Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs.c | 21 |
1 files changed, 13 insertions, 8 deletions
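--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -153,15 +153,20 @@ static void disable_file(OPERATION op, const char *filename, const char *emptydi
 
 // modify the file
 if (op == BLACKLIST_FILE) {
-if (arg_debug)
-printf("Disable %s\n", fname);
-if (S_ISDIR(s.st_mode)) {
-if (mount(emptydir, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
-errExit("disable file");
-}
+// some distros put all executables under /usr/bin and make /bin a symbolic link
+if (is_link(filename) && S_ISDIR(s.st_mode))
+fprintf(stderr, "Warning: %s directory link was not blacklisted\n", filename);
 else {
-if (mount(emptyfile, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
-errExit("disable file");
+if (arg_debug)
+printf("Disable %s\n", fname);
+if (S_ISDIR(s.st_mode)) {
+if (mount(emptydir, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+errExit("disable file");
+}
+else {
+if (mount(emptyfile, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+errExit("disable file");
+}
 }
 }
 else if (op == MOUNT_READONLY) {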
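Review bot: The new `is_link(filename) && S_ISDIR(s.st_mode)` branch skips the bind mount for every blacklist entry that is a symbolic link to a directory, not only for the `/bin` to `/usr/bin` layout the comment gives as the reason, so a profile line naming any such link now leaves its target accessible inside the sandbox with nothing more than a stderr warning. Because `fname` and `s` are set outside the hunk, I am assuming `s` describes the resolved target; if that holds, the exemption should be limited to the system directories it was written for, or the skip should be fatal unless the user has explicitly opted in. At minimum the comment should state what is given up, for example `// NOTE: a blacklisted directory symlink is skipped entirely; its target stays accessible in the sandbox`. The body of disable_file starts and ends outside the hunk.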