From e18c7cd5f54f275190d5517c6cd42acf0d3a8bbc Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Sat, 8 Aug 2020 23:42:03 +0200
Subject: mount sandbox lib directory ro,nosuid,nodev
---
 src/firejail/sandbox.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 995e98f9f..da942207e 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -623,7 +623,8 @@ int sandbox(void* sandbox_arg) {
 // ... and mount a tmpfs on top of /run/firejail/mnt directory
 preproc_mount_mnt_dir();
 // bind-mount firejail binaries and helper programs
- if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, "none", MS_BIND, NULL) < 0)
+ if (mount(LIBDIR "/firejail", RUN_FIREJAIL_LIB_DIR, NULL, MS_BIND, NULL) < 0 ||
+ mount(NULL, RUN_FIREJAIL_LIB_DIR, NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_BIND|MS_REMOUNT, NULL) < 0)
 errExit("mounting " RUN_FIREJAIL_LIB_DIR);

 //****************************
-- 
cgit v1.2.3-54-g00ecf
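Review bot: The comment above the new two-call sequence still reads `// bind-mount firejail binaries and helper programs` and does not explain why a second `mount()` follows, so a later cleanup could fold the flags back into the first call and silently lose the hardening. On the initial `MS_BIND` call the kernel ignores mount flags other than `MS_REC`, which is why `MS_RDONLY|MS_NOSUID|MS_NODEV` only take effect through the `MS_BIND|MS_REMOUNT` pass. I would extend the comment to something like `// bind-mount firejail binaries and helper programs, then remount ro,nosuid,nodev (flags are ignored on the initial bind; noexec is left off because helpers run from here)`, the noexec rationale being my inference from the existing comment. Both calls also share the single `errExit("mounting " RUN_FIREJAIL_LIB_DIR)` message, so a failed remount is indistinguishable from a failed bind in the error output. A separate message for the remount would make that case diagnosable. `sandbox()` starts and ends outside this hunk.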