author | netblue30 <netblue30@protonmail.com> | 2021-05-29 12:27:12 -0400 |
committer | netblue30 <netblue30@protonmail.com> | 2021-05-29 12:27:12 -0400 |
commit | a2b81da0f38fc34c9587a1fdc0709ef6fe6ca13d (patch) | |
tree | 4ac5e79743cdcaab18eda1339463a570a512368d | |
parent | [minor] gunzip profile broken (#4317) (diff) | |
disable home dir whitelists when --private is present
-rw-r--r-- | src/firejail/fs_whitelist.c | 7 | ||||
-rw-r--r-- | src/firejail/main.c | 4 |
2 files changed, 7 insertions, 4 deletions
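--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -423,6 +423,13 @@ static TopDir *add_topdir(const char *dir, TopDir *topdirs, const char *path) {
 		strcmp(dir, "/sys") == 0)
 		whitelist_error(path);
 
+	// whitelisting home directory is disabled if --private option is present
+	if (arg_private && strcmp(dir, cfg.homedir) == 0) {
+		if (arg_debug || arg_debug_whitelists)
+			printf("Debug %d: skip %s - a private home dir is configured!\n", __LINE__, path);
+		return NULL;
+	}
+
 	// do nothing if directory doesn't exist
 	struct stat s;
 	if (lstat(dir, &s) != 0) {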
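Review bot: The new guard drops a home-directory whitelist entry silently unless a debug flag is set, so a profile author who combines `whitelist ~/...` with `--private` gets no indication at normal verbosity that the entry was ignored; a plain `fwarning("skipping %s: --private replaces the home directory\n", path);` before the `return NULL;` would make the interaction visible, if an fwarning-style helper is available in this file. The guard also returns NULL, the same value the "directory doesn't exist" branch just below appears to use, so the caller presumably cannot distinguish a deliberately skipped home whitelist from a missing top directory; whether that matters depends on the caller, which is outside the hunk, as is the rest of add_topdir's body. The comparison reads `cfg.homedir` with strcmp, which assumes the home directory has been resolved before whitelist processing runs; that is likely true at startup but is worth confirming, and a one-line comment stating it, `// cfg.homedir is resolved before any whitelist is processed`, would record the assumption.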
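--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1904,8 +1904,6 @@ int main(int argc, char **argv, char **envp) {
 		}
 		else if (strcmp(argv[i], "--private") == 0) {
 			arg_private = 1;
-			// disable whitelisting in home directory
-			profile_add("whitelist ~/*");
 		}
 		else if (strncmp(argv[i], "--private=", 10) == 0) {
 			if (cfg.home_private_keep) {
@@ -1927,8 +1925,6 @@ int main(int argc, char **argv, char **envp) {
 				cfg.home_private = NULL;
 			}
 			arg_private = 1;
-			// disable whitelisting in home directory
-			profile_add("whitelist ~/*");
 		}
 #ifdef HAVE_PRIVATE_HOME
 		else if (strncmp(argv[i], "--private-home=", 15) == 0) {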