diff options
| author |  Chiraag Nataraj <chiraag.nataraj@gmail.com> | 2018-06-12 09:48:21 -0400 |
|---|---|---|
| committer | Chiraag Nataraj <chiraag.nataraj@gmail.com> | 2018-06-12 09:48:21 -0400 |
| commit | 197bcc86c1a1f4c75d6a42a850e0619b3268db1e (patch) | |
| tree | 37b5f5b107de84d1931926680a60a415e4b6e67a | |
| parent | Add /dev/hidraw* devices for potential fix for Yubikey devices (diff) | |
| download | firejail-197bcc86c1a1f4c75d6a42a850e0619b3268db1e.tar.gz firejail-197bcc86c1a1f4c75d6a42a850e0619b3268db1e.tar.zst firejail-197bcc86c1a1f4c75d6a42a850e0619b3268db1e.zip | |
Add --nousb option
| -rw-r--r-- | src/firejail/firejail.h | 2 | ||||
| -rw-r--r-- | src/firejail/fs_dev.c | 11 | ||||
| -rw-r--r-- | src/firejail/main.c | 3 | ||||
| -rw-r--r-- | src/firejail/profile.c | 4 | ||||
| -rw-r--r-- | src/firejail/sandbox.c | 3 | ||||
| -rw-r--r-- | src/man/firejail-profile.txt | 3 | ||||
| -rw-r--r-- | src/man/firejail.txt | 10 |
7 files changed, 35 insertions, 1 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 55f8e6081..565983341 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -383,6 +383,7 @@ extern int arg_noprofile; // use default.profile if none other found/specified | |||
| 383 | extern int arg_memory_deny_write_execute; // block writable and executable memory | 383 | extern int arg_memory_deny_write_execute; // block writable and executable memory |
| 384 | extern int arg_notv; // --notv | 384 | extern int arg_notv; // --notv |
| 385 | extern int arg_nodvd; // --nodvd | 385 | extern int arg_nodvd; // --nodvd |
| 386 | extern int arg_nousb; // --nousb | ||
| 386 | extern int arg_nodbus; // -nodbus | 387 | extern int arg_nodbus; // -nodbus |
| 387 | 388 | ||
| 388 | extern int login_shell; | 389 | extern int login_shell; |
| @@ -557,6 +558,7 @@ void fs_dev_disable_3d(void); | |||
| 557 | void fs_dev_disable_video(void); | 558 | void fs_dev_disable_video(void); |
| 558 | void fs_dev_disable_tv(void); | 559 | void fs_dev_disable_tv(void); |
| 559 | void fs_dev_disable_dvd(void); | 560 | void fs_dev_disable_dvd(void); |
| 561 | void fs_dev_disable_usb(void); | ||
| 560 | 562 | ||
| 561 | // fs_home.c | 563 | // fs_home.c |
| 562 | // private mode (--private) | 564 | // private mode (--private) |
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index b2eeac9c8..f58ebe399 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c | |||
| @@ -102,7 +102,7 @@ static void deventry_mount(void) { | |||
| 102 | (dev[i].type == DEV_VIDEO && arg_novideo == 0) || | 102 | (dev[i].type == DEV_VIDEO && arg_novideo == 0) || |
| 103 | (dev[i].type == DEV_TV && arg_notv == 0) || | 103 | (dev[i].type == DEV_TV && arg_notv == 0) || |
| 104 | (dev[i].type == DEV_DVD && arg_nodvd == 0) || | 104 | (dev[i].type == DEV_DVD && arg_nodvd == 0) || |
| 105 | (dev[i].type == DEV_USB)) { | 105 | (dev[i].type == DEV_USB && arg_nousb == 0)) { |
| 106 | 106 | ||
| 107 | int dir = is_dir(dev[i].run_fname); | 107 | int dir = is_dir(dev[i].run_fname); |
| 108 | if (arg_debug) | 108 | if (arg_debug) |
| @@ -370,3 +370,12 @@ void fs_dev_disable_dvd(void) { | |||
| 370 | i++; | 370 | i++; |
| 371 | } | 371 | } |
| 372 | } | 372 | } |
| 373 | |||
| 374 | void fs_dev_disable_usb(void) { | ||
| 375 | int i = 0; | ||
| 376 | while (dev[i].dev_fname != NULL) { | ||
| 377 | if (dev[i].type == DEV_USB) | ||
| 378 | disable_file_or_dir(dev[i].dev_fname); | ||
| 379 | i++; | ||
| 380 | } | ||
| 381 | } | ||
diff --git a/src/firejail/main.c b/src/firejail/main.c index 072c4b0ee..51f875e91 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -123,6 +123,7 @@ int arg_memory_deny_write_execute = 0; // block writable and executable memory | |||
| 123 | int arg_notv = 0; // --notv | 123 | int arg_notv = 0; // --notv |
| 124 | int arg_nodvd = 0; // --nodvd | 124 | int arg_nodvd = 0; // --nodvd |
| 125 | int arg_nodbus = 0; // -nodbus | 125 | int arg_nodbus = 0; // -nodbus |
| 126 | int arg_nousb = 0; // --nousb | ||
| 126 | int login_shell = 0; | 127 | int login_shell = 0; |
| 127 | 128 | ||
| 128 | 129 | ||
| @@ -1722,6 +1723,8 @@ int main(int argc, char **argv) { | |||
| 1722 | arg_notv = 1; | 1723 | arg_notv = 1; |
| 1723 | else if (strcmp(argv[i], "--nodvd") == 0) | 1724 | else if (strcmp(argv[i], "--nodvd") == 0) |
| 1724 | arg_nodvd = 1; | 1725 | arg_nodvd = 1; |
| 1726 | else if (strcmp(argv[i], "--nousb") == 0) | ||
| 1727 | arg_nousb = 1; | ||
| 1725 | else if (strcmp(argv[i], "--nodbus") == 0) | 1728 | else if (strcmp(argv[i], "--nodbus") == 0) |
| 1726 | arg_nodbus = 1; | 1729 | arg_nodbus = 1; |
| 1727 | 1730 | ||
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 7b59cd48c..8c393cab5 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
| @@ -257,6 +257,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
| 257 | arg_nodbus = 1; | 257 | arg_nodbus = 1; |
| 258 | return 0; | 258 | return 0; |
| 259 | } | 259 | } |
| 260 | else if (strcmp(ptr, "nousb") == 0) { | ||
| 261 | arg_nousb = 1; | ||
| 262 | return 0; | ||
| 263 | } | ||
| 260 | else if (strcmp(ptr, "netfilter") == 0) { | 264 | else if (strcmp(ptr, "netfilter") == 0) { |
| 261 | #ifdef HAVE_NETWORK | 265 | #ifdef HAVE_NETWORK |
| 262 | if (checkcfg(CFG_NETWORK)) | 266 | if (checkcfg(CFG_NETWORK)) |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 5c129fead..c22d65122 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -908,6 +908,9 @@ int sandbox(void* sandbox_arg) { | |||
| 908 | if (arg_nodvd) | 908 | if (arg_nodvd) |
| 909 | fs_dev_disable_dvd(); | 909 | fs_dev_disable_dvd(); |
| 910 | 910 | ||
| 911 | if (arg_nousb) | ||
| 912 | fs_dev_disable_usb(); | ||
| 913 | |||
| 911 | if (arg_novideo) | 914 | if (arg_novideo) |
| 912 | fs_dev_disable_video(); | 915 | fs_dev_disable_video(); |
| 913 | 916 | ||
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 7bfa3a019..76a13c7cc 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
| @@ -468,6 +468,9 @@ pulse servers or non-standard socket paths. | |||
| 468 | \fBnotv | 468 | \fBnotv |
| 469 | Disable DVB (Digital Video Broadcasting) TV devices. | 469 | Disable DVB (Digital Video Broadcasting) TV devices. |
| 470 | .TP | 470 | .TP |
| 471 | \fBnousb | ||
| 472 | Disable USB devices. | ||
| 473 | .TP | ||
| 471 | \fBnovideo | 474 | \fBnovideo |
| 472 | Disable video devices. | 475 | Disable video devices. |
| 473 | .TP | 476 | .TP |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index aad678aa4..2ea39aed4 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
| @@ -1174,6 +1174,16 @@ Example: | |||
| 1174 | $ firejail \-\-notv vlc | 1174 | $ firejail \-\-notv vlc |
| 1175 | 1175 | ||
| 1176 | .TP | 1176 | .TP |
| 1177 | \fB\-\-nousb | ||
| 1178 | Disable USB devices. | ||
| 1179 | .br | ||
| 1180 | |||
| 1181 | .br | ||
| 1182 | Example: | ||
| 1183 | .br | ||
| 1184 | $ firejail \-\-nousb | ||
| 1185 | |||
| 1186 | .TP | ||
| 1177 | \fB\-\-novideo | 1187 | \fB\-\-novideo |
| 1178 | Disable video devices. | 1188 | Disable video devices. |
| 1179 | .br | 1189 | .br |