author | netblue30 <netblue30@yahoo.com> | 2015-11-17 10:41:52 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2015-11-17 10:41:52 -0500 |
commit | c3bd40d2404319cca625ecc521a4514d27e8f76a (patch) | |
tree | e26c188478bd45e28c44f58d33e8f06243410c88 | |
parent | handle ~/.config/user-dirs.dirs (diff) | |
allow mixing of whitelist and private
-rw-r--r-- | src/firejail/fs_whitelist.c | 10 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 8 | ||||
-rwxr-xr-x | test/private-whitelist.exp | 36 | ||||
-rwxr-xr-x | test/test.sh | 3 |
4 files changed, 50 insertions, 7 deletions
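--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -213,6 +213,15 @@ void fs_whitelist(void) {
 
 // check for supported directories
 if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) {
+// whitelisting home directory is disabled if --private or --private-home option is present
+if (arg_private) {
+if (arg_debug)
+printf("Removed whitelist path %s, --private option is present\n", entry->data);
+
+*entry->data = '\0';
+continue;
+}
+
 entry->home_dir = 1;
 home_dir = 1;
 // both path and absolute path are under /home
@@ -271,6 +280,7 @@ void fs_whitelist(void) {
 
 // create mount points
 fs_build_mnt_dir();
+
 
 // /home/user
 if (home_dir) {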
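Review bot: The notice for a dropped whitelist entry at new lines 218-219 is printed only under `arg_debug`, so with `--private` a home-directory whitelist line is now discarded without any message in a normal run, whereas the code removed from sandbox.c in this same commit warned on stderr unconditionally. I would keep the notice visible, e.g. `fprintf(stderr, "Warning: whitelist path %s ignored, --private option is present\n", entry->data);`, and mention `--private-home` as well, since the comment above the check covers both options. The entry is retired by blanking its first byte (`*entry->data = '\0'`), which presumably relies on later passes in fs_whitelist() skipping empty entries, and the `continue` leaves the iteration before any release of `new_name` that may follow. Both of those lie outside this hunk and should be confirmed.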
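--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -354,13 +354,7 @@ int sandbox(void* sandbox_arg) {
 //****************************
 if (cfg.profile) {
 // apply all whitelist commands ...
-if (arg_whitelist) {
-// whitelist commands are disabled if --private or --private-home option is present
-if (arg_private == 0)
-fs_whitelist();
-else
-fprintf(stderr, "Warning: whitelists disabled by private or private-home\n");
-}
+fs_whitelist();
 
 // ... followed by blacklist commands
 fs_blacklist();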
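--- /dev/null
+++ b/test/private-whitelist.exp
@@ -0,0 +1,36 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --private --whitelist=/tmp/.X11-unix\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Child process initialized"
+}
+sleep 1
+
+send -- "ls -al /tmp\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+".X11-unix"
+}
+sleep 1
+
+send -- "ls -a /tmp | wc\r"
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"3"
+}
+sleep 1
+
+send -- "ls -a ~ | wc\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"4"
+}
+
+sleep 1
+puts "\nall done\n"
+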
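Review bot: The count checks at lines 24 and 31 match the bare patterns `"3"` and `"4"` against the full three-column `wc` output, so a digit 3 or 4 anywhere in it (a count of 13 or 30, or the character column) satisfies them. The test would therefore still pass if extra entries were visible in /tmp or the home directory. Since this is the assertion that the sandbox exposes nothing beyond the whitelisted path, send `ls -a /tmp | wc -l` and anchor the match, e.g. `-re "\n3\r"`, and likewise for the home directory check. The timeout branches also call plain `exit`, which returns status 0, so test.sh cannot tell a failure from a pass; `exit 1` would fix that.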
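--- a/test/test.sh
+++ b/test/test.sh
@@ -30,6 +30,9 @@ echo "TESTING: private-etc"
 echo "TESTING: private-bin"
 ./private-bin.exp
 
+echo "TESTING: private whitelist"
+./private-whitelist.exp
+
 sleep 1
 rm -fr dir\ with\ space
 mkdir dir\ with\ space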