author | netblue30 <netblue30@yahoo.com> | 2016-08-29 11:56:34 -0400 |
committer | netblue30 <netblue30@yahoo.com> | 2016-08-29 11:56:34 -0400 |
commit | 70d1b463a04867e2ede3da284a5209d190458d84 (patch) | |
tree | 026cbe6cb873d3e0b34936e1f67e0d2a15d99ba1 /src | |
parent | fixes (diff) | |
0.9.42~rc3 starting
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs.c | 10 |
1 files changed, 4 insertions, 6 deletions
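--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -647,10 +647,6 @@ void fs_proc_sys_dev_boot(void) {
 disable_file(BLACKLIST_FILE, "/sys/kernel/vmcoreinfo");
 disable_file(BLACKLIST_FILE, "/sys/kernel/uevent_helper");
 
-// if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0)
-// errExit("mounting /sys");
-
-
 // various /proc/sys files
 disable_file(BLACKLIST_FILE, "/proc/sys/security");
 disable_file(BLACKLIST_FILE, "/proc/sys/efi/vars");
@@ -661,7 +657,6 @@ void fs_proc_sys_dev_boot(void) {
 disable_file(BLACKLIST_FILE, "/proc/sys/kernel/hotplug");
 disable_file(BLACKLIST_FILE, "/proc/sys/vm/panic_on_oom");
 
-
 // various /proc files
 disable_file(BLACKLIST_FILE, "/proc/irq");
 disable_file(BLACKLIST_FILE, "/proc/bus");
@@ -674,7 +669,10 @@ void fs_proc_sys_dev_boot(void) {
 disable_file(BLACKLIST_FILE, "/proc/mem");
 disable_file(BLACKLIST_FILE, "/proc/kmem");
 
-// disable /boot
+// remove kernel symbol information
+disable_file(BLACKLIST_FILE, "/usr/src/linux");
+disable_file(BLACKLIST_FILE, "/lib/modules");
+disable_file(BLACKLIST_FILE, "/usr/lib/debug");
 disable_file(BLACKLIST_FILE, "/boot");
 
 // disable /selinux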
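Review bot: The new "remove kernel symbol information" group in the third hunk blacklists one literal kernel-source path, `/usr/src/linux`, while distributions commonly install kernel headers and sources under other names in /usr/src (for example version-suffixed `linux-headers-*` directories on Debian-based systems or `/usr/src/kernels` on Fedora-based ones); if disable_file matches a literal path, as the surrounding calls suggest, those trees stay readable in the sandbox and the hardening is incomplete on such hosts. Consider either adding the common alternatives or blacklisting `/usr/src` as a whole, and record the intended coverage in the comment. The old `// disable /boot` comment was folded into the new group, so the reason /boot belongs here is no longer stated; a header such as `// remove kernel symbol information: sources, modules, debug symbols, and /boot (kernel images, System.map)` would keep the intent visible. The enclosing function fs_proc_sys_dev_boot starts before the first hunk and continues past the last.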