From 50b9de988c17fc45e9baa97848b70e549190ff3a Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Wed, 6 Jul 2016 07:31:39 -0400
Subject: private-dev enhancements

---
 src/firejail/firejail.h |  2 ++
 src/firejail/fs_dev.c   | 42 +++++++++++++++++++++++++++++++++++++++++-
 src/firejail/main.c     |  1 -
 src/firejail/profile.c  |  1 -
 src/firejail/sandbox.c  |  7 ++++++-
 5 files changed, 49 insertions(+), 4 deletions(-)

(limited to 'src')

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index ddc37e203..24af41192 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -44,6 +44,7 @@
 #define RUN_ETC_DIR	"/run/firejail/mnt/etc"
 #define RUN_BIN_DIR	"/run/firejail/mnt/bin"
 #define RUN_DRI_DIR	"/run/firejail/mnt/dri"
+#define RUN_SND_DIR	"/run/firejail/mnt/snd"
 #define RUN_PULSE_DIR	"/run/firejail/mnt/pulse"
 #define RUN_DEVLOG_FILE	"/run/firejail/mnt/devlog"
 
@@ -406,6 +407,7 @@ void dbg_test_dir(const char *dir);
 // fs_dev.c
 void fs_dev_shm(void);
 void fs_private_dev(void);
+void fs_dev_disable_sound();
 
 // fs_home.c
 // private mode (--private)
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 2fd450391..c7a27115f 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -68,9 +68,12 @@ void fs_private_dev(void){
 		printf("Mounting tmpfs on /dev\n");
 
 	int have_dri = 0;
+	int have_snd = 0;
 	struct stat s;
 	if (stat("/dev/dri", &s) == 0)
 		have_dri = 1;
+	if (stat("/dev/snd", &s) == 0)
+		have_snd = 1;
 
 	// create DRI_DIR
 	fs_build_mnt_dir();
@@ -89,7 +92,23 @@ void fs_private_dev(void){
 			errExit("mounting /dev/dri");
 	}
 	
-	// restore /dev/log
+	// create SND_DIR
+	if (have_snd) {
+		/* coverity[toctou] */
+		rv = mkdir(RUN_SND_DIR, 0755);
+		if (rv == -1)
+			errExit("mkdir");
+		if (chown(RUN_SND_DIR, 0, 0) < 0)
+			errExit("chown");
+		if (chmod(RUN_SND_DIR, 0755) < 0)
+			errExit("chmod");
+	
+		// keep a copy of /dev/dri under DRI_DIR
+		if (mount("/dev/snd", RUN_SND_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
+			errExit("mounting /dev/snd");
+	}
+	
+	// create DEVLOG_FILE
 	int have_devlog = 0;
 	if (stat("/dev/log", &s) == 0) {
 		have_devlog = 1;
@@ -121,6 +140,21 @@ void fs_private_dev(void){
 		}
 	}		
 
+	// bring back the /dev/snd directory
+	if (have_snd) {
+		/* coverity[toctou] */
+		rv = mkdir("/dev/snd", 0755);
+		if (rv == -1)
+			errExit("mkdir");
+		if (chown("/dev/snd", 0, 0) < 0)
+			errExit("chown");
+		if (chmod("/dev/snd",0755) < 0)
+			errExit("chmod");
+		if (mount(RUN_SND_DIR, "/dev/snd", NULL, MS_BIND|MS_REC, NULL) < 0)
+			errExit("mounting /dev/snd");
+		fs_logger("whitelist /dev/snd");
+	}
+
 	// bring back the /dev/dri directory
 	if (have_dri) {
 		/* coverity[toctou] */
@@ -243,3 +277,9 @@ void fs_dev_shm(void) {
 			
 	}
 }
+
+void fs_dev_disable_sound() {
+	if (mount(RUN_RO_DIR, "/dev/snd", "none", MS_BIND, "mode=400,gid=0") < 0)
+		errExit("disable /dev/snd");
+	fs_logger("blacklist /dev/snd");
+}
diff --git a/src/firejail/main.c b/src/firejail/main.c
index ac554ca2a..b1dd7d32c 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1468,7 +1468,6 @@ int main(int argc, char **argv) {
 			env_store(argv[i] + 6);
 		else if (strcmp(argv[i], "--nosound") == 0) {
 			arg_nosound = 1;
-			arg_private_dev = 1;
 		}
 				
 		//*************************************
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index a64f28c9a..040efea74 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -178,7 +178,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 	}
 	else if (strcmp(ptr, "nosound") == 0) {
 		arg_nosound = 1;
-		arg_private_dev = 1;
 		return 0;
 	}
 	else if (strcmp(ptr, "netfilter") == 0) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index d384d6fa0..0fd81979f 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -559,8 +559,13 @@ int sandbox(void* sandbox_arg) {
 	//****************************
 	// --nosound and fix for pulseaudio 7.0
 	//****************************
-	if (arg_nosound)
+	if (arg_nosound) {
+		// disable pulseaudio
 		pulseaudio_disable();
+
+		// disable /dev/snd
+		fs_dev_disable_sound();
+	}
 	else
 		pulseaudio_init();
 	
-- 
cgit v1.2.3-70-g09d2