author | netblue30 <netblue30@yahoo.com> | 2016-07-10 08:52:09 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-07-10 08:52:09 -0400 |
commit | a31dc992449959b86d403e1ad0bb5cae285e2826 (patch) | |
tree | 29286ad814af7d731d4f4c73162de95e1270228c /src | |
parent | /var and /etc are noexec by default (diff) | |
download | firejail-a31dc992449959b86d403e1ad0bb5cae285e2826.tar.gz firejail-a31dc992449959b86d403e1ad0bb5cae285e2826.tar.zst firejail-a31dc992449959b86d403e1ad0bb5cae285e2826.zip |
noexec inside /var directory
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs_var.c | 22 |
1 files changed, 11 insertions, 11 deletions
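--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -121,7 +121,7 @@ void fs_var_log(void) {
 	// mount a tmpfs on top of /var/log
 	if (arg_debug)
 		printf("Mounting tmpfs on /var/log\n");
-	if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+	if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 		errExit("mounting /var/log");
 	fs_logger("tmpfs /var/log");
 
@@ -160,7 +160,7 @@ void fs_var_lib(void) {
 	if (stat("/var/lib/dhcp", &s) == 0) {
 		if (arg_debug)
 			printf("Mounting tmpfs on /var/lib/dhcp\n");
-		if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 			errExit("mounting /var/lib/dhcp");
 		fs_logger("tmpfs /var/lib/dhcp");
 
@@ -182,7 +182,7 @@ void fs_var_lib(void) {
 	if (stat("/var/lib/nginx", &s) == 0) {
 		if (arg_debug)
 			printf("Mounting tmpfs on /var/lib/nginx\n");
-		if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 			errExit("mounting /var/lib/nginx");
 		fs_logger("tmpfs /var/lib/nginx");
 	}
@@ -191,7 +191,7 @@ void fs_var_lib(void) {
 	if (stat("/var/lib/snmp", &s) == 0) {
 		if (arg_debug)
 			printf("Mounting tmpfs on /var/lib/snmp\n");
-		if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 			errExit("mounting /var/lib/snmp");
 		fs_logger("tmpfs /var/lib/snmp");
 	}
@@ -200,7 +200,7 @@ void fs_var_lib(void) {
 	if (stat("/var/lib/sudo", &s) == 0) {
 		if (arg_debug)
 			printf("Mounting tmpfs on /var/lib/sudo\n");
-		if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 			errExit("mounting /var/lib/sudo");
 		fs_logger("tmpfs /var/lib/sudo");
 	}
@@ -212,7 +212,7 @@ void fs_var_cache(void) {
 	if (stat("/var/cache/apache2", &s) == 0) {
 		if (arg_debug)
 			printf("Mounting tmpfs on /var/cache/apache2\n");
-		if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 			errExit("mounting /var/cache/apache2");
 		fs_logger("tmpfs /var/cache/apache2");
 	}
@@ -220,7 +220,7 @@ void fs_var_cache(void) {
 	if (stat("/var/cache/lighttpd", &s) == 0) {
 		if (arg_debug)
 			printf("Mounting tmpfs on /var/cache/lighttpd\n");
-		if (mount("tmpfs", "/var/cache/lighttpd", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+		if (mount("tmpfs", "/var/cache/lighttpd", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 			errExit("mounting /var/cache/lighttpd");
 		fs_logger("tmpfs /var/cache/lighttpd");
 
@@ -268,7 +268,7 @@ void fs_var_lock(void) {
 	if (is_dir("/var/lock")) {
 		if (arg_debug)
 			printf("Mounting tmpfs on /var/lock\n");
-		if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
+		if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
 			errExit("mounting /lock");
 		fs_logger("tmpfs /var/lock");
 	}
@@ -286,7 +286,7 @@ void fs_var_lock(void) {
 		}
 		if (arg_debug)
 			printf("Mounting tmpfs on %s on behalf of /var/lock\n", lnk);
-		if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
+		if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
 			errExit("mounting /var/lock");
 		free(lnk);
 		fs_logger("tmpfs /var/lock");
@@ -304,7 +304,7 @@ void fs_var_tmp(void) {
 	if (!is_link("/var/tmp")) {
 		if (arg_debug)
 			printf("Mounting tmpfs on /var/tmp\n");
-		if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
+		if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
 			errExit("mounting /var/tmp");
 		fs_logger("tmpfs /var/tmp");
 	}
@@ -362,7 +362,7 @@ void fs_var_utmp(void) {
 	// mount the new utmp file
 	if (arg_debug)
 		printf("Mount the new utmp file\n");
-	if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_REC, NULL) < 0)
+	if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_NOSUID|MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
 		errExit("mount bind utmp");
 	fs_logger("create /var/run/utmp");
 }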
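Review bot: The MS_NOSUID|MS_NOEXEC|MS_NODEV bits added to the utmp bind mount in the last hunk (old line 365, fs_var_utmp) have no effect as written, because mount(2) documents that when MS_BIND is given, all other flags except MS_REC are ignored for the initial bind; per-mount flags only take effect through a subsequent remount with MS_REMOUNT|MS_BIND. If the intent is for the bound utmp file to be nosuid/noexec/nodev like the tmpfs mounts in the other ten hunks, follow the bind with a remount such as `if (mount(NULL, UTMP_FILE, NULL, MS_BIND | MS_REMOUNT | MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) errExit("remount utmp");` — the tmpfs mounts do not need this since their flags are applied on a fresh mount. The same flag set is now repeated on eleven call sites; a single named constant, e.g. `#define VAR_TMPFS_FLAGS (MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC)`, would keep them from drifting apart again. Unrelated but visible in the /var/lock hunk, the failure message `errExit("mounting /lock")` at old line 272 names the wrong path and should read `errExit("mounting /var/lock")`. fs_var_utmp begins outside this hunk; only its tail is visible here.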