diff options
| author |  netblue30 <netblue30@yahoo.com> | 2016-09-20 09:18:07 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2016-09-20 09:18:07 -0400 |
| commit | 2ef9a452c72686e76f71817d0b4c383971f2b380 (patch) | |
| tree | d878127346d84f7731fef879d4ff82a664ce857f | |
| parent | --private-tmp whitelists /tmp/.X11-unix directory (diff) | |
| download | firejail-2ef9a452c72686e76f71817d0b4c383971f2b380.tar.gz firejail-2ef9a452c72686e76f71817d0b4c383971f2b380.tar.zst firejail-2ef9a452c72686e76f71817d0b4c383971f2b380.zip | |
support nvidia drivers in --private-dev
| -rw-r--r-- | RELNOTES | 1 | ||||
| -rw-r--r-- | src/firejail/firejail.h | 4 | ||||
| -rw-r--r-- | src/firejail/fs_dev.c | 113 | ||||
| -rw-r--r-- | todo | 4 |
4 files changed, 60 insertions, 62 deletions
| @@ -3,6 +3,7 @@ firejail (0.9.43) baseline; urgency=low | |||
| 3 | * modifs: removed man firejail-config | 3 | * modifs: removed man firejail-config |
| 4 | * modifs: make deb builds package based on the current configuration | 4 | * modifs: make deb builds package based on the current configuration |
| 5 | * modifs: --private-tmp whitelists /tmp/.X11-unix directory | 5 | * modifs: --private-tmp whitelists /tmp/.X11-unix directory |
| 6 | * modifs: Nvidia drivers added to --privte-dev | ||
| 6 | * feature: blocking x11 (--x11=block) | 7 | * feature: blocking x11 (--x11=block) |
| 7 | * feature: x11 xpra, x11 xephyr, x11 block profile commands | 8 | * feature: x11 xpra, x11 xephyr, x11 block profile commands |
| 8 | * bugfixes | 9 | * bugfixes |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index c0536502e..bee93ca85 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -45,9 +45,9 @@ | |||
| 45 | #define RUN_HOME_DIR "/run/firejail/mnt/home" | 45 | #define RUN_HOME_DIR "/run/firejail/mnt/home" |
| 46 | #define RUN_ETC_DIR "/run/firejail/mnt/etc" | 46 | #define RUN_ETC_DIR "/run/firejail/mnt/etc" |
| 47 | #define RUN_BIN_DIR "/run/firejail/mnt/bin" | 47 | #define RUN_BIN_DIR "/run/firejail/mnt/bin" |
| 48 | #define RUN_DRI_DIR "/run/firejail/mnt/dri" | ||
| 49 | #define RUN_SND_DIR "/run/firejail/mnt/snd" | ||
| 50 | #define RUN_PULSE_DIR "/run/firejail/mnt/pulse" | 48 | #define RUN_PULSE_DIR "/run/firejail/mnt/pulse" |
| 49 | |||
| 50 | #define RUN_DEV_DIR "/run/firejail/mnt/dev" | ||
| 51 | #define RUN_DEVLOG_FILE "/run/firejail/mnt/devlog" | 51 | #define RUN_DEVLOG_FILE "/run/firejail/mnt/devlog" |
| 52 | 52 | ||
| 53 | #define RUN_WHITELIST_X11_DIR "/run/firejail/mnt/orig-x11" | 53 | #define RUN_WHITELIST_X11_DIR "/run/firejail/mnt/orig-x11" |
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index 363d3e484..4744b3096 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c | |||
| @@ -30,6 +30,49 @@ | |||
| 30 | #endif | 30 | #endif |
| 31 | #include <sys/types.h> | 31 | #include <sys/types.h> |
| 32 | 32 | ||
| 33 | typedef struct { | ||
| 34 | const char *dev_fname; | ||
| 35 | const char *run_fname; | ||
| 36 | } DevEntry; | ||
| 37 | |||
| 38 | static DevEntry dev[] = { | ||
| 39 | {"/dev/snd", RUN_DEV_DIR "/snd"}, | ||
| 40 | {"/dev/dri", RUN_DEV_DIR "/dri"}, | ||
| 41 | {"/dev/nvidia0", RUN_DEV_DIR "/nvidia0"}, | ||
| 42 | {"/dev/nvidia1", RUN_DEV_DIR "/nvidia1"}, | ||
| 43 | {"/dev/nvidia2", RUN_DEV_DIR "/nvidia2"}, | ||
| 44 | {"/dev/nvidia3", RUN_DEV_DIR "/nvidia3"}, | ||
| 45 | {"/dev/nvidia4", RUN_DEV_DIR "/nvidia4"}, | ||
| 46 | {"/dev/nvidia5", RUN_DEV_DIR "/nvidia5"}, | ||
| 47 | {"/dev/nvidia6", RUN_DEV_DIR "/nvidia6"}, | ||
| 48 | {"/dev/nvidia7", RUN_DEV_DIR "/nvidia7"}, | ||
| 49 | {"/dev/nvidia8", RUN_DEV_DIR "/nvidia8"}, | ||
| 50 | {"/dev/nvidia9", RUN_DEV_DIR "/nvidia9"}, | ||
| 51 | {"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl"}, | ||
| 52 | {"/dev/nvidia-modset", RUN_DEV_DIR "/nvidia-modset"}, | ||
| 53 | {"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm"}, | ||
| 54 | {NULL, NULL} | ||
| 55 | }; | ||
| 56 | |||
| 57 | static void deventry_mount(void) { | ||
| 58 | int i = 0; | ||
| 59 | while (dev[i].dev_fname != NULL) { | ||
| 60 | struct stat s; | ||
| 61 | if (stat(dev[i].run_fname, &s) == 0) { | ||
| 62 | if (mkdir(dev[i].dev_fname, 0755) == -1) | ||
| 63 | errExit("mkdir"); | ||
| 64 | if (chmod(dev[i].dev_fname, 0755) == -1) | ||
| 65 | errExit("chmod"); | ||
| 66 | ASSERT_PERMS(dev[i].dev_fname, 0, 0, 0755); | ||
| 67 | if (mount(dev[i].run_fname, dev[i].dev_fname, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
| 68 | errExit("mounting /dev/snd"); | ||
| 69 | fs_logger2("whitelist", dev[i].dev_fname); | ||
| 70 | } | ||
| 71 | |||
| 72 | i++; | ||
| 73 | } | ||
| 74 | } | ||
| 75 | |||
| 33 | static void create_char_dev(const char *path, mode_t mode, int major, int minor) { | 76 | static void create_char_dev(const char *path, mode_t mode, int major, int minor) { |
| 34 | dev_t dev = makedev(major, minor); | 77 | dev_t dev = makedev(major, minor); |
| 35 | if (mknod(path, S_IFCHR | mode, dev) == -1) | 78 | if (mknod(path, S_IFCHR | mode, dev) == -1) |
| @@ -62,43 +105,21 @@ void fs_private_dev(void){ | |||
| 62 | if (arg_debug) | 105 | if (arg_debug) |
| 63 | printf("Mounting tmpfs on /dev\n"); | 106 | printf("Mounting tmpfs on /dev\n"); |
| 64 | 107 | ||
| 65 | int have_dri = 0; | ||
| 66 | int have_snd = 0; | ||
| 67 | struct stat s; | ||
| 68 | if (stat("/dev/dri", &s) == 0) | ||
| 69 | have_dri = 1; | ||
| 70 | if (stat("/dev/snd", &s) == 0) | ||
| 71 | have_snd = 1; | ||
| 72 | |||
| 73 | // create DRI_DIR | 108 | // create DRI_DIR |
| 74 | fs_build_mnt_dir(); | 109 | fs_build_mnt_dir(); |
| 75 | if (have_dri) { | ||
| 76 | if (mkdir(RUN_DRI_DIR, 0755) == -1) | ||
| 77 | errExit("mkdir"); | ||
| 78 | if (chmod(RUN_DRI_DIR, 0755) == -1) | ||
| 79 | errExit("chmod"); | ||
| 80 | ASSERT_PERMS(RUN_DRI_DIR, 0, 0, 0755); | ||
| 81 | |||
| 82 | // keep a copy of /dev/dri under DRI_DIR | ||
| 83 | if (mount("/dev/dri", RUN_DRI_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
| 84 | errExit("mounting /dev/dri"); | ||
| 85 | } | ||
| 86 | |||
| 87 | // create SND_DIR | ||
| 88 | if (have_snd) { | ||
| 89 | if (mkdir(RUN_SND_DIR, 0755) == -1) | ||
| 90 | errExit("mkdir"); | ||
| 91 | if (chmod(RUN_SND_DIR, 0755) == -1) | ||
| 92 | errExit("chmod"); | ||
| 93 | ASSERT_PERMS(RUN_SND_DIR, 0, 0, 0755); | ||
| 94 | |||
| 95 | // keep a copy of /dev/dri under DRI_DIR | ||
| 96 | if (mount("/dev/snd", RUN_SND_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
| 97 | errExit("mounting /dev/snd"); | ||
| 98 | } | ||
| 99 | 110 | ||
| 111 | // keep a copy of dev directory | ||
| 112 | if (mkdir(RUN_DEV_DIR, 0755) == -1) | ||
| 113 | errExit("mkdir"); | ||
| 114 | if (chmod(RUN_DEV_DIR, 0755) == -1) | ||
| 115 | errExit("chmod"); | ||
| 116 | ASSERT_PERMS(RUN_DEV_DIR, 0, 0, 0755); | ||
| 117 | if (mount("/dev", RUN_DEV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
| 118 | errExit("mounting /dev/dri"); | ||
| 119 | |||
| 100 | // create DEVLOG_FILE | 120 | // create DEVLOG_FILE |
| 101 | int have_devlog = 0; | 121 | int have_devlog = 0; |
| 122 | struct stat s; | ||
| 102 | if (stat("/dev/log", &s) == 0) { | 123 | if (stat("/dev/log", &s) == 0) { |
| 103 | have_devlog = 1; | 124 | have_devlog = 1; |
| 104 | FILE *fp = fopen(RUN_DEVLOG_FILE, "w"); | 125 | FILE *fp = fopen(RUN_DEVLOG_FILE, "w"); |
| @@ -116,6 +137,8 @@ void fs_private_dev(void){ | |||
| 116 | if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 137 | if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
| 117 | errExit("mounting /dev"); | 138 | errExit("mounting /dev"); |
| 118 | fs_logger("tmpfs /dev"); | 139 | fs_logger("tmpfs /dev"); |
| 140 | |||
| 141 | deventry_mount(); | ||
| 119 | 142 | ||
| 120 | // bring back /dev/log | 143 | // bring back /dev/log |
| 121 | if (have_devlog) { | 144 | if (have_devlog) { |
| @@ -128,31 +151,9 @@ void fs_private_dev(void){ | |||
| 128 | fs_logger("clone /dev/log"); | 151 | fs_logger("clone /dev/log"); |
| 129 | } | 152 | } |
| 130 | } | 153 | } |
| 154 | if (mount(RUN_RO_DIR, RUN_DEV_DIR, "none", MS_BIND, "mode=400,gid=0") < 0) | ||
| 155 | errExit("disable /dev/snd"); | ||
| 131 | 156 | ||
| 132 | // bring back the /dev/snd directory | ||
| 133 | if (have_snd) { | ||
| 134 | /* coverity[toctou] */ | ||
| 135 | if (mkdir("/dev/snd", 0755) == -1) | ||
| 136 | errExit("mkdir"); | ||
| 137 | if (chmod("/dev/snd", 0755) == -1) | ||
| 138 | errExit("chmod"); | ||
| 139 | ASSERT_PERMS("/dev/snd", 0, 0, 0755); | ||
| 140 | if (mount(RUN_SND_DIR, "/dev/snd", NULL, MS_BIND|MS_REC, NULL) < 0) | ||
| 141 | errExit("mounting /dev/snd"); | ||
| 142 | fs_logger("whitelist /dev/snd"); | ||
| 143 | } | ||
| 144 | |||
| 145 | // bring back the /dev/dri directory | ||
| 146 | if (have_dri) { | ||
| 147 | if (mkdir("/dev/dri", 0755) == -1) | ||
| 148 | errExit("mkdir"); | ||
| 149 | if (chmod("/dev/dri", 0755) == -1) | ||
| 150 | errExit("chmod"); | ||
| 151 | ASSERT_PERMS("/dev/dri", 0, 0, 0755); | ||
| 152 | if (mount(RUN_DRI_DIR, "/dev/dri", NULL, MS_BIND|MS_REC, NULL) < 0) | ||
| 153 | errExit("mounting /dev/dri"); | ||
| 154 | fs_logger("whitelist /dev/dri"); | ||
| 155 | } | ||
| 156 | 157 | ||
| 157 | // create /dev/shm | 158 | // create /dev/shm |
| 158 | if (arg_debug) | 159 | if (arg_debug) |
| @@ -161,10 +161,6 @@ To disable Vsync | |||
| 161 | 161 | ||
| 162 | $ vblank_mode=0 glxgears | 162 | $ vblank_mode=0 glxgears |
| 163 | 163 | ||
| 164 | 18. Bring in nvidia drives in private-dev | ||
| 165 | |||
| 166 | /dev/nvidia[0-9], /dev/nvidiactl, /dev/nvidia-modset and /dev/nvidia-uvm | ||
| 167 | |||
| 168 | 19. testing snaps | 164 | 19. testing snaps |
| 169 | 165 | ||
| 170 | Install firejail from official repository | 166 | Install firejail from official repository |