feature: keep ntsync char device when private-dev is used

feature: add nontsync argument to blacklist /dev/ntsync
netblue30 · Feb 22, 2025 · 14f2995 · 14f2995
1 parent 733f9a9
commit 14f2995
Show file tree

Hide file tree

Showing 11 changed files with 38 additions and 2 deletions.
diff --git a/contrib/syntax/lists/profile_commands_arg0.list b/contrib/syntax/lists/profile_commands_arg0.list
@@ -24,6 +24,7 @@ nodvd
 nogroups
 noinput
 nonewprivs
+nontsync
 noprinters
 noroot
 nosound

diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
@@ -142,6 +142,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 		fprintf(fp, "#notv\t# disable DVB TV devices\n");
 		fprintf(fp, "#nou2f\t# disable U2F devices\n");
 		fprintf(fp, "#novideo\t# disable video capture devices\n");
+		fprintf(fp, "#nontsync\t# disable ntsync char device\n");
 		build_protocol(trace_output, fp);
 		fprintf(fp, "seccomp !chroot\t# allowing chroot, just in case this is an Electron app\n");
 		fprintf(fp, "#tracelog\t# send blacklist violations to syslog\n");

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
@@ -340,6 +340,7 @@ extern int arg_scan;		// arp-scan all interfaces
 extern int arg_whitelist;	// whitelist command
 extern int arg_nosound;	// disable sound
 extern int arg_novideo; //disable video devices in /dev
+extern int arg_nontsync;	// disable ntsync char device in /dev
 extern int arg_no3d;		// disable 3d hardware acceleration
 extern int arg_noprinters;	// disable printers
 extern int arg_quiet;		// no output for scripting
@@ -645,6 +646,7 @@ void fs_private_dev(void);
 void fs_dev_disable_sound(void);
 void fs_dev_disable_3d(void);
 void fs_dev_disable_video(void);
+void fs_dev_disable_ntsync(void);
 void fs_dev_disable_tv(void);
 void fs_dev_disable_dvd(void);
 void fs_dev_disable_tpm(void);

diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
@@ -41,7 +41,8 @@ typedef enum {
 	DEV_DVD,
 	DEV_TPM,
 	DEV_U2F,
-	DEV_INPUT
+	DEV_INPUT,
+	DEV_NTSYNC
 } DEV_TYPE;
 
 
@@ -98,6 +99,7 @@ static DevEntry dev[] = {
 	{"/dev/hidraw9", RUN_DEV_DIR "/hidraw9", DEV_U2F},
 	{"/dev/usb", RUN_DEV_DIR "/usb", DEV_U2F},	// USB devices such as Yubikey, U2F
 	{"/dev/input", RUN_DEV_DIR "/input", DEV_INPUT},
+	{"/dev/ntsync", RUN_DEV_DIR "/ntsync", DEV_NTSYNC},
 	{NULL, NULL, DEV_NONE}
 };
 
@@ -114,7 +116,8 @@ static void deventry_mount(void) {
 			    (dev[i].type == DEV_DVD && arg_nodvd == 0) ||
 			    (dev[i].type == DEV_TPM && arg_notpm == 0) ||
 			    (dev[i].type == DEV_U2F && arg_nou2f == 0) ||
-			    (dev[i].type == DEV_INPUT && arg_noinput == 0)) {
+			    (dev[i].type == DEV_INPUT && arg_noinput == 0) ||
+			    (dev[i].type == DEV_NTSYNC && arg_nontsync == 0)) {
 
 				int dir = is_dir(dev[i].run_fname);
 				if (arg_debug)
@@ -365,6 +368,15 @@ void fs_dev_disable_video(void) {
 	}
 }
 
+void fs_dev_disable_ntsync(void) {
+	int i = 0;
+	while (dev[i].dev_fname != NULL) {
+		if (dev[i].type == DEV_NTSYNC)
+			disable_file_or_dir(dev[i].dev_fname);
+		i++;
+	}
+}
+
 void fs_dev_disable_3d(void) {
 	int i = 0;
 	while (dev[i].dev_fname != NULL) {

diff --git a/src/firejail/main.c b/src/firejail/main.c
@@ -126,6 +126,7 @@ int arg_scan = 0;				// arp-scan all interfaces
 int arg_whitelist = 0;				// whitelist command
 int arg_nosound = 0;				// disable sound
 int arg_novideo = 0;			//disable video devices in /dev
+int arg_nontsync = 0;				// disable ntsync char device in /dev
 int arg_no3d;					// disable 3d hardware acceleration
 int arg_noprinters = 0;				// disable printers
 int arg_quiet = 0;				// no output for scripting
@@ -2209,6 +2210,8 @@ int main(int argc, char **argv, char **envp) {
 			arg_keep_config_pulse = 1;
 		else if (strcmp(argv[i], "--novideo") == 0)
 			arg_novideo = 1;
+		else if (strcmp(argv[i], "--nontsync") == 0)
+			arg_nontsync = 1;
 		else if (strcmp(argv[i], "--no3d") == 0)
 			arg_no3d = 1;
 		else if (strcmp(argv[i], "--noprinters") == 0) {

diff --git a/src/firejail/profile.c b/src/firejail/profile.c
@@ -463,6 +463,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		arg_novideo = 1;
 		return 0;
 	}
+	else if (strcmp(ptr, "nontsync") == 0) {
+		arg_nontsync = 1;
+		return 0;
+	}
 	else if (strcmp(ptr, "no3d") == 0) {
 		arg_no3d = 1;
 		return 0;

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
@@ -1110,6 +1110,9 @@ int sandbox(void* sandbox_arg) {
 	if (arg_novideo)
 		fs_dev_disable_video();
 
+	if (arg_nontsync)
+		fs_dev_disable_ntsync();
+
 	if (arg_noinput)
 		fs_dev_disable_input();
 

diff --git a/src/firejail/usage.c b/src/firejail/usage.c
@@ -190,6 +190,7 @@ static const char *const usage_str =
 #endif
 	"    --nosound - disable sound system.\n"
 	"    --novideo - disable video devices.\n"
+	"    --nontsync - disable ntsync char device.\n"
 	"    --notpm - disable TPM devices.\n"
 	"    --nou2f - disable U2F devices.\n"
 	"    --nowhitelist=filename - disable whitelist for file or directory.\n"

diff --git a/src/man/firejail-profile.5.in b/src/man/firejail-profile.5.in
@@ -865,6 +865,9 @@ Disable U2F devices.
 \fBnovideo
 Disable video capture devices.
 .TP
+\fBnontsync
+Disable ntsync char device.
+.TP
 \fBmachine-id
 Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox.
 #ifdef HAVE_NETWORK

diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in
@@ -1982,6 +1982,11 @@ $ firejail \-\-nou2f
 Disable video devices.
 .br
 
+.TP
+\fB\-\-nontsync
+Disable ntsync char device.
+.br
+
 .TP
 \fB\-\-nowhitelist=dirname_or_filename
 Disable whitelist for this directory or file.

diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
@@ -136,6 +136,7 @@ _firejail_args=(
     '--notpm[disable TPM devices]'
     '--nou2f[disable U2F devices]'
     '--novideo[disable video devices]'
+    '--nontsync[disable ntsync char device]'
     '--private[temporary home directory]'
     '--private=-[use directory as user home]: :_files -/'
     '--private-bin=-[build a new /bin in a temporary filesystem, and copy the programs in the list]: :_files -W /usr/bin'