-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 43 | ||||
-rw-r--r-- | src/firejail/profile.c | 1 | ||||
-rw-r--r-- | src/firejail/util.c | 22 |
4 files changed, 67 insertions, 0 deletions
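--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -324,6 +324,7 @@ extern int arg_whitelist; // whitelist command
 extern int arg_nosound; // disable sound
 extern int arg_novideo; //disable video devices in /dev
 extern int arg_no3d; // disable 3d hardware acceleration
+extern int arg_noprinters; // disable printers
 extern int arg_quiet; // no output for scripting
 extern int arg_join_network; // join only the network namespace
 extern int arg_join_filesystem; // join only the mount namespace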
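--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -120,6 +120,7 @@ int arg_whitelist = 0; // whitelist command
 int arg_nosound = 0; // disable sound
 int arg_novideo = 0; //disable video devices in /dev
 int arg_no3d; // disable 3d hardware acceleration
+int arg_noprinters = 0; // disable printers
 int arg_quiet = 0; // no output for scripting
 int arg_join_network = 0; // join only the network namespace
 int arg_join_filesystem = 0; // join only the mount namespace
@@ -2160,6 +2161,7 @@ int main(int argc, char **argv, char **envp) {
 else if (strcmp(argv[i], "--no3d") == 0)
 arg_no3d = 1;
 else if (strcmp(argv[i], "--noprinters") == 0) {
+arg_noprinters = 1;
 profile_add("blacklist /dev/lp*");
 profile_add("blacklist /run/cups/cups.sock");
 }
@@ -3153,6 +3155,47 @@ int main(int argc, char **argv, char **envp) {
 }
 }
 
+// add render group
+if (!arg_no3d) {
+g = get_group_id("render");
+if (g) {
+sprintf(ptr, "%d %d 1\n", g, g);
+ptr += strlen(ptr);
+}
+}
+
+// add lp group
+if (!arg_noprinters) {
+g = get_group_id("lp");
+if (g) {
+sprintf(ptr, "%d %d 1\n", g, g);
+ptr += strlen(ptr);
+}
+}
+
+// add cdrom/optical groups
+if (!arg_nodvd) {
+g = get_group_id("cdrom");
+if (g) {
+sprintf(ptr, "%d %d 1\n", g, g);
+ptr += strlen(ptr);
+}
+g = get_group_id("optical");
+if (g) {
+sprintf(ptr, "%d %d 1\n", g, g);
+ptr += strlen(ptr);
+}
+}
+
+// add input group
+if (!arg_noinput) {
+g = get_group_id("input");
+if (g) {
+sprintf(ptr, "%d %d 1\n", g, g);
+ptr += strlen(ptr);
+}
+}
+
 if (!arg_nogroups) {
 // add firejail group
 g = get_group_id("firejail");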
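Review bot: The four new gid_map blocks at new lines 3158–3197 sit before the `if (!arg_nogroups)` guard on line 3199, so render, lp, cdrom/optical and input appear to be mapped into the sandbox's user namespace even when supplementary groups are disabled, while the firejail group just below is not; if that asymmetry is intended, say so with `// device groups are mapped independently of --nogroups`, otherwise move the blocks inside the guard. Each block also appends with an unchecked `sprintf` into `ptr`, extending the existing pattern; the buffer and its size are declared outside this hunk, so it is worth confirming it has room for the up to five extra lines this commit can add. The `get_group_id`/`sprintf`/`strlen` sequence now appears five times in a row and reads better as one small static helper that takes the group name and returns the advanced cursor, as sketched below. main() starts and ends outside this hunk.
```c
// Append one "<gid> <gid> 1" gid_map line for the named group, if it exists,
// and return the write cursor advanced past it. Relies on the caller having
// sized the buffer for every entry it can add; sprintf itself is unbounded.
static char *gidmap_add_group(char *ptr, const char *name) {
	gid_t g = get_group_id(name); /* g's declared type is outside the hunk — match it here */
	if (g) {
		sprintf(ptr, "%d %d 1\n", (int)g, (int)g);
		ptr += strlen(ptr);
	}
	return ptr;
}
/* … unchanged: earlier gid_map entries in main() … */
if (!arg_no3d)
	ptr = gidmap_add_group(ptr, "render");
if (!arg_noprinters)
	ptr = gidmap_add_group(ptr, "lp");
if (!arg_nodvd) {
	ptr = gidmap_add_group(ptr, "cdrom");
	ptr = gidmap_add_group(ptr, "optical");
}
if (!arg_noinput)
	ptr = gidmap_add_group(ptr, "input");
/* … unchanged: if (!arg_nogroups) firejail group entry … */
```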
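--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -450,6 +450,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 else if (strcmp(ptr, "noprinters") == 0) {
+arg_noprinters = 1;
 profile_add("blacklist /dev/lp*");
 profile_add("blacklist /run/cups/cups.sock");
 return 0;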
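--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -168,6 +168,28 @@ static void clean_supplementary_groups(gid_t gid) {
 new_groups, &new_ngroups, MAX_GROUPS);
 }
 
+if (!arg_no3d) {
+copy_group_ifcont("render", groups, ngroups,
+new_groups, &new_ngroups, MAX_GROUPS);
+}
+
+if (!arg_noprinters) {
+copy_group_ifcont("lp", groups, ngroups,
+new_groups, &new_ngroups, MAX_GROUPS);
+}
+
+if (!arg_nodvd) {
+copy_group_ifcont("cdrom", groups, ngroups,
+new_groups, &new_ngroups, MAX_GROUPS);
+copy_group_ifcont("optical", groups, ngroups,
+new_groups, &new_ngroups, MAX_GROUPS);
+}
+
+if (!arg_noinput) {
+copy_group_ifcont("input", groups, ngroups,
+new_groups, &new_ngroups, MAX_GROUPS);
+}
+
 if (new_ngroups) {
 rv = setgroups(new_ngroups, new_groups);
 if (rv)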
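Review bot: The group names retained at new lines 171–191 (render, lp, cdrom, optical, input) are a second copy of the list that main.c's gid_map code in this same commit maps into the sandbox, and nothing ties the two together, so a later change that adds or drops a group in one place will silently desynchronize the other; the flags `arg_nodvd` and `arg_noinput` are presumably pre-existing, since this commit declares only `arg_noprinters`. At minimum add `// keep in sync with the gid_map entries in main.c` above line 171 (and its counterpart in main.c); better, drive both sites from one static table of {disable flag, group name} pairs so the set of groups that survives setgroups() is by construction the set that is mapped. clean_supplementary_groups() starts and ends outside this hunk.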