From 237e115d0c85120bc304c953a702d2c6ef253e95 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Wed, 24 Jan 2018 10:03:46 -0500
Subject: apparmor support for --chroot sandboxes

---
 src/firejail/fs.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 4246fbe5b..ab2958593 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1230,9 +1230,15 @@ void fs_chroot(const char *rootdir) {
 #ifdef HAVE_GCOV
 	__gcov_flush();
 #endif
+	// mount the chroot dir on top of /run/firejail/mnt/oroot in order to reuse the apparmor rules for overlay
+	// and chroot into this new directory
 	if (arg_debug)
 		printf("Chrooting into %s\n", rootdir);
-	if (chroot(rootdir) < 0)
+	char *oroot = RUN_OVERLAY_ROOT;
+	mkdir_attr(oroot, 0755, 0, 0);
+	if (mount(rootdir, oroot, NULL, MS_BIND|MS_REC, NULL) < 0)
+		errExit("mounting rootdir oroot");
+	if (chroot(oroot) < 0)
 		errExit("chroot");
 
 	// create all other /run/firejail files and directories
-- 
cgit v1.2.3-54-g00ecf
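Review bot: The bind mount on the new `mount(rootdir, oroot, ...)` line re-resolves the user-supplied `rootdir` path at use time, so any validation fs_chroot performs on that directory earlier (outside this hunk) is separated from the object actually mounted; it is worth confirming that the checked directory and the mounted one cannot differ, for instance by holding a descriptor to the validated directory across both steps. `char *oroot = RUN_OVERLAY_ROOT;` stores a string literal in a non-const pointer; `const char *oroot = RUN_OVERLAY_ROOT;` matches the `const char *rootdir` parameter and lets the compiler reject accidental writes. The added comment hard-codes `/run/firejail/mnt/oroot` while the code uses the macro, so `// mount the chroot dir on top of RUN_OVERLAY_ROOT in order to reuse the apparmor rules for overlay` keeps the two from drifting apart. The return of `mkdir_attr(oroot, 0755, 0, 0)` is not checked; if that helper reports failure by return value rather than exiting, a missing mount point would surface only as the less specific "mounting rootdir oroot" error that follows. The enclosing fs_chroot body continues outside the hunk.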