run time support to disable chroot desktop features

5 files changed, 84 insertions, 65 deletions

diff --git a/RELNOTES b/RELNOTES
index ee3d60230..2a3d93771 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -26,6 +26,7 @@ firejail (0.9.42~rc2) baseline; urgency=low
   * compile time and run time support to disable whitelists
   * compile time support to disable global configuration file
   * run time support to disable remounting of /proc and /sys
+  * run time support to disable chroot desktop features
   * added quiet-by-default config option in /etc/firejail/firejail.config
   * added netfilter-default config option in /etc/firejail/firejail.config
   * added x11 command for profile files
diff --git a/etc/firejail.config b/etc/firejail.config
index 275bba8e2..6b6ba7fdf 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -9,6 +9,11 @@
 # Enable or disable chroot support, default enabled.
 # chroot yes
 
+# Use chroot for desktop programs, default enabled. The sandbox will have full
+# access to system's /dev directory in order to allow video acceleration,
+# and it will harden the rest of the chroot tree.
+# chroot-desktop yes
+
 # Enable or disable file transfer support, default enabled.
 # file-transfer yes
 
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index fed934434..5bc859f8d 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -241,6 +241,14 @@ int checkcfg(int val) {
                                 else
                                         goto errout;
                         }
+                        else if (strncmp(ptr, "chroot-desktop ", 15) == 0) {
+                                if (strcmp(ptr + 15, "yes") == 0)
+                                        cfg_val[CFG_CHROOT_DESKTOP] = 1;
+                                else if (strcmp(ptr + 15, "no") == 0)
+                                        cfg_val[CFG_CHROOT_DESKTOP] = 0;
+                                else
+                                        goto errout;
+                        }
                         else
                                 goto errout;
 
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 8e30e929a..abbaa807c 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -593,7 +593,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh);
 #define CFG_XEPHYR_WINDOW_TITLE 10
 #define CFG_REMOUNT_PROC_SYS 11
 #define CFG_OVERLAYFS 12
-#define CFG_MAX 13 // this should always be the last entry
+#define CFG_CHROOT_DESKTOP 13
+#define CFG_MAX 14 // this should always be the last entry
 extern char *xephyr_screen;
 extern char *xephyr_extra_params;
 extern char *netfilter_default;
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index c5ef27615..6c87df1e9 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -1211,56 +1211,58 @@ int fs_check_chroot_dir(const char *rootdir) {
 void fs_chroot(const char *rootdir) {
         assert(rootdir);
         
-        // mount-bind a /dev in rootdir
-        char *newdev;
-        if (asprintf(&newdev, "%s/dev", rootdir) == -1)
-                errExit("asprintf");
-        if (arg_debug)
-                printf("Mounting /dev on %s\n", newdev);
-        if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0)
-                errExit("mounting /dev");
-        free(newdev);
-        
-        // x11
-        if (getenv("FIREJAIL_X11")) {
-                char *newx11;
-                if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1)
+        if (checkcfg(CFG_CHROOT_DESKTOP)) {
+                // mount-bind a /dev in rootdir
+                char *newdev;
+                if (asprintf(&newdev, "%s/dev", rootdir) == -1)
                         errExit("asprintf");
                 if (arg_debug)
-                        printf("Mounting /tmp/.X11-unix on %s\n", newx11);
-                if (mount("/tmp/.X11-unix", newx11, NULL, MS_BIND|MS_REC, NULL) < 0)
-                        errExit("mounting /tmp/.X11-unix");
-                free(newx11);
-        }
-        
-        // some older distros don't have a /run directory
-        // create one by default
-        // no exit on error, let the user deal with any problems
-        char *rundir;
-        if (asprintf(&rundir, "%s/run", rootdir) == -1)
-                errExit("asprintf");
-        if (!is_dir(rundir)) {
-                int rv = mkdir(rundir, 0755);
-                (void) rv;
-                rv = chown(rundir, 0, 0);
-                (void) rv;
+                        printf("Mounting /dev on %s\n", newdev);
+                if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0)
+                        errExit("mounting /dev");
+                free(newdev);
+                
+                // x11
+                if (getenv("FIREJAIL_X11")) {
+                        char *newx11;
+                        if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1)
+                                errExit("asprintf");
+                        if (arg_debug)
+                                printf("Mounting /tmp/.X11-unix on %s\n", newx11);
+                        if (mount("/tmp/.X11-unix", newx11, NULL, MS_BIND|MS_REC, NULL) < 0)
+                                errExit("mounting /tmp/.X11-unix");
+                        free(newx11);
+                }
+                
+                // some older distros don't have a /run directory
+                // create one by default
+                // no exit on error, let the user deal with any problems
+                char *rundir;
+                if (asprintf(&rundir, "%s/run", rootdir) == -1)
+                        errExit("asprintf");
+                if (!is_dir(rundir)) {
+                        int rv = mkdir(rundir, 0755);
+                        (void) rv;
+                        rv = chown(rundir, 0, 0);
+                        (void) rv;
+                }
+                
+                // copy /etc/resolv.conf in chroot directory
+                // if resolv.conf in chroot is a symbolic link, this will fail
+                // no exit on error, let the user deal with the problem
+                char *fname;
+                if (asprintf(&fname, "%s/etc/resolv.conf", rootdir) == -1)
+                        errExit("asprintf");
+                if (arg_debug)
+                        printf("Updating /etc/resolv.conf in %s\n", fname);
+                if (is_link(fname)) {
+                        fprintf(stderr, "Error: invalid %s file\n", fname);
+                        exit(1);
+                }
+                if (copy_file("/etc/resolv.conf", fname) == -1)
+                        fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n");
         }
         
-        // copy /etc/resolv.conf in chroot directory
-        // if resolv.conf in chroot is a symbolic link, this will fail
-        // no exit on error, let the user deal with the problem
-        char *fname;
-        if (asprintf(&fname, "%s/etc/resolv.conf", rootdir) == -1)
-                errExit("asprintf");
-        if (arg_debug)
-                printf("Updating /etc/resolv.conf in %s\n", fname);
-        if (is_link(fname)) {
-                fprintf(stderr, "Error: invalid %s file\n", fname);
-                exit(1);
-        }
-        if (copy_file("/etc/resolv.conf", fname) == -1)
-                fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n");
-                
         // chroot into the new directory
         if (arg_debug)
                 printf("Chrooting into %s\n", rootdir);
@@ -1269,24 +1271,26 @@ void fs_chroot(const char *rootdir) {
         // mount a new tmpfs in /run/firejail/mnt - the old one was lost in chroot
         fs_build_remount_mnt_dir();
                 
-        // update /var directory in order to support multiple sandboxes running on the same root directory
-        if (!arg_private_dev)
-                fs_dev_shm();
-        fs_var_lock();
-        fs_var_tmp();
-        fs_var_log();
-        fs_var_lib();
-        fs_var_cache();
-        fs_var_utmp();
-
-        // don't leak user information
-        restrict_users();
-
-        // when starting as root, firejail config is not disabled;
-        // this mode could be used to install and test new software by chaining
-        // firejail sandboxes (firejail --force)
-        if (getuid() != 0)
-                disable_config();
+        if (checkcfg(CFG_CHROOT_DESKTOP)) {
+                // update /var directory in order to support multiple sandboxes running on the same root directory
+                if (!arg_private_dev)
+                        fs_dev_shm();
+                fs_var_lock();
+                fs_var_tmp();
+                fs_var_log();
+                fs_var_lib();
+                fs_var_cache();
+                fs_var_utmp();
+        
+                // don't leak user information
+                restrict_users();
+        
+                // when starting as root, firejail config is not disabled;
+                // this mode could be used to install and test new software by chaining
+                // firejail sandboxes (firejail --force)
+                if (getuid() != 0)
+                        disable_config();
+        }
 }
 #endif