diff options
author | netblue30 <netblue30@yahoo.com> | 2016-03-12 14:22:59 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-03-12 14:22:59 -0500 |
commit | ee7237f7a92378b5debb7ec29e42f974aa1a5c79 (patch) | |
tree | f834e05602bdf9138c4a637c8b7e459595098623 | |
parent | cfg x11 (diff) | |
download | firejail-ee7237f7a92378b5debb7ec29e42f974aa1a5c79.tar.gz firejail-ee7237f7a92378b5debb7ec29e42f974aa1a5c79.tar.zst firejail-ee7237f7a92378b5debb7ec29e42f974aa1a5c79.zip |
cfg bind
-rw-r--r-- | src/firejail/checkcfg.c | 9 | ||||
-rw-r--r-- | src/firejail/firejail.h | 3 | ||||
-rw-r--r-- | src/firejail/fs.c | 4 | ||||
-rw-r--r-- | src/firejail/main.c | 24 | ||||
-rw-r--r-- | src/firejail/profile.c | 62 |
5 files changed, 64 insertions, 38 deletions
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index f868a699a..68dc6ac58 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -77,6 +77,15 @@ int checkcfg(int val) { | |||
77 | else | 77 | else |
78 | goto errout; | 78 | goto errout; |
79 | } | 79 | } |
80 | // bind | ||
81 | else if (strncmp(ptr, "bind ", 5) == 0) { | ||
82 | if (strcmp(ptr + 5, "yes") == 0) | ||
83 | cfg_val[CFG_BIND] = 1; | ||
84 | else if (strcmp(ptr + 5, "no") == 0) | ||
85 | cfg_val[CFG_BIND] = 0; | ||
86 | else | ||
87 | goto errout; | ||
88 | } | ||
80 | else | 89 | else |
81 | goto errout; | 90 | goto errout; |
82 | free(ptr); | 91 | free(ptr); |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index d15d5a686..ff6eb485b 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -540,7 +540,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh); | |||
540 | // checkcfg.c | 540 | // checkcfg.c |
541 | #define CFG_FILE_TRANSFER 0 | 541 | #define CFG_FILE_TRANSFER 0 |
542 | #define CFG_X11 1 | 542 | #define CFG_X11 1 |
543 | #define CFG_MAX 2 // this should always be the last entry | 543 | #define CFG_BIND 2 |
544 | #define CFG_MAX 3 // this should always be the last entry | ||
544 | int checkcfg(int val); | 545 | int checkcfg(int val); |
545 | 546 | ||
546 | #endif | 547 | #endif |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index acee0ba1d..f63e8b5eb 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -435,12 +435,12 @@ void fs_blacklist(void) { | |||
435 | } | 435 | } |
436 | struct stat s; | 436 | struct stat s; |
437 | if (stat(dname1, &s) == -1) { | 437 | if (stat(dname1, &s) == -1) { |
438 | fprintf(stderr, "Error: cannot find directories for bind command\n"); | 438 | fprintf(stderr, "Error: cannot find %s for bind command\n", dname1); |
439 | entry = entry->next; | 439 | entry = entry->next; |
440 | continue; | 440 | continue; |
441 | } | 441 | } |
442 | if (stat(dname2, &s) == -1) { | 442 | if (stat(dname2, &s) == -1) { |
443 | fprintf(stderr, "Error: cannot find directories for bind command\n"); | 443 | fprintf(stderr, "Error: cannot find %s for bind command\n", dname2); |
444 | entry = entry->next; | 444 | entry = entry->next; |
445 | continue; | 445 | continue; |
446 | } | 446 | } |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 64e6e2d98..d1d0f91a6 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -283,7 +283,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
283 | exit(0); | 283 | exit(0); |
284 | } | 284 | } |
285 | else { | 285 | else { |
286 | fprintf(stderr, "Error: this feature is disabled in Firejail configuration file\n"); | 286 | fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n"); |
287 | exit(1); | 287 | exit(1); |
288 | } | 288 | } |
289 | } | 289 | } |
@@ -461,7 +461,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
461 | exit(0); | 461 | exit(0); |
462 | } | 462 | } |
463 | else { | 463 | else { |
464 | fprintf(stderr, "Error: this feature is disabled in Firejail configuration file\n"); | 464 | fprintf(stderr, "Error: --get feature is disabled in Firejail configuration file\n"); |
465 | exit(1); | 465 | exit(1); |
466 | } | 466 | } |
467 | } | 467 | } |
@@ -490,7 +490,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
490 | exit(0); | 490 | exit(0); |
491 | } | 491 | } |
492 | else { | 492 | else { |
493 | fprintf(stderr, "Error: this feature is disabled in Firejail configuration file\n"); | 493 | fprintf(stderr, "Error: --ls feature is disabled in Firejail configuration file\n"); |
494 | exit(1); | 494 | exit(1); |
495 | } | 495 | } |
496 | } | 496 | } |
@@ -887,12 +887,18 @@ int main(int argc, char **argv) { | |||
887 | //************************************* | 887 | //************************************* |
888 | #ifdef HAVE_BIND | 888 | #ifdef HAVE_BIND |
889 | else if (strncmp(argv[i], "--bind=", 7) == 0) { | 889 | else if (strncmp(argv[i], "--bind=", 7) == 0) { |
890 | char *line; | 890 | if (checkcfg(CFG_BIND)) { |
891 | if (asprintf(&line, "bind %s", argv[i] + 7) == -1) | 891 | char *line; |
892 | errExit("asprintf"); | 892 | if (asprintf(&line, "bind %s", argv[i] + 7) == -1) |
893 | 893 | errExit("asprintf"); | |
894 | profile_check_line(line, 0, NULL); // will exit if something wrong | 894 | |
895 | profile_add(line); | 895 | profile_check_line(line, 0, NULL); // will exit if something wrong |
896 | profile_add(line); | ||
897 | } | ||
898 | else { | ||
899 | fprintf(stderr, "Error: --bind feature is disabled in Firejail configuration file\n"); | ||
900 | exit(1); | ||
901 | } | ||
896 | } | 902 | } |
897 | #endif | 903 | #endif |
898 | else if (strncmp(argv[i], "--tmpfs=", 8) == 0) { | 904 | else if (strncmp(argv[i], "--tmpfs=", 8) == 0) { |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 461bcb941..36741ad4a 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -352,34 +352,44 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
352 | 352 | ||
353 | // filesystem bind | 353 | // filesystem bind |
354 | if (strncmp(ptr, "bind ", 5) == 0) { | 354 | if (strncmp(ptr, "bind ", 5) == 0) { |
355 | if (getuid() != 0) { | 355 | #ifdef HAVE_BIND |
356 | fprintf(stderr, "Error: --bind option is available only if running as root\n"); | 356 | if (checkcfg(CFG_BIND)) { |
357 | exit(1); | 357 | if (getuid() != 0) { |
358 | } | 358 | fprintf(stderr, "Error: --bind option is available only if running as root\n"); |
359 | 359 | exit(1); | |
360 | // extract two directories | 360 | } |
361 | char *dname1 = ptr + 5; | 361 | |
362 | char *dname2 = split_comma(dname1); // this inserts a '0 to separate the two dierctories | 362 | // extract two directories |
363 | if (dname2 == NULL) { | 363 | char *dname1 = ptr + 5; |
364 | fprintf(stderr, "Error: missing second directory for bind\n"); | 364 | char *dname2 = split_comma(dname1); // this inserts a '0 to separate the two dierctories |
365 | exit(1); | 365 | if (dname2 == NULL) { |
366 | } | 366 | fprintf(stderr, "Error: missing second directory for bind\n"); |
367 | 367 | exit(1); | |
368 | // check directories | 368 | } |
369 | invalid_filename(dname1); | 369 | |
370 | invalid_filename(dname2); | 370 | // check directories |
371 | if (strstr(dname1, "..") || strstr(dname2, "..")) { | 371 | invalid_filename(dname1); |
372 | fprintf(stderr, "Error: invalid file name.\n"); | 372 | invalid_filename(dname2); |
373 | exit(1); | 373 | if (strstr(dname1, "..") || strstr(dname2, "..")) { |
374 | fprintf(stderr, "Error: invalid file name.\n"); | ||
375 | exit(1); | ||
376 | } | ||
377 | if (is_link(dname1) || is_link(dname2)) { | ||
378 | fprintf(stderr, "Symbolic links are not allowed for bind command\n"); | ||
379 | exit(1); | ||
380 | } | ||
381 | |||
382 | // insert comma back | ||
383 | *(dname2 - 1) = ','; | ||
384 | return 1; | ||
374 | } | 385 | } |
375 | if (is_link(dname1) || is_link(dname2)) { | 386 | else { |
376 | fprintf(stderr, "Symbolic links are not allowed for bind command\n"); | 387 | fprintf(stderr, "Warning: bind feature is disabled in Firejail configuration file\n"); |
377 | exit(1); | 388 | return 0; |
378 | } | 389 | } |
379 | 390 | #else | |
380 | // insert comma back | 391 | return 0; |
381 | *(dname2 - 1) = ','; | 392 | #endif |
382 | return 1; | ||
383 | } | 393 | } |
384 | 394 | ||
385 | // rlimit | 395 | // rlimit |