per-profile disable-mnt

6 files changed, 24 insertions, 2 deletions

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 8bf2a75c3..8aa80f274 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -350,6 +350,7 @@ extern int arg_x11_block;	// block X11
 extern int arg_x11_xorg;        // use X11 security extention
 extern int arg_allusers;        // all user home directories visible
 extern int arg_machineid;       // preserve /etc/machine-id
+extern int arg_disable_mnt;     // disable /mnt and /media
 
 extern int login_shell;
 extern int parent_to_child_fds[2];
diff --git a/src/firejail/main.c b/src/firejail/main.c
index cff61f64a..1f714df58 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -107,7 +107,8 @@ int arg_x11_xorg = 0;				// use X11 security extention
 int arg_allusers = 0;                           // all user home directories visible
 int arg_machineid = 0;                          // preserve /etc/machine-id
 int arg_allow_private_blacklist = 0;            // blacklist things in private directories
-int arg_writable_var_log;                       // writable /var/log
+int arg_writable_var_log = 0;           // writable /var/log
+int arg_disable_mnt = 0;                        // disable /mnt and /media
 
 int login_shell = 0;
 
@@ -1291,6 +1292,8 @@ int main(int argc, char **argv) {
                         profile_check_line(line, 0, NULL);      // will exit if something wrong
                         profile_add(line);
                 }
+                else if (strcmp(argv[i], "--disable-mnt") == 0)
+                        arg_disable_mnt = 1;
 #ifdef HAVE_OVERLAYFS
                 else if (strcmp(argv[i], "--overlay") == 0) {
                         if (checkcfg(CFG_OVERLAYFS)) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index cabea05f3..af943581e 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1001,6 +1001,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
 
+        if (strcmp(ptr, "disable-mnt") == 0) {
+                arg_disable_mnt = 1;
+                return 0;
+        }
+
         // rest of filesystem
         if (strncmp(ptr, "blacklist ", 10) == 0)
                 ptr += 10;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 4ee05d070..ea39ed580 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -790,7 +790,7 @@ int sandbox(void* sandbox_arg) {
         //****************************
         // handle /mnt and /media
         //****************************
-        if (checkcfg(CFG_DISABLE_MNT))
+        if (arg_disable_mnt || checkcfg(CFG_DISABLE_MNT))
                 fs_mnt();
 
         //****************************
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 9b3aef95f..9f4f4a927 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -161,6 +161,9 @@ Mount-bind directory1 on top of directory2. This option is only available when r
 \fBbind file1,file2
 Mount-bind file1 on top of file2. This option is only available when running as root.
 .TP
+\fBdisable-mnt
+Disable /mnt, /media, /run/mount and /run/media access.
+.TP
 \fBmkdir directory
 Create a directory in user home or under /tmp before the sandbox is started.
 The directory is created if it doesn't already exist.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 25992fb3e..6e49fc25f 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -378,6 +378,16 @@ Example:
 $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox
 
 .TP
+\fB\-\-disable-mnt
+Disable /mnt, /media, /run/mount and /run/media access.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-disable-mnt firefox
+
+.TP
 \fB\-\-dns=address
 Set a DNS server for the sandbox. Up to three DNS servers can be defined.
 Use this option if you don't trust the DNS setup on your network.