author | SYN-cook <vinumconsult@posteo.de> | 2016-12-27 20:33:14 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-12-27 20:33:14 +0100 |
commit | 702e15dfcb0f1028c25933328a376cbfab98b0ac (patch) | |
tree | 16109908b0fc81b0465c3c6ac13769c7b7e0ed59 | |
parent | don't whitelist keepassx in browser profiles (diff) | |
parent | fixes (diff) | |
download | firejail-702e15dfcb0f1028c25933328a376cbfab98b0ac.tar.gz firejail-702e15dfcb0f1028c25933328a376cbfab98b0ac.tar.zst firejail-702e15dfcb0f1028c25933328a376cbfab98b0ac.zip |
Merge pull request #1 from netblue30/master
merge upstream
-rw-r--r-- | README | 7 | ||||
-rw-r--r-- | etc/7z.profile | 5 | ||||
-rw-r--r-- | etc/atool.profile | 3 | ||||
-rw-r--r-- | etc/cpio.profile | 3 | ||||
-rw-r--r-- | etc/elinks.profile | 3 | ||||
-rw-r--r-- | etc/exiftool.profile | 3 | ||||
-rw-r--r-- | etc/git.profile | 4 | ||||
-rw-r--r-- | etc/gnome-mplayer.profile | 2 | ||||
-rw-r--r-- | etc/gpg-agent.profile | 3 | ||||
-rw-r--r-- | etc/gpg.profile | 3 | ||||
-rw-r--r-- | etc/highlight.profile | 4 | ||||
-rw-r--r-- | etc/less.profile | 3 | ||||
-rw-r--r-- | etc/lynx.profile | 3 | ||||
-rw-r--r-- | etc/mediainfo.profile | 3 | ||||
-rw-r--r-- | etc/mutt.profile | 3 | ||||
-rw-r--r-- | etc/odt2txt.profile | 3 | ||||
-rw-r--r-- | etc/pdftotext.profile | 3 | ||||
-rw-r--r-- | etc/ssh-agent.profile | 3 | ||||
-rw-r--r-- | etc/strings.profile | 3 | ||||
-rw-r--r-- | etc/tracker.profile | 3 | ||||
-rw-r--r-- | etc/w3m.profile | 3 | ||||
-rw-r--r-- | etc/wget.profile | 2 | ||||
-rw-r--r-- | etc/xpra.profile | 2 | ||||
-rw-r--r-- | src/firejail/cmdline.c | 2 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 3 | ||||
-rw-r--r-- | src/firejail/main.c | 53 | ||||
-rw-r--r-- | src/firejail/profile.c | 34 | ||||
-rwxr-xr-x | test/fs/whitelist-dev.exp | 3 |
28 files changed, 147 insertions, 22 deletions
@@ -97,6 +97,13 @@ valoq (https://github.com/valoq) | |||
97 | - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles | 97 | - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles |
98 | - added wget profile | 98 | - added wget profile |
99 | - disable gnupg and systemd directories under /run/user | 99 | - disable gnupg and systemd directories under /run/user |
100 | eventyrer (https://github.com/eventyrer) | ||
101 | - update gnome-mplayer.profile | ||
102 | thewisenerd (https://github.com/thewisenerd) | ||
103 | - allow multiple private-home commands | ||
104 | - use $SHELL variable if the shell is not specified | ||
105 | SYN-cook (https://github.com/SYN-cook) | ||
106 | - keepass/keepassx browser fixes | ||
100 | thewisenerd (https://github.com/thewisenerd) | 107 | thewisenerd (https://github.com/thewisenerd) |
101 | - appimage: pass commandline arguments | 108 | - appimage: pass commandline arguments |
102 | KOLANICH (https://github.com/KOLANICH) | 109 | KOLANICH (https://github.com/KOLANICH) |
diff --git a/etc/7z.profile b/etc/7z.profile index 0cb72ff8d..319126540 100644 --- a/etc/7z.profile +++ b/etc/7z.profile | |||
@@ -1,9 +1,14 @@ | |||
1 | # 7zip crompression tool profile | 1 | # 7zip crompression tool profile |
2 | quiet | 2 | quiet |
3 | ignore noroot | 3 | ignore noroot |
4 | |||
4 | include /etc/firejail/default.profile | 5 | include /etc/firejail/default.profile |
6 | |||
7 | blacklist /tmp/.X11-unix | ||
8 | |||
5 | tracelog | 9 | tracelog |
6 | net none | 10 | net none |
7 | shell none | 11 | shell none |
8 | private-dev | 12 | private-dev |
9 | nosound | 13 | nosound |
14 | no3d | ||
diff --git a/etc/atool.profile b/etc/atool.profile index 3fbfb9fc7..578a88fc7 100644 --- a/etc/atool.profile +++ b/etc/atool.profile | |||
@@ -13,9 +13,12 @@ protocol unix | |||
13 | seccomp | 13 | seccomp |
14 | netfilter | 14 | netfilter |
15 | net none | 15 | net none |
16 | no3d | ||
16 | shell none | 17 | shell none |
17 | tracelog | 18 | tracelog |
18 | 19 | ||
20 | blacklist /tmp/.X11-unix | ||
21 | |||
19 | # private-bin atool | 22 | # private-bin atool |
20 | private-tmp | 23 | private-tmp |
21 | private-dev | 24 | private-dev |
diff --git a/etc/cpio.profile b/etc/cpio.profile index 519bd244c..cf89acdac 100644 --- a/etc/cpio.profile +++ b/etc/cpio.profile | |||
@@ -16,6 +16,7 @@ shell none | |||
16 | tracelog | 16 | tracelog |
17 | net none | 17 | net none |
18 | nosound | 18 | nosound |
19 | no3d | ||
19 | 20 | ||
20 | 21 | blacklist /tmp/.X11-unix | |
21 | 22 | ||
diff --git a/etc/elinks.profile b/etc/elinks.profile index df817ea56..ade15f203 100644 --- a/etc/elinks.profile +++ b/etc/elinks.profile | |||
@@ -11,12 +11,15 @@ nogroups | |||
11 | nonewprivs | 11 | nonewprivs |
12 | noroot | 12 | noroot |
13 | nosound | 13 | nosound |
14 | no3d | ||
14 | protocol unix,inet,inet6 | 15 | protocol unix,inet,inet6 |
15 | seccomp | 16 | seccomp |
16 | netfilter | 17 | netfilter |
17 | shell none | 18 | shell none |
18 | tracelog | 19 | tracelog |
19 | 20 | ||
21 | blacklist /tmp/.X11-unix | ||
22 | |||
20 | # private-bin elinks | 23 | # private-bin elinks |
21 | private-tmp | 24 | private-tmp |
22 | private-dev | 25 | private-dev |
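Review bot: `blacklist /tmp/.X11-unix` on new line 21 hides only the filesystem socket directory, and this profile keeps `protocol unix,inet,inet6` with no `net none` visible in the hunk, so an X server that also listens on the abstract socket may remain reachable from inside the jail; abstract sockets are scoped by the network namespace, not by the filesystem. The same applies to the git, gpg-agent, lynx, mutt, ssh-agent, tracker, w3m and wget sections, while the profiles whose hunks show `net none` (7z, atool, cpio, exiftool, gpg, highlight, less, mediainfo, odt2txt, pdftotext, strings) are not affected. I would add a comment above the directive, `# blocks the X11 filesystem socket only; the abstract socket needs a separate network namespace or an X server started with -nolisten local`, so readers do not assume X11 is fully cut off. Only part of each profile is visible, so a network directive outside the hunk would change this.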
diff --git a/etc/exiftool.profile b/etc/exiftool.profile index 384695473..1cae8c093 100644 --- a/etc/exiftool.profile +++ b/etc/exiftool.profile | |||
@@ -17,9 +17,12 @@ protocol unix | |||
17 | seccomp | 17 | seccomp |
18 | netfilter | 18 | netfilter |
19 | net none | 19 | net none |
20 | no3d | ||
20 | shell none | 21 | shell none |
21 | tracelog | 22 | tracelog |
22 | 23 | ||
24 | blacklist /tmp/.X11-unix | ||
25 | |||
23 | # private-bin exiftool,perl | 26 | # private-bin exiftool,perl |
24 | private-tmp | 27 | private-tmp |
25 | private-dev | 28 | private-dev |
diff --git a/etc/git.profile b/etc/git.profile index d60e58c03..80e534e20 100644 --- a/etc/git.profile +++ b/etc/git.profile | |||
@@ -12,15 +12,17 @@ include /etc/firejail/disable-common.inc | |||
12 | include /etc/firejail/disable-programs.inc | 12 | include /etc/firejail/disable-programs.inc |
13 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
14 | 14 | ||
15 | |||
16 | caps.drop all | 15 | caps.drop all |
17 | netfilter | 16 | netfilter |
18 | nogroups | 17 | nogroups |
19 | nonewprivs | 18 | nonewprivs |
20 | noroot | 19 | noroot |
21 | nosound | 20 | nosound |
21 | no3d | ||
22 | protocol unix,inet,inet6 | 22 | protocol unix,inet,inet6 |
23 | seccomp | 23 | seccomp |
24 | shell none | 24 | shell none |
25 | 25 | ||
26 | blacklist /tmp/.X11-unix | ||
27 | |||
26 | private-dev | 28 | private-dev |
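--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -12,6 +12,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 
-private-bin gnome-mplayer
+private-bin gnome-mplayer,mplayer
 private-dev
 private-tmp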
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile index b0ebdf43c..59c7383d7 100644 --- a/etc/gpg-agent.profile +++ b/etc/gpg-agent.profile | |||
@@ -14,9 +14,12 @@ nosound | |||
14 | protocol unix | 14 | protocol unix |
15 | seccomp | 15 | seccomp |
16 | netfilter | 16 | netfilter |
17 | no3d | ||
17 | shell none | 18 | shell none |
18 | tracelog | 19 | tracelog |
19 | 20 | ||
21 | blacklist /tmp/.X11-unix | ||
22 | |||
20 | # private-bin gpg-agent,gpg | 23 | # private-bin gpg-agent,gpg |
21 | private-tmp | 24 | private-tmp |
22 | private-dev | 25 | private-dev |
diff --git a/etc/gpg.profile b/etc/gpg.profile index 31372eb90..d711c6f3e 100644 --- a/etc/gpg.profile +++ b/etc/gpg.profile | |||
@@ -15,9 +15,12 @@ protocol unix | |||
15 | seccomp | 15 | seccomp |
16 | netfilter | 16 | netfilter |
17 | net none | 17 | net none |
18 | no3d | ||
18 | shell none | 19 | shell none |
19 | tracelog | 20 | tracelog |
20 | 21 | ||
22 | blacklist /tmp/.X11-unix | ||
23 | |||
21 | # private-bin gpg,gpg-agent | 24 | # private-bin gpg,gpg-agent |
22 | private-tmp | 25 | private-tmp |
23 | private-dev | 26 | private-dev |
diff --git a/etc/highlight.profile b/etc/highlight.profile index f95f3924a..4bab18349 100644 --- a/etc/highlight.profile +++ b/etc/highlight.profile | |||
@@ -13,10 +13,14 @@ protocol unix | |||
13 | seccomp | 13 | seccomp |
14 | netfilter | 14 | netfilter |
15 | net none | 15 | net none |
16 | no3d | ||
16 | shell none | 17 | shell none |
17 | tracelog | 18 | tracelog |
18 | 19 | ||
20 | blacklist /tmp/.X11-unix | ||
21 | |||
19 | private-bin highlight | 22 | private-bin highlight |
23 | # private-etc none | ||
20 | private-tmp | 24 | private-tmp |
21 | private-dev | 25 | private-dev |
22 | 26 | ||
diff --git a/etc/less.profile b/etc/less.profile index 08758aead..c01dfc466 100644 --- a/etc/less.profile +++ b/etc/less.profile | |||
@@ -5,7 +5,10 @@ include /etc/firejail/default.profile | |||
5 | 5 | ||
6 | net none | 6 | net none |
7 | nosound | 7 | nosound |
8 | no3d | ||
8 | shell none | 9 | shell none |
9 | tracelog | 10 | tracelog |
10 | 11 | ||
12 | blacklist /tmp/.X11-unix | ||
13 | |||
11 | private-dev | 14 | private-dev |
diff --git a/etc/lynx.profile b/etc/lynx.profile index 6e150f62e..3e8d72103 100644 --- a/etc/lynx.profile +++ b/etc/lynx.profile | |||
@@ -9,12 +9,15 @@ nogroups | |||
9 | nonewprivs | 9 | nonewprivs |
10 | noroot | 10 | noroot |
11 | nosound | 11 | nosound |
12 | no3d | ||
12 | protocol unix,inet,inet6 | 13 | protocol unix,inet,inet6 |
13 | seccomp | 14 | seccomp |
14 | netfilter | 15 | netfilter |
15 | shell none | 16 | shell none |
16 | tracelog | 17 | tracelog |
17 | 18 | ||
19 | blacklist /tmp/.X11-unix | ||
20 | |||
18 | # private-bin lynx | 21 | # private-bin lynx |
19 | private-tmp | 22 | private-tmp |
20 | private-dev | 23 | private-dev |
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile index c07a9a9e8..65d12c49e 100644 --- a/etc/mediainfo.profile +++ b/etc/mediainfo.profile | |||
@@ -9,6 +9,7 @@ nogroups | |||
9 | nonewprivs | 9 | nonewprivs |
10 | noroot | 10 | noroot |
11 | nosound | 11 | nosound |
12 | no3d | ||
12 | protocol unix | 13 | protocol unix |
13 | seccomp | 14 | seccomp |
14 | netfilter | 15 | netfilter |
@@ -16,6 +17,8 @@ net none | |||
16 | shell none | 17 | shell none |
17 | tracelog | 18 | tracelog |
18 | 19 | ||
20 | blacklist /tmp/.X11-unix | ||
21 | |||
19 | private-bin mediainfo | 22 | private-bin mediainfo |
20 | private-tmp | 23 | private-tmp |
21 | private-dev | 24 | private-dev |
diff --git a/etc/mutt.profile b/etc/mutt.profile index 2718421c5..5a714de4a 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile | |||
@@ -33,8 +33,11 @@ nogroups | |||
33 | nonewprivs | 33 | nonewprivs |
34 | noroot | 34 | noroot |
35 | nosound | 35 | nosound |
36 | no3d | ||
36 | protocol unix,inet,inet6 | 37 | protocol unix,inet,inet6 |
37 | seccomp | 38 | seccomp |
38 | shell none | 39 | shell none |
39 | 40 | ||
41 | blacklist /tmp/.X11-unix | ||
42 | |||
40 | private-dev | 43 | private-dev |
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile index 329275022..c4e28f70e 100644 --- a/etc/odt2txt.profile +++ b/etc/odt2txt.profile | |||
@@ -13,9 +13,12 @@ protocol unix | |||
13 | seccomp | 13 | seccomp |
14 | netfilter | 14 | netfilter |
15 | net none | 15 | net none |
16 | no3d | ||
16 | shell none | 17 | shell none |
17 | tracelog | 18 | tracelog |
18 | 19 | ||
20 | blacklist /tmp/.X11-unix | ||
21 | |||
19 | private-bin odt2txt | 22 | private-bin odt2txt |
20 | private-tmp | 23 | private-tmp |
21 | private-dev | 24 | private-dev |
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile index 632c9d15e..fe9e9e3cd 100644 --- a/etc/pdftotext.profile +++ b/etc/pdftotext.profile | |||
@@ -13,9 +13,12 @@ protocol unix | |||
13 | seccomp | 13 | seccomp |
14 | netfilter | 14 | netfilter |
15 | net none | 15 | net none |
16 | no3d | ||
16 | shell none | 17 | shell none |
17 | tracelog | 18 | tracelog |
18 | 19 | ||
20 | blacklist /tmp/.X11-unix | ||
21 | |||
19 | private-bin pdftotext | 22 | private-bin pdftotext |
20 | private-tmp | 23 | private-tmp |
21 | private-dev | 24 | private-dev |
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile index 548ede37d..bea3a6061 100644 --- a/etc/ssh-agent.profile +++ b/etc/ssh-agent.profile | |||
@@ -12,5 +12,8 @@ caps.drop all | |||
12 | netfilter | 12 | netfilter |
13 | nonewprivs | 13 | nonewprivs |
14 | noroot | 14 | noroot |
15 | no3d | ||
15 | protocol unix,inet,inet6 | 16 | protocol unix,inet,inet6 |
16 | seccomp | 17 | seccomp |
18 | |||
19 | blacklist /tmp/.X11-unix | ||
diff --git a/etc/strings.profile b/etc/strings.profile index 2b7724b11..2bbab1366 100644 --- a/etc/strings.profile +++ b/etc/strings.profile | |||
@@ -7,5 +7,6 @@ net none | |||
7 | nosound | 7 | nosound |
8 | shell none | 8 | shell none |
9 | tracelog | 9 | tracelog |
10 | |||
11 | private-dev | 10 | private-dev |
11 | no3d | ||
12 | blacklist /tmp/.X11-unix | ||
diff --git a/etc/tracker.profile b/etc/tracker.profile index 217631216..7f4f371eb 100644 --- a/etc/tracker.profile +++ b/etc/tracker.profile | |||
@@ -12,12 +12,15 @@ nogroups | |||
12 | nonewprivs | 12 | nonewprivs |
13 | noroot | 13 | noroot |
14 | nosound | 14 | nosound |
15 | no3d | ||
15 | protocol unix | 16 | protocol unix |
16 | seccomp | 17 | seccomp |
17 | netfilter | 18 | netfilter |
18 | shell none | 19 | shell none |
19 | tracelog | 20 | tracelog |
20 | 21 | ||
22 | blacklist /tmp/.X11-unix | ||
23 | |||
21 | # private-bin tracker | 24 | # private-bin tracker |
22 | # private-tmp | 25 | # private-tmp |
23 | # private-dev | 26 | # private-dev |
diff --git a/etc/w3m.profile b/etc/w3m.profile index d765217cf..7ee91bb70 100644 --- a/etc/w3m.profile +++ b/etc/w3m.profile | |||
@@ -11,12 +11,15 @@ nogroups | |||
11 | nonewprivs | 11 | nonewprivs |
12 | noroot | 12 | noroot |
13 | nosound | 13 | nosound |
14 | no3d | ||
14 | protocol unix,inet,inet6 | 15 | protocol unix,inet,inet6 |
15 | seccomp | 16 | seccomp |
16 | netfilter | 17 | netfilter |
17 | shell none | 18 | shell none |
18 | tracelog | 19 | tracelog |
19 | 20 | ||
21 | blacklist /tmp/.X11-unix | ||
22 | |||
20 | # private-bin w3m | 23 | # private-bin w3m |
21 | private-tmp | 24 | private-tmp |
22 | private-dev | 25 | private-dev |
diff --git a/etc/wget.profile b/etc/wget.profile index d9bca2acc..ff4b92bae 100644 --- a/etc/wget.profile +++ b/etc/wget.profile | |||
@@ -10,10 +10,12 @@ nonewprivs | |||
10 | noroot | 10 | noroot |
11 | nogroups | 11 | nogroups |
12 | nosound | 12 | nosound |
13 | no3d | ||
13 | protocol unix,inet,inet6 | 14 | protocol unix,inet,inet6 |
14 | seccomp | 15 | seccomp |
15 | shell none | 16 | shell none |
16 | 17 | ||
18 | blacklist /tmp/.X11-unix | ||
17 | 19 | ||
18 | # private-bin wget | 20 | # private-bin wget |
19 | # private-etc resolv.conf | 21 | # private-etc resolv.conf |
diff --git a/etc/xpra.profile b/etc/xpra.profile index 8584e4e5b..32be90b19 100644 --- a/etc/xpra.profile +++ b/etc/xpra.profile | |||
@@ -14,6 +14,8 @@ shell none | |||
14 | seccomp | 14 | seccomp |
15 | protocol unix,inet,inet6 | 15 | protocol unix,inet,inet6 |
16 | 16 | ||
17 | # blacklist /tmp/.X11-unix | ||
18 | |||
17 | # private-bin | 19 | # private-bin |
18 | private-dev | 20 | private-dev |
19 | private-tmp | 21 | private-tmp |
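--- a/src/firejail/cmdline.c
+++ b/src/firejail/cmdline.c
@@ -163,7 +163,7 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
 // the program should exit with an error before entering this function
 assert(index != -1);
 
-unsigned argcount = argc - index;
+// unsigned argcount = argc - index;
 
 int len1 = cmdline_length(argc, argv, index); // length of argv w/o changes
 int len2 = cmdline_length(1, &argv[index], 0); // apptest.AppImage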
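Review bot: The unused `argcount` on new line 166 is commented out rather than deleted, which leaves dead code in build_appimage_cmdline(); removing the line keeps the function readable, and version control retains the history. The function body starts and ends outside the hunk, so whether anything else still refers to `argcount` cannot be checked from here.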
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index b10858411..0970642db 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -95,9 +95,10 @@ static char *resolve_downloads(void) { | |||
95 | if (asprintf(&fname, "%s/%s", cfg.homedir, ptr1) == -1) | 95 | if (asprintf(&fname, "%s/%s", cfg.homedir, ptr1) == -1) |
96 | errExit("asprintf"); | 96 | errExit("asprintf"); |
97 | 97 | ||
98 | if (stat(fname, &s) == -1) | 98 | if (stat(fname, &s) == -1) { |
99 | free(fname); | 99 | free(fname); |
100 | goto errout; | 100 | goto errout; |
101 | } | ||
101 | 102 | ||
102 | char *rv; | 103 | char *rv; |
103 | if (asprintf(&rv, "whitelist ~/%s", ptr + 24) == -1) | 104 | if (asprintf(&rv, "whitelist ~/%s", ptr + 24) == -1) |
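Review bot: With the braces added, the code after the `stat()` check in resolve_downloads() becomes reachable when the path exists (before, `goto errout` ran unconditionally), and the visible lines do not release `fname` on that path; if nothing below the hunk does, add `free(fname);` once the `asprintf(&rv, ...)` call has succeeded. The offset in `ptr + 24` is also unexplained, and a comment such as `// skip the 24-character matched prefix to get the path relative to $HOME` would help, assuming that is what the offset represents. The function continues past the end of the hunk, so both points need confirming against the full body.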
diff --git a/src/firejail/main.c b/src/firejail/main.c index 15820f7dd..e70e20eec 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -754,12 +754,21 @@ static void delete_x11_file(pid_t pid) { | |||
754 | 754 | ||
755 | char *guess_shell(void) { | 755 | char *guess_shell(void) { |
756 | char *shell = NULL; | 756 | char *shell = NULL; |
757 | struct stat s; | ||
758 | |||
759 | shell = getenv("SHELL"); | ||
760 | if (shell) { | ||
761 | // TODO: handle rogue shell variables? | ||
762 | if (stat(shell, &s) == 0 && access(shell, R_OK) == 0) { | ||
763 | return shell; | ||
764 | } | ||
765 | } | ||
766 | |||
757 | // shells in order of preference | 767 | // shells in order of preference |
758 | char *shells[] = {"/bin/bash", "/bin/csh", "/usr/bin/zsh", "/bin/sh", "/bin/ash", NULL }; | 768 | char *shells[] = {"/bin/bash", "/bin/csh", "/usr/bin/zsh", "/bin/sh", "/bin/ash", NULL }; |
759 | 769 | ||
760 | int i = 0; | 770 | int i = 0; |
761 | while (shells[i] != NULL) { | 771 | while (shells[i] != NULL) { |
762 | struct stat s; | ||
763 | // access call checks as real UID/GID, not as effective UID/GID | 772 | // access call checks as real UID/GID, not as effective UID/GID |
764 | if (stat(shells[i], &s) == 0 && access(shells[i], R_OK) == 0) { | 773 | if (stat(shells[i], &s) == 0 && access(shells[i], R_OK) == 0) { |
765 | shell = shells[i]; | 774 | shell = shells[i]; |
@@ -1500,7 +1509,15 @@ int main(int argc, char **argv) { | |||
1500 | } | 1509 | } |
1501 | 1510 | ||
1502 | // extract private home dirname | 1511 | // extract private home dirname |
1503 | cfg.home_private_keep = argv[i] + 15; | 1512 | if (*(argv[i] + 15) == '\0') { |
1513 | fprintf(stderr, "Error: invalid private-home option\n"); | ||
1514 | exit(1); | ||
1515 | } | ||
1516 | if (cfg.home_private_keep) { | ||
1517 | if ( asprintf(&cfg.home_private_keep, "%s,%s", cfg.home_private_keep, argv[i] + 15) < 0 ) | ||
1518 | errExit("asprintf"); | ||
1519 | } else | ||
1520 | cfg.home_private_keep = argv[i] + 15; | ||
1504 | arg_private = 1; | 1521 | arg_private = 1; |
1505 | } | 1522 | } |
1506 | else | 1523 | else |
@@ -1517,38 +1534,54 @@ int main(int argc, char **argv) { | |||
1517 | } | 1534 | } |
1518 | 1535 | ||
1519 | // extract private etc list | 1536 | // extract private etc list |
1520 | cfg.etc_private_keep = argv[i] + 14; | 1537 | if (*(argv[i] + 14) == '\0') { |
1521 | if (*cfg.etc_private_keep == '\0') { | ||
1522 | fprintf(stderr, "Error: invalid private-etc option\n"); | 1538 | fprintf(stderr, "Error: invalid private-etc option\n"); |
1523 | exit(1); | 1539 | exit(1); |
1524 | } | 1540 | } |
1541 | if (cfg.etc_private_keep) { | ||
1542 | if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, argv[i] + 14) < 0 ) | ||
1543 | errExit("asprintf"); | ||
1544 | } else | ||
1545 | cfg.etc_private_keep = argv[i] + 14; | ||
1525 | arg_private_etc = 1; | 1546 | arg_private_etc = 1; |
1526 | } | 1547 | } |
1527 | else if (strncmp(argv[i], "--private-opt=", 14) == 0) { | 1548 | else if (strncmp(argv[i], "--private-opt=", 14) == 0) { |
1528 | // extract private opt list | 1549 | // extract private opt list |
1529 | cfg.opt_private_keep = argv[i] + 14; | 1550 | if (*(argv[i] + 14) == '\0') { |
1530 | if (*cfg.opt_private_keep == '\0') { | ||
1531 | fprintf(stderr, "Error: invalid private-opt option\n"); | 1551 | fprintf(stderr, "Error: invalid private-opt option\n"); |
1532 | exit(1); | 1552 | exit(1); |
1533 | } | 1553 | } |
1554 | if (cfg.opt_private_keep) { | ||
1555 | if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, argv[i] + 14) < 0 ) | ||
1556 | errExit("asprintf"); | ||
1557 | } else | ||
1558 | cfg.opt_private_keep = argv[i] + 14; | ||
1534 | arg_private_opt = 1; | 1559 | arg_private_opt = 1; |
1535 | } | 1560 | } |
1536 | else if (strncmp(argv[i], "--private-srv=", 14) == 0) { | 1561 | else if (strncmp(argv[i], "--private-srv=", 14) == 0) { |
1537 | // extract private srv list | 1562 | // extract private srv list |
1538 | cfg.srv_private_keep = argv[i] + 14; | 1563 | if (*(argv[i] + 14) == '\0') { |
1539 | if (*cfg.srv_private_keep == '\0') { | ||
1540 | fprintf(stderr, "Error: invalid private-etc option\n"); | 1564 | fprintf(stderr, "Error: invalid private-etc option\n"); |
1541 | exit(1); | 1565 | exit(1); |
1542 | } | 1566 | } |
1567 | if (cfg.srv_private_keep) { | ||
1568 | if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, argv[i] + 14) < 0 ) | ||
1569 | errExit("asprintf"); | ||
1570 | } else | ||
1571 | cfg.srv_private_keep = argv[i] + 14; | ||
1543 | arg_private_srv = 1; | 1572 | arg_private_srv = 1; |
1544 | } | 1573 | } |
1545 | else if (strncmp(argv[i], "--private-bin=", 14) == 0) { | 1574 | else if (strncmp(argv[i], "--private-bin=", 14) == 0) { |
1546 | // extract private bin list | 1575 | // extract private bin list |
1547 | cfg.bin_private_keep = argv[i] + 14; | 1576 | if (*(argv[i] + 14) == '\0') { |
1548 | if (*cfg.bin_private_keep == '\0') { | ||
1549 | fprintf(stderr, "Error: invalid private-bin option\n"); | 1577 | fprintf(stderr, "Error: invalid private-bin option\n"); |
1550 | exit(1); | 1578 | exit(1); |
1551 | } | 1579 | } |
1580 | if (cfg.bin_private_keep) { | ||
1581 | if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, argv[i] + 14) < 0 ) | ||
1582 | errExit("asprintf"); | ||
1583 | } else | ||
1584 | cfg.bin_private_keep = argv[i] + 14; | ||
1552 | arg_private_bin = 1; | 1585 | arg_private_bin = 1; |
1553 | } | 1586 | } |
1554 | else if (strcmp(argv[i], "--private-tmp") == 0) { | 1587 | else if (strcmp(argv[i], "--private-tmp") == 0) { |
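Review bot: guess_shell() now returns `$SHELL` after checking only `stat()` and `access(shell, R_OK)` on new line 762, so any readable path (a directory, a non-executable file, a relative path) is accepted from an environment the caller controls, and the TODO on new line 761 leaves that open. Tightening the test to `if (shell[0] == '/' && stat(shell, &s) == 0 && S_ISREG(s.st_mode) && access(shell, X_OK) == 0)` would at least require an absolute, executable regular file; comparing against the `shells[]` list would be stricter. The returned pointer also aliases the environment block, so it stays valid only as long as nothing later modifies `SHELL`, which the hunk does not show. Separately, the `--private-srv=` branch still prints `Error: invalid private-etc option\n` on new line 1564. guess_shell() and main() both continue outside the hunks.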
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index da3daf95a..fab4f1efa 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -179,7 +179,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
179 | if (strncmp(ptr, "private-home ", 13) == 0) { | 179 | if (strncmp(ptr, "private-home ", 13) == 0) { |
180 | #ifdef HAVE_PRIVATE_HOME | 180 | #ifdef HAVE_PRIVATE_HOME |
181 | if (checkcfg(CFG_PRIVATE_HOME)) { | 181 | if (checkcfg(CFG_PRIVATE_HOME)) { |
182 | cfg.home_private_keep = ptr + 13; | 182 | if (cfg.home_private_keep) { |
183 | if ( asprintf(&cfg.home_private_keep, "%s,%s", cfg.home_private_keep, ptr + 13) < 0 ) | ||
184 | errExit("asprintf"); | ||
185 | } else | ||
186 | cfg.home_private_keep = ptr + 13; | ||
183 | arg_private = 1; | 187 | arg_private = 1; |
184 | } | 188 | } |
185 | else | 189 | else |
@@ -748,7 +752,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
748 | fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); | 752 | fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); |
749 | exit(1); | 753 | exit(1); |
750 | } | 754 | } |
751 | cfg.etc_private_keep = ptr + 12; | 755 | if (cfg.etc_private_keep) { |
756 | if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, ptr + 12) < 0 ) | ||
757 | errExit("asprintf"); | ||
758 | } else { | ||
759 | cfg.etc_private_keep = ptr + 12; | ||
760 | } | ||
752 | arg_private_etc = 1; | 761 | arg_private_etc = 1; |
753 | 762 | ||
754 | return 0; | 763 | return 0; |
@@ -756,7 +765,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
756 | 765 | ||
757 | // private /opt list of files and directories | 766 | // private /opt list of files and directories |
758 | if (strncmp(ptr, "private-opt ", 12) == 0) { | 767 | if (strncmp(ptr, "private-opt ", 12) == 0) { |
759 | cfg.opt_private_keep = ptr + 12; | 768 | if (cfg.opt_private_keep) { |
769 | if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, ptr + 12) < 0 ) | ||
770 | errExit("asprintf"); | ||
771 | } else { | ||
772 | cfg.opt_private_keep = ptr + 12; | ||
773 | } | ||
760 | arg_private_opt = 1; | 774 | arg_private_opt = 1; |
761 | 775 | ||
762 | return 0; | 776 | return 0; |
@@ -764,7 +778,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
764 | 778 | ||
765 | // private /srv list of files and directories | 779 | // private /srv list of files and directories |
766 | if (strncmp(ptr, "private-srv ", 12) == 0) { | 780 | if (strncmp(ptr, "private-srv ", 12) == 0) { |
767 | cfg.srv_private_keep = ptr + 12; | 781 | if (cfg.srv_private_keep) { |
782 | if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, ptr + 12) < 0 ) | ||
783 | errExit("asprintf"); | ||
784 | } else { | ||
785 | cfg.srv_private_keep = ptr + 12; | ||
786 | } | ||
768 | arg_private_srv = 1; | 787 | arg_private_srv = 1; |
769 | 788 | ||
770 | return 0; | 789 | return 0; |
@@ -772,7 +791,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
772 | 791 | ||
773 | // private /bin list of files | 792 | // private /bin list of files |
774 | if (strncmp(ptr, "private-bin ", 12) == 0) { | 793 | if (strncmp(ptr, "private-bin ", 12) == 0) { |
775 | cfg.bin_private_keep = ptr + 12; | 794 | if (cfg.bin_private_keep) { |
795 | if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, ptr + 12) < 0 ) | ||
796 | errExit("asprintf"); | ||
797 | } else { | ||
798 | cfg.bin_private_keep = ptr + 12; | ||
799 | } | ||
776 | arg_private_bin = 1; | 800 | arg_private_bin = 1; |
777 | return 0; | 801 | return 0; |
778 | } | 802 | } |
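Review bot: Each `asprintf(&cfg.X_private_keep, "%s,%s", cfg.X_private_keep, ...)` in profile_check_line() uses the same pointer as destination and as argument and never frees the previous value, so every directive after the second leaks the earlier joined string, while the first value still aliases the profile line buffer (`ptr + 13` / `ptr + 12`). The block is repeated five times here and five more times in the main.c section, and unlike main.c none of these branches rejects an empty list, so an empty item could be merged in unless that is filtered outside the hunks. A single helper that owns the string, as sketched below, removes the duplication and the leak, provided no other code stores non-heap pointers in these fields; it would need a declaration in a shared header to serve both files. The enclosing function starts and ends outside the hunks.

```c
// Append one item to a comma-separated *_private_keep list; the list always owns its memory.
void keep_list_add(char **list, const char *item) {
	char *joined;
	if (*list == NULL) {
		joined = strdup(item);
		if (!joined)
			errExit("strdup");
	}
	else if (asprintf(&joined, "%s,%s", *list, item) == -1)
		errExit("asprintf");
	free(*list);	// free(NULL) is a no-op on the first call
	*list = joined;
}

// … unchanged: "private-home " match and checkcfg(CFG_PRIVATE_HOME) …
keep_list_add(&cfg.home_private_keep, ptr + 13);
arg_private = 1;
```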
diff --git a/test/fs/whitelist-dev.exp b/test/fs/whitelist-dev.exp index a2002bc0a..827f32126 100755 --- a/test/fs/whitelist-dev.exp +++ b/test/fs/whitelist-dev.exp | |||
@@ -33,7 +33,8 @@ sleep 1 | |||
33 | send -- "ls -l /dev | wc -l\r" | 33 | send -- "ls -l /dev | wc -l\r" |
34 | expect { | 34 | expect { |
35 | timeout {puts "TESTING ERROR 3\n";exit} | 35 | timeout {puts "TESTING ERROR 3\n";exit} |
36 | "13" | 36 | "13" {puts "OK\n"} |
37 | "12" {puts "OK\n"} | ||
37 | } | 38 | } |
38 | after 100 | 39 | after 100 |
39 | send -- "exit\r" | 40 | send -- "exit\r" |
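Review bot: The patterns `"13"` and `"12"` on new lines 36 and 37 are unanchored glob matches, so any output that merely contains those digits (112, 130, a number in a later prompt) satisfies the check, and accepting two counts loosens a test that appears to guard how many entries the sandbox exposes under /dev. Anchoring the count to a full line, e.g. `-re {[\r\n]1[23][\r\n]} {puts "OK\n"}`, keeps both accepted values while rejecting everything else. A short comment saying why 12 is now valid alongside 13 would help the next person who sees the number drift.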