Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/chroot.c | 19 | ||||
-rw-r--r-- | src/firejail/fs.c | 22 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 10 |
3 files changed, 18 insertions, 33 deletions
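--- a/src/firejail/chroot.c
+++ b/src/firejail/chroot.c
@@ -164,19 +164,6 @@ void fs_chroot(const char *rootdir) {
 free(proc);
 close(fd);
 
-// mount a brand new proc filesystem
-if (arg_debug)
-printf("Mounting /proc filesystem on chroot /proc\n");
-fd = openat(parentfd, "proc", O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
-if (fd == -1)
-errExit("open");
-if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
-errExit("asprintf");
-if (mount("proc", proc, "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
-errExit("mounting /proc");
-free(proc);
-close(fd);
-
 // x11
 if (getenv("FIREJAIL_X11")) {
 if (arg_debug)
@@ -259,6 +246,12 @@ void fs_chroot(const char *rootdir) {
 // create all other /run/firejail files and directories
 preproc_build_firejail_dir();
 
+// mount a new proc filesystem
+if (arg_debug)
+printf("Mounting /proc filesystem representing the PID namespace\n");
+if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
+errExit("mounting /proc");
+
 // update /var directory in order to support multiple sandboxes running on the same root directory
 // if (!arg_private_dev)
 // fs_dev_shm();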
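Review bot: The added `mount("proc", "/proc", "proc", ...)` at new lines 249-253 resolves its target by path, while the removed block opened `proc` relative to `parentfd` with `O_DIRECTORY|O_NOFOLLOW` and mounted through `/proc/self/fd/%d`, so a symlink named `proc` in the caller-supplied `rootdir` was refused. mount(2) follows symlinks in its target; resolution stays inside the new root once chroot() has run (that call is outside this hunk), but the mount could presumably still land on another directory of the chroot unless `proc` is validated elsewhere. If an earlier check already guarantees a real directory, say so at the call site with a comment such as `// rootdir/proc was checked to be a real directory (not a symlink) before chroot()`; otherwise an fd-based check like the removed `openat()` should be kept ahead of the mount. fs_chroot begins and ends outside the hunk.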
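--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -725,6 +725,12 @@ void disable_config(void) {
 void fs_basic_fs(void) {
 uid_t uid = getuid();
 
+// mount a new proc filesystem
+if (arg_debug)
+printf("Mounting /proc filesystem representing the PID namespace\n");
+if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
+errExit("mounting /proc");
+
 if (arg_debug)
 printf("Basic read-only filesystem:\n");
 if (!arg_writable_etc) {
@@ -1077,15 +1083,6 @@ void fs_overlayfs(void) {
 errExit("mounting /tmp");
 fs_logger("whitelist /tmp");
 
-// mount a new proc filesystem
-if (arg_debug)
-printf("Mounting /proc\n");
-char *proc;
-if (asprintf(&proc, "%s/proc", oroot) == -1)
-errExit("asprintf");
-if (mount("proc", proc, "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
-errExit("mounting /proc");
-
 // chroot in the new filesystem
 #ifdef HAVE_GCOV
 __gcov_flush();
@@ -1093,6 +1090,12 @@ void fs_overlayfs(void) {
 if (chroot(oroot) == -1)
 errExit("chroot");
 
+// mount a new proc filesystem
+if (arg_debug)
+printf("Mounting /proc filesystem representing the PID namespace\n");
+if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
+errExit("mounting /proc");
+
 // update /var directory in order to support multiple sandboxes running on the same root directory
 // if (!arg_private_dev)
 // fs_dev_shm();
@@ -1120,7 +1123,6 @@ void fs_overlayfs(void) {
 free(dev);
 free(run);
 free(tmp);
-free(proc);
 }
 #endif
 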
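Review bot: The proc mount block is now repeated verbatim in fs_basic_fs (new lines 728-732), in fs_overlayfs (new lines 1093-1097) and in fs_chroot in chroot.c, so the `MS_NOSUID | MS_NOEXEC | MS_NODEV` hardening flags can drift between sandbox modes in a later edit. One shared helper holding the debug message, the mount() call and the errExit() would keep the three modes identical. None of the copies records why its position matters; in fs_overlayfs the mount now sits after `chroot(oroot)`, and a comment such as `// mounted after chroot() so the target is /proc of the final root` (reason inferred from the move, to be confirmed) would stop it being shifted back. Both functions extend beyond the hunks shown.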
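--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -627,16 +627,6 @@ int sandbox(void* sandbox_arg) {
 errExit("mounting " RUN_FIREJAIL_LIB_DIR);
 
 //****************************
-// mount new proc filesystem
-// representing the pid namespace
-//****************************
-
-if (arg_debug)
-printf("Remounting /proc filesystem\n");
-if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
-errExit("mounting /proc");
-
-//****************************
 // log sandbox data
 //****************************
 if (cfg.name)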