diff options
Diffstat (limited to 'src/firejail/restrict_users.c')
-rw-r--r-- | src/firejail/restrict_users.c | 22 |
1 files changed, 12 insertions, 10 deletions
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index 53e395b89..6f17231a4 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c | |||
@@ -104,12 +104,8 @@ static void sanitize_home(void) { | |||
104 | selinux_relabel_path(cfg.homedir, cfg.homedir); | 104 | selinux_relabel_path(cfg.homedir, cfg.homedir); |
105 | 105 | ||
106 | // bring back real user home directory | 106 | // bring back real user home directory |
107 | char *proc; | 107 | if (bind_mount_fd_to_path(fd, cfg.homedir)) |
108 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | ||
109 | errExit("asprintf"); | ||
110 | if (mount(proc, cfg.homedir, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
111 | errExit("mount bind"); | 108 | errExit("mount bind"); |
112 | free(proc); | ||
113 | close(fd); | 109 | close(fd); |
114 | 110 | ||
115 | if (!arg_private) | 111 | if (!arg_private) |
@@ -154,12 +150,8 @@ static void sanitize_run(void) { | |||
154 | selinux_relabel_path(runuser, runuser); | 150 | selinux_relabel_path(runuser, runuser); |
155 | 151 | ||
156 | // bring back real run/user/$UID directory | 152 | // bring back real run/user/$UID directory |
157 | char *proc; | 153 | if (bind_mount_fd_to_path(fd, runuser)) |
158 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | ||
159 | errExit("asprintf"); | ||
160 | if (mount(proc, runuser, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
161 | errExit("mount bind"); | 154 | errExit("mount bind"); |
162 | free(proc); | ||
163 | close(fd); | 155 | close(fd); |
164 | 156 | ||
165 | fs_logger2("whitelist", runuser); | 157 | fs_logger2("whitelist", runuser); |
@@ -246,6 +238,11 @@ static void sanitize_passwd(void) { | |||
246 | // mount-bind tne new password file | 238 | // mount-bind tne new password file |
247 | if (mount(RUN_PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0) | 239 | if (mount(RUN_PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0) |
248 | errExit("mount"); | 240 | errExit("mount"); |
241 | |||
242 | // blacklist RUN_PASSWD_FILE | ||
243 | if (mount(RUN_RO_FILE, RUN_PASSWD_FILE, "none", MS_BIND, "mode=400,gid=0") < 0) | ||
244 | errExit("mount"); | ||
245 | |||
249 | fs_logger("create /etc/passwd"); | 246 | fs_logger("create /etc/passwd"); |
250 | 247 | ||
251 | return; | 248 | return; |
@@ -376,6 +373,11 @@ static void sanitize_group(void) { | |||
376 | // mount-bind tne new group file | 373 | // mount-bind tne new group file |
377 | if (mount(RUN_GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0) | 374 | if (mount(RUN_GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0) |
378 | errExit("mount"); | 375 | errExit("mount"); |
376 | |||
377 | // blacklist RUN_GROUP_FILE | ||
378 | if (mount(RUN_RO_FILE, RUN_GROUP_FILE, "none", MS_BIND, "mode=400,gid=0") < 0) | ||
379 | errExit("mount"); | ||
380 | |||
379 | fs_logger("create /etc/group"); | 381 | fs_logger("create /etc/group"); |
380 | 382 | ||
381 | return; | 383 | return; |