[PR #2602] [MERGED] mount runtime seccomp files read-only #4441

New issue

Closed

opened 2026-05-05 10:20:09 -06:00 by gitea-mirror · 0 comments

gitea-mirror commented

2026-05-05 10:20:09 -06:00

Owner

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/2602
Author: @smitsohu
Created: 3/16/2019
Status: ✅ Merged
Merged: 3/23/2019
Merged by: @smitsohu

Base: master ← Head: noexec

📝 Commits (2)

f8c0798 mount runtime seccomp files read-only
f847713 Merge branch 'master' into noexec

📊 Changes

4 files changed (+16 additions, -11 deletions)

View changed files

📝 src/firejail/firejail.h (+8 -8)
📝 src/firejail/fs_lib.c (+1 -0)
📝 src/firejail/preproc.c (+2 -0)
📝 src/firejail/sandbox.c (+5 -3)

📄 Description

In order to reduce exposure to locations that are both writable and executable (only processes with euid of the user):

group user owned /run/firejail/mnt/seccomp.* files in a directory and
mount this directory read-only
remove user owned /run/firejail/mnt/libfiles once it is not needed any more

/run/firejail/mnt/pulse and /run/firejail/mnt/sec.Xauthority are noexec already, and the appimage mounts are read-only, so I think this PR should cover the last remaining paths. To make this possible it was necessary to drop capabilities a little bit later during sandbox setup.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/netblue30/firejail/pull/2602 **Author:** [@smitsohu](https://github.com/smitsohu) **Created:** 3/16/2019 **Status:** ✅ Merged **Merged:** 3/23/2019 **Merged by:** [@smitsohu](https://github.com/smitsohu) **Base:** `master` ← **Head:** `noexec` --- ### 📝 Commits (2) - [`f8c0798`](https://github.com/netblue30/firejail/commit/f8c0798f4b8f9c0728fb696d07eac588f2e34d57) mount runtime seccomp files read-only - [`f847713`](https://github.com/netblue30/firejail/commit/f847713eba0e9ede0976315fabd20530b74562f9) Merge branch 'master' into noexec ### 📊 Changes **4 files changed** (+16 additions, -11 deletions) <details> <summary>View changed files</summary> 📝 `src/firejail/firejail.h` (+8 -8) 📝 `src/firejail/fs_lib.c` (+1 -0) 📝 `src/firejail/preproc.c` (+2 -0) 📝 `src/firejail/sandbox.c` (+5 -3) </details> ### 📄 Description In order to reduce exposure to locations that are both writable and executable (only processes with euid of the user): * group user owned /run/firejail/mnt/seccomp.* files in a directory and * mount this directory read-only * remove user owned /run/firejail/mnt/libfiles once it is not needed any more /run/firejail/mnt/pulse and /run/firejail/mnt/sec.Xauthority are noexec already, and the appimage mounts are read-only, so I think this PR should cover the last remaining paths. To make this possible it was necessary to drop capabilities a little bit later during sandbox setup. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

gitea-mirror

2026-05-05 10:20:09 -06:00

closed this issue
added the
pull-request
label

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#4441

No description provided.

Rows
Columns