pigmonkey / firewarden

Open a file via the specified application within a private Firejail sandbox.
The Unlicense

make firewarden even stricter #8

Closed Rosika2 closed 4 years ago

Rosika2 commented 4 years ago

not an issue, rather a question

Hi altogether,

What I want to do is make firewarden a bit stricter. I want to exclude access to /mnt and /media. To be clear: I still want to access a single dedicated file on /media[...]. But that should be it. No other files from there should be accessible.

As far as the --private option is concerned netblue30 once told me:

"You can also block /mnt and /media. I’m not doing it by default because people use to bring all kind of video and music files on USB devices and play them. Or they can bring documents and work on them. To disable it use --disable-mnt (disables both /media and /mnt). On older firejail versions use --blacklist=/media."

(https://firejail.wordpress.com/documentation-2/basic-usage/ )

So I downloaded the firewarden bash script (https://github.com/pigmonkey/firewarden/archive/master.zip ) and modified line 118 in such a way that instead of

/usr/bin/firejail --private-srv=firewarden-"$now" --private-opt=firewarden-"$now" $quiet $homeopt $netopt $devopt "$app" "${appopt[@]}" "${finalargs[@]}"

I use

/usr/bin/firejail --disable-mnt --private-srv=firewarden-"$now" --private-opt=firewarden-"$now" $quiet $homeopt $netopt $devopt "$app" "${appopt[@]}" "${finalargs[@]}"

I just added "--disable-mnt" as an additional parameter. I tried it out and it works.

So just to confirm: Have I done it correctly?

Thanks in advance.

Greetings. Rosika
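The modified invocation from the post, as an added example (not firewarden's own code): it builds the stricter argument list with --disable-mnt in front of the options firewarden already passes, and includes a check that runs inside the sandbox to confirm /mnt and /media are no longer reachable. The function names and the sample application are constructed for the example; firejail is only needed for the check.

```bash
#!/usr/bin/env bash
set -euo pipefail

# Print the firejail argument list, one per line, mirroring the edited
# line 118 from the issue: --disable-mnt first, then the --private-srv and
# --private-opt directories firewarden names after the current timestamp,
# then the application and whatever arguments it should receive.
build_firejail_args() {
    local now="$1" app="$2"
    shift 2
    printf '%s\n' --disable-mnt \
        "--private-srv=firewarden-$now" \
        "--private-opt=firewarden-$now" \
        "$app" "$@"
}

# Verify the restriction from inside a sandbox started with --disable-mnt:
# list /mnt and /media there and require that nothing comes back (firejail
# hides the directories, so the listing is empty or denied). Returns 0 only
# when nothing is visible. Requires firejail on the host.
check_mnt_hidden() {
    local visible
    visible=$(firejail --quiet --disable-mnt -- \
        sh -c 'ls -A /mnt /media 2>/dev/null')
    [ -z "$visible" ]
}

# Show the argument list for a constructed example: open doc.pdf with a
# hypothetical PDF viewer at /usr/bin/viewer.
build_firejail_args "$(date +%s)" /usr/bin/viewer doc.pdf

# Only attempt the in-sandbox check where firejail is installed.
if command -v firejail >/dev/null 2>&1; then
    check_mnt_hidden && echo "/mnt and /media are hidden inside the sandbox"
fi
```

Running the script on a host with firejail prints the argument list and then the confirmation line; without firejail only the argument list is printed.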

pigmonkey commented 4 years ago

Yes, your change is correct. I'd accept a pull request with the change.

Rosika2 commented 4 years ago

@pigmonkey: Hi and thank you for your answer. I'm glad you could confirm it.

> I'd accept a pull request with the change.

That's really nice of you. I'd be glad to do that but first I must look up how to do it properly as I've never done such a thing before.

Greetings. Rosika