-rw-r--r-- | RELNOTES | 3 | ||||
-rw-r--r-- | etc/firejail.config | 4 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 17 | ||||
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/fs.c | 8 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 8 |
6 files changed, 35 insertions, 7 deletions
@@ -32,7 +32,8 @@ firejail (0.9.45) baseline; urgency=low | |||
32 | * feature: follow-symlink-private-bin option in /etc/firejail/firejail.config | 32 | * feature: follow-symlink-private-bin option in /etc/firejail/firejail.config |
33 | * feature: xvfb X11 server support (--x11=xvfb) | 33 | * feature: xvfb X11 server support (--x11=xvfb) |
34 | * feature: allow /tmp directory in mkdir and mkfile profile commands | 34 | * feature: allow /tmp directory in mkdir and mkfile profile commands |
35 | * feature: implemented --noblacklist command | 35 | * feature: implemented --noblacklist command, profile support |
36 | * feature: config support to disable access to /mnt and /media (disable-mnt) | ||
36 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, | 37 | * new profiles: xiphos, Tor Browser Bundle, display (imagemagik), Wire, |
37 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, | 38 | * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma, |
38 | * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, | 39 | * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator, |
diff --git a/etc/firejail.config b/etc/firejail.config index 858ac4ec1..af190cb3c 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
@@ -14,6 +14,10 @@ | |||
14 | # and it will harden the rest of the chroot tree. | 14 | # and it will harden the rest of the chroot tree. |
15 | # chroot-desktop yes | 15 | # chroot-desktop yes |
16 | 16 | ||
17 | # Disable /mnt, /media, /run/mount and /run/media access. By default access | ||
18 | # to these directories is enabled. | ||
19 | # disable-mnt no | ||
20 | |||
17 | # Enable or disable file transfer support, default enabled. | 21 | # Enable or disable file transfer support, default enabled. |
18 | # file-transfer yes | 22 | # file-transfer yes |
19 | 23 | ||
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 02bff2bfa..2aa7e7373 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -43,10 +43,11 @@ int checkcfg(int val) { | |||
43 | for (i = 0; i < CFG_MAX; i++) | 43 | for (i = 0; i < CFG_MAX; i++) |
44 | cfg_val[i] = 1; // most of them are enabled by default | 44 | cfg_val[i] = 1; // most of them are enabled by default |
45 | cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default | 45 | cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default |
46 | cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default | 46 | cfg_val[CFG_FORCE_NONEWPRIVS] = 0; |
47 | cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0; // disabled by default | 47 | cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0; |
48 | cfg_val[CFG_FIREJAIL_PROMPT] = 0; // disabled by default | 48 | cfg_val[CFG_FIREJAIL_PROMPT] = 0; |
49 | cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 0; // disabled by default | 49 | cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 0; |
50 | cfg_val[CFG_DISABLE_MNT] = 0; | ||
50 | 51 | ||
51 | // open configuration file | 52 | // open configuration file |
52 | const char *fname = SYSCONFDIR "/firejail.config"; | 53 | const char *fname = SYSCONFDIR "/firejail.config"; |
@@ -314,6 +315,14 @@ int checkcfg(int val) { | |||
314 | else | 315 | else |
315 | goto errout; | 316 | goto errout; |
316 | } | 317 | } |
318 | else if (strncmp(ptr, "disable-mnt ", 12) == 0) { | ||
319 | if (strcmp(ptr + 12, "yes") == 0) | ||
320 | cfg_val[CFG_DISABLE_MNT] = 1; | ||
321 | else if (strcmp(ptr + 12, "no") == 0) | ||
322 | cfg_val[CFG_DISABLE_MNT] = 0; | ||
323 | else | ||
324 | goto errout; | ||
325 | } | ||
317 | else | 326 | else |
318 | goto errout; | 327 | goto errout; |
319 | 328 | ||
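Review bot: The new default `cfg_val[CFG_DISABLE_MNT] = 0;` in the first hunk carries no comment, and the same hunk drops the `// disabled by default` notes from the four assignments above it, so the only remaining hint is the loop comment saying most options start enabled. For an option that controls filesystem exposure the default deserves to be spelled out, e.g. `cfg_val[CFG_DISABLE_MNT] = 0; // off by default: /mnt, /media, /run/mount and /run/media stay reachable`. In the second hunk the length in `strncmp(ptr, "disable-mnt ", 12)` matches the keyword as written, but it and `ptr + 12` have to be kept in step by hand if the keyword ever changes. checkcfg() starts and ends outside both hunks.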
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 74e5b2c6b..f4d24ffa5 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -419,6 +419,7 @@ void profile_read(const char *fname); | |||
419 | int profile_check_line(char *ptr, int lineno, const char *fname); | 419 | int profile_check_line(char *ptr, int lineno, const char *fname); |
420 | // add a profile entry in cfg.profile list; use str to populate the list | 420 | // add a profile entry in cfg.profile list; use str to populate the list |
421 | void profile_add(char *str); | 421 | void profile_add(char *str); |
422 | void fs_mnt(void); | ||
422 | 423 | ||
423 | // list.c | 424 | // list.c |
424 | void list(void); | 425 | void list(void); |
@@ -682,6 +683,7 @@ enum { | |||
682 | CFG_FIREJAIL_PROMPT, | 683 | CFG_FIREJAIL_PROMPT, |
683 | CFG_FOLLOW_SYMLINK_AS_USER, | 684 | CFG_FOLLOW_SYMLINK_AS_USER, |
684 | CFG_FOLLOW_SYMLINK_PRIVATE_BIN, | 685 | CFG_FOLLOW_SYMLINK_PRIVATE_BIN, |
686 | CFG_DISABLE_MNT, | ||
685 | CFG_MAX // this should always be the last entry | 687 | CFG_MAX // this should always be the last entry |
686 | }; | 688 | }; |
687 | extern char *xephyr_screen; | 689 | extern char *xephyr_screen; |
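Review bot: The prototype `void fs_mnt(void);` is added directly under the profile_* declarations and just before the `// list.c` marker, yet the function is defined in src/firejail/fs.c in this same commit. It would be easier to find next to the other fs.c prototypes, with a one-line description such as `// blacklist /mnt, /media, /run/mount and /run/media`. The fs.c group of the header is not visible in these hunks, so the exact position is to be confirmed.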
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 712e5fb0a..801bde57c 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -471,7 +471,13 @@ void fs_noexec(const char *dir) { | |||
471 | } | 471 | } |
472 | } | 472 | } |
473 | 473 | ||
474 | 474 | // Disable /mnt, /media, /run/mount and /run/media access | |
475 | void fs_mnt(void) { | ||
476 | disable_file(BLACKLIST_FILE, "/mnt"); | ||
477 | disable_file(BLACKLIST_FILE, "/media"); | ||
478 | disable_file(BLACKLIST_FILE, "/run/mount"); | ||
479 | disable_file(BLACKLIST_FILE, "//run/media"); | ||
480 | } | ||
475 | 481 | ||
476 | // mount /proc and /sys directories | 482 | // mount /proc and /sys directories |
477 | void fs_proc_sys_dev_boot(void) { | 483 | void fs_proc_sys_dev_boot(void) { |
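Review bot: The last call in fs_mnt() passes `"//run/media"` with a doubled leading slash, unlike the three paths above it. Linux resolves that to the same directory, but disable_file() is not shown here, so any string comparison, symlink handling or log output it performs on the name may treat this one entry differently; `disable_file(BLACKLIST_FILE, "/run/media");` removes the doubt. The comment above the function could also state that it is only called when disable-mnt is set to yes in firejail.config.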
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 84ee5ee11..83afff516 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -759,12 +759,18 @@ int sandbox(void* sandbox_arg) { | |||
759 | netns_mounts(arg_netns); | 759 | netns_mounts(arg_netns); |
760 | 760 | ||
761 | //**************************** | 761 | //**************************** |
762 | // update /proc, /sys, /dev, /boot directorymy | 762 | // update /proc, /sys, /dev, /boot directory |
763 | //**************************** | 763 | //**************************** |
764 | if (checkcfg(CFG_REMOUNT_PROC_SYS)) | 764 | if (checkcfg(CFG_REMOUNT_PROC_SYS)) |
765 | fs_proc_sys_dev_boot(); | 765 | fs_proc_sys_dev_boot(); |
766 | 766 | ||
767 | //**************************** | 767 | //**************************** |
768 | // handle /mnt and /media | ||
769 | //**************************** | ||
770 | if (checkcfg(CFG_DISABLE_MNT)) | ||
771 | fs_mnt(); | ||
772 | |||
773 | //**************************** | ||
768 | // apply the profile file | 774 | // apply the profile file |
769 | //**************************** | 775 | //**************************** |
770 | // apply all whitelist commands ... | 776 | // apply all whitelist commands ... |
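Review bot: The fs_mnt() call is placed ahead of the profile step, and nothing in the hunk states whether the profile commands that follow (the context line mentions whitelist commands) can re-expose a path under /mnt or /media after it has been blacklisted. Since disable-mnt is a system-wide setting in firejail.config, an administrator will expect it to hold whatever the profile or command line says; that is worth confirming against the whitelist and bind handling, which lies outside this hunk. A comment on the block would record the intent, e.g. `// system-wide blacklist from firejail.config; must not be undone by the profile below`. sandbox() begins and ends outside the hunk.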