various fixes

author: netblue30 <netblue30@yahoo.com> 2016-01-31 15:15:24 -0500
committer: netblue30 <netblue30@yahoo.com> 2016-01-31 15:15:24 -0500
commit: aa28ac9e09557b833f194f594e2940919d940d1f (patch)
tree: cf6e609b0c6efbee021c09feaea093e96ad32995
parent: various fixes (diff)
download: firejail-aa28ac9e09557b833f194f594e2940919d940d1f.tar.gz
firejail-aa28ac9e09557b833f194f594e2940919d940d1f.tar.zst
firejail-aa28ac9e09557b833f194f594e2940919d940d1f.zip
2 files changed, 22 insertions, 22 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 164e3368b..fa212bbd5 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -64,12 +64,12 @@ void fs_build_firejail_dir(void) {
                if (arg_debug)
                        printf("Creating %s directory\n", RUN_FIREJAIL_DIR);
                /* coverity[toctou] */
-                int rv = mkdir(RUN_FIREJAIL_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+                int rv = mkdir(RUN_FIREJAIL_DIR, 0755);
                if (rv == -1)
                        errExit("mkdir");
                if (chown(RUN_FIREJAIL_DIR, 0, 0) < 0)
                        errExit("chown");
-                if (chmod(RUN_FIREJAIL_DIR, S_IRWXU  | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
+                if (chmod(RUN_FIREJAIL_DIR, 0755) < 0)
                        errExit("chmod");
        }
        else { // check /tmp/firejail directory belongs to root end exit if doesn't!
@@ -102,12 +102,12 @@ void fs_build_mnt_dir(void) {
                if (arg_debug)
                        printf("Creating %s directory\n", RUN_MNT_DIR);
                /* coverity[toctou] */
-                int rv = mkdir(RUN_MNT_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+                int rv = mkdir(RUN_MNT_DIR, 0755);
                if (rv == -1)
                        errExit("mkdir");
                if (chown(RUN_MNT_DIR, 0, 0) < 0)
                        errExit("chown");
-                if (chmod(RUN_MNT_DIR, S_IRWXU  | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
+                if (chmod(RUN_MNT_DIR, 0755) < 0)
                        errExit("chmod");
        }
@@ -740,18 +740,18 @@ void fs_overlayfs(void) {
        char *oroot;
        if(asprintf(&oroot, "%s/oroot", RUN_MNT_DIR) == -1)
                errExit("asprintf");
-        if (mkdir(oroot, S_IRWXU | S_IRWXG | S_IRWXO))
+        if (mkdir(oroot, 0755))
                errExit("mkdir");
        if (chown(oroot, 0, 0) < 0)
                errExit("chown");
-        if (chmod(oroot, S_IRWXU  | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
+        if (chmod(oroot, 0755) < 0)
                errExit("chmod");
        char *basedir = RUN_MNT_DIR;
        if (arg_overlay_keep) {
                // set base for working and diff directories
                basedir = cfg.overlay_dir;
-                if (mkdir(basedir, S_IRWXU | S_IRWXG | S_IRWXO) != 0) {
+                if (mkdir(basedir, 0755) != 0) {
                        fprintf(stderr, "Error: cannot create overlay directory\n");
                        exit(1);
                }
@@ -760,21 +760,21 @@ void fs_overlayfs(void) {
        char *odiff;
        if(asprintf(&odiff, "%s/odiff", basedir) == -1)
                errExit("asprintf");
-        if (mkdir(odiff, S_IRWXU | S_IRWXG | S_IRWXO))
+        if (mkdir(odiff, 0755))
                errExit("mkdir");
        if (chown(odiff, 0, 0) < 0)
                errExit("chown");
-        if (chmod(odiff, S_IRWXU  | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
+        if (chmod(odiff, 0755) < 0)
                errExit("chmod");
        
        char *owork;
        if(asprintf(&owork, "%s/owork", basedir) == -1)
                errExit("asprintf");
-        if (mkdir(owork, S_IRWXU | S_IRWXG | S_IRWXO))
+        if (mkdir(owork, 0755))
                errExit("mkdir");
        if (chown(owork, 0, 0) < 0)
                errExit("chown");
-        if (chmod(owork, S_IRWXU  | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) < 0)
+        if (chmod(owork, 0755) < 0)
                errExit("chmod");
        
        // mount overlayfs
@@ -913,7 +913,7 @@ void fs_chroot(const char *rootdir) {
        if (asprintf(&rundir, "%s/run", rootdir) == -1)
                errExit("asprintf");
        if (!is_dir(rundir)) {
-                int rv = mkdir(rundir, S_IRWXU | S_IRWXG | S_IRWXO);
+                int rv = mkdir(rundir, 0755);
                (void) rv;
                rv = chown(rundir, 0, 0);
                (void) rv;
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 85a51c0c8..22b5fb0a7 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -464,7 +464,7 @@ void fs_whitelist(void) {
        // /home/user
        if (home_dir) {
                // keep a copy of real home dir in RUN_WHITELIST_HOME_USER_DIR
-                int rv = mkdir(RUN_WHITELIST_HOME_USER_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+                int rv = mkdir(RUN_WHITELIST_HOME_USER_DIR, 0755);
                if (rv == -1)
                        errExit("mkdir");
                if (chown(RUN_WHITELIST_HOME_USER_DIR, getuid(), getgid()) < 0)
@@ -482,12 +482,12 @@ void fs_whitelist(void) {
        // /tmp mountpoint
        if (tmp_dir) {
                // keep a copy of real /tmp directory in WHITELIST_TMP_DIR
-                int rv = mkdir(RUN_WHITELIST_TMP_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+                int rv = mkdir(RUN_WHITELIST_TMP_DIR, 1777);
                if (rv == -1)
                        errExit("mkdir");
                if (chown(RUN_WHITELIST_TMP_DIR, 0, 0) < 0)
                        errExit("chown");
-                if (chmod(RUN_WHITELIST_TMP_DIR, 0777) < 0)
+                if (chmod(RUN_WHITELIST_TMP_DIR, 1777) < 0)
                        errExit("chmod");
        
                if (mount("/tmp", RUN_WHITELIST_TMP_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
@@ -496,7 +496,7 @@ void fs_whitelist(void) {
                // mount tmpfs on /tmp
                if (arg_debug || arg_debug_whitelists)
                        printf("Mounting tmpfs on /tmp directory\n");
-                if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=777,gid=0") < 0)
+                if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC,  "mode=1777,gid=0") < 0)
                        errExit("mounting tmpfs on /tmp");
                fs_logger("mount tmpfs on /tmp");
        }
@@ -504,7 +504,7 @@ void fs_whitelist(void) {
        // /media mountpoint
        if (media_dir) {
                // keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR
-                int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+                int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, 0755);
                if (rv == -1)
                        errExit("mkdir");
                if (chown(RUN_WHITELIST_MEDIA_DIR, 0, 0) < 0)
@@ -526,7 +526,7 @@ void fs_whitelist(void) {
        // /var mountpoint
        if (var_dir) {
                // keep a copy of real /var directory in RUN_WHITELIST_VAR_DIR
-                int rv = mkdir(RUN_WHITELIST_VAR_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+                int rv = mkdir(RUN_WHITELIST_VAR_DIR, 0755);
                if (rv == -1)
                        errExit("mkdir");
                if (chown(RUN_WHITELIST_VAR_DIR, 0, 0) < 0)
@@ -548,7 +548,7 @@ void fs_whitelist(void) {
        // /dev mountpoint
        if (dev_dir) {
                // keep a copy of real /dev directory in RUN_WHITELIST_DEV_DIR
-                int rv = mkdir(RUN_WHITELIST_DEV_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+                int rv = mkdir(RUN_WHITELIST_DEV_DIR, 0755);
                if (rv == -1)
                        errExit("mkdir");
                if (chown(RUN_WHITELIST_DEV_DIR, 0, 0) < 0)
@@ -556,7 +556,7 @@ void fs_whitelist(void) {
                if (chmod(RUN_WHITELIST_DEV_DIR, 0755) < 0)
                        errExit("chmod");
        
-                if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
+                if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC,  "mode=755,gid=0") < 0)
                        errExit("mount bind");
        
                // mount tmpfs on /dev
@@ -569,8 +569,8 @@ void fs_whitelist(void) {
        // /opt mountpoint
        if (opt_dir) {
-                // keep a copy of real /opt directory in RUN_WHITELIST_DEV_DIR
+                // keep a copy of real /opt directory in RUN_WHITELIST_OPT_DIR
-                int rv = mkdir(RUN_WHITELIST_OPT_DIR, S_IRWXU | S_IRWXG | S_IRWXO);
+                int rv = mkdir(RUN_WHITELIST_OPT_DIR, 0755);
                if (rv == -1)
                        errExit("mkdir");
                if (chown(RUN_WHITELIST_OPT_DIR, 0, 0) < 0)
author	netblue30 <netblue30@yahoo.com>	2016-01-31 15:15:24 -0500
committer	netblue30 <netblue30@yahoo.com>	2016-01-31 15:15:24 -0500
commit	aa28ac9e09557b833f194f594e2940919d940d1f (patch)
tree	cf6e609b0c6efbee021c09feaea093e96ad32995
parent	various fixes (diff)
download	firejail-aa28ac9e09557b833f194f594e2940919d940d1f.tar.gz firejail-aa28ac9e09557b833f194f594e2940919d940d1f.tar.zst firejail-aa28ac9e09557b833f194f594e2940919d940d1f.zip

diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 164e3368b..fa212bbd5 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -64,12 +64,12 @@ void fs_build_firejail_dir(void) {
64	if (arg_debug)	64	if (arg_debug)
65	printf("Creating %s directory\n", RUN_FIREJAIL_DIR);	65	printf("Creating %s directory\n", RUN_FIREJAIL_DIR);
66	/* coverity[toctou] */	66	/* coverity[toctou] */
67	int rv = mkdir(RUN_FIREJAIL_DIR, S_IRWXU \| S_IRWXG \| S_IRWXO);	67	int rv = mkdir(RUN_FIREJAIL_DIR, 0755);
68	if (rv == -1)	68	if (rv == -1)
69	errExit("mkdir");	69	errExit("mkdir");
70	if (chown(RUN_FIREJAIL_DIR, 0, 0) < 0)	70	if (chown(RUN_FIREJAIL_DIR, 0, 0) < 0)
71	errExit("chown");	71	errExit("chown");
72	if (chmod(RUN_FIREJAIL_DIR, S_IRWXU \| S_IRGRP \| S_IXGRP \| S_IROTH \| S_IXOTH) < 0)	72	if (chmod(RUN_FIREJAIL_DIR, 0755) < 0)
73	errExit("chmod");	73	errExit("chmod");
74	}	74	}
75	else { // check /tmp/firejail directory belongs to root end exit if doesn't!	75	else { // check /tmp/firejail directory belongs to root end exit if doesn't!
@@ -102,12 +102,12 @@ void fs_build_mnt_dir(void) {
102	if (arg_debug)	102	if (arg_debug)
103	printf("Creating %s directory\n", RUN_MNT_DIR);	103	printf("Creating %s directory\n", RUN_MNT_DIR);
104	/* coverity[toctou] */	104	/* coverity[toctou] */
105	int rv = mkdir(RUN_MNT_DIR, S_IRWXU \| S_IRWXG \| S_IRWXO);	105	int rv = mkdir(RUN_MNT_DIR, 0755);
106	if (rv == -1)	106	if (rv == -1)
107	errExit("mkdir");	107	errExit("mkdir");
108	if (chown(RUN_MNT_DIR, 0, 0) < 0)	108	if (chown(RUN_MNT_DIR, 0, 0) < 0)
109	errExit("chown");	109	errExit("chown");
110	if (chmod(RUN_MNT_DIR, S_IRWXU \| S_IRGRP \| S_IXGRP \| S_IROTH \| S_IXOTH) < 0)	110	if (chmod(RUN_MNT_DIR, 0755) < 0)
111	errExit("chmod");	111	errExit("chmod");
112	}	112	}
113		113
@@ -740,18 +740,18 @@ void fs_overlayfs(void) {
740	char *oroot;	740	char *oroot;
741	if(asprintf(&oroot, "%s/oroot", RUN_MNT_DIR) == -1)	741	if(asprintf(&oroot, "%s/oroot", RUN_MNT_DIR) == -1)
742	errExit("asprintf");	742	errExit("asprintf");
743	if (mkdir(oroot, S_IRWXU \| S_IRWXG \| S_IRWXO))	743	if (mkdir(oroot, 0755))
744	errExit("mkdir");	744	errExit("mkdir");
745	if (chown(oroot, 0, 0) < 0)	745	if (chown(oroot, 0, 0) < 0)
746	errExit("chown");	746	errExit("chown");
747	if (chmod(oroot, S_IRWXU \| S_IRGRP \| S_IXGRP \| S_IROTH \| S_IXOTH) < 0)	747	if (chmod(oroot, 0755) < 0)
748	errExit("chmod");	748	errExit("chmod");
749		749
750	char *basedir = RUN_MNT_DIR;	750	char *basedir = RUN_MNT_DIR;
751	if (arg_overlay_keep) {	751	if (arg_overlay_keep) {
752	// set base for working and diff directories	752	// set base for working and diff directories
753	basedir = cfg.overlay_dir;	753	basedir = cfg.overlay_dir;
754	if (mkdir(basedir, S_IRWXU \| S_IRWXG \| S_IRWXO) != 0) {	754	if (mkdir(basedir, 0755) != 0) {
755	fprintf(stderr, "Error: cannot create overlay directory\n");	755	fprintf(stderr, "Error: cannot create overlay directory\n");
756	exit(1);	756	exit(1);
757	}	757	}
@@ -760,21 +760,21 @@ void fs_overlayfs(void) {
760	char *odiff;	760	char *odiff;
761	if(asprintf(&odiff, "%s/odiff", basedir) == -1)	761	if(asprintf(&odiff, "%s/odiff", basedir) == -1)
762	errExit("asprintf");	762	errExit("asprintf");
763	if (mkdir(odiff, S_IRWXU \| S_IRWXG \| S_IRWXO))	763	if (mkdir(odiff, 0755))
764	errExit("mkdir");	764	errExit("mkdir");
765	if (chown(odiff, 0, 0) < 0)	765	if (chown(odiff, 0, 0) < 0)
766	errExit("chown");	766	errExit("chown");
767	if (chmod(odiff, S_IRWXU \| S_IRGRP \| S_IXGRP \| S_IROTH \| S_IXOTH) < 0)	767	if (chmod(odiff, 0755) < 0)
768	errExit("chmod");	768	errExit("chmod");
769		769
770	char *owork;	770	char *owork;
771	if(asprintf(&owork, "%s/owork", basedir) == -1)	771	if(asprintf(&owork, "%s/owork", basedir) == -1)
772	errExit("asprintf");	772	errExit("asprintf");
773	if (mkdir(owork, S_IRWXU \| S_IRWXG \| S_IRWXO))	773	if (mkdir(owork, 0755))
774	errExit("mkdir");	774	errExit("mkdir");
775	if (chown(owork, 0, 0) < 0)	775	if (chown(owork, 0, 0) < 0)
776	errExit("chown");	776	errExit("chown");
777	if (chmod(owork, S_IRWXU \| S_IRGRP \| S_IXGRP \| S_IROTH \| S_IXOTH) < 0)	777	if (chmod(owork, 0755) < 0)
778	errExit("chmod");	778	errExit("chmod");
779		779
780	// mount overlayfs	780	// mount overlayfs
@@ -913,7 +913,7 @@ void fs_chroot(const char *rootdir) {
913	if (asprintf(&rundir, "%s/run", rootdir) == -1)	913	if (asprintf(&rundir, "%s/run", rootdir) == -1)
914	errExit("asprintf");	914	errExit("asprintf");
915	if (!is_dir(rundir)) {	915	if (!is_dir(rundir)) {
916	int rv = mkdir(rundir, S_IRWXU \| S_IRWXG \| S_IRWXO);	916	int rv = mkdir(rundir, 0755);
917	(void) rv;	917	(void) rv;
918	rv = chown(rundir, 0, 0);	918	rv = chown(rundir, 0, 0);
919	(void) rv;	919	(void) rv;


diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 85a51c0c8..22b5fb0a7 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c
@@ -464,7 +464,7 @@ void fs_whitelist(void) {
464	// /home/user	464	// /home/user
465	if (home_dir) {	465	if (home_dir) {
466	// keep a copy of real home dir in RUN_WHITELIST_HOME_USER_DIR	466	// keep a copy of real home dir in RUN_WHITELIST_HOME_USER_DIR
467	int rv = mkdir(RUN_WHITELIST_HOME_USER_DIR, S_IRWXU \| S_IRWXG \| S_IRWXO);	467	int rv = mkdir(RUN_WHITELIST_HOME_USER_DIR, 0755);
468	if (rv == -1)	468	if (rv == -1)
469	errExit("mkdir");	469	errExit("mkdir");
470	if (chown(RUN_WHITELIST_HOME_USER_DIR, getuid(), getgid()) < 0)	470	if (chown(RUN_WHITELIST_HOME_USER_DIR, getuid(), getgid()) < 0)
@@ -482,12 +482,12 @@ void fs_whitelist(void) {
482	// /tmp mountpoint	482	// /tmp mountpoint
483	if (tmp_dir) {	483	if (tmp_dir) {
484	// keep a copy of real /tmp directory in WHITELIST_TMP_DIR	484	// keep a copy of real /tmp directory in WHITELIST_TMP_DIR
485	int rv = mkdir(RUN_WHITELIST_TMP_DIR, S_IRWXU \| S_IRWXG \| S_IRWXO);	485	int rv = mkdir(RUN_WHITELIST_TMP_DIR, 1777);
486	if (rv == -1)	486	if (rv == -1)
487	errExit("mkdir");	487	errExit("mkdir");
488	if (chown(RUN_WHITELIST_TMP_DIR, 0, 0) < 0)	488	if (chown(RUN_WHITELIST_TMP_DIR, 0, 0) < 0)
489	errExit("chown");	489	errExit("chown");
490	if (chmod(RUN_WHITELIST_TMP_DIR, 0777) < 0)	490	if (chmod(RUN_WHITELIST_TMP_DIR, 1777) < 0)
491	errExit("chmod");	491	errExit("chmod");
492		492
493	if (mount("/tmp", RUN_WHITELIST_TMP_DIR, NULL, MS_BIND\|MS_REC, NULL) < 0)	493	if (mount("/tmp", RUN_WHITELIST_TMP_DIR, NULL, MS_BIND\|MS_REC, NULL) < 0)
@@ -496,7 +496,7 @@ void fs_whitelist(void) {
496	// mount tmpfs on /tmp	496	// mount tmpfs on /tmp
497	if (arg_debug \|\| arg_debug_whitelists)	497	if (arg_debug \|\| arg_debug_whitelists)
498	printf("Mounting tmpfs on /tmp directory\n");	498	printf("Mounting tmpfs on /tmp directory\n");
499	if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID \| MS_STRICTATIME \| MS_REC, "mode=777,gid=0") < 0)	499	if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID \| MS_STRICTATIME \| MS_REC, "mode=1777,gid=0") < 0)
500	errExit("mounting tmpfs on /tmp");	500	errExit("mounting tmpfs on /tmp");
501	fs_logger("mount tmpfs on /tmp");	501	fs_logger("mount tmpfs on /tmp");
502	}	502	}
@@ -504,7 +504,7 @@ void fs_whitelist(void) {
504	// /media mountpoint	504	// /media mountpoint
505	if (media_dir) {	505	if (media_dir) {
506	// keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR	506	// keep a copy of real /media directory in RUN_WHITELIST_MEDIA_DIR
507	int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, S_IRWXU \| S_IRWXG \| S_IRWXO);	507	int rv = mkdir(RUN_WHITELIST_MEDIA_DIR, 0755);
508	if (rv == -1)	508	if (rv == -1)
509	errExit("mkdir");	509	errExit("mkdir");
510	if (chown(RUN_WHITELIST_MEDIA_DIR, 0, 0) < 0)	510	if (chown(RUN_WHITELIST_MEDIA_DIR, 0, 0) < 0)
@@ -526,7 +526,7 @@ void fs_whitelist(void) {
526	// /var mountpoint	526	// /var mountpoint
527	if (var_dir) {	527	if (var_dir) {
528	// keep a copy of real /var directory in RUN_WHITELIST_VAR_DIR	528	// keep a copy of real /var directory in RUN_WHITELIST_VAR_DIR
529	int rv = mkdir(RUN_WHITELIST_VAR_DIR, S_IRWXU \| S_IRWXG \| S_IRWXO);	529	int rv = mkdir(RUN_WHITELIST_VAR_DIR, 0755);
530	if (rv == -1)	530	if (rv == -1)
531	errExit("mkdir");	531	errExit("mkdir");
532	if (chown(RUN_WHITELIST_VAR_DIR, 0, 0) < 0)	532	if (chown(RUN_WHITELIST_VAR_DIR, 0, 0) < 0)
@@ -548,7 +548,7 @@ void fs_whitelist(void) {
548	// /dev mountpoint	548	// /dev mountpoint
549	if (dev_dir) {	549	if (dev_dir) {
550	// keep a copy of real /dev directory in RUN_WHITELIST_DEV_DIR	550	// keep a copy of real /dev directory in RUN_WHITELIST_DEV_DIR
551	int rv = mkdir(RUN_WHITELIST_DEV_DIR, S_IRWXU \| S_IRWXG \| S_IRWXO);	551	int rv = mkdir(RUN_WHITELIST_DEV_DIR, 0755);
552	if (rv == -1)	552	if (rv == -1)
553	errExit("mkdir");	553	errExit("mkdir");
554	if (chown(RUN_WHITELIST_DEV_DIR, 0, 0) < 0)	554	if (chown(RUN_WHITELIST_DEV_DIR, 0, 0) < 0)
@@ -556,7 +556,7 @@ void fs_whitelist(void) {
556	if (chmod(RUN_WHITELIST_DEV_DIR, 0755) < 0)	556	if (chmod(RUN_WHITELIST_DEV_DIR, 0755) < 0)
557	errExit("chmod");	557	errExit("chmod");
558		558
559	if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND\|MS_REC, NULL) < 0)	559	if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND\|MS_REC, "mode=755,gid=0") < 0)
560	errExit("mount bind");	560	errExit("mount bind");
561		561
562	// mount tmpfs on /dev	562	// mount tmpfs on /dev
@@ -569,8 +569,8 @@ void fs_whitelist(void) {
569		569
570	// /opt mountpoint	570	// /opt mountpoint
571	if (opt_dir) {	571	if (opt_dir) {
572	// keep a copy of real /opt directory in RUN_WHITELIST_DEV_DIR	572	// keep a copy of real /opt directory in RUN_WHITELIST_OPT_DIR
573	int rv = mkdir(RUN_WHITELIST_OPT_DIR, S_IRWXU \| S_IRWXG \| S_IRWXO);	573	int rv = mkdir(RUN_WHITELIST_OPT_DIR, 0755);
574	if (rv == -1)	574	if (rv == -1)
575	errExit("mkdir");	575	errExit("mkdir");
576	if (chown(RUN_WHITELIST_OPT_DIR, 0, 0) < 0)	576	if (chown(RUN_WHITELIST_OPT_DIR, 0, 0) < 0)