From 0169ebe193abdfeddbd17a764688d5f9e7a3cb78 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sat, 20 Aug 2016 21:06:21 -0400
Subject: run time support to disable remounting of /proc and /sys
---
 src/firejail/checkcfg.c | 11 +++++++++--
 src/firejail/firejail.h | 3 ++-
 src/firejail/sandbox.c | 9 ++++++++-
 3 files changed, 19 insertions(+), 4 deletions(-)
(limited to 'src')
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index f5ea7439b..c4a6888a9 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -29,7 +29,6 @@ char *xephyr_extra_params = ""; char *netfilter_default = NULL; int checkcfg(int val) { - EUID_ASSERT(); assert(val < CFG_MAX); int line = 0;
@@ -38,7 +37,6 @@ int checkcfg(int val) { int i; for (i = 0; i < CFG_MAX; i++) cfg_val[i] = 1; // most of them are enabled by default - cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default
@@ -226,6 +224,15 @@ int checkcfg(int val) { if (strcmp(ptr + 17, "yes") == 0) arg_quiet = 1; } + // remount /proc and /sys + else if (strncmp(ptr, "remount-proc-sys ", 17) == 0) { + if (strcmp(ptr + 17, "yes") == 0) + cfg_val[CFG_REMOUNT_PROC_SYS] = 1; + else if (strcmp(ptr + 17, "no") == 0) + cfg_val[CFG_REMOUNT_PROC_SYS] = 0; + else + goto errout; + } else goto errout;
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 8301a79a0..067d788a6 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -590,7 +590,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh);
 #define CFG_FORCE_NONEWPRIVS 8
 #define CFG_WHITELIST 9
 #define CFG_XEPHYR_WINDOW_TITLE 10
-#define CFG_MAX 11 // this should always be the last entry
+#define CFG_REMOUNT_PROC_SYS 11
+#define CFG_MAX 12 // this should always be the last entry
 extern char *xephyr_screen;
 extern char *xephyr_extra_params;
 extern char *netfilter_default;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index a33c81937..0818bf450 100644
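Review bot: In src/firejail/checkcfg.c, third hunk, the comment on the new `remount-proc-sys` branch (`// remount /proc and /sys`) says neither what `no` switches off nor what the default is, which matters for an option that removes a sandbox setup step. The default is on: the initialisation loop shown in the second hunk sets every `cfg_val[i]` to 1, and no override is added for `CFG_REMOUNT_PROC_SYS`. I would write `// remount-proc-sys yes|no (default yes): "no" skips fs_proc_sys_dev_boot() in sandbox() and makes monitor_application() leave its loop before scanning /proc`. checkcfg() begins and ends outside the hunk.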
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -208,6 +208,12 @@ static int monitor_application(pid_t app_pid) { if (arg_debug) printf("Sandbox monitor: waitpid %u retval %d status %d\n", monitored_pid, rv, status); + // if /proc is not remounted, we cannot check /proc directory, + // for now we just get out of here + // todo: find another way of checking child processes! + if (!checkcfg(CFG_REMOUNT_PROC_SYS)) + break; + DIR *dir; if (!(dir = opendir("/proc"))) { // sleep 2 seconds and try again
@@ -551,7 +557,8 @@ int sandbox(void* sandbox_arg) { //**************************** // update /proc, /sys, /dev, /boot directorymy //**************************** - fs_proc_sys_dev_boot(); + if (checkcfg(CFG_REMOUNT_PROC_SYS)) + fs_proc_sys_dev_boot(); //**************************** // apply the profile file
-- cgit v1.2.3-54-g00ecf
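Review bot: In monitor_application() the new `break` leaves the monitoring loop right after the first `waitpid()` result whenever `remount-proc-sys` is `no`, so the `/proc` scan for processes still running in the sandbox never happens and the monitor can finish while descendants of the application are alive. The todo acknowledges this, but nothing at run time reports the reduced supervision. At minimum, brace the branch and log before the `break`: `if (arg_debug) printf("Sandbox monitor: /proc not remounted, not checking for remaining processes\n");`. If the monitor is the init process of the sandbox's PID namespace (not visible here), calling `waitpid(-1, &status, 0)` until it fails with `ECHILD` would track remaining children without `/proc`. The loop header and the code after the loop are outside the hunk.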
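Review bot: In sandbox() the new `if (checkcfg(CFG_REMOUNT_PROC_SYS))` gates all of `fs_proc_sys_dev_boot()`, and both the function name and the comment above the call mention /dev and /boot as well as /proc and /sys, so `remount-proc-sys no` probably disables more than its name says. The function body is not part of this diff, so this is an inference to confirm. If it holds, either split out the /proc and /sys part so only that is skipped, or rename and document the option to match. Because skipping leaves the sandbox with whatever /proc and /sys it inherited, I would also make the skip visible: `else if (arg_debug) printf("Skipping /proc, /sys, /dev, /boot setup: remount-proc-sys is disabled\n");`. sandbox() starts and ends outside the hunk.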