keep-dev-ntsync: block /dev/ntsync by default

Restore and use `fs_dev_disable_ntsync()`.
netblue30 · Feb 23, 2025 · edc5d07 · edc5d07
1 parent 67e67a9
commit edc5d07
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 0 deletions.
diff --git a/etc/profile-m-z/noprofile.profile b/etc/profile-m-z/noprofile.profile
@@ -21,6 +21,7 @@ ignore read-only /sys/module/nvidia*
 allow-debuggers
 allusers
 keep-config-pulse
+keep-dev-ntsync
 keep-dev-shm
 keep-fd all
 keep-var-tmp

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
@@ -651,6 +651,7 @@ void fs_dev_disable_dvd(void);
 void fs_dev_disable_tpm(void);
 void fs_dev_disable_u2f(void);
 void fs_dev_disable_input(void);
+void fs_dev_disable_ntsync(void);
 
 // fs_home.c
 // private mode (--private)

diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
@@ -421,3 +421,12 @@ void fs_dev_disable_input(void) {
 		i++;
 	}
 }
+
+void fs_dev_disable_ntsync(void) {
+	int i = 0;
+	while (dev[i].dev_fname != NULL) {
+		if (dev[i].type == DEV_NTSYNC)
+			disable_file_or_dir(dev[i].dev_fname);
+		i++;
+	}
+}
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
@@ -1113,6 +1113,9 @@ int sandbox(void* sandbox_arg) {
 	if (arg_noinput)
 		fs_dev_disable_input();
 
+	if (!arg_keep_dev_ntsync)
+		fs_dev_disable_ntsync();
+
 	//****************************
 	// set DNS
 	//****************************