From 6c7138edf75e3366cf0eed8001f59b40975231c8 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Wed, 6 Jan 2021 19:58:39 +0100
Subject: mount private-lib directories read-only avoids creating holes in the basic read-only filesystem
---
 src/firejail/fs_lib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 5cfd33b42..d5b392d71 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -165,7 +165,7 @@ void fslib_copy_dir(const char *full_path) {
 mkdir_attr(dest, 0755, 0, 0);
 if (mount(full_path, dest, NULL, MS_BIND|MS_REC, NULL) < 0 ||
- mount(NULL, dest, NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
+ mount(NULL, dest, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
 errExit("mount bind");
 fs_logger2("clone", full_path);
 fs_logger2("mount", full_path);
--
cgit v1.2.3-54-g00ecf
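Review bot: The `MS_RDONLY` added to the second `mount()` call most likely covers only the mount at `dest` itself: a `MS_BIND|MS_REMOUNT` changes the per-mount flags of that one mount, and to my knowledge `MS_REC` is not honoured on a remount, so any submounts pulled in by the preceding `MS_BIND|MS_REC` would stay writable and keep their own suid/dev settings. If a private-lib directory can contain nested mounts, those would have to be remounted one by one (or the bind made non-recursive); otherwise a comment above the call such as `/* remount changes flags on the top-level mount only; submounts keep theirs */` would record the limit. The body of fslib_copy_dir starts and ends outside the hunk, so whether `full_path` can carry submounts is not visible here.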