--notv for #1446

author: startx2017 <vradu.startx@yandex.com> 2017-08-10 09:31:03 -0400
committer: startx2017 <vradu.startx@yandex.com> 2017-08-10 09:31:03 -0400
commit: be00aa351c1184ef7ac07a05190909d35d137c76 (patch)
tree: 6c30178875f38e0c269fcbd5ea02d38937d9f636 /src
parent: Merge pull request #1448 from da2x/patch-1 (diff)
download: firejail-be00aa351c1184ef7ac07a05190909d35d137c76.tar.gz
firejail-be00aa351c1184ef7ac07a05190909d35d137c76.tar.zst
firejail-be00aa351c1184ef7ac07a05190909d35d137c76.zip
7 files changed, 80 insertions, 46 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 86f730aa0..bb16ea42b 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -360,6 +360,7 @@ extern int arg_machineid;	// preserve /etc/machine-id
 extern int arg_disable_mnt;     // disable /mnt and /media
 extern int arg_noprofile;       // use default.profile if none other found/specified
 extern int arg_memory_deny_write_execute;       // block writable and executable memory
+extern int arg_notv;    // --notv
 extern int login_shell;
 extern int parent_to_child_fds[2];
@@ -512,6 +513,7 @@ void fs_private_dev(void);
 void fs_dev_disable_sound(void);
 void fs_dev_disable_3d(void);
 void fs_dev_disable_video(void);
+void fs_dev_disable_tv(void);
 // fs_home.c
 // private mode (--private)
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 86ff0d4f9..45f4bcc1c 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -31,42 +31,50 @@
 #include <sys/sysmacros.h>
 #include <sys/types.h>
+// device type
+typedef enum {
+        DEV_NONE = 0,
+        DEV_SOUND,
+        DEV_3D,
+        DEV_VIDEO,
+        DEV_TV,
+} DEV_TYPE;
 typedef struct {
        const char *dev_fname;
        const char *run_fname;
-        int sound;
+        DEV_TYPE  type;
-        int hw3d;
-        int video;
 } DevEntry;
 static DevEntry dev[] = {
-        {"/dev/snd", RUN_DEV_DIR "/snd", 1, 0, 0},      // sound device
+        {"/dev/snd", RUN_DEV_DIR "/snd", DEV_SOUND},    // sound device
-        {"/dev/dri", RUN_DEV_DIR "/dri", 0, 1, 0},              // 3d device
+        {"/dev/dri", RUN_DEV_DIR "/dri", DEV_3D},               // 3d device
-        {"/dev/nvidia0", RUN_DEV_DIR "/nvidia0", 0, 1, 0},
+        {"/dev/nvidia0", RUN_DEV_DIR "/nvidia0", DEV_3D},
-        {"/dev/nvidia1", RUN_DEV_DIR "/nvidia1", 0, 1, 0},
+        {"/dev/nvidia1", RUN_DEV_DIR "/nvidia1", DEV_3D},
-        {"/dev/nvidia2", RUN_DEV_DIR "/nvidia2", 0, 1, 0},
+        {"/dev/nvidia2", RUN_DEV_DIR "/nvidia2", DEV_3D},
-        {"/dev/nvidia3", RUN_DEV_DIR "/nvidia3", 0, 1, 0},
+        {"/dev/nvidia3", RUN_DEV_DIR "/nvidia3", DEV_3D},
-        {"/dev/nvidia4", RUN_DEV_DIR "/nvidia4", 0, 1, 0},
+        {"/dev/nvidia4", RUN_DEV_DIR "/nvidia4", DEV_3D},
-        {"/dev/nvidia5", RUN_DEV_DIR "/nvidia5", 0, 1, 0},
+        {"/dev/nvidia5", RUN_DEV_DIR "/nvidia5", DEV_3D},
-        {"/dev/nvidia6", RUN_DEV_DIR "/nvidia6", 0, 1, 0},
+        {"/dev/nvidia6", RUN_DEV_DIR "/nvidia6", DEV_3D},
-        {"/dev/nvidia7", RUN_DEV_DIR "/nvidia7", 0, 1, 0},
+        {"/dev/nvidia7", RUN_DEV_DIR "/nvidia7", DEV_3D},
-        {"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", 0, 1, 0},
+        {"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", DEV_3D},
-        {"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", 0, 1, 0},
+        {"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", DEV_3D},
-        {"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", 0, 1, 0},
+        {"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", DEV_3D},
-        {"/dev/nvidia-modeset", RUN_DEV_DIR "/nvidia-modeset", 0, 1, 0},
+        {"/dev/nvidia-modeset", RUN_DEV_DIR "/nvidia-modeset", DEV_3D},
-        {"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", 0, 1, 0},
+        {"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", DEV_3D},
-        {"/dev/video0", RUN_DEV_DIR "/video0", 0, 0, 1}, // video camera devices
+        {"/dev/video0", RUN_DEV_DIR "/video0", DEV_VIDEO}, // video camera devices
-        {"/dev/video1", RUN_DEV_DIR "/video1", 0, 0, 1},
+        {"/dev/video1", RUN_DEV_DIR "/video1", DEV_VIDEO},
-        {"/dev/video2", RUN_DEV_DIR "/video2", 0, 0, 1},
+        {"/dev/video2", RUN_DEV_DIR "/video2", DEV_VIDEO},
-        {"/dev/video3", RUN_DEV_DIR "/video3", 0, 0, 1},
+        {"/dev/video3", RUN_DEV_DIR "/video3", DEV_VIDEO},
-        {"/dev/video4", RUN_DEV_DIR "/video4", 0, 0, 1},
+        {"/dev/video4", RUN_DEV_DIR "/video4", DEV_VIDEO},
-        {"/dev/video5", RUN_DEV_DIR "/video5", 0, 0, 1},
+        {"/dev/video5", RUN_DEV_DIR "/video5", DEV_VIDEO},
-        {"/dev/video6", RUN_DEV_DIR "/video6", 0, 0, 1},
+        {"/dev/video6", RUN_DEV_DIR "/video6", DEV_VIDEO},
-        {"/dev/video7", RUN_DEV_DIR "/video7", 0, 0, 1},
+        {"/dev/video7", RUN_DEV_DIR "/video7", DEV_VIDEO},
-        {"/dev/video8", RUN_DEV_DIR "/video8", 0, 0, 1},
+        {"/dev/video8", RUN_DEV_DIR "/video8", DEV_VIDEO},
-        {"/dev/video9", RUN_DEV_DIR "/video9", 0, 0, 1},
+        {"/dev/video9", RUN_DEV_DIR "/video9", DEV_VIDEO},
-        {"/dev/dvb", RUN_DEV_DIR "/dvb", 0, 0, 0}, // DVB (Digital Video Brodcasting) - TV device
+        {"/dev/dvb", RUN_DEV_DIR "/dvb", DEV_TV}, // DVB (Digital Video Brodcasting) - TV device
-        {NULL, NULL, 0, 0, 0}
+        {NULL, NULL, DEV_NONE}
 };
 static void deventry_mount(void) {
@@ -295,7 +303,7 @@ static void disable_file_or_dir(const char *fname) {
 void fs_dev_disable_sound(void) {
        int i = 0;
        while (dev[i].dev_fname != NULL) {
-                if (dev[i].sound)
+                if (dev[i].type == DEV_SOUND)
                        disable_file_or_dir(dev[i].dev_fname);
                i++;
        }
@@ -304,7 +312,7 @@ void fs_dev_disable_sound(void) {
 void fs_dev_disable_video(void) {
        int i = 0;
        while (dev[i].dev_fname != NULL) {
-                if (dev[i].video)
+                if (dev[i].type == DEV_VIDEO)
                        disable_file_or_dir(dev[i].dev_fname);
                i++;
        }
@@ -313,7 +321,16 @@ void fs_dev_disable_video(void) {
 void fs_dev_disable_3d(void) {
        int i = 0;
        while (dev[i].dev_fname != NULL) {
-                if (dev[i].hw3d)
+                if (dev[i].type == DEV_3D)
+                        disable_file_or_dir(dev[i].dev_fname);
+                i++;
+        }
+}
+void fs_dev_disable_tv(void) {
+        int i = 0;
+        while (dev[i].dev_fname != NULL) {
+                if (dev[i].type == DEV_TV)
                        disable_file_or_dir(dev[i].dev_fname);
                i++;
        }
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 9cff080a0..3718c82ff 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -112,7 +112,7 @@ int arg_writable_var_log = 0;		// writable /var/log
 int arg_disable_mnt = 0;                        // disable /mnt and /media
 int arg_noprofile = 0; // use default.profile if none other found/specified
 int arg_memory_deny_write_execute = 0;          // block writable and executable memory
+int arg_notv = 0;       // --notv
 int login_shell = 0;
@@ -1676,22 +1676,20 @@ int main(int argc, char **argv) {
                                exit_err_feature("noroot");
                }
 #endif
-                else if (strcmp(argv[i], "--nonewprivs") == 0) {
+                else if (strcmp(argv[i], "--nonewprivs") == 0)
                        arg_nonewprivs = 1;
-                }
                else if (strncmp(argv[i], "--env=", 6) == 0)
                        env_store(argv[i] + 6, SETENV);
                else if (strncmp(argv[i], "--rmenv=", 8) == 0)
                        env_store(argv[i] + 8, RMENV);
-                else if (strcmp(argv[i], "--nosound") == 0) {
+                else if (strcmp(argv[i], "--nosound") == 0)
                        arg_nosound = 1;
-                }
+                else if (strcmp(argv[i], "--novideo") == 0)
-                else if (strcmp(argv[i], "--novideo") == 0) {
                        arg_novideo = 1;
-                }
+                else if (strcmp(argv[i], "--no3d") == 0)
-                else if (strcmp(argv[i], "--no3d") == 0) {
                        arg_no3d = 1;
-                }
+                else if (strcmp(argv[i], "--notv") == 0)
+                        arg_notv = 1;
                //*************************************
                // network
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 708251b0b..54670483f 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -225,6 +225,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                arg_nosound = 1;
                return 0;
        }
+        else if (strcmp(ptr, "notv") == 0) {
+                arg_notv = 1;
+                return 0;
+        }
        else if (strcmp(ptr, "novideo") == 0) {
                arg_novideo = 1;
                return 0;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 6c0fdebe3..4af8b747b 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -876,7 +876,7 @@ int sandbox(void* sandbox_arg) {
        fs_blacklist(); // mkdir and mkfile are processed all over again
        //****************************
-        // nosound/no3d and fix for pulseaudio 7.0
+        // nosound/no3d/notv/novideo and fix for pulseaudio 7.0
        //****************************
        if (arg_nosound) {
                // disable pulseaudio
@@ -891,9 +891,9 @@ int sandbox(void* sandbox_arg) {
        if (arg_no3d)
                fs_dev_disable_3d();
-        //****************************
+        if (arg_notv)
-        // novideo
+                fs_dev_disable_tv();
-        //****************************
        if (arg_novideo) {
                // disable /dev/video*
                fs_dev_disable_video();
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index f446f37b8..665f4405b 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -423,6 +423,9 @@ Enable IPC namespace.
 \fBnosound
 Disable sound system.
 .TP
+\fBnotv
+Disable DVB (Digital Video Brodcasting) TV devices.
+.TP
 \fBnovideo
 Disable video devices.
 .TP
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index bf18167b2..b0746030b 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1084,6 +1084,16 @@ Example:
 $ firejail \-\-nosound firefox
 .TP
+\fB\-\-notv
+Disable DVB (Digital Video Brodcasting) TV devices.
+.br
+.br
+Example:
+.br
+$ firejail \-\-notv vlc
+.TP
 \fB\-\-novideo
 Disable video devices.
 .br
author	startx2017 <vradu.startx@yandex.com>	2017-08-10 09:31:03 -0400
committer	startx2017 <vradu.startx@yandex.com>	2017-08-10 09:31:03 -0400
commit	be00aa351c1184ef7ac07a05190909d35d137c76 (patch)
tree	6c30178875f38e0c269fcbd5ea02d38937d9f636 /src
parent	Merge pull request #1448 from da2x/patch-1 (diff)
download	firejail-be00aa351c1184ef7ac07a05190909d35d137c76.tar.gz firejail-be00aa351c1184ef7ac07a05190909d35d137c76.tar.zst firejail-be00aa351c1184ef7ac07a05190909d35d137c76.zip

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 86f730aa0..bb16ea42b 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -360,6 +360,7 @@ extern int arg_machineid; // preserve /etc/machine-id
360	extern int arg_disable_mnt; // disable /mnt and /media	360	extern int arg_disable_mnt; // disable /mnt and /media
361	extern int arg_noprofile; // use default.profile if none other found/specified	361	extern int arg_noprofile; // use default.profile if none other found/specified
362	extern int arg_memory_deny_write_execute; // block writable and executable memory	362	extern int arg_memory_deny_write_execute; // block writable and executable memory
		363	extern int arg_notv; // --notv
363		364
364	extern int login_shell;	365	extern int login_shell;
365	extern int parent_to_child_fds[2];	366	extern int parent_to_child_fds[2];
@@ -512,6 +513,7 @@ void fs_private_dev(void);
512	void fs_dev_disable_sound(void);	513	void fs_dev_disable_sound(void);
513	void fs_dev_disable_3d(void);	514	void fs_dev_disable_3d(void);
514	void fs_dev_disable_video(void);	515	void fs_dev_disable_video(void);
		516	void fs_dev_disable_tv(void);
515		517
516	// fs_home.c	518	// fs_home.c
517	// private mode (--private)	519	// private mode (--private)


diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index 86ff0d4f9..45f4bcc1c 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c
@@ -31,42 +31,50 @@
31	#include <sys/sysmacros.h>	31	#include <sys/sysmacros.h>
32	#include <sys/types.h>	32	#include <sys/types.h>
33		33
		34	// device type
		35	typedef enum {
		36	DEV_NONE = 0,
		37	DEV_SOUND,
		38	DEV_3D,
		39	DEV_VIDEO,
		40	DEV_TV,
		41	} DEV_TYPE;
		42
		43
34	typedef struct {	44	typedef struct {
35	const char *dev_fname;	45	const char *dev_fname;
36	const char *run_fname;	46	const char *run_fname;
37	int sound;	47	DEV_TYPE type;
38	int hw3d;
39	int video;
40	} DevEntry;	48	} DevEntry;
41		49
42	static DevEntry dev[] = {	50	static DevEntry dev[] = {
43	{"/dev/snd", RUN_DEV_DIR "/snd", 1, 0, 0}, // sound device	51	{"/dev/snd", RUN_DEV_DIR "/snd", DEV_SOUND}, // sound device
44	{"/dev/dri", RUN_DEV_DIR "/dri", 0, 1, 0}, // 3d device	52	{"/dev/dri", RUN_DEV_DIR "/dri", DEV_3D}, // 3d device
45	{"/dev/nvidia0", RUN_DEV_DIR "/nvidia0", 0, 1, 0},	53	{"/dev/nvidia0", RUN_DEV_DIR "/nvidia0", DEV_3D},
46	{"/dev/nvidia1", RUN_DEV_DIR "/nvidia1", 0, 1, 0},	54	{"/dev/nvidia1", RUN_DEV_DIR "/nvidia1", DEV_3D},
47	{"/dev/nvidia2", RUN_DEV_DIR "/nvidia2", 0, 1, 0},	55	{"/dev/nvidia2", RUN_DEV_DIR "/nvidia2", DEV_3D},
48	{"/dev/nvidia3", RUN_DEV_DIR "/nvidia3", 0, 1, 0},	56	{"/dev/nvidia3", RUN_DEV_DIR "/nvidia3", DEV_3D},
49	{"/dev/nvidia4", RUN_DEV_DIR "/nvidia4", 0, 1, 0},	57	{"/dev/nvidia4", RUN_DEV_DIR "/nvidia4", DEV_3D},
50	{"/dev/nvidia5", RUN_DEV_DIR "/nvidia5", 0, 1, 0},	58	{"/dev/nvidia5", RUN_DEV_DIR "/nvidia5", DEV_3D},
51	{"/dev/nvidia6", RUN_DEV_DIR "/nvidia6", 0, 1, 0},	59	{"/dev/nvidia6", RUN_DEV_DIR "/nvidia6", DEV_3D},
52	{"/dev/nvidia7", RUN_DEV_DIR "/nvidia7", 0, 1, 0},	60	{"/dev/nvidia7", RUN_DEV_DIR "/nvidia7", DEV_3D},
53	{"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", 0, 1, 0},	61	{"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", DEV_3D},
54	{"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", 0, 1, 0},	62	{"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", DEV_3D},
55	{"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", 0, 1, 0},	63	{"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", DEV_3D},
56	{"/dev/nvidia-modeset", RUN_DEV_DIR "/nvidia-modeset", 0, 1, 0},	64	{"/dev/nvidia-modeset", RUN_DEV_DIR "/nvidia-modeset", DEV_3D},
57	{"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", 0, 1, 0},	65	{"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", DEV_3D},
58	{"/dev/video0", RUN_DEV_DIR "/video0", 0, 0, 1}, // video camera devices	66	{"/dev/video0", RUN_DEV_DIR "/video0", DEV_VIDEO}, // video camera devices
59	{"/dev/video1", RUN_DEV_DIR "/video1", 0, 0, 1},	67	{"/dev/video1", RUN_DEV_DIR "/video1", DEV_VIDEO},
60	{"/dev/video2", RUN_DEV_DIR "/video2", 0, 0, 1},	68	{"/dev/video2", RUN_DEV_DIR "/video2", DEV_VIDEO},
61	{"/dev/video3", RUN_DEV_DIR "/video3", 0, 0, 1},	69	{"/dev/video3", RUN_DEV_DIR "/video3", DEV_VIDEO},
62	{"/dev/video4", RUN_DEV_DIR "/video4", 0, 0, 1},	70	{"/dev/video4", RUN_DEV_DIR "/video4", DEV_VIDEO},
63	{"/dev/video5", RUN_DEV_DIR "/video5", 0, 0, 1},	71	{"/dev/video5", RUN_DEV_DIR "/video5", DEV_VIDEO},
64	{"/dev/video6", RUN_DEV_DIR "/video6", 0, 0, 1},	72	{"/dev/video6", RUN_DEV_DIR "/video6", DEV_VIDEO},
65	{"/dev/video7", RUN_DEV_DIR "/video7", 0, 0, 1},	73	{"/dev/video7", RUN_DEV_DIR "/video7", DEV_VIDEO},
66	{"/dev/video8", RUN_DEV_DIR "/video8", 0, 0, 1},	74	{"/dev/video8", RUN_DEV_DIR "/video8", DEV_VIDEO},
67	{"/dev/video9", RUN_DEV_DIR "/video9", 0, 0, 1},	75	{"/dev/video9", RUN_DEV_DIR "/video9", DEV_VIDEO},
68	{"/dev/dvb", RUN_DEV_DIR "/dvb", 0, 0, 0}, // DVB (Digital Video Brodcasting) - TV device	76	{"/dev/dvb", RUN_DEV_DIR "/dvb", DEV_TV}, // DVB (Digital Video Brodcasting) - TV device
69	{NULL, NULL, 0, 0, 0}	77	{NULL, NULL, DEV_NONE}
70	};	78	};
71		79
72	static void deventry_mount(void) {	80	static void deventry_mount(void) {
@@ -295,7 +303,7 @@ static void disable_file_or_dir(const char *fname) {
295	void fs_dev_disable_sound(void) {	303	void fs_dev_disable_sound(void) {
296	int i = 0;	304	int i = 0;
297	while (dev[i].dev_fname != NULL) {	305	while (dev[i].dev_fname != NULL) {
298	if (dev[i].sound)	306	if (dev[i].type == DEV_SOUND)
299	disable_file_or_dir(dev[i].dev_fname);	307	disable_file_or_dir(dev[i].dev_fname);
300	i++;	308	i++;
301	}	309	}
@@ -304,7 +312,7 @@ void fs_dev_disable_sound(void) {
304	void fs_dev_disable_video(void) {	312	void fs_dev_disable_video(void) {
305	int i = 0;	313	int i = 0;
306	while (dev[i].dev_fname != NULL) {	314	while (dev[i].dev_fname != NULL) {
307	if (dev[i].video)	315	if (dev[i].type == DEV_VIDEO)
308	disable_file_or_dir(dev[i].dev_fname);	316	disable_file_or_dir(dev[i].dev_fname);
309	i++;	317	i++;
310	}	318	}
@@ -313,7 +321,16 @@ void fs_dev_disable_video(void) {
313	void fs_dev_disable_3d(void) {	321	void fs_dev_disable_3d(void) {
314	int i = 0;	322	int i = 0;
315	while (dev[i].dev_fname != NULL) {	323	while (dev[i].dev_fname != NULL) {
316	if (dev[i].hw3d)	324	if (dev[i].type == DEV_3D)
		325	disable_file_or_dir(dev[i].dev_fname);
		326	i++;
		327	}
		328	}
		329
		330	void fs_dev_disable_tv(void) {
		331	int i = 0;
		332	while (dev[i].dev_fname != NULL) {
		333	if (dev[i].type == DEV_TV)
317	disable_file_or_dir(dev[i].dev_fname);	334	disable_file_or_dir(dev[i].dev_fname);
318	i++;	335	i++;
319	}	336	}


diff --git a/src/firejail/main.c b/src/firejail/main.c index 9cff080a0..3718c82ff 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -112,7 +112,7 @@ int arg_writable_var_log = 0; // writable /var/log
112	int arg_disable_mnt = 0; // disable /mnt and /media	112	int arg_disable_mnt = 0; // disable /mnt and /media
113	int arg_noprofile = 0; // use default.profile if none other found/specified	113	int arg_noprofile = 0; // use default.profile if none other found/specified
114	int arg_memory_deny_write_execute = 0; // block writable and executable memory	114	int arg_memory_deny_write_execute = 0; // block writable and executable memory
115		115	int arg_notv = 0; // --notv
116	int login_shell = 0;	116	int login_shell = 0;
117		117
118		118
@@ -1676,22 +1676,20 @@ int main(int argc, char **argv) {
1676	exit_err_feature("noroot");	1676	exit_err_feature("noroot");
1677	}	1677	}
1678	#endif	1678	#endif
1679	else if (strcmp(argv[i], "--nonewprivs") == 0) {	1679	else if (strcmp(argv[i], "--nonewprivs") == 0)
1680	arg_nonewprivs = 1;	1680	arg_nonewprivs = 1;
1681	}
1682	else if (strncmp(argv[i], "--env=", 6) == 0)	1681	else if (strncmp(argv[i], "--env=", 6) == 0)
1683	env_store(argv[i] + 6, SETENV);	1682	env_store(argv[i] + 6, SETENV);
1684	else if (strncmp(argv[i], "--rmenv=", 8) == 0)	1683	else if (strncmp(argv[i], "--rmenv=", 8) == 0)
1685	env_store(argv[i] + 8, RMENV);	1684	env_store(argv[i] + 8, RMENV);
1686	else if (strcmp(argv[i], "--nosound") == 0) {	1685	else if (strcmp(argv[i], "--nosound") == 0)
1687	arg_nosound = 1;	1686	arg_nosound = 1;
1688	}	1687	else if (strcmp(argv[i], "--novideo") == 0)
1689	else if (strcmp(argv[i], "--novideo") == 0) {
1690	arg_novideo = 1;	1688	arg_novideo = 1;
1691	}	1689	else if (strcmp(argv[i], "--no3d") == 0)
1692	else if (strcmp(argv[i], "--no3d") == 0) {
1693	arg_no3d = 1;	1690	arg_no3d = 1;
1694	}	1691	else if (strcmp(argv[i], "--notv") == 0)
		1692	arg_notv = 1;
1695		1693
1696	//*************************************	1694	//*************************************
1697	// network	1695	// network


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 708251b0b..54670483f 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -225,6 +225,10 @@ int profile_check_line(char ptr, int lineno, const char fname) {
225	arg_nosound = 1;	225	arg_nosound = 1;
226	return 0;	226	return 0;
227	}	227	}
		228	else if (strcmp(ptr, "notv") == 0) {
		229	arg_notv = 1;
		230	return 0;
		231	}
228	else if (strcmp(ptr, "novideo") == 0) {	232	else if (strcmp(ptr, "novideo") == 0) {
229	arg_novideo = 1;	233	arg_novideo = 1;
230	return 0;	234	return 0;


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 6c0fdebe3..4af8b747b 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -876,7 +876,7 @@ int sandbox(void* sandbox_arg) {
876	fs_blacklist(); // mkdir and mkfile are processed all over again	876	fs_blacklist(); // mkdir and mkfile are processed all over again
877		877
878	//****************************	878	//****************************
879	// nosound/no3d and fix for pulseaudio 7.0	879	// nosound/no3d/notv/novideo and fix for pulseaudio 7.0
880	//****************************	880	//****************************
881	if (arg_nosound) {	881	if (arg_nosound) {
882	// disable pulseaudio	882	// disable pulseaudio
@@ -891,9 +891,9 @@ int sandbox(void* sandbox_arg) {
891	if (arg_no3d)	891	if (arg_no3d)
892	fs_dev_disable_3d();	892	fs_dev_disable_3d();
893		893
894	//****************************	894	if (arg_notv)
895	// novideo	895	fs_dev_disable_tv();
896	//****************************	896
897	if (arg_novideo) {	897	if (arg_novideo) {
898	// disable /dev/video*	898	// disable /dev/video*
899	fs_dev_disable_video();	899	fs_dev_disable_video();


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index f446f37b8..665f4405b 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -423,6 +423,9 @@ Enable IPC namespace.
423	\fBnosound	423	\fBnosound
424	Disable sound system.	424	Disable sound system.
425	.TP	425	.TP
		426	\fBnotv
		427	Disable DVB (Digital Video Brodcasting) TV devices.
		428	.TP
426	\fBnovideo	429	\fBnovideo
427	Disable video devices.	430	Disable video devices.
428	.TP	431	.TP


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index bf18167b2..b0746030b 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1084,6 +1084,16 @@ Example:
1084	$ firejail \-\-nosound firefox	1084	$ firejail \-\-nosound firefox
1085		1085
1086	.TP	1086	.TP
		1087	\fB\-\-notv
		1088	Disable DVB (Digital Video Brodcasting) TV devices.
		1089	.br
		1090
		1091	.br
		1092	Example:
		1093	.br
		1094	$ firejail \-\-notv vlc
		1095
		1096	.TP
1087	\fB\-\-novideo	1097	\fB\-\-novideo
1088	Disable video devices.	1098	Disable video devices.
1089	.br	1099	.br