author | netblue30 <netblue30@yahoo.com> | 2019-02-01 09:18:29 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2019-02-01 09:18:29 -0500 |
commit | f79d62c1ea8a951fc757346dc3015ee4b009e52b (patch) | |
tree | 8ae147e23c0ef6b27fdb66c41cb9c038762efd5f | |
parent | Merge pull request #2372 from rusty-snake/additional-blacklisting (diff) | |
--name rework
-rw-r--r-- | etc/firejail.config | 3 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 9 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/run_files.c | 23 | ||||
-rw-r--r-- | src/man/firejail.txt | 16 | ||||
-rwxr-xr-x | test/utils/name.exp | 35 |
6 files changed, 44 insertions, 43 deletions
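--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -54,6 +54,9 @@
 # root user can always join sandboxes.
 # join yes
 
+#Enable or disable sandbox name change, default enabled.
+# name-change yes
+
 # Enable or disable networking features, default enabled.
 # network yes
 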
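--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -139,6 +139,15 @@ int checkcfg(int val) {
 else
 goto errout;
 }
+// name change
+else if (strncmp(ptr, "name-change ", 12) == 0) {
+if (strcmp(ptr + 12, "yes") == 0)
+cfg_val[CFG_NAME_CHANGE] = 1;
+else if (strcmp(ptr + 12, "no") == 0)
+cfg_val[CFG_NAME_CHANGE] = 0;
+else
+goto errout;
+}
 // user namespace
 else if (strncmp(ptr, "userns ", 7) == 0) {
 if (strcmp(ptr + 7, "yes") == 0)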
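Review bot: Nothing in this hunk, or anywhere else in the commit, assigns the documented default (enabled) to cfg_val[CFG_NAME_CHANGE]; unless checkcfg() initialises every entry up to CFG_MAX to 1 before parsing — that initialisation is outside the hunk and not visible here — a firejail.config with no name-change line would leave the flag at 0 and silently disable the rename, the opposite of what etc/firejail.config and the man page in this commit state. Worth confirming against the defaults block, and a comment at the new parser entry such as `// name change (default enabled, relies on the cfg_val initialisation above)` would make that dependency explicit. The yes/no parsing itself matches the neighbouring entries. checkcfg() begins and ends outside the hunk.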
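--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -781,6 +781,7 @@ enum {
 CFG_DBUS,
 CFG_PRIVATE_CACHE,
 CFG_CGROUP,
+CFG_NAME_CHANGE,
 CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;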
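--- a/src/firejail/run_files.c
+++ b/src/firejail/run_files.c
@@ -76,28 +76,19 @@ void delete_run_files(pid_t pid) {
 }
 
 static char *newname(char *name) {
-char *rv;
+char *rv = name;
 pid_t pid;
 
-// try the name
-if (name2pid(name, &pid))
-return name;
+if (checkcfg(CFG_NAME_CHANGE)) {
+// try the name
+if (name2pid(name, &pid))
+return name;
 
-// try name-1 to 9
-int i;
-for (i = 1; i < 10; i++) {
-if (asprintf(&rv, "%s-%d", name, i) == -1)
+// return name-pid
+if (asprintf(&rv, "%s-%d", name, getpid()) == -1)
 errExit("asprintf");
-if (name2pid(rv, &pid)) {
-fwarning("Sandbox name changed to %s\n", rv);
-return rv;
-}
-free(rv);
 }
 
-// return name-pid
-if (asprintf(&rv, "%s-%d", name, getpid()) == -1)
-errExit("asprintf");
 return rv;
 }
 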
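Review bot: When CFG_NAME_CHANGE is off, newname() returns `name` without ever calling name2pid(), so two sandboxes can be registered under the same name and `--join`/`--shutdown` by name (which the man page hunk in this commit says rely on it) then resolve to whichever sandbox name2pid() finds first; the disabled path should at least report the collision. If name2pid() returns zero when a live sandbox already owns the name, as the existing "try the name" call suggests, the check below does that. Separately, the rename to name-PID is now silent: the old loop's `fwarning("Sandbox name changed to %s\n", rv);` was dropped, so a user who launched with --name=browser is not told the sandbox is only reachable as browser-<pid>; re-adding that warning before the final return keeps the old behaviour, with the enabled path no longer needing to be nested. newname() is fully inside the hunk.
```c
	if (!checkcfg(CFG_NAME_CHANGE)) {
		// collisions are not resolved on this path; at least make them visible
		if (!name2pid(name, &pid))
			fwarning("Sandbox name %s is already in use\n", name);
		return name;
	}
	// … unchanged: try the name, then build name-pid into rv …
	fwarning("Sandbox name changed to %s\n", rv);
	return rv;
```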
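--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -770,12 +770,26 @@ $ firejail \-\-net=eth0 \-\-mtu=1492
 \fB\-\-name=name
 Set sandbox name. Several options, such as \-\-join and \-\-shutdown, can use
 this name to identify a sandbox.
+
+In case the name supplied by the user is already in use by another sandbox, Firejail will assign a
+new name as "name-PID", where PID is the process ID of the sandbox. This functionality
+can be disabled at run time in /etc/firejail/firejail.config file, by setting "name-change" flag to "no".
 .br
 
 .br
 Example:
 .br
-$ firejail \-\-name=mybrowser firefox
+$ firejail \-\-name=browser firefox &
+.br
+$ firejail \-\-name=browser \-\-private \
+firefox \-\-no-remote &
+.br
+$ firejail --list
+.br
+1198:netblue:browser:firejail --name=browser firefox
+.br
+1312:netblue:browser-1312:firejail --name=browser --private firefox --no-remote
+.br
 
 .TP
 \fB\-\-net=bridge_interface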
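--- a/test/utils/name.exp
+++ b/test/utils/name.exp
@@ -111,39 +111,39 @@ expect {
 }
 expect {
 timeout {puts "TESTING ERROR 13\n";exit}
-":ftest-1:"
+":ftest-"
 }
 expect {
 timeout {puts "TESTING ERROR 14\n";exit}
-":ftest-2:"
+":ftest-"
 }
 expect {
 timeout {puts "TESTING ERROR 15\n";exit}
-":ftest-3:"
+":ftest-"
 }
 expect {
 timeout {puts "TESTING ERROR 16\n";exit}
-":ftest-4:"
+":ftest-"
 }
 expect {
 timeout {puts "TESTING ERROR 17\n";exit}
-":ftest-5:"
+":ftest-"
 }
 expect {
 timeout {puts "TESTING ERROR 18\n";exit}
-":ftest-6:"
+":ftest-"
 }
 expect {
 timeout {puts "TESTING ERROR 19\n";exit}
-":ftest-7:"
+":ftest-"
 }
 expect {
 timeout {puts "TESTING ERROR 20\n";exit}
-":ftest-8:"
+":ftest-"
 }
 expect {
 timeout {puts "TESTING ERROR 21\n";exit}
-":ftest-9:"
+":ftest-"
 }
 expect {
 timeout {puts "TESTING ERROR 22\n";exit}
@@ -153,22 +153,5 @@ expect {
 timeout {puts "TESTING ERROR 23\n";exit}
 ":ftest-"
 }
-after 100
-
-send -- "firejail --shutdown=ftest-5\r"
-expect {
-timeout {puts "TESTING ERROR 11\n";exit}
-"Sending SIGTERM"
-}
 sleep 1
-
-spawn $env(SHELL)
-send -- "firejail --list\r"
-expect {
-timeout {puts "TESTING ERROR 12\n";exit}
-":ftest-5:" {puts "TESTING ERROR 15\n";exit}
-":ftest-9:"
-}
-
-after 100
 puts "all done\n"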
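Review bot: The second hunk removes the only step that exercised `--shutdown` against a renamed sandbox, and the first hunk's expects now all match the same `":ftest-"` prefix, so the script no longer verifies that a renamed sandbox gets a distinct name that can actually be addressed. Since the new scheme is name-PID, one of the `--list` expects could capture the suffix, e.g. `expect -re {:ftest-([0-9]+):}` followed by `set pid $expect_out(1,string)`, and the dropped `--shutdown` / "Sending SIGTERM" sequence could be re-added as `send -- "firejail --shutdown=ftest-$pid\r"`. The second hunk ends at the script's last line; the expect block it starts in opens in the first hunk.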