-rw-r--r-- | etc/profile-m-z/noprofile.profile | 2 | ||||
-rw-r--r-- | src/firejail/fs.c | 14 |
2 files changed, 14 insertions, 2 deletions
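--- a/etc/profile-m-z/noprofile.profile
+++ b/etc/profile-m-z/noprofile.profile
@@ -15,6 +15,8 @@
 
 noblacklist /sys/fs
 noblacklist /sys/module
+nowhitelist /sys/module/nvidia*
+ignore read-only /sys/module/nvidia*
 
 allow-debuggers
 allusers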
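--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -743,10 +743,20 @@ void fs_proc_sys_dev_boot(void) {
 
 	disable_file(BLACKLIST_FILE, "/sys/firmware");
 	disable_file(BLACKLIST_FILE, "/sys/hypervisor");
-	{ // allow user access to some directories in /sys/ by specifying 'noblacklist' option
-		profile_add("blacklist /sys/fs");
+
+	// Soft-block some paths in /sys/ (can be undone in profiles).
+	profile_add("blacklist /sys/fs");
+
+	// Hardware acceleration with the nvidia proprietary driver may fail
+	// without access to these paths (see #6372).
+	if (access("/dev/nvidiactl", R_OK) == 0 && arg_no3d == 0) {
+		profile_add("whitelist /sys/module/nvidia*");
+		profile_add("read-only /sys/module/nvidia*");
+	}
+	else {
 		profile_add("blacklist /sys/module");
 	}
+
 	disable_file(BLACKLIST_FILE, "/sys/power");
 	disable_file(BLACKLIST_FILE, "/sys/kernel/debug");
 	disable_file(BLACKLIST_FILE, "/sys/kernel/vmcoreinfo");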
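Review bot: The new `profile_add("whitelist /sys/module/nvidia*")` branch changes what `noblacklist /sys/module` means for any profile on a host with the nvidia driver, and the comment does not say so: if whitelisting an entry under /sys/module turns the parent into a whitelist mount, as the companion `nowhitelist /sys/module/nvidia*` added to noprofile.profile suggests, then profiles that rely on `noblacklist /sys/module` to expose the whole directory will now see only the nvidia entries unless they also add that `nowhitelist`. I would state the interaction next to the `if`: `// NOTE: a whitelist under /sys/module also restricts the rest of /sys/module; profiles that need all of it must add "nowhitelist /sys/module/nvidia*" (see noprofile.profile).` It is also worth recording in the comment that `access()` is evaluated with the real uid and before any profile `no3d` can be taken into account only if `arg_no3d` is already final here — I cannot tell from this hunk, so please confirm the ordering. fs_proc_sys_dev_boot starts before and continues after this hunk.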