author | netblue30 <netblue30@yahoo.com> | 2016-09-20 09:18:07 -0400 |
committer | netblue30 <netblue30@yahoo.com> | 2016-09-20 09:18:07 -0400 |
commit | 2ef9a452c72686e76f71817d0b4c383971f2b380 (patch) | |
tree | d878127346d84f7731fef879d4ff82a664ce857f /src | |
parent | --private-tmp whitelists /tmp/.X11-unix directory (diff) | |
support nvidia drivers in --private-dev
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 4 | ||||
-rw-r--r-- | src/firejail/fs_dev.c | 113 |
2 files changed, 59 insertions, 58 deletions
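--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -45,9 +45,9 @@
 #define RUN_HOME_DIR "/run/firejail/mnt/home"
 #define RUN_ETC_DIR "/run/firejail/mnt/etc"
 #define RUN_BIN_DIR "/run/firejail/mnt/bin"
-#define RUN_DRI_DIR "/run/firejail/mnt/dri"
-#define RUN_SND_DIR "/run/firejail/mnt/snd"
 #define RUN_PULSE_DIR "/run/firejail/mnt/pulse"
+
+#define RUN_DEV_DIR "/run/firejail/mnt/dev"
 #define RUN_DEVLOG_FILE "/run/firejail/mnt/devlog"
 
 #define RUN_WHITELIST_X11_DIR "/run/firejail/mnt/orig-x11"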
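--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -30,6 +30,49 @@
 #endif
 #include <sys/types.h>
 
+typedef struct {
+	const char *dev_fname;
+	const char *run_fname;
+} DevEntry;
+
+static DevEntry dev[] = {
+	{"/dev/snd", RUN_DEV_DIR "/snd"},
+	{"/dev/dri", RUN_DEV_DIR "/dri"},
+	{"/dev/nvidia0", RUN_DEV_DIR "/nvidia0"},
+	{"/dev/nvidia1", RUN_DEV_DIR "/nvidia1"},
+	{"/dev/nvidia2", RUN_DEV_DIR "/nvidia2"},
+	{"/dev/nvidia3", RUN_DEV_DIR "/nvidia3"},
+	{"/dev/nvidia4", RUN_DEV_DIR "/nvidia4"},
+	{"/dev/nvidia5", RUN_DEV_DIR "/nvidia5"},
+	{"/dev/nvidia6", RUN_DEV_DIR "/nvidia6"},
+	{"/dev/nvidia7", RUN_DEV_DIR "/nvidia7"},
+	{"/dev/nvidia8", RUN_DEV_DIR "/nvidia8"},
+	{"/dev/nvidia9", RUN_DEV_DIR "/nvidia9"},
+	{"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl"},
+	{"/dev/nvidia-modset", RUN_DEV_DIR "/nvidia-modset"},
+	{"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm"},
+	{NULL, NULL}
+};
+
+static void deventry_mount(void) {
+	int i = 0;
+	while (dev[i].dev_fname != NULL) {
+		struct stat s;
+		if (stat(dev[i].run_fname, &s) == 0) {
+			if (mkdir(dev[i].dev_fname, 0755) == -1)
+				errExit("mkdir");
+			if (chmod(dev[i].dev_fname, 0755) == -1)
+				errExit("chmod");
+			ASSERT_PERMS(dev[i].dev_fname, 0, 0, 0755);
+			if (mount(dev[i].run_fname, dev[i].dev_fname, NULL, MS_BIND|MS_REC, NULL) < 0)
+				errExit("mounting /dev/snd");
+			fs_logger2("whitelist", dev[i].dev_fname);
+		}
+
+		i++;
+	}
+}
+
 static void create_char_dev(const char *path, mode_t mode, int major, int minor) {
 	dev_t dev = makedev(major, minor);
 	if (mknod(path, S_IFCHR | mode, dev) == -1)
@@ -62,43 +105,21 @@ void fs_private_dev(void){
 	if (arg_debug)
 		printf("Mounting tmpfs on /dev\n");
 
-	int have_dri = 0;
-	int have_snd = 0;
-	struct stat s;
-	if (stat("/dev/dri", &s) == 0)
-		have_dri = 1;
-	if (stat("/dev/snd", &s) == 0)
-		have_snd = 1;
-
 	// create DRI_DIR
 	fs_build_mnt_dir();
-	if (have_dri) {
-		if (mkdir(RUN_DRI_DIR, 0755) == -1)
-			errExit("mkdir");
-		if (chmod(RUN_DRI_DIR, 0755) == -1)
-			errExit("chmod");
-		ASSERT_PERMS(RUN_DRI_DIR, 0, 0, 0755);
-
-		// keep a copy of /dev/dri under DRI_DIR
-		if (mount("/dev/dri", RUN_DRI_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-			errExit("mounting /dev/dri");
-	}
-
-	// create SND_DIR
-	if (have_snd) {
-		if (mkdir(RUN_SND_DIR, 0755) == -1)
-			errExit("mkdir");
-		if (chmod(RUN_SND_DIR, 0755) == -1)
-			errExit("chmod");
-		ASSERT_PERMS(RUN_SND_DIR, 0, 0, 0755);
-
-		// keep a copy of /dev/dri under DRI_DIR
-		if (mount("/dev/snd", RUN_SND_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
-			errExit("mounting /dev/snd");
-	}
-
 
+	// keep a copy of dev directory
+	if (mkdir(RUN_DEV_DIR, 0755) == -1)
+		errExit("mkdir");
+	if (chmod(RUN_DEV_DIR, 0755) == -1)
+		errExit("chmod");
+	ASSERT_PERMS(RUN_DEV_DIR, 0, 0, 0755);
+	if (mount("/dev", RUN_DEV_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
+		errExit("mounting /dev/dri");
+
 	// create DEVLOG_FILE
 	int have_devlog = 0;
+	struct stat s;
 	if (stat("/dev/log", &s) == 0) {
 		have_devlog = 1;
 		FILE *fp = fopen(RUN_DEVLOG_FILE, "w");
@@ -116,6 +137,8 @@ void fs_private_dev(void){
 	if (mount("tmpfs", "/dev", "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
 		errExit("mounting /dev");
 	fs_logger("tmpfs /dev");
+
+	deventry_mount();
 
 	// bring back /dev/log
 	if (have_devlog) {
@@ -128,31 +151,9 @@ void fs_private_dev(void){
 			fs_logger("clone /dev/log");
 		}
 	}
+	if (mount(RUN_RO_DIR, RUN_DEV_DIR, "none", MS_BIND, "mode=400,gid=0") < 0)
+		errExit("disable /dev/snd");
 
-	// bring back the /dev/snd directory
-	if (have_snd) {
-		/* coverity[toctou] */
-		if (mkdir("/dev/snd", 0755) == -1)
-			errExit("mkdir");
-		if (chmod("/dev/snd", 0755) == -1)
-			errExit("chmod");
-		ASSERT_PERMS("/dev/snd", 0, 0, 0755);
-		if (mount(RUN_SND_DIR, "/dev/snd", NULL, MS_BIND|MS_REC, NULL) < 0)
-			errExit("mounting /dev/snd");
-		fs_logger("whitelist /dev/snd");
-	}
-
-	// bring back the /dev/dri directory
-	if (have_dri) {
-		if (mkdir("/dev/dri", 0755) == -1)
-			errExit("mkdir");
-		if (chmod("/dev/dri", 0755) == -1)
-			errExit("chmod");
-		ASSERT_PERMS("/dev/dri", 0, 0, 0755);
-		if (mount(RUN_DRI_DIR, "/dev/dri", NULL, MS_BIND|MS_REC, NULL) < 0)
-			errExit("mounting /dev/dri");
-		fs_logger("whitelist /dev/dri");
-	}
 
 	// create /dev/shm
 	if (arg_debug)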