run time support to disable remounting of /proc and /sys

3 files changed, 19 insertions, 4 deletions

diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index f5ea7439b..c4a6888a9 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -29,7 +29,6 @@ char *xephyr_extra_params = "";
 char *netfilter_default = NULL;
 
 int checkcfg(int val) {
-        EUID_ASSERT();
         assert(val < CFG_MAX);
         int line = 0;
 
@@ -38,7 +37,6 @@ int checkcfg(int val) {
                 int i;
                 for (i = 0; i < CFG_MAX; i++)
                         cfg_val[i] = 1; // most of them are enabled by default
-
                 cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default
                 cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default
                 
@@ -226,6 +224,15 @@ int checkcfg(int val) {
                                 if (strcmp(ptr + 17, "yes") == 0)
                                         arg_quiet = 1;
                         }
+                        // remount /proc and /sys
+                        else if (strncmp(ptr, "remount-proc-sys ", 17) == 0) {
+                                if (strcmp(ptr + 17, "yes") == 0)
+                                        cfg_val[CFG_REMOUNT_PROC_SYS] = 1;
+                                else if (strcmp(ptr + 17, "no") == 0)
+                                        cfg_val[CFG_REMOUNT_PROC_SYS] = 0;
+                                else
+                                        goto errout;
+                        }
                         else
                                 goto errout;
 
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 8301a79a0..067d788a6 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -590,7 +590,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh);
 #define CFG_FORCE_NONEWPRIVS 8
 #define CFG_WHITELIST 9
 #define CFG_XEPHYR_WINDOW_TITLE 10
-#define CFG_MAX 11 // this should always be the last entry
+#define CFG_REMOUNT_PROC_SYS 11
+#define CFG_MAX 12 // this should always be the last entry
 extern char *xephyr_screen;
 extern char *xephyr_extra_params;
 extern char *netfilter_default;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index a33c81937..0818bf450 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -208,6 +208,12 @@ static int monitor_application(pid_t app_pid) {
                 if (arg_debug)
                         printf("Sandbox monitor: waitpid %u retval %d status %d\n", monitored_pid, rv, status);
 
+                // if /proc is not remounted, we cannot check /proc directory,
+                // for now we just get out of here
+                // todo: find another way of checking child processes!
+                if (!checkcfg(CFG_REMOUNT_PROC_SYS))
+                        break;
+
                 DIR *dir;
                 if (!(dir = opendir("/proc"))) {
                         // sleep 2 seconds and try again
@@ -551,7 +557,8 @@ int sandbox(void* sandbox_arg) {
         //****************************
         // update /proc, /sys, /dev, /boot directorymy
         //****************************
-        fs_proc_sys_dev_boot();
+        if (checkcfg(CFG_REMOUNT_PROC_SYS))
+                fs_proc_sys_dev_boot();
         
         //****************************
         // apply the profile file