17 files changed, 244 insertions, 6 deletions
diff --git a/src/Common/Language.xml b/src/Common/Language.xml
index 9821bbe9..757cccc2 100644
--- a/src/Common/Language.xml
+++ b/src/Common/Language.xml
@@ -1640,8 +1640,11 @@
     <entry lang="en" key="LINUX_RESTART_FOR_LANGUAGE_CHANGE">For the language change to come into effect, VeraCrypt needs to be restarted.</entry>
     <entry lang="en" key="ERR_XTS_MASTERKEY_VULNERABLE">WARNING: The volume's master key is vulnerable to an attack that compromises data security.\n\nPlease create a new volume and transfer the data to it.</entry>
     <entry lang="en" key="ERR_SYSENC_XTS_MASTERKEY_VULNERABLE">WARNING: The encrypted system's master key is vulnerable to an attack that compromises data security.\nPlease decrypt the system partition/drive and then re-encrypt it.</entry>
     <entry lang="en" key="ERR_XTS_MASTERKEY_VULNERABLE_SHORT">WARNING: The volume's master key has a security vulnerability.</entry>
+    <entry lang="en" key="MOUNTPOINT_BLOCKED">ERROR: The volume mount point is blocked because it overrides a protected system directory.\n\nPlease choose a different mount point.</entry>
+    <entry lang="en" key="MOUNTPOINT_NOTALLOWED">ERROR: The volume mount point is not allowed because it overrides a directory that is part of the PATH environment variable.\n\nPlease choose a different mount point.</entry>
+    <entry lang="en" key="INSECURE_MODE">[INSECURE MODE]</entry>
   </localization>
   <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
     <xs:element name="VeraCrypt">
       <xs:complexType>
diff --git a/src/Core/CoreBase.cpp b/src/Core/CoreBase.cpp
index ed934a63..d2dbd6d7 100644
--- a/src/Core/CoreBase.cpp
+++ b/src/Core/CoreBase.cpp
@@ -22,8 +22,11 @@ namespace VeraCrypt
 		: DeviceChangeInProgress (false)
 #if defined(TC_LINUX ) || defined (TC_FREEBSD)
 		, UseDummySudoPassword (false)
 #endif
+#if defined(TC_UNIX)
+		,AllowInsecureMount (false)
+#endif
 	{
 	}
 
 	CoreBase::~CoreBase ()
diff --git a/src/Core/CoreBase.h b/src/Core/CoreBase.h
index 07d0f881..e4ff0a94 100644
--- a/src/Core/CoreBase.h
+++ b/src/Core/CoreBase.h
@@ -79,8 +79,18 @@ namespace VeraCrypt
 		virtual void WipePasswordCache () const = 0;
 		virtual void ForceUseDummySudoPassword (bool useDummySudoPassword) { UseDummySudoPassword = useDummySudoPassword;}
 		virtual bool GetUseDummySudoPassword () const { return UseDummySudoPassword;}
 
+#if defined(TC_UNIX)
+		virtual bool IsProtectedSystemDirectory (const DirectoryPath &directory) const = 0;
+		virtual bool IsDirectoryOnUserPath(const DirectoryPath &directory) const = 0;
+		virtual void SetAllowInsecureMount (bool allowInsecureMount) { AllowInsecureMount = allowInsecureMount; }
+		virtual bool GetAllowInsecureMount () const { return AllowInsecureMount; }
+#endif
+
+		virtual void SetUserEnvPATH (const string &path) { UserEnvPATH = path; }
+		virtual string GetUserEnvPATH () const { return UserEnvPATH; }
+
 		Event VolumeDismountedEvent;
 		Event VolumeMountedEvent;
 		Event WarningEvent;
 
@@ -88,10 +98,15 @@ namespace VeraCrypt
 		CoreBase ();
 
 		bool DeviceChangeInProgress;
 		FilePath ApplicationExecutablePath;
+		string UserEnvPATH;
 		bool UseDummySudoPassword;
 
+#if defined(TC_UNIX)
+		bool AllowInsecureMount;
+#endif
+
 	private:
 		CoreBase (const CoreBase &);
 		CoreBase &operator= (const CoreBase &);
 	};
diff --git a/src/Core/Unix/CoreService.cpp b/src/Core/Unix/CoreService.cpp
index c2eb2bf0..712dbab4 100644
--- a/src/Core/Unix/CoreService.cpp
+++ b/src/Core/Unix/CoreService.cpp
@@ -98,8 +98,13 @@ namespace VeraCrypt
 			while (true)
 			{
 				shared_ptr <CoreServiceRequest> request = Serializable::DeserializeNew <CoreServiceRequest> (inputStream);
 
+				// Update Core properties based on the received request
+				Core->SetUserEnvPATH (request->UserEnvPATH);
+				Core->ForceUseDummySudoPassword(request->UseDummySudoPassword);
+				Core->SetAllowInsecureMount(request->AllowInsecureMount);
+
 				try
 				{
 					// ExitRequest
 					if (dynamic_cast <ExitRequest*> (request.get()) != nullptr)
@@ -282,14 +287,19 @@ namespace VeraCrypt
 	{
 		static Mutex mutex;
 		ScopeLock lock (mutex);
 
+		// Copy Core properties to the request so that they can be transferred to the elevated process
+		request.ApplicationExecutablePath = Core->GetApplicationExecutablePath();
+		request.UserEnvPATH = Core->GetUserEnvPATH();
+		request.UseDummySudoPassword = Core->GetUseDummySudoPassword();
+		request.AllowInsecureMount = Core->GetAllowInsecureMount();
+
 		if (request.RequiresElevation())
 		{
 			request.ElevateUserPrivileges = true;
 			request.FastElevation = !ElevatedServiceAvailable;
-			request.ApplicationExecutablePath = Core->GetApplicationExecutablePath();
-
+			
 			while (!ElevatedServiceAvailable)
 			{
 				//	Test if the user has an active "sudo" session.
 				bool authCheckDone = false;
diff --git a/src/Core/Unix/CoreServiceRequest.cpp b/src/Core/Unix/CoreServiceRequest.cpp
index 900fbcc4..14e2ec28 100644
--- a/src/Core/Unix/CoreServiceRequest.cpp
+++ b/src/Core/Unix/CoreServiceRequest.cpp
@@ -22,8 +22,11 @@ namespace VeraCrypt
 		sr.Deserialize ("AdminPassword", AdminPassword);
 		ApplicationExecutablePath = sr.DeserializeWString ("ApplicationExecutablePath");
 		sr.Deserialize ("ElevateUserPrivileges", ElevateUserPrivileges);
 		sr.Deserialize ("FastElevation", FastElevation);
+		sr.Deserialize ("UserEnvPATH", UserEnvPATH);
+		sr.Deserialize ("UseDummySudoPassword", UseDummySudoPassword);
+		sr.Deserialize ("AllowInsecureMount", AllowInsecureMount);
 	}
 
 	void CoreServiceRequest::Serialize (shared_ptr <Stream> stream) const
 	{
@@ -32,8 +35,11 @@ namespace VeraCrypt
 		sr.Serialize ("AdminPassword", AdminPassword);
 		sr.Serialize ("ApplicationExecutablePath", wstring (ApplicationExecutablePath));
 		sr.Serialize ("ElevateUserPrivileges", ElevateUserPrivileges);
 		sr.Serialize ("FastElevation", FastElevation);
+		sr.Serialize ("UserEnvPATH", UserEnvPATH);
+		sr.Serialize ("UseDummySudoPassword", UseDummySudoPassword);
+		sr.Serialize ("AllowInsecureMount", AllowInsecureMount);
 	}
 
 	// CheckFilesystemRequest
 	void CheckFilesystemRequest::Deserialize (shared_ptr <Stream> stream)
diff --git a/src/Core/Unix/CoreServiceRequest.h b/src/Core/Unix/CoreServiceRequest.h
index c00a865d..77778ca2 100644
--- a/src/Core/Unix/CoreServiceRequest.h
+++ b/src/Core/Unix/CoreServiceRequest.h
@@ -19,17 +19,20 @@
 namespace VeraCrypt
 {
 	struct CoreServiceRequest : public Serializable
 	{
-		CoreServiceRequest () : ElevateUserPrivileges (false), FastElevation (false) { }
+		CoreServiceRequest () : ElevateUserPrivileges (false), FastElevation (false), UseDummySudoPassword (false), AllowInsecureMount (false) { }
 		TC_SERIALIZABLE (CoreServiceRequest);
 
 		virtual bool RequiresElevation () const { return false; }
 
 		string AdminPassword;
 		FilePath ApplicationExecutablePath;
 		bool ElevateUserPrivileges;
 		bool FastElevation;
+		string UserEnvPATH;
+		bool UseDummySudoPassword;
+		bool AllowInsecureMount;
 	};
 
 	struct CheckFilesystemRequest : CoreServiceRequest
 	{
diff --git a/src/Core/Unix/CoreUnix.cpp b/src/Core/Unix/CoreUnix.cpp
index f6827806..1f2d3125 100644
--- a/src/Core/Unix/CoreUnix.cpp
+++ b/src/Core/Unix/CoreUnix.cpp
@@ -595,8 +595,19 @@ namespace VeraCrypt
 
 		if (IsVolumeMounted (*options.Path))
 			throw VolumeAlreadyMounted (SRC_POS);
 
+		if (options.MountPoint && !options.MountPoint->IsEmpty())
+		{
+			// Reject if the mount point is a system directory
+			if (IsProtectedSystemDirectory(*options.MountPoint))
+				throw MountPointBlocked (SRC_POS);
+
+			// Reject if the mount point is in the user's PATH and the user has not explicitly allowed insecure mount points
+			if (!GetAllowInsecureMount() && IsDirectoryOnUserPath(*options.MountPoint))
+				throw MountPointNotAllowed (SRC_POS);
+		}
+
 		Cipher::EnableHwSupport (!options.NoHardwareCrypto);
 
 		shared_ptr <Volume> volume;
 
@@ -827,5 +838,101 @@ namespace VeraCrypt
 		stringstream s;
 		s << GetDefaultMountPointPrefix() << slotNumber;
 		return s.str();
 	}
+
+	bool CoreUnix::IsProtectedSystemDirectory (const DirectoryPath &directory) const
+	{
+		static const char* systemDirs[] = {
+			"/usr",
+			"/bin",
+			"/sbin",
+			"/lib",
+#ifdef TC_LINUX
+			"/lib32",
+			"/lib64",
+			"/libx32",
+#endif
+			"/etc",
+			"/boot",
+			"/root",
+			"/proc",
+			"/sys",
+			"/dev",
+			NULL
+		};
+
+		// Resolve any symlinks in the path
+		string path(directory);
+		char* resolvedPathCStr = realpath(path.c_str(), NULL);
+		if (resolvedPathCStr)
+		{
+			path = resolvedPathCStr;
+			free(resolvedPathCStr); // Free the allocated memory
+		}
+
+		// reject of the path is the root directory "/"
+		if (path == "/")
+			return true;
+
+		// Check if resolved path matches any system directory
+		for (int i = 0; systemDirs[i] != NULL; ++i)
+		{
+			if (path == systemDirs[i] || path.find(string(systemDirs[i]) + "/") == 0)
+				return true;
+		}
+
+		return false;
+	}
+
+	bool CoreUnix::IsDirectoryOnUserPath(const DirectoryPath &directory) const
+	{
+		// Obtain the PATH environment variable
+		const char* pathEnv = UserEnvPATH.c_str();
+		if (!pathEnv[0])
+			return false;
+
+		// Resolve the given directory
+		string dirPath(directory);
+		char* resolvedDir = realpath(dirPath.c_str(), NULL);
+		if (resolvedDir)
+		{
+			dirPath = resolvedDir;
+			free(resolvedDir);
+		}
+
+		// Split PATH and compare each entry
+		stringstream ss(pathEnv);
+		string token;
+		while (getline(ss, token, ':'))
+		{
+			// remove any trailing slashes from the token
+			while (!token.empty() && token.back() == '/')
+				token.pop_back();
+
+			if (token.empty())
+				continue;
+
+			// check if the directory is the same as the entry or a subdirectory
+			if (dirPath == token || dirPath.find(token + "/") == 0)
+				return true;
+
+			// handle the case where the PATH entry is a symlink
+			char* resolvedEntry = realpath(token.c_str(), NULL);
+			if (!resolvedEntry)
+				continue; // skip to the next entry since the path does not exist
+
+			string entryPath(resolvedEntry);
+			free(resolvedEntry);
+
+			// remove any trailing slashes from the token
+			while (!entryPath.empty() && entryPath.back() == '/')
+				entryPath.pop_back();
+
+			// perform check again if the resolved path is different from the original (symlink)
+			if (dirPath == entryPath || dirPath.find(entryPath + "/") == 0)
+				return true;
+		}
+
+		return false;
+	}
 }
diff --git a/src/Core/Unix/CoreUnix.h b/src/Core/Unix/CoreUnix.h
index 0f1ab344..ae26bf0a 100644
--- a/src/Core/Unix/CoreUnix.h
+++ b/src/Core/Unix/CoreUnix.h
@@ -47,8 +47,10 @@ namespace VeraCrypt
 		virtual shared_ptr <VolumeInfo> MountVolume (MountOptions &options);
 		virtual void SetFileOwner (const FilesystemPath &path, const UserId &owner) const;
 		virtual DirectoryPath SlotNumberToMountPoint (VolumeSlotNumber slotNumber) const;
 		virtual void WipePasswordCache () const { throw NotApplicable (SRC_POS); }
+		virtual bool IsProtectedSystemDirectory (const DirectoryPath &directory) const;
+		virtual bool IsDirectoryOnUserPath(const DirectoryPath &directory) const;
 
 	protected:
 		virtual DevicePath AttachFileToLoopDevice (const FilePath &filePath, bool readOnly) const { throw NotApplicable (SRC_POS); }
 		virtual void DetachLoopDevice (const DevicePath &devicePath) const { throw NotApplicable (SRC_POS); }
diff --git a/src/Main/CommandLineInterface.cpp b/src/Main/CommandLineInterface.cpp
index f2f5e793..9994e450 100644
--- a/src/Main/CommandLineInterface.cpp
+++ b/src/Main/CommandLineInterface.cpp
@@ -32,8 +32,11 @@ namespace VeraCrypt
 		ArgAllowScreencapture (false),
 		ArgDisableFileSizeCheck (false),
 		ArgUseLegacyPassword (false),
 		ArgUseDummySudoPassword (false),
+#if defined(TC_UNIX)
+		ArgAllowInsecureMount (false),
+ #endif
 		StartBackgroundTask (false)
 	{
 		wxCmdLineParser parser;
 		parser.SetCmdLine (argc, argv);
@@ -107,8 +110,11 @@ namespace VeraCrypt
 		parser.AddSwitch (L"",	L"legacy-password-maxlength", _("Use legacy maximum password length (64 UTF-8 bytes)"));
 #if defined(TC_LINUX ) || defined (TC_FREEBSD)
 		parser.AddSwitch (L"",	L"use-dummy-sudo-password",	_("Use dummy password in sudo to detect if it is already authenticated"));
 #endif
+#if defined(TC_UNIX)
+		parser.AddSwitch (L"",	L"allow-insecure-mount",	_("Allow mounting volumes on mount points that are in the user's PATH"));
+#endif
 		wxString str;
 		bool param1IsVolume = false;
 		bool param1IsMountedVolumeSpec = false;
 		bool param1IsMountPoint = false;
@@ -375,8 +381,12 @@ namespace VeraCrypt
 		ArgDisableFileSizeCheck = parser.Found (L"no-size-check");
 		ArgUseLegacyPassword = parser.Found (L"legacy-password-maxlength");		
 		ArgUseDummySudoPassword = parser.Found (L"use-dummy-sudo-password");
 
+#if defined(TC_UNIX)
+		ArgAllowInsecureMount = parser.Found (L"allow-insecure-mount");
+#endif
+
 #if !defined(TC_WINDOWS) && !defined(TC_MACOSX)
 		if (parser.Found (L"fs-options", &str))
 			ArgMountOptions.FilesystemOptions = str;
 #endif
diff --git a/src/Main/CommandLineInterface.h b/src/Main/CommandLineInterface.h
index bab1eb87..c255feb0 100644
--- a/src/Main/CommandLineInterface.h
+++ b/src/Main/CommandLineInterface.h
@@ -88,8 +88,12 @@ namespace VeraCrypt
         bool ArgDisableFileSizeCheck;
         bool ArgUseLegacyPassword;
         bool ArgUseDummySudoPassword;
 
+#if defined(TC_UNIX)
+		bool ArgAllowInsecureMount;
+#endif
+
 		bool StartBackgroundTask;
 		UserPreferences Preferences;
 
 	protected:
diff --git a/src/Main/Forms/MountOptionsDialog.cpp b/src/Main/Forms/MountOptionsDialog.cpp
index d9ffca6b..32b7ae57 100644
--- a/src/Main/Forms/MountOptionsDialog.cpp
+++ b/src/Main/Forms/MountOptionsDialog.cpp
@@ -33,16 +33,29 @@ namespace VeraCrypt
 #ifdef __WXGTK__ // GTK apparently needs wxRESIZE_BORDER to support dynamic resizing
 		, wxDefaultPosition, wxSize (-1,-1), wxDEFAULT_DIALOG_STYLE | wxRESIZE_BORDER
 #endif
 		), Options (options)
+#ifdef TC_UNIX
+		, m_showRedBorder(false)
+#endif
 	{
 		if (!title.empty())
 			this->SetTitle (title);
 		else if (options.Path && !options.Path->IsEmpty())
 			this->SetTitle (StringFormatter (LangString["ENTER_PASSWORD_FOR"], wstring (*options.Path)));
 		else
 			this->SetTitle (LangString["ENTER_TC_VOL_PASSWORD"]);
 
+#ifdef TC_UNIX
+		if (Gui->InsecureMountAllowed())
+		{
+			this->SetTitle (LangString["INSECURE_MODE"] + L" - " + this->GetTitle());
+			m_showRedBorder = true;
+			Bind(wxEVT_PAINT, &MountOptionsDialog::OnPaint, this);  
+			Bind(wxEVT_SIZE, &MountOptionsDialog::OnSize, this);
+		}
+#endif
+
 		if (disableMountOptions)
 			OptionsButton->Show (false);
 			
 
@@ -229,5 +242,28 @@ namespace VeraCrypt
 		Fit();
 		Layout();
 		MainSizer->Fit( this );
 	}
+
+#ifdef TC_UNIX
+	void MountOptionsDialog::OnPaint(wxPaintEvent& event)  
+	{  
+		wxPaintDC dc(this);  
+		if (m_showRedBorder)  
+		{  
+			wxSize size = GetClientSize();  
+			wxPen pen(*wxRED, 3); // 3 pixels width  
+			dc.SetPen(pen);  
+			dc.SetBrush(*wxTRANSPARENT_BRUSH);  
+			dc.DrawRectangle(0, 0, size.GetWidth(), size.GetHeight());  
+		}  
+		event.Skip();  
+	}  
+	
+	void MountOptionsDialog::OnSize(wxSizeEvent& event)  
+	{  
+		event.Skip();  
+		if (m_showRedBorder)  
+			Refresh();  
+	}
+#endif
 }
diff --git a/src/Main/Forms/MountOptionsDialog.h b/src/Main/Forms/MountOptionsDialog.h
index d0677820..b9bf38ea 100644
--- a/src/Main/Forms/MountOptionsDialog.h
+++ b/src/Main/Forms/MountOptionsDialog.h
@@ -39,9 +39,18 @@ namespace VeraCrypt
 		void OnProtectionHyperlinkClick (wxHyperlinkEvent& event);
 		void OnReadOnlyCheckBoxClick (wxCommandEvent& event) { UpdateDialog(); }
 		void UpdateDialog ();
 
+#ifdef TC_UNIX
+		// Used for displaying a red border around the dialog window when insecure mode is enabled
+		void OnPaint(wxPaintEvent& event);
+		void OnSize(wxSizeEvent& event);
+#endif
+
 		MountOptions &Options;
+#ifdef TC_UNIX
+		bool m_showRedBorder;
+#endif
 		wxString OptionsButtonLabel;
 		VolumePasswordPanel *PasswordPanel;
 		VolumePasswordPanel *ProtectionPasswordPanel;
 	};
diff --git a/src/Main/Forms/WaitDialog.cpp b/src/Main/Forms/WaitDialog.cpp
index f8180c1d..2489a17b 100644
--- a/src/Main/Forms/WaitDialog.cpp
+++ b/src/Main/Forms/WaitDialog.cpp
@@ -116,7 +116,10 @@ namespace VeraCrypt
 		VC_CONVERT_EXCEPTION (InvalidEMVPath);
 		VC_CONVERT_EXCEPTION (EMVKeyfileDataNotFound);
 		VC_CONVERT_EXCEPTION (EMVPANNotFound);
 
+		VC_CONVERT_EXCEPTION (MountPointBlocked);
+		VC_CONVERT_EXCEPTION (MountPointNotAllowed);
+
 		throw *ex;
 	}
 }
diff --git a/src/Main/GraphicUserInterface.cpp b/src/Main/GraphicUserInterface.cpp
index a6ce2a0c..84daa1aa 100644
--- a/src/Main/GraphicUserInterface.cpp
+++ b/src/Main/GraphicUserInterface.cpp
@@ -1081,9 +1081,14 @@ namespace VeraCrypt
 			Gui->Connect (wxEVT_POWER_SUSPENDING, wxPowerEventHandler (GraphicUserInterface::OnPowerSuspending));
 #endif
 
 			mMainFrame = new MainFrame (nullptr);
-
+#if defined(TC_UNIX)
+			if (CmdLine->ArgAllowInsecureMount)
+			{
+				mMainFrame->SetTitle (mMainFrame->GetTitle() + wxT(" ") + LangString["INSECURE_MODE"]);
+			}
+#endif
 			if (CmdLine->StartBackgroundTask)
 			{
 				UserPreferences prefs = GetPreferences ();
 				prefs.BackgroundTaskEnabled = true;
diff --git a/src/Main/UserInterface.cpp b/src/Main/UserInterface.cpp
index 5798cb31..8da77f5b 100644
--- a/src/Main/UserInterface.cpp
+++ b/src/Main/UserInterface.cpp
@@ -540,8 +540,11 @@ namespace VeraCrypt
 #ifdef TC_MACOSX
 		EX2MSG (HigherFuseVersionRequired,			LangString["LINUX_EX2MSG_HIGHERFUSEVERSIONREQUIRED"]);
 #endif
 
+		EX2MSG (MountPointBlocked,					LangString["MOUNTPOINT_BLOCKED"]);
+		EX2MSG (MountPointNotAllowed,				LangString["MOUNTPOINT_NOTALLOWED"]);
+
 #undef EX2MSG
 		return L"";
 	}
 
@@ -559,8 +562,9 @@ namespace VeraCrypt
 		CmdLine.reset (new CommandLineInterface (argc, argv, InterfaceType));
 		SetPreferences (CmdLine->Preferences);
 
 		Core->SetApplicationExecutablePath (Application::GetExecutablePath());
+		Core->SetUserEnvPATH (getenv ("PATH"));
 
 		if (!Preferences.NonInteractive)
 		{
 			Core->SetAdminPasswordCallback (GetAdminPasswordRequestHandler());
@@ -571,8 +575,12 @@ namespace VeraCrypt
 		}
 
 		Core->ForceUseDummySudoPassword (CmdLine->ArgUseDummySudoPassword);
 
+#if defined(TC_UNIX)
+		Core->SetAllowInsecureMount (CmdLine->ArgAllowInsecureMount);
+#endif
+
 		Core->WarningEvent.Connect (EventConnector <UserInterface> (this, &UserInterface::OnWarning));
 		Core->VolumeMountedEvent.Connect (EventConnector <UserInterface> (this, &UserInterface::OnVolumeMounted));
 
 		if (!CmdLine->Preferences.SecurityTokenModule.IsEmpty() && !SecurityToken::IsInitialized())
@@ -1645,8 +1653,15 @@ const FileManager fileManagers[] = {
 
 		return sResult;
 	}
 
+#ifdef TC_UNIX
+	bool UserInterface::InsecureMountAllowed () const
+	{
+		return CmdLine->ArgAllowInsecureMount;
+	}
+#endif
+
 	#define VC_CONVERT_EXCEPTION(NAME) if (dynamic_cast<NAME*> (ex)) throw (NAME&) *ex;
 
 	void UserInterface::ThrowException (Exception* ex)
 	{
@@ -1733,7 +1748,10 @@ const FileManager fileManagers[] = {
 		VC_CONVERT_EXCEPTION (InvalidEMVPath);
 		VC_CONVERT_EXCEPTION (EMVKeyfileDataNotFound);
 		VC_CONVERT_EXCEPTION (EMVPANNotFound);
 
+		VC_CONVERT_EXCEPTION (MountPointBlocked);
+		VC_CONVERT_EXCEPTION (MountPointNotAllowed);
+
 		throw *ex;
 	}
 }
diff --git a/src/Main/UserInterface.h b/src/Main/UserInterface.h
index 0c742bc7..d04f0214 100644
--- a/src/Main/UserInterface.h
+++ b/src/Main/UserInterface.h
@@ -85,9 +85,11 @@ namespace VeraCrypt
 		virtual WaitThreadUI* GetWaitThreadUI(WaitThreadRoutine *pRoutine) const { return new WaitThreadUI(pRoutine);}
 		virtual wxDateTime VolumeTimeToDateTime (VolumeTime volumeTime) const { return wxDateTime ((time_t) (volumeTime / 1000ULL / 1000 / 10 - 134774ULL * 24 * 3600)); }
 		virtual wxString VolumeTimeToString (VolumeTime volumeTime) const;
 		virtual wxString VolumeTypeToString (VolumeType::Enum type, VolumeProtection::Enum protection) const;
-
+#ifdef TC_UNIX
+		virtual bool InsecureMountAllowed () const;
+#endif
 		Event PreferencesUpdatedEvent;
 
 		struct BusyScope
 		{
diff --git a/src/Platform/Exception.h b/src/Platform/Exception.h
index 4f3838ea..a768bfda 100644
--- a/src/Platform/Exception.h
+++ b/src/Platform/Exception.h
@@ -95,9 +95,11 @@ namespace VeraCrypt
 	TC_EXCEPTION (TerminalNotFound); \
 	TC_EXCEPTION (TestFailed); \
 	TC_EXCEPTION (TimeOut); \
 	TC_EXCEPTION (UnknownException); \
-	TC_EXCEPTION (UserAbort)
+	TC_EXCEPTION (UserAbort); \
+	TC_EXCEPTION (MountPointBlocked); \
+	TC_EXCEPTION (MountPointNotAllowed)
 
 	TC_EXCEPTION_SET;
 
 #undef TC_EXCEPTION