diff options
Diffstat (limited to 'src/firejail/restrict_users.c')
| -rw-r--r-- | src/firejail/restrict_users.c | 22 |
1 files changed, 12 insertions, 10 deletions
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index 53e395b89..6f17231a4 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c | |||
| @@ -104,12 +104,8 @@ static void sanitize_home(void) { | |||
| 104 | selinux_relabel_path(cfg.homedir, cfg.homedir); | 104 | selinux_relabel_path(cfg.homedir, cfg.homedir); |
| 105 | 105 | ||
| 106 | // bring back real user home directory | 106 | // bring back real user home directory |
| 107 | char *proc; | 107 | if (bind_mount_fd_to_path(fd, cfg.homedir)) |
| 108 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | ||
| 109 | errExit("asprintf"); | ||
| 110 | if (mount(proc, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
| 111 | errExit("mount bind"); | 108 | errExit("mount bind"); |
| 112 | free(proc); | ||
| 113 | close(fd); | 109 | close(fd); |
| 114 | 110 | ||
| 115 | if (!arg_private) | 111 | if (!arg_private) |
| @@ -154,12 +150,8 @@ static void sanitize_run(void) { | |||
| 154 | selinux_relabel_path(runuser, runuser); | 150 | selinux_relabel_path(runuser, runuser); |
| 155 | 151 | ||
| 156 | // bring back real run/user/$UID directory | 152 | // bring back real run/user/$UID directory |
| 157 | char *proc; | 153 | if (bind_mount_fd_to_path(fd, runuser)) |
| 158 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | ||
| 159 | errExit("asprintf"); | ||
| 160 | if (mount(proc, runuser, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
| 161 | errExit("mount bind"); | 154 | errExit("mount bind"); |
| 162 | free(proc); | ||
| 163 | close(fd); | 155 | close(fd); |
| 164 | 156 | ||
| 165 | fs_logger2("whitelist", runuser); | 157 | fs_logger2("whitelist", runuser); |
| @@ -246,6 +238,11 @@ static void sanitize_passwd(void) { | |||
| 246 | // mount-bind tne new password file | 238 | // mount-bind tne new password file |
| 247 | if (mount(RUN_PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0) | 239 | if (mount(RUN_PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0) |
| 248 | errExit("mount"); | 240 | errExit("mount"); |
| 241 | |||
| 242 | // blacklist RUN_PASSWD_FILE | ||
| 243 | if (mount(RUN_RO_FILE, RUN_PASSWD_FILE, "none", MS_BIND, "mode=400,gid=0") < 0) | ||
| 244 | errExit("mount"); | ||
| 245 | |||
| 249 | fs_logger("create /etc/passwd"); | 246 | fs_logger("create /etc/passwd"); |
| 250 | 247 | ||
| 251 | return; | 248 | return; |
| @@ -376,6 +373,11 @@ static void sanitize_group(void) { | |||
| 376 | // mount-bind tne new group file | 373 | // mount-bind tne new group file |
| 377 | if (mount(RUN_GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0) | 374 | if (mount(RUN_GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0) |
| 378 | errExit("mount"); | 375 | errExit("mount"); |
| 376 | |||
| 377 | // blacklist RUN_GROUP_FILE | ||
| 378 | if (mount(RUN_RO_FILE, RUN_GROUP_FILE, "none", MS_BIND, "mode=400,gid=0") < 0) | ||
| 379 | errExit("mount"); | ||
| 380 | |||
| 379 | fs_logger("create /etc/group"); | 381 | fs_logger("create /etc/group"); |
| 380 | 382 | ||
| 381 | return; | 383 | return; |