author | netblue30 <netblue30@yahoo.com> | 2017-07-04 10:24:23 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-07-04 10:24:23 -0400 |
commit | 822be0355f3b440d7cf193bc5c923f24163dd6d5 (patch) | |
tree | 0028f78ff27621c4772915765b0f24fd065bd2fc /src | |
parent | merges (diff) | |
per-profile disable-mnt
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 5 | ||||
-rw-r--r-- | src/firejail/profile.c | 5 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 2 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 3 | ||||
-rw-r--r-- | src/man/firejail.txt | 10 |
6 files changed, 24 insertions, 2 deletions
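--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -350,6 +350,7 @@ extern int arg_x11_block; // block X11
 extern int arg_x11_xorg; // use X11 security extention
 extern int arg_allusers; // all user home directories visible
 extern int arg_machineid; // preserve /etc/machine-id
+extern int arg_disable_mnt; // disable /mnt and /media
 
 extern int login_shell;
 extern int parent_to_child_fds[2];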
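Review bot: The comment on the new `arg_disable_mnt` declaration says `// disable /mnt and /media`, while both man pages changed in this commit document the option as covering /mnt, /media, /run/mount and /run/media. The same short comment is repeated on the definition in main.c, and the banner above the `fs_mnt()` call in sandbox.c also names only two paths. If fs_mnt() does cover all four (its body is not part of this diff), the comments should say so, e.g. `extern int arg_disable_mnt; // disable /mnt, /media, /run/mount and /run/media`. Someone auditing a profile from the source comments alone would otherwise underestimate what the flag hides.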
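--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -107,7 +107,8 @@ int arg_x11_xorg = 0; // use X11 security extention
 int arg_allusers = 0; // all user home directories visible
 int arg_machineid = 0; // preserve /etc/machine-id
 int arg_allow_private_blacklist = 0; // blacklist things in private directories
-int arg_writable_var_log; // writable /var/log
+int arg_writable_var_log = 0; // writable /var/log
+int arg_disable_mnt = 0; // disable /mnt and /media
 
 int login_shell = 0;
 
@@ -1291,6 +1292,8 @@ int main(int argc, char **argv) {
 profile_check_line(line, 0, NULL); // will exit if something wrong
 profile_add(line);
 }
+else if (strcmp(argv[i], "--disable-mnt") == 0)
+arg_disable_mnt = 1;
 #ifdef HAVE_OVERLAYFS
 else if (strcmp(argv[i], "--overlay") == 0) {
 if (checkcfg(CFG_OVERLAYFS)) {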
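Review bot: The new `--disable-mnt` branch makes the option parseable, but none of the six files in the diffstat appears to hold the program's built-in option listing, so the flag is probably documented only in the man pages. If the binary prints an option summary, a line for `--disable-mnt` belongs there in the same change, so that a hardening switch is discoverable where users look first. Separately, the first hunk's `int arg_writable_var_log = 0;` is behaviour-neutral for a file-scope int and unrelated to the commit title, so it deserves a mention in the commit message. main() starts and ends outside both hunks.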
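--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1001,6 +1001,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 
+if (strcmp(ptr, "disable-mnt") == 0) {
+arg_disable_mnt = 1;
+return 0;
+}
+
 // rest of filesystem
 if (strncmp(ptr, "blacklist ", 10) == 0)
 ptr += 10;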
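Review bot: The added `strcmp(ptr, "disable-mnt") == 0` test matches only the exact string, so a profile line with trailing whitespace or extra text falls through to the filesystem handling below the hunk. Whether `ptr` is already trimmed, and whether an unmatched line aborts or is skipped, is decided outside this hunk; for a hardening keyword the second case would mean the restriction silently does not apply. A comment on the branch would record the expectation, for example `// exact keyword, no arguments; ptr is expected to be trimmed by the caller`. The branch also sets global state from inside a line checker and can only turn the flag on, which is worth stating in the same comment.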
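--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -790,7 +790,7 @@ int sandbox(void* sandbox_arg) {
 //****************************
 // handle /mnt and /media
 //****************************
-if (checkcfg(CFG_DISABLE_MNT))
+if (arg_disable_mnt || checkcfg(CFG_DISABLE_MNT))
 fs_mnt();
 
 //****************************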
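--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -161,6 +161,9 @@ Mount-bind directory1 on top of directory2. This option is only available when r
 \fBbind file1,file2
 Mount-bind file1 on top of file2. This option is only available when running as root.
 .TP
+\fBdisable-mnt
+Disable /mnt, /media, /run/mount and /run/media access.
+.TP
 \fBmkdir directory
 Create a directory in user home or under /tmp before the sandbox is started.
 The directory is created if it doesn't already exist.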
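--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -378,6 +378,16 @@ Example:
 $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox
 
 .TP
+\fB\-\-disable-mnt
+Disable /mnt, /media, /run/mount and /run/media access.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-disable-mnt firefox
+
+.TP
 \fB\-\-dns=address
 Set a DNS server for the sandbox. Up to three DNS servers can be defined.
 Use this option if you don't trust the DNS setup on your network.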