author | netblue30 <netblue30@yahoo.com> | 2017-03-10 09:00:38 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-03-10 09:00:38 -0500 |
commit | 4f455f7f7bbc821ea459143e661f3b8e43e82d0d (patch) | |
tree | fbb04e0e85bd8428d22f0c06378cac72c4c98e5b /src | |
parent | --nowhitelist (diff) | |
config support to disable access to /mnt and /media
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/checkcfg.c | 17 | ||||
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/fs.c | 8 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 8 |
4 files changed, 29 insertions, 6 deletions
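--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -43,10 +43,11 @@ int checkcfg(int val) {
 for (i = 0; i < CFG_MAX; i++)
 cfg_val[i] = 1; // most of them are enabled by default
 cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default
-cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default
-cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0; // disabled by default
-cfg_val[CFG_FIREJAIL_PROMPT] = 0; // disabled by default
-cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 0; // disabled by default
+cfg_val[CFG_FORCE_NONEWPRIVS] = 0;
+cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0;
+cfg_val[CFG_FIREJAIL_PROMPT] = 0;
+cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 0;
+cfg_val[CFG_DISABLE_MNT] = 0;
 
 // open configuration file
 const char *fname = SYSCONFDIR "/firejail.config";
@@ -314,6 +315,14 @@ int checkcfg(int val) {
 else
 goto errout;
 }
+else if (strncmp(ptr, "disable-mnt ", 12) == 0) {
+if (strcmp(ptr + 12, "yes") == 0)
+cfg_val[CFG_DISABLE_MNT] = 1;
+else if (strcmp(ptr + 12, "no") == 0)
+cfg_val[CFG_DISABLE_MNT] = 0;
+else
+goto errout;
+}
 else
 goto errout;
 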
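Review bot: The new default `cfg_val[CFG_DISABLE_MNT] = 0;` in the first hunk carries no comment, and the same commit strips `// disabled by default` from the four lines above it, so nothing at the point of initialisation says that this hardening is opt-in. I would keep the trailing comments and add one here, e.g. `cfg_val[CFG_DISABLE_MNT] = 0; // disabled by default: /mnt and /media stay reachable unless firejail.config sets "disable-mnt yes"`. In the second hunk the literal `12` is tied by hand to the length of `"disable-mnt "`; a short comment naming the accepted values (`yes` or `no`, anything else goes to `errout`) would make the strict parsing explicit. checkcfg() begins and ends outside both hunks.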
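--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -419,6 +419,7 @@ void profile_read(const char *fname);
 int profile_check_line(char *ptr, int lineno, const char *fname);
 // add a profile entry in cfg.profile list; use str to populate the list
 void profile_add(char *str);
+void fs_mnt(void);
 
 // list.c
 void list(void);
@@ -682,6 +683,7 @@ enum {
 CFG_FIREJAIL_PROMPT,
 CFG_FOLLOW_SYMLINK_AS_USER,
 CFG_FOLLOW_SYMLINK_PRIVATE_BIN,
+CFG_DISABLE_MNT,
 CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;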
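Review bot: `void fs_mnt(void);` is added directly after `profile_add()` and before the `// list.c` marker, which from the visible context looks like the group of profile-related prototypes, although the function is defined in fs.c. I would move it next to the other fs.c declarations and give it the one-line comment its neighbours have, e.g. `// blacklist /mnt, /media, /run/mount and /run/media`. The rest of the header is outside the hunk, so the exact location of the fs.c group is an assumption to confirm.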
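--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -471,7 +471,13 @@ void fs_noexec(const char *dir) {
 }
 }
 
-
+// Disable /mnt, /media, /run/mount and /run/media access
+void fs_mnt(void) {
+disable_file(BLACKLIST_FILE, "/mnt");
+disable_file(BLACKLIST_FILE, "/media");
+disable_file(BLACKLIST_FILE, "/run/mount");
+disable_file(BLACKLIST_FILE, "//run/media");
+}
 
 // mount /proc and /sys directories
 void fs_proc_sys_dev_boot(void) {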
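Review bot: The last call in fs_mnt() passes `"//run/media"` with a doubled leading slash, while the other three paths and the comment above it use a single one. Path resolution treats both spellings as the same directory, but disable_file() is not visible here, so any string comparison or log message built from the unnormalised argument would show a different name; I would write `disable_file(BLACKLIST_FILE, "/run/media");`. The header comment could also state that only these four fixed locations are covered, so a mount point elsewhere is not affected by the option.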
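--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -759,12 +759,18 @@ int sandbox(void* sandbox_arg) {
 netns_mounts(arg_netns);
 
 //****************************
-// update /proc, /sys, /dev, /boot directorymy
+// update /proc, /sys, /dev, /boot directory
 //****************************
 if (checkcfg(CFG_REMOUNT_PROC_SYS))
 fs_proc_sys_dev_boot();
 
 //****************************
+// handle /mnt and /media
+//****************************
+if (checkcfg(CFG_DISABLE_MNT))
+fs_mnt();
+
+//****************************
 // apply the profile file
 //****************************
 // apply all whitelist commands ...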
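Review bot: The banner `// handle /mnt and /media` understates what the call does and does not say what gates it: fs_mnt() in this commit also blacklists /run/mount and /run/media, and it runs only when firejail.config enables `disable-mnt`. I would write `// blacklist /mnt, /media, /run/mount and /run/media (firejail.config: disable-mnt)`. The call sits before the profile is applied, and whether a later whitelist or bind command from a profile can re-expose one of these directories is not visible in this hunk, so that ordering is worth confirming and stating in the comment. sandbox() begins and ends outside the hunk.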