
                 if (umount2("/sys", MNT_DETACH) < 0 && !cfg.chrootdir)
                         fwarning("failed to unmount /sys\n");
@@ -1176,6 +1173,15 @@ void fs_overlayfs(void) {
                 errExit("mounting /tmp");
         fs_logger("whitelist /tmp");
 
+        // mount a new proc filesystem
+        if (arg_debug)
+                printf("Mounting /proc\n");
+        char *proc;
+        if (asprintf(&proc, "%s/proc", oroot) == -1)
+                errExit("asprintf");
+        if (mount("proc", proc, "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
+                errExit("mounting /proc");
+
         // chroot in the new filesystem
 #ifdef HAVE_GCOV
         __gcov_flush();
@@ -1210,6 +1216,7 @@ void fs_overlayfs(void) {
         free(dev);
         free(run);
         free(tmp);
+        free(proc);
 }
 #endif
 
@@ -1380,6 +1387,16 @@ void fs_chroot(const char *rootdir) {
                 errExit("mounting /dev");
         free(newdev);
 
+        // mount a new proc filesystem
+        char *newproc;
+        if (asprintf(&newproc, "%s/proc", rootdir) == -1)
+                errExit("asprintf");
+        if (arg_debug)
+                printf("Mounting /proc filesystem on %s\n", newproc);
+        if (mount("proc", newproc, "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
+                errExit("mounting /proc");
+        free(newproc);
+
         // x11
         if (getenv("FIREJAIL_X11")) {
                 char *newx11;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 2c5c5fc12..841d57c89 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -623,6 +623,16 @@ int sandbox(void* sandbox_arg) {
                 errExit("mounting " RUN_FIREJAIL_LIB_DIR);
 
         //****************************
+        // mount new proc filesystem
+        // representing the pid namespace
+        //****************************
+
+        if (arg_debug)
+                printf("Remounting /proc filesystem\n");
+        if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
+                errExit("mounting /proc");
+
+        //****************************
         // log sandbox data
         //****************************
         if (cfg.name)