Add a conditional to control DRM/noexec exception for browsers

author: Tad <tad@spotco.us> 2019-04-13 10:27:47 -0400
committer: Tad <tad@spotco.us> 2019-04-13 14:37:02 -0400
commit: ab78a250dbf889898427f46f52260425ccc8eda5 (patch)
tree: ac2c49207d51f3779ebbd83098fbd8cab7adb27f /src
parent: Fixes https://github.com/netblue30/firejail/issues/2547 (#2648) (diff)
download: firejail-ab78a250dbf889898427f46f52260425ccc8eda5.tar.gz
firejail-ab78a250dbf889898427f46f52260425ccc8eda5.tar.zst
firejail-ab78a250dbf889898427f46f52260425ccc8eda5.zip
4 files changed, 8 insertions, 1 deletions
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 54f6ea023..7ca72bf30 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -111,6 +111,7 @@ int checkcfg(int val) {
                        PARSE_YESNO(CFG_DISABLE_MNT, "disable-mnt")
                        PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach")
                        PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f")
+                        PARSE_YESNO(CFG_BROWSER_ALLOW_DRM, "browser-allow-drm")
 #undef PARSE_YESNO
                        // netfilter
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index b2c18d79f..2e04084e3 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -702,6 +702,7 @@ enum {
        CFG_ARP_PROBES,
        CFG_XPRA_ATTACH,
        CFG_BROWSER_DISABLE_U2F,
+        CFG_BROWSER_ALLOW_DRM,
        CFG_PRIVATE_LIB,
        CFG_APPARMOR,
        CFG_DBUS,
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 667b03652..c8619f7e2 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -151,10 +151,15 @@ static int check_disable_u2f(void) {
        return checkcfg(CFG_BROWSER_DISABLE_U2F) != 0;
 }
+static int check_allow_drm(void) {
+        return checkcfg(CFG_BROWSER_ALLOW_DRM) != 0;
+}
 Cond conditionals[] = {
        {"HAS_APPIMAGE", check_appimage},
        {"HAS_NODBUS", check_nodbus},
        {"BROWSER_DISABLE_U2F", check_disable_u2f},
+        {"BROWSER_ALLOW_DRM", check_allow_drm},
        { NULL, NULL }
 };
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index dde815d05..20b547355 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -94,7 +94,7 @@ Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
 This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line.
-Currently the only conditionals supported are HAS_APPIMAGE, HAS_NODBUS and BROWSER_DISABLE_U2F.
+Currently the only conditionals supported are HAS_APPIMAGE, HAS_NODBUS, BROWSER_DISABLE_U2F, and BROWSER_ALLOW_DRM.
 The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines.
author	Tad <tad@spotco.us>	2019-04-13 10:27:47 -0400
committer	Tad <tad@spotco.us>	2019-04-13 14:37:02 -0400
commit	ab78a250dbf889898427f46f52260425ccc8eda5 (patch)
tree	ac2c49207d51f3779ebbd83098fbd8cab7adb27f /src
parent	Fixes https://github.com/netblue30/firejail/issues/2547 (#2648) (diff)
download	firejail-ab78a250dbf889898427f46f52260425ccc8eda5.tar.gz firejail-ab78a250dbf889898427f46f52260425ccc8eda5.tar.zst firejail-ab78a250dbf889898427f46f52260425ccc8eda5.zip