Added flag to allow passing files passed as arguments

oz-daemon/launch.go

@@ -161,6 +161,7 @@ func (d *daemonState) launch(p *oz.Profile, pwd string, args, env []string, uid,
 }
 
 func (sbox *Sandbox) launchProgram(pwd string, args []string, log *logging.Logger) {
+	if sbox.profile.AllowFiles {
 		for _, fpath := range args {
 			if _, err := os.Stat(fpath); err == nil {
 				if filepath.IsAbs(fpath) == false {
@@ -172,6 +173,7 @@ func (sbox *Sandbox) launchProgram(pwd string, args []string, log *logging.Logge
 				}
 			}
 		}
+	}
 	
 	err := ozinit.RunProgram(sbox.addr, pwd, args)
 	if err != nil {

profile.go

@@ -26,6 +26,8 @@ type Profile struct {
 	// Also disables default blacklist items (/sbin, /usr/sbin, /usr/bin/sudo)
 	// Normally not used
 	NoDefaults bool
+	// Allow bind mounting of files passed as arguments inside the container
+	AllowFiles bool `json:"allow_files"`
 	// List of paths to bind mount inside jail
 	Whitelist []WhitelistItem
 	// List of paths to blacklist inside jail

profiles/evince.json

@@ -1,5 +1,6 @@
 {
 "path": "/usr/bin/evince"
+, "allow_files": true
 , "xserver": {
 	"enabled": true
 	, "enable_tray": true