authorLibravatar netblue30 <netblue30@yahoo.com>2018-10-11 09:20:28 -0400
committerLibravatar netblue30 <netblue30@yahoo.com>2018-10-11 09:20:28 -0400
commit5ce3ca1842c57bde4c29ad572b8fb91cc5f1530d (patch)
treeab4a458dbae4b29dff3762858358344545b00e10
parent0.9.56.1 - bugfix release (diff)
parentMerge pull request #2159 from smitsohu/master (diff)
downloadfirejail-5ce3ca1842c57bde4c29ad572b8fb91cc5f1530d.tar.gz
firejail-5ce3ca1842c57bde4c29ad572b8fb91cc5f1530d.tar.zst
firejail-5ce3ca1842c57bde4c29ad572b8fb91cc5f1530d.zip
Merge branch 'master' of http://github.com/netblue30/firejail
-rw-r--r--src/firejail/firejail.h2
-rw-r--r--src/firejail/fs.c22
-rw-r--r--src/firejail/sandbox.c6
3 files changed, 22 insertions, 8 deletions
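diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 40155b155..1d74dc8dc 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -453,7 +453,7 @@ void fs_chroot(const char *rootdir);
 void fs_check_chroot_dir(const char *rootdir);
 void fs_private_tmp(void);
 void fs_private_cache(void);
-void fs_mnt(void);
+void fs_mnt(const int enforce);
 
 // profile.c
 // find and read the profile specified by name from dir directory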
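Review bot: The new prototype `void fs_mnt(const int enforce);` qualifies a by-value parameter with `const`, which is not part of the function type and only has meaning inside the definition; the conventional header form is `void fs_mnt(int enforce);` and it still matches the definition in fs.c. A one-line comment next to the declaration would also help header readers, since the flag's meaning is otherwise only discoverable from fs.c, e.g. `// enforce: non-zero blacklists the mount points directly, zero adds them to the profile as blacklist rules`.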
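diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 83830cff6..b958df81a 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -545,11 +545,23 @@ void fs_noexec(const char *dir) {
 }
 
 // Disable /mnt, /media, /run/mount and /run/media access
-void fs_mnt(void) {
-	disable_file(BLACKLIST_FILE, "/mnt");
-	disable_file(BLACKLIST_FILE, "/media");
-	disable_file(BLACKLIST_FILE, "/run/mount");
-	disable_file(BLACKLIST_FILE, "//run/media");
+void fs_mnt(const int enforce) {
+	if (enforce) {
+		// disable-mnt set in firejail.config
+		// overriding with noblacklist is not possible in this case
+		disable_file(BLACKLIST_FILE, "/mnt");
+		disable_file(BLACKLIST_FILE, "/media");
+		disable_file(BLACKLIST_FILE, "/run/mount");
+		disable_file(BLACKLIST_FILE, "/run/media");
+	}
+	else {
+		EUID_USER();
+		profile_add("blacklist /mnt");
+		profile_add("blacklist /media");
+		profile_add("blacklist /run/mount");
+		profile_add("blacklist /run/media");
+		EUID_ROOT();
+	}
 }
 
 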
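Review bot: The header comment `// Disable /mnt, /media, /run/mount and /run/media access` above fs_mnt no longer describes the function: the new `enforce` parameter selects between calling disable_file() directly and queueing `blacklist` rules through profile_add(), and only the first branch carries a comment. I would extend it to `// Disable /mnt, /media, /run/mount and /run/media access. enforce != 0: blacklist directly (disable-mnt in firejail.config, cannot be undone by noblacklist); enforce == 0: add blacklist rules to the profile instead.` and mirror it in the else branch with something like `// --disable-mnt on the command line: go through the profile so a noblacklist rule can still override`. That the profile path is overridable is inferred from the first branch's comment rather than shown here, so confirm it is the intended contract before stating it. The EUID_USER()/EUID_ROOT() pair around the profile_add() calls also deserves a short why-comment, since the privilege switch is not explained at the call site.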
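diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 5441522ab..8eede6f93 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -923,8 +923,10 @@ int sandbox(void* sandbox_arg) {
 	//****************************
 	// handle /mnt and /media
 	//****************************
-	if (arg_disable_mnt || checkcfg(CFG_DISABLE_MNT))
-		fs_mnt();
+	if (checkcfg(CFG_DISABLE_MNT))
+		fs_mnt(1);
+	else if (arg_disable_mnt)
+		fs_mnt(0);
 
 	//****************************
 	// apply the profile file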
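Review bot: The ordering dependency this introduces is undocumented: `fs_mnt(0)` only adds `blacklist` rules through profile_add(), so it presumably takes effect only because this block runs before the `// apply the profile file` step that follows, and moving it below that step would likely make `--disable-mnt` a silent no-op. A comment such as `// must stay ahead of profile application: fs_mnt(0) only queues blacklist rules` above the `if` would guard against that. The bare `1`/`0` arguments also read as magic values; a comment on each call (or a named constant declared alongside the prototype) would make the precedence visible here — the firejail.config setting wins over the command-line flag and, per the fs.c comment, cannot be undone by noblacklist, while the flag alone can. The enclosing sandbox() function starts and ends outside the hunk.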