diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 7 | ||||
-rw-r--r-- | src/firejail/pulseaudio.c | 60 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 7 |
4 files changed, 72 insertions, 4 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index cbc4086fb..ed3e2679f 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -174,6 +174,7 @@ extern int arg_private_etc; // private etc directory | |||
174 | extern int arg_private_bin; // private bin directory | 174 | extern int arg_private_bin; // private bin directory |
175 | extern int arg_scan; // arp-scan all interfaces | 175 | extern int arg_scan; // arp-scan all interfaces |
176 | extern int arg_whitelist; // whitelist commad | 176 | extern int arg_whitelist; // whitelist commad |
177 | extern int arg_nosound; // disable sound | ||
177 | 178 | ||
178 | extern int parent_to_child_fds[2]; | 179 | extern int parent_to_child_fds[2]; |
179 | extern int child_to_parent_fds[2]; | 180 | extern int child_to_parent_fds[2]; |
@@ -406,6 +407,7 @@ void errno_print(void); | |||
406 | 407 | ||
407 | // pulseaudio.c | 408 | // pulseaudio.c |
408 | void pulseaudio_init(void); | 409 | void pulseaudio_init(void); |
410 | void pulseaudio_disable(void); | ||
409 | 411 | ||
410 | // fs_bin.c | 412 | // fs_bin.c |
411 | void fs_check_bin_list(void); | 413 | void fs_check_bin_list(void); |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 616b26894..14ba21db5 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -85,6 +85,7 @@ int arg_private_etc = 0; // private etc directory | |||
85 | int arg_private_bin = 0; // private bin directory | 85 | int arg_private_bin = 0; // private bin directory |
86 | int arg_scan = 0; // arp-scan all interfaces | 86 | int arg_scan = 0; // arp-scan all interfaces |
87 | int arg_whitelist = 0; // whitelist commad | 87 | int arg_whitelist = 0; // whitelist commad |
88 | int arg_nosound = 0; // disable sound | ||
88 | 89 | ||
89 | int parent_to_child_fds[2]; | 90 | int parent_to_child_fds[2]; |
90 | int child_to_parent_fds[2]; | 91 | int child_to_parent_fds[2]; |
@@ -791,7 +792,11 @@ int main(int argc, char **argv) { | |||
791 | } | 792 | } |
792 | else if (strncmp(argv[i], "--env=", 6) == 0) | 793 | else if (strncmp(argv[i], "--env=", 6) == 0) |
793 | env_store(argv[i] + 6); | 794 | env_store(argv[i] + 6); |
794 | 795 | else if (strncmp(argv[i], "--nosound", 9) == 0) { | |
796 | arg_nosound = 1; | ||
797 | arg_private_dev = 1; | ||
798 | } | ||
799 | |||
795 | //************************************* | 800 | //************************************* |
796 | // network | 801 | // network |
797 | //************************************* | 802 | //************************************* |
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index bea0cc940..7ab77998e 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c | |||
@@ -21,8 +21,66 @@ | |||
21 | #include <sys/types.h> | 21 | #include <sys/types.h> |
22 | #include <sys/stat.h> | 22 | #include <sys/stat.h> |
23 | #include <sys/mount.h> | 23 | #include <sys/mount.h> |
24 | #include <dirent.h> | ||
24 | 25 | ||
25 | // disable shm in pulse audio | 26 | static void disable_file(const char *file) { |
27 | assert(file); | ||
28 | |||
29 | struct stat s; | ||
30 | char *fname; | ||
31 | if (asprintf(&fname, "/tmp/%s", file) == -1) | ||
32 | errExit("asprintf"); | ||
33 | if (stat(fname, &s) == -1) | ||
34 | return; | ||
35 | if (S_ISDIR(s.st_mode)) { | ||
36 | if (mount(RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0) | ||
37 | errExit("disable file"); | ||
38 | } | ||
39 | else { | ||
40 | if (mount(RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0) | ||
41 | errExit("disable file"); | ||
42 | } | ||
43 | } | ||
44 | |||
45 | // disable pulseaudio socket | ||
46 | void pulseaudio_disable(void) { | ||
47 | //************************************** | ||
48 | // blacklist any pulse* directory in /tmp directory | ||
49 | //************************************** | ||
50 | DIR *dir; | ||
51 | if (!(dir = opendir("/tmp"))) { | ||
52 | // sleep 2 seconds and try again | ||
53 | sleep(2); | ||
54 | if (!(dir = opendir("/tmp"))) { | ||
55 | fprintf(stderr, "Warning: cannot open /tmp directory. PulseAudio sockets not disabled\n"); | ||
56 | return; | ||
57 | } | ||
58 | } | ||
59 | |||
60 | struct dirent *entry; | ||
61 | while ((entry = readdir(dir))) { | ||
62 | if (strncmp(entry->d_name, "pulse-", 6) == 0) { | ||
63 | if (arg_debug) | ||
64 | printf("Disable %s\n", entry->d_name); | ||
65 | disable_file(entry->d_name); | ||
66 | } | ||
67 | } | ||
68 | |||
69 | closedir(dir); | ||
70 | |||
71 | //************************************** | ||
72 | // blacklist XDG_RUNTIME_DIR | ||
73 | //************************************** | ||
74 | char *name = getenv("XDG_RUNTIME_DIR"); | ||
75 | if (name) { | ||
76 | if (arg_debug) | ||
77 | printf("Disable %s\n", name); | ||
78 | disable_file(name); | ||
79 | } | ||
80 | } | ||
81 | |||
82 | |||
83 | // disable shm in pulseaudio | ||
26 | void pulseaudio_init(void) { | 84 | void pulseaudio_init(void) { |
27 | struct stat s; | 85 | struct stat s; |
28 | 86 | ||
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index d3f92e51b..50fe50380 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -272,9 +272,12 @@ int sandbox(void* sandbox_arg) { | |||
272 | fs_proc_sys_dev_boot(); | 272 | fs_proc_sys_dev_boot(); |
273 | 273 | ||
274 | //**************************** | 274 | //**************************** |
275 | // fix for pulseaudio 7.0 | 275 | // --nosound and fix for pulseaudio 7.0 |
276 | //**************************** | 276 | //**************************** |
277 | pulseaudio_init(); | 277 | if (arg_nosound) |
278 | pulseaudio_disable(); | ||
279 | else | ||
280 | pulseaudio_init(); | ||
278 | 281 | ||
279 | //**************************** | 282 | //**************************** |
280 | // networking | 283 | // networking |