blacklist cleaned passwd, group, utmp files

just in case users decide to remove them
completely from the sandbox, by means of
private-etc or whitelist

2 files changed, 14 insertions, 0 deletions

diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index bae3d6df0..20e262d80 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -323,4 +323,8 @@ void fs_var_utmp(void) {
         if (mount(RUN_UTMP_FILE, UTMP_FILE, NULL, MS_BIND|MS_NOSUID|MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
                 errExit("mount bind utmp");
         fs_logger2("create", UTMP_FILE);
+
+        // blacklist RUN_UTMP_FILE
+        if (mount(RUN_RO_FILE, RUN_UTMP_FILE, NULL, MS_BIND, "mode=400,gid=0") < 0)
+                errExit("mount bind");
 }
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index 53e395b89..892244b5f 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -246,6 +246,11 @@ static void sanitize_passwd(void) {
         // mount-bind tne new password file
         if (mount(RUN_PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0)
                 errExit("mount");
+
+        // blacklist RUN_PASSWD_FILE
+        if (mount(RUN_RO_FILE, RUN_PASSWD_FILE, "none", MS_BIND, "mode=400,gid=0") < 0)
+                errExit("mount");
+
         fs_logger("create /etc/passwd");
 
         return;
@@ -376,6 +381,11 @@ static void sanitize_group(void) {
         // mount-bind tne new group file
         if (mount(RUN_GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0)
                 errExit("mount");
+
+        // blacklist RUN_GROUP_FILE
+        if (mount(RUN_RO_FILE, RUN_GROUP_FILE, "none", MS_BIND, "mode=400,gid=0") < 0)
+                errExit("mount");
+
         fs_logger("create /etc/group");
 
         return;