author | smitsohu <smitsohu@gmail.com> | 2018-10-25 22:07:19 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2018-10-25 22:07:19 +0200 |
commit | a7164cb38171c0291fac7f3a0767fe8f1c69b02d (patch) | |
tree | 88335663b94f807ebe7efcdb70eaeae80701601e /src/firejail/pulseaudio.c | |
parent | merges (diff) | |
experimental: remounts child mount points as well (read-only, read-write, noexec)
Diffstat (limited to 'src/firejail/pulseaudio.c')
-rw-r--r-- | src/firejail/pulseaudio.c | 14 |
1 files changed, 9 insertions, 5 deletions
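--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -20,6 +20,7 @@
 #include "firejail.h"
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <sys/statvfs.h>
 #include <sys/mount.h>
 #include <dirent.h>
 #include <sys/wait.h>
@@ -82,10 +83,8 @@ void pulseaudio_init(void) {
 // create the new user pulseaudio directory
 if (mkdir(RUN_PULSE_DIR, 0700) == -1)
 errExit("mkdir");
-// make it a mount point and add mount flags
-if (mount(RUN_PULSE_DIR, RUN_PULSE_DIR, NULL, MS_BIND, NULL) < 0 ||
-mount(NULL, RUN_PULSE_DIR, NULL, MS_NOEXEC|MS_NODEV|MS_NOSUID|MS_BIND|MS_REMOUNT, NULL) < 0)
-errExit("mount RUN_PULSE_DIR");
+// mount it nosuid, noexec, nodev
+fs_noexec(RUN_PULSE_DIR);
 
 // create the new client.conf file
 char *pulsecfg = NULL;
@@ -189,7 +188,12 @@ void pulseaudio_init(void) {
 // confirm the actual mount destination is owned by the user
 if (fstat(fd, &s) == -1 || s.st_uid != getuid())
 errExit("fstat");
-
+// preserve a read-only mount
+struct statvfs vfs;
+if (fstatvfs(fd, &vfs) == -1)
+errExit("fstatvfs");
+if ((vfs.f_flag & MS_RDONLY) == MS_RDONLY)
+fs_rdonly(RUN_PULSE_DIR);
 // mount via the link in /proc/self/fd
 char *proc;
 if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)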
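Review bot: In the last hunk the read-only test masks `vfs.f_flag` with `MS_RDONLY`, but `fstatvfs()` reports its flags using the `ST_*` constants from `<sys/statvfs.h>`. The two values coincide on Linux, so the check works today, yet `if (vfs.f_flag & ST_RDONLY)` states the intent without relying on that coincidence. Separately, in the second hunk the explicit `errExit("mount RUN_PULSE_DIR")` is removed and the nosuid/nodev/noexec hardening of RUN_PULSE_DIR now rests entirely on `fs_noexec()`, whose body is not visible here. It is worth confirming that the helper applies all three flags and aborts on a failed mount rather than returning silently, and then recording that next to the call, e.g. `// fs_noexec() sets nosuid, nodev and noexec and exits on mount failure`. pulseaudio_init() starts and ends outside these hunks.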