7 files changed, 38 insertions, 2 deletions

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index ca4c988fa..e07035ae6 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -339,7 +339,8 @@ extern int arg_noprofile;	// use default.profile if none other found/specified
 extern int arg_memory_deny_write_execute;       // block writable and executable memory
 extern int arg_notv;    // --notv
 extern int arg_nodvd;   // --nodvd
-extern int arg_nou2f;   // --nou2f
+extern int arg_nou2f;   // --nou2f
+extern int arg_noinput; // --noinput
 extern int arg_deterministic_exit_code; // always exit with first child's exit status
 
 typedef enum {
@@ -569,6 +570,7 @@ void fs_dev_disable_video(void);
 void fs_dev_disable_tv(void);
 void fs_dev_disable_dvd(void);
 void fs_dev_disable_u2f(void);
+void fs_dev_disable_input(void);
 
 // fs_home.c
 // private mode (--private)
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index b2fa60f63..2f0067c93 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -41,6 +41,7 @@ typedef enum {
         DEV_TV,
         DEV_DVD,
         DEV_U2F,
+        DEV_INPUT
 } DEV_TYPE;
 
 
@@ -89,6 +90,7 @@ static DevEntry dev[] = {
         {"/dev/hidraw8", RUN_DEV_DIR "/hidraw8", DEV_U2F},
         {"/dev/hidraw9", RUN_DEV_DIR "/hidraw9", DEV_U2F},
         {"/dev/usb", RUN_DEV_DIR "/usb", DEV_U2F},      // USB devices such as Yubikey, U2F
+        {"/dev/input", RUN_DEV_DIR "/input", DEV_INPUT},
         {NULL, NULL, DEV_NONE}
 };
 
@@ -103,7 +105,8 @@ static void deventry_mount(void) {
                             (dev[i].type == DEV_VIDEO && arg_novideo == 0) ||
                             (dev[i].type == DEV_TV && arg_notv == 0) ||
                             (dev[i].type == DEV_DVD && arg_nodvd == 0) ||
-                            (dev[i].type == DEV_U2F && arg_nou2f == 0)) {
+                            (dev[i].type == DEV_U2F && arg_nou2f == 0) ||
+                            (dev[i].type == DEV_INPUT && arg_noinput == 0)) {
 
                                 int dir = is_dir(dev[i].run_fname);
                                 if (arg_debug)
@@ -386,3 +389,12 @@ void fs_dev_disable_u2f(void) {
                 i++;
         }
 }
+
+void fs_dev_disable_input(void) {
+        int i = 0;
+        while (dev[i].dev_fname != NULL) {
+                if (dev[i].type == DEV_INPUT)
+                        disable_file_or_dir(dev[i].dev_fname);
+                i++;
+        }
+}
diff --git a/src/firejail/main.c b/src/firejail/main.c
index b3524fcf5..d6de6d997 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -143,6 +143,7 @@ int arg_memory_deny_write_execute = 0;		// block writable and executable memory
 int arg_notv = 0;       // --notv
 int arg_nodvd = 0; // --nodvd
 int arg_nou2f = 0; // --nou2f
+int arg_noinput = 0; // --noinput
 int arg_deterministic_exit_code = 0;    // always exit with first child's exit status
 DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW;   // --dbus-user
 DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system
@@ -2086,6 +2087,8 @@ int main(int argc, char **argv, char **envp) {
                         arg_nodvd = 1;
                 else if (strcmp(argv[i], "--nou2f") == 0)
                         arg_nou2f = 1;
+                else if (strcmp(argv[i], "--noinput") == 0)
+                        arg_noinput = 1;
                 else if (strcmp(argv[i], "--nodbus") == 0) {
                         arg_dbus_user = DBUS_POLICY_BLOCK;
                         arg_dbus_system = DBUS_POLICY_BLOCK;
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 351b760df..2ea32b665 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -442,6 +442,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 arg_no3d = 1;
                 return 0;
         }
+        else if (strcmp(ptr, "noinput") == 0) {
+                arg_noinput = 1;
+                return 0;
+        }
         else if (strcmp(ptr, "nodbus") == 0) {
 #ifdef HAVE_DBUSPROXY
                 arg_dbus_user = DBUS_POLICY_BLOCK;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 743d84b43..3af828ede 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1033,6 +1033,9 @@ int sandbox(void* sandbox_arg) {
         if (arg_novideo)
                 fs_dev_disable_video();
 
+        if (arg_noinput)
+                fs_dev_disable_input();
+
         //****************************
         // set dns
         //****************************
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 2bb57cee2..9d11add06 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -674,6 +674,9 @@ Disable U2F devices.
 \fBnovideo
 Disable video capture devices.
 .TP
+\fBnoinput
+Disable input devices.
+.TP
 \fBshell none
 Run the program directly, without a shell.
 
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 1ee7ab1f1..23ec23fb1 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1515,6 +1515,15 @@ Example:
 .br
 $ firejail \-\-nodvd
 .TP
+\fB\-\-noinput
+Disable input devices.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-noinput
+.TP
 \fB\-\-noexec=dirname_or_filename
 Remount directory or file noexec, nodev and nosuid. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br