-rw-r--r-- | src/firejail/fs.c | 31 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 10 |
2 files changed, 34 insertions, 7 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 84003fa98..14d7d7156 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -583,13 +583,9 @@ void fs_mnt(const int enforce) { | |||
583 | // mount /proc and /sys directories | 583 | // mount /proc and /sys directories |
584 | void fs_proc_sys_dev_boot(void) { | 584 | void fs_proc_sys_dev_boot(void) { |
585 | 585 | ||
586 | if (arg_debug) | ||
587 | printf("Remounting /proc and /proc/sys filesystems\n"); | ||
588 | if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) | ||
589 | errExit("mounting /proc"); | ||
590 | fs_logger("remount /proc"); | ||
591 | |||
592 | // remount /proc/sys readonly | 586 | // remount /proc/sys readonly |
587 | if (arg_debug) | ||
588 | printf("Mounting read-only /proc/sys\n"); | ||
593 | if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0 || | 589 | if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0 || |
594 | mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) | 590 | mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) |
595 | errExit("mounting /proc/sys"); | 591 | errExit("mounting /proc/sys"); |
@@ -599,7 +595,8 @@ void fs_proc_sys_dev_boot(void) { | |||
599 | /* Mount a version of /sys that describes the network namespace */ | 595 | /* Mount a version of /sys that describes the network namespace */ |
600 | if (arg_debug) | 596 | if (arg_debug) |
601 | printf("Remounting /sys directory\n"); | 597 | printf("Remounting /sys directory\n"); |
602 | // if this is an overlay, don't try to unmount, just mount a new sysfs | 598 | // sysfs not yet mounted in overlays, so don't try to unmount it |
599 | // expect that unmounting /sys fails in a chroot, no need to print a warning in that case | ||
603 | if (!arg_overlay) { | 600 | if (!arg_overlay) { |
604 | if (umount2("/sys", MNT_DETACH) < 0 && !cfg.chrootdir) | 601 | if (umount2("/sys", MNT_DETACH) < 0 && !cfg.chrootdir) |
605 | fwarning("failed to unmount /sys\n"); | 602 | fwarning("failed to unmount /sys\n"); |
@@ -1078,6 +1075,15 @@ void fs_overlayfs(void) { | |||
1078 | errExit("mounting /tmp"); | 1075 | errExit("mounting /tmp"); |
1079 | fs_logger("whitelist /tmp"); | 1076 | fs_logger("whitelist /tmp"); |
1080 | 1077 | ||
1078 | // mount a new proc filesystem | ||
1079 | if (arg_debug) | ||
1080 | printf("Mounting /proc\n"); | ||
1081 | char *proc; | ||
1082 | if (asprintf(&proc, "%s/proc", oroot) == -1) | ||
1083 | errExit("asprintf"); | ||
1084 | if (mount("proc", proc, "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) | ||
1085 | errExit("mounting /proc"); | ||
1086 | |||
1081 | // chroot in the new filesystem | 1087 | // chroot in the new filesystem |
1082 | #ifdef HAVE_GCOV | 1088 | #ifdef HAVE_GCOV |
1083 | __gcov_flush(); | 1089 | __gcov_flush(); |
@@ -1112,6 +1118,7 @@ void fs_overlayfs(void) { | |||
1112 | free(dev); | 1118 | free(dev); |
1113 | free(run); | 1119 | free(run); |
1114 | free(tmp); | 1120 | free(tmp); |
1121 | free(proc); | ||
1115 | } | 1122 | } |
1116 | #endif | 1123 | #endif |
1117 | 1124 | ||
@@ -1282,6 +1289,16 @@ void fs_chroot(const char *rootdir) { | |||
1282 | errExit("mounting /dev"); | 1289 | errExit("mounting /dev"); |
1283 | free(newdev); | 1290 | free(newdev); |
1284 | 1291 | ||
1292 | // mount a new proc filesystem | ||
1293 | char *newproc; | ||
1294 | if (asprintf(&newproc, "%s/proc", rootdir) == -1) | ||
1295 | errExit("asprintf"); | ||
1296 | if (arg_debug) | ||
1297 | printf("Mounting /proc filesystem on %s\n", newproc); | ||
1298 | if (mount("proc", newproc, "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) | ||
1299 | errExit("mounting /proc"); | ||
1300 | free(newproc); | ||
1301 | |||
1285 | // x11 | 1302 | // x11 |
1286 | if (getenv("FIREJAIL_X11")) { | 1303 | if (getenv("FIREJAIL_X11")) { |
1287 | char *newx11; | 1304 | char *newx11; |
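Review bot: The `fs_logger("remount /proc");` entry removed in the fs_proc_sys_dev_boot hunk is not re-added beside any of the new proc mounts in the fs_overlayfs and fs_chroot hunks, so the sandbox's mount log no longer records that /proc was mounted; the fs_overlayfs hunk sits directly under `fs_logger("whitelist /tmp");`, so adding `fs_logger("remount /proc");` after each `errExit("mounting /proc");` keeps the log complete. In fs_chroot the target `newproc` is built from the caller-supplied rootdir before the chroot takes effect and mount(2) resolves the target path including symlinks; this follows the `newdev` pattern just above, so if rootdir is not validated outside this hunk, the `proc` entry should first be confirmed to be a plain directory. The two debug messages also differ in shape (`"Mounting /proc\n"` versus `"Mounting /proc filesystem on %s\n"`); printing the target path in both is the more useful form. fs_overlayfs and fs_chroot both continue outside the hunks shown.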
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 43fd6af77..f91e5ab7c 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -623,6 +623,16 @@ int sandbox(void* sandbox_arg) { | |||
623 | errExit("mounting " RUN_FIREJAIL_LIB_DIR); | 623 | errExit("mounting " RUN_FIREJAIL_LIB_DIR); |
624 | 624 | ||
625 | //**************************** | 625 | //**************************** |
626 | // mount new proc filesystem | ||
627 | // representing the pid namespace | ||
628 | //**************************** | ||
629 | |||
630 | if (arg_debug) | ||
631 | printf("Remounting /proc filesystem\n"); | ||
632 | if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) | ||
633 | errExit("mounting /proc"); | ||
634 | |||
635 | //**************************** | ||
626 | // log sandbox data | 636 | // log sandbox data |
627 | //**************************** | 637 | //**************************** |
628 | if (cfg.name) | 638 | if (cfg.name) |
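Review bot: The new `mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL)` block here is the third copy of the same mount call and flag set added by this commit (the others are in fs_overlayfs and fs_chroot in fs.c), so a later change to the proc mount flags has to be made in three places; a small helper in fs.c such as `void fs_mount_proc(const char *target)` that performs the mount, calls errExit on failure and writes the fs_logger entry would keep them in step. As written, this mount also emits no `fs_logger` record, unlike the `fs_logger("remount /proc")` call the commit removes from fs_proc_sys_dev_boot, so `fs_logger("remount /proc");` after `errExit("mounting /proc");` is needed whether or not the helper is introduced. sandbox() starts and ends outside the hunk, so the order of this mount relative to the fs_chroot and fs_overlayfs calls cannot be confirmed from here.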