author | Antoine Catton <devel@antoine.catton.fr> | 2023-01-30 23:55:49 +0100 |
---|---|---|
committer | Antoine Catton <devel@antoine.catton.fr> | 2023-02-03 23:11:18 +0100 |
commit | d0a12f27d650ebed63f14102baa671f3655b50c8 (patch) | |
tree | d9acf7ff384a7bae5f8f4fc6ed687241f1af5eff | |
parent | testing (diff) | |
feature: add 'keep-shell-rc' flag and option
This fixes #1127.
This allows a user to provide their own zshrc/bashrc inside the jail.
This is very useful when using firejail for development, to prevent bad pip
packages from accessing your system.
-rw-r--r-- | contrib/syntax/lists/profile_commands_arg0.list | 1 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs_home.c | 9 | ||||
-rw-r--r-- | src/firejail/main.c | 4 | ||||
-rw-r--r-- | src/firejail/profile.c | 5 | ||||
-rw-r--r-- | src/firejail/usage.c | 1 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 3 | ||||
-rw-r--r-- | src/man/firejail.txt | 8 | ||||
-rw-r--r-- | src/zsh_completion/_firejail.in | 1 |
9 files changed, 30 insertions, 3 deletions
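--- a/contrib/syntax/lists/profile_commands_arg0.list
+++ b/contrib/syntax/lists/profile_commands_arg0.list
@@ -10,6 +10,7 @@ disable-mnt
 ipc-namespace
 keep-config-pulse
 keep-dev-shm
+keep-shell-rc
 keep-var-tmp
 machine-id
 memory-deny-write-execute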
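--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -332,6 +332,7 @@ extern int arg_nice; // nice value configured
 extern int arg_ipc; // enable ipc namespace
 extern int arg_writable_etc; // writable etc
 extern int arg_keep_config_pulse; // disable automatic ~/.config/pulse init
+extern int arg_keep_shell_rc; // do not copy shell configuration from /etc/skel
 extern int arg_writable_var; // writable var
 extern int arg_keep_var_tmp; // don't overwrite /var/tmp
 extern int arg_writable_run_user; // writable /run/user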
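--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -361,7 +361,8 @@ void fs_private_homedir(void) {
 }
 EUID_USER();
 
-skel(homedir);
+if (!arg_keep_shell_rc)
+skel(homedir);
 if (xflag)
 copy_xauthority();
 if (aflag)
@@ -430,7 +431,8 @@ void fs_private(void) {
 selinux_relabel_path(homedir, homedir);
 }
 
-skel(homedir);
+if (!arg_keep_shell_rc)
+skel(homedir);
 if (xflag)
 copy_xauthority();
 if (aflag)
@@ -682,7 +684,8 @@ void fs_private_home_list(void) {
 errExit("mounting tmpfs");
 EUID_USER();
 
-skel(homedir);
+if (!arg_keep_shell_rc)
+skel(homedir);
 if (xflag)
 copy_xauthority();
 if (aflag)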
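Review bot: The guard `if (!arg_keep_shell_rc) skel(homedir);` is pasted into fs_private_homedir(), fs_private() and fs_private_home_list(), so any later caller of skel() has to remember the flag; testing `arg_keep_shell_rc` once at the top of skel() (not visible in this diff) would keep the decision in one place. A short comment at the guard would also help, for example `// keep-shell-rc: rc files come from the user's whitelist, not /etc/skel`. Since the whitelisted ~/.bashrc or ~/.zshrc is then the host's own file, which shells outside the jail also source, it is worth confirming that it is mapped read-only inside the sandbox; nothing in these hunks enforces that. All three functions begin and end outside their hunks.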
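--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -127,6 +127,7 @@ int arg_nice = 0; // nice value configured
 int arg_ipc = 0; // enable ipc namespace
 int arg_writable_etc = 0; // writable etc
 int arg_keep_config_pulse = 0; // disable automatic ~/.config/pulse init
+int arg_keep_shell_rc = 0; // do not copy shell configuration from /etc/skel
 int arg_writable_var = 0; // writable var
 int arg_keep_var_tmp = 0; // don't overwrite /var/tmp
 int arg_writable_run_user = 0; // writable /run/user
@@ -1975,6 +1976,9 @@ int main(int argc, char **argv, char **envp) {
 else if (strcmp(argv[i], "--keep-config-pulse") == 0) {
 arg_keep_config_pulse = 1;
 }
+else if (strcmp(argv[i], "--keep-shell-rc") == 0) {
+arg_keep_shell_rc = 1;
+}
 else if (strcmp(argv[i], "--writable-var") == 0) {
 arg_writable_var = 1;
 }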
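--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1235,6 +1235,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 
+if (strcmp(ptr, "keep-shell-rc") == 0) {
+arg_keep_shell_rc = 1;
+return 0;
+}
+
 // writable-var
 if (strcmp(ptr, "writable-var") == 0) {
 arg_writable_var = 1;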
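Review bot: The new `keep-shell-rc` branch has no label comment, while the branch right after it is introduced with `// writable-var`; adding `// keep-shell-rc` above the `if (strcmp(ptr, "keep-shell-rc") == 0) {` line keeps the option list in profile_check_line() easy to scan. The function starts and ends outside the hunk.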
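--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -129,6 +129,7 @@ static char *usage_str =
 " --keep-config-pulse - disable automatic ~/.config/pulse init.\n"
 " --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n"
 " --keep-fd - inherit open file descriptors to sandbox.\n"
+" --keep-shell-rc - do not copy shell rc files from /etc/skel\n"
 " --keep-var-tmp - /var/tmp directory is untouched.\n"
 " --list - list all sandboxes.\n"
 #ifdef HAVE_FILE_TRANSFER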
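Review bot: The added help line ends without a full stop, unlike the `--keep-config-pulse`, `--keep-dev-shm`, `--keep-fd` and `--keep-var-tmp` entries around it. Writing it as `" --keep-shell-rc - do not copy shell rc files from /etc/skel.\n"` would match the rest of usage_str. The string literal continues outside the hunk.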
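--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -288,6 +288,9 @@ pulse servers or non-standard socket paths.
 \fBkeep-dev-shm
 /dev/shm directory is untouched (even with private-dev).
 .TP
+\fBkeep-shell-rc
+Do not copy shell rc files (such as ~/.bashrc and ~/.zshrc) from /etc/skel.
+.TP
 \fBkeep-var-tmp
 /var/tmp directory is untouched.
 .TP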
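--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1224,6 +1224,14 @@ Example:
 $ firejail --keep-fd=3,4,5
 
 .TP
+\fB\-\-keep-shell-rc
+By default, when using a private home directory, firejail copies files from the
+system's user home template (/etc/skel) into it, which overrides attempts to
+whitelist the original files (such as ~/.bashrc and ~/.zshrc).
+This option disables this feature, and enables the user to whitelist the
+original files.
+
+.TP
 \fB\-\-keep-var-tmp
 /var/tmp directory is untouched.
 .br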
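--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -104,6 +104,7 @@ _firejail_args=(
 '--keep-config-pulse[disable automatic ~/.config/pulse init]'
 '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]'
 '--keep-fd[inherit open file descriptors to sandbox]: :'
+'--keep-shell-rc[do not copy shell rc files from /etc/skel]'
 '--keep-var-tmp[/var/tmp directory is untouched]'
 '--machine-id[spoof /etc/machine-id with a random id]'
 '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]'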