Skip to content

Commit e3f9438

Browse files
ChrysoliteAzaleaChrysoliteAzalea
committed
Fixed a bug that caused "dev" and temporary directories to be inaccessible if Landlock is enabled
Signed-off-by: ChrysoliteAzalea <charming.flurry@yandex.ru>
1 parent 53a392f commit e3f9438

File tree

1 file changed

+10
-10
lines changed

1 file changed

+10
-10
lines changed

bubblewrap.c

Lines changed: 10 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -1112,6 +1112,8 @@ privileged_op (int privileged_op_socket,
11121112

11131113
case PRIV_SEP_OP_PROC_MOUNT:
11141114
{
1115+
if (mount ("proc", arg1, "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV, NULL) != 0)
1116+
die_with_error ("Can't mount proc on %s", arg1);
11151117
if (opt_landlock_ruleset_fd>-1)
11161118
{
11171119
int exposed_fd = open(arg1,O_PATH | O_CLOEXEC);
@@ -1120,15 +1122,15 @@ privileged_op (int privileged_op_socket,
11201122
add_execute_rule(opt_landlock_ruleset_fd,exposed_fd);
11211123
close(exposed_fd);
11221124
}
1123-
if (mount ("proc", arg1, "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV, NULL) != 0)
1124-
die_with_error ("Can't mount proc on %s", arg1);
11251125
break;
11261126
}
11271127

11281128
case PRIV_SEP_OP_TMPFS_MOUNT:
11291129
{
11301130
cleanup_free char *mode = xasprintf ("mode=%#o", perms);
11311131
cleanup_free char *opt = label_mount (mode, opt_file_label);
1132+
if (mount ("tmpfs", arg1, "tmpfs", MS_NOSUID | MS_NODEV, opt) != 0)
1133+
die_with_error ("Can't mount tmpfs on %s", arg1);
11321134
if (opt_landlock_ruleset_fd>-1)
11331135
{
11341136
int exposed_fd = open(arg1,O_PATH | O_CLOEXEC);
@@ -1137,26 +1139,26 @@ privileged_op (int privileged_op_socket,
11371139
add_execute_rule(opt_landlock_ruleset_fd,exposed_fd);
11381140
close(exposed_fd);
11391141
}
1140-
if (mount ("tmpfs", arg1, "tmpfs", MS_NOSUID | MS_NODEV, opt) != 0)
1141-
die_with_error ("Can't mount tmpfs on %s", arg1);
11421142
break;
11431143
}
11441144

11451145
case PRIV_SEP_OP_DEVPTS_MOUNT:
1146+
if (mount ("devpts", arg1, "devpts", MS_NOSUID | MS_NOEXEC,
1147+
"newinstance,ptmxmode=0666,mode=620") != 0)
1148+
die_with_error ("Can't mount devpts on %s", arg1);
11461149
if (opt_landlock_ruleset_fd>-1)
11471150
{
11481151
int exposed_fd = open(arg1,O_PATH | O_CLOEXEC);
11491152
add_read_access_rule(opt_landlock_ruleset_fd,exposed_fd);
1150-
add_write_access_rule(opt_landlock_ruleset_fd,exposed_fd,1);
1153+
add_write_access_rule(opt_landlock_ruleset_fd,exposed_fd,0);
11511154
add_execute_rule(opt_landlock_ruleset_fd,exposed_fd);
11521155
close(exposed_fd);
11531156
}
1154-
if (mount ("devpts", arg1, "devpts", MS_NOSUID | MS_NOEXEC,
1155-
"newinstance,ptmxmode=0666,mode=620") != 0)
1156-
die_with_error ("Can't mount devpts on %s", arg1);
11571157
break;
11581158

11591159
case PRIV_SEP_OP_MQUEUE_MOUNT:
1160+
if (mount ("mqueue", arg1, "mqueue", 0, NULL) != 0)
1161+
die_with_error ("Can't mount mqueue on %s", arg1);
11601162
if (opt_landlock_ruleset_fd>-1)
11611163
{
11621164
int exposed_fd = open(arg1,O_PATH | O_CLOEXEC);
@@ -1165,8 +1167,6 @@ privileged_op (int privileged_op_socket,
11651167
add_execute_rule(opt_landlock_ruleset_fd,exposed_fd);
11661168
close(exposed_fd);
11671169
}
1168-
if (mount ("mqueue", arg1, "mqueue", 0, NULL) != 0)
1169-
die_with_error ("Can't mount mqueue on %s", arg1);
11701170
break;
11711171

11721172
case PRIV_SEP_OP_SET_HOSTNAME:

0 commit comments

Comments
 (0)