added --nodvd

7 files changed, 46 insertions, 4 deletions

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index bb16ea42b..b19aded44 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -361,6 +361,7 @@ extern int arg_disable_mnt;	// disable /mnt and /media
 extern int arg_noprofile;       // use default.profile if none other found/specified
 extern int arg_memory_deny_write_execute;       // block writable and executable memory
 extern int arg_notv;    // --notv
+extern int arg_nodvd;   // --nodvd
 
 extern int login_shell;
 extern int parent_to_child_fds[2];
@@ -514,6 +515,7 @@ void fs_dev_disable_sound(void);
 void fs_dev_disable_3d(void);
 void fs_dev_disable_video(void);
 void fs_dev_disable_tv(void);
+void fs_dev_disable_dvd(void);
 
 // fs_home.c
 // private mode (--private)
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index d94a6de5a..0dbbb65a0 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -38,6 +38,7 @@ typedef enum {
         DEV_3D,
         DEV_VIDEO,
         DEV_TV,
+        DEV_DVD,
 } DEV_TYPE;
 
 
@@ -74,6 +75,7 @@ static DevEntry dev[] = {
         {"/dev/video8", RUN_DEV_DIR "/video8", DEV_VIDEO},
         {"/dev/video9", RUN_DEV_DIR "/video9", DEV_VIDEO},
         {"/dev/dvb", RUN_DEV_DIR "/dvb", DEV_TV}, // DVB (Digital Video Broadcasting) - TV device
+        {"/dev/sr0", RUN_DEV_DIR "/sr0", DEV_DVD}, // for DVD and audio CD players
         {NULL, NULL, DEV_NONE}
 };
 
@@ -87,7 +89,8 @@ static void deventry_mount(void) {
                         if ((dev[i].type == DEV_SOUND && arg_nosound == 0) ||
                             (dev[i].type == DEV_3D && arg_no3d == 0) ||
                             (dev[i].type == DEV_VIDEO && arg_novideo == 0) ||
-                            (dev[i].type == DEV_TV && arg_notv == 0)) {
+                            (dev[i].type == DEV_TV && arg_notv == 0) ||
+                            (dev[i].type == DEV_DVD && arg_nodvd == 0)) {
                         
                                 int dir = is_dir(dev[i].run_fname);
                                 if (arg_debug)
@@ -251,6 +254,14 @@ void fs_private_dev(void){
         create_link("/proc/self/fd/1", "/dev/stdout");
         create_link("/proc/self/fd/2", "/dev/stderr");
 #endif
+
+        // symlinks for DVD/CD players
+        if (stat("/dev/sr0", &s) == 0) {
+                create_link("/dev/sr0", "/dev/cdrom");
+                create_link("/dev/sr0", "/dev/cdrw");
+                create_link("/dev/sr0", "/dev/dvd");
+                create_link("/dev/sr0", "/dev/dvdrw");
+        }
 }
 
 
@@ -343,3 +354,12 @@ void fs_dev_disable_tv(void) {
                 i++;
         }
 }
+
+void fs_dev_disable_dvd(void) {
+        int i = 0;
+        while (dev[i].dev_fname != NULL) {
+                if (dev[i].type == DEV_DVD)
+                        disable_file_or_dir(dev[i].dev_fname);
+                i++;
+        }
+}
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 3718c82ff..31857ee57 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -113,6 +113,7 @@ int arg_disable_mnt = 0;			// disable /mnt and /media
 int arg_noprofile = 0; // use default.profile if none other found/specified
 int arg_memory_deny_write_execute = 0;          // block writable and executable memory
 int arg_notv = 0;       // --notv
+int arg_nodvd = 0; // --nodvd
 int login_shell = 0;
 
 
@@ -1690,6 +1691,8 @@ int main(int argc, char **argv) {
                         arg_no3d = 1;
                 else if (strcmp(argv[i], "--notv") == 0)
                         arg_notv = 1;
+                else if (strcmp(argv[i], "--nodvd") == 0)
+                        arg_nodvd = 1;
 
                 //*************************************
                 // network
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 54670483f..7753ee3b2 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -229,6 +229,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 arg_notv = 1;
                 return 0;
         }
+        else if (strcmp(ptr, "nodvd") == 0) {
+                arg_nodvd = 1;
+                return 0;
+        }
         else if (strcmp(ptr, "novideo") == 0) {
                 arg_novideo = 1;
                 return 0;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 4af8b747b..472f09355 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -894,10 +894,11 @@ int sandbox(void* sandbox_arg) {
         if (arg_notv)
                 fs_dev_disable_tv();
 
-        if (arg_novideo) {
-                // disable /dev/video*
+        if (arg_nodvd)
+                fs_dev_disable_dvd();
+
+        if (arg_novideo)
                 fs_dev_disable_video();
-        }
 
         //****************************
         // install trace
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 489e70c95..5bd4f6ef8 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -411,6 +411,9 @@ env LD_LIBRARY_PATH=/opt/test/lib
 env CFLAGS="-W -Wall -Werror"
 
 .TP
+\fBnodvd
+Disable DVD and audio CD devices.
+.TP
 \fBnogroups
 Disable supplementary user groups
 .TP
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index ddcaa1412..e7b427e7e 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -974,6 +974,15 @@ $ nc dict.org 2628
 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
 .br
 .TP
+\fB\-\-nodvd
+Disable DVD and audio CD devices.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-nodvd
+.TP
 \fB\-\-noexec=dirname_or_filename
 Remount directory or file noexec, nodev and nosuid.
 .br