-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs_dev.c | 23 | ||||
-rw-r--r-- | src/firejail/main.c | 4 | ||||
-rw-r--r-- | src/firejail/profile.c | 4 |
4 files changed, 23 insertions, 9 deletions
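--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -347,6 +347,7 @@ extern char *arg_netns; // "ip netns"-created network namespace to use
 extern int arg_doubledash; // double dash
 extern int arg_shell_none; // run the program directly without a shell
 extern int arg_private_dev; // private dev directory
+extern int arg_keep_dev_shm; // preserve /dev/shm
 extern int arg_private_etc; // private etc directory
 extern int arg_private_opt; // private opt directory
 extern int arg_private_srv; // private srv directory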
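--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -171,12 +171,23 @@ static void empty_dev_shm(void) {
 	fs_logger("create /dev/shm");
 }
 
+static void mount_dev_shm(void) {
+	mkdir_attr("/dev/shm", 01777, 0, 0);
+	int rv = mount(RUN_DEV_DIR "/shm", "/dev/shm", "none", MS_BIND, "mode=01777,gid=0");
+	if (rv == -1) {
+		fwarning("cannot mount the old /dev/shm in private-dev\n");
+		dbg_test_dir(RUN_DEV_DIR "/shm");
+		empty_dev_shm();
+		return;
+	}
+}
+
 static void process_dev_shm(void) {
 	// Jack audio keeps an Unix socket under (/dev/shm/jack_default_1000_0 or /dev/shm/jack/...)
 	// looking for jack socket
 	glob_t globbuf;
 	int globerr = glob(RUN_DEV_DIR "/shm/jack*", GLOB_NOSORT, NULL, &globbuf);
-	if (globerr) {
+	if (globerr && !arg_keep_dev_shm) {
 		empty_dev_shm();
 		return;
 	}
@@ -184,14 +195,8 @@ static void process_dev_shm(void) {
 
 	// if we got here, it means we have a jack server installed
 	// mount-bind the old /dev/shm
-	mkdir_attr("/dev/shm", 01777, 0, 0);
-	int rv = mount(RUN_DEV_DIR "/shm", "/dev/shm", "none", MS_BIND, "mode=01777,gid=0");
-	if (rv == -1) {
-		fwarning("cannot mount the old /dev/shm in private-dev\n");
-		dbg_test_dir(RUN_DEV_DIR "/shm");
-		empty_dev_shm();
-		return;
-	}
+	mount_dev_shm();
+
 }
 
 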
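Review bot: With `--keep-dev-shm` set, the new condition at line 190 lets process_dev_shm fall through to `mount_dev_shm()` even when no jack socket was found, so the comment at new line 196, `// if we got here, it means we have a jack server installed`, is now wrong and should read `// jack server detected, or --keep-dev-shm requested: bind-mount the host /dev/shm`. mount_dev_shm itself deserves a comment stating the trade-off, since it re-exposes the host's shared /dev/shm (a world-writable tmpfs shared with every other process on the system) inside a --private-dev sandbox, which is exactly what private-dev was hiding: `// NOTE: weakens --private-dev: the host /dev/shm stays shared with all other processes`. Minor: for an MS_BIND mount the data argument (`"mode=01777,gid=0"`) is ignored by mount(2), so passing it is misleading; mkdir_attr already sets the mode. The part of process_dev_shm between the two hunks (new line 194) is outside this view, so what happens to globbuf when glob() failed and the code now continues is not visible here and is worth checking.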
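--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -85,6 +85,7 @@ char *arg_netns = NULL; // "ip netns"-created network namespace to use
 int arg_doubledash = 0; // double dash
 int arg_shell_none = 0; // run the program directly without a shell
 int arg_private_dev = 0; // private dev directory
+int arg_keep_dev_shm = 0; // preserve /dev/shm
 int arg_private_etc = 0; // private etc directory
 int arg_private_opt = 0; // private opt directory
 int arg_private_srv = 0; // private srv directory
@@ -1602,6 +1603,9 @@ int main(int argc, char **argv) {
 		else if (strcmp(argv[i], "--private-dev") == 0) {
 			arg_private_dev = 1;
 		}
+		else if (strcmp(argv[i], "--keep-dev-shm") == 0) {
+			arg_keep_dev_shm = 1;
+		}
 		else if (strncmp(argv[i], "--private-etc=", 14) == 0) {
 			if (arg_writable_etc) {
 				fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");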
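Review bot: `--keep-dev-shm` is accepted at new line 1606 with no relation to `--private-dev`, and the only consumer added in this commit is the /dev rebuild in fs_dev.c, so on its own the flag presumably does nothing and silently succeeds (the call site of process_dev_shm is not in this diff, so this is inferred). Either warn when it is used without --private-dev, e.g. `if (arg_keep_dev_shm && !arg_private_dev) fwarning("--keep-dev-shm has no effect without --private-dev\n");` after option parsing, or document it explicitly as a modifier of --private-dev. The diffstat shows no usage or man-page change, so the option and the security trade-off it makes (the host /dev/shm stays shared with the sandbox) are undocumented; a usage entry such as `--keep-dev-shm  keep the host /dev/shm when using --private-dev` would cover it. The main() option loop starts and ends outside the hunk.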
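--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -221,6 +221,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		arg_private_dev = 1;
 		return 0;
 	}
+	else if (strcmp(ptr, "keep-dev-shm") == 0) {
+		arg_keep_dev_shm = 1;
+		return 0;
+	}
 	else if (strcmp(ptr, "private-tmp") == 0) {
 		arg_private_tmp = 1;
 		return 0;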