author | startx2017 <vradu.startx@yandex.com> | 2018-10-17 18:49:23 -0400 |
---|---|---|
committer | startx2017 <vradu.startx@yandex.com> | 2018-10-17 18:49:23 -0400 |
commit | d95bd0616e760986c58cd7b459a2f4cffee87829 (patch) | |
tree | fb8db345f8a32b9b5ad04a0634491e11ad93443d /src | |
parent | mainline merge: clean /run/user directory (diff) | |
mainline merge: allow overriding of disable-mnt with noblacklist
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/fs.c | 22 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 6 |
3 files changed, 22 insertions, 8 deletions
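--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -414,7 +414,7 @@ void fs_chroot(const char *rootdir);
 void fs_check_chroot_dir(const char *rootdir);
 void fs_private_tmp(void);
 void fs_private_cache(void);
-void fs_mnt(void);
+void fs_mnt(const int enforce);
 
 // profile.c
 // find and read the profile specified by name from dir directory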
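--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -545,11 +545,23 @@ void fs_noexec(const char *dir) {
 }
 
 // Disable /mnt, /media, /run/mount and /run/media access
-void fs_mnt(void) {
-disable_file(BLACKLIST_FILE, "/mnt");
-disable_file(BLACKLIST_FILE, "/media");
-disable_file(BLACKLIST_FILE, "/run/mount");
-disable_file(BLACKLIST_FILE, "//run/media");
+void fs_mnt(const int enforce) {
+if (enforce) {
+// disable-mnt set in firejail.config
+// overriding with noblacklist is not possible in this case
+disable_file(BLACKLIST_FILE, "/mnt");
+disable_file(BLACKLIST_FILE, "/media");
+disable_file(BLACKLIST_FILE, "/run/mount");
+disable_file(BLACKLIST_FILE, "/run/media");
+}
+else {
+EUID_USER();
+profile_add("blacklist /mnt");
+profile_add("blacklist /media");
+profile_add("blacklist /run/mount");
+profile_add("blacklist /run/media");
+EUID_ROOT();
+}
 }
 
 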
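Review bot: The header comment above fs_mnt() still reads `// Disable /mnt, /media, /run/mount and /run/media access`, but the new else branch never calls disable_file(); it only adds `blacklist` lines through profile_add(), and unlike the enforce branch it has no comment saying so. The difference is security-relevant, since one path cannot be undone by noblacklist while the other, going by the commit title, presumably can. I would add `// not enforced: added as ordinary profile blacklist entries, a matching noblacklist overrides them` to the else branch and extend the header comment to describe the `enforce` parameter. A short comment on why the profile_add() calls are wrapped in EUID_USER()/EUID_ROOT() would also help, as the reason is not visible in this hunk.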
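--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -794,8 +794,10 @@ int sandbox(void* sandbox_arg) {
 //****************************
 // handle /mnt and /media
 //****************************
-if (arg_disable_mnt || checkcfg(CFG_DISABLE_MNT))
-fs_mnt();
+if (checkcfg(CFG_DISABLE_MNT))
+fs_mnt(1);
+else if (arg_disable_mnt)
+fs_mnt(0);
 
 //****************************
 // apply the profile file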
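Review bot: `fs_mnt(0)` at new line 800 only takes effect if the blacklist entries it adds are consumed afterwards, which appears to be the job of the `apply the profile file` block that follows, and nothing at the call site records that ordering dependency. A comment such as `// fs_mnt(0) only queues blacklist entries; must run before the profile is applied` would keep a later reordering from silently dropping the restriction. The bare `1`/`0` arguments are also opaque here; a trailing comment like `// enforced by firejail.config, noblacklist cannot override` on the first call would make the precedence of the config setting over arg_disable_mnt explicit. The body of sandbox() starts and ends outside the hunk.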