author | netblue30 <netblue30@yahoo.com> | 2017-10-27 09:37:09 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-10-27 09:37:09 -0400 |
commit | e8cf957a8bf3deda07e608e0c482b38cd573627a (patch) | |
tree | c935731763eb38af17354e91e123a3f02afc3b21 | |
parent | modif: remount-proc-sys deprecated from firejail.config (diff) | |
download | firejail-e8cf957a8bf3deda07e608e0c482b38cd573627a.tar.gz firejail-e8cf957a8bf3deda07e608e0c482b38cd573627a.tar.zst firejail-e8cf957a8bf3deda07e608e0c482b38cd573627a.zip |
modif: --profile-path was deprecated
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 35 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 31 | ||||
-rw-r--r-- | src/man/firejail.txt | 15 |
4 files changed, 7 insertions, 75 deletions
@@ -4,6 +4,7 @@ firejail (0.9.51) baseline; urgency=low | |||
4 | read-only, read-write, tmpfs and noexec are allowed in | 4 | read-only, read-write, tmpfs and noexec are allowed in |
5 | private home directories | 5 | private home directories |
6 | * modif: remount-proc-sys deprecated from firejail.config | 6 | * modif: remount-proc-sys deprecated from firejail.config |
7 | * modif: --profile-path deprecated | ||
7 | * enhancement: support Firejail user config directory in firecfg | 8 | * enhancement: support Firejail user config directory in firecfg |
8 | * enhancement: disable DBus activation in firecfg | 9 | * enhancement: disable DBus activation in firecfg |
9 | * enhancement; enumerate root directories in apparmor profile | 10 | * enhancement; enumerate root directories in apparmor profile |
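diff --git a/src/firejail/main.c b/src/firejail/main.c
index 069aa6ca8..7730e8384 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -888,8 +888,6 @@ int main(int argc, char **argv) {
 	int option_cgroup = 0;
 	int option_force = 0;
 	int custom_profile = 0;	// custom profile loaded
-	char *custom_profile_dir = NULL;	// custom profile directory
-
 
 	atexit(clear_atexit);
 
@@ -1497,22 +1495,8 @@ int main(int argc, char **argv) {
 			free(ppath);
 		}
 		else if (strncmp(argv[i], "--profile-path=", 15) == 0) {
-			if (arg_noprofile) {
-				fprintf(stderr, "Error: --noprofile and --profile-path options are mutually exclusive\n");
-				exit(1);
-			}
-			custom_profile_dir = expand_home(argv[i] + 15, cfg.homedir);
-			invalid_filename(custom_profile_dir, 0); // no globbing
-			if (!is_dir(custom_profile_dir) || is_link(custom_profile_dir) || strstr(custom_profile_dir, "..")) {
-				fprintf(stderr, "Error: invalid profile path\n");
-				exit(1);
-			}
-
-			// access call checks as real UID/GID, not as effective UID/GID
-			if (access(custom_profile_dir, R_OK)) {
-				fprintf(stderr, "Error: cannot access profile directory\n");
-				return 1;
-			}
+			if (!arg_quiet)
+				fprintf(stderr, "Warning: --profile-path has been deprecated\n");
 		}
 		else if (strcmp(argv[i], "--noprofile") == 0) {
 			if (custom_profile) {
@@ -2398,11 +2382,7 @@ int main(int argc, char **argv) {
 		}
 		if (!custom_profile) {
 			// look for a user profile in /etc/firejail directory
-			int rv;
-			if (custom_profile_dir)
-				rv = profile_find(cfg.command_name, custom_profile_dir);
-			else
-				rv = profile_find(cfg.command_name, SYSCONFDIR);
+			int rv = profile_find(cfg.command_name, SYSCONFDIR);
 			custom_profile = rv;
 		}
 	}
@@ -2430,13 +2410,10 @@ int main(int argc, char **argv) {
 		custom_profile = profile_find(profile_name, usercfgdir);
 		free(usercfgdir);
 
-		if (!custom_profile) {
+		if (!custom_profile)
 			// look for the profile in /etc/firejail directory
-			if (custom_profile_dir)
-				custom_profile = profile_find(profile_name, custom_profile_dir);
-			else
-				custom_profile = profile_find(profile_name, SYSCONFDIR);
-		}
+			custom_profile = profile_find(profile_name, SYSCONFDIR);
+
 		if (!custom_profile) {
 			fprintf(stderr, "Error: no default.profile installed\n");
 			exit(1);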
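Review bot: The replacement at new line 1498 turns `--profile-path=` into a warning that `--quiet` suppresses, so a caller who still passes a directory of hardened profiles now gets the /etc/firejail profiles applied instead with no message at all (the third and fourth hunks unconditionally fall back to SYSCONFDIR). Because the option used to select which security policy is loaded, the notice should not depend on `arg_quiet`: drop the `if (!arg_quiet)` guard, or reject the option outright with `fprintf(stderr, "Error: --profile-path is no longer supported\n"); exit(1);` so the mismatch cannot go unnoticed. The warning text would also be more useful if it said what happens now, e.g. `"Warning: --profile-path has been deprecated, profiles are read from /etc/firejail\n"`. As a point of style, the unbraced `if (!custom_profile)` at new line 2413 has a comment line between the condition and its body; bracing it keeps the intent obvious. The enclosing main() starts and ends outside these hunks.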
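diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 39680ab0a..77bdffb62 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -594,37 +594,6 @@ instead of the default one.
 Join the sandbox identified by name or start a new one.
 Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname".
 
-.SH RELOCATING PROFILES
-For various reasons some users might want to keep the profile files in a different directory.
-Using \fB--profile-path\fR command line option, Firejail can be instructed to look for profiles
-into this directory.
-
-This is an example of relocating the profile files into a new
-directory, /home/netblue/myprofiles. Start by creating the new directory and copy all
-the profile files in:
-.br
-
-.br
-$ mkdir ~/myprofiles && cd ~/myprofiles && cp /etc/firejail/* .
-.br
-
-.br
-Using \fBsed\fR utility, modify the absolute paths for \fBinclude\fR commands:
-.br
-
-.br
-$ sed -i "s/\\/etc\\/firejail/\\/home\\/netblue\\/myprofiles/g" *.profile
-.br
-$ sed -i "s/\\/etc\\/firejail/\\/home\\/netblue\\/myprofiles/g" *.inc
-.br
-
-.br
-Start Firejail using the new path:
-.br
-
-.br
-$ firejail --profile-path=~/myprofiles
-
 .SH FILES
 /etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile
 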
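diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index d725bb883..476050d9c 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1451,21 +1451,6 @@ $ firejail \-\-profile.print=browser
 .br
 /etc/firejail/firefox.profile
 .br
-
-.TP
-\fB\-\-profile-path=directory
-Use this directory to look for profile files. Use an absolute path or a path in the home directory starting with ~/.
-For more information, see \fBSECURITY PROFILES\fR section below and \fBRELOCATING PROFILE FILES\fR in
-\fBman 5 firejail-profile\fR.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-profile-path=~/myprofiles
-.br
-$ firejail \-\-profile-path=/home/netblue/myprofiles
-
 .TP
 \fB\-\-protocol=protocol,protocol,protocol
 Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call.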