Diffstat (limited to 'src/firejail/fs.c')
-rw-r--r-- | src/firejail/fs.c | 21 |
1 files changed, 18 insertions, 3 deletions
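diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index ad84b2222..c6dfdec30 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -56,7 +56,7 @@ static void create_empty_file(void) {
 }
 }
 
-// build /tmp/firejail directory
+// build /run/firejail directory
 void fs_build_firejail_dir(void) {
 struct stat s;
 
@@ -86,11 +86,16 @@ void fs_build_firejail_dir(void) {
 
 // build /tmp/firejail/mnt directory
 static int tmpfs_mounted = 0;
+static void fs_build_remount_mnt_dir(void) {
+tmpfs_mounted = 0;
+fs_build_mnt_dir();
+}
+
 void fs_build_mnt_dir(void) {
 struct stat s;
 fs_build_firejail_dir();
 
-// create /tmp/firejail directory
+// create /run/firejail/mnt directory
 if (stat(MNT_DIR, &s)) {
 if (arg_debug)
 printf("Creating %s directory\n", MNT_DIR);
@@ -106,7 +111,7 @@ void fs_build_mnt_dir(void) {
 
 // ... and mount tmpfs on top of it
 if (!tmpfs_mounted) {
-// mount tmpfs on top of /tmp/firejail/mnt
+// mount tmpfs on top of /run/firejail/mnt
 if (arg_debug)
 printf("Mounting tmpfs on %s directory\n", MNT_DIR);
 if (mount("tmpfs", MNT_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
@@ -533,6 +538,14 @@ void fs_proc_sys_dev_boot(void) {
 errExit("mounting /boot directory");
 }
 
+// disable /selinux
+if (stat("/selinux", &s) == 0) {
+if (arg_debug)
+printf("Mounting a new /selinux directory\n");
+if (mount("tmpfs", "/selinux", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0)
+errExit("mounting /selinux directory");
+}
+
 // disable /dev/port
 if (stat("/dev/port", &s) == 0) {
 disable_file(BLACKLIST_FILE, "/dev/port");
@@ -818,6 +831,8 @@ void fs_chroot(const char *rootdir) {
 printf("Chrooting into %s\n", rootdir);
 if (chroot(rootdir) < 0)
 errExit("chroot");
+// mount a new tmpfs in /run/firejail/mnt - the old one was lost in chroot
+fs_build_remount_mnt_dir();
 
 // update /var directory in order to support multiple sandboxes running on the same root directory
 if (!arg_private_dev)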
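Review bot: The tmpfs mounted over /selinux in the fs_proc_sys_dev_boot hunk is created with `mode=777` and without MS_NOEXEC, so "disabling" /selinux in fact hands every sandboxed process a world-writable, executable scratch directory, whereas the MNT_DIR mount earlier in this file uses `mode=755`. Unless something in the sandbox must write there, the mount line should read `if (mount("tmpfs", "/selinux", "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)`; MS_REC also has no effect on a fresh tmpfs mount and can be dropped for clarity. The `stat("/selinux", &s) == 0` guard accepts any path type, so if /selinux were a regular file mount() would fail with ENOTDIR and errExit() would abort sandbox start rather than skip the step; `if (stat("/selinux", &s) == 0 && S_ISDIR(s.st_mode))` matches the comment's intent. fs_proc_sys_dev_boot begins before and continues after this hunk, so the declaration of `s` is not visible here and is assumed from its use in the /dev/port block below.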