From 3e662f793df58fb44a26ba02193a99c26f554021 Mon Sep 17 00:00:00 2001 From: smitsohu Date: Fri, 14 Jun 2019 21:02:04 +0200 Subject: avoid running without procfs describing the pid namespace --- src/firejail/fs.c | 31 ++++++++++++++++++++++++------- src/firejail/sandbox.c | 10 ++++++++++ 2 files changed, 34 insertions(+), 7 deletions(-) diff --git a/src/firejail/fs.c b/src/firejail/fs.c index f3ef97aeb..411f2e778 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -682,13 +682,9 @@ void fs_mnt(const int enforce) { // mount /proc and /sys directories void fs_proc_sys_dev_boot(void) { - if (arg_debug) - printf("Remounting /proc and /proc/sys filesystems\n"); - if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) - errExit("mounting /proc"); - fs_logger("remount /proc"); - // remount /proc/sys readonly + if (arg_debug) + printf("Mounting read-only /proc/sys\n"); if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0 || mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) errExit("mounting /proc/sys"); @@ -698,7 +694,8 @@ void fs_proc_sys_dev_boot(void) { /* Mount a version of /sys that describes the network namespace */ if (arg_debug) printf("Remounting /sys directory\n"); - // if this is an overlay, don't try to unmount, just mount a new sysfs + // sysfs not yet mounted in overlays, so don't try to unmount it + // expect that unmounting /sys fails in a chroot, no need to print a warning in that case if (!arg_overlay) { if (umount2("/sys", MNT_DETACH) < 0 && !cfg.chrootdir) fwarning("failed to unmount /sys\n"); @@ -1176,6 +1173,15 @@ void fs_overlayfs(void) { errExit("mounting /tmp"); fs_logger("whitelist /tmp"); + // mount a new proc filesystem + if (arg_debug) + printf("Mounting /proc\n"); + char *proc; + if (asprintf(&proc, "%s/proc", oroot) == -1) + errExit("asprintf"); + if (mount("proc", proc, "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) + errExit("mounting /proc"); + // chroot in the new filesystem #ifdef HAVE_GCOV __gcov_flush(); @@ -1210,6 +1216,7 @@ void fs_overlayfs(void) { free(dev); free(run); free(tmp); + free(proc); } #endif @@ -1380,6 +1387,16 @@ void fs_chroot(const char *rootdir) { errExit("mounting /dev"); free(newdev); + // mount a new proc filesystem + char *newproc; + if (asprintf(&newproc, "%s/proc", rootdir) == -1) + errExit("asprintf"); + if (arg_debug) + printf("Mounting /proc filesystem on %s\n", newproc); + if (mount("proc", newproc, "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) + errExit("mounting /proc"); + free(newproc); + // x11 if (getenv("FIREJAIL_X11")) { char *newx11; diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 2c5c5fc12..841d57c89 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -622,6 +622,16 @@ int sandbox(void* sandbox_arg) { if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, "none", MS_BIND, NULL) < 0) errExit("mounting " RUN_FIREJAIL_LIB_DIR); + //**************************** + // mount new proc filesystem + // representing the pid namespace + //**************************** + + if (arg_debug) + printf("Remounting /proc filesystem\n"); + if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0) + errExit("mounting /proc"); + //**************************** // log sandbox data //**************************** -- cgit v1.2.3-70-g09d2