author | netblue30 <netblue30@yahoo.com> | 2016-02-17 12:13:19 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-02-17 12:13:19 -0500 |
commit | 97a9d0186863f6afe1a003e7e390b1b369167531 (patch) | |
tree | 68b5d03aa5c88e96651516e628ce296935716014 | |
parent | cherrytree profile (diff) | |
mkdir support in profile files
-rw-r--r-- | README.md | 21 | ||||
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | etc/firefox.profile | 4 | ||||
-rw-r--r-- | src/firejail/firejail.h | 3 | ||||
-rw-r--r-- | src/firejail/fs_mkdir.c | 70 | ||||
-rw-r--r-- | src/firejail/profile.c | 5 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 19 |
7 files changed, 123 insertions, 0 deletions
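--- a/README.md
+++ b/README.md
@@ -79,6 +79,27 @@ $ firejail --net=eth0 firefox
 $ firejail --nice=-5 firefox
 `````
 
+## mkdir
+
+`````
+$ man firejail-profile
+[...]
+mkdir directory
+Create a directory in user home. Use this command for
+whitelisted directories you need to preserve when the sandbox is
+closed. Subdirectories also need to be created using mkdir.
+Example from firefox profile:
+
+mkdir ~/.mozilla
+whitelist ~/.mozilla
+mkdir ~/.cache
+mkdir ~/.cache/mozilla
+mkdir ~/.cache/mozilla/firefox
+whitelist ~/.cache/mozilla/firefox
+
+[...]
+`````
+
 ## New security profiles
 
 lxterminal, Epiphany, cherrytree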
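--- a/RELNOTES
+++ b/RELNOTES
@@ -3,6 +3,7 @@ firejail (0.9.39) baseline; urgency=low
 * default seccomp filter update
 * disable STUN/WebRTC in default netfilter configuration
 * added --nice option
+* addded mkdir profile command
 * --version also prints compile options
 * build rpm packages using "make rpms"
 * new profiles: lxterminal, Epiphany, cherrytree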
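--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -12,7 +12,11 @@ netfilter
 tracelog
 noroot
 whitelist ${DOWNLOADS}
+mkdir ~/.mozilla
 whitelist ~/.mozilla
+mkdir ~/.cache
+mkdir ~/.cache/mozilla
+mkdir ~/.cache/mozilla/firefox
 whitelist ~/.cache/mozilla/firefox
 whitelist ~/dwhelper
 whitelist ~/.zotero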
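--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -512,5 +512,8 @@ void check_user(int argc, char **argv);
 // paths.c
 char **build_paths(void);
 
+// fs_mkdir.c
+void fs_mkdir(const char *name);
+
 #endif
 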
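--- /dev/null
+++ b/src/firejail/fs_mkdir.c
@@ -0,0 +1,70 @@
+/*
+* Copyright (C) 2014-2016 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "firejail.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <grp.h>
+#include <sys/wait.h>
+
+void fs_mkdir(const char *name) {
+// check directory name
+invalid_filename(name);
+char *expanded = expand_home(name, cfg.homedir);
+if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0) {
+fprintf(stderr, "Error: only directories in user home are supported by mkdir\n");
+exit(1);
+}
+
+struct stat s;
+if (stat(expanded, &s) == 0) {
+// file exists, do nothing
+goto doexit;
+}
+
+// fork a process, drop privileges, and create the directory
+// no error recovery will be attempted
+pid_t child = fork();
+if (child < 0)
+errExit("fork");
+if (child == 0) {
+if (arg_debug)
+printf("Create %s directory\n", expanded);
+
+// drop privileges
+if (setgroups(0, NULL) < 0)
+errExit("setgroups");
+if (setgid(getgid()) < 0)
+errExit("setgid/getgid");
+if (setuid(getuid()) < 0)
+errExit("setuid/getuid");
+
+// create directory
+if (mkdir(expanded, 0755) == -1)
+fprintf(stderr, "Warning: cannot create %s directory\n", expanded);
+exit(0);
+}
+
+// wait for the child to finish
+waitpid(child, NULL, 0);
+
+doexit:
+free(expanded);
+}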
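Review bot: The home-directory check in fs_mkdir() is a bare string-prefix comparison, so it does not enforce what its error message promises: a home of `/home/user` also matches a sibling path such as `/home/user2/x`, and a name with `..` components keeps the prefix while resolving elsewhere (whether invalid_filename() rejects `..` is not visible in this hunk). Because the child drops to the real uid/gid before mkdir(), the effect is bounded by what the invoking user could already create, but the check should still be exact: take `size_t hl = strlen(cfg.homedir);`, additionally require `expanded[hl] == '/' || expanded[hl] == '\0'`, and reject `..` path components. The directory is created with mode `0755`, which (subject to umask) leaves browser profile and cache directories listable by other local users; `mkdir(expanded, 0700)` would be the safer default. The `stat()` shortcut also treats any existing object as success without testing `S_ISDIR(s.st_mode)`. Finally, the child calls `exit(0)` even when mkdir() fails and the parent discards the `waitpid()` status, so a following `whitelist` line proceeds without knowing the directory is missing.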
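--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -99,6 +99,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 
+if (strncmp(ptr, "mkdir ", 6) == 0) {
+fs_mkdir(ptr + 6);
+return 0;
+}
+
 // sandbox name
 if (strncmp(ptr, "name ", 5) == 0) {
 cfg.name = ptr + 5;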
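Review bot: The new `mkdir ` branch hands `ptr + 6` to fs_mkdir() without checking that a name follows the keyword, so a line with nothing (or only blanks) after `mkdir ` reaches the home-prefix check with an empty name; whether invalid_filename() rejects that is not visible here. A guard such as `if (*(ptr + 6) == '\0') { fprintf(stderr, "Error: line %d in %s: mkdir requires a directory\n", lineno, fname); exit(1); }` would make the failure explicit and use the `lineno`/`fname` arguments the function already receives. The branch also changes the filesystem from inside a function named profile_check_line, apparently while the profile is still being parsed, which deserves a comment in the style of the neighbouring `// sandbox name`, e.g. `// create a directory in user home; executed immediately while the profile is read`. profile_check_line's body starts and ends outside this hunk.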
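--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -134,6 +134,25 @@ Mount-bind directory1 on top of directory2. This option is only available when r
 \fBbind file1,file2
 Mount-bind file1 on top of file2. This option is only available when running as root.
 .TP
+\fBmkdir directory
+Create a directory in user home. Use this command for whitelisted directories you need to preserve
+when the sandbox is closed. Subdirectories also need to be created using mkdir. Example from
+firefox profile:
+.br
+
+.br
+mkdir ~/.mozilla
+.br
+whitelist ~/.mozilla
+.br
+mkdir ~/.cache
+.br
+mkdir ~/.cache/mozilla
+.br
+mkdir ~/.cache/mozilla/firefox
+.br
+whitelist ~/.cache/mozilla/firefox
+.TP
 \fBprivate
 Mount new /root and /home/user directories in temporary
 filesystems. All modifications are discarded when the sandbox is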