--nosound option

author: netblue30 <netblue30@yahoo.com> 2015-10-12 09:03:24 -0400
committer: netblue30 <netblue30@yahoo.com> 2015-10-12 09:03:24 -0400
commit: e1d2a3af68f89e14c4d4651cfd0cad14de07027b (patch)
tree: 566236f58a184a33cec913b3dc4ec263e3a1168d /src
parent: --private-bin (diff)
download: firejail-e1d2a3af68f89e14c4d4651cfd0cad14de07027b.tar.gz
firejail-e1d2a3af68f89e14c4d4651cfd0cad14de07027b.tar.zst
firejail-e1d2a3af68f89e14c4d4651cfd0cad14de07027b.zip
4 files changed, 72 insertions, 4 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index cbc4086fb..ed3e2679f 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -174,6 +174,7 @@ extern int arg_private_etc;	// private etc directory
 extern int arg_private_bin;     // private bin directory
 extern int arg_scan;            // arp-scan all interfaces
 extern int arg_whitelist;       // whitelist commad
+extern int arg_nosound; // disable sound
 extern int parent_to_child_fds[2];
 extern int child_to_parent_fds[2];
@@ -406,6 +407,7 @@ void errno_print(void);
 // pulseaudio.c
 void pulseaudio_init(void);
+void pulseaudio_disable(void);
 // fs_bin.c
 void fs_check_bin_list(void);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 616b26894..14ba21db5 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -85,6 +85,7 @@ int arg_private_etc = 0;			// private etc directory
 int arg_private_bin = 0;                        // private bin directory
 int arg_scan = 0;                               // arp-scan all interfaces
 int arg_whitelist = 0;                          // whitelist commad
+int arg_nosound = 0;                            // disable sound
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -791,7 +792,11 @@ int main(int argc, char **argv) {
                }
                else if (strncmp(argv[i], "--env=", 6) == 0)
                        env_store(argv[i] + 6);
-                
+                else if (strncmp(argv[i], "--nosound", 9) == 0) {
+                        arg_nosound = 1;
+                        arg_private_dev = 1;
+                }
+                                
                //*************************************
                // network
                //*************************************
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index bea0cc940..7ab77998e 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -21,8 +21,66 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/mount.h>
+#include <dirent.h>
-// disable shm in pulse audio
+static void disable_file(const char *file) {
+        assert(file);
+        
+        struct stat s;
+        char *fname;
+        if (asprintf(&fname, "/tmp/%s", file) == -1)
+                errExit("asprintf");
+        if (stat(fname, &s) == -1)
+                return;
+        if (S_ISDIR(s.st_mode)) {
+                if (mount(RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+                        errExit("disable file");
+        }
+        else {
+                if (mount(RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+                        errExit("disable file");
+        }
+}
+// disable pulseaudio socket
+void pulseaudio_disable(void) {
+        //**************************************
+        // blacklist any pulse* directory in /tmp directory
+        //**************************************
+        DIR *dir;
+        if (!(dir = opendir("/tmp"))) {
+                // sleep 2 seconds and try again
+                sleep(2);
+                if (!(dir = opendir("/tmp"))) {
+                        fprintf(stderr, "Warning: cannot open /tmp directory. PulseAudio sockets not disabled\n");
+                        return;
+                }
+        }
+        struct dirent *entry;
+        while ((entry = readdir(dir))) {
+                if (strncmp(entry->d_name, "pulse-", 6) == 0) {
+                        if (arg_debug)
+                                printf("Disable %s\n", entry->d_name);
+                        disable_file(entry->d_name);
+                }
+        }
+        closedir(dir);
+        //**************************************
+        // blacklist XDG_RUNTIME_DIR
+        //**************************************
+        char *name = getenv("XDG_RUNTIME_DIR");
+        if (name) {
+                if (arg_debug)
+                        printf("Disable %s\n", name);
+                disable_file(name);
+        }
+}
+// disable shm in pulseaudio
 void pulseaudio_init(void) {
        struct stat s;
        
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index d3f92e51b..50fe50380 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -272,9 +272,12 @@ int sandbox(void* sandbox_arg) {
        fs_proc_sys_dev_boot();
        
        //****************************
-        // fix for pulseaudio 7.0
+        // --nosound and fix for pulseaudio 7.0
        //****************************
-        pulseaudio_init();
+        if (arg_nosound)
+                pulseaudio_disable();
+        else
+                pulseaudio_init();
        
        //****************************
        // networking
author	netblue30 <netblue30@yahoo.com>	2015-10-12 09:03:24 -0400
committer	netblue30 <netblue30@yahoo.com>	2015-10-12 09:03:24 -0400
commit	e1d2a3af68f89e14c4d4651cfd0cad14de07027b (patch)
tree	566236f58a184a33cec913b3dc4ec263e3a1168d /src
parent	--private-bin (diff)
download	firejail-e1d2a3af68f89e14c4d4651cfd0cad14de07027b.tar.gz firejail-e1d2a3af68f89e14c4d4651cfd0cad14de07027b.tar.zst firejail-e1d2a3af68f89e14c4d4651cfd0cad14de07027b.zip

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index cbc4086fb..ed3e2679f 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -174,6 +174,7 @@ extern int arg_private_etc; // private etc directory
174	extern int arg_private_bin; // private bin directory	174	extern int arg_private_bin; // private bin directory
175	extern int arg_scan; // arp-scan all interfaces	175	extern int arg_scan; // arp-scan all interfaces
176	extern int arg_whitelist; // whitelist commad	176	extern int arg_whitelist; // whitelist commad
		177	extern int arg_nosound; // disable sound
177		178
178	extern int parent_to_child_fds[2];	179	extern int parent_to_child_fds[2];
179	extern int child_to_parent_fds[2];	180	extern int child_to_parent_fds[2];
@@ -406,6 +407,7 @@ void errno_print(void);
406		407
407	// pulseaudio.c	408	// pulseaudio.c
408	void pulseaudio_init(void);	409	void pulseaudio_init(void);
		410	void pulseaudio_disable(void);
409		411
410	// fs_bin.c	412	// fs_bin.c
411	void fs_check_bin_list(void);	413	void fs_check_bin_list(void);


diff --git a/src/firejail/main.c b/src/firejail/main.c index 616b26894..14ba21db5 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -85,6 +85,7 @@ int arg_private_etc = 0; // private etc directory
85	int arg_private_bin = 0; // private bin directory	85	int arg_private_bin = 0; // private bin directory
86	int arg_scan = 0; // arp-scan all interfaces	86	int arg_scan = 0; // arp-scan all interfaces
87	int arg_whitelist = 0; // whitelist commad	87	int arg_whitelist = 0; // whitelist commad
		88	int arg_nosound = 0; // disable sound
88		89
89	int parent_to_child_fds[2];	90	int parent_to_child_fds[2];
90	int child_to_parent_fds[2];	91	int child_to_parent_fds[2];
@@ -791,7 +792,11 @@ int main(int argc, char **argv) {
791	}	792	}
792	else if (strncmp(argv[i], "--env=", 6) == 0)	793	else if (strncmp(argv[i], "--env=", 6) == 0)
793	env_store(argv[i] + 6);	794	env_store(argv[i] + 6);
794		795	else if (strncmp(argv[i], "--nosound", 9) == 0) {
		796	arg_nosound = 1;
		797	arg_private_dev = 1;
		798	}
		799
795	//*************************************	800	//*************************************
796	// network	801	// network
797	//*************************************	802	//*************************************


diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index bea0cc940..7ab77998e 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c
@@ -21,8 +21,66 @@
21	#include <sys/types.h>	21	#include <sys/types.h>
22	#include <sys/stat.h>	22	#include <sys/stat.h>
23	#include <sys/mount.h>	23	#include <sys/mount.h>
		24	#include <dirent.h>
24		25
25	// disable shm in pulse audio	26	static void disable_file(const char *file) {
		27	assert(file);
		28
		29	struct stat s;
		30	char *fname;
		31	if (asprintf(&fname, "/tmp/%s", file) == -1)
		32	errExit("asprintf");
		33	if (stat(fname, &s) == -1)
		34	return;
		35	if (S_ISDIR(s.st_mode)) {
		36	if (mount(RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
		37	errExit("disable file");
		38	}
		39	else {
		40	if (mount(RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
		41	errExit("disable file");
		42	}
		43	}
		44
		45	// disable pulseaudio socket
		46	void pulseaudio_disable(void) {
		47	//**************************************
		48	// blacklist any pulse* directory in /tmp directory
		49	//**************************************
		50	DIR *dir;
		51	if (!(dir = opendir("/tmp"))) {
		52	// sleep 2 seconds and try again
		53	sleep(2);
		54	if (!(dir = opendir("/tmp"))) {
		55	fprintf(stderr, "Warning: cannot open /tmp directory. PulseAudio sockets not disabled\n");
		56	return;
		57	}
		58	}
		59
		60	struct dirent *entry;
		61	while ((entry = readdir(dir))) {
		62	if (strncmp(entry->d_name, "pulse-", 6) == 0) {
		63	if (arg_debug)
		64	printf("Disable %s\n", entry->d_name);
		65	disable_file(entry->d_name);
		66	}
		67	}
		68
		69	closedir(dir);
		70
		71	//**************************************
		72	// blacklist XDG_RUNTIME_DIR
		73	//**************************************
		74	char *name = getenv("XDG_RUNTIME_DIR");
		75	if (name) {
		76	if (arg_debug)
		77	printf("Disable %s\n", name);
		78	disable_file(name);
		79	}
		80	}
		81
		82
		83	// disable shm in pulseaudio
26	void pulseaudio_init(void) {	84	void pulseaudio_init(void) {
27	struct stat s;	85	struct stat s;
28		86


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index d3f92e51b..50fe50380 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -272,9 +272,12 @@ int sandbox(void* sandbox_arg) {
272	fs_proc_sys_dev_boot();	272	fs_proc_sys_dev_boot();
273		273
274	//****************************	274	//****************************
275	// fix for pulseaudio 7.0	275	// --nosound and fix for pulseaudio 7.0
276	//****************************	276	//****************************
277	pulseaudio_init();	277	if (arg_nosound)
		278	pulseaudio_disable();
		279	else
		280	pulseaudio_init();
278		281
279	//****************************	282	//****************************
280	// networking	283	// networking