author | netblue30 <netblue30@yahoo.com> | 2016-04-20 09:16:35 -0400 |
committer | netblue30 <netblue30@yahoo.com> | 2016-04-20 09:16:35 -0400 |
commit | 66cd15982d1d763afe70852aa4b3342313d04656 (patch) | |
tree | 3932ee28779d6fc508d07f6c641b5732305c114b | |
parent | fix: --private-etc and --writable-etc are mutually exclusive (diff) | |
profile support for writable-etc and writable-var
-rw-r--r-- | src/firejail/profile.c | 24 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 8 | ||||
-rw-r--r-- | src/man/firejail.txt | 4 |
3 files changed, 34 insertions, 2 deletions
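--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -570,6 +570,30 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 
+// writable-etc
+if (strcmp(ptr, "writable-etc") == 0) {
+if (getuid() != 0) {
+fprintf(stderr, "Error: writable-etc is available only for root user\n");
+exit(1);
+}
+if (cfg.etc_private_keep) {
+fprintf(stderr, "Error: private-etc and writable-etc are mutually exclusive\n");
+exit(1);
+}
+arg_writable_etc = 1;
+return 0;
+}
+
+// writable-var
+if (strcmp(ptr, "writable-var") == 0) {
+if (getuid() != 0) {
+fprintf(stderr, "Error: writable-var is available only for root user\n");
+exit(1);
+}
+arg_writable_var = 1;
+return 0;
+}
+
 // private directory
 if (strncmp(ptr, "private ", 8) == 0) {
 cfg.home_private = ptr + 8;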
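Review bot: The mutual-exclusion check added at new lines 579-582 only fires when `private-etc` was parsed before `writable-etc`; a profile line that sets private-etc after writable-etc passes through this handler unseen, so unless the `private-etc` handler elsewhere in profile_check_line already tests `arg_writable_etc`, the conflict is caught in one order only. Mirroring the check in that handler, `if (arg_writable_etc) { fprintf(stderr, "Error: private-etc and writable-etc are mutually exclusive\n"); exit(1); }`, makes the rejection independent of line order. The `writable-var` branch in the same hunk carries no such check, which is presumably fine only as long as no private-var counterpart exists. profile_check_line starts before this hunk and continues past it.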
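--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -181,6 +181,14 @@ Build a new user home in a temporary filesystem, and mount-bind file_or_director
 The modifications to file_or_directory are persistent, everything else is discarded
 when the sandbox is closed.
 .TP
+\fBwritable-etc
+Mount /etc directory read-write. This option is available only
+when running the sandbox as root user.
+.TP
+\fBwritable-var
+Mount /var directory read-write. This option is available only
+when running the sandbox as root user.
+.TP
 \fBtracelog
 Blacklist violations logged to syslog.
 .SH Security filters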
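--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1463,7 +1463,7 @@ $ firejail "\-\-whitelist=/home/username/My Virtual Machines"
 
 .TP
 \fB\-\-writable-etc
-Mount /etc directory read-write. This option is available only when running the sandbox as root user
+Mount /etc directory read-write. This option is available only when running the sandbox as root user.
 .br
 
 .br
@@ -1473,7 +1473,7 @@ $ sudo firejail --writable-etc
 
 .TP
 \fB\-\-writable-var
-Mount /var directory read-write. This option is available only when running the sandbox as root user
+Mount /var directory read-write. This option is available only when running the sandbox as root user.
 .br
 
 .br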