mainline merge: allow overriding of disable-mnt with noblacklist

author: startx2017 <vradu.startx@yandex.com> 2018-10-17 18:49:23 -0400
committer: startx2017 <vradu.startx@yandex.com> 2018-10-17 18:49:23 -0400
commit: d95bd0616e760986c58cd7b459a2f4cffee87829 (patch)
tree: fb8db345f8a32b9b5ad04a0634491e11ad93443d /src
parent: mainline merge: clean /run/user directory (diff)
download: firejail-d95bd0616e760986c58cd7b459a2f4cffee87829.tar.gz
firejail-d95bd0616e760986c58cd7b459a2f4cffee87829.tar.zst
firejail-d95bd0616e760986c58cd7b459a2f4cffee87829.zip
3 files changed, 22 insertions, 8 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 92c04e7cb..91636b755 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -414,7 +414,7 @@ void fs_chroot(const char *rootdir);
 void fs_check_chroot_dir(const char *rootdir);
 void fs_private_tmp(void);
 void fs_private_cache(void);
-void fs_mnt(void);
+void fs_mnt(const int enforce);
 // profile.c
 // find and read the profile specified by name from dir directory
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 74f8328ff..b93424365 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -545,11 +545,23 @@ void fs_noexec(const char *dir) {
 }
 // Disable /mnt, /media, /run/mount and /run/media access
-void fs_mnt(void) {
+void fs_mnt(const int enforce) {
-        disable_file(BLACKLIST_FILE, "/mnt");
+        if (enforce) {
-        disable_file(BLACKLIST_FILE, "/media");
+                // disable-mnt set in firejail.config
-        disable_file(BLACKLIST_FILE, "/run/mount");
+                // overriding with noblacklist is not possible in this case
-        disable_file(BLACKLIST_FILE, "//run/media");
+                disable_file(BLACKLIST_FILE, "/mnt");
+                disable_file(BLACKLIST_FILE, "/media");
+                disable_file(BLACKLIST_FILE, "/run/mount");
+                disable_file(BLACKLIST_FILE, "/run/media");
+        }
+        else {
+                EUID_USER();
+                profile_add("blacklist /mnt");
+                profile_add("blacklist /media");
+                profile_add("blacklist /run/mount");
+                profile_add("blacklist /run/media");
+                EUID_ROOT();
+        }
 }
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 7871b8ac3..240358923 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -794,8 +794,10 @@ int sandbox(void* sandbox_arg) {
        //****************************
        // handle /mnt and /media
        //****************************
-        if (arg_disable_mnt || checkcfg(CFG_DISABLE_MNT))
+        if (checkcfg(CFG_DISABLE_MNT))
-                fs_mnt();
+                fs_mnt(1);
+        else if (arg_disable_mnt)
+                fs_mnt(0);
        //****************************
        // apply the profile file
author	startx2017 <vradu.startx@yandex.com>	2018-10-17 18:49:23 -0400
committer	startx2017 <vradu.startx@yandex.com>	2018-10-17 18:49:23 -0400
commit	d95bd0616e760986c58cd7b459a2f4cffee87829 (patch)
tree	fb8db345f8a32b9b5ad04a0634491e11ad93443d /src
parent	mainline merge: clean /run/user directory (diff)
download	firejail-d95bd0616e760986c58cd7b459a2f4cffee87829.tar.gz firejail-d95bd0616e760986c58cd7b459a2f4cffee87829.tar.zst firejail-d95bd0616e760986c58cd7b459a2f4cffee87829.zip