Diffstat (limited to 'src/firejail/restrict_users.c')
-rw-r--r-- | src/firejail/restrict_users.c | 16 |
1 files changed, 14 insertions, 2 deletions
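--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -25,9 +25,13 @@
 #include <fnmatch.h>
 #include <glob.h>
 #include <dirent.h>
-#include <fcntl.h>
 #include <errno.h>
 
+#include <fcntl.h>
+#ifndef O_PATH
+# define O_PATH 010000000
+#endif
+
 #define MAXBUF 1024
 
 // linked list of users
@@ -79,8 +83,16 @@ static void sanitize_home(void) {
 errExit("mkdir");
 
 // keep a copy of the user home directory
-if (mount(cfg.homedir, RUN_WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
+int fd = safe_fd(cfg.homedir, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
+if (fd == -1)
+errExit("safe_fd");
+char *proc;
+if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+errExit("asprintf");
+if (mount(proc, RUN_WHITELIST_HOME_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
 errExit("mount bind");
+free(proc);
+close(fd);
 
 // mount tmpfs in the new home
 if (mount("tmpfs", "/home", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0)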
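Review bot: The fallback `# define O_PATH 010000000` in the first hunk hard-codes the asm-generic value, but alpha, parisc and sparc use a different bit for O_PATH, so on a build where <fcntl.h> does not supply the macro the flags passed to safe_fd() in sanitize_home() could mean something else and the path-only handle this change relies on would not be obtained. I would either fail the build instead (`# error "O_PATH not provided by <fcntl.h>"`) or at least document the limit with `// asm-generic value; differs on alpha, parisc and sparc`. A line above the new mount() call would also help the next reader, for example `// bind-mount via /proc/self/fd so the mount acts on the directory already opened with O_NOFOLLOW, not on a path that can be swapped`. sanitize_home() begins and ends outside the second hunk and safe_fd() is not visible here, so its handling of intermediate path components is assumed rather than checked.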