authorLibravatar netblue30 <netblue30@yahoo.com>2016-09-28 10:13:17 -0400
committerLibravatar netblue30 <netblue30@yahoo.com>2016-09-28 10:13:17 -0400
commit79a014e0e6b2d8f1a83fd0a3fab61cc1d2e376ea (patch)
tree8c49078f4ff6164415378b0c9ac16b1bc17efa81 /src
parentprivate-dev fix (diff)
--no3d - disable 3D hardware acceleration
Diffstat (limited to 'src')
-rw-r--r--src/firejail/firejail.h4
-rw-r--r--src/firejail/fs_dev.c72
-rw-r--r--src/firejail/main.c4
-rw-r--r--src/firejail/profile.c4
-rw-r--r--src/firejail/sandbox.c10
-rw-r--r--src/firejail/usage.c3
-rw-r--r--src/man/firejail-profile.txt3
-rw-r--r--src/man/firejail.txt9
8 files changed, 80 insertions, 29 deletions
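--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -305,6 +305,7 @@ extern int arg_private_tmp; // private tmp directory
 extern int arg_scan; // arp-scan all interfaces
 extern int arg_whitelist; // whitelist commad
 extern int arg_nosound; // disable sound
+extern int arg_no3d; // disable 3d hardware acceleration
 extern int arg_quiet; // no output for scripting
 extern int arg_join_network; // join only the network namespace
 extern int arg_join_filesystem; // join only the mount namespace
@@ -470,7 +471,8 @@ void dbg_test_dir(const char *dir);
 // fs_dev.c
 void fs_dev_shm(void);
 void fs_private_dev(void);
-void fs_dev_disable_sound();
+void fs_dev_disable_sound(void);
+void fs_dev_disable_3d(void);
 
 // fs_home.c
 // private mode (--private)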
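--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -33,25 +33,27 @@
 typedef struct {
  const char *dev_fname;
  const char *run_fname;
+ int sound;
+ int hw3d;
 } DevEntry;
 
 static DevEntry dev[] = {
- {"/dev/snd", RUN_DEV_DIR "/snd"},
- {"/dev/dri", RUN_DEV_DIR "/dri"},
- {"/dev/nvidia0", RUN_DEV_DIR "/nvidia0"},
- {"/dev/nvidia1", RUN_DEV_DIR "/nvidia1"},
- {"/dev/nvidia2", RUN_DEV_DIR "/nvidia2"},
- {"/dev/nvidia3", RUN_DEV_DIR "/nvidia3"},
- {"/dev/nvidia4", RUN_DEV_DIR "/nvidia4"},
- {"/dev/nvidia5", RUN_DEV_DIR "/nvidia5"},
- {"/dev/nvidia6", RUN_DEV_DIR "/nvidia6"},
- {"/dev/nvidia7", RUN_DEV_DIR "/nvidia7"},
- {"/dev/nvidia8", RUN_DEV_DIR "/nvidia8"},
- {"/dev/nvidia9", RUN_DEV_DIR "/nvidia9"},
- {"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl"},
- {"/dev/nvidia-modset", RUN_DEV_DIR "/nvidia-modset"},
- {"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm"},
- {NULL, NULL}
+ {"/dev/snd", RUN_DEV_DIR "/snd", 1, 0}, // sound device
+ {"/dev/dri", RUN_DEV_DIR "/dri", 0, 1}, // 3d device
+ {"/dev/nvidia0", RUN_DEV_DIR "/nvidia0", 0, 1},
+ {"/dev/nvidia1", RUN_DEV_DIR "/nvidia1", 0, 1},
+ {"/dev/nvidia2", RUN_DEV_DIR "/nvidia2", 0, 1},
+ {"/dev/nvidia3", RUN_DEV_DIR "/nvidia3", 0, 1},
+ {"/dev/nvidia4", RUN_DEV_DIR "/nvidia4", 0, 1},
+ {"/dev/nvidia5", RUN_DEV_DIR "/nvidia5", 0, 1},
+ {"/dev/nvidia6", RUN_DEV_DIR "/nvidia6", 0, 1},
+ {"/dev/nvidia7", RUN_DEV_DIR "/nvidia7", 0, 1},
+ {"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", 0, 1},
+ {"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", 0, 1},
+ {"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", 0, 1},
+ {"/dev/nvidia-modset", RUN_DEV_DIR "/nvidia-modset", 0, 1},
+ {"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", 0, 1},
+ {NULL, NULL, 0, 0}
 };
 
 static void deventry_mount(void) {
@@ -281,10 +283,38 @@ void fs_dev_shm(void) {
  }
 }
 
-void fs_dev_disable_sound() {
+static void disable_file_or_dir(const char *fname) {
  if (arg_debug)
-  printf("disable /dev/snd\n");
- if (mount(RUN_RO_DIR, "/dev/snd", "none", MS_BIND, "mode=400,gid=0") < 0)
-  errExit("disable /dev/snd");
- fs_logger("blacklist /dev/snd");
+  printf("disable %s\n", fname);
+ struct stat s;
+ if (stat(fname, &s) != -1) {
+  if (is_dir(fname)) {
+   if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+    errExit("disable directory");
+  }
+  else {
+   if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+    errExit("disable file");
+  }
+ }
+ fs_logger2("blacklist", fname);
+
+}
+
+void fs_dev_disable_sound(void) {
+ int i = 0;
+ while (dev[i].dev_fname != NULL) {
+  if (dev[i].sound)
+   disable_file_or_dir(dev[i].dev_fname);
+  i++;
+ }
+}
+
+void fs_dev_disable_3d(void) {
+ int i = 0;
+ while (dev[i].dev_fname != NULL) {
+  if (dev[i].hw3d)
+   disable_file_or_dir(dev[i].dev_fname);
+  i++;
+ }
 }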
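Review bot: disable_file_or_dir fills `struct stat s` with stat() and then throws the result away, calling is_dir(fname) to look the path up a second time; the directory test can come from the buffer already in hand, `if (S_ISDIR(s.st_mode)) {`, which removes the redundant lookup and the gap between the two checks. fs_logger2("blacklist", fname) is also reached when stat() fails, so the log records a blacklist for a device that was never mounted over; moving that call inside the `if (stat(fname, &s) != -1)` block keeps the log truthful (this is a behaviour change from the old fs_dev_disable_sound, which errExit'd on a missing /dev/snd — if skipping absent devices is intended, a comment saying so on the stat() line would help). fs_dev_disable_sound and fs_dev_disable_3d are the same loop testing a different field; a single static helper taking the flag to match would avoid the duplication, and the stray blank line before the closing brace of disable_file_or_dir can go. dev[] is also walked by deventry_mount, whose body lies outside this hunk.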
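--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -93,6 +93,7 @@ int arg_private_tmp = 0; // private tmp directory
 int arg_scan = 0; // arp-scan all interfaces
 int arg_whitelist = 0; // whitelist commad
 int arg_nosound = 0; // disable sound
+int arg_no3d; // disable 3d hardware acceleration
 int arg_quiet = 0; // no output for scripting
 int arg_join_network = 0; // join only the network namespace
 int arg_join_filesystem = 0; // join only the mount namespace
@@ -1733,6 +1734,9 @@ int main(int argc, char **argv) {
  else if (strcmp(argv[i], "--nosound") == 0) {
   arg_nosound = 1;
  }
+ else if (strcmp(argv[i], "--no3d") == 0) {
+  arg_no3d = 1;
+ }
 
  //*************************************
  // network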
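Review bot: `int arg_no3d;` in the first hunk omits the `= 0` initializer that every neighbouring flag (arg_nosound, arg_quiet, arg_join_network) carries; a file-scope int is zero-initialized either way, so this is consistency rather than a bug, but `int arg_no3d = 0; // disable 3d hardware acceleration` keeps the declaration block uniform and matches the extern in firejail.h. The `--no3d` branch in the second hunk mirrors the `--nosound` branch above it and needs nothing further. main() starts and ends outside these hunks.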
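--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -201,6 +201,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
   arg_nosound = 1;
   return 0;
  }
+ else if (strcmp(ptr, "no3d") == 0) {
+  arg_no3d = 1;
+  return 0;
+ }
  else if (strcmp(ptr, "netfilter") == 0) {
 #ifdef HAVE_NETWORK
   if (checkcfg(CFG_NETWORK))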
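--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -558,11 +558,6 @@ int sandbox(void* sandbox_arg) {
   fs_private();
  }
 
-#if 0
- if (arg_private_template)
-  fs_private_template();
-#endif
-
  if (arg_private_dev) {
   if (cfg.chrootdir)
    fprintf(stderr, "Warning: private-dev feature is disabled in chroot\n");
@@ -635,7 +630,7 @@ int sandbox(void* sandbox_arg) {
  fs_trace();
 
  //****************************
- // --nosound and fix for pulseaudio 7.0
+ // nosound/no3d and fix for pulseaudio 7.0
  //****************************
  if (arg_nosound) {
   // disable pulseaudio
@@ -647,6 +642,9 @@ int sandbox(void* sandbox_arg) {
  else
   pulseaudio_init();
 
+ if (arg_no3d)
+  fs_dev_disable_3d();
+
  //****************************
  // networking
  //****************************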
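Review bot: The `if (arg_no3d) fs_dev_disable_3d();` call in the third hunk sits after the `else pulseaudio_init();` branch, outside the block that the second hunk's banner now labels "nosound/no3d", so a reader scanning banners will look for the 3D handling inside the sound section and not find it. Either move the call directly under the `if (arg_nosound) { ... }` block or give it its own `//**************************** // --no3d ****************************` banner, and leave the pulseaudio banner as it was. The enclosing sandbox() begins and ends outside these hunks.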
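--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -147,7 +147,8 @@ void usage(void) {
  printf(" --netstats - monitor network statistics for sandboxes creating a new\n");
  printf("\tnetwork namespace.\n\n");
 #endif
- printf(" --nice=value - set nice value\n\n");
+ printf(" --nice=value - set nice value.\n\n");
+ printf(" --no3d - disable 3D hardware acceleration.\n\n");
  printf(" --noblacklist=dirname_or_filename - disable blacklist for directory or\n");
  printf("\tfile.\n\n");
  printf(" --noexec=dirname_of_filenam - remount the file or directory noexec\n");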
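--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -355,6 +355,9 @@ Enable IPC namespace.
 .TP
 \fBnosound
 Disable sound system.
+.TP
+\fBno3d
+Disable 3D hardware acceleration.
 
 .SH Networking
 Networking features available in profile files.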
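--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -853,6 +853,15 @@ Example:
 .br
 $ firejail --nice=2 firefox
 
+.TP
+\fB\-\-no3d
+Disable 3D hardware acceleration.
+.br
+
+.br
+Example:
+.br
+$ firejail --no3d firefox
 
 .TP
 \fB\-\-noblacklist=dirname_or_filename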