Merge pull request #21 from pmillerchip/private-home

Implement the --private-home option
author: netblue30 <netblue30@yahoo.com> 2015-08-14 07:31:47 -0400
committer: netblue30 <netblue30@yahoo.com> 2015-08-14 07:31:47 -0400
commit: 167d4af4382341c7bb5336a791f640f3cbf4c045 (patch)
tree: c03fad72153118888617936db9136c8cbba6fabf
parent: Merge pull request #19 from pmillerchip/manpage-fixes (diff)
parent: Implement the --private-home option as an alternative name for --private.keep (diff)
download: firejail-167d4af4382341c7bb5336a791f640f3cbf4c045.tar.gz
firejail-167d4af4382341c7bb5336a791f640f3cbf4c045.tar.zst
firejail-167d4af4382341c7bb5336a791f640f3cbf4c045.zip
9 files changed, 17 insertions, 15 deletions
diff --git a/src/firejail/arg-checking.txt b/src/firejail/arg-checking.txt
index c1ab2cb21..07e61df93 100644
--- a/src/firejail/arg-checking.txt
+++ b/src/firejail/arg-checking.txt
@@ -59,7 +59,7 @@ arg checking:
        - check same owner
        - unit test
        
-9. --private.keep=filelist
+9. --private-home=filelist
        - supported in profiles
        - checking no ".."
        - checking file found
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 5adabbcb3..a1833b4bc 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -282,9 +282,9 @@ void fs_private_dev(void);
 void fs_private(void);
 // private mode (--private=homedir)
 void fs_private_homedir(void);
-// private mode (--private.keep=list)
+// private mode (--private-home=list)
 void fs_private_home_list(void);
-// check directory linst specified by user (--private.keep option) - exit if it fails
+// check directory list specified by user (--private-home option) - exit if it fails
 void fs_check_home_list(void);
 // check new private home directory (--private= option) - exit if it fails
 void fs_check_private_dir(void);
@@ -357,4 +357,4 @@ void network_shm_set_file(pid_t pid);
 void fs_check_etc_list(void);
 void fs_private_etc_list(void);
-#endif
-\ No newline at end of file
+#endif
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index ca4691751..e726d6f10 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -302,10 +302,10 @@ static void check_dir_or_file(const char *name) {
        exit(1);
 }
-// check directory linst specified by user (--private.keep option) - exit if it fails
+// check directory list specified by user (--private-home option) - exit if it fails
 void fs_check_home_list(void) {
        if (strstr(cfg.home_private_keep, "..")) {
-                fprintf(stderr, "Error: invalid private.keep list\n");
+                fprintf(stderr, "Error: invalid private-home list\n");
                exit(1);
        }
        
@@ -385,7 +385,7 @@ static void duplicate(char *fname) {
 }
-// private mode (--private.keep=list):
+// private mode (--private-home=list):
 //      mount homedir on top of /home/user,
 //      tmpfs on top of  /root in nonroot mode,
 //      tmpfs on top of /tmp in root mode,
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 1f4574c5c..6c5d9a44e 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -677,7 +677,7 @@ int main(int argc, char **argv) {
                        arg_private = 1;
                else if (strncmp(argv[i], "--private=", 10) == 0) {
                        if (cfg.home_private_keep) {
-                                fprintf(stderr, "Error: a private list of files was already defined with --private.keep option.\n");
+                                fprintf(stderr, "Error: a private list of files was already defined with --private-home option.\n");
                                exit(1);
                        }
                        
@@ -686,7 +686,8 @@ int main(int argc, char **argv) {
                        fs_check_private_dir();
                        arg_private = 1;
                }
-                else if (strncmp(argv[i], "--private.keep=", 15) == 0) {
+                else if ((strncmp(argv[i], "--private.keep=", 15) == 0)
+                      || (strncmp(argv[i], "--private-home=", 15) == 0)) {
                        if (cfg.home_private) {
                                fprintf(stderr, "Error: a private home directory was already defined with --private option.\n");
                                exit(1);
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index a6843cc6d..a73582499 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -228,7 +228,8 @@ int profile_check_line(char *ptr, int lineno) {
        }
        // private home list of files and directories
-        if (strncmp(ptr, "private.keep ", 13) == 0) {
+        if ((strncmp(ptr, "private.keep ", 13) == 0)
+         || (strncmp(ptr, "private-home ", 13) == 0)) {
                cfg.home_private_keep = ptr + 13;
                fs_check_home_list();
                arg_private = 1;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 2beb31099..2cdc67d1c 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -237,7 +237,7 @@ int sandbox(void* sandbox_arg) {
        if (arg_private) {
                if (cfg.home_private)   // --private=
                        fs_private_homedir();
-                else if (cfg.home_private_keep) // --private.keep=
+                else if (cfg.home_private_keep) // --private-home=
                        fs_private_home_list();
                else // --private
                        fs_private();
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 2beeddb70..3ddd85aac 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -148,7 +148,7 @@ void usage(void) {
        printf("\t\tfilesystems. All modifications are discarded when the sandbox is\n");
        printf("\t\tclosed.\n\n");
        printf("\t--private=directory - use directory as user home.\n\n");
-        printf("\t--private.keep=file,directory - build a new user home in a temporary\n");
+        printf("\t--private-home=file,directory - build a new user home in a temporary\n");
        printf("\t\tfilesystem, and copy the files and directories in the list in\n");
        printf("\t\tthe new home. All modifications are discarded when the sandbox\n");
        printf("\t\tis closed.\n\n");
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 59f014d4a..ff265c198 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -73,7 +73,7 @@ closed.
 \f\private directory
 Use directory as user home.
 .TP
-\f\private.keep file,directory
+\f\private-home file,directory
 Build a new user home in a temporary
 filesystem, and copy the files and directories in the list in the
 new home. All modifications are discarded when the sandbox is
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index dbffe68ed..21310aebc 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -639,7 +639,7 @@ Example:
 $ firejail \-\-private=/home/netblue/firefox-home firefox
 .TP
-\fB\-\-private.keep=file,directory
+\fB\-\-private-home=file,directory
 Build a new user home in a temporary
 filesystem, and copy the files and directories in the list in the
 new home. All modifications are discarded when the sandbox is
@@ -649,7 +649,7 @@ closed.
 .br
 Example:
 .br
-$ firejail \-\-private.keep=.mozilla firefox
+$ firejail \-\-private-home=.mozilla firefox
 .TP
 \fB\-\-private-dev
 Create a new /dev directory. Only null, full, zero, tty, pts, ptmx, random, urandom and shm devices are available.
author	netblue30 <netblue30@yahoo.com>	2015-08-14 07:31:47 -0400
committer	netblue30 <netblue30@yahoo.com>	2015-08-14 07:31:47 -0400
commit	167d4af4382341c7bb5336a791f640f3cbf4c045 (patch)
tree	c03fad72153118888617936db9136c8cbba6fabf
parent	Merge pull request #19 from pmillerchip/manpage-fixes (diff)
parent	Implement the --private-home option as an alternative name for --private.keep (diff)
download	firejail-167d4af4382341c7bb5336a791f640f3cbf4c045.tar.gz firejail-167d4af4382341c7bb5336a791f640f3cbf4c045.tar.zst firejail-167d4af4382341c7bb5336a791f640f3cbf4c045.zip