--no3d - disable 3D hardware acceleration

10 files changed, 88 insertions, 31 deletions

diff --git a/README.md b/README.md
index 39bb5bc59..43489d38a 100644
--- a/README.md
+++ b/README.md
@@ -68,6 +68,11 @@ If you keep your Firejail profiles in a public repository, please give us a link
               sandbox with specified name exists, otherwise same as "firejail --name=name ..."
               Note that in contrary to other join options there is respective profile option.
 
+      --no3d Disable 3D hardware acceleration.
+
+              Example:
+              $ firejail --no3d firefox
+
 `````
 
 ## New profile commands
diff --git a/RELNOTES b/RELNOTES
index 492bd007a..8b47ee8e4 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -3,13 +3,14 @@ firejail (0.9.43) baseline; urgency=low
   * development version
   * modifs: removed man firejail-config
   * modifs: --private-tmp whitelists /tmp/.X11-unix directory
-  * modifs: Nvidia drivers added to --privte-dev
+  * modifs: Nvidia drivers added to --private-dev
   * feature: support starting/joining sandbox is a single command
     (--join-or-start)
   * feature: all user home directories are visible (--allusers)
   * feature: add files to sandbox container (--put)
   * feature: blocking x11 (--x11=block)
-  * feature: x11 xpra, x11 xephyr, x11 block, allusers profile commands
+  * feature: disable 3D hardware acceleration (--no3d)
+  * feature: x11 xpra, x11 xephyr, x11 block, allusers, no3d profile commands
   * new profiles: qpdfview, mupdf
   * bugfixes
  -- netblue30 <netblue30@yahoo.com>  Fri, 9 Sept 2016 08:00:00 -0500
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 4e92f3e89..4ee1c943a 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -305,6 +305,7 @@ extern int arg_private_tmp;	// private tmp directory
 extern int arg_scan;            // arp-scan all interfaces
 extern int arg_whitelist;       // whitelist commad
 extern int arg_nosound; // disable sound
+extern int arg_no3d;            // disable 3d hardware acceleration
 extern int arg_quiet;           // no output for scripting
 extern int arg_join_network;    // join only the network namespace
 extern int arg_join_filesystem; // join only the mount namespace
@@ -470,7 +471,8 @@ void dbg_test_dir(const char *dir);
 // fs_dev.c
 void fs_dev_shm(void);
 void fs_private_dev(void);
-void fs_dev_disable_sound();
+void fs_dev_disable_sound(void);
+void fs_dev_disable_3d(void);
 
 // fs_home.c
 // private mode (--private)
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 6f5385f79..daf0afd9e 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -33,25 +33,27 @@
 typedef struct {
         const char *dev_fname;
         const char *run_fname;
+        int sound;
+        int hw3d;
 } DevEntry;
 
 static DevEntry dev[] = {
-        {"/dev/snd", RUN_DEV_DIR "/snd"},
-        {"/dev/dri", RUN_DEV_DIR "/dri"},
-        {"/dev/nvidia0", RUN_DEV_DIR "/nvidia0"},
-        {"/dev/nvidia1", RUN_DEV_DIR "/nvidia1"},
-        {"/dev/nvidia2", RUN_DEV_DIR "/nvidia2"},
-        {"/dev/nvidia3", RUN_DEV_DIR "/nvidia3"},
-        {"/dev/nvidia4", RUN_DEV_DIR "/nvidia4"},
-        {"/dev/nvidia5", RUN_DEV_DIR "/nvidia5"},
-        {"/dev/nvidia6", RUN_DEV_DIR "/nvidia6"},
-        {"/dev/nvidia7", RUN_DEV_DIR "/nvidia7"},
-        {"/dev/nvidia8", RUN_DEV_DIR "/nvidia8"},
-        {"/dev/nvidia9", RUN_DEV_DIR "/nvidia9"},
-        {"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl"},
-        {"/dev/nvidia-modset", RUN_DEV_DIR "/nvidia-modset"},
-        {"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm"},
-        {NULL, NULL}
+        {"/dev/snd", RUN_DEV_DIR "/snd", 1, 0}, // sound device
+        {"/dev/dri", RUN_DEV_DIR "/dri", 0, 1},         // 3d device
+        {"/dev/nvidia0", RUN_DEV_DIR "/nvidia0", 0, 1},
+        {"/dev/nvidia1", RUN_DEV_DIR "/nvidia1", 0, 1},
+        {"/dev/nvidia2", RUN_DEV_DIR "/nvidia2", 0, 1},
+        {"/dev/nvidia3", RUN_DEV_DIR "/nvidia3", 0, 1},
+        {"/dev/nvidia4", RUN_DEV_DIR "/nvidia4", 0, 1},
+        {"/dev/nvidia5", RUN_DEV_DIR "/nvidia5", 0, 1},
+        {"/dev/nvidia6", RUN_DEV_DIR "/nvidia6", 0, 1},
+        {"/dev/nvidia7", RUN_DEV_DIR "/nvidia7", 0, 1},
+        {"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", 0, 1},
+        {"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", 0, 1},
+        {"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", 0, 1},
+        {"/dev/nvidia-modset", RUN_DEV_DIR "/nvidia-modset", 0, 1},
+        {"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", 0, 1},
+        {NULL, NULL, 0, 0}
 };
 
 static void deventry_mount(void) {
@@ -281,10 +283,38 @@ void fs_dev_shm(void) {
         }
 }
 
-void fs_dev_disable_sound() {
+static void disable_file_or_dir(const char *fname) {
         if (arg_debug)
-                printf("disable /dev/snd\n");
-        if (mount(RUN_RO_DIR, "/dev/snd", "none", MS_BIND, "mode=400,gid=0") < 0)
-                errExit("disable /dev/snd");
-        fs_logger("blacklist /dev/snd");
+                printf("disable %s\n", fname);
+        struct stat s;
+        if (stat(fname, &s) != -1) {
+                if (is_dir(fname)) {    
+                        if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+                                errExit("disable directory");
+                }
+                else {
+                        if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+                                errExit("disable file");
+                }               
+        }
+        fs_logger2("blacklist", fname);
+
+}
+
+void fs_dev_disable_sound(void) {
+        int i = 0;
+        while (dev[i].dev_fname != NULL) {
+                if (dev[i].sound)
+                        disable_file_or_dir(dev[i].dev_fname);
+                i++;
+        }
+}
+
+void fs_dev_disable_3d(void) {
+        int i = 0;
+        while (dev[i].dev_fname != NULL) {
+                if (dev[i].hw3d)
+                        disable_file_or_dir(dev[i].dev_fname);
+                i++;
+        }
 }
diff --git a/src/firejail/main.c b/src/firejail/main.c
index bf73656d2..c2d71bdf5 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -93,6 +93,7 @@ int arg_private_tmp = 0;			// private tmp directory
 int arg_scan = 0;                               // arp-scan all interfaces
 int arg_whitelist = 0;                          // whitelist commad
 int arg_nosound = 0;                            // disable sound
+int arg_no3d;                                   // disable 3d hardware acceleration
 int arg_quiet = 0;                              // no output for scripting
 int arg_join_network = 0;                       // join only the network namespace
 int arg_join_filesystem = 0;                    // join only the mount namespace
@@ -1733,6 +1734,9 @@ int main(int argc, char **argv) {
                 else if (strcmp(argv[i], "--nosound") == 0) {
                         arg_nosound = 1;
                 }
+                else if (strcmp(argv[i], "--no3d") == 0) {
+                        arg_no3d = 1;
+                }
                                 
                 //*************************************
                 // network
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 33029a86b..1e1ccaf0e 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -201,6 +201,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 arg_nosound = 1;
                 return 0;
         }
+        else if (strcmp(ptr, "no3d") == 0) {
+                arg_no3d = 1;
+                return 0;
+        }
         else if (strcmp(ptr, "netfilter") == 0) {
 #ifdef HAVE_NETWORK
                 if (checkcfg(CFG_NETWORK))
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index cd81b0b11..7666f1f62 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -558,11 +558,6 @@ int sandbox(void* sandbox_arg) {
                         fs_private();
         }
 
-#if 0   
-   if (arg_private_template) 
-      fs_private_template();
-#endif
-
         if (arg_private_dev) {
                 if (cfg.chrootdir)
                         fprintf(stderr, "Warning: private-dev feature is disabled in chroot\n");
@@ -635,7 +630,7 @@ int sandbox(void* sandbox_arg) {
                 fs_trace();
                 
         //****************************
-        // --nosound and fix for pulseaudio 7.0
+        // nosound/no3d and fix for pulseaudio 7.0
         //****************************
         if (arg_nosound) {
                 // disable pulseaudio
@@ -647,6 +642,9 @@ int sandbox(void* sandbox_arg) {
         else
                 pulseaudio_init();
         
+        if (arg_no3d)
+                fs_dev_disable_3d();
+        
         //****************************
         // networking
         //****************************
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 3425b050e..78ba34fd2 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -147,7 +147,8 @@ void usage(void) {
         printf("    --netstats - monitor network statistics for sandboxes creating a new\n");
         printf("\tnetwork namespace.\n\n");
 #endif
-        printf("    --nice=value - set nice value\n\n");
+        printf("    --nice=value - set nice value.\n\n");
+        printf("    --no3d - disable 3D hardware acceleration.\n\n");
         printf("    --noblacklist=dirname_or_filename - disable blacklist for directory or\n");
         printf("\tfile.\n\n");
         printf("    --noexec=dirname_of_filenam - remount the file or directory noexec\n");
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 3e415c2cc..b945f6828 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -355,6 +355,9 @@ Enable IPC namespace.
 .TP
 \fBnosound
 Disable sound system.
+.TP
+\fBno3d
+Disable 3D hardware acceleration.
 
 .SH Networking
 Networking features available in profile files.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 71624afc2..fe3e53044 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -853,6 +853,15 @@ Example:
 .br
 $ firejail --nice=2 firefox
 
+.TP
+\fB\-\-no3d
+Disable 3D hardware acceleration.
+.br
+
+.br
+Example:
+.br
+$ firejail --no3d firefox
 
 .TP
 \fB\-\-noblacklist=dirname_or_filename