From 7a324c70bd0db2fc34c9d94edbd4c449c512d558 Mon Sep 17 00:00:00 2001
From: Topi Miettinen <toiwoton@gmail.com>
Date: Tue, 25 Jul 2017 12:02:19 +0300
Subject: /proc/sys can be nosuid,noexec,nodev

---
 src/firejail/fs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index c1de53ee5..6695fc6b4 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -515,7 +515,7 @@ void fs_proc_sys_dev_boot(void) {
 
 	// remount /proc/sys readonly
 	if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0 ||
-	    mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_REC, NULL) < 0)
+	    mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
 		errExit("mounting /proc/sys");
 	fs_logger("read-only /proc/sys");
 
-- 
cgit v1.2.3-54-g00ecf