-rw-r--r-- | src/firejail/fs.c | 47 | ||||
-rw-r--r-- | todo | 11 |
2 files changed, 17 insertions, 41 deletions
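--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -482,42 +482,25 @@ void fs_proc_sys_dev_boot(void) {
 
 
 
-	if (arg_debug)
-		printf("Disable /sys/firmware directory\n");
-	if (mount("tmpfs", "/sys/firmware", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
-		fprintf(stderr, "Warning: cannot disable /sys/firmware directory\n");
-	else
-		fs_logger("mount tmpfs on /sys/firmware");
+	if (stat("/sys/firmware", &s) == 0) {
+		disable_file(BLACKLIST_FILE, "/sys/firmware");
+	}
 
-	if (arg_debug)
-		printf("Disable /sys/hypervisor directory\n");
-	if (mount("tmpfs", "/sys/hypervisor", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
-		fprintf(stderr, "Warning: cannot disable /sys/hypervisor directory\n");
-	else
-		fs_logger("mount tmpfs on /sys/hypervisor");
-
-	if (arg_debug)
-		printf("Disable /sys/fs directory\n");
-	if (mount("tmpfs", "/sys/fs", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
-		fprintf(stderr, "Warning: cannot disable /sys/fs directory\n");
-	else
-		fs_logger("mount tmpfs on /sys/fs");
-
-	if (arg_debug)
-		printf("Disable /sys/module directory\n");
-	if (mount("tmpfs", "/sys/module", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
-		fprintf(stderr, "Warning: cannot disable /sys/module directory\n");
-	else
-		fs_logger("mount tmpfs on /sys/module");
+	if (stat("/sys/hypervisor", &s) == 0) {
+		disable_file(BLACKLIST_FILE, "/sys/hypervisor");
+	}
 
-	if (arg_debug)
-		printf("Disable /sys/power directory\n");
-	if (mount("tmpfs", "/sys/power", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
-		fprintf(stderr, "Warning: cannot disable /sys/power directory\n");
-	else
-		fs_logger("mount tmpfs on /sys/power");
+	if (stat("/sys/fs", &s) == 0) {
+		disable_file(BLACKLIST_FILE, "/sys/fs");
+	}
 
+	if (stat("/sys/module", &s) == 0) {
+		disable_file(BLACKLIST_FILE, "/sys/module");
+	}
 
+	if (stat("/sys/power", &s) == 0) {
+		disable_file(BLACKLIST_FILE, "/sys/power");
+	}
 
 	// if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0)
 	//	errExit("mounting /sys");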
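Review bot: The five stat-and-blacklist blocks on the new side (new lines 485–503) are the same three lines with only the path changed; a `static const char *const` table walked in a loop would keep the list in one place and make hiding a further /sys directory a one-line addition. The old per-directory `fs_logger("mount tmpfs on …")` calls are dropped along with the tmpfs mounts, so unless `disable_file` records the blacklist itself the sandbox filesystem log no longer shows that these directories were hidden — worth confirming before merging. `fs_proc_sys_dev_boot` opens and closes outside the hunk, and `s` is declared there.
```c
	/* … unchanged: earlier /proc, /sys and /dev setup … */
	static const char *const sys_dirs[] = {
		"/sys/firmware", "/sys/hypervisor", "/sys/fs", "/sys/module", "/sys/power",
	};
	for (size_t i = 0; i < sizeof sys_dirs / sizeof sys_dirs[0]; i++) {
		if (stat(sys_dirs[i], &s) == 0)
			disable_file(BLACKLIST_FILE, sys_dirs[i]);
	}
	/* … unchanged: commented-out sysfs remount … */
```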
@@ -141,16 +141,9 @@ dr-x------ 2 65534 65534 40 Nov 24 17:53 .mozilla | |||
141 | -rw------- 1 netblue netblue 51 Nov 25 08:09 .Xauthority | 141 | -rw------- 1 netblue netblue 51 Nov 25 08:09 .Xauthority |
142 | 142 | ||
143 | 143 | ||
144 | 19. move from tmpfs to blacklist | 144 | 19. Try --overlay on a Ubuntu 14.04 32bit.Without adding --dns, there will be no network connectivity - see issue 151 |
145 | mount tmpfs on /sys/firmware | ||
146 | mount tmpfs on /sys/hypervisor | ||
147 | mount tmpfs on /sys/fs | ||
148 | mount tmpfs on /sys/module | ||
149 | mount tmpfs on /sys/power | ||
150 | 145 | ||
151 | 20. Try --overlay on a Ubuntu 14.04 32bit.Without adding --dns, there will be no network connectivity - see issue 151 | 146 | 20. Check this out: |
152 | |||
153 | 21. Check this out: | ||
154 | 147 | ||
155 | I was messing around with my fstab, and found out that firejail can't have /usr/bin mounted in read-only. | 148 | I was messing around with my fstab, and found out that firejail can't have /usr/bin mounted in read-only. |
156 | Here's what my fstab looks like now: | 149 | Here's what my fstab looks like now: |