author | netblue30 <netblue30@yahoo.com> | 2015-11-28 08:55:38 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2015-11-28 08:55:38 -0500 |
commit | 6ed8488a354b0e0ff9f46cff82df38a03310e393 (patch) | |
tree | 49d05555269e3832ee539bfdc0acd73c99859cfe /src | |
parent | cleanup (diff) | |
fix /sys directory
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs.c | 47 |
1 files changed, 15 insertions, 32 deletions
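--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -482,42 +482,25 @@ void fs_proc_sys_dev_boot(void) {
 
 
 
-if (arg_debug)
-printf("Disable /sys/firmware directory\n");
-if (mount("tmpfs", "/sys/firmware", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
-fprintf(stderr, "Warning: cannot disable /sys/firmware directory\n");
-else
-fs_logger("mount tmpfs on /sys/firmware");
+if (stat("/sys/firmware", &s) == 0) {
+disable_file(BLACKLIST_FILE, "/sys/firmware");
+}
 
-if (arg_debug)
-printf("Disable /sys/hypervisor directory\n");
-if (mount("tmpfs", "/sys/hypervisor", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
-fprintf(stderr, "Warning: cannot disable /sys/hypervisor directory\n");
-else
-fs_logger("mount tmpfs on /sys/hypervisor");
-
-if (arg_debug)
-printf("Disable /sys/fs directory\n");
-if (mount("tmpfs", "/sys/fs", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
-fprintf(stderr, "Warning: cannot disable /sys/fs directory\n");
-else
-fs_logger("mount tmpfs on /sys/fs");
-
-if (arg_debug)
-printf("Disable /sys/module directory\n");
-if (mount("tmpfs", "/sys/module", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
-fprintf(stderr, "Warning: cannot disable /sys/module directory\n");
-else
-fs_logger("mount tmpfs on /sys/module");
+if (stat("/sys/hypervisor", &s) == 0) {
+disable_file(BLACKLIST_FILE, "/sys/hypervisor");
+}
 
-if (arg_debug)
-printf("Disable /sys/power directory\n");
-if (mount("tmpfs", "/sys/power", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
-fprintf(stderr, "Warning: cannot disable /sys/power directory\n");
-else
-fs_logger("mount tmpfs on /sys/power");
+if (stat("/sys/fs", &s) == 0) {
+disable_file(BLACKLIST_FILE, "/sys/fs");
+}
 
+if (stat("/sys/module", &s) == 0) {
+disable_file(BLACKLIST_FILE, "/sys/module");
+}
 
+if (stat("/sys/power", &s) == 0) {
+disable_file(BLACKLIST_FILE, "/sys/power");
+}
 
 // if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0)
 // errExit("mounting /sys");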
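Review bot: When `stat()` fails for any reason other than the path being absent, each of the five new blocks (`/sys/firmware`, `/sys/hypervisor`, `/sys/fs`, `/sys/module`, `/sys/power`) skips `disable_file()` without a message, so the sandbox can start with that directory still visible and nothing in the output says so. The removed code printed `Warning: cannot disable ... directory` when the mount failed; an `else if (errno != ENOENT) fprintf(stderr, "Warning: cannot disable /sys/firmware directory\n");` branch on each block would keep that signal, assuming `<errno.h>` is already included, which is not visible here. The `fs_logger(...)` entries are also gone, and whether `disable_file()` logs or reports its own failures cannot be seen from this hunk, so that is worth confirming before relying on it. `fs_proc_sys_dev_boot` starts and ends outside the hunk, as does the declaration of `s`.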