author | smitsohu <smitsohu@gmail.com> | 2019-06-14 21:02:04 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2019-06-14 21:02:04 +0200 |
commit | 3e662f793df58fb44a26ba02193a99c26f554021 (patch) | |
tree | 3c9c841be114226319dfb1d1efd81e3d2669651e /src | |
parent | Fixes for masterpdfeditor.profile (diff) | |
avoid running without procfs describing the pid namespace
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs.c | 31 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 10 |
2 files changed, 34 insertions, 7 deletions
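--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -682,13 +682,9 @@ void fs_mnt(const int enforce) {
 // mount /proc and /sys directories
 void fs_proc_sys_dev_boot(void) {
 
-if (arg_debug)
-printf("Remounting /proc and /proc/sys filesystems\n");
-if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
-errExit("mounting /proc");
-fs_logger("remount /proc");
-
 // remount /proc/sys readonly
+if (arg_debug)
+printf("Mounting read-only /proc/sys\n");
 if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0 ||
 mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
 errExit("mounting /proc/sys");
@@ -698,7 +694,8 @@ void fs_proc_sys_dev_boot(void) {
 /* Mount a version of /sys that describes the network namespace */
 if (arg_debug)
 printf("Remounting /sys directory\n");
-// if this is an overlay, don't try to unmount, just mount a new sysfs
+// sysfs not yet mounted in overlays, so don't try to unmount it
+// expect that unmounting /sys fails in a chroot, no need to print a warning in that case
 if (!arg_overlay) {
 if (umount2("/sys", MNT_DETACH) < 0 && !cfg.chrootdir)
 fwarning("failed to unmount /sys\n");
@@ -1176,6 +1173,15 @@ void fs_overlayfs(void) {
 errExit("mounting /tmp");
 fs_logger("whitelist /tmp");
 
+// mount a new proc filesystem
+if (arg_debug)
+printf("Mounting /proc\n");
+char *proc;
+if (asprintf(&proc, "%s/proc", oroot) == -1)
+errExit("asprintf");
+if (mount("proc", proc, "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
+errExit("mounting /proc");
+
 // chroot in the new filesystem
 #ifdef HAVE_GCOV
 __gcov_flush();
@@ -1210,6 +1216,7 @@ void fs_overlayfs(void) {
 free(dev);
 free(run);
 free(tmp);
+free(proc);
 }
 #endif
 
@@ -1380,6 +1387,16 @@ void fs_chroot(const char *rootdir) {
 errExit("mounting /dev");
 free(newdev);
 
+// mount a new proc filesystem
+char *newproc;
+if (asprintf(&newproc, "%s/proc", rootdir) == -1)
+errExit("asprintf");
+if (arg_debug)
+printf("Mounting /proc filesystem on %s\n", newproc);
+if (mount("proc", newproc, "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
+errExit("mounting /proc");
+free(newproc);
+
 // x11
 if (getenv("FIREJAIL_X11")) {
 char *newx11;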
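Review bot: In the fs_chroot hunk, `mount("proc", newproc, ...)` addresses its target by path under the caller-supplied `rootdir`, and mount(2) follows a symlink in the final component, so a `proc` entry that is a symlink would place the new procfs outside the chroot tree. The hunk does not show whether `rootdir/proc` is validated before this point, and fs_chroot begins and ends outside it, so this needs confirming against the existing chroot directory checks. If nothing covers it, I would accept only a real directory before mounting, with a guard such as `if (lstat(newproc, &s) == -1 || !S_ISDIR(s.st_mode))` that exits with an error. Since a check followed by a path-based mount still leaves a window between the two, mounting through a descriptor opened with `O_PATH | O_NOFOLLOW` would be the stronger form.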
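--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -623,6 +623,16 @@ int sandbox(void* sandbox_arg) {
 errExit("mounting " RUN_FIREJAIL_LIB_DIR);
 
 //****************************
+// mount new proc filesystem
+// representing the pid namespace
+//****************************
+
+if (arg_debug)
+printf("Remounting /proc filesystem\n");
+if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
+errExit("mounting /proc");
+
+//****************************
 // log sandbox data
 //****************************
 if (cfg.name)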
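Review bot: The /proc mount added here is no longer recorded in the filesystem log: the block this commit removes from fs_proc_sys_dev_boot called `fs_logger("remount /proc");` right after the mount, and neither this hunk nor the new mounts in fs_overlayfs and fs_chroot carry an equivalent call. If that log is what is used to audit which mounts a sandbox performed, the entry for procfs silently disappears. I would add `fs_logger("remount /proc");` after the `errExit("mounting /proc")` check, provided the logger can be called this early in sandbox(), which the hunk does not show. sandbox() begins and ends outside the hunk.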