// Helper for fs_proc_sys_dev_boot(): blacklist `path` if it exists on the
// host.  When `debug_msg` is non-NULL it is printed first under --debug.
static void disable_if_present(const char *path, const char *debug_msg) {
	struct stat st;

	if (stat(path, &st) != 0)
		return;
	if (debug_msg != NULL && arg_debug)
		printf("%s", debug_msg);
	disable_file(BLACKLIST_FILE, path);
}

// Helper for fs_proc_sys_dev_boot(): announce under --debug, then remount
// `path` read-only without aborting the sandbox when that fails.
static void rdonly_with_notice(const char *path, const char *debug_msg) {
	if (arg_debug)
		printf("%s", debug_msg);
	fs_rdonly_noexit(path);
}

// mount /proc and /sys directories
//
// Runs inside the sandbox's mount namespace: remounts /proc with
// nosuid/noexec/nodev, makes /proc/sys read-only, replaces /sys with a sysfs
// view of the current network namespace, and then hides or read-only-remounts
// a fixed list of kernel interfaces a sandboxed process should not reach.
// Failures on /proc abort via errExit(); /sys and the individual paths are
// best-effort and only produce warnings.
void fs_proc_sys_dev_boot(void) {
	// procfs: fresh mount, then a read-only bind over /proc/sys
	if (arg_debug)
		printf("Remounting /proc and /proc/sys filesystems\n");
	if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
		errExit("mounting /proc");
	fs_logger("remount /proc");

	// a bind mount has to exist before MS_REMOUNT|MS_BIND can flip its
	// per-mountpoint flags to read-only
	if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0)
		errExit("mounting /proc/sys");
	if (mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_REC, NULL) < 0)
		errExit("mounting /proc/sys");
	fs_logger("read-only /proc/sys");

	// sysfs: detach the old instance and mount one that describes this
	// network namespace; both steps are best-effort
	if (arg_debug)
		printf("Remounting /sys directory\n");
	if (umount2("/sys", MNT_DETACH) < 0)
		fprintf(stderr, "Warning: failed to unmount /sys\n");
	else if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0)
		fprintf(stderr, "Warning: failed to mount /sys\n");
	else
		fs_logger("remount /sys");

	// sysfs subtrees that expose firmware, hypervisor, filesystem, module
	// and power-management details of the host
	static const char *const sys_blacklist[] = {
		"/sys/firmware",
		"/sys/hypervisor",
		"/sys/fs",
		"/sys/module",
		"/sys/power",
	};
	for (size_t i = 0; i < sizeof sys_blacklist / sizeof sys_blacklist[0]; i++)
		disable_if_present(sys_blacklist[i], NULL);

	// read-only entries: the SysRq trigger (once /proc/sys/kernel/sysrq
	// allows it, writing 'b' there reboots the host; see
	// https://www.kernel.org/doc/Documentation/sysrq.txt), the hotplug and
	// uevent helper paths, and the /proc/irq and /proc/bus trees
	static const struct {
		const char *path;
		const char *msg;
	} rdonly_list[] = {
		{ "/proc/sysrq-trigger", "Disable /proc/sysrq-trigger\n" },
		{ "/proc/sys/kernel/hotplug", "Disable /proc/sys/kernel/hotplug\n" },
		{ "/sys/kernel/uevent_helper", "Disable /sys/kernel/uevent_helper\n" },
		{ "/proc/irq", "Disable /proc/irq\n" },
		{ "/proc/bus", "Disable /proc/bus\n" },
	};
	for (size_t i = 0; i < sizeof rdonly_list / sizeof rdonly_list[0]; i++)
		rdonly_with_notice(rdonly_list[i].path, rdonly_list[i].msg);

	// kernel memory image and symbol table: always blacklisted, no stat() first
	disable_file(BLACKLIST_FILE, "/proc/kcore");
	disable_file(BLACKLIST_FILE, "/proc/kallsyms");

	// host boot files, the legacy SELinux filesystem and raw I/O port access
	disable_if_present("/boot", "Disable /boot directory\n");
	disable_if_present("/selinux", "Disable /selinux directory\n");
	disable_if_present("/dev/port", NULL);

	// kernel log access is only withheld from non-root sandboxes
	if (getuid() != 0) {
		disable_if_present("/dev/kmsg", NULL);
		disable_if_present("/proc/kmsg", NULL);
	}
}
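// Helper for fs_proc_sys_dev_boot(): send one command line to the
// firejail-lkm control file.  Each command is flushed on its own so the
// module receives one write() per line.  A failed write would leave the
// sandbox unregistered or its connect filters only partially installed, so
// it is treated exactly like a failed open: report and exit.
static void lkm_send(FILE *fp, const char *cmd) {
	if (fputs(cmd, fp) == EOF || fflush(fp) != 0) {
		fprintf(stderr, "Error: cannot register sandbox with firejail-lkm\n");
		exit(1);
	}
}

// mount /proc and /sys directories
//
// Runs inside the sandbox's mount namespace: remounts /proc with
// nosuid/noexec/nodev, makes /proc/sys read-only, replaces /sys with a sysfs
// view of the current network namespace, registers the sandbox with the
// firejail kernel module when it is loaded (/proc/firejail-uptime exists),
// and finally hides or read-only-remounts a fixed list of kernel interfaces.
// Failures on /proc, /boot and the module registration abort the sandbox;
// /sys and the read-only remounts are best-effort (warnings only).
void fs_proc_sys_dev_boot(void) {
	struct stat s;

	if (arg_debug)
		printf("Remounting /proc and /proc/sys filesystems\n");
	if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REC, NULL) < 0)
		errExit("mounting /proc");

	// remount /proc/sys readonly: a bind mount has to exist before
	// MS_REMOUNT|MS_BIND can flip its per-mountpoint flags
	if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND | MS_REC, NULL) < 0)
		errExit("mounting /proc/sys");

	if (mount(NULL, "/proc/sys", NULL, MS_BIND | MS_REMOUNT | MS_RDONLY | MS_REC, NULL) < 0)
		errExit("mounting /proc/sys");


	/* Mount a version of /sys that describes the network namespace */
	if (arg_debug)
		printf("Remounting /sys directory\n");
	if (umount2("/sys", MNT_DETACH) < 0)
		fprintf(stderr, "Warning: failed to unmount /sys\n");
	// attempted even when the detach failed: the new sysfs then simply
	// covers the old mount
	if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0)
		fprintf(stderr, "Warning: failed to mount /sys\n");


	// firejail kernel module: /proc/firejail-uptime only exists when it is
	// loaded; register this sandbox and install the connect filters
	if (stat("/proc/firejail-uptime", &s) == 0) {
		// retry the open only on EBUSY (presumably the module is busy with
		// another registration - verify against the module), at most 10
		// times with a small random back-off; the attempt counter is what
		// bounds the loop
		errno = 0;
		FILE *fp = fopen("/proc/firejail", "w");
		for (int attempt = 0; !fp && errno == EBUSY && attempt < 10; attempt++) {
			long delay_us = random() / 200000;	// at most ~10.7 ms for a 31-bit random()
			usleep((unsigned) delay_us);
			errno = 0;
			fp = fopen("/proc/firejail", "w");
		}
		if (!fp) {
			fprintf(stderr, "Error: cannot register sandbox with firejail-lkm\n");
			exit(1);
		}

		// registration
		lkm_send(fp, "register\n");
		// filtering x11 connect calls
		if (arg_nox11) {
			lkm_send(fp, "no connect unix /tmp/.X11\n");
			printf("X11 access disabled\n");
		}
		if (arg_nodbus) {
			lkm_send(fp, "no connect unix /var/run/dbus/system_bus_socket\n");
			lkm_send(fp, "no connect unix /tmp/dbus\n");
			printf("D-Bus access disabled\n");
		}
		// fclose() is the last place a rejected write can surface
		if (fclose(fp) != 0) {
			fprintf(stderr, "Error: cannot register sandbox with firejail-lkm\n");
			exit(1);
		}
		if (mount("/proc/firejail-uptime", "/proc/uptime", NULL, MS_BIND|MS_REC, NULL) < 0)
			fprintf(stderr, "Warning: cannot mount /proc/firejail-uptime\n");
	}

	// Disable SysRq
	// once /proc/sys/kernel/sysrq is enabled, writing 'b' to
	// /proc/sysrq-trigger reboots the host; making the trigger read-only
	// closes that path from inside the sandbox
	// for more information see https://www.kernel.org/doc/Documentation/sysrq.txt
	if (arg_debug)
		printf("Disable /proc/sysrq-trigger\n");
	fs_rdonly_noexit("/proc/sysrq-trigger");

	// disable hotplug and uevent_helper (user-space helpers the kernel
	// would execute on device events)
	if (arg_debug)
		printf("Disable /proc/sys/kernel/hotplug\n");
	fs_rdonly_noexit("/proc/sys/kernel/hotplug");
	if (arg_debug)
		printf("Disable /sys/kernel/uevent_helper\n");
	fs_rdonly_noexit("/sys/kernel/uevent_helper");

	// read-only /proc/irq and /proc/bus
	if (arg_debug)
		printf("Disable /proc/irq\n");
	fs_rdonly_noexit("/proc/irq");
	if (arg_debug)
		printf("Disable /proc/bus\n");
	fs_rdonly_noexit("/proc/bus");

	// disable /proc/kcore (kernel memory image)
	disable_file(BLACKLIST_FILE, "/proc/kcore", "not used", "/dev/null");

	// disable /proc/kallsyms (kernel symbol table)
	disable_file(BLACKLIST_FILE, "/proc/kallsyms", "not used", "/dev/null");

	// disable /boot: hide the host kernel and bootloader files behind an
	// empty tmpfs
	if (stat("/boot", &s) == 0) {
		if (arg_debug)
			printf("Mounting a new /boot directory\n");
		// NOTE(review): the replacement is world-writable (mode=777); a
		// read-only or 0755 tmpfs would hide /boot just as well - confirm
		// nothing in the sandbox relies on writing there
		if (mount("tmpfs", "/boot", "tmpfs", MS_NOSUID | MS_NODEV | MS_STRICTATIME | MS_REC,  "mode=777,gid=0") < 0)
			errExit("mounting /boot directory");
	}

	// disable /dev/port (raw I/O port access)
	if (stat("/dev/port", &s) == 0) {
		disable_file(BLACKLIST_FILE, "/dev/port", "not used", "/dev/null");
	}
}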