From f439d08ca2d8abe5be7277ffa3496a032dd53558 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Thu, 28 Nov 2019 11:36:40 +0100
Subject: mask more private options runtime directories, just to be sure
---
 src/firejail/fs_etc.c | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'src')
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index eb03eb35f..082f8b4a0 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -189,5 +189,10 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
 errExit("mount bind");
 fs_logger2("mount", private_dir);
 
+ // mask private_run_dir (who knows if there are writable paths, and it is mounted exec)
+ if (mount("tmpfs", private_run_dir, "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME, "mode=755,gid=0") < 0)
+ errExit("mounting tmpfs");
+ fs_logger2("tmpfs", private_run_dir);
+
 fmessage("Private %s installed in %0.2f ms\n", private_dir, timetrace_end());
 }
-- 
cgit v1.2.3-70-g09d2
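Review bot: The masking tmpfs on the added mount() line is itself mounted without MS_NOEXEC and writable, so the "mounted exec" concern the comment names is only mitigated by the root-owned mode=755 permission bits; a sandbox that keeps uid 0 can still create and execute files under private_run_dir. Since this directory is the staging copy that has already been bind-mounted onto private_dir on the preceding lines, nothing in the sandbox should need to execute from it, so the flags can be tightened to `MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_STRICTATIME` (optionally adding MS_RDONLY as well), unless some caller relies on exec from the staging path — worth confirming against the other private-dir setups. A short comment such as `// staging copy is no longer needed once bind-mounted: mask it with an empty, non-executable tmpfs` would also state the intent more precisely than "who knows". fs_private_dir_list begins before this hunk.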