mount runtime seccomp files read-only (#2602)

avoid creating locations in the file system that are both writable and executable (in this case for processes with euid of the user). for the same reason also remove user owned libfiles when it is not needed any more
author: smitsohu <smitsohu@gmail.com> 2019-03-23 22:32:30 +0000
committer: GitHub <noreply@github.com> 2019-03-23 22:32:30 +0000
commit: eecf35c2f8249489a1d3e512bb07f0d427183134 (patch)
tree: daa2959c75d282672d9a4bb7469a21b99f9ed809 /src/firejail/fs_lib.c
parent: Add kid3, kid3-cli, kid3-qt (#2614) (diff)
download: firejail-eecf35c2f8249489a1d3e512bb07f0d427183134.tar.gz
firejail-eecf35c2f8249489a1d3e512bb07f0d427183134.tar.zst
firejail-eecf35c2f8249489a1d3e512bb07f0d427183134.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 808ead240..70c6ac88a 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -133,6 +133,7 @@ void fslib_copy_libs(const char *full_path) {
                fslib_duplicate(buf);
        }
        fclose(fp);
+        unlink(RUN_LIB_FILE);
 }
author	smitsohu <smitsohu@gmail.com>	2019-03-23 22:32:30 +0000
committer	GitHub <noreply@github.com>	2019-03-23 22:32:30 +0000
commit	eecf35c2f8249489a1d3e512bb07f0d427183134 (patch)
tree	daa2959c75d282672d9a4bb7469a21b99f9ed809 /src/firejail/fs_lib.c
parent	Add kid3, kid3-cli, kid3-qt (#2614) (diff)
download	firejail-eecf35c2f8249489a1d3e512bb07f0d427183134.tar.gz firejail-eecf35c2f8249489a1d3e512bb07f0d427183134.tar.zst firejail-eecf35c2f8249489a1d3e512bb07f0d427183134.zip

diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c index 808ead240..70c6ac88a 100644 --- a/src/firejail/fs_lib.c +++ b/src/firejail/fs_lib.c
@@ -133,6 +133,7 @@ void fslib_copy_libs(const char *full_path) {
133	fslib_duplicate(buf);	133	fslib_duplicate(buf);
134	}	134	}
135	fclose(fp);	135	fclose(fp);
		136	unlink(RUN_LIB_FILE);
136	}	137	}
137		138
138		139