From 822be0355f3b440d7cf193bc5c923f24163dd6d5 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Tue, 4 Jul 2017 10:24:23 -0400
Subject: per-profile disable-mnt
---
 src/firejail/firejail.h | 1 +
 src/firejail/main.c | 5 ++++-
 src/firejail/profile.c | 5 +++++
 src/firejail/sandbox.c | 2 +-
 src/man/firejail-profile.txt | 3 +++
 src/man/firejail.txt | 10 ++++++++++
 6 files changed, 24 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 8bf2a75c3..8aa80f274 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -350,6 +350,7 @@ extern int arg_x11_block; // block X11
 extern int arg_x11_xorg; // use X11 security extention
 extern int arg_allusers; // all user home directories visible
 extern int arg_machineid; // preserve /etc/machine-id
+extern int arg_disable_mnt; // disable /mnt and /media
 extern int login_shell;
 extern int parent_to_child_fds[2];
diff --git a/src/firejail/main.c b/src/firejail/main.c
index cff61f64a..1f714df58 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -107,7 +107,8 @@ int arg_x11_xorg = 0; // use X11 security extention
 int arg_allusers = 0; // all user home directories visible
 int arg_machineid = 0; // preserve /etc/machine-id
 int arg_allow_private_blacklist = 0; // blacklist things in private directories
-int arg_writable_var_log; // writable /var/log
+int arg_writable_var_log = 0; // writable /var/log
+int arg_disable_mnt = 0; // disable /mnt and /media
 int login_shell = 0;
@@ -1291,6 +1292,8 @@ int main(int argc, char **argv) {
 profile_check_line(line, 0, NULL); // will exit if something wrong
 profile_add(line);
 }
+ else if (strcmp(argv[i], "--disable-mnt") == 0)
+ arg_disable_mnt = 1;
 #ifdef HAVE_OVERLAYFS
 else if (strcmp(argv[i], "--overlay") == 0) {
 if (checkcfg(CFG_OVERLAYFS)) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index cabea05f3..af943581e 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
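Review bot: The comment on the new `arg_disable_mnt` declaration in src/firejail/firejail.h understates what the flag covers: it reads `// disable /mnt and /media`, while the man-page text added in this same commit lists /mnt, /media, /run/mount and /run/media. The same comment is repeated on the definition in the first src/firejail/main.c hunk. If the man pages are accurate, suggest `// disable /mnt, /media, /run/mount and /run/media` in both places, so that someone auditing what the sandbox hides does not have to read fs_mnt() to find the other two paths.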
@@ -1001,6 +1001,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
+ if (strcmp(ptr, "disable-mnt") == 0) {
+ arg_disable_mnt = 1;
+ return 0;
+ }
+
 // rest of filesystem
 if (strncmp(ptr, "blacklist ", 10) == 0)
 ptr += 10;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 4ee05d070..ea39ed580 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -790,7 +790,7 @@ int sandbox(void* sandbox_arg) {
 //****************************
 // handle /mnt and /media
 //****************************
- if (checkcfg(CFG_DISABLE_MNT))
+ if (arg_disable_mnt || checkcfg(CFG_DISABLE_MNT))
 fs_mnt();
 //****************************
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 9b3aef95f..9f4f4a927 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -161,6 +161,9 @@ Mount-bind directory1 on top of directory2. This option is only available when r
 \fBbind file1,file2
 Mount-bind file1 on top of file2. This option is only available when running as root.
 .TP
+\fBdisable-mnt
+Disable /mnt, /media, /run/mount and /run/media access.
+.TP
 \fBmkdir directory
 Create a directory in user home or under /tmp before the sandbox is started.
 The directory is created if it doesn't already exist.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 25992fb3e..6e49fc25f 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -377,6 +377,16 @@ Example:
 .br
 $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox
+.TP
+\fB\-\-disable-mnt
+Disable /mnt, /media, /run/mount and /run/media access.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-disable-mnt firefox
+
 .TP
 \fB\-\-dns=address
 Set a DNS server for the sandbox. Up to three DNS servers can be defined.
--
cgit v1.2.3-54-g00ecf
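Review bot: The new `disable-mnt` branch in profile_check_line matches with an exact `strcmp`, so a profile line with trailing whitespace or an inline comment would not set `arg_disable_mnt` and would fall through to the `// rest of filesystem` handling below it. Whether `ptr` is already trimmed, and what happens to an unmatched line, is decided outside this hunk; the function starts and ends beyond it. Because this is a hardening directive, a silent miss would leave the mount points reachable inside the sandbox, so it is worth confirming that the caller strips the line or that unrecognised lines are rejected loudly. A short comment such as `// exact match: ptr is expected to be trimmed by the caller` would record the assumption.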
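Review bot: Nothing on the changed condition in sandbox() says that its two inputs can only add up: `arg_disable_mnt` (set from `--disable-mnt` or a profile's `disable-mnt`) is OR-ed with `checkcfg(CFG_DISABLE_MNT)`, so a profile or command line can tighten the configured default but never relax it. That is the safe direction and deserves a comment above the `if`, for example `// per-sandbox request or configured default; either one is enough, neither can undo the other`. sandbox() starts and ends outside this hunk, so whether a later bind or whitelist step can re-expose a path under these directories after fs_mnt() has run is not visible here and is worth checking.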