-rw-r--r-- | etc/google-play-music-desktop-player.profile | 16 | ||||
-rw-r--r-- | src/firejail/fs.c | 15 |
2 files changed, 26 insertions, 5 deletions
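--- /dev/null
+++ b/etc/google-play-music-desktop-player.profile
@@ -0,0 +1,16 @@
+# Google Play Music desktop player profile
+noblacklist ~/.config/Google Play Music Desktop Player
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+seccomp
+protocol unix,inet,inet6,netlink
+noroot
+
+#whitelist ~/.pulse
+#whitelist ~/.config/pulse
+whitelist ~/.config/Google Play Music Desktop Player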
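Review bot: The commented-out `#whitelist ~/.pulse` and `#whitelist ~/.config/pulse` lines (14–15) carry no explanation, so a later maintainer cannot tell whether audio was verified to work without them or whether they were disabled because they broke something; either drop them or add a one-line comment stating why they are disabled. Once `whitelist ~/.config/Google Play Music Desktop Player` (16) is active the rest of the home directory is no longer visible to the program, so the question of which other home paths it needs is exactly what that comment should answer. The header comment on line 1 would also be more useful if it named the executable the profile is keyed to, since firejail selects a profile by program name. Hardening directives that usually accompany `caps.drop all` / `seccomp` / `noroot`, such as `nonewprivs` and `private-tmp`, are absent here and are worth adding or explicitly declining in a comment.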
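--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -726,7 +726,16 @@ static void disable_firejail_config(void) {
 // build a basic read-only filesystem
 void fs_basic_fs(void) {
 	if (arg_debug)
-		printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var\n");
+		printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr");
+	if (!arg_writable_etc) {
+		fs_rdonly("/etc");
+		if (arg_debug) printf(", /etc");
+	}
+	if (!arg_writable_var) {
+		fs_rdonly("/var");
+		if (arg_debug) printf(", /var");
+	}
+	if (arg_debug) printf("\n");
 	fs_rdonly("/bin");
 	fs_rdonly("/sbin");
 	fs_rdonly("/lib");
@@ -734,10 +743,6 @@ void fs_basic_fs(void) {
 	fs_rdonly("/lib32");
 	fs_rdonly("/libx32");
 	fs_rdonly("/usr");
-	if (!arg_writable_etc)
-		fs_rdonly("/etc");
-	if (!arg_writable_var)
-		fs_rdonly("/var");
 
 	// update /var directory in order to support multiple sandboxes running on the same root directory
 	if (!arg_private_dev)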
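Review bot: The debug status line is now emitted in pieces (new lines 729, 732, 735, 738) with the fs_rdonly() calls interleaved between them, so if fs_rdonly() aborts on a failed mount of /etc or /var the line is left unterminated on stdout and, with stdout fully buffered, the error text on stderr can appear before it. Mounting first and printing once avoids that, e.g. `if (arg_debug) printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /libx32, /usr%s%s\n", arg_writable_etc ? "" : ", /etc", arg_writable_var ? "" : ", /var");` placed after the two conditional blocks — which would also list /libx32, mounted on line 744 but still missing from the rewritten message. As a point of style, the one-line `if (arg_debug) printf(...)` form on 732, 735 and 738 differs from the two-line `if (arg_debug)` / `printf(...)` layout used on 728–729 of the same function. fs_basic_fs() continues past the end of the second hunk.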