Diffstat (limited to 'src/firejail/sandbox.c')
-rw-r--r-- | src/firejail/sandbox.c | 25 |
1 files changed, 23 insertions, 2 deletions
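--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -969,8 +969,29 @@ int sandbox(void* sandbox_arg) {
 else if (arg_overlay)
 fwarning("private-etc feature is disabled in overlay\n");
 else {
-fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep);
-fs_private_dir_list("/usr/etc", RUN_USR_ETC_DIR, cfg.etc_private_keep); // openSUSE
+/* Current /etc/passwd and /etc/group files are bind
+ * mounted filtered versions of originals. Leaving
+ * them underneath private-etc mount causes problems
+ * in devices with older kernels, e.g. attempts to
+ * update the real /etc/passwd file yield EBUSY.
+ *
+ * As we do want to retain filtered /etc content:
+ * 1. duplicate /etc content to RUN_ETC_DIR
+ * 2. unmount bind mounts from /etc
+ * 3. mount RUN_ETC_DIR at /etc
+ */
+fs_private_dir_copy("/etc", RUN_ETC_DIR, cfg.etc_private_keep);
+fs_private_dir_copy("/usr/etc", RUN_USR_ETC_DIR, cfg.etc_private_keep); // openSUSE
+
+if (umount2("/etc/group", MNT_DETACH) == -1)
+fprintf(stderr, "/etc/group: unmount: %m\n");
+
+if (umount2("/etc/passwd", MNT_DETACH) == -1)
+fprintf(stderr, "/etc/passwd: unmount: %m\n");
+
+fs_private_dir_mount("/etc", RUN_ETC_DIR);
+fs_private_dir_mount("/usr/etc", RUN_USR_ETC_DIR);
+
 // create /etc/ld.so.preload file again
 if (need_preload)
 fs_trace_preload();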
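Review bot: A failed umount2() of /etc/group or /etc/passwd is only printed and then ignored, so fs_private_dir_mount() still overlays RUN_ETC_DIR on /etc with the undetached filtered file left mounted beneath it — exactly the state the new comment says causes EBUSY on older kernels — and nothing tells a reader that this outcome is accepted. The reporting is also inconsistent with the branch it sits in, which uses fwarning() two lines above rather than a raw fprintf(stderr, ...). If the failure is meant to be non-fatal, say so in the comment and route it through the existing helper, e.g. `/* best effort: a leftover bind mount beneath /etc only matters on older kernels */` followed by `fwarning("/etc/group: unmount: %m\n");` and likewise for /etc/passwd; if it is not acceptable, this should be treated like the other mount failures in this function. The comment also says step 2 unmounts "bind mounts from /etc" while the code detaches only those two files, so it is presumably worth stating that any other bind mounts under /etc are intentionally left in place. The enclosing sandbox() function starts and ends outside the hunk.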