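// Hand PATH to disable_file(BLACKLIST_FILE, ...) if it exists on the host.
// When DEBUG_MSG is non-NULL and arg_debug is set, the message is printed
// first (only for paths that actually exist, matching the original inline
// stat() checks).  A missing path is silently skipped.
static void fs_disable_if_present(const char *path, const char *debug_msg) {
	struct stat s;
	if (stat(path, &s) != 0)
		return;
	if (debug_msg && arg_debug)
		printf("%s\n", debug_msg);
	disable_file(BLACKLIST_FILE, path);
}

// mount /proc and /sys directories
//
// Re-mounts /proc (nosuid/noexec/nodev), makes the /proc/sys subtree
// read-only, replaces /sys with a fresh sysfs for the sandbox, and then hides
// (disable_file) or makes read-only (fs_rdonly_noexit) the kernel interfaces
// listed below.  Failures of the /proc and /proc/sys mounts are fatal via
// errExit(); the /sys unmount/mount only warns on failure, in which case the
// /sys the sandbox inherited stays in place -- NOTE(review): only the
// subtree blacklist below is still applied to it in that case.
void fs_proc_sys_dev_boot(void) {
	if (arg_debug)
		printf("Remounting /proc and /proc/sys filesystems\n");
	if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
		errExit("mounting /proc");
	fs_logger("remount /proc");

	// remount /proc/sys readonly: bind /proc/sys onto itself, then flip
	// that bind mount to read-only so only this subtree is affected
	if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0)
		errExit("mounting /proc/sys");
	if (mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_REC, NULL) < 0)
		errExit("mounting /proc/sys");
	fs_logger("read-only /proc/sys");

	/* Mount a version of /sys that describes the network namespace */
	if (arg_debug)
		printf("Remounting /sys directory\n");
	if (umount2("/sys", MNT_DETACH) < 0)
		fprintf(stderr, "Warning: failed to unmount /sys\n");
	else if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0)
		fprintf(stderr, "Warning: failed to mount /sys\n");
	else
		fs_logger("remount /sys");

	// sysfs subtrees hidden from the sandbox (only where they exist)
	static const char *const sys_blacklist[] = {
		"/sys/firmware",
		"/sys/hypervisor",
		"/sys/fs",
		"/sys/module",
		"/sys/power",
	};
	for (size_t i = 0; i < sizeof sys_blacklist / sizeof sys_blacklist[0]; i++)
		fs_disable_if_present(sys_blacklist[i], NULL);

	// Disable SysRq
	// a linux box can be shut down easily using the following commands (as root):
	// # echo 1 > /proc/sys/kernel/sysrq
	// #echo b > /proc/sysrq-trigger
	// for more information see https://www.kernel.org/doc/Documentation/sysrq.txt
	if (arg_debug)
		printf("Disable /proc/sysrq-trigger\n");
	fs_rdonly_noexit("/proc/sysrq-trigger");

	// disable hotplug and uevent_helper
	if (arg_debug)
		printf("Disable /proc/sys/kernel/hotplug\n");
	fs_rdonly_noexit("/proc/sys/kernel/hotplug");
	if (arg_debug)
		printf("Disable /sys/kernel/uevent_helper\n");
	fs_rdonly_noexit("/sys/kernel/uevent_helper");

	// read-only /proc/irq and /proc/bus
	if (arg_debug)
		printf("Disable /proc/irq\n");
	fs_rdonly_noexit("/proc/irq");
	if (arg_debug)
		printf("Disable /proc/bus\n");
	fs_rdonly_noexit("/proc/bus");

	// disable /proc/kcore and /proc/kallsyms unconditionally (no stat() check,
	// as in the original)
	disable_file(BLACKLIST_FILE, "/proc/kcore");
	disable_file(BLACKLIST_FILE, "/proc/kallsyms");

	// disable /boot and /selinux, with a debug message when present
	fs_disable_if_present("/boot", "Disable /boot directory");
	fs_disable_if_present("/selinux", "Disable /selinux directory");

	// disable /dev/port
	fs_disable_if_present("/dev/port", NULL);

	// kernel log access is hidden only for non-root sandboxes
	if (getuid() != 0) {
		fs_disable_if_present("/dev/kmsg", NULL);
		fs_disable_if_present("/proc/kmsg", NULL);
	}
}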
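// Number of re-tries when opening /proc/firejail reports EBUSY, and the
// divisor applied to random() for the back-off between attempts
// (random() returns at most 2^31-1, so the sleep stays below ~11 ms).
enum { LKM_OPEN_RETRIES = 10, LKM_BACKOFF_DIV = 200000 };

// Open the firejail-lkm control file for writing, retrying with a short
// random back-off while the open fails with EBUSY.
//
// Returns the open stream, or NULL after LKM_OPEN_RETRIES failed re-tries
// or on any error other than EBUSY (errno is left as set by the last
// fopen()).  The original loop never incremented its retry counter and
// could spin forever on a persistent EBUSY; this one is bounded.
static FILE *lkm_open(void) {
	for (int attempt = 0; ; attempt++) {
		errno = 0;
		FILE *fp = fopen("/proc/firejail", "w");
		if (fp)
			return fp;
		if (errno != EBUSY || attempt >= LKM_OPEN_RETRIES)
			return NULL;
		// random() is non-negative, so the cast to usleep()'s unsigned
		// argument is safe
		usleep((unsigned)(random() / LKM_BACKOFF_DIV));
	}
}

// Write one command line to the lkm control stream and flush it so the
// kernel module sees it immediately.
//
// Returns 0 on success, -1 if the write or the flush failed (the stream's
// error flag is set in that case, so a later fclose() fails too).
static int lkm_write_line(FILE *fp, const char *line) {
	if (fputs(line, fp) == EOF)
		return -1;
	if (fflush(fp) != 0)
		return -1;
	return 0;
}

// Register the sandbox with firejail-lkm and install the X11 / D-Bus
// connect filters requested by arg_nox11 / arg_nodbus.
//
// Every write is checked: a failed write used to be ignored while the
// "... access disabled" message was still printed, so the user was told a
// filter was active when the module had not accepted it.  Any failure to
// open, write or close the control file is fatal (exit(1)), as a failed
// open already was.  The /proc/uptime bind mount only warns on failure.
static void lkm_register(void) {
	FILE *fp = lkm_open();
	if (!fp) {
		fprintf(stderr, "Error: cannot register sandbox with firejail-lkm\n");
		exit(1);
	}

	// registration
	int rv = lkm_write_line(fp, "register\n");

	// filtering x11 connect calls
	if (rv == 0 && arg_nox11) {
		rv = lkm_write_line(fp, "no connect unix /tmp/.X11\n");
		if (rv == 0)
			printf("X11 access disabled\n");
	}

	if (rv == 0 && arg_nodbus) {
		rv = lkm_write_line(fp, "no connect unix /var/run/dbus/system_bus_socket\n");
		if (rv == 0)
			rv = lkm_write_line(fp, "no connect unix /tmp/dbus\n");
		if (rv == 0)
			printf("D-Bus access disabled\n");
	}

	// fclose() reports buffered-write errors; treat them like any other
	if (fclose(fp) != 0)
		rv = -1;
	if (rv != 0) {
		fprintf(stderr, "Error: cannot register sandbox with firejail-lkm\n");
		exit(1);
	}

	if (mount("/proc/firejail-uptime", "/proc/uptime", NULL, MS_BIND|MS_REC, NULL) < 0)
		fprintf(stderr, "Warning: cannot mount /proc/firejail-uptime\n");
}

// mount /proc and /sys directories
//
// Re-mounts /proc (nosuid/noexec/nodev), makes the /proc/sys subtree
// read-only, replaces /sys with a fresh sysfs, registers the sandbox with
// firejail-lkm when the module is present (/proc/firejail-uptime exists),
// and then hides or makes read-only the kernel interfaces listed below.
// /proc and /proc/sys mount failures are fatal via errExit(); the /sys
// unmount and mount only warn.
void fs_proc_sys_dev_boot(void) {
	struct stat s;

	if (arg_debug)
		printf("Remounting /proc and /proc/sys filesystems\n");
	if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
		errExit("mounting /proc");

	// remount /proc/sys readonly: bind /proc/sys onto itself, then flip
	// that bind mount to read-only so only this subtree is affected
	if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0)
		errExit("mounting /proc/sys");
	if (mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_REC, NULL) < 0)
		errExit("mounting /proc/sys");

	/* Mount a version of /sys that describes the network namespace */
	// NOTE(review): unlike the newer variant of this function, the sysfs
	// mount is attempted even when the unmount failed; both only warn.
	if (arg_debug)
		printf("Remounting /sys directory\n");
	if (umount2("/sys", MNT_DETACH) < 0)
		fprintf(stderr, "Warning: failed to unmount /sys\n");
	if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0)
		fprintf(stderr, "Warning: failed to mount /sys\n");

	// mounting firejail kernel module files
	if (stat("/proc/firejail-uptime", &s) == 0)
		lkm_register();

	// Disable SysRq
	// a linux box can be shut down easily using the following commands (as root):
	// # echo 1 > /proc/sys/kernel/sysrq
	// #echo b > /proc/sysrq-trigger
	// for more information see https://www.kernel.org/doc/Documentation/sysrq.txt
	if (arg_debug)
		printf("Disable /proc/sysrq-trigger\n");
	fs_rdonly_noexit("/proc/sysrq-trigger");

	// disable hotplug and uevent_helper
	if (arg_debug)
		printf("Disable /proc/sys/kernel/hotplug\n");
	fs_rdonly_noexit("/proc/sys/kernel/hotplug");
	if (arg_debug)
		printf("Disable /sys/kernel/uevent_helper\n");
	fs_rdonly_noexit("/sys/kernel/uevent_helper");

	// read-only /proc/irq and /proc/bus
	if (arg_debug)
		printf("Disable /proc/irq\n");
	fs_rdonly_noexit("/proc/irq");
	if (arg_debug)
		printf("Disable /proc/bus\n");
	fs_rdonly_noexit("/proc/bus");

	// disable /proc/kcore and /proc/kallsyms (unconditionally)
	disable_file(BLACKLIST_FILE, "/proc/kcore", "not used", "/dev/null");
	disable_file(BLACKLIST_FILE, "/proc/kallsyms", "not used", "/dev/null");

	// disable /boot by covering it with an empty tmpfs
	// NOTE(review): "mode=777" makes that tmpfs world-writable inside the
	// sandbox -- confirm this is intended rather than e.g. mode=755.
	if (stat("/boot", &s) == 0) {
		if (arg_debug)
			printf("Mounting a new /boot directory\n");
		if (mount("tmpfs", "/boot", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=777,gid=0") < 0)
			errExit("mounting /boot directory");
	}

	// disable /dev/port
	if (stat("/dev/port", &s) == 0)
		disable_file(BLACKLIST_FILE, "/dev/port", "not used", "/dev/null");
}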