diff options
| author |  netblue30 <netblue30@yahoo.com> | 2018-01-24 10:03:46 -0500 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2018-01-24 10:03:46 -0500 |
| commit | 237e115d0c85120bc304c953a702d2c6ef253e95 (patch) | |
| tree | c709f939a5dc43287cdf6da52fa799fdab52fcba /src | |
| parent | --overlay clanup (diff) | |
| download | firejail-237e115d0c85120bc304c953a702d2c6ef253e95.tar.gz firejail-237e115d0c85120bc304c953a702d2c6ef253e95.tar.zst firejail-237e115d0c85120bc304c953a702d2c6ef253e95.zip | |
apparmor support for --chroot sandboxes
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/fs.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 4246fbe5b..ab2958593 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
| @@ -1230,9 +1230,15 @@ void fs_chroot(const char *rootdir) { | |||
| 1230 | #ifdef HAVE_GCOV | 1230 | #ifdef HAVE_GCOV |
| 1231 | __gcov_flush(); | 1231 | __gcov_flush(); |
| 1232 | #endif | 1232 | #endif |
| 1233 | // mount the chroot dir on top of /run/firejail/mnt/oroot in order to reuse the apparmor rules for overlay | ||
| 1234 | // and chroot into this new directory | ||
| 1233 | if (arg_debug) | 1235 | if (arg_debug) |
| 1234 | printf("Chrooting into %s\n", rootdir); | 1236 | printf("Chrooting into %s\n", rootdir); |
| 1235 | if (chroot(rootdir) < 0) | 1237 | char *oroot = RUN_OVERLAY_ROOT; |
| 1238 | mkdir_attr(oroot, 0755, 0, 0); | ||
| 1239 | if (mount(rootdir, oroot, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
| 1240 | errExit("mounting rootdir oroot"); | ||
| 1241 | if (chroot(oroot) < 0) | ||
| 1236 | errExit("chroot"); | 1242 | errExit("chroot"); |
| 1237 | 1243 | ||
| 1238 | // create all other /run/firejail files and directories | 1244 | // create all other /run/firejail files and directories |