authorLibravatar netblue30 <netblue30@yahoo.com>2016-07-10 08:52:09 -0400
committerLibravatar netblue30 <netblue30@yahoo.com>2016-07-10 08:52:09 -0400
commita31dc992449959b86d403e1ad0bb5cae285e2826 (patch)
tree29286ad814af7d731d4f4c73162de95e1270228c /src
parent/var and /etc are noexec by default (diff)
downloadfirejail-a31dc992449959b86d403e1ad0bb5cae285e2826.tar.gz
firejail-a31dc992449959b86d403e1ad0bb5cae285e2826.tar.zst
firejail-a31dc992449959b86d403e1ad0bb5cae285e2826.zip
noexec inside /var directory
Diffstat (limited to 'src')
-rw-r--r--src/firejail/fs_var.c22
1 files changed, 11 insertions, 11 deletions
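diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index f904fa5d9..1516d684f 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -121,7 +121,7 @@ void fs_var_log(void) {
 // mount a tmpfs on top of /var/log
 if (arg_debug)
 printf("Mounting tmpfs on /var/log\n");
-if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 errExit("mounting /var/log");
 fs_logger("tmpfs /var/log");
 
@@ -160,7 +160,7 @@ void fs_var_lib(void) {
 if (stat("/var/lib/dhcp", &s) == 0) {
 if (arg_debug)
 printf("Mounting tmpfs on /var/lib/dhcp\n");
-if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 errExit("mounting /var/lib/dhcp");
 fs_logger("tmpfs /var/lib/dhcp");
 
@@ -182,7 +182,7 @@ void fs_var_lib(void) {
 if (stat("/var/lib/nginx", &s) == 0) {
 if (arg_debug)
 printf("Mounting tmpfs on /var/lib/nginx\n");
-if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 errExit("mounting /var/lib/nginx");
 fs_logger("tmpfs /var/lib/nginx");
 }
@@ -191,7 +191,7 @@ void fs_var_lib(void) {
 if (stat("/var/lib/snmp", &s) == 0) {
 if (arg_debug)
 printf("Mounting tmpfs on /var/lib/snmp\n");
-if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 errExit("mounting /var/lib/snmp");
 fs_logger("tmpfs /var/lib/snmp");
 }
@@ -200,7 +200,7 @@ void fs_var_lib(void) {
 if (stat("/var/lib/sudo", &s) == 0) {
 if (arg_debug)
 printf("Mounting tmpfs on /var/lib/sudo\n");
-if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 errExit("mounting /var/lib/sudo");
 fs_logger("tmpfs /var/lib/sudo");
 }
@@ -212,7 +212,7 @@ void fs_var_cache(void) {
 if (stat("/var/cache/apache2", &s) == 0) {
 if (arg_debug)
 printf("Mounting tmpfs on /var/cache/apache2\n");
-if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 errExit("mounting /var/cache/apache2");
 fs_logger("tmpfs /var/cache/apache2");
 }
@@ -220,7 +220,7 @@ void fs_var_cache(void) {
 if (stat("/var/cache/lighttpd", &s) == 0) {
 if (arg_debug)
 printf("Mounting tmpfs on /var/cache/lighttpd\n");
-if (mount("tmpfs", "/var/cache/lighttpd", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
+if (mount("tmpfs", "/var/cache/lighttpd", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 errExit("mounting /var/cache/lighttpd");
 fs_logger("tmpfs /var/cache/lighttpd");
 
@@ -268,7 +268,7 @@ void fs_var_lock(void) {
 if (is_dir("/var/lock")) {
 if (arg_debug)
 printf("Mounting tmpfs on /var/lock\n");
-if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
+if (mount("tmpfs", "/var/lock", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
 errExit("mounting /lock");
 fs_logger("tmpfs /var/lock");
 }
@@ -286,7 +286,7 @@ void fs_var_lock(void) {
 }
 if (arg_debug)
 printf("Mounting tmpfs on %s on behalf of /var/lock\n", lnk);
-if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
+if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
 errExit("mounting /var/lock");
 free(lnk);
 fs_logger("tmpfs /var/lock");
@@ -304,7 +304,7 @@ void fs_var_tmp(void) {
 if (!is_link("/var/tmp")) {
 if (arg_debug)
 printf("Mounting tmpfs on /var/tmp\n");
-if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
+if (mount("tmpfs", "/var/tmp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0)
 errExit("mounting /var/tmp");
 fs_logger("tmpfs /var/tmp");
 }
@@ -362,7 +362,7 @@ void fs_var_utmp(void) {
 // mount the new utmp file
 if (arg_debug)
 printf("Mount the new utmp file\n");
-if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_REC, NULL) < 0)
+if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_NOSUID|MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
 errExit("mount bind utmp");
 fs_logger("create /var/run/utmp");
 }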
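Review bot: In the fs_var_utmp hunk the new MS_NOSUID|MS_NOEXEC|MS_NODEV flags are OR'ed into the initial MS_BIND mount, and mount(2) documents that on a bind mount the kernel ignores every flag except MS_BIND and MS_REC, so this line hardens nothing while reading as if it does. The per-mountpoint flags have to be applied in a second call with MS_REMOUNT|MS_BIND, e.g. keep `if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_REC, NULL) < 0)` / `errExit("mount bind utmp");` and follow it with `if (mount(NULL, UTMP_FILE, NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0) errExit("remount utmp");`. The ten tmpfs hunks earlier in the file are fine, because tmpfs is a fresh mount and honours the flags directly. A one-line comment on the remount, such as `// flags other than MS_BIND/MS_REC are ignored on the bind itself; apply them via remount`, would stop a future cleanup from folding the two calls back together.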