author | netblue30 <netblue30@yahoo.com> | 2017-08-06 10:59:49 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-08-06 10:59:49 -0400 |
commit | 92fe7e5a8ec10c321c0f493f9ae4f5cad202cd1f (patch) | |
tree | c70ce4c8f8b89abaac62f6900a678a1969cf2949 /src | |
parent | bring in private-lib libraries for all private-bin programs. Example:firejail... (diff) | |
prive-lib: integration with firetools
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs_lib.c | 12 |
1 files changed, 12 insertions, 0 deletions
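--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -99,6 +99,7 @@ static void copy_directory(const char *full_path, const char *dir_name, const ch
 if (mount(full_path, dest, NULL, MS_BIND|MS_REC, NULL) < 0 ||
 mount(NULL, dest, NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
 errExit("mount bind");
+fs_logger2("clone", full_path);
 fs_logger2("mount", full_path);
 free(dest);
 }
@@ -229,15 +230,26 @@ void fs_private_lib(void) {
 if (mount(RUN_LIB_DIR, "/lib", NULL, MS_BIND|MS_REC, NULL) < 0 ||
 mount(NULL, "/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
 errExit("mount bind");
+fs_logger2("tmpfs", "/lib");
 fs_logger("mount /lib");
 
 if (mount(RUN_LIB_DIR, "/lib64", NULL, MS_BIND|MS_REC, NULL) < 0 ||
 mount(NULL, "/lib64", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
 errExit("mount bind");
+fs_logger2("tmpfs", "/lib64");
 fs_logger("mount /lib64");
 
 if (mount(RUN_LIB_DIR, "/usr/lib", NULL, MS_BIND|MS_REC, NULL) < 0 ||
 mount(NULL, "/usr/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
 errExit("mount bind");
+fs_logger2("tmpfs", "/usr/lib");
 fs_logger("mount /usr/lib");
+
+// for amd64 only - we'll deal with i386 later
+if (mount(RUN_RO_DIR, "/lib32", "none", MS_BIND, "mode=400,gid=0") < 0)
+errExit("disable file");
+fs_logger("blacklist-nolog /lib32");
+if (mount(RUN_RO_DIR, "/libx32", "none", MS_BIND, "mode=400,gid=0") < 0)
+errExit("disable file");
+fs_logger("blacklist-nolog /libx32");
 }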
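Review bot: The new /lib32 and /libx32 blacklisting at the end of fs_private_lib aborts the whole sandbox on any host where one of those directories is missing, because mount() then fails with ENOENT and errExit() is fatal; the comment acknowledges the amd64-only assumption but nothing in the code checks it. Guarding each mount with stat() on the target (or the project's existing disable-file helper, if it already checks existence) lets the sandbox start on hosts without multilib directories, and folding the two copies of the mount/errExit/log triple into one small static helper placed above fs_private_lib removes the duplication. As far as I know the kernel ignores the data string on a plain MS_BIND mount, so `"mode=400,gid=0"` restricts nothing here and the read-only protection rests entirely on RUN_RO_DIR's own permissions; that deserves a comment or the argument should be dropped. fs_private_lib begins before this hunk, and the helper below assumes fs_logger2 joins its two arguments with a space, which the existing `fs_logger2("mount", full_path)` entries suggest but which should be confirmed.
```c
// Hide a multilib directory that private-lib does not populate. Skipped when
// the host has no such directory, so a missing /lib32 does not kill the sandbox.
// Note: the data string is ignored for a pure MS_BIND mount; the read-only
// effect comes from RUN_RO_DIR's own permissions.
static void disable_lib_dir(const char *path) {
	struct stat s;
	if (stat(path, &s) != 0)
		return;
	if (mount(RUN_RO_DIR, path, "none", MS_BIND, "mode=400,gid=0") < 0)
		errExit("disable file");
	fs_logger2("blacklist-nolog", path);
}

// … unchanged: bind mounts and log entries for /lib, /lib64, /usr/lib …

	// for amd64 only - we'll deal with i386 later
	disable_lib_dir("/lib32");
	disable_lib_dir("/libx32");
}
```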