diff options
Diffstat (limited to 'src/firejail/restrict_users.c')
| -rw-r--r-- | src/firejail/restrict_users.c | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index 5c5ace90b..ee2e497cb 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c | |||
| @@ -25,9 +25,13 @@ | |||
| 25 | #include <fnmatch.h> | 25 | #include <fnmatch.h> |
| 26 | #include <glob.h> | 26 | #include <glob.h> |
| 27 | #include <dirent.h> | 27 | #include <dirent.h> |
| 28 | #include <fcntl.h> | ||
| 29 | #include <errno.h> | 28 | #include <errno.h> |
| 30 | 29 | ||
| 30 | #include <fcntl.h> | ||
| 31 | #ifndef O_PATH | ||
| 32 | # define O_PATH 010000000 | ||
| 33 | #endif | ||
| 34 | |||
| 31 | #define MAXBUF 1024 | 35 | #define MAXBUF 1024 |
| 32 | 36 | ||
| 33 | // linked list of users | 37 | // linked list of users |
| @@ -79,8 +83,16 @@ static void sanitize_home(void) { | |||
| 79 | errExit("mkdir"); | 83 | errExit("mkdir"); |
| 80 | 84 | ||
| 81 | // keep a copy of the user home directory | 85 | // keep a copy of the user home directory |
| 82 | if (mount(cfg.homedir, RUN_WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 86 | int fd = safe_fd(cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); |
| 87 | if (fd == -1) | ||
| 88 | errExit("safe_fd"); | ||
| 89 | char *proc; | ||
| 90 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | ||
| 91 | errExit("asprintf"); | ||
| 92 | if (mount(proc, RUN_WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
| 83 | errExit("mount bind"); | 93 | errExit("mount bind"); |
| 94 | free(proc); | ||
| 95 | close(fd); | ||
| 84 | 96 | ||
| 85 | // mount tmpfs in the new home | 97 | // mount tmpfs in the new home |
| 86 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) | 98 | if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0) |