author | netblue30 <netblue30@yahoo.com> | 2015-10-08 09:30:11 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2015-10-08 09:30:11 -0400 |
commit | 2e2924af6cb01e1a27a643b135b4a3640c977115 (patch) | |
tree | 1b4bb4c25fba819ee4322c7831ba605bb75518d4 /src | |
parent | fixed transmission-qt.profile (diff) | |
blacklisting some directories by default under /sys
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs.c | 24 |
1 files changed, 24 insertions, 0 deletions
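--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -431,6 +431,30 @@ void fs_proc_sys_dev_boot(void) {
 	if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0)
 		fprintf(stderr, "Warning: failed to mount /sys\n");
 
+
+	if (arg_debug)
+		printf("Disable /sys/firmware directory\n");
+	if (mount("tmpfs", "/sys/firmware", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		errExit("disable /sys/firmware directory");
+	if (arg_debug)
+		printf("Disable /sys/hypervisor directory\n");
+	if (mount("tmpfs", "/sys/hypervisor", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		errExit("disable /sys/hypervisor directory");
+	if (arg_debug)
+		printf("Disable /sys/fs directory\n");
+	if (mount("tmpfs", "/sys/fs", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		errExit("disable /sys/fs directory");
+	if (arg_debug)
+		printf("Disable /sys/module directory\n");
+	if (mount("tmpfs", "/sys/module", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		errExit("disable /sys/module directory");
+	if (arg_debug)
+		printf("Disable /sys/power directory\n");
+	if (mount("tmpfs", "/sys/power", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		errExit("disable /sys/power directory");
+
+
+
 	// if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0)
 	//	errExit("mounting /sys");
 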
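Review bot: The five tmpfs mounts at new lines 437–453 omit the MS_RDONLY and MS_NOEXEC flags that the enclosing /sys mount on line 431 carries, so each blacklisted directory becomes a writable, executable tmpfs inside the sandbox instead of an empty read-only placeholder. Using `MS_RDONLY | MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC` for these mounts keeps the hidden subtrees as inert as the sysfs they cover. Each of these mounts also aborts sandbox startup through errExit when the target cannot be mounted, whereas the /sys mount just above only warns; if one of these directories is absent on the running kernel (which may be the case for /sys/hypervisor), this turns a best-effort blacklist into a hard failure, so a stat() check before the mount is worth considering. Since the same four lines are repeated five times, a static helper taking the path keeps the flag set and the error handling in one place; fs_proc_sys_dev_boot itself begins and ends outside the hunk.
```c
// Hide a sysfs subtree behind an empty tmpfs, mounted read-only and noexec
// like the sysfs mount it covers; aborts on failure like the original code.
static void disable_sys_dir(const char *dir) {
	if (arg_debug)
		printf("Disable %s directory\n", dir);
	if (mount("tmpfs", dir, "tmpfs",
	          MS_RDONLY | MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC,
	          "mode=755,gid=0") < 0)
		errExit("disable /sys subdirectory");
}

	// … unchanged: sysfs mount of /sys and its warning …
	disable_sys_dir("/sys/firmware");
	disable_sys_dir("/sys/hypervisor");
	disable_sys_dir("/sys/fs");
	disable_sys_dir("/sys/module");
	disable_sys_dir("/sys/power");
	// … unchanged: commented-out /sys mount …
```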