From e6e70962f87a47ea7528b48f5064b5bfcb5a555d Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Tue, 5 Sep 2017 19:02:37 +0200
Subject: remount config/pulse with noexec

---
 src/firejail/pulseaudio.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index 246ba8fd8..2f8cd5f7d 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -195,7 +195,8 @@ void pulseaudio_init(void) {
 if (asprintf(&homeusercfg, "%s/.config/pulse", cfg.homedir) == -1)
 errExit("asprintf");
 if (stat(homeusercfg, &s) == 0) {
-if (mount(RUN_PULSE_DIR, homeusercfg, "none", MS_BIND, NULL) < 0)
+if (mount(RUN_PULSE_DIR, homeusercfg, "none", MS_BIND, NULL) < 0 ||
+mount(NULL, homeusercfg, NULL, MS_NOEXEC|MS_NODEV|MS_NOSUID|MS_BIND|MS_REMOUNT, NULL) < 0)
 errExit("mount pulseaudio");
 fs_logger2("tmpfs", homeusercfg);
 }
-- 
cgit v1.2.3-54-g00ecf

From f6ac9edce2f5bc9c5e19bbd92982de731b1ba72b Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Tue, 5 Sep 2017 21:38:56 +0200
Subject: noexec is hardcoded now

---
 etc/disable-common.inc | 1 -
 1 file changed, 1 deletion(-)

diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 294ff6bcb..024a48b6b 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -309,5 +309,4 @@ blacklist /initrd*
 blacklist /vmlinuz*
 # complement noexec ${HOME} and noexec /tmp
-noexec ${HOME}/.config/pulse
 noexec /tmp/.X11-unix
-- 
cgit v1.2.3-54-g00ecf
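Review bot: Both mount() calls in the new `||` condition fall through to the same `errExit("mount pulseaudio")`, so a failure of the added MS_REMOUNT pass (the one that actually applies noexec/nodev/nosuid) is indistinguishable from a failure of the plain bind mount when a user reports it. Splitting the condition into two checked calls with distinct messages, `errExit("mount pulseaudio")` for the bind and `errExit("remount pulseaudio noexec")` for the remount, costs one extra line and keeps the abort-on-failure semantics. The two-step sequence also deserves a comment so the next maintainer does not try to fold the flags into the first call and silently lose them: `// a bind mount ignores MS_NOEXEC/MS_NODEV/MS_NOSUID; they only take effect on a MS_REMOUNT|MS_BIND pass`. pulseaudio_init's body starts and ends outside the hunk.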