diff options
| author |  netblue30 <netblue30@yahoo.com> | 2017-08-06 15:27:19 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2017-08-06 15:27:19 -0400 |
| commit | 608386fa784e1c0c84a952c643648c2f619e5547 (patch) | |
| tree | 3fe85f912060c7d0108195fdd64af3eaa0f32df5 | |
| parent | Merge pull request #1438 from smitsohu/patch-1 (diff) | |
| download | firejail-608386fa784e1c0c84a952c643648c2f619e5547.tar.gz firejail-608386fa784e1c0c84a952c643648c2f619e5547.tar.zst firejail-608386fa784e1c0c84a952c643648c2f619e5547.zip | |
private-lib fixes
| -rw-r--r-- | src/firejail/fs_lib.c | 56 |
1 files changed, 33 insertions, 23 deletions
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c index f39349fe6..165d5651d 100644 --- a/src/firejail/fs_lib.c +++ b/src/firejail/fs_lib.c | |||
| @@ -227,29 +227,39 @@ void fs_private_lib(void) { | |||
| 227 | if (arg_debug) | 227 | if (arg_debug) |
| 228 | printf("Mount-bind %s on top of /lib /lib64 /usr/lib\n", RUN_LIB_DIR); | 228 | printf("Mount-bind %s on top of /lib /lib64 /usr/lib\n", RUN_LIB_DIR); |
| 229 | 229 | ||
| 230 | if (mount(RUN_LIB_DIR, "/lib", NULL, MS_BIND|MS_REC, NULL) < 0 || | 230 | if (is_dir("/lib")) { |
| 231 | mount(NULL, "/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) | 231 | if (mount(RUN_LIB_DIR, "/lib", NULL, MS_BIND|MS_REC, NULL) < 0 || |
| 232 | errExit("mount bind"); | 232 | mount(NULL, "/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) |
| 233 | fs_logger2("tmpfs", "/lib"); | 233 | errExit("mount bind"); |
| 234 | fs_logger("mount /lib"); | 234 | fs_logger2("tmpfs", "/lib"); |
| 235 | 235 | fs_logger("mount /lib"); | |
| 236 | if (mount(RUN_LIB_DIR, "/lib64", NULL, MS_BIND|MS_REC, NULL) < 0 || | 236 | } |
| 237 | mount(NULL, "/lib64", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) | 237 | |
| 238 | errExit("mount bind"); | 238 | if (is_dir("/lib64")) { |
| 239 | fs_logger2("tmpfs", "/lib64"); | 239 | if (mount(RUN_LIB_DIR, "/lib64", NULL, MS_BIND|MS_REC, NULL) < 0 || |
| 240 | fs_logger("mount /lib64"); | 240 | mount(NULL, "/lib64", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) |
| 241 | 241 | errExit("mount bind"); | |
| 242 | if (mount(RUN_LIB_DIR, "/usr/lib", NULL, MS_BIND|MS_REC, NULL) < 0 || | 242 | fs_logger2("tmpfs", "/lib64"); |
| 243 | mount(NULL, "/usr/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) | 243 | fs_logger("mount /lib64"); |
| 244 | errExit("mount bind"); | 244 | } |
| 245 | fs_logger2("tmpfs", "/usr/lib"); | 245 | |
| 246 | fs_logger("mount /usr/lib"); | 246 | if (is_dir("/usr/lib")) { |
| 247 | if (mount(RUN_LIB_DIR, "/usr/lib", NULL, MS_BIND|MS_REC, NULL) < 0 || | ||
| 248 | mount(NULL, "/usr/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) | ||
| 249 | errExit("mount bind"); | ||
| 250 | fs_logger2("tmpfs", "/usr/lib"); | ||
| 251 | fs_logger("mount /usr/lib"); | ||
| 252 | } | ||
| 247 | 253 | ||
| 248 | // for amd64 only - we'll deal with i386 later | 254 | // for amd64 only - we'll deal with i386 later |
| 249 | if (mount(RUN_RO_DIR, "/lib32", "none", MS_BIND, "mode=400,gid=0") < 0) | 255 | if (is_dir("/lib32")) { |
| 250 | errExit("disable file"); | 256 | if (mount(RUN_RO_DIR, "/lib32", "none", MS_BIND, "mode=400,gid=0") < 0) |
| 251 | fs_logger("blacklist-nolog /lib32"); | 257 | errExit("disable file"); |
| 252 | if (mount(RUN_RO_DIR, "/libx32", "none", MS_BIND, "mode=400,gid=0") < 0) | 258 | fs_logger("blacklist-nolog /lib32"); |
| 253 | errExit("disable file"); | 259 | } |
| 254 | fs_logger("blacklist-nolog /libx32"); | 260 | if (is_dir("/libx32")) { |
| 261 | if (mount(RUN_RO_DIR, "/libx32", "none", MS_BIND, "mode=400,gid=0") < 0) | ||
| 262 | errExit("disable file"); | ||
| 263 | fs_logger("blacklist-nolog /libx32"); | ||
| 264 | } | ||
| 255 | } | 265 | } |