From be00aa351c1184ef7ac07a05190909d35d137c76 Mon Sep 17 00:00:00 2001
From: startx2017
Date: Thu, 10 Aug 2017 09:31:03 -0400
Subject: --notv for #1446

---
 src/firejail/firejail.h      |  2 ++
 src/firejail/fs_dev.c        | 83 ++++++++++++++++++++++++++------------------
 src/firejail/main.c          | 16 ++++-----
 src/firejail/profile.c       |  4 +++
 src/firejail/sandbox.c       |  8 ++---
 src/man/firejail-profile.txt |  3 ++
 src/man/firejail.txt         | 10 ++++++
 7 files changed, 80 insertions(+), 46 deletions(-)
(limited to 'src')

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 86f730aa0..bb16ea42b 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -360,6 +360,7 @@ extern int arg_machineid; // preserve /etc/machine-id
 extern int arg_disable_mnt; // disable /mnt and /media
 extern int arg_noprofile; // use default.profile if none other found/specified
 extern int arg_memory_deny_write_execute; // block writable and executable memory
+extern int arg_notv; // --notv
 
 extern int login_shell;
 extern int parent_to_child_fds[2];
@@ -512,6 +513,7 @@ void fs_private_dev(void);
 void fs_dev_disable_sound(void);
 void fs_dev_disable_3d(void);
 void fs_dev_disable_video(void);
+void fs_dev_disable_tv(void);
 
 // fs_home.c
 // private mode (--private)
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 86ff0d4f9..45f4bcc1c 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -31,42 +31,50 @@
 #include
 #include
 
+// device type
+typedef enum {
+	DEV_NONE = 0,
+	DEV_SOUND,
+	DEV_3D,
+	DEV_VIDEO,
+	DEV_TV,
+} DEV_TYPE;
+
+
 typedef struct {
 	const char *dev_fname;
 	const char *run_fname;
-	int sound;
-	int hw3d;
-	int video;
+	DEV_TYPE type;
 } DevEntry;
 
 static DevEntry dev[] = {
-	{"/dev/snd", RUN_DEV_DIR "/snd", 1, 0, 0}, // sound device
-	{"/dev/dri", RUN_DEV_DIR "/dri", 0, 1, 0}, // 3d device
-	{"/dev/nvidia0", RUN_DEV_DIR "/nvidia0", 0, 1, 0},
-	{"/dev/nvidia1", RUN_DEV_DIR "/nvidia1", 0, 1, 0},
-	{"/dev/nvidia2", RUN_DEV_DIR "/nvidia2", 0, 1, 0},
-	{"/dev/nvidia3", RUN_DEV_DIR "/nvidia3", 0, 1, 0},
-	{"/dev/nvidia4", RUN_DEV_DIR "/nvidia4", 0, 1, 0},
-	{"/dev/nvidia5", RUN_DEV_DIR "/nvidia5", 0, 1, 0},
-	{"/dev/nvidia6", RUN_DEV_DIR "/nvidia6", 0, 1, 0},
-	{"/dev/nvidia7", RUN_DEV_DIR "/nvidia7", 0, 1, 0},
-	{"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", 0, 1, 0},
-	{"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", 0, 1, 0},
-	{"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", 0, 1, 0},
-	{"/dev/nvidia-modeset", RUN_DEV_DIR "/nvidia-modeset", 0, 1, 0},
-	{"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", 0, 1, 0},
-	{"/dev/video0", RUN_DEV_DIR "/video0", 0, 0, 1}, // video camera devices
-	{"/dev/video1", RUN_DEV_DIR "/video1", 0, 0, 1},
-	{"/dev/video2", RUN_DEV_DIR "/video2", 0, 0, 1},
-	{"/dev/video3", RUN_DEV_DIR "/video3", 0, 0, 1},
-	{"/dev/video4", RUN_DEV_DIR "/video4", 0, 0, 1},
-	{"/dev/video5", RUN_DEV_DIR "/video5", 0, 0, 1},
-	{"/dev/video6", RUN_DEV_DIR "/video6", 0, 0, 1},
-	{"/dev/video7", RUN_DEV_DIR "/video7", 0, 0, 1},
-	{"/dev/video8", RUN_DEV_DIR "/video8", 0, 0, 1},
-	{"/dev/video9", RUN_DEV_DIR "/video9", 0, 0, 1},
-	{"/dev/dvb", RUN_DEV_DIR "/dvb", 0, 0, 0}, // DVB (Digital Video Brodcasting) - TV device
-	{NULL, NULL, 0, 0, 0}
+	{"/dev/snd", RUN_DEV_DIR "/snd", DEV_SOUND}, // sound device
+	{"/dev/dri", RUN_DEV_DIR "/dri", DEV_3D}, // 3d device
+	{"/dev/nvidia0", RUN_DEV_DIR "/nvidia0", DEV_3D},
+	{"/dev/nvidia1", RUN_DEV_DIR "/nvidia1", DEV_3D},
+	{"/dev/nvidia2", RUN_DEV_DIR "/nvidia2", DEV_3D},
+	{"/dev/nvidia3", RUN_DEV_DIR "/nvidia3", DEV_3D},
+	{"/dev/nvidia4", RUN_DEV_DIR "/nvidia4", DEV_3D},
+	{"/dev/nvidia5", RUN_DEV_DIR "/nvidia5", DEV_3D},
+	{"/dev/nvidia6", RUN_DEV_DIR "/nvidia6", DEV_3D},
+	{"/dev/nvidia7", RUN_DEV_DIR "/nvidia7", DEV_3D},
+	{"/dev/nvidia8", RUN_DEV_DIR "/nvidia8", DEV_3D},
+	{"/dev/nvidia9", RUN_DEV_DIR "/nvidia9", DEV_3D},
+	{"/dev/nvidiactl", RUN_DEV_DIR "/nvidiactl", DEV_3D},
+	{"/dev/nvidia-modeset", RUN_DEV_DIR "/nvidia-modeset", DEV_3D},
+	{"/dev/nvidia-uvm", RUN_DEV_DIR "/nvidia-uvm", DEV_3D},
+	{"/dev/video0", RUN_DEV_DIR "/video0", DEV_VIDEO}, // video camera devices
+	{"/dev/video1", RUN_DEV_DIR "/video1", DEV_VIDEO},
+	{"/dev/video2", RUN_DEV_DIR "/video2", DEV_VIDEO},
+	{"/dev/video3", RUN_DEV_DIR "/video3", DEV_VIDEO},
+	{"/dev/video4", RUN_DEV_DIR "/video4", DEV_VIDEO},
+	{"/dev/video5", RUN_DEV_DIR "/video5", DEV_VIDEO},
+	{"/dev/video6", RUN_DEV_DIR "/video6", DEV_VIDEO},
+	{"/dev/video7", RUN_DEV_DIR "/video7", DEV_VIDEO},
+	{"/dev/video8", RUN_DEV_DIR "/video8", DEV_VIDEO},
+	{"/dev/video9", RUN_DEV_DIR "/video9", DEV_VIDEO},
+	{"/dev/dvb", RUN_DEV_DIR "/dvb", DEV_TV}, // DVB (Digital Video Brodcasting) - TV device
+	{NULL, NULL, DEV_NONE}
 };
 
 static void deventry_mount(void) {
@@ -295,7 +303,7 @@ static void disable_file_or_dir(const char *fname) {
 void fs_dev_disable_sound(void) {
 	int i = 0;
 	while (dev[i].dev_fname != NULL) {
-		if (dev[i].sound)
+		if (dev[i].type == DEV_SOUND)
 			disable_file_or_dir(dev[i].dev_fname);
 		i++;
 	}
@@ -304,7 +312,7 @@ void fs_dev_disable_sound(void) {
 void fs_dev_disable_video(void) {
 	int i = 0;
 	while (dev[i].dev_fname != NULL) {
-		if (dev[i].video)
+		if (dev[i].type == DEV_VIDEO)
 			disable_file_or_dir(dev[i].dev_fname);
 		i++;
 	}
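Review bot: The new `DEV_TYPE type` field turns three independent flags into one exclusive class per entry, but nothing in the struct says so, and the old `/dev/dvb` row carried no flag at all, so before this change no `fs_dev_disable_*()` ever removed it — the `DEV_TV` tag on that row is what makes the new option effective. A one-line note on the field would keep the next contributor from adding a second class to a row: `DEV_TYPE type; // exactly one class per entry; fs_dev_disable_*() match on equality`. As a style point, an all-caps typedef name reads as a macro or enum constant in this file, where the neighbouring struct is `DevEntry`; `DevType` would match. The row comment also spells it `Brodcasting` (the man-page additions repeat the same spelling); `Broadcasting`.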
@@ -313,7 +321,16 @@ void fs_dev_disable_video(void) {
 void fs_dev_disable_3d(void) {
 	int i = 0;
 	while (dev[i].dev_fname != NULL) {
-		if (dev[i].hw3d)
+		if (dev[i].type == DEV_3D)
+			disable_file_or_dir(dev[i].dev_fname);
+		i++;
+	}
+}
+
+void fs_dev_disable_tv(void) {
+	int i = 0;
+	while (dev[i].dev_fname != NULL) {
+		if (dev[i].type == DEV_TV)
 			disable_file_or_dir(dev[i].dev_fname);
 		i++;
 	}
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 9cff080a0..3718c82ff 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -112,7 +112,7 @@ int arg_writable_var_log = 0; // writable /var/log
 int arg_disable_mnt = 0; // disable /mnt and /media
 int arg_noprofile = 0; // use default.profile if none other found/specified
 int arg_memory_deny_write_execute = 0; // block writable and executable memory
-
+int arg_notv = 0; // --notv
 
 int login_shell = 0;
 
@@ -1676,22 +1676,20 @@ int main(int argc, char **argv) {
 			exit_err_feature("noroot");
 		}
 #endif
-		else if (strcmp(argv[i], "--nonewprivs") == 0) {
+		else if (strcmp(argv[i], "--nonewprivs") == 0)
 			arg_nonewprivs = 1;
-		}
 		else if (strncmp(argv[i], "--env=", 6) == 0)
 			env_store(argv[i] + 6, SETENV);
 		else if (strncmp(argv[i], "--rmenv=", 8) == 0)
 			env_store(argv[i] + 8, RMENV);
-		else if (strcmp(argv[i], "--nosound") == 0) {
+		else if (strcmp(argv[i], "--nosound") == 0)
 			arg_nosound = 1;
-		}
-		else if (strcmp(argv[i], "--novideo") == 0) {
+		else if (strcmp(argv[i], "--novideo") == 0)
 			arg_novideo = 1;
-		}
-		else if (strcmp(argv[i], "--no3d") == 0) {
+		else if (strcmp(argv[i], "--no3d") == 0)
 			arg_no3d = 1;
-		}
+		else if (strcmp(argv[i], "--notv") == 0)
+			arg_notv = 1;
 
 		//*************************************
 		// network
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 708251b0b..54670483f 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
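Review bot: `fs_dev_disable_tv()` is the fourth verbatim copy of the same table walk (the `-295` and `-304` hunks touch the other two, `fs_dev_disable_3d()` is just above in this hunk), with only the `DEV_TYPE` compared changing; now that the table carries a single `type` field, one static helper taking the class removes the duplication and makes the next device class a one-line addition. The closing brace of `fs_dev_disable_tv()` lies past the end of the hunk. With the helper below, `fs_dev_disable_sound()`, `fs_dev_disable_video()` and `fs_dev_disable_3d()` each collapse to a single `disable_by_type(DEV_…);` call.
```c
// Remove from the sandbox every /dev entry in the table whose class is `type`.
static void disable_by_type(DEV_TYPE type) {
	int i = 0;
	while (dev[i].dev_fname != NULL) {
		if (dev[i].type == type)
			disable_file_or_dir(dev[i].dev_fname);
		i++;
	}
}

void fs_dev_disable_tv(void) {
	disable_by_type(DEV_TV);
}
```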
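Review bot: The `@@ -1676` hunk in main.c strips the braces from the four existing `--nonewprivs`, `--nosound`, `--novideo` and `--no3d` branches, so a feature commit carries an unrelated reformat and the option chain loses the brace that guards a single-statement body against a later second statement being silently left outside it. A pure addition in the existing braced form keeps the diff to the feature: `else if (strcmp(argv[i], "--notv") == 0) {` / `arg_notv = 1;` / `}`. `main()` begins and ends outside the hunk.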
@@ -225,6 +225,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		arg_nosound = 1;
 		return 0;
 	}
+	else if (strcmp(ptr, "notv") == 0) {
+		arg_notv = 1;
+		return 0;
+	}
 	else if (strcmp(ptr, "novideo") == 0) {
 		arg_novideo = 1;
 		return 0;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 6c0fdebe3..4af8b747b 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -876,7 +876,7 @@ int sandbox(void* sandbox_arg) {
 	fs_blacklist(); // mkdir and mkfile are processed all over again
 
 	//****************************
-	// nosound/no3d and fix for pulseaudio 7.0
+	// nosound/no3d/notv/novideo and fix for pulseaudio 7.0
 	//****************************
 	if (arg_nosound) {
 		// disable pulseaudio
@@ -891,9 +891,9 @@ int sandbox(void* sandbox_arg) {
 	if (arg_no3d)
 		fs_dev_disable_3d();
 
-	//****************************
-	// novideo
-	//****************************
+	if (arg_notv)
+		fs_dev_disable_tv();
+
 	if (arg_novideo) {
 		// disable /dev/video*
 		fs_dev_disable_video();
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index f446f37b8..665f4405b 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -423,6 +423,9 @@ Enable IPC namespace.
 \fBnosound
 Disable sound system.
 .TP
+\fBnotv
+Disable DVB (Digital Video Brodcasting) TV devices.
+.TP
 \fBnovideo
 Disable video devices.
 .TP
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index bf18167b2..b0746030b 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1083,6 +1083,16 @@ Example:
 .br
 $ firejail \-\-nosound firefox
 
+.TP
+\fB\-\-notv
+Disable DVB (Digital Video Brodcasting) TV devices.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-notv vlc
+
 .TP
 \fB\-\-novideo
 Disable video devices.
-- 
cgit v1.2.3-54-g00ecf
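Review bot: In the sandbox.c `@@ -891` hunk the new `if (arg_notv)` branch is the only one in this run of device disables without a comment saying what it removes, while the `arg_novideo` branch right below it carries `// disable /dev/video*`; the table in fs_dev.c tags exactly one entry as `DEV_TV`, so `// disable /dev/dvb` above `fs_dev_disable_tv();` documents it accurately. The removed `// novideo` banner was the only marker separating the 3D and video sections, so the camera block is now unlabelled as well. `sandbox()` begins and ends outside the hunk.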