author | netblue30 <netblue30@yahoo.com> | 2016-07-06 07:31:39 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-07-06 07:31:39 -0400 |
commit | 50b9de988c17fc45e9baa97848b70e549190ff3a (patch) | |
tree | 9dd178b9824de4e160dd39793bc17c3f2c338333 /src | |
parent | audit feature: bash completion (diff) | |
private-dev enhancements
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/fs_dev.c | 42 | ||||
-rw-r--r-- | src/firejail/main.c | 1 | ||||
-rw-r--r-- | src/firejail/profile.c | 1 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 7 |
5 files changed, 49 insertions, 4 deletions
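--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -44,6 +44,7 @@
 #define RUN_ETC_DIR "/run/firejail/mnt/etc"
 #define RUN_BIN_DIR "/run/firejail/mnt/bin"
 #define RUN_DRI_DIR "/run/firejail/mnt/dri"
+#define RUN_SND_DIR "/run/firejail/mnt/snd"
 #define RUN_PULSE_DIR "/run/firejail/mnt/pulse"
 #define RUN_DEVLOG_FILE "/run/firejail/mnt/devlog"
 
@@ -406,6 +407,7 @@ void dbg_test_dir(const char *dir);
 // fs_dev.c
 void fs_dev_shm(void);
 void fs_private_dev(void);
+void fs_dev_disable_sound();
 
 // fs_home.c
 // private mode (--private)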
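Review bot: The new declaration `void fs_dev_disable_sound();` in the second hunk is not a prototype in C: empty parentheses leave the parameter list unspecified, so a call that passes arguments compiles without a diagnostic. The neighbouring declarations use `(void)`. I would write `void fs_dev_disable_sound(void);` here and use the same form in the definition this commit adds to fs_dev.c.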
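--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -68,9 +68,12 @@ void fs_private_dev(void){
 printf("Mounting tmpfs on /dev\n");
 
 int have_dri = 0;
+int have_snd = 0;
 struct stat s;
 if (stat("/dev/dri", &s) == 0)
 have_dri = 1;
+if (stat("/dev/snd", &s) == 0)
+have_snd = 1;
 
 // create DRI_DIR
 fs_build_mnt_dir();
@@ -89,7 +92,23 @@ void fs_private_dev(void){
 errExit("mounting /dev/dri");
 }
 
-// restore /dev/log
+// create SND_DIR
+if (have_snd) {
+/* coverity[toctou] */
+rv = mkdir(RUN_SND_DIR, 0755);
+if (rv == -1)
+errExit("mkdir");
+if (chown(RUN_SND_DIR, 0, 0) < 0)
+errExit("chown");
+if (chmod(RUN_SND_DIR, 0755) < 0)
+errExit("chmod");
+
+// keep a copy of /dev/dri under DRI_DIR
+if (mount("/dev/snd", RUN_SND_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
+errExit("mounting /dev/snd");
+}
+
+// create DEVLOG_FILE
 int have_devlog = 0;
 if (stat("/dev/log", &s) == 0) {
 have_devlog = 1;
@@ -121,6 +140,21 @@ void fs_private_dev(void){
 }
 }
 
+// bring back the /dev/snd directory
+if (have_snd) {
+/* coverity[toctou] */
+rv = mkdir("/dev/snd", 0755);
+if (rv == -1)
+errExit("mkdir");
+if (chown("/dev/snd", 0, 0) < 0)
+errExit("chown");
+if (chmod("/dev/snd",0755) < 0)
+errExit("chmod");
+if (mount(RUN_SND_DIR, "/dev/snd", NULL, MS_BIND|MS_REC, NULL) < 0)
+errExit("mounting /dev/snd");
+fs_logger("whitelist /dev/snd");
+}
+
 // bring back the /dev/dri directory
 if (have_dri) {
 /* coverity[toctou] */
@@ -243,3 +277,9 @@ void fs_dev_shm(void) {
 
 }
 }
+
+void fs_dev_disable_sound() {
+if (mount(RUN_RO_DIR, "/dev/snd", "none", MS_BIND, "mode=400,gid=0") < 0)
+errExit("disable /dev/snd");
+fs_logger("blacklist /dev/snd");
+}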
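Review bot: In `fs_dev_disable_sound()` (last hunk) the bind mount fails when `/dev/snd` does not exist, and `errExit` then ends the sandbox, so `--nosound` on a host without ALSA device nodes would abort instead of having nothing to do. The `"none"` type and the `"mode=400,gid=0"` data string are ignored by the kernel for `MS_BIND`, so what the sandboxed process sees depends only on the permissions of `RUN_RO_DIR`, which is defined outside this diff. Passing `NULL` for both makes that explicit, and a guard on the target as in the fence below keeps the blacklist in force wherever there is something to hide. Separately, the comment at new line 106 still reads `/dev/dri under DRI_DIR` above the `/dev/snd` mount.

```c
void fs_dev_disable_sound(void) {
	struct stat s;

	// no ALSA nodes on this host: nothing to hide, and the bind target would be missing
	if (stat("/dev/snd", &s) == -1)
		return;

	// fstype and data are ignored for MS_BIND; access is governed by RUN_RO_DIR itself
	if (mount(RUN_RO_DIR, "/dev/snd", NULL, MS_BIND, NULL) < 0)
		errExit("disable /dev/snd");
	fs_logger("blacklist /dev/snd");
}
```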
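--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1468,7 +1468,6 @@ int main(int argc, char **argv) {
 env_store(argv[i] + 6);
 else if (strcmp(argv[i], "--nosound") == 0) {
 arg_nosound = 1;
-arg_private_dev = 1;
 }
 
 //*************************************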
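--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -178,7 +178,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 else if (strcmp(ptr, "nosound") == 0) {
 arg_nosound = 1;
-arg_private_dev = 1;
 return 0;
 }
 else if (strcmp(ptr, "netfilter") == 0) {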
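--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -559,8 +559,13 @@ int sandbox(void* sandbox_arg) {
 //****************************
 // --nosound and fix for pulseaudio 7.0
 //****************************
-if (arg_nosound)
+if (arg_nosound) {
+// disable pulseaudio
 pulseaudio_disable();
+
+// disable /dev/snd
+fs_dev_disable_sound();
+}
 else
 pulseaudio_init();
 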
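Review bot: Covering only `/dev/snd` in the `arg_nosound` branch leaves any sound device nodes that live elsewhere under `/dev` reachable, for example the OSS emulation nodes `/dev/dsp` and `/dev/mixer` on hosts that load it. Before this commit `nosound` also set `arg_private_dev` (removed in main.c and profile.c), which, going by the `Mounting tmpfs on /dev` message in fs_dev.c, replaced `/dev` as a whole. If that narrowing is intended, I would say so at the call site, e.g. `// hides ALSA nodes under /dev/snd only; use private-dev as well to drop other /dev entries`, and note it in the option's documentation. sandbox() starts and ends outside the hunk.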