1 files changed, 31 insertions, 0 deletions
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 0adca5e33..c644f83a8 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -21,6 +21,7 @@
 #include "firejail.h"
 #include <ftw.h>
 #include <sys/stat.h>
+#include <sys/mount.h>
 #include <fcntl.h>
 #include <syslog.h>
 #include <errno.h>
@@ -964,3 +965,33 @@ unsigned extract_timeout(const char *str) {
        return h * 3600 + m * 60 + s;
 }
+void disable_file_or_dir(const char *fname) {
+        if (arg_debug)
+                printf("blacklist %s\n", fname);
+        struct stat s;
+        if (stat(fname, &s) != -1) {
+                if (is_dir(fname)) {
+                        if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+                                errExit("disable directory");
+                }
+                else {
+                        if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+                                errExit("disable file");
+                }
+        }
+        fs_logger2("blacklist", fname);
+}
+void disable_file_path(const char *path, const char *file) {
+        assert(file);
+        assert(path);
+        char *fname;
+        if (asprintf(&fname, "%s/%s", path, file) == -1)
+                errExit("asprintf");
+        disable_file_or_dir(fname);
+        free(fname);
+}

diff --git a/src/firejail/util.c b/src/firejail/util.c index 0adca5e33..c644f83a8 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c
@@ -21,6 +21,7 @@
21	#include "firejail.h"	21	#include "firejail.h"
22	#include <ftw.h>	22	#include <ftw.h>
23	#include <sys/stat.h>	23	#include <sys/stat.h>
		24	#include <sys/mount.h>
24	#include <fcntl.h>	25	#include <fcntl.h>
25	#include <syslog.h>	26	#include <syslog.h>
26	#include <errno.h>	27	#include <errno.h>
@@ -964,3 +965,33 @@ unsigned extract_timeout(const char *str) {
964		965
965	return h * 3600 + m * 60 + s;	966	return h * 3600 + m * 60 + s;
966	}	967	}
		968
		969	void disable_file_or_dir(const char *fname) {
		970	if (arg_debug)
		971	printf("blacklist %s\n", fname);
		972	struct stat s;
		973	if (stat(fname, &s) != -1) {
		974	if (is_dir(fname)) {
		975	if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
		976	errExit("disable directory");
		977	}
		978	else {
		979	if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
		980	errExit("disable file");
		981	}
		982	}
		983	fs_logger2("blacklist", fname);
		984	}
		985
		986	void disable_file_path(const char path, const char file) {
		987	assert(file);
		988	assert(path);
		989
		990	char *fname;
		991	if (asprintf(&fname, "%s/%s", path, file) == -1)
		992	errExit("asprintf");
		993
		994	disable_file_or_dir(fname);
		995	free(fname);
		996	}
		997