diff options
author | smitsohu <smitsohu@gmail.com> | 2018-10-11 02:06:52 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2018-10-11 02:06:52 +0200 |
commit | 36281ef60b3fcc272e5d4d67b72d673d0028beab (patch) | |
tree | 9349d44ddcd8ac56c68b1ef5d470b44454964b97 | |
parent | merges (diff) | |
download | firejail-36281ef60b3fcc272e5d4d67b72d673d0028beab.tar.gz firejail-36281ef60b3fcc272e5d4d67b72d673d0028beab.tar.zst firejail-36281ef60b3fcc272e5d4d67b72d673d0028beab.zip |
allow overriding of disable-mnt with noblacklist - #2154
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/fs.c | 22 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 6 |
3 files changed, 22 insertions, 8 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 40155b155..1d74dc8dc 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -453,7 +453,7 @@ void fs_chroot(const char *rootdir); | |||
453 | void fs_check_chroot_dir(const char *rootdir); | 453 | void fs_check_chroot_dir(const char *rootdir); |
454 | void fs_private_tmp(void); | 454 | void fs_private_tmp(void); |
455 | void fs_private_cache(void); | 455 | void fs_private_cache(void); |
456 | void fs_mnt(void); | 456 | void fs_mnt(const int enforce); |
457 | 457 | ||
458 | // profile.c | 458 | // profile.c |
459 | // find and read the profile specified by name from dir directory | 459 | // find and read the profile specified by name from dir directory |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 83830cff6..b958df81a 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -545,11 +545,23 @@ void fs_noexec(const char *dir) { | |||
545 | } | 545 | } |
546 | 546 | ||
547 | // Disable /mnt, /media, /run/mount and /run/media access | 547 | // Disable /mnt, /media, /run/mount and /run/media access |
548 | void fs_mnt(void) { | 548 | void fs_mnt(const int enforce) { |
549 | disable_file(BLACKLIST_FILE, "/mnt"); | 549 | if (enforce) { |
550 | disable_file(BLACKLIST_FILE, "/media"); | 550 | // disable-mnt set in firejail.config |
551 | disable_file(BLACKLIST_FILE, "/run/mount"); | 551 | // overriding with noblacklist is not possible in this case |
552 | disable_file(BLACKLIST_FILE, "//run/media"); | 552 | disable_file(BLACKLIST_FILE, "/mnt"); |
553 | disable_file(BLACKLIST_FILE, "/media"); | ||
554 | disable_file(BLACKLIST_FILE, "/run/mount"); | ||
555 | disable_file(BLACKLIST_FILE, "/run/media"); | ||
556 | } | ||
557 | else { | ||
558 | EUID_USER(); | ||
559 | profile_add("blacklist /mnt"); | ||
560 | profile_add("blacklist /media"); | ||
561 | profile_add("blacklist /run/mount"); | ||
562 | profile_add("blacklist /run/media"); | ||
563 | EUID_ROOT(); | ||
564 | } | ||
553 | } | 565 | } |
554 | 566 | ||
555 | 567 | ||
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 5441522ab..8eede6f93 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -923,8 +923,10 @@ int sandbox(void* sandbox_arg) { | |||
923 | //**************************** | 923 | //**************************** |
924 | // handle /mnt and /media | 924 | // handle /mnt and /media |
925 | //**************************** | 925 | //**************************** |
926 | if (arg_disable_mnt || checkcfg(CFG_DISABLE_MNT)) | 926 | if (checkcfg(CFG_DISABLE_MNT)) |
927 | fs_mnt(); | 927 | fs_mnt(1); |
928 | else if (arg_disable_mnt) | ||
929 | fs_mnt(0); | ||
928 | 930 | ||
929 | //**************************** | 931 | //**************************** |
930 | // apply the profile file | 932 | // apply the profile file |