Include additional directories in ProtectSystem

author Ansgar Burchardt <ansgar@debian.org>

Thu, 24 Jul 2014 17:38:07 +0000 (19:38 +0200)

committer Felipe Sateler <fsateler@gmail.com>

Tue, 27 Feb 2018 21:56:19 +0000 (18:56 -0300)
author Ansgar Burchardt <ansgar@debian.org>
Thu, 24 Jul 2014 17:38:07 +0000 (19:38 +0200)
committer Felipe Sateler <fsateler@gmail.com>
Tue, 27 Feb 2018 21:56:19 +0000 (18:56 -0300)
diff --git a/src/core/namespace.c b/src/core/namespace.c

index 5d092488bd4e435fa0f26b0ff2586c4ca569c81d..876faa7f55897d8571efa98516a7e909deddc70c 100644 (file)
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -148,6 +148,12 @@ static const MountEntry protect_system_yes_table[] = {
          { "/usr",                READONLY,     false },
          { "/boot",               READONLY,     true  },
          { "/efi",                READONLY,     true  },
+#if HAVE_SPLIT_USR
+        { "/lib",                READONLY,     true  },
+        { "/lib64",              READONLY,     true  },
+        { "/bin",                READONLY,     true  },
+        { "/sbin",               READONLY,     true  },
+#endif
  };
  
  /* ProtectSystem=full includes ProtectSystem=yes */
@@ -156,6 +162,12 @@ static const MountEntry protect_system_full_table[] = {
          { "/boot",               READONLY,     true  },
          { "/efi",                READONLY,     true  },
          { "/etc",                READONLY,     false },
+#if HAVE_SPLIT_USR
+        { "/lib",                READONLY,     true  },
+        { "/lib64",              READONLY,     true  },
+        { "/bin",                READONLY,     true  },
+        { "/sbin",               READONLY,     true  },
+#endif
  };
  
  /*
author	Ansgar Burchardt <ansgar@debian.org>
	Thu, 24 Jul 2014 17:38:07 +0000 (19:38 +0200)
committer	Felipe Sateler <fsateler@gmail.com>
	Tue, 27 Feb 2018 21:56:19 +0000 (18:56 -0300)