1 files changed, 19 insertions, 7 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 4ae7dbfa4..5ac2da164 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -18,6 +18,7 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "firejail.h"
+#include "../include/gcov_wrapper.h"
 #include <sys/mount.h>
 #include <sys/stat.h>
 #include <sys/statvfs.h>
@@ -33,10 +34,6 @@
 #define O_PATH 010000000
 #endif
-#ifdef HAVE_GCOV
-#include <gcov.h>
-#endif
 #define MAX_BUF 4096
 #define EMPTY_STRING ("")
 // check noblacklist statements not matched by a proper blacklist in disable-*.inc files
@@ -165,6 +162,19 @@ static void disable_file(OPERATION op, const char *filename) {
                                fs_logger2("blacklist", fname);
                        else
                                fs_logger2("blacklist-nolog", fname);
+                        // files in /etc will be reprocessed during /etc rebuild
+                        if (strncmp(fname, "/etc/", 5) == 0) {
+                                ProfileEntry *prf = malloc(sizeof(ProfileEntry));
+                                if (!prf)
+                                        errExit("malloc");
+                                memset(prf, 0, sizeof(ProfileEntry));
+                                prf->data = strdup(fname);
+                                if (!prf->data)
+                                        errExit("strdup");
+                                prf->next = cfg.profile_rebuild_etc;
+                                cfg.profile_rebuild_etc = prf;
+                        }
                }
        }
        else if (op == MOUNT_READONLY || op == MOUNT_RDWR || op == MOUNT_NOEXEC) {
@@ -492,7 +502,7 @@ void fs_tmpfs(const char *dir, unsigned check_owner) {
        struct statvfs buf;
        if (fstatvfs(fd, &buf) == -1)
                errExit("fstatvfs");
-        unsigned long flags = buf.f_flag & ~(MS_RDONLY|MS_BIND);
+        unsigned long flags = buf.f_flag & ~(MS_RDONLY|MS_BIND|MS_REMOUNT);
        // mount via the symbolic link in /proc/self/fd
        EUID_ROOT();
        char *proc;
@@ -1213,9 +1223,8 @@ void fs_overlayfs(void) {
        fs_logger("whitelist /tmp");
        // chroot in the new filesystem
-#ifdef HAVE_GCOV
        __gcov_flush();
-#endif
        if (chroot(oroot) == -1)
                errExit("chroot");
@@ -1281,6 +1290,9 @@ void fs_private_tmp(void) {
        // read-only x11 directory
        profile_add("read-only /tmp/.X11-unix");
+        // whitelist sndio directory
+        profile_add("whitelist /tmp/sndio");
        // whitelist any pulse* file in /tmp directory
        // some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user
        DIR *dir;

diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 4ae7dbfa4..5ac2da164 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -18,6 +18,7 @@
18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.	18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19	*/	19	*/
20	#include "firejail.h"	20	#include "firejail.h"
		21	#include "../include/gcov_wrapper.h"
21	#include <sys/mount.h>	22	#include <sys/mount.h>
22	#include <sys/stat.h>	23	#include <sys/stat.h>
23	#include <sys/statvfs.h>	24	#include <sys/statvfs.h>
@@ -33,10 +34,6 @@
33	#define O_PATH 010000000	34	#define O_PATH 010000000
34	#endif	35	#endif
35		36
36	#ifdef HAVE_GCOV
37	#include <gcov.h>
38	#endif
39
40	#define MAX_BUF 4096	37	#define MAX_BUF 4096
41	#define EMPTY_STRING ("")	38	#define EMPTY_STRING ("")
42	// check noblacklist statements not matched by a proper blacklist in disable-*.inc files	39	// check noblacklist statements not matched by a proper blacklist in disable-*.inc files
@@ -165,6 +162,19 @@ static void disable_file(OPERATION op, const char *filename) {
165	fs_logger2("blacklist", fname);	162	fs_logger2("blacklist", fname);
166	else	163	else
167	fs_logger2("blacklist-nolog", fname);	164	fs_logger2("blacklist-nolog", fname);
		165
		166	// files in /etc will be reprocessed during /etc rebuild
		167	if (strncmp(fname, "/etc/", 5) == 0) {
		168	ProfileEntry *prf = malloc(sizeof(ProfileEntry));
		169	if (!prf)
		170	errExit("malloc");
		171	memset(prf, 0, sizeof(ProfileEntry));
		172	prf->data = strdup(fname);
		173	if (!prf->data)
		174	errExit("strdup");
		175	prf->next = cfg.profile_rebuild_etc;
		176	cfg.profile_rebuild_etc = prf;
		177	}
168	}	178	}
169	}	179	}
170	else if (op == MOUNT_READONLY \|\| op == MOUNT_RDWR \|\| op == MOUNT_NOEXEC) {	180	else if (op == MOUNT_READONLY \|\| op == MOUNT_RDWR \|\| op == MOUNT_NOEXEC) {
@@ -492,7 +502,7 @@ void fs_tmpfs(const char *dir, unsigned check_owner) {
492	struct statvfs buf;	502	struct statvfs buf;
493	if (fstatvfs(fd, &buf) == -1)	503	if (fstatvfs(fd, &buf) == -1)
494	errExit("fstatvfs");	504	errExit("fstatvfs");
495	unsigned long flags = buf.f_flag & ~(MS_RDONLY\|MS_BIND);	505	unsigned long flags = buf.f_flag & ~(MS_RDONLY\|MS_BIND\|MS_REMOUNT);
496	// mount via the symbolic link in /proc/self/fd	506	// mount via the symbolic link in /proc/self/fd
497	EUID_ROOT();	507	EUID_ROOT();
498	char *proc;	508	char *proc;
@@ -1213,9 +1223,8 @@ void fs_overlayfs(void) {
1213	fs_logger("whitelist /tmp");	1223	fs_logger("whitelist /tmp");
1214		1224
1215	// chroot in the new filesystem	1225	// chroot in the new filesystem
1216	#ifdef HAVE_GCOV
1217	__gcov_flush();	1226	__gcov_flush();
1218	#endif	1227
1219	if (chroot(oroot) == -1)	1228	if (chroot(oroot) == -1)
1220	errExit("chroot");	1229	errExit("chroot");
1221		1230
@@ -1281,6 +1290,9 @@ void fs_private_tmp(void) {
1281	// read-only x11 directory	1290	// read-only x11 directory
1282	profile_add("read-only /tmp/.X11-unix");	1291	profile_add("read-only /tmp/.X11-unix");
1283		1292
		1293	// whitelist sndio directory
		1294	profile_add("whitelist /tmp/sndio");
		1295
1284	// whitelist any pulse* file in /tmp directory	1296	// whitelist any pulse* file in /tmp directory
1285	// some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user	1297	// some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user
1286	DIR *dir;	1298	DIR *dir;