Diffstat (limited to 'src')
-rw-r--r--src/firecfg/firecfg.config1
-rw-r--r--src/firejail/firejail.h2
-rw-r--r--src/firejail/fs.c22
-rw-r--r--src/firejail/sandbox.c6
4 files changed, 23 insertions, 8 deletions
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 746c70c53..1146e2d13 100644
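--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -13,6 +13,7 @@ Fritzing
 JDownloader
 Mathematica
 Natron
+QMediathekView
 Telegram
 Viber
 VirtualBox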
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 40155b155..1d74dc8dc 100644
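--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -453,7 +453,7 @@ void fs_chroot(const char *rootdir);
 void fs_check_chroot_dir(const char *rootdir);
 void fs_private_tmp(void);
 void fs_private_cache(void);
-void fs_mnt(void);
+void fs_mnt(const int enforce);
 
 // profile.c
 // find and read the profile specified by name from dir directory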
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 83830cff6..b958df81a 100644
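--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -545,11 +545,23 @@ void fs_noexec(const char *dir) {
 }
 
 // Disable /mnt, /media, /run/mount and /run/media access
-void fs_mnt(void) {
- disable_file(BLACKLIST_FILE, "/mnt");
- disable_file(BLACKLIST_FILE, "/media");
- disable_file(BLACKLIST_FILE, "/run/mount");
- disable_file(BLACKLIST_FILE, "//run/media");
+void fs_mnt(const int enforce) {
+ if (enforce) {
+ // disable-mnt set in firejail.config
+ // overriding with noblacklist is not possible in this case
+ disable_file(BLACKLIST_FILE, "/mnt");
+ disable_file(BLACKLIST_FILE, "/media");
+ disable_file(BLACKLIST_FILE, "/run/mount");
+ disable_file(BLACKLIST_FILE, "/run/media");
+ }
+ else {
+ EUID_USER();
+ profile_add("blacklist /mnt");
+ profile_add("blacklist /media");
+ profile_add("blacklist /run/mount");
+ profile_add("blacklist /run/media");
+ EUID_ROOT();
+ }
 }
 
 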
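Review bot: The `else` branch of fs_mnt() has no comment, and the header comment still reads only "Disable /mnt, /media, /run/mount and /run/media access", so the security difference between the two paths is documented for one side only. With `enforce` set the paths go straight through `disable_file(BLACKLIST_FILE, ...)`; otherwise they are queued as `blacklist` profile lines via `profile_add()`, which, judging by the comment in the first branch, a `noblacklist` entry can exempt. I would add `// disable-mnt requested without firejail.config enforcement: queued as profile entries, noblacklist can override` above `EUID_USER();` and describe `enforce` in the header comment. Why the effective uid is switched to the user around the `profile_add()` calls is not visible in this hunk and deserves a one-line comment as well.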
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 5441522ab..8eede6f93 100644
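--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -923,8 +923,10 @@ int sandbox(void* sandbox_arg) {
 //****************************
 // handle /mnt and /media
 //****************************
- if (arg_disable_mnt || checkcfg(CFG_DISABLE_MNT))
- fs_mnt();
+ if (checkcfg(CFG_DISABLE_MNT))
+ fs_mnt(1);
+ else if (arg_disable_mnt)
+ fs_mnt(0);
 
 //****************************
 // apply the profile file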
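Review bot: The weaker guarantee now given to `arg_disable_mnt` is not stated anywhere at this call site: only `checkcfg(CFG_DISABLE_MNT)` reaches `fs_mnt(1)`, while `arg_disable_mnt` alone gets `fs_mnt(0)`, whose entries can, per the comment in fs.c, be lifted by noblacklist. Anyone who treated that flag as a firm block on /mnt and /media should be told in the user documentation that only the firejail.config setting is enforced (the diffstat shown is limited to src, so this may already be covered). The bare `1` and `0` are also hard to read here; trailing comments such as `fs_mnt(1); // enforced, noblacklist cannot override` and `fs_mnt(0); // added to profile, applied below` would make the intent clear. The second comment matters because the overridable path presumably depends on this block running before the "apply the profile file" step. The body of sandbox() starts and ends outside the hunk.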