Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/pulseaudio.c | 54 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 3 |
2 files changed, 57 insertions, 0 deletions
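--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -25,6 +25,7 @@
 #include <dirent.h>
 #include <errno.h>
 #include <sys/wait.h>
+#include <glob.h>
 
 #include <fcntl.h>
 #ifndef O_PATH
@@ -33,6 +34,59 @@
 
 #define PULSE_CLIENT_SYSCONF "/etc/pulse/client.conf"
 
+
+
+static void disable_rundir_pipewire(const char *path) {
+assert(path);
+
+// globbing for path/pipewire-*
+char *pattern;
+if (asprintf(&pattern, "%s/pipewire-*", path) == -1)
+errExit("asprintf");
+
+glob_t globbuf;
+int globerr = glob(pattern, GLOB_NOCHECK | GLOB_NOSORT, NULL, &globbuf);
+if (globerr) {
+fprintf(stderr, "Error: failed to glob pattern %s\n", pattern);
+exit(1);
+}
+
+int i;
+for (i = 0; i < globbuf.gl_pathc; i++) {
+char *dir = globbuf.gl_pathv[i];
+assert(dir);
+
+// don't disable symlinks - disable_file_or_dir will bind-mount an empty directory on top of it!
+if (is_link(dir))
+continue;
+disable_file_or_dir(dir);
+}
+globfree(&globbuf);
+free(pattern);
+}
+
+
+
+// disable pipewire socket
+void pipewire_disable(void) {
+if (arg_debug)
+printf("disable pipewire\n");
+// blacklist user config directory
+disable_file_path(cfg.homedir, ".config/pipewire");
+
+// blacklist pipewire in XDG_RUNTIME_DIR
+const char *name = env_get("XDG_RUNTIME_DIR");
+if (name)
+disable_rundir_pipewire(name);
+
+// try the default location anyway
+char *path;
+if (asprintf(&path, "/run/user/%d", getuid()) == -1)
+errExit("asprintf");
+disable_rundir_pipewire(path);
+free(path);
+}
+
 // disable pulseaudio socket
 void pulseaudio_disable(void) {
 if (arg_debug)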
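Review bot: XDG_RUNTIME_DIR is read from the environment in pipewire_disable() and formatted unescaped into the glob pattern in disable_rundir_pipewire() (`asprintf(&pattern, "%s/pipewire-*", path)`), so glob metacharacters in the variable are expanded as well and the matches passed to disable_file_or_dir() need not lie in the runtime directory. I would skip the environment-derived path when it contains such characters, e.g. `if (name && !strpbrk(name, "*?[\\"))`, and keep the /run/user/UID call as the fallback. The is_link() test also covers only the final path component and runs before a separate call to disable_file_or_dir(), which is not visible here, so it is worth confirming that the helper re-checks its target before mounting. Minor: `int i` is compared with `globbuf.gl_pathc`, a size_t, so `size_t i` avoids the signed/unsigned comparison.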
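--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1051,6 +1051,9 @@ int sandbox(void* sandbox_arg) {
 // disable pulseaudio
 pulseaudio_disable();
 
+// disable pipewire
+pipewire_disable();
+
 // disable /dev/snd
 fs_dev_disable_sound();
 }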
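Review bot: The new call to `pipewire_disable()` has no visible prototype, because the diffstat lists only pulseaudio.c and sandbox.c and no header is changed. Unless a declaration already exists elsewhere, this call compiles through an implicit function declaration, which is a warning on older compilers and an error on recent ones. I would add `void pipewire_disable(void);` next to the existing declaration of pulseaudio_disable() in the header that sandbox.c includes. The enclosing block in sandbox() starts outside the hunk, so the condition guarding these calls cannot be checked from here.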