-rw-r--r-- | src/firejail/firejail.h | 4 | ||||
-rw-r--r-- | src/firejail/fs_dev.c | 14 | ||||
-rw-r--r-- | src/firejail/main.c | 3 | ||||
-rw-r--r-- | src/firejail/profile.c | 4 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 3 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 3 | ||||
-rw-r--r-- | src/man/firejail.txt | 9 |
7 files changed, 38 insertions, 2 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index ca4c988fa..e07035ae6 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -339,7 +339,8 @@ extern int arg_noprofile; // use default.profile if none other found/specified | |||
339 | extern int arg_memory_deny_write_execute; // block writable and executable memory | 339 | extern int arg_memory_deny_write_execute; // block writable and executable memory |
340 | extern int arg_notv; // --notv | 340 | extern int arg_notv; // --notv |
341 | extern int arg_nodvd; // --nodvd | 341 | extern int arg_nodvd; // --nodvd |
342 | extern int arg_nou2f; // --nou2f | 342 | extern int arg_nou2f; // --nou2f |
343 | extern int arg_noinput; // --noinput | ||
343 | extern int arg_deterministic_exit_code; // always exit with first child's exit status | 344 | extern int arg_deterministic_exit_code; // always exit with first child's exit status |
344 | 345 | ||
345 | typedef enum { | 346 | typedef enum { |
@@ -569,6 +570,7 @@ void fs_dev_disable_video(void); | |||
569 | void fs_dev_disable_tv(void); | 570 | void fs_dev_disable_tv(void); |
570 | void fs_dev_disable_dvd(void); | 571 | void fs_dev_disable_dvd(void); |
571 | void fs_dev_disable_u2f(void); | 572 | void fs_dev_disable_u2f(void); |
573 | void fs_dev_disable_input(void); | ||
572 | 574 | ||
573 | // fs_home.c | 575 | // fs_home.c |
574 | // private mode (--private) | 576 | // private mode (--private) |
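diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index b2fa60f63..2f0067c93 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -41,6 +41,7 @@ typedef enum {
 DEV_TV,
 DEV_DVD,
 DEV_U2F,
+DEV_INPUT
 } DEV_TYPE;
 
 
@@ -89,6 +90,7 @@ static DevEntry dev[] = {
 {"/dev/hidraw8", RUN_DEV_DIR "/hidraw8", DEV_U2F},
 {"/dev/hidraw9", RUN_DEV_DIR "/hidraw9", DEV_U2F},
 {"/dev/usb", RUN_DEV_DIR "/usb", DEV_U2F}, // USB devices such as Yubikey, U2F
+{"/dev/input", RUN_DEV_DIR "/input", DEV_INPUT},
 {NULL, NULL, DEV_NONE}
 };
 
@@ -103,7 +105,8 @@ static void deventry_mount(void) {
 (dev[i].type == DEV_VIDEO && arg_novideo == 0) ||
 (dev[i].type == DEV_TV && arg_notv == 0) ||
 (dev[i].type == DEV_DVD && arg_nodvd == 0) ||
-(dev[i].type == DEV_U2F && arg_nou2f == 0)) {
+(dev[i].type == DEV_U2F && arg_nou2f == 0) ||
+(dev[i].type == DEV_INPUT && arg_noinput == 0)) {
 
 int dir = is_dir(dev[i].run_fname);
 if (arg_debug)
@@ -386,3 +389,12 @@ void fs_dev_disable_u2f(void) {
 i++;
 }
 }
+
+void fs_dev_disable_input(void) {
+int i = 0;
+while (dev[i].dev_fname != NULL) {
+if (dev[i].type == DEV_INPUT)
+disable_file_or_dir(dev[i].dev_fname);
+i++;
+}
+}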
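Review bot: fs_dev_disable_input() at the end of the last hunk is a line-for-line copy of fs_dev_disable_u2f() directly above it, differing only in the DEV_TYPE it matches, so the device-table walk now exists once per device class. A single static helper taking the DEV_TYPE would let this and the existing disable functions share one loop; a sketch follows. What disabling /dev/input actually does is decided by disable_file_or_dir(), whose definition is outside the hunk, and as wired here --noinput covers only the /dev/input tree registered in the dev[] table; input-capable nodes that sit directly under /dev (e.g. /dev/uinput, where present) are not affected, which the man page wording "Disable input devices" could state so users do not assume broader coverage.
```c
/* Walk the dev[] table and disable every entry of the given class. */
static void fs_dev_disable_type(DEV_TYPE type) {
	int i = 0;
	while (dev[i].dev_fname != NULL) {
		if (dev[i].type == type)
			disable_file_or_dir(dev[i].dev_fname);
		i++;
	}
}

void fs_dev_disable_input(void) {
	fs_dev_disable_type(DEV_INPUT);
}
/* … unchanged: the other fs_dev_disable_* functions could delegate the same way … */
```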
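diff --git a/src/firejail/main.c b/src/firejail/main.c
index b3524fcf5..d6de6d997 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -143,6 +143,7 @@ int arg_memory_deny_write_execute = 0; // block writable and executable memory
 int arg_notv = 0; // --notv
 int arg_nodvd = 0; // --nodvd
 int arg_nou2f = 0; // --nou2f
+int arg_noinput = 0; // --noinput
 int arg_deterministic_exit_code = 0; // always exit with first child's exit status
 DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW; // --dbus-user
 DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system
@@ -2086,6 +2087,8 @@ int main(int argc, char **argv, char **envp) {
 arg_nodvd = 1;
 else if (strcmp(argv[i], "--nou2f") == 0)
 arg_nou2f = 1;
+else if (strcmp(argv[i], "--noinput") == 0)
+arg_noinput = 1;
 else if (strcmp(argv[i], "--nodbus") == 0) {
 arg_dbus_user = DBUS_POLICY_BLOCK;
 arg_dbus_system = DBUS_POLICY_BLOCK;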
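Review bot: The new `--noinput` branch in the second hunk is parsed the same way as its `--nou2f` sibling, but none of the seven files in the diffstat at the top looks like the one that produces the built-in usage/help listing, so the option would be accepted on the command line yet missing from `firejail --help` unless that text lives in one of the listed files; worth adding it next to `--nou2f` there and in any shell-completion data the project ships, if any. The option is a bare flag with no `--noinput=` form, which is consistent with the neighbouring device options. main() starts and ends outside the hunk.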
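diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 351b760df..2ea32b665 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -442,6 +442,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 arg_no3d = 1;
 return 0;
 }
+else if (strcmp(ptr, "noinput") == 0) {
+arg_noinput = 1;
+return 0;
+}
 else if (strcmp(ptr, "nodbus") == 0) {
 #ifdef HAVE_DBUSPROXY
 arg_dbus_user = DBUS_POLICY_BLOCK;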
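diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 743d84b43..3af828ede 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1033,6 +1033,9 @@ int sandbox(void* sandbox_arg) {
 if (arg_novideo)
 fs_dev_disable_video();
 
+if (arg_noinput)
+fs_dev_disable_input();
+
 //****************************
 // set dns
 //****************************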
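diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index ee685da73..ddb736e81 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -668,6 +668,9 @@ Disable U2F devices.
 \fBnovideo
 Disable video capture devices.
 .TP
+\fBnoinput
+Disable input devices.
+.TP
 \fBshell none
 Run the program directly, without a shell.
 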
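diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index f27379a2d..c0640c404 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1515,6 +1515,15 @@ Example:
 .br
 $ firejail \-\-nodvd
 .TP
+\fB\-\-noinput
+Disable input devices.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-noinput
+.TP
 \fB\-\-noexec=dirname_or_filename
 Remount directory or file noexec, nodev and nosuid. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br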