diff options
author | netblue30 <netblue30@yahoo.com> | 2016-07-10 08:07:09 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-07-10 08:07:09 -0400 |
commit | 0723d323e7996149d5f7ebd417f9c9162a4dea5e (patch) | |
tree | a401a453bc4e657b36dd0ee1560dd129d004b259 /src | |
parent | readme (diff) | |
download | firejail-0723d323e7996149d5f7ebd417f9c9162a4dea5e.tar.gz firejail-0723d323e7996149d5f7ebd417f9c9162a4dea5e.tar.zst firejail-0723d323e7996149d5f7ebd417f9c9162a4dea5e.zip |
adding nodev, nosuid, and noexec
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs_home.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index b12d8bb76..41092de2b 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -248,7 +248,7 @@ void fs_private_homedir(void) { | |||
248 | // mount bind private_homedir on top of homedir | 248 | // mount bind private_homedir on top of homedir |
249 | if (arg_debug) | 249 | if (arg_debug) |
250 | printf("Mount-bind %s on top of %s\n", private_homedir, homedir); | 250 | printf("Mount-bind %s on top of %s\n", private_homedir, homedir); |
251 | if (mount(private_homedir, homedir, NULL, MS_BIND|MS_REC, NULL) < 0) | 251 | if (mount(private_homedir, homedir, NULL, MS_NOSUID | MS_NODEV | MS_BIND | MS_REC, NULL) < 0) |
252 | errExit("mount bind"); | 252 | errExit("mount bind"); |
253 | fs_logger3("mount-bind", private_homedir, cfg.homedir); | 253 | fs_logger3("mount-bind", private_homedir, cfg.homedir); |
254 | fs_logger2("whitelist", cfg.homedir); | 254 | fs_logger2("whitelist", cfg.homedir); |
@@ -262,7 +262,7 @@ void fs_private_homedir(void) { | |||
262 | // mask /root | 262 | // mask /root |
263 | if (arg_debug) | 263 | if (arg_debug) |
264 | printf("Mounting a new /root directory\n"); | 264 | printf("Mounting a new /root directory\n"); |
265 | if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=700,gid=0") < 0) | 265 | if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC, "mode=700,gid=0") < 0) |
266 | errExit("mounting home directory"); | 266 | errExit("mounting home directory"); |
267 | fs_logger("tmpfs /root"); | 267 | fs_logger("tmpfs /root"); |
268 | } | 268 | } |
@@ -270,7 +270,7 @@ void fs_private_homedir(void) { | |||
270 | // mask /home | 270 | // mask /home |
271 | if (arg_debug) | 271 | if (arg_debug) |
272 | printf("Mounting a new /home directory\n"); | 272 | printf("Mounting a new /home directory\n"); |
273 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 273 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
274 | errExit("mounting home directory"); | 274 | errExit("mounting home directory"); |
275 | fs_logger("tmpfs /home"); | 275 | fs_logger("tmpfs /home"); |
276 | } | 276 | } |
@@ -300,14 +300,14 @@ void fs_private(void) { | |||
300 | // mask /home | 300 | // mask /home |
301 | if (arg_debug) | 301 | if (arg_debug) |
302 | printf("Mounting a new /home directory\n"); | 302 | printf("Mounting a new /home directory\n"); |
303 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 303 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
304 | errExit("mounting home directory"); | 304 | errExit("mounting home directory"); |
305 | fs_logger("tmpfs /home"); | 305 | fs_logger("tmpfs /home"); |
306 | 306 | ||
307 | // mask /root | 307 | // mask /root |
308 | if (arg_debug) | 308 | if (arg_debug) |
309 | printf("Mounting a new /root directory\n"); | 309 | printf("Mounting a new /root directory\n"); |
310 | if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=700,gid=0") < 0) | 310 | if (mount("tmpfs", "/root", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC, "mode=700,gid=0") < 0) |
311 | errExit("mounting root directory"); | 311 | errExit("mounting root directory"); |
312 | fs_logger("tmpfs /root"); | 312 | fs_logger("tmpfs /root"); |
313 | 313 | ||
@@ -331,6 +331,7 @@ void fs_private(void) { | |||
331 | copy_xauthority(); | 331 | copy_xauthority(); |
332 | if (aflag) | 332 | if (aflag) |
333 | copy_asoundrc(); | 333 | copy_asoundrc(); |
334 | |||
334 | } | 335 | } |
335 | 336 | ||
336 | 337 | ||