diff options
| -rw-r--r-- | README.md | 10 | ||||
| -rw-r--r-- | RELNOTES | 1 | ||||
| -rw-r--r-- | src/firejail/firejail.h | 1 | ||||
| -rw-r--r-- | src/firejail/main.c | 5 | ||||
| -rw-r--r-- | src/firejail/profile.c | 5 | ||||
| -rw-r--r-- | src/firejail/sandbox.c | 2 | ||||
| -rw-r--r-- | src/man/firejail-profile.txt | 3 | ||||
| -rw-r--r-- | src/man/firejail.txt | 10 |
8 files changed, 35 insertions, 2 deletions
| @@ -95,6 +95,16 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir | |||
| 95 | ````` | 95 | ````` |
| 96 | # Current development version: 0.9.49 | 96 | # Current development version: 0.9.49 |
| 97 | 97 | ||
| 98 | ## New command options: | ||
| 99 | ````` | ||
| 100 | --disable-mnt | ||
| 101 | Disable /mnt, /media, /run/mount and /run/media access. | ||
| 102 | |||
| 103 | Example: | ||
| 104 | $ firejail --disable-mnt firefox | ||
| 105 | ````` | ||
| 106 | |||
| 107 | |||
| 98 | ## New profiles: | 108 | ## New profiles: |
| 99 | 109 | ||
| 100 | curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, Geary, Liferea | 110 | curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, Geary, Liferea |
| @@ -1,5 +1,6 @@ | |||
| 1 | firejail (0.9.49) baseline; urgency=low | 1 | firejail (0.9.49) baseline; urgency=low |
| 2 | * work in progress! | 2 | * work in progress! |
| 3 | * feature: per-profile disable-mnt | ||
| 3 | * new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, | 4 | * new profiles: curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, |
| 4 | * new profiles: Geary, Liferea | 5 | * new profiles: Geary, Liferea |
| 5 | * bugfixes | 6 | * bugfixes |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 8bf2a75c3..8aa80f274 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -350,6 +350,7 @@ extern int arg_x11_block; // block X11 | |||
| 350 | extern int arg_x11_xorg; // use X11 security extention | 350 | extern int arg_x11_xorg; // use X11 security extention |
| 351 | extern int arg_allusers; // all user home directories visible | 351 | extern int arg_allusers; // all user home directories visible |
| 352 | extern int arg_machineid; // preserve /etc/machine-id | 352 | extern int arg_machineid; // preserve /etc/machine-id |
| 353 | extern int arg_disable_mnt; // disable /mnt and /media | ||
| 353 | 354 | ||
| 354 | extern int login_shell; | 355 | extern int login_shell; |
| 355 | extern int parent_to_child_fds[2]; | 356 | extern int parent_to_child_fds[2]; |
diff --git a/src/firejail/main.c b/src/firejail/main.c index cff61f64a..1f714df58 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -107,7 +107,8 @@ int arg_x11_xorg = 0; // use X11 security extention | |||
| 107 | int arg_allusers = 0; // all user home directories visible | 107 | int arg_allusers = 0; // all user home directories visible |
| 108 | int arg_machineid = 0; // preserve /etc/machine-id | 108 | int arg_machineid = 0; // preserve /etc/machine-id |
| 109 | int arg_allow_private_blacklist = 0; // blacklist things in private directories | 109 | int arg_allow_private_blacklist = 0; // blacklist things in private directories |
| 110 | int arg_writable_var_log; // writable /var/log | 110 | int arg_writable_var_log = 0; // writable /var/log |
| 111 | int arg_disable_mnt = 0; // disable /mnt and /media | ||
| 111 | 112 | ||
| 112 | int login_shell = 0; | 113 | int login_shell = 0; |
| 113 | 114 | ||
| @@ -1291,6 +1292,8 @@ int main(int argc, char **argv) { | |||
| 1291 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1292 | profile_check_line(line, 0, NULL); // will exit if something wrong |
| 1292 | profile_add(line); | 1293 | profile_add(line); |
| 1293 | } | 1294 | } |
| 1295 | else if (strcmp(argv[i], "--disable-mnt") == 0) | ||
| 1296 | arg_disable_mnt = 1; | ||
| 1294 | #ifdef HAVE_OVERLAYFS | 1297 | #ifdef HAVE_OVERLAYFS |
| 1295 | else if (strcmp(argv[i], "--overlay") == 0) { | 1298 | else if (strcmp(argv[i], "--overlay") == 0) { |
| 1296 | if (checkcfg(CFG_OVERLAYFS)) { | 1299 | if (checkcfg(CFG_OVERLAYFS)) { |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index cabea05f3..af943581e 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
| @@ -1001,6 +1001,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
| 1001 | return 0; | 1001 | return 0; |
| 1002 | } | 1002 | } |
| 1003 | 1003 | ||
| 1004 | if (strcmp(ptr, "disable-mnt") == 0) { | ||
| 1005 | arg_disable_mnt = 1; | ||
| 1006 | return 0; | ||
| 1007 | } | ||
| 1008 | |||
| 1004 | // rest of filesystem | 1009 | // rest of filesystem |
| 1005 | if (strncmp(ptr, "blacklist ", 10) == 0) | 1010 | if (strncmp(ptr, "blacklist ", 10) == 0) |
| 1006 | ptr += 10; | 1011 | ptr += 10; |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 4ee05d070..ea39ed580 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -790,7 +790,7 @@ int sandbox(void* sandbox_arg) { | |||
| 790 | //**************************** | 790 | //**************************** |
| 791 | // handle /mnt and /media | 791 | // handle /mnt and /media |
| 792 | //**************************** | 792 | //**************************** |
| 793 | if (checkcfg(CFG_DISABLE_MNT)) | 793 | if (arg_disable_mnt || checkcfg(CFG_DISABLE_MNT)) |
| 794 | fs_mnt(); | 794 | fs_mnt(); |
| 795 | 795 | ||
| 796 | //**************************** | 796 | //**************************** |
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 9b3aef95f..9f4f4a927 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
| @@ -161,6 +161,9 @@ Mount-bind directory1 on top of directory2. This option is only available when r | |||
| 161 | \fBbind file1,file2 | 161 | \fBbind file1,file2 |
| 162 | Mount-bind file1 on top of file2. This option is only available when running as root. | 162 | Mount-bind file1 on top of file2. This option is only available when running as root. |
| 163 | .TP | 163 | .TP |
| 164 | \fBdisable-mnt | ||
| 165 | Disable /mnt, /media, /run/mount and /run/media access. | ||
| 166 | .TP | ||
| 164 | \fBmkdir directory | 167 | \fBmkdir directory |
| 165 | Create a directory in user home or under /tmp before the sandbox is started. | 168 | Create a directory in user home or under /tmp before the sandbox is started. |
| 166 | The directory is created if it doesn't already exist. | 169 | The directory is created if it doesn't already exist. |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 25992fb3e..6e49fc25f 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
| @@ -378,6 +378,16 @@ Example: | |||
| 378 | $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox | 378 | $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox |
| 379 | 379 | ||
| 380 | .TP | 380 | .TP |
| 381 | \fB\-\-disable-mnt | ||
| 382 | Disable /mnt, /media, /run/mount and /run/media access. | ||
| 383 | .br | ||
| 384 | |||
| 385 | .br | ||
| 386 | Example: | ||
| 387 | .br | ||
| 388 | $ firejail \-\-disable-mnt firefox | ||
| 389 | |||
| 390 | .TP | ||
| 381 | \fB\-\-dns=address | 391 | \fB\-\-dns=address |
| 382 | Set a DNS server for the sandbox. Up to three DNS servers can be defined. | 392 | Set a DNS server for the sandbox. Up to three DNS servers can be defined. |
| 383 | Use this option if you don't trust the DNS setup on your network. | 393 | Use this option if you don't trust the DNS setup on your network. |