authorLibravatar netblue30 <netblue30@yahoo.com>2017-02-09 09:03:35 -0500
committerLibravatar netblue30 <netblue30@yahoo.com>2017-02-09 09:03:35 -0500
commit85c8cc454d3df3a83667556f7ddfafe66a78d421 (patch)
tree959478baa7851914746796128dbb9bba732b645a
parentfiremon fix (diff)
downloadfirejail-85c8cc454d3df3a83667556f7ddfafe66a78d421.tar.gz
firejail-85c8cc454d3df3a83667556f7ddfafe66a78d421.tar.zst
firejail-85c8cc454d3df3a83667556f7ddfafe66a78d421.zip
adding macro for include command in profile files
-rw-r--r--src/firejail/main.c15
-rw-r--r--src/firejail/profile.c22
-rw-r--r--src/firejail/util.c5
-rw-r--r--src/man/firejail-profile.txt16
4 files changed, 34 insertions, 24 deletions
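--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1362,6 +1362,8 @@ int main(int argc, char **argv) {
 }
 #endif
 else if (strncmp(argv[i], "--profile=", 10) == 0) {
+// multiple profile files are allowed!
+
 if (arg_noprofile) {
 fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n");
 exit(1);
@@ -1370,19 +1372,6 @@ int main(int argc, char **argv) {
 char *ppath = expand_home(argv[i] + 10, cfg.homedir);
 if (!ppath)
 errExit("strdup");
-invalid_filename(ppath);
-
-// multiple profile files are allowed!
-if (is_dir(ppath) || is_link(ppath) || strstr(ppath, "..")) {
-fprintf(stderr, "Error: invalid profile file\n");
-exit(1);
-}
-
-// access call checks as real UID/GID, not as effective UID/GID
-if (access(ppath, R_OK)) {
-fprintf(stderr, "Error: cannot access profile file\n");
-return 1;
-}
 
 profile_read(ppath);
 custom_profile = 1;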
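Review bot: With the readability check removed from this branch, a command-line `--profile=foo.local` naming a file that does not exist is now skipped silently, because profile_read (patched in the same commit) returns without a message when access() fails on a name ending in ".local"; before this change the --profile= path always reported "cannot access profile file". If silent skipping is only intended for the implicit .local includes, keep an explicit check here, e.g. `if (access(ppath, R_OK)) { fprintf(stderr, "Error: cannot access profile file\n"); exit(1); }` immediately before `profile_read(ppath);`. The relocated `// multiple profile files are allowed!` comment now sits above the --noprofile conflict check, which it does not describe; it reads better next to the profile_read call. main's body starts and ends outside both hunks.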
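--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1013,10 +1013,25 @@ void profile_read(const char *fname) {
 exit(1);
 }
 
+// check file
 if (strlen(fname) == 0) {
 fprintf(stderr, "Error: invalid profile file\n");
 exit(1);
 }
+invalid_filename(fname);
+if (is_dir(fname) || is_link(fname) || strstr(fname, "..")) {
+fprintf(stderr, "Error: invalid profile file\n");
+exit(1);
+}
+if (access(fname, R_OK)) {
+// if the file ends in ".local", do not exit
+char *ptr = strstr(fname, ".local");
+if (ptr && strlen(ptr) == 6)
+return;
+
+fprintf(stderr, "Error: cannot access profile file\n");
+exit(1);
+}
 
 // allow debuggers
 if (arg_allow_debuggers) {
@@ -1027,15 +1042,10 @@ void profile_read(const char *fname) {
 return;
 }
 }
 
 // open profile file:
 FILE *fp = fopen(fname, "r");
 if (fp == NULL) {
-// if the file ends in ".local", do not exit
-char *ptr = strstr(fname, ".local");
-if (ptr && strlen(ptr) == 6)
-return;
-
 fprintf(stderr, "Error: cannot open profile file %s\n", fname);
 exit(1);
 }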
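Review bot: The ".local" test inside the new access() block relies on strstr, which returns the first occurrence, so a path that contains ".local" as an earlier component (for example one under a user's `.local` directory that also ends in ".local") gets `strlen(ptr) != 6` and is treated as a hard error even though its suffix matches; an exact suffix comparison avoids that: `size_t len = strlen(fname); if (len >= 6 && strcmp(fname + len - 6, ".local") == 0) return;`. The explanatory comment that main.c carried on this check was dropped in the move; keeping `// access call checks as real UID/GID, not as effective UID/GID` above `if (access(fname, R_OK)) {` records why a read check precedes fopen here, presumably because the effective and real identities can differ in this binary. Note that the silent return now covers every caller of profile_read, including explicit --profile= arguments, not only the implicit .local includes. profile_read begins and ends outside the hunks.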
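--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -648,6 +648,11 @@ char *expand_home(const char *path, const char* homedir) {
 errExit("asprintf");
 return new_name;
 }
+else if (strncmp(path, "${CFG}", 6) == 0) {
+if (asprintf(&new_name, "%s%s", SYSCONFDIR, path + 6) == -1)
+errExit("asprintf");
+return new_name;
+}
 
 char *rv = strdup(path);
 if (!rv)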
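Review bot: The new `${CFG}` branch makes expand_home expand something other than the home directory, and nothing at the function says so; a comment on the branch such as `// ${CFG}: compiled-in system configuration directory (SYSCONFDIR), used by profile "include" lines` keeps the name from misleading the next reader. The remainder of the path is concatenated verbatim, so `${CFG}foo` yields `<SYSCONFDIR>foo` rather than a file under the configuration directory; if only paths under that directory are intended, reject or insert the separator when `path[6] != '/'`, consistent with whatever the `${HOME}` branch above (mostly outside the hunk) does. Because the --profile= handling in main.c also goes through expand_home, `--profile=${CFG}/...` now works too, while the man page change documents the macro only for include. expand_home's definition begins outside the hunk.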
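--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -81,14 +81,20 @@ Include other.profile file.
 
 Example: "include /etc/firejail/disable-common.inc"
 
-other.profile file name can be prefixed with ${HOME}. This will force Firejail to look for the
-file in user home directory.
+The file name can be prefixed with a macro such as ${HOME} or ${CFG}.
+${HOME} is expanded as user home directory, and ${CFG} is expanded as
+Firejail system configuration directory - in most cases /etc/firejail or
+/usr/local/etc/firejail.
 
 Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file.
 
-If the file is not found, and the file name does not end in ".local", the sandbox exist immediately
-with an error printed on stderr. ".local" files can be used to customize the global configuration
-in /etc/firejail directory. These files are not overwritten during software install.
+Example: "include ${CFG}/firefox.profile" will load "/etc/firejail/firefox.profile" file.
+
+System configuration files in ${CFG} are overwritten during software installation.
+Persistent configuration at system level is handled in ".local" files. For every
+profile file in ${CFG} directory, the user can create a corresponding .local file
+storing modifications to the persistent configuration. Persistent .local files
+are included at the start of regular profile files.
 
 .TP
 \fBnoblacklist file_name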