Merge pull request #46 from iiotx/master

Use generic.profile by default
author: netblue30 <netblue30@yahoo.com> 2015-08-27 11:30:07 -0400
committer: netblue30 <netblue30@yahoo.com> 2015-08-27 11:30:07 -0400
commit: a83a7fc106876ed5fe4aee2258d8b39ea6308750 (patch)
tree: 2b74d4445395ae095e3fe3911175599953cc18f5
parent: Merge branch 'master' of https://github.com/netblue30/firejail (diff)
parent: Use generic.profile by default: fixes (diff)
download: firejail-a83a7fc106876ed5fe4aee2258d8b39ea6308750.tar.gz
firejail-a83a7fc106876ed5fe4aee2258d8b39ea6308750.tar.zst
firejail-a83a7fc106876ed5fe4aee2258d8b39ea6308750.zip
4 files changed, 67 insertions, 1 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 868e1fca0..351e9d045 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -28,6 +28,7 @@
 #define MNT_DIR "/tmp/firejail/mnt"
 #define HOME_DIR        "/tmp/firejail/mnt/home"
 #define ETC_DIR "/tmp/firejail/mnt/etc"
+#define GENERIC_PROFILE_NAME    "generic"
 #define MAX_INCLUDE_LEVEL 6
 // main.c
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 2a56d1725..7db18181d 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -399,6 +399,7 @@ int main(int argc, char **argv) {
        int arg_ipc = 0;
        int arg_cgroup = 0;
        int custom_profile = 0; // custom profile loaded
+        int arg_noprofile = 0; // use generic.profile if none other found/specified
        
        // initialize globals
        init_cfg();
@@ -653,6 +654,10 @@ int main(int argc, char **argv) {
                        arg_overlay = 1;
                }
                else if (strncmp(argv[i], "--profile=", 10) == 0) {
+                        if (arg_noprofile) {
+                                fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n");
+                                exit(1);
+                        }
                        // multiple profile files are allowed!
                        char *ptr = argv[i] + 10;
                        if (is_dir(ptr) || is_link(ptr) || strstr(ptr, "..")) {
@@ -669,6 +674,13 @@ int main(int argc, char **argv) {
                        profile_read(argv[i] + 10, NULL, NULL);
                        custom_profile = 1;
                }
+                else if (strcmp(argv[i], "--noprofile") == 0) {
+                        if (custom_profile) {
+                                fprintf(stderr, "Error: --profile and --noprofile options are mutually exclusive\n");
+                                exit(1);
+                        }
+                        arg_noprofile = 1;
+                }
 #ifdef HAVE_CHROOT              
                else if (strncmp(argv[i], "--chroot=", 9) == 0) {
                        if (arg_overlay) {
@@ -1054,7 +1066,7 @@ int main(int argc, char **argv) {
        }
        
        // load the profile
-        {
+        if (!arg_noprofile) {
                assert(cfg.command_name);
                if (arg_debug)
                        printf("Command name #%s#\n", cfg.command_name);                
@@ -1074,6 +1086,24 @@ int main(int argc, char **argv) {
                }
        }
+        // use generic.profile as the default
+        if (!custom_profile && !arg_noprofile) {
+                if (arg_debug)
+                        printf("Attempting to find %s.profile...",GENERIC_PROFILE_NAME);
+                // look for the profile in ~/.config/firejail directory
+                char *usercfgdir;
+                if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)
+                        errExit("asprintf");
+                custom_profile = profile_find(GENERIC_PROFILE_NAME, usercfgdir);
+                free(usercfgdir);
+                if (!custom_profile) {
+                        // look for the profile in /etc/firejail directory
+                        custom_profile = profile_find(GENERIC_PROFILE_NAME, "/etc/firejail");
+                }
+        }
        // check and assign an IP address - for macvlan it will be done again in the sandbox!
        if (any_bridge_configured()) {
                lockfd = open("/tmp/firejail/firejail.lock", O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 1f9e37248..602b68ebb 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -134,6 +134,10 @@ void usage(void) {
        printf("\t\tsupplementary groups are enabled for the user starting the\n");
        printf("\t\tsandbox. For root user supplementary groups are always\n");
        printf("\t\tdisabled.\n\n");
+        printf("\t--noprofile - do not use a profile.  Profile priority is use the one\n");
+        printf("\t\tspecified on the command line, next try to find one that\n");
+        printf("\t\tmatches the command name, and lastly use %s.profile.\n\n",GENERIC_PROFILE_NAME);
        
        printf("\t--noroot - install a user namespace with a single user - the current\n");
        printf("\t\tuser. root user does not exist in the new namespace. This option\n");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 2e87fbb8e..d78ce6723 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -565,6 +565,37 @@ uid=1000(netblue) gid=1000(netblue) groups=1000(netblue)
 $
 .TP
+\fB\-\-noprofile
+Do not use a profile.  Profile priority is use the one
+specified on the command line, next try to find one that
+matches the command name, and lastly use generic.profile.
+.br
+.br
+Example:
+.br
+$ firejail \-\-noprofile
+.br
+Parent pid 8553, child pid 8554
+.br
+Child process initialized
+.br
+$ exit
+.br
+.br
+parent is shutting down, bye...
+.br
+$ firejail
+.br
+Reading profile /etc/firejail/generic.profile
+.br
+Parent pid 8553, child pid 8554
+.br
+Child process initialized
+.br
+$ 
+.TP
 \fB\-\-noroot
 Install a user namespace with a single user - the current user.
 root user does not exist in the new namespace. This option
author	netblue30 <netblue30@yahoo.com>	2015-08-27 11:30:07 -0400
committer	netblue30 <netblue30@yahoo.com>	2015-08-27 11:30:07 -0400
commit	a83a7fc106876ed5fe4aee2258d8b39ea6308750 (patch)
tree	2b74d4445395ae095e3fe3911175599953cc18f5
parent	Merge branch 'master' of https://github.com/netblue30/firejail (diff)
parent	Use generic.profile by default: fixes (diff)
download	firejail-a83a7fc106876ed5fe4aee2258d8b39ea6308750.tar.gz firejail-a83a7fc106876ed5fe4aee2258d8b39ea6308750.tar.zst firejail-a83a7fc106876ed5fe4aee2258d8b39ea6308750.zip

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 868e1fca0..351e9d045 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -28,6 +28,7 @@
28	#define MNT_DIR "/tmp/firejail/mnt"	28	#define MNT_DIR "/tmp/firejail/mnt"
29	#define HOME_DIR "/tmp/firejail/mnt/home"	29	#define HOME_DIR "/tmp/firejail/mnt/home"
30	#define ETC_DIR "/tmp/firejail/mnt/etc"	30	#define ETC_DIR "/tmp/firejail/mnt/etc"
		31	#define GENERIC_PROFILE_NAME "generic"
31	#define MAX_INCLUDE_LEVEL 6	32	#define MAX_INCLUDE_LEVEL 6
32		33
33	// main.c	34	// main.c


diff --git a/src/firejail/main.c b/src/firejail/main.c index 2a56d1725..7db18181d 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -399,6 +399,7 @@ int main(int argc, char **argv) {
399	int arg_ipc = 0;	399	int arg_ipc = 0;
400	int arg_cgroup = 0;	400	int arg_cgroup = 0;
401	int custom_profile = 0; // custom profile loaded	401	int custom_profile = 0; // custom profile loaded
		402	int arg_noprofile = 0; // use generic.profile if none other found/specified
402		403
403	// initialize globals	404	// initialize globals
404	init_cfg();	405	init_cfg();
@@ -653,6 +654,10 @@ int main(int argc, char **argv) {
653	arg_overlay = 1;	654	arg_overlay = 1;
654	}	655	}
655	else if (strncmp(argv[i], "--profile=", 10) == 0) {	656	else if (strncmp(argv[i], "--profile=", 10) == 0) {
		657	if (arg_noprofile) {
		658	fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n");
		659	exit(1);
		660	}
656	// multiple profile files are allowed!	661	// multiple profile files are allowed!
657	char *ptr = argv[i] + 10;	662	char *ptr = argv[i] + 10;
658	if (is_dir(ptr) \|\| is_link(ptr) \|\| strstr(ptr, "..")) {	663	if (is_dir(ptr) \|\| is_link(ptr) \|\| strstr(ptr, "..")) {
@@ -669,6 +674,13 @@ int main(int argc, char **argv) {
669	profile_read(argv[i] + 10, NULL, NULL);	674	profile_read(argv[i] + 10, NULL, NULL);
670	custom_profile = 1;	675	custom_profile = 1;
671	}	676	}
		677	else if (strcmp(argv[i], "--noprofile") == 0) {
		678	if (custom_profile) {
		679	fprintf(stderr, "Error: --profile and --noprofile options are mutually exclusive\n");
		680	exit(1);
		681	}
		682	arg_noprofile = 1;
		683	}
672	#ifdef HAVE_CHROOT	684	#ifdef HAVE_CHROOT
673	else if (strncmp(argv[i], "--chroot=", 9) == 0) {	685	else if (strncmp(argv[i], "--chroot=", 9) == 0) {
674	if (arg_overlay) {	686	if (arg_overlay) {
@@ -1054,7 +1066,7 @@ int main(int argc, char **argv) {
1054	}	1066	}
1055		1067
1056	// load the profile	1068	// load the profile
1057	{	1069	if (!arg_noprofile) {
1058	assert(cfg.command_name);	1070	assert(cfg.command_name);
1059	if (arg_debug)	1071	if (arg_debug)
1060	printf("Command name #%s#\n", cfg.command_name);	1072	printf("Command name #%s#\n", cfg.command_name);
@@ -1074,6 +1086,24 @@ int main(int argc, char **argv) {
1074	}	1086	}
1075	}	1087	}
1076		1088
		1089	// use generic.profile as the default
		1090	if (!custom_profile && !arg_noprofile) {
		1091	if (arg_debug)
		1092	printf("Attempting to find %s.profile...",GENERIC_PROFILE_NAME);
		1093
		1094	// look for the profile in ~/.config/firejail directory
		1095	char *usercfgdir;
		1096	if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)
		1097	errExit("asprintf");
		1098	custom_profile = profile_find(GENERIC_PROFILE_NAME, usercfgdir);
		1099	free(usercfgdir);
		1100
		1101	if (!custom_profile) {
		1102	// look for the profile in /etc/firejail directory
		1103	custom_profile = profile_find(GENERIC_PROFILE_NAME, "/etc/firejail");
		1104	}
		1105	}
		1106
1077	// check and assign an IP address - for macvlan it will be done again in the sandbox!	1107	// check and assign an IP address - for macvlan it will be done again in the sandbox!
1078	if (any_bridge_configured()) {	1108	if (any_bridge_configured()) {
1079	lockfd = open("/tmp/firejail/firejail.lock", O_WRONLY \| O_CREAT, S_IRUSR \| S_IWUSR);	1109	lockfd = open("/tmp/firejail/firejail.lock", O_WRONLY \| O_CREAT, S_IRUSR \| S_IWUSR);


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 1f9e37248..602b68ebb 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -134,6 +134,10 @@ void usage(void) {
134	printf("\t\tsupplementary groups are enabled for the user starting the\n");	134	printf("\t\tsupplementary groups are enabled for the user starting the\n");
135	printf("\t\tsandbox. For root user supplementary groups are always\n");	135	printf("\t\tsandbox. For root user supplementary groups are always\n");
136	printf("\t\tdisabled.\n\n");	136	printf("\t\tdisabled.\n\n");
		137
		138	printf("\t--noprofile - do not use a profile. Profile priority is use the one\n");
		139	printf("\t\tspecified on the command line, next try to find one that\n");
		140	printf("\t\tmatches the command name, and lastly use %s.profile.\n\n",GENERIC_PROFILE_NAME);
137		141
138	printf("\t--noroot - install a user namespace with a single user - the current\n");	142	printf("\t--noroot - install a user namespace with a single user - the current\n");
139	printf("\t\tuser. root user does not exist in the new namespace. This option\n");	143	printf("\t\tuser. root user does not exist in the new namespace. This option\n");


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 2e87fbb8e..d78ce6723 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -565,6 +565,37 @@ uid=1000(netblue) gid=1000(netblue) groups=1000(netblue)
565	$	565	$
566		566
567	.TP	567	.TP
		568	\fB\-\-noprofile
		569	Do not use a profile. Profile priority is use the one
		570	specified on the command line, next try to find one that
		571	matches the command name, and lastly use generic.profile.
		572	.br
		573
		574	.br
		575	Example:
		576	.br
		577	$ firejail \-\-noprofile
		578	.br
		579	Parent pid 8553, child pid 8554
		580	.br
		581	Child process initialized
		582	.br
		583	$ exit
		584	.br
		585	.br
		586	parent is shutting down, bye...
		587	.br
		588	$ firejail
		589	.br
		590	Reading profile /etc/firejail/generic.profile
		591	.br
		592	Parent pid 8553, child pid 8554
		593	.br
		594	Child process initialized
		595	.br
		596	$
		597
		598	.TP
568	\fB\-\-noroot	599	\fB\-\-noroot
569	Install a user namespace with a single user - the current user.	600	Install a user namespace with a single user - the current user.
570	root user does not exist in the new namespace. This option	601	root user does not exist in the new namespace. This option