author | Peter Millerchip <pete@millerchipsoftware.com> | 2016-12-18 14:11:37 +0000 |
---|---|---|
committer | Peter Millerchip <pete@millerchipsoftware.com> | 2016-12-18 14:13:28 +0000 |
commit | a49147ae947c6b9a07f2bb629268b251694b5c22 (patch) | |
tree | d5201c97168b2050bc5b4fce8c63334f1d3427aa | |
parent | Remove compiler warnings on Ubuntu 16.04 (diff) | |
Implement the --allow-private-blacklist option
-rw-r--r-- | src/firejail/firejail.h | 3 | ||||
-rw-r--r-- | src/firejail/fs.c | 9 | ||||
-rw-r--r-- | src/firejail/main.c | 4 | ||||
-rw-r--r-- | src/firejail/usage.c | 4 |
4 files changed, 18 insertions, 2 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 86a669fcd..de939439d 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -208,7 +208,7 @@ typedef struct config_t { | |||
208 | char *bin_private_keep; // keep list for private bin directory | 208 | char *bin_private_keep; // keep list for private bin directory |
209 | char *cwd; // current working directory | 209 | char *cwd; // current working directory |
210 | char *overlay_dir; | 210 | char *overlay_dir; |
211 | char *private_template; // template dir for tmpfs home | 211 | char *private_template; // template dir for tmpfs home |
212 | 212 | ||
213 | // networking | 213 | // networking |
214 | char *name; // sandbox name | 214 | char *name; // sandbox name |
@@ -285,6 +285,7 @@ void clear_run_files(pid_t pid); | |||
285 | 285 | ||
286 | extern int arg_private; // mount private /home | 286 | extern int arg_private; // mount private /home |
287 | extern int arg_private_template; // private /home template | 287 | extern int arg_private_template; // private /home template |
288 | extern int arg_allow_private_blacklist; // blacklist things in private directories | ||
288 | extern int arg_debug; // print debug messages | 289 | extern int arg_debug; // print debug messages |
289 | extern int arg_debug_check_filename; // print debug messages for filename checking | 290 | extern int arg_debug_check_filename; // print debug messages for filename checking |
290 | extern int arg_debug_blacklists; // print debug messages for blacklists | 291 | extern int arg_debug_blacklists; // print debug messages for blacklists |
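--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -216,6 +216,15 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
 exit(1);
 }
 }
+
+// We don't usually need to blacklist things in private home directories
+if (okay_to_blacklist
+&& cfg.homedir
+&& arg_private
+&& (!arg_allow_private_blacklist)
+&& (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0))
+okay_to_blacklist = false;
+
 if (okay_to_blacklist)
 disable_file(op, path);
 else if (arg_debug)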
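Review bot: The home-directory test in the added condition is a bare string-prefix match, `strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0`, so a path that only shares the prefix (a sibling directory whose name begins with the home directory's name) also has its blacklist entry dropped. Require a path-component boundary after the prefix: compute `size_t hlen = strlen(cfg.homedir);` and add `&& (path[hlen] == '/' || path[hlen] == '\0')` after the `strncmp` term. Skipping is also now the default whenever `arg_private` is set, and the only trace is the `arg_debug` branch that follows, so the comment should say why dropping these entries is safe rather than only that it is "usually" unnecessary. globbing() begins and ends outside this hunk.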
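--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -112,6 +112,7 @@ int arg_x11_block = 0; // block X11
 int arg_x11_xorg = 0; // use X11 security extention
 int arg_allusers = 0; // all user home directories visible
 int arg_machineid = 0; // preserve /etc/machine-id
+int arg_allow_private_blacklist = 0; // blacklist things in private directories
 
 int login_shell = 0;
 
@@ -1463,6 +1464,9 @@ int main(int argc, char **argv) {
 else if (strcmp(argv[i], "--machine-id") == 0) {
 arg_machineid = 1;
 }
+else if (strcmp(argv[i], "--allow-private-blacklist") == 0) {
+arg_allow_private_blacklist = 1;
+}
 else if (strcmp(argv[i], "--private") == 0) {
 arg_private = 1;
 }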
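--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -30,12 +30,14 @@ void usage(void) {
 printf("Options:\n");
 printf(" -- - signal the end of options and disables further option processing.\n");
 printf(" --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n");
+printf(" --allow-private-blacklist - allow blacklisting things in private\n");
+printf("\tdirectories.\n");
 printf(" --allusers - all user home directories are visible inside the sandbox.\n");
 printf(" --apparmor - enable AppArmor confinement.\n");
 printf(" --appimage - sandbox an AppImage application.\n");
 printf(" --audit[=test-program] - audit the sandbox.\n");
 #ifdef HAVE_NETWORK
-printf(" --bandwidth=name|pid - set bandwidth limits\n");
+printf(" --bandwidth=name|pid - set bandwidth limits.\n");
 #endif
 #ifdef HAVE_BIND
 printf(" --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n");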
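Review bot: The help text added for `--allow-private-blacklist` does not say that, per the fs.c change in this commit, blacklist entries under the home directory are skipped by default once `--private` is set. A user who relies on a profile's blacklist rules gets no hint from `--help` that they stop applying in that mode. Wording that states the effect directly would be clearer, for example `--allow-private-blacklist - apply blacklist rules inside the home directory even when --private is used.` usage() continues outside this hunk.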