Diffstat (limited to 'src')
-rw-r--r--src/firecfg/firecfg.config4
-rw-r--r--src/firejail/firejail.h2
-rw-r--r--src/firejail/fs.c22
-rw-r--r--src/firejail/sandbox.c6
4 files changed, 26 insertions, 8 deletions
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index d54ca4d68..2190f133d 100644
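--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -10,9 +10,11 @@ Discord
 DiscordCanary
 FossaMail
 Fritzing
+GitHub Desktop
 JDownloader
 Mathematica
 Natron
+QMediathekView
 Telegram
 Viber
 VirtualBox
@@ -85,6 +87,7 @@ clipit
 cliqz
 cmus
 code
+com.github.bilelmoussaoui.Authenticator
 conkeror
 conky
 corebird
@@ -111,6 +114,7 @@ dooble-qt4
 dosbox
 dragon
 dropbox
+easystroke
 ebook-viewer
 electrum
 elinks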
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 40155b155..1d74dc8dc 100644
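--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -453,7 +453,7 @@ void fs_chroot(const char *rootdir);
 void fs_check_chroot_dir(const char *rootdir);
 void fs_private_tmp(void);
 void fs_private_cache(void);
-void fs_mnt(void);
+void fs_mnt(const int enforce);
 
 // profile.c
 // find and read the profile specified by name from dir directory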
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 83830cff6..b958df81a 100644
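--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -545,11 +545,23 @@ void fs_noexec(const char *dir) {
 }
 
 // Disable /mnt, /media, /run/mount and /run/media access
-void fs_mnt(void) {
- disable_file(BLACKLIST_FILE, "/mnt");
- disable_file(BLACKLIST_FILE, "/media");
- disable_file(BLACKLIST_FILE, "/run/mount");
- disable_file(BLACKLIST_FILE, "//run/media");
+void fs_mnt(const int enforce) {
+ if (enforce) {
+ // disable-mnt set in firejail.config
+ // overriding with noblacklist is not possible in this case
+ disable_file(BLACKLIST_FILE, "/mnt");
+ disable_file(BLACKLIST_FILE, "/media");
+ disable_file(BLACKLIST_FILE, "/run/mount");
+ disable_file(BLACKLIST_FILE, "/run/media");
+ }
+ else {
+ EUID_USER();
+ profile_add("blacklist /mnt");
+ profile_add("blacklist /media");
+ profile_add("blacklist /run/mount");
+ profile_add("blacklist /run/media");
+ EUID_ROOT();
+ }
 }
 
 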
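Review bot: The `else` branch of `fs_mnt` has no comment, although it is the branch with the weaker guarantee: the four `profile_add("blacklist ...")` calls only queue profile entries, and the comment in the `enforce` branch implies that these can be overridden by `noblacklist`. I would add `// requested per sandbox: queued as profile entries, noblacklist may override` above `EUID_USER();` and extend the header comment with `// enforce != 0: blacklist immediately, cannot be overridden`. The reason for the `EUID_USER()`/`EUID_ROOT()` pair around `profile_add` is also not evident from the hunk and deserves a one-line why-comment.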
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 5441522ab..8eede6f93 100644
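--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -923,8 +923,10 @@ int sandbox(void* sandbox_arg) {
 //****************************
 // handle /mnt and /media
 //****************************
- if (arg_disable_mnt || checkcfg(CFG_DISABLE_MNT))
- fs_mnt();
+ if (checkcfg(CFG_DISABLE_MNT))
+ fs_mnt(1);
+ else if (arg_disable_mnt)
+ fs_mnt(0);
 
 //****************************
 // apply the profile file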
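Review bot: The call sites `fs_mnt(1)` and `fs_mnt(0)` pass bare literals, so a reader of `sandbox()` cannot tell which call is the non-overridable path. A trailing comment on each would make the distinction visible, for example `fs_mnt(1); // enforced by firejail.config, noblacklist cannot override` and `fs_mnt(0); // arg_disable_mnt: added as profile blacklist entries`. The `fs_mnt(0)` path presumably depends on the "apply the profile file" step that follows to make the blacklist effective, so this block has to stay ahead of it; a note saying so would protect against a later reordering. `sandbox()` starts and ends outside this hunk, so the profile step itself is not visible here.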