author | netblue30 <netblue30@yahoo.com> | 2016-12-19 08:02:35 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-12-19 08:02:35 -0500 |
commit | 0bac2767e3f5596b1a1adbb21028416fc933634c (patch) | |
tree | d5201c97168b2050bc5b4fce8c63334f1d3427aa | |
parent | profile updates (diff) | |
parent | Implement the --allow-private-blacklist option (diff) | |
Merge pull request #990 from pmillerchip/private-blacklist
Implement the --allow-private-blacklist option
-rw-r--r-- | src/firejail/firejail.h | 4 | ||||
-rw-r--r-- | src/firejail/fs.c | 9 | ||||
-rw-r--r-- | src/firejail/fs_etc.c | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 4 | ||||
-rw-r--r-- | src/firejail/usage.c | 4 |
5 files changed, 20 insertions, 2 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 8fede5a69..de939439d 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -208,7 +208,7 @@ typedef struct config_t { | |||
208 | char *bin_private_keep; // keep list for private bin directory | 208 | char *bin_private_keep; // keep list for private bin directory |
209 | char *cwd; // current working directory | 209 | char *cwd; // current working directory |
210 | char *overlay_dir; | 210 | char *overlay_dir; |
211 | char *private_template; // template dir for tmpfs home | 211 | char *private_template; // template dir for tmpfs home |
212 | 212 | ||
213 | // networking | 213 | // networking |
214 | char *name; // sandbox name | 214 | char *name; // sandbox name |
@@ -285,6 +285,7 @@ void clear_run_files(pid_t pid); | |||
285 | 285 | ||
286 | extern int arg_private; // mount private /home | 286 | extern int arg_private; // mount private /home |
287 | extern int arg_private_template; // private /home template | 287 | extern int arg_private_template; // private /home template |
288 | extern int arg_allow_private_blacklist; // blacklist things in private directories | ||
288 | extern int arg_debug; // print debug messages | 289 | extern int arg_debug; // print debug messages |
289 | extern int arg_debug_check_filename; // print debug messages for filename checking | 290 | extern int arg_debug_check_filename; // print debug messages for filename checking |
290 | extern int arg_debug_blacklists; // print debug messages for blacklists | 291 | extern int arg_debug_blacklists; // print debug messages for blacklists |
@@ -564,6 +565,7 @@ void network_del_run_file(pid_t pid); | |||
564 | void network_set_run_file(pid_t pid); | 565 | void network_set_run_file(pid_t pid); |
565 | 566 | ||
566 | // fs_etc.c | 567 | // fs_etc.c |
568 | void fs_machineid(void); | ||
567 | void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list); | 569 | void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list); |
568 | 570 | ||
569 | // no_sandbox.c | 571 | // no_sandbox.c |
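Review bot: The comment on the new extern at new line 288, `// blacklist things in private directories`, reads as if the flag causes blacklisting, whereas the flag re-enables blacklist entries that are otherwise skipped under the private home; suggest `extern int arg_allow_private_blacklist; // apply blacklist entries inside the private home (skipped by default with --private)`. The same comment text is used on the definition in main.c and should be changed together with it. The first hunk of this section (-208,7 +208,7) shows no differing line, so whatever changed there, likely whitespace, is not visible on this page.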
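--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -216,6 +216,15 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
 exit(1);
 }
 }
+
+// We don't usually need to blacklist things in private home directories
+if (okay_to_blacklist
+&& cfg.homedir
+&& arg_private
+&& (!arg_allow_private_blacklist)
+&& (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0))
+okay_to_blacklist = false;
+
 if (okay_to_blacklist)
 disable_file(op, path);
 else if (arg_debug)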
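Review bot: The new guard at new lines 221–225 exempts any path that merely starts with the bytes of cfg.homedir, so with a home of, for example, `/home/alice` a blacklist entry for `/home/alice2/...` or `/home/alice.bak` is also silently dropped whenever --private is in effect; compare the character after the prefix too, e.g. `size_t hl = strlen(cfg.homedir);` and `&& strncmp(path, cfg.homedir, hl) == 0 && (path[hl] == '\0' || path[hl] == '/'))`. The exemption also keys on arg_private alone; if the directory form of --private (not shown in this commit) sets the same flag, blacklist entries under the home path would be skipped even when a real directory is mounted there rather than a fresh tmpfs, which is worth confirming or narrowing. globbing() begins before and continues after this hunk.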
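--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -21,6 +21,7 @@
 #include <sys/mount.h>
 #include <sys/stat.h>
 #include <sys/types.h>
+#include <time.h>
 #include <unistd.h>
 
 // spoof /etc/machine_id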
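--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -112,6 +112,7 @@ int arg_x11_block = 0; // block X11
 int arg_x11_xorg = 0; // use X11 security extention
 int arg_allusers = 0; // all user home directories visible
 int arg_machineid = 0; // preserve /etc/machine-id
+int arg_allow_private_blacklist = 0; // blacklist things in private directories
 
 int login_shell = 0;
 
@@ -1463,6 +1464,9 @@ int main(int argc, char **argv) {
 else if (strcmp(argv[i], "--machine-id") == 0) {
 arg_machineid = 1;
 }
+else if (strcmp(argv[i], "--allow-private-blacklist") == 0) {
+arg_allow_private_blacklist = 1;
+}
 else if (strcmp(argv[i], "--private") == 0) {
 arg_private = 1;
 }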
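Review bot: The new flag at new line 1467 is settable only from the command line; the diffstat lists no change to profile parsing or to any bundled profile, so a profile that blacklists paths under the home directory has no way to opt back in on its own once --private is given, and the man page is not touched either. If that is intended, a comment on the definition at new line 115 such as `// command-line only; no profile keyword` would save the next reader a search; if not, the profile parser needs a matching keyword. main() begins before and continues after the second hunk.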
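--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -30,12 +30,14 @@ void usage(void) {
 printf("Options:\n");
 printf(" -- - signal the end of options and disables further option processing.\n");
 printf(" --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n");
+printf(" --allow-private-blacklist - allow blacklisting things in private\n");
+printf("\tdirectories.\n");
 printf(" --allusers - all user home directories are visible inside the sandbox.\n");
 printf(" --apparmor - enable AppArmor confinement.\n");
 printf(" --appimage - sandbox an AppImage application.\n");
 printf(" --audit[=test-program] - audit the sandbox.\n");
 #ifdef HAVE_NETWORK
-printf(" --bandwidth=name|pid - set bandwidth limits\n");
+printf(" --bandwidth=name|pid - set bandwidth limits.\n");
 #endif
 #ifdef HAVE_BIND
 printf(" --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n");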
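Review bot: The help text at new lines 33–34 says what the option allows but not that blacklist entries under the private home are otherwise ignored, which is the security-relevant part for anyone reading --help; suggest `printf("    --allow-private-blacklist - apply blacklist entries inside the private home\n");` followed by `printf("\tdirectory (skipped by default when --private is used).\n");`. It is also the only entry in this list split over two printf calls with a tab continuation, unlike its neighbours, so a single line would match the surrounding style. usage() begins before and continues after this hunk.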