diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/firecfg/firecfg.config | 1 | ||||
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/fs.c | 22 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 6 |
4 files changed, 23 insertions, 8 deletions
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 60a2e9a45..d991d2f3e 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -13,6 +13,7 @@ Fritzing | |||
13 | JDownloader | 13 | JDownloader |
14 | Mathematica | 14 | Mathematica |
15 | Natron | 15 | Natron |
16 | QMediathekView | ||
16 | Telegram | 17 | Telegram |
17 | Viber | 18 | Viber |
18 | VirtualBox | 19 | VirtualBox |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 40155b155..1d74dc8dc 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -453,7 +453,7 @@ void fs_chroot(const char *rootdir); | |||
453 | void fs_check_chroot_dir(const char *rootdir); | 453 | void fs_check_chroot_dir(const char *rootdir); |
454 | void fs_private_tmp(void); | 454 | void fs_private_tmp(void); |
455 | void fs_private_cache(void); | 455 | void fs_private_cache(void); |
456 | void fs_mnt(void); | 456 | void fs_mnt(const int enforce); |
457 | 457 | ||
458 | // profile.c | 458 | // profile.c |
459 | // find and read the profile specified by name from dir directory | 459 | // find and read the profile specified by name from dir directory |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 83830cff6..b958df81a 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -545,11 +545,23 @@ void fs_noexec(const char *dir) { | |||
545 | } | 545 | } |
546 | 546 | ||
547 | // Disable /mnt, /media, /run/mount and /run/media access | 547 | // Disable /mnt, /media, /run/mount and /run/media access |
548 | void fs_mnt(void) { | 548 | void fs_mnt(const int enforce) { |
549 | disable_file(BLACKLIST_FILE, "/mnt"); | 549 | if (enforce) { |
550 | disable_file(BLACKLIST_FILE, "/media"); | 550 | // disable-mnt set in firejail.config |
551 | disable_file(BLACKLIST_FILE, "/run/mount"); | 551 | // overriding with noblacklist is not possible in this case |
552 | disable_file(BLACKLIST_FILE, "//run/media"); | 552 | disable_file(BLACKLIST_FILE, "/mnt"); |
553 | disable_file(BLACKLIST_FILE, "/media"); | ||
554 | disable_file(BLACKLIST_FILE, "/run/mount"); | ||
555 | disable_file(BLACKLIST_FILE, "/run/media"); | ||
556 | } | ||
557 | else { | ||
558 | EUID_USER(); | ||
559 | profile_add("blacklist /mnt"); | ||
560 | profile_add("blacklist /media"); | ||
561 | profile_add("blacklist /run/mount"); | ||
562 | profile_add("blacklist /run/media"); | ||
563 | EUID_ROOT(); | ||
564 | } | ||
553 | } | 565 | } |
554 | 566 | ||
555 | 567 | ||
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 5441522ab..8eede6f93 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -923,8 +923,10 @@ int sandbox(void* sandbox_arg) { | |||
923 | //**************************** | 923 | //**************************** |
924 | // handle /mnt and /media | 924 | // handle /mnt and /media |
925 | //**************************** | 925 | //**************************** |
926 | if (arg_disable_mnt || checkcfg(CFG_DISABLE_MNT)) | 926 | if (checkcfg(CFG_DISABLE_MNT)) |
927 | fs_mnt(); | 927 | fs_mnt(1); |
928 | else if (arg_disable_mnt) | ||
929 | fs_mnt(0); | ||
928 | 930 | ||
929 | //**************************** | 931 | //**************************** |
930 | // apply the profile file | 932 | // apply the profile file |