diff options
-rw-r--r-- | etc/disable-common.inc | 15 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 32 |
2 files changed, 23 insertions, 24 deletions
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 1c1b298a9..7a5e8bf5b 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
@@ -181,19 +181,14 @@ read-only ${HOME}/.gem | |||
181 | read-only ${HOME}/.luarocks | 181 | read-only ${HOME}/.luarocks |
182 | read-only ${HOME}/.npm-packages | 182 | read-only ${HOME}/.npm-packages |
183 | 183 | ||
184 | ########################### | ||
185 | # The following block breaks trash functionality in file managers | 184 | # The following block breaks trash functionality in file managers |
186 | ########################## | ||
187 | # Make the contents of ~/.local read-only, | ||
188 | # except the commonly-used ~/.local/share, | ||
189 | # but including ~/.local/share/applications | ||
190 | #read-only ${HOME}/.local | 185 | #read-only ${HOME}/.local |
191 | #read-write ${HOME}/.local/share | 186 | #read-write ${HOME}/.local/share |
192 | #noexec ${HOME}/.local/share | 187 | #noexec ${HOME}/.local/share |
193 | read-only ${HOME}/.local/share/applications | 188 | blacklist ${HOME}/.local/share/Trash |
194 | blacklist ${HOME}/.local/share/Trash | ||
195 | |||
196 | 189 | ||
190 | # Write-protection for desktop entries | ||
191 | read-only ${HOME}/.local/share/applications | ||
197 | 192 | ||
198 | # top secret | 193 | # top secret |
199 | blacklist ${HOME}/.ecryptfs | 194 | blacklist ${HOME}/.ecryptfs |
@@ -296,3 +291,7 @@ blacklist ${PATH}/urxvtcd | |||
296 | # kernel files | 291 | # kernel files |
297 | blacklist /vmlinuz* | 292 | blacklist /vmlinuz* |
298 | blacklist /initrd* | 293 | blacklist /initrd* |
294 | |||
295 | # complement noexec ${HOME} and noexec /tmp | ||
296 | noexec ${HOME}/.config/pulse | ||
297 | noexec /tmp/.X11-unix | ||
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 5bfa06ade..3ff104d26 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -789,7 +789,23 @@ int sandbox(void* sandbox_arg) { | |||
789 | //**************************** | 789 | //**************************** |
790 | if (checkcfg(CFG_DISABLE_MNT)) | 790 | if (checkcfg(CFG_DISABLE_MNT)) |
791 | fs_mnt(); | 791 | fs_mnt(); |
792 | |||
793 | //**************************** | ||
794 | // nosound/no3d and fix for pulseaudio 7.0 | ||
795 | //**************************** | ||
796 | if (arg_nosound) { | ||
797 | // disable pulseaudio | ||
798 | pulseaudio_disable(); | ||
792 | 799 | ||
800 | // disable /dev/snd | ||
801 | fs_dev_disable_sound(); | ||
802 | } | ||
803 | else | ||
804 | pulseaudio_init(); | ||
805 | |||
806 | if (arg_no3d) | ||
807 | fs_dev_disable_3d(); | ||
808 | |||
793 | //**************************** | 809 | //**************************** |
794 | // apply the profile file | 810 | // apply the profile file |
795 | //**************************** | 811 | //**************************** |
@@ -809,22 +825,6 @@ int sandbox(void* sandbox_arg) { | |||
809 | //**************************** | 825 | //**************************** |
810 | if (arg_trace || arg_tracelog) | 826 | if (arg_trace || arg_tracelog) |
811 | fs_trace(); | 827 | fs_trace(); |
812 | |||
813 | //**************************** | ||
814 | // nosound/no3d and fix for pulseaudio 7.0 | ||
815 | //**************************** | ||
816 | if (arg_nosound) { | ||
817 | // disable pulseaudio | ||
818 | pulseaudio_disable(); | ||
819 | |||
820 | // disable /dev/snd | ||
821 | fs_dev_disable_sound(); | ||
822 | } | ||
823 | else | ||
824 | pulseaudio_init(); | ||
825 | |||
826 | if (arg_no3d) | ||
827 | fs_dev_disable_3d(); | ||
828 | 828 | ||
829 | //**************************** | 829 | //**************************** |
830 | // set dns | 830 | // set dns |