diff options
author | netblue30 <netblue30@yahoo.com> | 2017-12-27 11:36:48 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-12-27 11:36:48 -0500 |
commit | 1df4a7e02322e5eb662b1e745ce9dfc9b4f22f3a (patch) | |
tree | bf3171286fb7c0362dfabe624f29adecbba336c0 /src | |
parent | Merge branch 'master' of https://github.com/netblue30/firejail (diff) | |
download | firejail-1df4a7e02322e5eb662b1e745ce9dfc9b4f22f3a.tar.gz firejail-1df4a7e02322e5eb662b1e745ce9dfc9b4f22f3a.tar.zst firejail-1df4a7e02322e5eb662b1e745ce9dfc9b4f22f3a.zip |
fix private-dev for Jack Audio setups - #1694
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs_dev.c | 96 |
1 files changed, 54 insertions, 42 deletions
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index 523f319ed..cc3bc72b2 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c | |||
@@ -153,6 +153,37 @@ errexit: | |||
153 | exit(1); | 153 | exit(1); |
154 | } | 154 | } |
155 | 155 | ||
156 | static void empty_dev_shm(void) { | ||
157 | // create an empty /dev/shm directory | ||
158 | mkdir_attr("/dev/shm", 01777, 0, 0); | ||
159 | fs_logger("mkdir /dev/shm"); | ||
160 | fs_logger("create /dev/shm"); | ||
161 | } | ||
162 | |||
163 | static void process_dev_shm(void) { | ||
164 | // Jack audio keeps an Unix socket under (/dev/shm/jack_default_1000_0 or /dev/shm/jack/...) | ||
165 | // looking for jack socket | ||
166 | glob_t globbuf; | ||
167 | int globerr = glob(RUN_DEV_DIR "/shm/jack*", GLOB_NOSORT, NULL, &globbuf); | ||
168 | if (globerr) { | ||
169 | empty_dev_shm(); | ||
170 | return; | ||
171 | } | ||
172 | globfree(&globbuf); | ||
173 | |||
174 | // if we got here, it means we have a jack server installed | ||
175 | // mount-bind the old /dev/shm | ||
176 | mkdir_attr("/dev/shm", 01777, 0, 0); | ||
177 | int rv = mount(RUN_DEV_DIR "/shm", "/dev/shm", "none", MS_BIND, "mode=01777,gid=0"); | ||
178 | if (rv == -1) { | ||
179 | fwarning("cannot mount the old /dev/shm in private-dev\n"); | ||
180 | dbg_test_dir(RUN_DEV_DIR "/shm"); | ||
181 | empty_dev_shm(); | ||
182 | return; | ||
183 | } | ||
184 | } | ||
185 | |||
186 | |||
156 | void fs_private_dev(void){ | 187 | void fs_private_dev(void){ |
157 | // install a new /dev directory | 188 | // install a new /dev directory |
158 | if (arg_debug) | 189 | if (arg_debug) |
@@ -199,15 +230,14 @@ void fs_private_dev(void){ | |||
199 | fs_logger("clone /dev/log"); | 230 | fs_logger("clone /dev/log"); |
200 | } | 231 | } |
201 | } | 232 | } |
202 | if (mount(RUN_RO_DIR, RUN_DEV_DIR, "none", MS_BIND, "mode=400,gid=0") < 0) | ||
203 | errExit("disable run dev directory"); | ||
204 | 233 | ||
205 | // create /dev/shm | 234 | // bring forward the current /dev/shm directory if necessary |
206 | if (arg_debug) | 235 | if (arg_debug) |
207 | printf("Create /dev/shm directory\n"); | 236 | printf("Process /dev/shm directory\n"); |
208 | mkdir_attr("/dev/shm", 01777, 0, 0); | 237 | process_dev_shm(); |
209 | fs_logger("mkdir /dev/shm"); | 238 | |
210 | fs_logger("create /dev/shm"); | 239 | if (mount(RUN_RO_DIR, RUN_DEV_DIR, "none", MS_BIND, "mode=400,gid=0") < 0) |
240 | errExit("disable run dev directory"); | ||
211 | 241 | ||
212 | // create default devices | 242 | // create default devices |
213 | create_char_dev("/dev/zero", 0666, 1, 5); // mknod -m 666 /dev/zero c 1 5 | 243 | create_char_dev("/dev/zero", 0666, 1, 5); // mknod -m 666 /dev/zero c 1 5 |
@@ -269,41 +299,6 @@ void fs_private_dev(void){ | |||
269 | } | 299 | } |
270 | 300 | ||
271 | 301 | ||
272 | #if 0 | ||
273 | void fs_dev_shm(void) { | ||
274 | uid_t uid = getuid(); // set a new shm only if we started as root | ||
275 | if (uid) | ||
276 | return; | ||
277 | |||
278 | if (is_dir("/dev/shm")) { | ||
279 | if (arg_debug) | ||
280 | printf("Mounting tmpfs on /dev/shm\n"); | ||
281 | if (mount("tmpfs", "/dev/shm", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) | ||
282 | errExit("mounting /dev/shm"); | ||
283 | fs_logger("tmpfs /dev/shm"); | ||
284 | } | ||
285 | else { | ||
286 | char *lnk = realpath("/dev/shm", NULL); | ||
287 | if (lnk) { | ||
288 | if (!is_dir(lnk)) { | ||
289 | // create directory | ||
290 | mkdir_attr(lnk, 01777, 0, 0); | ||
291 | } | ||
292 | if (arg_debug) | ||
293 | printf("Mounting tmpfs on %s on behalf of /dev/shm\n", lnk); | ||
294 | if (mount("tmpfs", lnk, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=1777,gid=0") < 0) | ||
295 | errExit("mounting /var/tmp"); | ||
296 | fs_logger2("tmpfs", lnk); | ||
297 | free(lnk); | ||
298 | } | ||
299 | else { | ||
300 | fwarning("/dev/shm not mounted\n"); | ||
301 | dbg_test_dir("/dev/shm"); | ||
302 | } | ||
303 | |||
304 | } | ||
305 | } | ||
306 | #endif | ||
307 | 302 | ||
308 | static void disable_file_or_dir(const char *fname) { | 303 | static void disable_file_or_dir(const char *fname) { |
309 | if (arg_debug) | 304 | if (arg_debug) |
@@ -330,6 +325,23 @@ void fs_dev_disable_sound(void) { | |||
330 | disable_file_or_dir(dev[i].dev_fname); | 325 | disable_file_or_dir(dev[i].dev_fname); |
331 | i++; | 326 | i++; |
332 | } | 327 | } |
328 | |||
329 | // disable all jack sockets in /dev/shm | ||
330 | glob_t globbuf; | ||
331 | int globerr = glob("/dev/shm/jack*", GLOB_NOSORT, NULL, &globbuf); | ||
332 | if (globerr) | ||
333 | return; | ||
334 | |||
335 | for (i = 0; i < globbuf.gl_pathc; i++) { | ||
336 | char *path = globbuf.gl_pathv[i]; | ||
337 | assert(path); | ||
338 | if (is_link(path)) { | ||
339 | fwarning("skipping nosound for %s because it is a symbolic link\n", path); | ||
340 | continue; | ||
341 | } | ||
342 | disable_file_or_dir(path); | ||
343 | } | ||
344 | globfree(&globbuf); | ||
333 | } | 345 | } |
334 | 346 | ||
335 | void fs_dev_disable_video(void) { | 347 | void fs_dev_disable_video(void) { |