mount sandbox lib directory ro,nosuid,nodev

author: smitsohu <smitsohu@gmail.com> 2020-08-08 23:42:03 +0200
committer: GitHub <noreply@github.com> 2020-08-08 23:42:03 +0200
commit: d3b58663e48210c258380f7480c6f9a22e96a5e0 (patch)
tree: ed1e1d8c4c8fffe57c05c512852d29b714a597f1 /src/firejail/sandbox.c
parent: fix for older compilers (gcc 4.9.2, Debian 8) (diff)
download: firejail-d3b58663e48210c258380f7480c6f9a22e96a5e0.tar.gz
firejail-d3b58663e48210c258380f7480c6f9a22e96a5e0.tar.zst
firejail-d3b58663e48210c258380f7480c6f9a22e96a5e0.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 2314d5744..e42d35be5 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -666,7 +666,8 @@ int sandbox(void* sandbox_arg) {
        // ... and mount a tmpfs on top of /run/firejail/mnt directory
        preproc_mount_mnt_dir();
        // bind-mount firejail binaries and helper programs
-        if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, "none", MS_BIND, NULL) < 0)
+        if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, NULL, MS_BIND, NULL) < 0 ||
+            mount(NULL, RUN_FIREJAIL_LIB_DIR, NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_BIND|MS_REMOUNT, NULL) < 0)
                errExit("mounting " RUN_FIREJAIL_LIB_DIR);
        //****************************
author	smitsohu <smitsohu@gmail.com>	2020-08-08 23:42:03 +0200
committer	GitHub <noreply@github.com>	2020-08-08 23:42:03 +0200
commit	d3b58663e48210c258380f7480c6f9a22e96a5e0 (patch)
tree	ed1e1d8c4c8fffe57c05c512852d29b714a597f1 /src/firejail/sandbox.c
parent	fix for older compilers (gcc 4.9.2, Debian 8) (diff)
download	firejail-d3b58663e48210c258380f7480c6f9a22e96a5e0.tar.gz firejail-d3b58663e48210c258380f7480c6f9a22e96a5e0.tar.zst firejail-d3b58663e48210c258380f7480c6f9a22e96a5e0.zip

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 2314d5744..e42d35be5 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -666,7 +666,8 @@ int sandbox(void* sandbox_arg) {
666	// ... and mount a tmpfs on top of /run/firejail/mnt directory	666	// ... and mount a tmpfs on top of /run/firejail/mnt directory
667	preproc_mount_mnt_dir();	667	preproc_mount_mnt_dir();
668	// bind-mount firejail binaries and helper programs	668	// bind-mount firejail binaries and helper programs
669	if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, "none", MS_BIND, NULL) < 0)	669	if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, NULL, MS_BIND, NULL) < 0 \|\|
		670	mount(NULL, RUN_FIREJAIL_LIB_DIR, NULL, MS_RDONLY\|MS_NOSUID\|MS_NODEV\|MS_BIND\|MS_REMOUNT, NULL) < 0)
670	errExit("mounting " RUN_FIREJAIL_LIB_DIR);	671	errExit("mounting " RUN_FIREJAIL_LIB_DIR);
671		672
672	//****************************	673	//****************************