author | startx2017 <vradu.startx@yandex.com> | 2017-08-10 09:31:03 -0400 |
---|---|---|
committer | startx2017 <vradu.startx@yandex.com> | 2017-08-10 09:31:03 -0400 |
commit | be00aa351c1184ef7ac07a05190909d35d137c76 (patch) | |
tree | 6c30178875f38e0c269fcbd5ea02d38937d9f636 /src | |
parent | Merge pull request #1448 from da2x/patch-1 (diff) | |
--notv for #1446
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/fs_dev.c | 83 | ||||
-rw-r--r-- | src/firejail/main.c | 16 | ||||
-rw-r--r-- | src/firejail/profile.c | 4 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 8 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 3 | ||||
-rw-r--r-- | src/man/firejail.txt | 10 |
7 files changed, 80 insertions, 46 deletions
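--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -360,6 +360,7 @@ extern int arg_machineid; // preserve /etc/machine-id
 extern int arg_disable_mnt; // disable /mnt and /media
 extern int arg_noprofile; // use default.profile if none other found/specified
 extern int arg_memory_deny_write_execute; // block writable and executable memory
+extern int arg_notv; // --notv
 
 extern int login_shell;
 extern int parent_to_child_fds[2];
@@ -512,6 +513,7 @@ void fs_private_dev(void);
 void fs_dev_disable_sound(void);
 void fs_dev_disable_3d(void);
 void fs_dev_disable_video(void);
+void fs_dev_disable_tv(void);
 
 // fs_home.c
 // private mode (--private)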
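--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -31,42 +31,50 @@
 #include <sys/sysmacros.h>
 #include <sys/types.h>
 
+// device type
+typedef enum {
+DEV_NONE = 0,
+DEV_SOUND,
+DEV_3D,
+DEV_VIDEO,
+DEV_TV,
+} DEV_TYPE;
+
+
 typedef struct {
 const char *dev_fname;
 const char *run_fname;
-int sound;
-int hw3d;
-int video;
+DEV_TYPE type;
 } DevEntry;
 
 static DevEntry dev[] = {
-{"/dev/snd", RUN_DEV_DIR "/snd", 1, 0, 0}, // sound device
-{"/dev/dri", RUN_DEV_DIR "/dri", 0, 1, 0}, // 3d device
-{"/dev/nvidia0", RUN_DEV_DIR "/nvidia0", 0, 1, 0},
-{"/dev/nvidia1", RUN_DEV_DIR "/nvidia1", 0, 1, 0},
-{"/dev/nvidia2", RUN_DEV_DIR "/nvidia2", 0, 1, 0},
-{"/dev/nvidia3", RUN_DEV_DIR "/nvidia3", 0, 1, 0},
-{"/dev/nvidia4", RUN_DEV_DIR "/nvidia4", 0, 1, 0},
-{"/dev/nvidia5", RUN_DEV_DIR "/nvidia5", 0, 1, 0},
-{"/dev/nvidia6", RUN_DEV_DIR "/nvidia6", 0, 1, 0},
-{"/dev/nvidia7", RUN_DEV_DIR "/nvidia7", 0, 1, 0},
-{"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", 0, 1, 0},
-{"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", 0, 1, 0},
-{"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", 0, 1, 0},
-{"/dev/nvidia-modeset", RUN_DEV_DIR "/nvidia-modeset", 0, 1, 0},
-{"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", 0, 1, 0},
-{"/dev/video0", RUN_DEV_DIR "/video0", 0, 0, 1}, // video camera devices
-{"/dev/video1", RUN_DEV_DIR "/video1", 0, 0, 1},
-{"/dev/video2", RUN_DEV_DIR "/video2", 0, 0, 1},
-{"/dev/video3", RUN_DEV_DIR "/video3", 0, 0, 1},
-{"/dev/video4", RUN_DEV_DIR "/video4", 0, 0, 1},
-{"/dev/video5", RUN_DEV_DIR "/video5", 0, 0, 1},
-{"/dev/video6", RUN_DEV_DIR "/video6", 0, 0, 1},
-{"/dev/video7", RUN_DEV_DIR "/video7", 0, 0, 1},
-{"/dev/video8", RUN_DEV_DIR "/video8", 0, 0, 1},
-{"/dev/video9", RUN_DEV_DIR "/video9", 0, 0, 1},
-{"/dev/dvb", RUN_DEV_DIR "/dvb", 0, 0, 0}, // DVB (Digital Video Brodcasting) - TV device
-{NULL, NULL, 0, 0, 0}
+{"/dev/snd", RUN_DEV_DIR "/snd", DEV_SOUND}, // sound device
+{"/dev/dri", RUN_DEV_DIR "/dri", DEV_3D}, // 3d device
+{"/dev/nvidia0", RUN_DEV_DIR "/nvidia0", DEV_3D},
+{"/dev/nvidia1", RUN_DEV_DIR "/nvidia1", DEV_3D},
+{"/dev/nvidia2", RUN_DEV_DIR "/nvidia2", DEV_3D},
+{"/dev/nvidia3", RUN_DEV_DIR "/nvidia3", DEV_3D},
+{"/dev/nvidia4", RUN_DEV_DIR "/nvidia4", DEV_3D},
+{"/dev/nvidia5", RUN_DEV_DIR "/nvidia5", DEV_3D},
+{"/dev/nvidia6", RUN_DEV_DIR "/nvidia6", DEV_3D},
+{"/dev/nvidia7", RUN_DEV_DIR "/nvidia7", DEV_3D},
+{"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", DEV_3D},
+{"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", DEV_3D},
+{"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", DEV_3D},
+{"/dev/nvidia-modeset", RUN_DEV_DIR "/nvidia-modeset", DEV_3D},
+{"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", DEV_3D},
+{"/dev/video0", RUN_DEV_DIR "/video0", DEV_VIDEO}, // video camera devices
+{"/dev/video1", RUN_DEV_DIR "/video1", DEV_VIDEO},
+{"/dev/video2", RUN_DEV_DIR "/video2", DEV_VIDEO},
+{"/dev/video3", RUN_DEV_DIR "/video3", DEV_VIDEO},
+{"/dev/video4", RUN_DEV_DIR "/video4", DEV_VIDEO},
+{"/dev/video5", RUN_DEV_DIR "/video5", DEV_VIDEO},
+{"/dev/video6", RUN_DEV_DIR "/video6", DEV_VIDEO},
+{"/dev/video7", RUN_DEV_DIR "/video7", DEV_VIDEO},
+{"/dev/video8", RUN_DEV_DIR "/video8", DEV_VIDEO},
+{"/dev/video9", RUN_DEV_DIR "/video9", DEV_VIDEO},
+{"/dev/dvb", RUN_DEV_DIR "/dvb", DEV_TV}, // DVB (Digital Video Brodcasting) - TV device
+{NULL, NULL, DEV_NONE}
 };
 
 static void deventry_mount(void) {
@@ -295,7 +303,7 @@ static void disable_file_or_dir(const char *fname) {
 void fs_dev_disable_sound(void) {
 int i = 0;
 while (dev[i].dev_fname != NULL) {
-if (dev[i].sound)
+if (dev[i].type == DEV_SOUND)
 disable_file_or_dir(dev[i].dev_fname);
 i++;
 }
@@ -304,7 +312,7 @@ void fs_dev_disable_sound(void) {
 void fs_dev_disable_video(void) {
 int i = 0;
 while (dev[i].dev_fname != NULL) {
-if (dev[i].video)
+if (dev[i].type == DEV_VIDEO)
 disable_file_or_dir(dev[i].dev_fname);
 i++;
 }
@@ -313,7 +321,16 @@ void fs_dev_disable_video(void) {
 void fs_dev_disable_3d(void) {
 int i = 0;
 while (dev[i].dev_fname != NULL) {
-if (dev[i].hw3d)
+if (dev[i].type == DEV_3D)
+disable_file_or_dir(dev[i].dev_fname);
+i++;
+}
+}
+
+void fs_dev_disable_tv(void) {
+int i = 0;
+while (dev[i].dev_fname != NULL) {
+if (dev[i].type == DEV_TV)
 disable_file_or_dir(dev[i].dev_fname);
 i++;
 }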
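Review bot: fs_dev_disable_tv (new lines 330-336 in the last hunk) is the fourth verbatim copy of the same table scan, differing from fs_dev_disable_sound, fs_dev_disable_video and fs_dev_disable_3d only in the DEV_TYPE compared; now that every row carries a single `type` field, one static helper taking the type would turn all four into one-line wrappers and keep the walk and its NULL-terminator check in one place. The single-valued `type` also means a row can no longer belong to two categories, which the three old int flags allowed — likely intended, but worth stating on the enum, e.g. `// each table entry has exactly one type; --nosound/--no3d/--novideo/--notv each disable one category`. The `/dev/dvb` row comment in the first hunk (and both man pages) spells it `Brodcasting`.
```c
// disable every table entry of the given type; the walk stops at the NULL terminator
static void disable_by_type(DEV_TYPE type) {
	int i = 0;
	while (dev[i].dev_fname != NULL) {
		if (dev[i].type == type)
			disable_file_or_dir(dev[i].dev_fname);
		i++;
	}
}

// … unchanged: fs_dev_disable_sound / fs_dev_disable_video / fs_dev_disable_3d, which can call disable_by_type the same way …

void fs_dev_disable_tv(void) {
	disable_by_type(DEV_TV);
}
```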
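--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -112,7 +112,7 @@ int arg_writable_var_log = 0; // writable /var/log
 int arg_disable_mnt = 0; // disable /mnt and /media
 int arg_noprofile = 0; // use default.profile if none other found/specified
 int arg_memory_deny_write_execute = 0; // block writable and executable memory
-
+int arg_notv = 0; // --notv
 int login_shell = 0;
 
 
@@ -1676,22 +1676,20 @@ int main(int argc, char **argv) {
 exit_err_feature("noroot");
 }
 #endif
-else if (strcmp(argv[i], "--nonewprivs") == 0) {
+else if (strcmp(argv[i], "--nonewprivs") == 0)
 arg_nonewprivs = 1;
-}
 else if (strncmp(argv[i], "--env=", 6) == 0)
 env_store(argv[i] + 6, SETENV);
 else if (strncmp(argv[i], "--rmenv=", 8) == 0)
 env_store(argv[i] + 8, RMENV);
-else if (strcmp(argv[i], "--nosound") == 0) {
+else if (strcmp(argv[i], "--nosound") == 0)
 arg_nosound = 1;
-}
-else if (strcmp(argv[i], "--novideo") == 0) {
+else if (strcmp(argv[i], "--novideo") == 0)
 arg_novideo = 1;
-}
-else if (strcmp(argv[i], "--no3d") == 0) {
+else if (strcmp(argv[i], "--no3d") == 0)
 arg_no3d = 1;
-}
+else if (strcmp(argv[i], "--notv") == 0)
+arg_notv = 1;
 
 //*************************************
 // network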
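Review bot: The second hunk strips the braces from the single-statement `--nonewprivs`, `--nosound`, `--novideo` and `--no3d` arms and adds the new `--notv` arm in the same braceless form (new lines 1679-1692); in an else-if chain this long an unbraced arm is exactly where a later one-line addition silently changes control flow, and the `--noroot` arm just above keeps its braces, so the new arm reads more consistently as `else if (strcmp(argv[i], "--notv") == 0) {` / `arg_notv = 1;` / `}`. Removing the braces on the four existing arms is also unrelated churn in a feature commit and widens the diff a reviewer has to cover. main() begins and ends outside the hunk. In the first hunk `int arg_notv = 0;` takes the place of the blank line that separated the `arg_*` flags from `int login_shell`, whereas firejail.h keeps that blank after its new extern; restoring it keeps the two lists parallel.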
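--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -225,6 +225,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 arg_nosound = 1;
 return 0;
 }
+else if (strcmp(ptr, "notv") == 0) {
+arg_notv = 1;
+return 0;
+}
 else if (strcmp(ptr, "novideo") == 0) {
 arg_novideo = 1;
 return 0;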
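--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -876,7 +876,7 @@ int sandbox(void* sandbox_arg) {
 fs_blacklist(); // mkdir and mkfile are processed all over again
 
 //****************************
-// nosound/no3d and fix for pulseaudio 7.0
+// nosound/no3d/notv/novideo and fix for pulseaudio 7.0
 //****************************
 if (arg_nosound) {
 // disable pulseaudio
@@ -891,9 +891,9 @@ int sandbox(void* sandbox_arg) {
 if (arg_no3d)
 fs_dev_disable_3d();
 
-//****************************
-// novideo
-//****************************
+if (arg_notv)
+fs_dev_disable_tv();
+
 if (arg_novideo) {
 // disable /dev/video*
 fs_dev_disable_video();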
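Review bot: The new `if (arg_notv) fs_dev_disable_tv();` in the second hunk (new lines 894-895) carries no comment while its neighbours do (`// disable /dev/video*` on the novideo branch, the pulseaudio note on nosound), so a reader has to open fs_dev.c to learn which node it removes; suggest `// disable /dev/dvb (DVB TV devices)` above the check. The enclosing sandbox() starts and ends outside both hunks, so it cannot be confirmed from here whether this call runs after the final /dev layout is in place; it sits next to the no3d and novideo calls, so presumably it shares their ordering, but that is worth verifying, since a disable applied to a /dev that is later replaced would be silently undone.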
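--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -423,6 +423,9 @@ Enable IPC namespace.
 \fBnosound
 Disable sound system.
 .TP
+\fBnotv
+Disable DVB (Digital Video Brodcasting) TV devices.
+.TP
 \fBnovideo
 Disable video devices.
 .TP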
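--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1084,6 +1084,16 @@ Example:
 $ firejail \-\-nosound firefox
 
 .TP
+\fB\-\-notv
+Disable DVB (Digital Video Brodcasting) TV devices.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-notv vlc
+
+.TP
 \fB\-\-novideo
 Disable video devices.
 .br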