adding nodev, nosuid, and noexec

author: netblue30 <netblue30@yahoo.com> 2016-07-10 08:07:09 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-07-10 08:07:09 -0400
commit: 0723d323e7996149d5f7ebd417f9c9162a4dea5e (patch)
tree: a401a453bc4e657b36dd0ee1560dd129d004b259
parent: readme (diff)
download: firejail-0723d323e7996149d5f7ebd417f9c9162a4dea5e.tar.gz
firejail-0723d323e7996149d5f7ebd417f9c9162a4dea5e.tar.zst
firejail-0723d323e7996149d5f7ebd417f9c9162a4dea5e.zip
1 files changed, 6 insertions, 5 deletions
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index b12d8bb76..41092de2b 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -248,7 +248,7 @@ void fs_private_homedir(void) {
        // mount bind private_homedir on top of homedir
        if (arg_debug)
                printf("Mount-bind %s on top of %s\n", private_homedir, homedir);
-        if (mount(private_homedir, homedir, NULL, MS_BIND|MS_REC, NULL) < 0)
+        if (mount(private_homedir, homedir, NULL, MS_NOSUID | MS_NODEV | MS_BIND | MS_REC, NULL) < 0)
                errExit("mount bind");
        fs_logger3("mount-bind", private_homedir, cfg.homedir);
        fs_logger2("whitelist", cfg.homedir);
@@ -262,7 +262,7 @@ void fs_private_homedir(void) {
                // mask /root
                if (arg_debug)
                        printf("Mounting a new /root directory\n");
-                if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=700,gid=0") < 0)
+                if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC,  "mode=700,gid=0") < 0)
                        errExit("mounting home directory");
                fs_logger("tmpfs /root");
        }
@@ -270,7 +270,7 @@ void fs_private_homedir(void) {
                // mask /home
                if (arg_debug)
                        printf("Mounting a new /home directory\n");
-                if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+                if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mounting home directory");
                fs_logger("tmpfs /home");
        }
@@ -300,14 +300,14 @@ void fs_private(void) {
        // mask /home
        if (arg_debug)
                printf("Mounting a new /home directory\n");
-        if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
+        if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC,  "mode=755,gid=0") < 0)
                errExit("mounting home directory");
        fs_logger("tmpfs /home");
        // mask /root
        if (arg_debug)
                printf("Mounting a new /root directory\n");
-        if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=700,gid=0") < 0)
+        if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC,  "mode=700,gid=0") < 0)
                errExit("mounting root directory");
        fs_logger("tmpfs /root");
@@ -331,6 +331,7 @@ void fs_private(void) {
                copy_xauthority();
        if (aflag)
                copy_asoundrc();
 }
author	netblue30 <netblue30@yahoo.com>	2016-07-10 08:07:09 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-07-10 08:07:09 -0400
commit	0723d323e7996149d5f7ebd417f9c9162a4dea5e (patch)
tree	a401a453bc4e657b36dd0ee1560dd129d004b259
parent	readme (diff)
download	firejail-0723d323e7996149d5f7ebd417f9c9162a4dea5e.tar.gz firejail-0723d323e7996149d5f7ebd417f9c9162a4dea5e.tar.zst firejail-0723d323e7996149d5f7ebd417f9c9162a4dea5e.zip

diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index b12d8bb76..41092de2b 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c
@@ -248,7 +248,7 @@ void fs_private_homedir(void) {
248	// mount bind private_homedir on top of homedir	248	// mount bind private_homedir on top of homedir
249	if (arg_debug)	249	if (arg_debug)
250	printf("Mount-bind %s on top of %s\n", private_homedir, homedir);	250	printf("Mount-bind %s on top of %s\n", private_homedir, homedir);
251	if (mount(private_homedir, homedir, NULL, MS_BIND\|MS_REC, NULL) < 0)	251	if (mount(private_homedir, homedir, NULL, MS_NOSUID \| MS_NODEV \| MS_BIND \| MS_REC, NULL) < 0)
252	errExit("mount bind");	252	errExit("mount bind");
253	fs_logger3("mount-bind", private_homedir, cfg.homedir);	253	fs_logger3("mount-bind", private_homedir, cfg.homedir);
254	fs_logger2("whitelist", cfg.homedir);	254	fs_logger2("whitelist", cfg.homedir);
@@ -262,7 +262,7 @@ void fs_private_homedir(void) {
262	// mask /root	262	// mask /root
263	if (arg_debug)	263	if (arg_debug)
264	printf("Mounting a new /root directory\n");	264	printf("Mounting a new /root directory\n");
265	if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID \| MS_NODEV \| MS_STRICTATIME \| MS_REC, "mode=700,gid=0") < 0)	265	if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID \| MS_NODEV \| MS_NOEXEC \| MS_STRICTATIME \| MS_REC, "mode=700,gid=0") < 0)
266	errExit("mounting home directory");	266	errExit("mounting home directory");
267	fs_logger("tmpfs /root");	267	fs_logger("tmpfs /root");
268	}	268	}
@@ -270,7 +270,7 @@ void fs_private_homedir(void) {
270	// mask /home	270	// mask /home
271	if (arg_debug)	271	if (arg_debug)
272	printf("Mounting a new /home directory\n");	272	printf("Mounting a new /home directory\n");
273	if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID \| MS_NODEV \| MS_STRICTATIME \| MS_REC, "mode=755,gid=0") < 0)	273	if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID \| MS_NODEV \| MS_NOEXEC \| MS_STRICTATIME \| MS_REC, "mode=755,gid=0") < 0)
274	errExit("mounting home directory");	274	errExit("mounting home directory");
275	fs_logger("tmpfs /home");	275	fs_logger("tmpfs /home");
276	}	276	}
@@ -300,14 +300,14 @@ void fs_private(void) {
300	// mask /home	300	// mask /home
301	if (arg_debug)	301	if (arg_debug)
302	printf("Mounting a new /home directory\n");	302	printf("Mounting a new /home directory\n");
303	if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID \| MS_NODEV \| MS_STRICTATIME \| MS_REC, "mode=755,gid=0") < 0)	303	if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID \| MS_NODEV \| MS_NOEXEC \| MS_STRICTATIME \| MS_REC, "mode=755,gid=0") < 0)
304	errExit("mounting home directory");	304	errExit("mounting home directory");
305	fs_logger("tmpfs /home");	305	fs_logger("tmpfs /home");
306		306
307	// mask /root	307	// mask /root
308	if (arg_debug)	308	if (arg_debug)
309	printf("Mounting a new /root directory\n");	309	printf("Mounting a new /root directory\n");
310	if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID \| MS_NODEV \| MS_STRICTATIME \| MS_REC, "mode=700,gid=0") < 0)	310	if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID \| MS_NODEV \| MS_NOEXEC \| MS_STRICTATIME \| MS_REC, "mode=700,gid=0") < 0)
311	errExit("mounting root directory");	311	errExit("mounting root directory");
312	fs_logger("tmpfs /root");	312	fs_logger("tmpfs /root");
313		313
@@ -331,6 +331,7 @@ void fs_private(void) {
331	copy_xauthority();	331	copy_xauthority();
332	if (aflag)	332	if (aflag)
333	copy_asoundrc();	333	copy_asoundrc();
		334
334	}	335	}
335		336
336		337