mainline merge: allow overriding of disable-mnt with noblacklist

author: startx2017 <vradu.startx@yandex.com> 2018-10-17 18:49:23 -0400
committer: startx2017 <vradu.startx@yandex.com> 2018-10-17 18:49:23 -0400
commit: d95bd0616e760986c58cd7b459a2f4cffee87829 (patch)
tree: fb8db345f8a32b9b5ad04a0634491e11ad93443d /src/firejail/fs.c
parent: mainline merge: clean /run/user directory (diff)
download: firejail-d95bd0616e760986c58cd7b459a2f4cffee87829.tar.gz
firejail-d95bd0616e760986c58cd7b459a2f4cffee87829.tar.zst
firejail-d95bd0616e760986c58cd7b459a2f4cffee87829.zip
1 files changed, 17 insertions, 5 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 74f8328ff..b93424365 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -545,11 +545,23 @@ void fs_noexec(const char *dir) {
 }
 // Disable /mnt, /media, /run/mount and /run/media access
-void fs_mnt(void) {
+void fs_mnt(const int enforce) {
-        disable_file(BLACKLIST_FILE, "/mnt");
+        if (enforce) {
-        disable_file(BLACKLIST_FILE, "/media");
+                // disable-mnt set in firejail.config
-        disable_file(BLACKLIST_FILE, "/run/mount");
+                // overriding with noblacklist is not possible in this case
-        disable_file(BLACKLIST_FILE, "//run/media");
+                disable_file(BLACKLIST_FILE, "/mnt");
+                disable_file(BLACKLIST_FILE, "/media");
+                disable_file(BLACKLIST_FILE, "/run/mount");
+                disable_file(BLACKLIST_FILE, "/run/media");
+        }
+        else {
+                EUID_USER();
+                profile_add("blacklist /mnt");
+                profile_add("blacklist /media");
+                profile_add("blacklist /run/mount");
+                profile_add("blacklist /run/media");
+                EUID_ROOT();
+        }
 }
author	startx2017 <vradu.startx@yandex.com>	2018-10-17 18:49:23 -0400
committer	startx2017 <vradu.startx@yandex.com>	2018-10-17 18:49:23 -0400
commit	d95bd0616e760986c58cd7b459a2f4cffee87829 (patch)
tree	fb8db345f8a32b9b5ad04a0634491e11ad93443d /src/firejail/fs.c
parent	mainline merge: clean /run/user directory (diff)
download	firejail-d95bd0616e760986c58cd7b459a2f4cffee87829.tar.gz firejail-d95bd0616e760986c58cd7b459a2f4cffee87829.tar.zst firejail-d95bd0616e760986c58cd7b459a2f4cffee87829.zip

diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 74f8328ff..b93424365 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -545,11 +545,23 @@ void fs_noexec(const char *dir) {
545	}	545	}
546		546
547	// Disable /mnt, /media, /run/mount and /run/media access	547	// Disable /mnt, /media, /run/mount and /run/media access
548	void fs_mnt(void) {	548	void fs_mnt(const int enforce) {
549	disable_file(BLACKLIST_FILE, "/mnt");	549	if (enforce) {
550	disable_file(BLACKLIST_FILE, "/media");	550	// disable-mnt set in firejail.config
551	disable_file(BLACKLIST_FILE, "/run/mount");	551	// overriding with noblacklist is not possible in this case
552	disable_file(BLACKLIST_FILE, "//run/media");	552	disable_file(BLACKLIST_FILE, "/mnt");
		553	disable_file(BLACKLIST_FILE, "/media");
		554	disable_file(BLACKLIST_FILE, "/run/mount");
		555	disable_file(BLACKLIST_FILE, "/run/media");
		556	}
		557	else {
		558	EUID_USER();
		559	profile_add("blacklist /mnt");
		560	profile_add("blacklist /media");
		561	profile_add("blacklist /run/mount");
		562	profile_add("blacklist /run/media");
		563	EUID_ROOT();
		564	}
553	}	565	}
554		566
555		567