author | netblue30 <netblue30@yahoo.com> | 2017-08-06 15:27:19 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-08-06 15:27:19 -0400 |
commit | 608386fa784e1c0c84a952c643648c2f619e5547 (patch) | |
tree | 3fe85f912060c7d0108195fdd64af3eaa0f32df5 /src | |
parent | Merge pull request #1438 from smitsohu/patch-1 (diff) | |
private-lib fixes
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs_lib.c | 56 |
1 files changed, 33 insertions, 23 deletions
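--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -227,29 +227,39 @@ void fs_private_lib(void) {
 if (arg_debug)
 printf("Mount-bind %s on top of /lib /lib64 /usr/lib\n", RUN_LIB_DIR);
 
-if (mount(RUN_LIB_DIR, "/lib", NULL, MS_BIND|MS_REC, NULL) < 0 ||
-mount(NULL, "/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
-errExit("mount bind");
-fs_logger2("tmpfs", "/lib");
-fs_logger("mount /lib");
-
-if (mount(RUN_LIB_DIR, "/lib64", NULL, MS_BIND|MS_REC, NULL) < 0 ||
-mount(NULL, "/lib64", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
-errExit("mount bind");
-fs_logger2("tmpfs", "/lib64");
-fs_logger("mount /lib64");
-
-if (mount(RUN_LIB_DIR, "/usr/lib", NULL, MS_BIND|MS_REC, NULL) < 0 ||
-mount(NULL, "/usr/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
-errExit("mount bind");
-fs_logger2("tmpfs", "/usr/lib");
-fs_logger("mount /usr/lib");
+if (is_dir("/lib")) {
+if (mount(RUN_LIB_DIR, "/lib", NULL, MS_BIND|MS_REC, NULL) < 0 ||
+mount(NULL, "/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
+errExit("mount bind");
+fs_logger2("tmpfs", "/lib");
+fs_logger("mount /lib");
+}
+
+if (is_dir("/lib64")) {
+if (mount(RUN_LIB_DIR, "/lib64", NULL, MS_BIND|MS_REC, NULL) < 0 ||
+mount(NULL, "/lib64", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
+errExit("mount bind");
+fs_logger2("tmpfs", "/lib64");
+fs_logger("mount /lib64");
+}
+
+if (is_dir("/usr/lib")) {
+if (mount(RUN_LIB_DIR, "/usr/lib", NULL, MS_BIND|MS_REC, NULL) < 0 ||
+mount(NULL, "/usr/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
+errExit("mount bind");
+fs_logger2("tmpfs", "/usr/lib");
+fs_logger("mount /usr/lib");
+}
 
 // for amd64 only - we'll deal with i386 later
-if (mount(RUN_RO_DIR, "/lib32", "none", MS_BIND, "mode=400,gid=0") < 0)
-errExit("disable file");
-fs_logger("blacklist-nolog /lib32");
-if (mount(RUN_RO_DIR, "/libx32", "none", MS_BIND, "mode=400,gid=0") < 0)
-errExit("disable file");
-fs_logger("blacklist-nolog /libx32");
+if (is_dir("/lib32")) {
+if (mount(RUN_RO_DIR, "/lib32", "none", MS_BIND, "mode=400,gid=0") < 0)
+errExit("disable file");
+fs_logger("blacklist-nolog /lib32");
+}
+if (is_dir("/libx32")) {
+if (mount(RUN_RO_DIR, "/libx32", "none", MS_BIND, "mode=400,gid=0") < 0)
+errExit("disable file");
+fs_logger("blacklist-nolog /libx32");
+}
 }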
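Review bot: The three `is_dir()`-guarded blocks for /lib, /lib64 and /usr/lib (new lines 230-252) are identical except for the path, and the new guard skips an absent directory without a word even under `arg_debug`, so a user debugging why a library path is not covered gets no hint; a small `static` helper that takes the path, logs the skip in debug mode, and otherwise does the bind + nosuid/nodev remount would remove the triplication and give the skip a visible trace (the /lib32 and /libx32 pair at new lines 255-264 could get the same treatment with RUN_RO_DIR). The rewrite below uses `fs_logger2("mount", dir)` for the per-path log on the assumption that fs_logger2 joins its two arguments the way the existing `fs_logger2("tmpfs", "/lib")` call suggests — confirm against its definition, or build the string the way the rest of the file does. Whether `is_dir()` follows symlinks is not visible here; on a merged-/usr system where /lib is a symlink into /usr/lib the mount() call resolves the link either way, so behaviour should be unchanged, but a one-line comment stating that expectation next to the first guard would save the next reader the lookup. fs_private_lib begins outside this hunk.
```c
// Bind RUN_LIB_DIR over dir and remount it nosuid/nodev; dir may be absent
// on some distributions, in which case the mount is skipped (logged in debug mode).
static void mount_private_lib(const char *dir) {
	if (!is_dir(dir)) {
		if (arg_debug)
			printf("%s not found, skipping\n", dir);
		return;
	}
	if (mount(RUN_LIB_DIR, dir, NULL, MS_BIND|MS_REC, NULL) < 0 ||
	    mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
		errExit("mount bind");
	fs_logger2("tmpfs", dir);
	fs_logger2("mount", dir); // TODO confirm fs_logger2 joins its arguments as "mount <dir>"
}

// … unchanged: earlier body of fs_private_lib, debug printf …
	mount_private_lib("/lib");
	mount_private_lib("/lib64");
	mount_private_lib("/usr/lib");
// … unchanged: /lib32 and /libx32 read-only blocks …
```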