mount sandbox lib directory ro,nosuid,nodev

author: smitsohu <smitsohu@gmail.com> 2020-08-08 23:42:03 +0200
committer: smitsohu <smitsohu@gmail.com> 2020-08-09 19:11:50 +0200
commit: e18c7cd5f54f275190d5517c6cd42acf0d3a8bbc (patch)
tree: 466fff0e09ab7ddaa19738239554436dbbd93ce4
parent: fix read-only=/ (diff)
download: firejail-e18c7cd5f54f275190d5517c6cd42acf0d3a8bbc.tar.gz
firejail-e18c7cd5f54f275190d5517c6cd42acf0d3a8bbc.tar.zst
firejail-e18c7cd5f54f275190d5517c6cd42acf0d3a8bbc.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 995e98f9f..da942207e 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -623,7 +623,8 @@ int sandbox(void* sandbox_arg) {
        // ... and mount a tmpfs on top of /run/firejail/mnt directory
        preproc_mount_mnt_dir();
        // bind-mount firejail binaries and helper programs
-        if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, "none", MS_BIND, NULL) < 0)
+        if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, NULL, MS_BIND, NULL) < 0 ||
+            mount(NULL, RUN_FIREJAIL_LIB_DIR, NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_BIND|MS_REMOUNT, NULL) < 0)
                errExit("mounting " RUN_FIREJAIL_LIB_DIR);
        //****************************
author	smitsohu <smitsohu@gmail.com>	2020-08-08 23:42:03 +0200
committer	smitsohu <smitsohu@gmail.com>	2020-08-09 19:11:50 +0200
commit	e18c7cd5f54f275190d5517c6cd42acf0d3a8bbc (patch)
tree	466fff0e09ab7ddaa19738239554436dbbd93ce4
parent	fix read-only=/ (diff)
download	firejail-e18c7cd5f54f275190d5517c6cd42acf0d3a8bbc.tar.gz firejail-e18c7cd5f54f275190d5517c6cd42acf0d3a8bbc.tar.zst firejail-e18c7cd5f54f275190d5517c6cd42acf0d3a8bbc.zip

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 995e98f9f..da942207e 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -623,7 +623,8 @@ int sandbox(void* sandbox_arg) {
623	// ... and mount a tmpfs on top of /run/firejail/mnt directory	623	// ... and mount a tmpfs on top of /run/firejail/mnt directory
624	preproc_mount_mnt_dir();	624	preproc_mount_mnt_dir();
625	// bind-mount firejail binaries and helper programs	625	// bind-mount firejail binaries and helper programs
626	if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, "none", MS_BIND, NULL) < 0)	626	if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, NULL, MS_BIND, NULL) < 0 \|\|
		627	mount(NULL, RUN_FIREJAIL_LIB_DIR, NULL, MS_RDONLY\|MS_NOSUID\|MS_NODEV\|MS_BIND\|MS_REMOUNT, NULL) < 0)
627	errExit("mounting " RUN_FIREJAIL_LIB_DIR);	628	errExit("mounting " RUN_FIREJAIL_LIB_DIR);
628		629
629	//****************************	630	//****************************