Added flag to allow passing files passed as arguments

oz-daemon/launch.go

@@ -161,14 +161,16 @@ func (d *daemonState) launch(p *oz.Profile, pwd string, args, env []string, uid,
 }
 
 func (sbox *Sandbox) launchProgram(pwd string, args []string, log *logging.Logger) {
-	for _, fpath := range args {
-		if _, err := os.Stat(fpath); err == nil {
-			if filepath.IsAbs(fpath) == false {
-				fpath = path.Join(pwd, fpath)
-			}
-			log.Info("Adding file `%s` to sandbox `%s`.", fpath, sbox.profile.Name)
-			if err := sbox.fs.AddBindWhitelist(fpath, fpath, false); err != nil {
-				log.Warning("Error adding file `%s`!", fpath)
+	if sbox.profile.AllowFiles {
+		for _, fpath := range args {
+			if _, err := os.Stat(fpath); err == nil {
+				if filepath.IsAbs(fpath) == false {
+					fpath = path.Join(pwd, fpath)
+				}
+				log.Info("Adding file `%s` to sandbox `%s`.", fpath, sbox.profile.Name)
+				if err := sbox.fs.AddBindWhitelist(fpath, fpath, false); err != nil {
+					log.Warning("Error adding file `%s`!", fpath)
+				}
 			}
 		}
 	}

profile.go

@@ -26,6 +26,8 @@ type Profile struct {
 	// Also disables default blacklist items (/sbin, /usr/sbin, /usr/bin/sudo)
 	// Normally not used
 	NoDefaults bool
+	// Allow bind mounting of files passed as arguments inside the container
+	AllowFiles bool `json:"allow_files"`
 	// List of paths to bind mount inside jail
 	Whitelist []WhitelistItem
 	// List of paths to blacklist inside jail

profiles/evince.json

@@ -1,5 +1,6 @@
 {
 "path": "/usr/bin/evince"
+, "allow_files": true
 , "xserver": {
 	"enabled": true
 	, "enable_tray": true