diff options
| author |  netblue30 <netblue30@yahoo.com> | 2015-11-28 08:55:38 -0500 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2015-11-28 08:55:38 -0500 |
| commit | 6ed8488a354b0e0ff9f46cff82df38a03310e393 (patch) | |
| tree | 49d05555269e3832ee539bfdc0acd73c99859cfe /src | |
| parent | cleanup (diff) | |
| download | firejail-6ed8488a354b0e0ff9f46cff82df38a03310e393.tar.gz firejail-6ed8488a354b0e0ff9f46cff82df38a03310e393.tar.zst firejail-6ed8488a354b0e0ff9f46cff82df38a03310e393.zip | |
fix /sys directory
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/fs.c | 47 |
1 files changed, 15 insertions, 32 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index e93db9cff..a0128a248 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
| @@ -482,42 +482,25 @@ void fs_proc_sys_dev_boot(void) { | |||
| 482 | 482 | ||
| 483 | 483 | ||
| 484 | 484 | ||
| 485 | if (arg_debug) | 485 | if (stat("/sys/firmware", &s) == 0) { |
| 486 | printf("Disable /sys/firmware directory\n"); | 486 | disable_file(BLACKLIST_FILE, "/sys/firmware"); |
| 487 | if (mount("tmpfs", "/sys/firmware", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 487 | } |
| 488 | fprintf(stderr, "Warning: cannot disable /sys/firmware directory\n"); | ||
| 489 | else | ||
| 490 | fs_logger("mount tmpfs on /sys/firmware"); | ||
| 491 | 488 | ||
| 492 | if (arg_debug) | 489 | if (stat("/sys/hypervisor", &s) == 0) { |
| 493 | printf("Disable /sys/hypervisor directory\n"); | 490 | disable_file(BLACKLIST_FILE, "/sys/hypervisor"); |
| 494 | if (mount("tmpfs", "/sys/hypervisor", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 491 | } |
| 495 | fprintf(stderr, "Warning: cannot disable /sys/hypervisor directory\n"); | ||
| 496 | else | ||
| 497 | fs_logger("mount tmpfs on /sys/hypervisor"); | ||
| 498 | |||
| 499 | if (arg_debug) | ||
| 500 | printf("Disable /sys/fs directory\n"); | ||
| 501 | if (mount("tmpfs", "/sys/fs", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | ||
| 502 | fprintf(stderr, "Warning: cannot disable /sys/fs directory\n"); | ||
| 503 | else | ||
| 504 | fs_logger("mount tmpfs on /sys/fs"); | ||
| 505 | |||
| 506 | if (arg_debug) | ||
| 507 | printf("Disable /sys/module directory\n"); | ||
| 508 | if (mount("tmpfs", "/sys/module", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | ||
| 509 | fprintf(stderr, "Warning: cannot disable /sys/module directory\n"); | ||
| 510 | else | ||
| 511 | fs_logger("mount tmpfs on /sys/module"); | ||
| 512 | 492 | ||
| 513 | if (arg_debug) | 493 | if (stat("/sys/fs", &s) == 0) { |
| 514 | printf("Disable /sys/power directory\n"); | 494 | disable_file(BLACKLIST_FILE, "/sys/fs"); |
| 515 | if (mount("tmpfs", "/sys/power", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 495 | } |
| 516 | fprintf(stderr, "Warning: cannot disable /sys/power directory\n"); | ||
| 517 | else | ||
| 518 | fs_logger("mount tmpfs on /sys/power"); | ||
| 519 | 496 | ||
| 497 | if (stat("/sys/module", &s) == 0) { | ||
| 498 | disable_file(BLACKLIST_FILE, "/sys/module"); | ||
| 499 | } | ||
| 520 | 500 | ||
| 501 | if (stat("/sys/power", &s) == 0) { | ||
| 502 | disable_file(BLACKLIST_FILE, "/sys/power"); | ||
| 503 | } | ||
| 521 | 504 | ||
| 522 | // if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0) | 505 | // if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0) |
| 523 | // errExit("mounting /sys"); | 506 | // errExit("mounting /sys"); |