diff options
| author |  netblue30 <netblue30@yahoo.com> | 2017-08-06 10:59:49 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2017-08-06 10:59:49 -0400 |
| commit | 92fe7e5a8ec10c321c0f493f9ae4f5cad202cd1f (patch) | |
| tree | c70ce4c8f8b89abaac62f6900a678a1969cf2949 /src | |
| parent | bring in private-lib libraries for all private-bin programs. Example:firejail... (diff) | |
| download | firejail-92fe7e5a8ec10c321c0f493f9ae4f5cad202cd1f.tar.gz firejail-92fe7e5a8ec10c321c0f493f9ae4f5cad202cd1f.tar.zst firejail-92fe7e5a8ec10c321c0f493f9ae4f5cad202cd1f.zip | |
prive-lib: integration with firetools
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/fs_lib.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c index 38c23a756..f39349fe6 100644 --- a/src/firejail/fs_lib.c +++ b/src/firejail/fs_lib.c | |||
| @@ -99,6 +99,7 @@ static void copy_directory(const char *full_path, const char *dir_name, const ch | |||
| 99 | if (mount(full_path, dest, NULL, MS_BIND|MS_REC, NULL) < 0 || | 99 | if (mount(full_path, dest, NULL, MS_BIND|MS_REC, NULL) < 0 || |
| 100 | mount(NULL, dest, NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) | 100 | mount(NULL, dest, NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) |
| 101 | errExit("mount bind"); | 101 | errExit("mount bind"); |
| 102 | fs_logger2("clone", full_path); | ||
| 102 | fs_logger2("mount", full_path); | 103 | fs_logger2("mount", full_path); |
| 103 | free(dest); | 104 | free(dest); |
| 104 | } | 105 | } |
| @@ -229,15 +230,26 @@ void fs_private_lib(void) { | |||
| 229 | if (mount(RUN_LIB_DIR, "/lib", NULL, MS_BIND|MS_REC, NULL) < 0 || | 230 | if (mount(RUN_LIB_DIR, "/lib", NULL, MS_BIND|MS_REC, NULL) < 0 || |
| 230 | mount(NULL, "/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) | 231 | mount(NULL, "/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) |
| 231 | errExit("mount bind"); | 232 | errExit("mount bind"); |
| 233 | fs_logger2("tmpfs", "/lib"); | ||
| 232 | fs_logger("mount /lib"); | 234 | fs_logger("mount /lib"); |
| 233 | 235 | ||
| 234 | if (mount(RUN_LIB_DIR, "/lib64", NULL, MS_BIND|MS_REC, NULL) < 0 || | 236 | if (mount(RUN_LIB_DIR, "/lib64", NULL, MS_BIND|MS_REC, NULL) < 0 || |
| 235 | mount(NULL, "/lib64", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) | 237 | mount(NULL, "/lib64", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) |
| 236 | errExit("mount bind"); | 238 | errExit("mount bind"); |
| 239 | fs_logger2("tmpfs", "/lib64"); | ||
| 237 | fs_logger("mount /lib64"); | 240 | fs_logger("mount /lib64"); |
| 238 | 241 | ||
| 239 | if (mount(RUN_LIB_DIR, "/usr/lib", NULL, MS_BIND|MS_REC, NULL) < 0 || | 242 | if (mount(RUN_LIB_DIR, "/usr/lib", NULL, MS_BIND|MS_REC, NULL) < 0 || |
| 240 | mount(NULL, "/usr/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) | 243 | mount(NULL, "/usr/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0) |
| 241 | errExit("mount bind"); | 244 | errExit("mount bind"); |
| 245 | fs_logger2("tmpfs", "/usr/lib"); | ||
| 242 | fs_logger("mount /usr/lib"); | 246 | fs_logger("mount /usr/lib"); |
| 247 | |||
| 248 | // for amd64 only - we'll deal with i386 later | ||
| 249 | if (mount(RUN_RO_DIR, "/lib32", "none", MS_BIND, "mode=400,gid=0") < 0) | ||
| 250 | errExit("disable file"); | ||
| 251 | fs_logger("blacklist-nolog /lib32"); | ||
| 252 | if (mount(RUN_RO_DIR, "/libx32", "none", MS_BIND, "mode=400,gid=0") < 0) | ||
| 253 | errExit("disable file"); | ||
| 254 | fs_logger("blacklist-nolog /libx32"); | ||
| 243 | } | 255 | } |