mount private-lib directories read-only

avoids creating holes in the basic read-only filesystem
author: smitsohu <smitsohu@gmail.com> 2021-01-06 19:58:39 +0100
committer: smitsohu <smitsohu@gmail.com> 2021-01-06 20:00:27 +0100
commit: 6c7138edf75e3366cf0eed8001f59b40975231c8 (patch)
tree: 7198e7f2b0fd182d940a9f8e906fe87e7e55798c /src/firejail/fs_lib.c
parent: join: misc improvements (diff)
download: firejail-6c7138edf75e3366cf0eed8001f59b40975231c8.tar.gz
firejail-6c7138edf75e3366cf0eed8001f59b40975231c8.tar.zst
firejail-6c7138edf75e3366cf0eed8001f59b40975231c8.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 5cfd33b42..d5b392d71 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -165,7 +165,7 @@ void fslib_copy_dir(const char *full_path) {
        mkdir_attr(dest, 0755, 0, 0);
        if (mount(full_path, dest, NULL, MS_BIND|MS_REC, NULL) < 0 ||
-                mount(NULL, dest, NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
+                mount(NULL, dest, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
                errExit("mount bind");
        fs_logger2("clone", full_path);
        fs_logger2("mount", full_path);
author	smitsohu <smitsohu@gmail.com>	2021-01-06 19:58:39 +0100
committer	smitsohu <smitsohu@gmail.com>	2021-01-06 20:00:27 +0100
commit	6c7138edf75e3366cf0eed8001f59b40975231c8 (patch)
tree	7198e7f2b0fd182d940a9f8e906fe87e7e55798c /src/firejail/fs_lib.c
parent	join: misc improvements (diff)
download	firejail-6c7138edf75e3366cf0eed8001f59b40975231c8.tar.gz firejail-6c7138edf75e3366cf0eed8001f59b40975231c8.tar.zst firejail-6c7138edf75e3366cf0eed8001f59b40975231c8.zip

diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c index 5cfd33b42..d5b392d71 100644 --- a/src/firejail/fs_lib.c +++ b/src/firejail/fs_lib.c
@@ -165,7 +165,7 @@ void fslib_copy_dir(const char *full_path) {
165	mkdir_attr(dest, 0755, 0, 0);	165	mkdir_attr(dest, 0755, 0, 0);
166		166
167	if (mount(full_path, dest, NULL, MS_BIND\|MS_REC, NULL) < 0 \|\|	167	if (mount(full_path, dest, NULL, MS_BIND\|MS_REC, NULL) < 0 \|\|
168	mount(NULL, dest, NULL, MS_BIND\|MS_REMOUNT\|MS_NOSUID\|MS_NODEV\|MS_REC, NULL) < 0)	168	mount(NULL, dest, NULL, MS_BIND\|MS_REMOUNT\|MS_RDONLY\|MS_NOSUID\|MS_NODEV\|MS_REC, NULL) < 0)
169	errExit("mount bind");	169	errExit("mount bind");
170	fs_logger2("clone", full_path);	170	fs_logger2("clone", full_path);
171	fs_logger2("mount", full_path);	171	fs_logger2("mount", full_path);