From 36281ef60b3fcc272e5d4d67b72d673d0028beab Mon Sep 17 00:00:00 2001
From: smitsohu <smitsohu@gmail.com>
Date: Thu, 11 Oct 2018 02:06:52 +0200
Subject: allow overriding of disable-mnt with noblacklist - #2154

---
 src/firejail/firejail.h |  2 +-
 src/firejail/fs.c       | 22 +++++++++++++++++-----
 src/firejail/sandbox.c  |  6 ++++--
 3 files changed, 22 insertions(+), 8 deletions(-)

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 40155b155..1d74dc8dc 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -453,7 +453,7 @@ void fs_chroot(const char *rootdir);
 void fs_check_chroot_dir(const char *rootdir);
 void fs_private_tmp(void);
 void fs_private_cache(void);
-void fs_mnt(void);
+void fs_mnt(const int enforce);
 
 // profile.c
 // find and read the profile specified by name from dir directory
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 83830cff6..b958df81a 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -545,11 +545,23 @@ void fs_noexec(const char *dir) {
 }
 
 // Disable /mnt, /media, /run/mount and /run/media access
-void fs_mnt(void) {
-	disable_file(BLACKLIST_FILE, "/mnt");
-	disable_file(BLACKLIST_FILE, "/media");
-	disable_file(BLACKLIST_FILE, "/run/mount");
-	disable_file(BLACKLIST_FILE, "//run/media");
+void fs_mnt(const int enforce) {
+	if (enforce) {
+		// disable-mnt set in firejail.config
+		// overriding with noblacklist is not possible in this case
+		disable_file(BLACKLIST_FILE, "/mnt");
+		disable_file(BLACKLIST_FILE, "/media");
+		disable_file(BLACKLIST_FILE, "/run/mount");
+		disable_file(BLACKLIST_FILE, "/run/media");
+	}
+	else {
+		EUID_USER();
+		profile_add("blacklist /mnt");
+		profile_add("blacklist /media");
+		profile_add("blacklist /run/mount");
+		profile_add("blacklist /run/media");
+		EUID_ROOT();
+	}
 }
 
 
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 5441522ab..8eede6f93 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -923,8 +923,10 @@ int sandbox(void* sandbox_arg) {
 	//****************************
 	// handle /mnt and /media
 	//****************************
-	if (arg_disable_mnt || checkcfg(CFG_DISABLE_MNT))
-		fs_mnt();
+	if (checkcfg(CFG_DISABLE_MNT))
+		fs_mnt(1);
+	else if (arg_disable_mnt)
+		fs_mnt(0);
 
 	//****************************
 	// apply the profile file
-- 
cgit v1.2.3-70-g09d2