diff options
| author |  Remco <remco@dutchcoders.io> | 2017-04-28 10:33:17 +0200 |
|---|---|---|
| committer | Remco <remco@dutchcoders.io> | 2017-04-28 10:33:17 +0200 |
| commit | 41ab4044d4281b6abdf1fd5fa19e8d32de9b1263 (patch) | |
| tree | 17301ac91c485665a62792103a24d6c81cbc4a32 | |
| parent | typo fixes for #1249 (diff) | |
| download | firejail-41ab4044d4281b6abdf1fd5fa19e8d32de9b1263.tar.gz firejail-41ab4044d4281b6abdf1fd5fa19e8d32de9b1263.tar.zst firejail-41ab4044d4281b6abdf1fd5fa19e8d32de9b1263.zip | |
Add overlay configuration to profiles
| -rw-r--r-- | src/firejail/profile.c | 74 |
1 files changed, 74 insertions, 0 deletions
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 172aff121..c515accc0 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
| @@ -830,6 +830,80 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
| 830 | return 0; | 830 | return 0; |
| 831 | } | 831 | } |
| 832 | 832 | ||
| 833 | |||
| 834 | #ifdef HAVE_OVERLAYFS | ||
| 835 | if (strncmp(ptr, "overlay-named ", 14) == 0) { | ||
| 836 | if (checkcfg(CFG_OVERLAYFS)) { | ||
| 837 | if (cfg.chrootdir) { | ||
| 838 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); | ||
| 839 | exit(1); | ||
| 840 | } | ||
| 841 | struct stat s; | ||
| 842 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { | ||
| 843 | fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); | ||
| 844 | exit(1); | ||
| 845 | } | ||
| 846 | arg_overlay = 1; | ||
| 847 | arg_overlay_keep = 1; | ||
| 848 | arg_overlay_reuse = 1; | ||
| 849 | |||
| 850 | char *subdirname = ptr + 14; | ||
| 851 | if (subdirname == '\0') { | ||
| 852 | fprintf(stderr, "Error: invalid overlay option\n"); | ||
| 853 | exit(1); | ||
| 854 | } | ||
| 855 | |||
| 856 | // check name | ||
| 857 | invalid_filename(subdirname); | ||
| 858 | if (strstr(subdirname, "..") || strstr(subdirname, "/")) { | ||
| 859 | fprintf(stderr, "Error: invalid overlay name\n"); | ||
| 860 | exit(1); | ||
| 861 | } | ||
| 862 | cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); | ||
| 863 | } | ||
| 864 | |||
| 865 | return 0; | ||
| 866 | } else if (strcmp(ptr, "overlay-tmpfs") == 0) { | ||
| 867 | if (checkcfg(CFG_OVERLAYFS)) { | ||
| 868 | if (cfg.chrootdir) { | ||
| 869 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); | ||
| 870 | exit(1); | ||
| 871 | } | ||
| 872 | struct stat s; | ||
| 873 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { | ||
| 874 | fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); | ||
| 875 | exit(1); | ||
| 876 | } | ||
| 877 | arg_overlay = 1; | ||
| 878 | |||
| 879 | return 0; | ||
| 880 | } | ||
| 881 | } else if (strcmp(ptr, "overlay") == 0) { | ||
| 882 | if (checkcfg(CFG_OVERLAYFS)) { | ||
| 883 | if (cfg.chrootdir) { | ||
| 884 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); | ||
| 885 | exit(1); | ||
| 886 | } | ||
| 887 | struct stat s; | ||
| 888 | if (stat("/proc/sys/kernel/grsecurity", &s) == 0) { | ||
| 889 | fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n"); | ||
| 890 | exit(1); | ||
| 891 | } | ||
| 892 | arg_overlay = 1; | ||
| 893 | arg_overlay_keep = 1; | ||
| 894 | |||
| 895 | char *subdirname; | ||
| 896 | if (asprintf(&subdirname, "%d", getpid()) == -1) | ||
| 897 | errExit("asprintf"); | ||
| 898 | cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); | ||
| 899 | |||
| 900 | free(subdirname); | ||
| 901 | |||
| 902 | return 0; | ||
| 903 | } | ||
| 904 | } | ||
| 905 | #endif | ||
| 906 | |||
| 833 | // filesystem bind | 907 | // filesystem bind |
| 834 | if (strncmp(ptr, "bind ", 5) == 0) { | 908 | if (strncmp(ptr, "bind ", 5) == 0) { |
| 835 | #ifdef HAVE_BIND | 909 | #ifdef HAVE_BIND |