Merge pull request #990 from pmillerchip/private-blacklist

Implement the --allow-private-blacklist option
author: netblue30 <netblue30@yahoo.com> 2016-12-19 08:02:35 -0500
committer: GitHub <noreply@github.com> 2016-12-19 08:02:35 -0500
commit: 0bac2767e3f5596b1a1adbb21028416fc933634c (patch)
tree: d5201c97168b2050bc5b4fce8c63334f1d3427aa
parent: profile updates (diff)
parent: Implement the --allow-private-blacklist option (diff)
download: firejail-0bac2767e3f5596b1a1adbb21028416fc933634c.tar.gz
firejail-0bac2767e3f5596b1a1adbb21028416fc933634c.tar.zst
firejail-0bac2767e3f5596b1a1adbb21028416fc933634c.zip
5 files changed, 20 insertions, 2 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 8fede5a69..de939439d 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -208,7 +208,7 @@ typedef struct config_t {
        char *bin_private_keep; // keep list for private bin directory
        char *cwd;              // current working directory
        char *overlay_dir;
-   char *private_template; // template dir for tmpfs home
+        char *private_template; // template dir for tmpfs home
        // networking
        char *name;             // sandbox name
@@ -285,6 +285,7 @@ void clear_run_files(pid_t pid);
 extern int arg_private;         // mount private /home
 extern int arg_private_template; // private /home template
+extern int arg_allow_private_blacklist;  // blacklist things in private directories
 extern int arg_debug;           // print debug messages
 extern int arg_debug_check_filename;            // print debug messages for filename checking
 extern int arg_debug_blacklists;        // print debug messages for blacklists
@@ -564,6 +565,7 @@ void network_del_run_file(pid_t pid);
 void network_set_run_file(pid_t pid);
 // fs_etc.c
+void fs_machineid(void);
 void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list);
 // no_sandbox.c
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 890f281aa..e2fc09533 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -216,6 +216,15 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
                                exit(1);
                        }
                }
+                // We don't usually need to blacklist things in private home directories
+                if (okay_to_blacklist
+                 && cfg.homedir
+                 && arg_private
+                 && (!arg_allow_private_blacklist)
+                 && (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0))
+                        okay_to_blacklist = false;
                if (okay_to_blacklist)
                        disable_file(op, path);
                else if (arg_debug)
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index a27c0e41b..479383af2 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -21,6 +21,7 @@
 #include <sys/mount.h>
 #include <sys/stat.h>
 #include <sys/types.h>
+#include <time.h>
 #include <unistd.h>
 // spoof /etc/machine_id
diff --git a/src/firejail/main.c b/src/firejail/main.c
index b25bad9f2..65d2b9d44 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -112,6 +112,7 @@ int arg_x11_block = 0;				// block X11
 int arg_x11_xorg = 0;                           // use X11 security extention
 int arg_allusers = 0;                           // all user home directories visible
 int arg_machineid = 0;                          // preserve /etc/machine-id
+int arg_allow_private_blacklist = 0;  // blacklist things in private directories
 int login_shell = 0;
@@ -1463,6 +1464,9 @@ int main(int argc, char **argv) {
                else if (strcmp(argv[i], "--machine-id") == 0) {
                        arg_machineid = 1;
                }
+                else if (strcmp(argv[i], "--allow-private-blacklist") == 0) {
+                        arg_allow_private_blacklist = 1;
+                }
                else if (strcmp(argv[i], "--private") == 0) {
                        arg_private = 1;
                }
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index db3c25a5a..1131abe5f 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -30,12 +30,14 @@ void usage(void) {
        printf("Options:\n");
        printf("    -- - signal the end of options and disables further option processing.\n");
        printf("    --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n");
+        printf("    --allow-private-blacklist - allow blacklisting things in private\n");
+        printf("\tdirectories.\n");
        printf("    --allusers - all user home directories are visible inside the sandbox.\n");
        printf("    --apparmor - enable AppArmor confinement.\n");
        printf("    --appimage - sandbox an AppImage application.\n");
        printf("    --audit[=test-program] - audit the sandbox.\n");
 #ifdef HAVE_NETWORK     
-        printf("    --bandwidth=name|pid - set  bandwidth  limits\n");
+        printf("    --bandwidth=name|pid - set bandwidth limits.\n");
 #endif
 #ifdef HAVE_BIND                
        printf("    --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n");
author	netblue30 <netblue30@yahoo.com>	2016-12-19 08:02:35 -0500
committer	GitHub <noreply@github.com>	2016-12-19 08:02:35 -0500
commit	0bac2767e3f5596b1a1adbb21028416fc933634c (patch)
tree	d5201c97168b2050bc5b4fce8c63334f1d3427aa
parent	profile updates (diff)
parent	Implement the --allow-private-blacklist option (diff)
download	firejail-0bac2767e3f5596b1a1adbb21028416fc933634c.tar.gz firejail-0bac2767e3f5596b1a1adbb21028416fc933634c.tar.zst firejail-0bac2767e3f5596b1a1adbb21028416fc933634c.zip