authorLibravatar netblue30 <netblue30@yahoo.com>2016-12-01 12:30:11 -0500
committerLibravatar netblue30 <netblue30@yahoo.com>2016-12-01 12:30:11 -0500
commitfbcf885bcdcf71c6a9f88bed8ae38e686f5f7f21 (patch)
tree360060483d8250a1235885376c2c1493f68e41ba
parentprivate-opt, private-srv (diff)
cleanup
-rw-r--r--src/firejail/main.c291
-rw-r--r--src/firejail/profile.c102
-rwxr-xr-xtest/root/join.exp52
-rwxr-xr-xtest/root/root.sh6
-rwxr-xr-xtest/utils/join.exp15
5 files changed, 233 insertions, 233 deletions
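--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -250,10 +250,8 @@ static void check_network(Bridge *br) {
 #ifdef HAVE_USERNS
 void check_user_namespace(void) {
  EUID_ASSERT();
- if (getuid() == 0) {
- fprintf(stderr, "Error: --noroot option cannot be used when starting the sandbox as root.\n");
- exit(1);
- }
+ if (getuid() == 0)
+ goto errout;
 
  // test user namespaces available in the kernel
  struct stat s1;
@@ -263,16 +261,27 @@ void check_user_namespace(void) {
  stat("/proc/self/uid_map", &s2) == 0 &&
  stat("/proc/self/gid_map", &s3) == 0)
  arg_noroot = 1;
- else {
- if (!arg_quiet || arg_debug)
- fprintf(stderr, "Warning: user namespaces not available in the current kernel.\n");
- arg_noroot = 0;
- }
+ else
+ goto errout;
+
+ return;
+
+errout:
+ if (!arg_quiet || arg_debug)
+ fprintf(stderr, "Warning: noroot option is not available\n");
+ arg_noroot = 0;
+
 }
 #endif
 
 
-// exit commands
+static void exit_err_feature(const char *feature) {
+ fprintf(stderr, "Error: %s feature is disabled in Firejail configuration file\n", feature);
+ exit(1);
+}
+
+// run independent commands and exit program
+// this function handles command line options such as --version and --help
 static void run_cmd_and_exit(int i, int argc, char **argv) {
  EUID_ASSERT();
 
@@ -298,21 +307,15 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
  if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1)
  errExit("asprintf");
  EUID_ROOT();
- if (setreuid(0, 0) < 0)
- errExit("setreuid");
- if (setregid(0, 0) < 0)
- errExit("setregid");
+ if (setreuid(0, 0) < 0 ||
+ setregid(0, 0) < 0)
+ errExit("setreuid/setregid");
  errno = 0;
- int rv = remove_directory(path);
- if (rv) {
- fprintf(stderr, "Error: cannot removed overlays stored in ~/.firejail directory, errno %d\n", errno);
- exit(1);
- }
- }
- else {
- fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n");
- exit(1);
+ if (remove_directory(path))
+ errExit("remove_directory");
  }
+ else
+ exit_err_feature("overlayfs");
  exit(0);
  }
 #endif
@@ -322,30 +325,24 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
  x11_start(argc, argv);
  exit(0);
  }
- else {
- fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("x11");
  }
  else if (strcmp(argv[i], "--x11=xpra") == 0) {
  if (checkcfg(CFG_X11)) {
  x11_start_xpra(argc, argv);
  exit(0);
  }
- else {
- fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("x11");
  }
  else if (strcmp(argv[i], "--x11=xephyr") == 0) {
  if (checkcfg(CFG_X11)) {
  x11_start_xephyr(argc, argv);
  exit(0);
  }
- else {
- fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("x11");
  }
 #endif
 #ifdef HAVE_NETWORK
@@ -406,10 +403,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
  pid_t pid = read_pid(argv[i] + 12);
  bandwidth_pid(pid, cmd, dev, down, up);
  }
- else {
- fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("networking");
  exit(0);
  }
 #endif
@@ -422,20 +417,16 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
  int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-syscalls");
  exit(rv);
  }
- else {
- fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("seccomp");
  }
  else if (strcmp(argv[i], "--debug-errnos") == 0) {
  if (checkcfg(CFG_SECCOMP)) {
  int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-errnos");
  exit(rv);
  }
- else {
- fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("seccomp");
  exit(0);
  }
  else if (strncmp(argv[i], "--seccomp.print=", 16) == 0) {
@@ -444,10 +435,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
  pid_t pid = read_pid(argv[i] + 16);
  seccomp_print_filter(pid);
  }
- else {
- fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("seccomp");
  exit(0);
  }
  else if (strcmp(argv[i], "--debug-protocols") == 0) {
@@ -460,10 +449,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
  pid_t pid = read_pid(argv[i] + 17);
  protocol_print_filter(pid);
  }
- else {
- fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("seccomp");
  exit(0);
  }
 #endif
@@ -530,10 +517,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
  2, PATH_FIREMON, "--netstats");
  exit(0);
  }
- else {
- fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("networking");
  }
 #endif
 #ifdef HAVE_FILE_TRANSFER
@@ -558,10 +543,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
  sandboxfs(SANDBOX_FS_GET, pid, path, NULL);
  exit(0);
  }
- else {
- fprintf(stderr, "Error: --get feature is disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("file transfer");
  }
  else if (strncmp(argv[i], "--put=", 6) == 0) {
  if (checkcfg(CFG_FILE_TRANSFER)) {
@@ -590,10 +573,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
  sandboxfs(SANDBOX_FS_PUT, pid, path1, path2);
  exit(0);
  }
- else {
- fprintf(stderr, "Error: --get feature is disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("file transfer");
  }
  else if (strncmp(argv[i], "--ls=", 5) == 0) {
  if (checkcfg(CFG_FILE_TRANSFER)) {
@@ -616,10 +597,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
  sandboxfs(SANDBOX_FS_LS, pid, path, NULL);
  exit(0);
  }
- else {
- fprintf(stderr, "Error: --ls feature is disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("file transfer");
  }
 #endif
  else if (strncmp(argv[i], "--join=", 7) == 0) {
@@ -685,11 +664,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
  pid_t pid = read_pid(argv[i] + 15);
  join(pid, argc, argv, i + 1);
  }
- else {
- fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
- exit(1);
- }
-
+ else
+ exit_err_feature("networking");
  exit(0);
  }
 #endif
@@ -1117,10 +1093,8 @@ int main(int argc, char **argv) {
  errExit("strdup");
  }
  }
- else {
- fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("seccomp");
  }
  else if (strcmp(argv[i], "--seccomp") == 0) {
  if (checkcfg(CFG_SECCOMP)) {
@@ -1130,10 +1104,8 @@ int main(int argc, char **argv) {
  }
  arg_seccomp = 1;
  }
- else {
- fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("seccomp");
  }
  else if (strncmp(argv[i], "--seccomp=", 10) == 0) {
  if (checkcfg(CFG_SECCOMP)) {
@@ -1144,10 +1116,8 @@ int main(int argc, char **argv) {
  arg_seccomp = 1;
  cfg.seccomp_list = seccomp_check_list(argv[i] + 10);
  }
- else {
- fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("seccomp");
  }
  else if (strncmp(argv[i], "--seccomp.drop=", 15) == 0) {
  if (checkcfg(CFG_SECCOMP)) {
@@ -1158,10 +1128,8 @@ int main(int argc, char **argv) {
  arg_seccomp = 1;
  cfg.seccomp_list_drop = seccomp_check_list(argv[i] + 15);
  }
- else {
- fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("seccomp");
  }
  else if (strncmp(argv[i], "--seccomp.keep=", 15) == 0) {
  if (checkcfg(CFG_SECCOMP)) {
@@ -1172,10 +1140,8 @@ int main(int argc, char **argv) {
  arg_seccomp = 1;
  cfg.seccomp_list_keep = seccomp_check_list(argv[i] + 15);
  }
- else {
- fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("seccomp");
  }
 #endif
  else if (strcmp(argv[i], "--caps") == 0)
@@ -1274,10 +1240,8 @@ int main(int argc, char **argv) {
  profile_check_line(line, 0, NULL); // will exit if something wrong
  profile_add(line);
  }
- else {
- fprintf(stderr, "Error: --bind feature is disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("bind");
  }
 #endif
  else if (strncmp(argv[i], "--tmpfs=", 8) == 0) {
@@ -1315,10 +1279,8 @@ int main(int argc, char **argv) {
  profile_check_line(line, 0, NULL); // will exit if something wrong
  profile_add(line);
  }
- else {
- fprintf(stderr, "Error: whitelist feature is disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("whitelist");
  }
 #endif
 
@@ -1368,10 +1330,8 @@ int main(int argc, char **argv) {
 
  free(subdirname);
  }
- else {
- fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("overlayfs");
  }
  else if (strncmp(argv[i], "--overlay-named=", 16) == 0) {
  if (checkcfg(CFG_OVERLAYFS)) {
@@ -1402,11 +1362,8 @@ int main(int argc, char **argv) {
  }
  cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
  }
- else {
- fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n");
- exit(1);
- }
-
+ else
+ exit_err_feature("overlayfs");
  }
  else if (strcmp(argv[i], "--overlay-tmpfs") == 0) {
  if (checkcfg(CFG_OVERLAYFS)) {
@@ -1421,10 +1378,8 @@ int main(int argc, char **argv) {
  }
  arg_overlay = 1;
  }
- else {
- fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("overlayfs");
  }
 #endif
  else if (strncmp(argv[i], "--profile=", 10) == 0) {
@@ -1551,10 +1506,8 @@ int main(int argc, char **argv) {
  exit(1);
  }
  }
- else {
- fprintf(stderr, "Error: --chroot feature is disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("chroot");
  }
 #endif
  else if (strcmp(argv[i], "--writable-etc") == 0) {
@@ -1603,10 +1556,8 @@ int main(int argc, char **argv) {
  cfg.home_private_keep = argv[i] + 15;
  arg_private = 1;
  }
- else {
- fprintf(stderr, "Error: --private-home feature is disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("private-home");
  }
 #endif
  else if (strcmp(argv[i], "--private-dev") == 0) {
@@ -1680,10 +1631,8 @@ int main(int argc, char **argv) {
  else if (strcmp(argv[i], "--noroot") == 0) {
  if (checkcfg(CFG_USERNS))
  check_user_namespace();
- else {
- fprintf(stderr, "Error: --noroot feature is disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("noroot");
  }
 #endif
  else if (strcmp(argv[i], "--nonewprivs") == 0) {
@@ -1758,10 +1707,8 @@ int main(int argc, char **argv) {
  }
  intf->configured = 1;
  }
- else {
- fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("networking");
  }
 
  else if (strncmp(argv[i], "--net=", 6) == 0) {
@@ -1811,10 +1758,8 @@ int main(int argc, char **argv) {
  }
  net_configure_bridge(br, argv[i] + 6);
  }
- else {
- fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("networking");
  }
 
  else if (strncmp(argv[i], "--veth-name=", 12) == 0) {
@@ -1832,20 +1777,16 @@ int main(int argc, char **argv) {
  exit(1);
  }
  }
- else {
- fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("networking");
  }
 
  else if (strcmp(argv[i], "--scan") == 0) {
  if (checkcfg(CFG_NETWORK)) {
  arg_scan = 1;
  }
- else {
- fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("networking");
  }
  else if (strncmp(argv[i], "--iprange=", 10) == 0) {
  if (checkcfg(CFG_NETWORK)) {
@@ -1885,10 +1826,8 @@ int main(int argc, char **argv) {
  return 1;
  }
  }
- else {
- fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("networking");
  }
 
  else if (strncmp(argv[i], "--mac=", 6) == 0) {
@@ -1909,10 +1848,8 @@ int main(int argc, char **argv) {
  exit(1);
  }
  }
- else {
- fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("networking");
  }
 
  else if (strncmp(argv[i], "--mtu=", 6) == 0) {
@@ -1928,10 +1865,8 @@ int main(int argc, char **argv) {
  exit(1);
  }
  }
- else {
- fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("networking");
  }
 
  else if (strncmp(argv[i], "--ip=", 5) == 0) {
@@ -1956,10 +1891,8 @@ int main(int argc, char **argv) {
  }
  }
  }
- else {
- fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("networking");
  }
 
  else if (strncmp(argv[i], "--ip6=", 6) == 0) {
@@ -1982,10 +1915,8 @@ int main(int argc, char **argv) {
 // exit(1);
 // }
  }
- else {
- fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("networking");
  }
 
 
@@ -1996,10 +1927,8 @@ int main(int argc, char **argv) {
  exit(1);
  }
  }
- else {
- fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("networking");
  }
 #endif
  else if (strncmp(argv[i], "--dns=", 6) == 0) {
@@ -2038,10 +1967,8 @@ int main(int argc, char **argv) {
  if (checkcfg(CFG_NETWORK)) {
  arg_netfilter = 1;
  }
- else {
- fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("networking");
  }
 
  else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
@@ -2062,10 +1989,8 @@ int main(int argc, char **argv) {
  arg_netfilter_file = argv[i] + 12;
  check_netfilter_file(arg_netfilter_file);
  }
- else {
- fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("networking");
  }
 
  else if (strncmp(argv[i], "--netfilter6=", 13) == 0) {
@@ -2074,10 +1999,8 @@ int main(int argc, char **argv) {
  arg_netfilter6_file = argv[i] + 13;
  check_netfilter_file(arg_netfilter6_file);
  }
- else {
- fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("networking");
  }
 #endif
  //*************************************
@@ -2184,10 +2107,8 @@ int main(int argc, char **argv) {
  else if (strcmp(argv[i], "--x11=xorg") == 0) {
  if (checkcfg(CFG_X11))
  arg_x11_xorg = 1;
- else {
- fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n");
- exit(1);
- }
+ else
+ exit_err_feature("x11");
  }
 #endif
  else if (strncmp(argv[i], "--join-or-start=", 16) == 0) {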
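Review bot: The root case in check_user_namespace (new lines 253–254, first hunk) is downgraded from a hard error to `goto errout`, which shares the kernel-support path and only warns and sets `arg_noroot = 0`, so a sandbox explicitly started with --noroot now continues as root, and with --quiet (and no --debug) it does so without any message at all. That is a fail-open change on a hardening option, and the single "noroot option is not available" text also loses the distinction between "started as root" and "user namespaces missing in the kernel" that the two removed messages carried. If the goal is only to deduplicate, keep the root branch fatal, `if (getuid() == 0) { fprintf(stderr, "Error: --noroot option cannot be used when starting the sandbox as root.\n"); exit(1); }`, and reserve `errout` for the kernel case. The function starts in the first hunk and its body continues into the second; since the commit message says only "cleanup", an intended relaxation would at least deserve a comment at the `errout:` label explaining why the sandbox proceeds without the user namespace.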
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 2be6948f0..3697b54b9 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -63,6 +63,13 @@ int profile_find(const char *name, const char *dir) {
63// run-time profiles 63// run-time profiles
64//*************************************************** 64//***************************************************
65 65
66static void warning_feature_disabled(const char *feature) {
67 if (!arg_quiet)
68 fprintf(stderr, "Warning: %s feature is disabled in Firejail configuration file\n", feature);
69}
70
71
72
66// check profile line; if line == 0, this was generated from a command line option 73// check profile line; if line == 0, this was generated from a command line option
67// return 1 if the command is to be added to the linked list of profile commands 74// return 1 if the command is to be added to the linked list of profile commands
68// return 0 if the command was already executed inside the function 75// return 0 if the command was already executed inside the function
@@ -130,8 +137,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
130#if HAVE_USERNS 137#if HAVE_USERNS
131 if (checkcfg(CFG_USERNS)) 138 if (checkcfg(CFG_USERNS))
132 check_user_namespace(); 139 check_user_namespace();
133 else if (!arg_quiet) 140 else
134 fprintf(stderr, "Warning: user namespace feature is disabled in Firejail configuration file\n"); 141 warning_feature_disabled("noroot");
135#endif 142#endif
136 143
137 return 0; 144 return 0;
@@ -144,8 +151,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
144#ifdef HAVE_SECCOMP 151#ifdef HAVE_SECCOMP
145 if (checkcfg(CFG_SECCOMP)) 152 if (checkcfg(CFG_SECCOMP))
146 arg_seccomp = 1; 153 arg_seccomp = 1;
147 else if (!arg_quiet) 154 else
148 fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); 155 warning_feature_disabled("seccomp");
149#endif 156#endif
150 return 0; 157 return 0;
151 } 158 }
@@ -175,8 +182,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
175 cfg.home_private_keep = ptr + 13; 182 cfg.home_private_keep = ptr + 13;
176 arg_private = 1; 183 arg_private = 1;
177 } 184 }
178 else if (!arg_quiet) 185 else
179 fprintf(stderr, "Warning: private-home is disabled in Firejail configuration file\n"); 186 warning_feature_disabled("private-home");
180#endif 187#endif
181 return 0; 188 return 0;
182 } 189 }
@@ -208,8 +215,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
208#ifdef HAVE_NETWORK 215#ifdef HAVE_NETWORK
209 if (checkcfg(CFG_NETWORK)) 216 if (checkcfg(CFG_NETWORK))
210 arg_netfilter = 1; 217 arg_netfilter = 1;
211 else if (!arg_quiet) 218 else
212 fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); 219 warning_feature_disabled("networking");
213#endif 220#endif
214 return 0; 221 return 0;
215 } 222 }
@@ -222,8 +229,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
222 errExit("strdup"); 229 errExit("strdup");
223 check_netfilter_file(arg_netfilter_file); 230 check_netfilter_file(arg_netfilter_file);
224 } 231 }
225 else if (!arg_quiet) 232 else
226 fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); 233 warning_feature_disabled("networking");
227#endif 234#endif
228 return 0; 235 return 0;
229 } 236 }
@@ -236,8 +243,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
236 errExit("strdup"); 243 errExit("strdup");
237 check_netfilter_file(arg_netfilter6_file); 244 check_netfilter_file(arg_netfilter6_file);
238 } 245 }
239 else if (!arg_quiet) 246 else
240 fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); 247 warning_feature_disabled("networking");
241#endif 248#endif
242 return 0; 249 return 0;
243 } 250 }
@@ -254,8 +261,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
254 cfg.interface2.configured = 0; 261 cfg.interface2.configured = 0;
255 cfg.interface3.configured = 0; 262 cfg.interface3.configured = 0;
256 } 263 }
257 else if (!arg_quiet) 264 else
258 fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); 265 warning_feature_disabled("networking");
259#endif 266#endif
260 return 0; 267 return 0;
261 } 268 }
@@ -295,8 +302,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
295 } 302 }
296 net_configure_bridge(br, ptr + 4); 303 net_configure_bridge(br, ptr + 4);
297 } 304 }
298 else if (!arg_quiet) 305 else
299 fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); 306 warning_feature_disabled("networking");
300#endif 307#endif
301 return 0; 308 return 0;
302 } 309 }
@@ -318,8 +325,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
318 exit(1); 325 exit(1);
319 } 326 }
320 } 327 }
321 else if (!arg_quiet) 328 else
322 fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); 329 warning_feature_disabled("networking");
323#endif 330#endif
324 return 0; 331 return 0;
325 } 332 }
@@ -363,8 +370,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
363 exit(1); 370 exit(1);
364 } 371 }
365 } 372 }
366 else if (!arg_quiet) 373 else
367 fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); 374 warning_feature_disabled("networking");
368#endif 375#endif
369 return 0; 376 return 0;
370 } 377 }
@@ -390,8 +397,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
390 exit(1); 397 exit(1);
391 } 398 }
392 } 399 }
393 else if (!arg_quiet) 400 else
394 fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); 401 warning_feature_disabled("networking");
395#endif 402#endif
396 return 0; 403 return 0;
397 } 404 }
@@ -410,8 +417,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
410 exit(1); 417 exit(1);
411 } 418 }
412 } 419 }
413 else if (!arg_quiet) 420 else
414 fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); 421 warning_feature_disabled("networking");
415#endif 422#endif
416 return 0; 423 return 0;
417 } 424 }
@@ -439,8 +446,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
439 } 446 }
440 } 447 }
441 } 448 }
442 else if (!arg_quiet) 449 else
443 fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); 450 warning_feature_disabled("networking");
444#endif 451#endif
445 return 0; 452 return 0;
446 } 453 }
@@ -467,8 +474,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
467// } 474// }
468 475
469 } 476 }
470 else if (!arg_quiet) 477 else
471 fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); 478 warning_feature_disabled("networking");
472#endif 479#endif
473 return 0; 480 return 0;
474 } 481 }
@@ -481,8 +488,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
481 exit(1); 488 exit(1);
482 } 489 }
483 } 490 }
484 else if (!arg_quiet) 491 else
485 fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); 492 warning_feature_disabled("networking");
486#endif 493#endif
487 return 0; 494 return 0;
488 } 495 }
@@ -508,8 +515,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
508 if (!cfg.protocol) 515 if (!cfg.protocol)
509 errExit("strdup"); 516 errExit("strdup");
510 } 517 }
511 else if (!arg_quiet) 518 else
512 fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); 519 warning_feature_disabled("seccomp");
513#endif 520#endif
514 return 0; 521 return 0;
515 } 522 }
@@ -531,7 +538,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
531 cfg.seccomp_list = seccomp_check_list(ptr + 8); 538 cfg.seccomp_list = seccomp_check_list(ptr + 8);
532 } 539 }
533 else if (!arg_quiet) 540 else if (!arg_quiet)
534 fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); 541 warning_feature_disabled("seccomp");
535#endif 542#endif
536 543
537 return 0; 544 return 0;
@@ -544,8 +551,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
544 arg_seccomp = 1; 551 arg_seccomp = 1;
545 cfg.seccomp_list_drop = seccomp_check_list(ptr + 13); 552 cfg.seccomp_list_drop = seccomp_check_list(ptr + 13);
546 } 553 }
547 else if (!arg_quiet) 554 else
548 fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); 555 warning_feature_disabled("seccomp");
549#endif 556#endif
550 return 0; 557 return 0;
551 } 558 }
@@ -557,8 +564,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
557 arg_seccomp = 1; 564 arg_seccomp = 1;
558 cfg.seccomp_list_keep= seccomp_check_list(ptr + 13); 565 cfg.seccomp_list_keep= seccomp_check_list(ptr + 13);
559 } 566 }
560 else if (!arg_quiet) 567 else
561 fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); 568 warning_feature_disabled("seccomp");
562#endif 569#endif
563 return 0; 570 return 0;
564 } 571 }
@@ -676,6 +683,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
676 exit(0); 683 exit(0);
677 } 684 }
678 } 685 }
686 else
687 warning_feature_disabled("x11");
679#endif 688#endif
680 return 0; 689 return 0;
681 } 690 }
@@ -684,10 +693,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
684#ifdef HAVE_X11 693#ifdef HAVE_X11
685 if (checkcfg(CFG_X11)) 694 if (checkcfg(CFG_X11))
686 arg_x11_xorg = 1; 695 arg_x11_xorg = 1;
687 else { 696 else
688 fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n"); 697 warning_feature_disabled("x11");
689 return 0;
690 }
691#endif 698#endif
692 return 0; 699 return 0;
693 } 700 }
@@ -705,6 +712,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
705 exit(0); 712 exit(0);
706 } 713 }
707 } 714 }
715 else
716 warning_feature_disabled("x11");
708#endif 717#endif
709 return 0; 718 return 0;
710 } 719 }
@@ -723,6 +732,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
723 exit(0); 732 exit(0);
724 } 733 }
725 } 734 }
735 else
736 warning_feature_disabled("x11");
726#endif 737#endif
727 return 0; 738 return 0;
728 } 739 }
@@ -795,13 +806,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
795 *(dname2 - 1) = ','; 806 *(dname2 - 1) = ',';
796 return 1; 807 return 1;
797 } 808 }
798 else if (!arg_quiet) { 809 else
799 fprintf(stderr, "Warning: bind feature is disabled in Firejail configuration file\n"); 810 warning_feature_disabled("bind");
800 return 0;
801 }
802#else
803 return 0;
804#endif 811#endif
812 return 0;
805 } 813 }
806 814
807 // rlimit 815 // rlimit
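--- /dev/null
+++ b/test/root/join.exp
@@ -0,0 +1,52 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+cd /home
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=jointesting --cpu=0 --nice=2\r"
+expect {
+ timeout {puts "TESTING ERROR 0\n";exit}
+ "Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --join=jointesting\r"
+expect {
+ timeout {puts "TESTING ERROR 1\n";exit}
+ "Switching to pid"
+}
+sleep 1
+send -- "ps aux\r"
+expect {
+ timeout {puts "TESTING ERROR 2\n";exit}
+ "/bin/bash"
+}
+expect {
+ timeout {puts "TESTING ERROR 3\n";exit}
+ "/bin/bash"
+}
+
+send -- "exit\r"
+sleep 1
+send -- "firejail --join-network=jointesting\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "Child process initialized"
+}
+send -- "exit\r"
+sleep 1
+send -- "firejail --join-filesystem=jointesting\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "Child process initialized"
+}
+
+after 100
+
+puts "\nall done\n"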
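Review bot: The shell joined by `firejail --join-filesystem=jointesting` near the end of the script is never left, and the `jointesting` sandbox started by the first spawn is never revisited, so the script reaches `all done` with both still alive and whatever root.sh runs next inherits them. The two earlier joins each send `exit\r` before the next command, so the last one should do the same: add `send -- "exit\r"` right after the `TESTING ERROR 5` expect block. The `ps aux` checks also match `/bin/bash` twice, which presumably only holds when `$env(SHELL)` is bash; a short comment stating that assumption next to `spawn $env(SHELL)` would help whoever runs this on another shell.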
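--- a/test/root/root.sh
+++ b/test/root/root.sh
@@ -57,6 +57,12 @@ echo "TESTING: fs whitelist mnt, opt, media (test/root/whitelist-mnt.exp)"
 ./whitelist.exp
 
 #********************************
+# utils
+#********************************
+echo "TESTING: join (test/root/join.exp)"
+./join.exp
+
+#********************************
 # seccomp
 #********************************
 echo "TESTING: seccomp umount (test/root/seccomp-umount.exp)"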
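Review bot: The banner comment of the new block reads `# utils`, but the block runs `./join.exp` from test/root and the echo on the next line names the test `join`; the label looks carried over from the test/utils copy of the script. Renaming it to `# join` keeps the banner consistent with the `# seccomp` block that follows and with the TESTING line, so a reader scanning root.sh sees what is exercised there.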
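--- a/test/utils/join.exp
+++ b/test/utils/join.exp
@@ -32,7 +32,20 @@ expect {
  "/bin/bash"
 }
 
-send -- "exit"
+send -- "exit\r"
+sleep 1
+send -- "firejail --join-network=jointesting\r"
+expect {
+ timeout {puts "TESTING ERROR 4\n";exit}
+ "is only available to root user"
+}
+after 100
+send -- "firejail --join-filesystem=jointesting\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ "is only available to root user"
+}
+
 after 100
 
 puts "\nall done\n"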