Diffstat (limited to 'src/firejail/sandbox.c')
-rw-r--r--src/firejail/sandbox.c25
1 files changed, 23 insertions, 2 deletions
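--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -969,8 +969,29 @@ int sandbox(void* sandbox_arg) {
 else if (arg_overlay)
 fwarning("private-etc feature is disabled in overlay\n");
 else {
-fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep);
-fs_private_dir_list("/usr/etc", RUN_USR_ETC_DIR, cfg.etc_private_keep); // openSUSE
+/* Current /etc/passwd and /etc/group files are bind
+ * mounted filtered versions of originals. Leaving
+ * them underneath private-etc mount causes problems
+ * in devices with older kernels, e.g. attempts to
+ * update the real /etc/passwd file yield EBUSY.
+ *
+ * As we do want to retain filtered /etc content:
+ * 1. duplicate /etc content to RUN_ETC_DIR
+ * 2. unmount bind mounts from /etc
+ * 3. mount RUN_ETC_DIR at /etc
+ */
+fs_private_dir_copy("/etc", RUN_ETC_DIR, cfg.etc_private_keep);
+fs_private_dir_copy("/usr/etc", RUN_USR_ETC_DIR, cfg.etc_private_keep); // openSUSE
+
+if (umount2("/etc/group", MNT_DETACH) == -1)
+fprintf(stderr, "/etc/group: unmount: %m\n");
+
+if (umount2("/etc/passwd", MNT_DETACH) == -1)
+fprintf(stderr, "/etc/passwd: unmount: %m\n");
+
+fs_private_dir_mount("/etc", RUN_ETC_DIR);
+fs_private_dir_mount("/usr/etc", RUN_USR_ETC_DIR);
+
 // create /etc/ld.so.preload file again
 if (need_preload)
 fs_trace_preload();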
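Review bot: The two new umount2() failure paths report through a bare `fprintf(stderr, "...: %m\n")` while the rest of this block (and the `arg_overlay` branch right above it) reports through fwarning(), so these messages bypass whatever verbosity handling fwarning applies; `fwarning("/etc/group: unmount: %m\n");` and `fwarning("/etc/passwd: unmount: %m\n");` would keep the block consistent. The detaches are also unconditional: the comment states the filtered passwd/group bind mounts are present, but nothing in the hunk checks that, so if they were not set up in this configuration (cannot tell from here) umount2 fails with EINVAL and the sandbox prints a spurious error on every start. Since a failed detach is tolerated and the private-etc mount is then placed over /etc anyway, a short comment saying the failure is deliberately non-fatal — e.g. `/* non-fatal: RUN_ETC_DIR is mounted over /etc below regardless */` — would make the intent explicit. The enclosing sandbox() begins and ends outside the hunk.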