private-dev enhancements

7 files changed, 54 insertions, 4 deletions

diff --git a/README.md b/README.md
index a46e116d0..bec1a2716 100644
--- a/README.md
+++ b/README.md
@@ -86,6 +86,10 @@ AUDIT
        Limitations: audit feature is not implemented for --x11 commands.
 `````
 
+## --private-dev enhancements - work in progress!
+
+The following devices are added to --private-dev list.
+
 ## Converting profiles to private-bin - work in progress!
 
 BitTorrent: deluge, qbittorrent, rtorrent, transmission-gtk, transmission-qt, uget-gtk
diff --git a/RELNOTES b/RELNOTES
index d845e976c..96a5f0a7f 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -2,6 +2,7 @@ firejail (0.9.41) baseline; urgency=low
   * work in progress...
   * AppImage support (--appimage)
   * Sandbox auditing support (--audit)
+  * include /dev/snd in --private-dev
   * compile time and run time support to disable whitelists
   * compile time support to disable global configuration file
   * some profiles have been converted to private-bin
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index ddc37e203..24af41192 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -44,6 +44,7 @@
 #define RUN_ETC_DIR     "/run/firejail/mnt/etc"
 #define RUN_BIN_DIR     "/run/firejail/mnt/bin"
 #define RUN_DRI_DIR     "/run/firejail/mnt/dri"
+#define RUN_SND_DIR     "/run/firejail/mnt/snd"
 #define RUN_PULSE_DIR   "/run/firejail/mnt/pulse"
 #define RUN_DEVLOG_FILE "/run/firejail/mnt/devlog"
 
@@ -406,6 +407,7 @@ void dbg_test_dir(const char *dir);
 // fs_dev.c
 void fs_dev_shm(void);
 void fs_private_dev(void);
+void fs_dev_disable_sound();
 
 // fs_home.c
 // private mode (--private)
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 2fd450391..c7a27115f 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -68,9 +68,12 @@ void fs_private_dev(void){
                 printf("Mounting tmpfs on /dev\n");
 
         int have_dri = 0;
+        int have_snd = 0;
         struct stat s;
         if (stat("/dev/dri", &s) == 0)
                 have_dri = 1;
+        if (stat("/dev/snd", &s) == 0)
+                have_snd = 1;
 
         // create DRI_DIR
         fs_build_mnt_dir();
@@ -89,7 +92,23 @@ void fs_private_dev(void){
                         errExit("mounting /dev/dri");
         }
         
-        // restore /dev/log
+        // create SND_DIR
+        if (have_snd) {
+                /* coverity[toctou] */
+                rv = mkdir(RUN_SND_DIR, 0755);
+                if (rv == -1)
+                        errExit("mkdir");
+                if (chown(RUN_SND_DIR, 0, 0) < 0)
+                        errExit("chown");
+                if (chmod(RUN_SND_DIR, 0755) < 0)
+                        errExit("chmod");
+        
+                // keep a copy of /dev/dri under DRI_DIR
+                if (mount("/dev/snd", RUN_SND_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
+                        errExit("mounting /dev/snd");
+        }
+        
+        // create DEVLOG_FILE
         int have_devlog = 0;
         if (stat("/dev/log", &s) == 0) {
                 have_devlog = 1;
@@ -121,6 +140,21 @@ void fs_private_dev(void){
                 }
         }               
 
+        // bring back the /dev/snd directory
+        if (have_snd) {
+                /* coverity[toctou] */
+                rv = mkdir("/dev/snd", 0755);
+                if (rv == -1)
+                        errExit("mkdir");
+                if (chown("/dev/snd", 0, 0) < 0)
+                        errExit("chown");
+                if (chmod("/dev/snd",0755) < 0)
+                        errExit("chmod");
+                if (mount(RUN_SND_DIR, "/dev/snd", NULL, MS_BIND|MS_REC, NULL) < 0)
+                        errExit("mounting /dev/snd");
+                fs_logger("whitelist /dev/snd");
+        }
+
         // bring back the /dev/dri directory
         if (have_dri) {
                 /* coverity[toctou] */
@@ -243,3 +277,9 @@ void fs_dev_shm(void) {
                         
         }
 }
+
+void fs_dev_disable_sound() {
+        if (mount(RUN_RO_DIR, "/dev/snd", "none", MS_BIND, "mode=400,gid=0") < 0)
+                errExit("disable /dev/snd");
+        fs_logger("blacklist /dev/snd");
+}
diff --git a/src/firejail/main.c b/src/firejail/main.c
index ac554ca2a..b1dd7d32c 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1468,7 +1468,6 @@ int main(int argc, char **argv) {
                         env_store(argv[i] + 6);
                 else if (strcmp(argv[i], "--nosound") == 0) {
                         arg_nosound = 1;
-                        arg_private_dev = 1;
                 }
                                 
                 //*************************************
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index a64f28c9a..040efea74 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -178,7 +178,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         }
         else if (strcmp(ptr, "nosound") == 0) {
                 arg_nosound = 1;
-                arg_private_dev = 1;
                 return 0;
         }
         else if (strcmp(ptr, "netfilter") == 0) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index d384d6fa0..0fd81979f 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -559,8 +559,13 @@ int sandbox(void* sandbox_arg) {
         //****************************
         // --nosound and fix for pulseaudio 7.0
         //****************************
-        if (arg_nosound)
+        if (arg_nosound) {
+                // disable pulseaudio
                 pulseaudio_disable();
+
+                // disable /dev/snd
+                fs_dev_disable_sound();
+        }
         else
                 pulseaudio_init();