Diffstat (limited to 'src/firejail/fs.c')
-rw-r--r--src/firejail/fs.c31
1 files changed, 24 insertions, 7 deletions
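--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -682,13 +682,9 @@ void fs_mnt(const int enforce) {
 // mount /proc and /sys directories
 void fs_proc_sys_dev_boot(void) {
 
-	if (arg_debug)
-		printf("Remounting /proc and /proc/sys filesystems\n");
-	if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
-		errExit("mounting /proc");
-	fs_logger("remount /proc");
-
 	// remount /proc/sys readonly
+	if (arg_debug)
+		printf("Mounting read-only /proc/sys\n");
 	if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0 ||
 		mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
 		errExit("mounting /proc/sys");
@@ -698,7 +694,8 @@ void fs_proc_sys_dev_boot(void) {
 	/* Mount a version of /sys that describes the network namespace */
 	if (arg_debug)
 		printf("Remounting /sys directory\n");
-	// if this is an overlay, don't try to unmount, just mount a new sysfs
+	// sysfs not yet mounted in overlays, so don't try to unmount it
+	// expect that unmounting /sys fails in a chroot, no need to print a warning in that case
 	if (!arg_overlay) {
 		if (umount2("/sys", MNT_DETACH) < 0 && !cfg.chrootdir)
 			fwarning("failed to unmount /sys\n");
@@ -1176,6 +1173,15 @@ void fs_overlayfs(void) {
 		errExit("mounting /tmp");
 	fs_logger("whitelist /tmp");
 
+	// mount a new proc filesystem
+	if (arg_debug)
+		printf("Mounting /proc\n");
+	char *proc;
+	if (asprintf(&proc, "%s/proc", oroot) == -1)
+		errExit("asprintf");
+	if (mount("proc", proc, "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
+		errExit("mounting /proc");
+
 	// chroot in the new filesystem
 #ifdef HAVE_GCOV
 	__gcov_flush();
@@ -1210,6 +1216,7 @@ void fs_overlayfs(void) {
 	free(dev);
 	free(run);
 	free(tmp);
+	free(proc);
 }
 #endif
 
@@ -1380,6 +1387,16 @@ void fs_chroot(const char *rootdir) {
 		errExit("mounting /dev");
 	free(newdev);
 
+	// mount a new proc filesystem
+	char *newproc;
+	if (asprintf(&newproc, "%s/proc", rootdir) == -1)
+		errExit("asprintf");
+	if (arg_debug)
+		printf("Mounting /proc filesystem on %s\n", newproc);
+	if (mount("proc", newproc, "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
+		errExit("mounting /proc");
+	free(newproc);
+
 	// x11
 	if (getenv("FIREJAIL_X11")) {
 		char *newx11;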
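Review bot: The new procfs mount in fs_chroot targets `newproc`, built from the caller-supplied rootdir, without confirming that `rootdir/proc` is a plain directory rather than a symlink, which mount(2) would follow; since these mounts run with firejail's elevated privileges, if the chroot directory is not validated before this point (not visible in this hunk) a crafted chroot tree could redirect where procfs lands. The /dev mount just above the hunk follows the same unchecked pattern, so a check placed after the asprintf, `struct stat s; if (lstat(newproc, &s) != 0 || !S_ISDIR(s.st_mode)) errExit("chroot /proc is not a directory");`, would be worth applying to both. Separately, MS_REC has no effect on a fresh procfs mount (it only matters for bind mounts), so dropping it here and in the matching fs_overlayfs mount would make the intended nosuid/noexec/nodev hardening easier to read. Note that with the old remount removed from fs_proc_sys_dev_boot, the plain (non-chroot, non-overlay) sandbox now depends on /proc being mounted with those same flags elsewhere, which this diff does not show. fs_chroot continues past the end of the hunk.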