From 2581e3073bdcae1575fbbc006e6de0f5b69559eb Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Sun, 13 Oct 2019 04:12:19 +0200
Subject: postpone procfs mount until after chroot call

issue #2301
---
 src/firejail/chroot.c | 19 ++++++-------------
 src/firejail/fs.c | 22 ++++++++++++----------
 src/firejail/sandbox.c | 10 ----------
 3 files changed, 18 insertions(+), 33 deletions(-)

diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c
index 1cc619c20..9ebbcea1a 100644
--- a/src/firejail/chroot.c
+++ b/src/firejail/chroot.c
@@ -164,19 +164,6 @@ void fs_chroot(const char *rootdir) {
 free(proc);
 close(fd);
 
- // mount a brand new proc filesystem
- if (arg_debug)
- printf("Mounting /proc filesystem on chroot /proc\n");
- fd = openat(parentfd, "proc", O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
- if (fd == -1)
- errExit("open");
- if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
- errExit("asprintf");
- if (mount("proc", proc, "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
- errExit("mounting /proc");
- free(proc);
- close(fd);
-
 // x11
 if (getenv("FIREJAIL_X11")) {
 if (arg_debug)
@@ -259,6 +246,12 @@ void fs_chroot(const char *rootdir) {
 // create all other /run/firejail files and directories
 preproc_build_firejail_dir();
 
+ // mount a new proc filesystem
+ if (arg_debug)
+ printf("Mounting /proc filesystem representing the PID namespace\n");
+ if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
+ errExit("mounting /proc");
+
 // update /var directory in order to support multiple sandboxes running on the same root directory
 // if (!arg_private_dev)
 // fs_dev_shm();
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 003b15605..4fde3d661 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
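Review bot: In the second fs_chroot hunk the new `mount("proc", "/proc", ...)` resolves its target by name, where the block removed in the first hunk opened `proc` under `parentfd` with `O_NOFOLLOW` and mounted through `/proc/self/fd/N`. A symlink at `/proc` inside the caller-supplied rootdir would now be followed, and only the earlier chroot() keeps the result inside that root; whether the directory is validated before this point is not visible here. I would state that dependency next to the call, e.g. `// must run after chroot(): "/proc" is resolved inside the new root and symlinks are followed`, so a later reordering does not bring back a path-based mount outside the chroot. fs_chroot starts and ends outside both hunks.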
@@ -725,6 +725,12 @@ void disable_config(void) {
 void fs_basic_fs(void) {
 uid_t uid = getuid();
 
+ // mount a new proc filesystem
+ if (arg_debug)
+ printf("Mounting /proc filesystem representing the PID namespace\n");
+ if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
+ errExit("mounting /proc");
+
 if (arg_debug)
 printf("Basic read-only filesystem:\n");
 if (!arg_writable_etc) {
@@ -1077,15 +1083,6 @@ void fs_overlayfs(void) {
 errExit("mounting /tmp");
 fs_logger("whitelist /tmp");
 
- // mount a new proc filesystem
- if (arg_debug)
- printf("Mounting /proc\n");
- char *proc;
- if (asprintf(&proc, "%s/proc", oroot) == -1)
- errExit("asprintf");
- if (mount("proc", proc, "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
- errExit("mounting /proc");
-
 // chroot in the new filesystem
 #ifdef HAVE_GCOV
 __gcov_flush();
@@ -1093,6 +1090,12 @@ void fs_overlayfs(void) {
 if (chroot(oroot) == -1)
 errExit("chroot");
 
+ // mount a new proc filesystem
+ if (arg_debug)
+ printf("Mounting /proc filesystem representing the PID namespace\n");
+ if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
+ errExit("mounting /proc");
+
 // update /var directory in order to support multiple sandboxes running on the same root directory
 // if (!arg_private_dev)
 // fs_dev_shm();
@@ -1120,7 +1123,6 @@ void fs_overlayfs(void) {
 free(dev);
 free(run);
 free(tmp);
- free(proc);
 }
 #endif
 
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 80b595a9f..995e98f9f 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
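Review bot: With the unconditional mount dropped from sandbox() in the sandbox.c hunk, the block added at the top of fs_basic_fs is the only place a procfs for the new PID namespace gets mounted on the non-chroot, non-overlay path. If sandbox() has any branch that calls none of fs_basic_fs, fs_overlayfs or fs_chroot, the process would keep the procfs it inherited, which presumably still lists processes outside the namespace; the call sites are outside this diff, so this needs checking. A comment on the added block would make the contract explicit: `// every filesystem setup path must mount its own /proc; sandbox() no longer does it`. fs_basic_fs continues past the end of the hunk.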
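Review bot: The five lines added after `chroot(oroot)` in fs_overlayfs are a verbatim copy of the blocks added to fs_basic_fs in the first fs.c hunk and to fs_chroot in chroot.c, so the mount flags now live in three places. A single shared helper called from all three (for example `fs_mount_proc();`, the name is only a suggestion) would keep `MS_NOSUID | MS_NOEXEC | MS_NODEV` from drifting apart between the chroot, overlay and plain paths. `MS_REC` could probably be dropped at the same time, since mount(2) describes it for bind mounts and propagation changes rather than for a fresh mount. fs_overlayfs begins before this hunk and ends in the last fs.c hunk.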
@@ -626,16 +626,6 @@ int sandbox(void* sandbox_arg) {
 if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, "none", MS_BIND, NULL) < 0)
 errExit("mounting " RUN_FIREJAIL_LIB_DIR);
 
- //****************************
- // mount new proc filesystem
- // representing the pid namespace
- //****************************
-
- if (arg_debug)
- printf("Remounting /proc filesystem\n");
- if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
- errExit("mounting /proc");
-
 //****************************
 // log sandbox data
 //****************************
--
cgit v1.2.3-70-g09d2