Diffstat (limited to 'src/firejail/chroot.c')
-rw-r--r-- | src/firejail/chroot.c | 40 |
1 files changed, 8 insertions, 32 deletions
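diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c
index 757ffb1f7..4125a4130 100644
--- a/src/firejail/chroot.c
+++ b/src/firejail/chroot.c
@@ -163,12 +163,8 @@ void fs_chroot(const char *rootdir) {
 	int fd = openat(parentfd, "dev", O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
 	if (fd == -1)
 		errExit("open");
-	char *proc;
-	if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-		errExit("asprintf");
-	if (mount("/dev", proc, NULL, MS_BIND|MS_REC, NULL) < 0)
+	if (bind_mount_path_to_fd("/dev", fd))
 		errExit("mounting /dev");
-	free(proc);
 	close(fd);
 
 #ifdef HAVE_X11
@@ -192,11 +188,8 @@ void fs_chroot(const char *rootdir) {
 		fd = openat(parentfd, "tmp/.X11-unix", O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
 		if (fd == -1)
 			errExit("open");
-		if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-			errExit("asprintf");
-		if (mount("/tmp/.X11-unix", proc, NULL, MS_BIND|MS_REC, NULL) < 0)
+		if (bind_mount_path_to_fd("/tmp/.X11-unix", fd))
 			errExit("mounting /tmp/.X11-unix");
-		free(proc);
 		close(fd);
 	}
 #endif // HAVE_X11
@@ -225,19 +218,11 @@ void fs_chroot(const char *rootdir) {
 			fprintf(stderr, "Error: cannot open %s\n", pulse);
 			exit(1);
 		}
-		free(pulse);
-
-		char *proc_src, *proc_dst;
-		if (asprintf(&proc_src, "/proc/self/fd/%d", src) == -1)
-			errExit("asprintf");
-		if (asprintf(&proc_dst, "/proc/self/fd/%d", dst) == -1)
-			errExit("asprintf");
-		if (mount(proc_src, proc_dst, NULL, MS_BIND|MS_REC, NULL) < 0)
-			errExit("mount bind");
-		free(proc_src);
-		free(proc_dst);
+		if (bind_mount_by_fd(src, dst))
+			errExit("mounting pulseaudio")
 		close(src);
 		close(dst);
+		free(pulse);
 
 	// update /etc/machine-id in chroot
 	update_file(parentfd, "etc/machine-id");
@@ -256,11 +241,8 @@ void fs_chroot(const char *rootdir) {
 	fd = openat(parentfd, &RUN_FIREJAIL_LIB_DIR[1], O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
 	if (fd == -1)
 		errExit("open");
-	if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-		errExit("asprintf");
-	if (mount(RUN_FIREJAIL_LIB_DIR, proc, NULL, MS_BIND|MS_REC, NULL) < 0)
+	if (bind_mount_path_to_fd(RUN_FIREJAIL_LIB_DIR, fd))
 		errExit("mount bind");
-	free(proc);
 	close(fd);
 
 	// create /run/firejail/mnt directory in chroot
@@ -271,11 +253,8 @@ void fs_chroot(const char *rootdir) {
 	fd = openat(parentfd, &RUN_MNT_DIR[1], O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
 	if (fd == -1)
 		errExit("open");
-	if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-		errExit("asprintf");
-	if (mount(RUN_MNT_DIR, proc, NULL, MS_BIND|MS_REC, NULL) < 0)
+	if (bind_mount_path_to_fd(RUN_MNT_DIR, fd))
 		errExit("mount bind");
-	free(proc);
 	close(fd);
 
 	// update chroot resolv.conf
@@ -289,11 +268,8 @@ void fs_chroot(const char *rootdir) {
 	if (mkdir(oroot, 0755) == -1)
 		errExit("mkdir");
 	// mount the chroot dir on top of /run/firejail/mnt/oroot in order to reuse the apparmor rules for overlay
-	if (asprintf(&proc, "/proc/self/fd/%d", parentfd) == -1)
-		errExit("asprintf");
-	if (mount(proc, oroot, NULL, MS_BIND|MS_REC, NULL) < 0)
+	if (bind_mount_fd_to_path(parentfd, oroot))
 		errExit("mounting rootdir oroot");
-	free(proc);
 	close(parentfd);
 	// chroot into the new directory
 	if (arg_debug)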
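Review bot: The new line 222 in the pulseaudio hunk, `errExit("mounting pulseaudio")`, has no trailing semicolon as rendered, so the statement runs into the following `close(src);`; if errExit is the usual `do { ... } while (0)` macro this is a compile error, and in any case it should read `errExit("mounting pulseaudio");`. The same hunk also relies on each helper (bind_mount_path_to_fd, bind_mount_by_fd, bind_mount_fd_to_path) returning nonzero on failure with mount()'s errno still intact, since errExit reports errno; the helpers are not in this diff, so it is worth confirming they do not call free() or close() between the failed mount() and their return, as that can clobber the error message and hide which mount was refused. A one-line comment at the first call site, `// helpers return nonzero and leave errno set by mount()`, would document the contract the five call sites now share. fs_chroot begins and ends outside these hunks.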