remount config/pulse with noexec

author: smitsohu <smitsohu@gmail.com> 2017-09-05 19:02:37 +0200
committer: smitsohu <smitsohu@gmail.com> 2017-09-05 19:02:37 +0200
commit: e6e70962f87a47ea7528b48f5064b5bfcb5a555d (patch)
tree: 0f784777232f351b9e24d87a96394776aa4a098b /src/firejail/pulseaudio.c
parent: fix caps.keep/dac-overwrite (diff)
download: firejail-e6e70962f87a47ea7528b48f5064b5bfcb5a555d.tar.gz
firejail-e6e70962f87a47ea7528b48f5064b5bfcb5a555d.tar.zst
firejail-e6e70962f87a47ea7528b48f5064b5bfcb5a555d.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index 246ba8fd8..2f8cd5f7d 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -195,7 +195,8 @@ void pulseaudio_init(void) {
        if (asprintf(&homeusercfg, "%s/.config/pulse", cfg.homedir) == -1)
                errExit("asprintf");
        if (stat(homeusercfg, &s) == 0) {
-                if (mount(RUN_PULSE_DIR, homeusercfg, "none", MS_BIND, NULL) < 0)
+                if (mount(RUN_PULSE_DIR, homeusercfg, "none", MS_BIND, NULL) < 0 ||
+                    mount(NULL, homeusercfg, NULL, MS_NOEXEC|MS_NODEV|MS_NOSUID|MS_BIND|MS_REMOUNT, NULL) < 0)
                        errExit("mount pulseaudio");
                fs_logger2("tmpfs", homeusercfg);
        }
author	smitsohu <smitsohu@gmail.com>	2017-09-05 19:02:37 +0200
committer	smitsohu <smitsohu@gmail.com>	2017-09-05 19:02:37 +0200
commit	e6e70962f87a47ea7528b48f5064b5bfcb5a555d (patch)
tree	0f784777232f351b9e24d87a96394776aa4a098b /src/firejail/pulseaudio.c
parent	fix caps.keep/dac-overwrite (diff)
download	firejail-e6e70962f87a47ea7528b48f5064b5bfcb5a555d.tar.gz firejail-e6e70962f87a47ea7528b48f5064b5bfcb5a555d.tar.zst firejail-e6e70962f87a47ea7528b48f5064b5bfcb5a555d.zip