author | netblue30 <netblue30@yahoo.com> | 2016-12-01 12:30:11 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-12-01 12:30:11 -0500 |
commit | fbcf885bcdcf71c6a9f88bed8ae38e686f5f7f21 (patch) | |
tree | 360060483d8250a1235885376c2c1493f68e41ba | |
parent | private-opt, private-srv (diff) | |
cleanup
-rw-r--r-- | src/firejail/main.c | 291 | ||||
-rw-r--r-- | src/firejail/profile.c | 102 | ||||
-rwxr-xr-x | test/root/join.exp | 52 | ||||
-rwxr-xr-x | test/root/root.sh | 6 | ||||
-rwxr-xr-x | test/utils/join.exp | 15 |
5 files changed, 233 insertions, 233 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c index 4ccbb6a86..aa855b7eb 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -250,10 +250,8 @@ static void check_network(Bridge *br) { | |||
250 | #ifdef HAVE_USERNS | 250 | #ifdef HAVE_USERNS |
251 | void check_user_namespace(void) { | 251 | void check_user_namespace(void) { |
252 | EUID_ASSERT(); | 252 | EUID_ASSERT(); |
253 | if (getuid() == 0) { | 253 | if (getuid() == 0) |
254 | fprintf(stderr, "Error: --noroot option cannot be used when starting the sandbox as root.\n"); | 254 | goto errout; |
255 | exit(1); | ||
256 | } | ||
257 | 255 | ||
258 | // test user namespaces available in the kernel | 256 | // test user namespaces available in the kernel |
259 | struct stat s1; | 257 | struct stat s1; |
@@ -263,16 +261,27 @@ void check_user_namespace(void) { | |||
263 | stat("/proc/self/uid_map", &s2) == 0 && | 261 | stat("/proc/self/uid_map", &s2) == 0 && |
264 | stat("/proc/self/gid_map", &s3) == 0) | 262 | stat("/proc/self/gid_map", &s3) == 0) |
265 | arg_noroot = 1; | 263 | arg_noroot = 1; |
266 | else { | 264 | else |
267 | if (!arg_quiet || arg_debug) | 265 | goto errout; |
268 | fprintf(stderr, "Warning: user namespaces not available in the current kernel.\n"); | 266 | |
269 | arg_noroot = 0; | 267 | return; |
270 | } | 268 | |
269 | errout: | ||
270 | if (!arg_quiet || arg_debug) | ||
271 | fprintf(stderr, "Warning: noroot option is not available\n"); | ||
272 | arg_noroot = 0; | ||
273 | |||
271 | } | 274 | } |
272 | #endif | 275 | #endif |
273 | 276 | ||
274 | 277 | ||
275 | // exit commands | 278 | static void exit_err_feature(const char *feature) { |
279 | fprintf(stderr, "Error: %s feature is disabled in Firejail configuration file\n", feature); | ||
280 | exit(1); | ||
281 | } | ||
282 | |||
283 | // run independent commands and exit program | ||
284 | // this function handles command line options such as --version and --help | ||
276 | static void run_cmd_and_exit(int i, int argc, char **argv) { | 285 | static void run_cmd_and_exit(int i, int argc, char **argv) { |
277 | EUID_ASSERT(); | 286 | EUID_ASSERT(); |
278 | 287 | ||
@@ -298,21 +307,15 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
298 | if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1) | 307 | if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1) |
299 | errExit("asprintf"); | 308 | errExit("asprintf"); |
300 | EUID_ROOT(); | 309 | EUID_ROOT(); |
301 | if (setreuid(0, 0) < 0) | 310 | if (setreuid(0, 0) < 0 || |
302 | errExit("setreuid"); | 311 | setregid(0, 0) < 0) |
303 | if (setregid(0, 0) < 0) | 312 | errExit("setreuid/setregid"); |
304 | errExit("setregid"); | ||
305 | errno = 0; | 313 | errno = 0; |
306 | int rv = remove_directory(path); | 314 | if (remove_directory(path)) |
307 | if (rv) { | 315 | errExit("remove_directory"); |
308 | fprintf(stderr, "Error: cannot removed overlays stored in ~/.firejail directory, errno %d\n", errno); | ||
309 | exit(1); | ||
310 | } | ||
311 | } | ||
312 | else { | ||
313 | fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n"); | ||
314 | exit(1); | ||
315 | } | 316 | } |
317 | else | ||
318 | exit_err_feature("overlayfs"); | ||
316 | exit(0); | 319 | exit(0); |
317 | } | 320 | } |
318 | #endif | 321 | #endif |
@@ -322,30 +325,24 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
322 | x11_start(argc, argv); | 325 | x11_start(argc, argv); |
323 | exit(0); | 326 | exit(0); |
324 | } | 327 | } |
325 | else { | 328 | else |
326 | fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n"); | 329 | exit_err_feature("x11"); |
327 | exit(1); | ||
328 | } | ||
329 | } | 330 | } |
330 | else if (strcmp(argv[i], "--x11=xpra") == 0) { | 331 | else if (strcmp(argv[i], "--x11=xpra") == 0) { |
331 | if (checkcfg(CFG_X11)) { | 332 | if (checkcfg(CFG_X11)) { |
332 | x11_start_xpra(argc, argv); | 333 | x11_start_xpra(argc, argv); |
333 | exit(0); | 334 | exit(0); |
334 | } | 335 | } |
335 | else { | 336 | else |
336 | fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n"); | 337 | exit_err_feature("x11"); |
337 | exit(1); | ||
338 | } | ||
339 | } | 338 | } |
340 | else if (strcmp(argv[i], "--x11=xephyr") == 0) { | 339 | else if (strcmp(argv[i], "--x11=xephyr") == 0) { |
341 | if (checkcfg(CFG_X11)) { | 340 | if (checkcfg(CFG_X11)) { |
342 | x11_start_xephyr(argc, argv); | 341 | x11_start_xephyr(argc, argv); |
343 | exit(0); | 342 | exit(0); |
344 | } | 343 | } |
345 | else { | 344 | else |
346 | fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n"); | 345 | exit_err_feature("x11"); |
347 | exit(1); | ||
348 | } | ||
349 | } | 346 | } |
350 | #endif | 347 | #endif |
351 | #ifdef HAVE_NETWORK | 348 | #ifdef HAVE_NETWORK |
@@ -406,10 +403,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
406 | pid_t pid = read_pid(argv[i] + 12); | 403 | pid_t pid = read_pid(argv[i] + 12); |
407 | bandwidth_pid(pid, cmd, dev, down, up); | 404 | bandwidth_pid(pid, cmd, dev, down, up); |
408 | } | 405 | } |
409 | else { | 406 | else |
410 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | 407 | exit_err_feature("networking"); |
411 | exit(1); | ||
412 | } | ||
413 | exit(0); | 408 | exit(0); |
414 | } | 409 | } |
415 | #endif | 410 | #endif |
@@ -422,20 +417,16 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
422 | int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-syscalls"); | 417 | int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-syscalls"); |
423 | exit(rv); | 418 | exit(rv); |
424 | } | 419 | } |
425 | else { | 420 | else |
426 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); | 421 | exit_err_feature("seccomp"); |
427 | exit(1); | ||
428 | } | ||
429 | } | 422 | } |
430 | else if (strcmp(argv[i], "--debug-errnos") == 0) { | 423 | else if (strcmp(argv[i], "--debug-errnos") == 0) { |
431 | if (checkcfg(CFG_SECCOMP)) { | 424 | if (checkcfg(CFG_SECCOMP)) { |
432 | int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-errnos"); | 425 | int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP, "debug-errnos"); |
433 | exit(rv); | 426 | exit(rv); |
434 | } | 427 | } |
435 | else { | 428 | else |
436 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); | 429 | exit_err_feature("seccomp"); |
437 | exit(1); | ||
438 | } | ||
439 | exit(0); | 430 | exit(0); |
440 | } | 431 | } |
441 | else if (strncmp(argv[i], "--seccomp.print=", 16) == 0) { | 432 | else if (strncmp(argv[i], "--seccomp.print=", 16) == 0) { |
@@ -444,10 +435,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
444 | pid_t pid = read_pid(argv[i] + 16); | 435 | pid_t pid = read_pid(argv[i] + 16); |
445 | seccomp_print_filter(pid); | 436 | seccomp_print_filter(pid); |
446 | } | 437 | } |
447 | else { | 438 | else |
448 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); | 439 | exit_err_feature("seccomp"); |
449 | exit(1); | ||
450 | } | ||
451 | exit(0); | 440 | exit(0); |
452 | } | 441 | } |
453 | else if (strcmp(argv[i], "--debug-protocols") == 0) { | 442 | else if (strcmp(argv[i], "--debug-protocols") == 0) { |
@@ -460,10 +449,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
460 | pid_t pid = read_pid(argv[i] + 17); | 449 | pid_t pid = read_pid(argv[i] + 17); |
461 | protocol_print_filter(pid); | 450 | protocol_print_filter(pid); |
462 | } | 451 | } |
463 | else { | 452 | else |
464 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); | 453 | exit_err_feature("seccomp"); |
465 | exit(1); | ||
466 | } | ||
467 | exit(0); | 454 | exit(0); |
468 | } | 455 | } |
469 | #endif | 456 | #endif |
@@ -530,10 +517,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
530 | 2, PATH_FIREMON, "--netstats"); | 517 | 2, PATH_FIREMON, "--netstats"); |
531 | exit(0); | 518 | exit(0); |
532 | } | 519 | } |
533 | else { | 520 | else |
534 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | 521 | exit_err_feature("networking"); |
535 | exit(1); | ||
536 | } | ||
537 | } | 522 | } |
538 | #endif | 523 | #endif |
539 | #ifdef HAVE_FILE_TRANSFER | 524 | #ifdef HAVE_FILE_TRANSFER |
@@ -558,10 +543,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
558 | sandboxfs(SANDBOX_FS_GET, pid, path, NULL); | 543 | sandboxfs(SANDBOX_FS_GET, pid, path, NULL); |
559 | exit(0); | 544 | exit(0); |
560 | } | 545 | } |
561 | else { | 546 | else |
562 | fprintf(stderr, "Error: --get feature is disabled in Firejail configuration file\n"); | 547 | exit_err_feature("file transfer"); |
563 | exit(1); | ||
564 | } | ||
565 | } | 548 | } |
566 | else if (strncmp(argv[i], "--put=", 6) == 0) { | 549 | else if (strncmp(argv[i], "--put=", 6) == 0) { |
567 | if (checkcfg(CFG_FILE_TRANSFER)) { | 550 | if (checkcfg(CFG_FILE_TRANSFER)) { |
@@ -590,10 +573,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
590 | sandboxfs(SANDBOX_FS_PUT, pid, path1, path2); | 573 | sandboxfs(SANDBOX_FS_PUT, pid, path1, path2); |
591 | exit(0); | 574 | exit(0); |
592 | } | 575 | } |
593 | else { | 576 | else |
594 | fprintf(stderr, "Error: --get feature is disabled in Firejail configuration file\n"); | 577 | exit_err_feature("file transfer"); |
595 | exit(1); | ||
596 | } | ||
597 | } | 578 | } |
598 | else if (strncmp(argv[i], "--ls=", 5) == 0) { | 579 | else if (strncmp(argv[i], "--ls=", 5) == 0) { |
599 | if (checkcfg(CFG_FILE_TRANSFER)) { | 580 | if (checkcfg(CFG_FILE_TRANSFER)) { |
@@ -616,10 +597,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
616 | sandboxfs(SANDBOX_FS_LS, pid, path, NULL); | 597 | sandboxfs(SANDBOX_FS_LS, pid, path, NULL); |
617 | exit(0); | 598 | exit(0); |
618 | } | 599 | } |
619 | else { | 600 | else |
620 | fprintf(stderr, "Error: --ls feature is disabled in Firejail configuration file\n"); | 601 | exit_err_feature("file transfer"); |
621 | exit(1); | ||
622 | } | ||
623 | } | 602 | } |
624 | #endif | 603 | #endif |
625 | else if (strncmp(argv[i], "--join=", 7) == 0) { | 604 | else if (strncmp(argv[i], "--join=", 7) == 0) { |
@@ -685,11 +664,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
685 | pid_t pid = read_pid(argv[i] + 15); | 664 | pid_t pid = read_pid(argv[i] + 15); |
686 | join(pid, argc, argv, i + 1); | 665 | join(pid, argc, argv, i + 1); |
687 | } | 666 | } |
688 | else { | 667 | else |
689 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | 668 | exit_err_feature("networking"); |
690 | exit(1); | ||
691 | } | ||
692 | |||
693 | exit(0); | 669 | exit(0); |
694 | } | 670 | } |
695 | #endif | 671 | #endif |
@@ -1117,10 +1093,8 @@ int main(int argc, char **argv) { | |||
1117 | errExit("strdup"); | 1093 | errExit("strdup"); |
1118 | } | 1094 | } |
1119 | } | 1095 | } |
1120 | else { | 1096 | else |
1121 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); | 1097 | exit_err_feature("seccomp"); |
1122 | exit(1); | ||
1123 | } | ||
1124 | } | 1098 | } |
1125 | else if (strcmp(argv[i], "--seccomp") == 0) { | 1099 | else if (strcmp(argv[i], "--seccomp") == 0) { |
1126 | if (checkcfg(CFG_SECCOMP)) { | 1100 | if (checkcfg(CFG_SECCOMP)) { |
@@ -1130,10 +1104,8 @@ int main(int argc, char **argv) { | |||
1130 | } | 1104 | } |
1131 | arg_seccomp = 1; | 1105 | arg_seccomp = 1; |
1132 | } | 1106 | } |
1133 | else { | 1107 | else |
1134 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); | 1108 | exit_err_feature("seccomp"); |
1135 | exit(1); | ||
1136 | } | ||
1137 | } | 1109 | } |
1138 | else if (strncmp(argv[i], "--seccomp=", 10) == 0) { | 1110 | else if (strncmp(argv[i], "--seccomp=", 10) == 0) { |
1139 | if (checkcfg(CFG_SECCOMP)) { | 1111 | if (checkcfg(CFG_SECCOMP)) { |
@@ -1144,10 +1116,8 @@ int main(int argc, char **argv) { | |||
1144 | arg_seccomp = 1; | 1116 | arg_seccomp = 1; |
1145 | cfg.seccomp_list = seccomp_check_list(argv[i] + 10); | 1117 | cfg.seccomp_list = seccomp_check_list(argv[i] + 10); |
1146 | } | 1118 | } |
1147 | else { | 1119 | else |
1148 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); | 1120 | exit_err_feature("seccomp"); |
1149 | exit(1); | ||
1150 | } | ||
1151 | } | 1121 | } |
1152 | else if (strncmp(argv[i], "--seccomp.drop=", 15) == 0) { | 1122 | else if (strncmp(argv[i], "--seccomp.drop=", 15) == 0) { |
1153 | if (checkcfg(CFG_SECCOMP)) { | 1123 | if (checkcfg(CFG_SECCOMP)) { |
@@ -1158,10 +1128,8 @@ int main(int argc, char **argv) { | |||
1158 | arg_seccomp = 1; | 1128 | arg_seccomp = 1; |
1159 | cfg.seccomp_list_drop = seccomp_check_list(argv[i] + 15); | 1129 | cfg.seccomp_list_drop = seccomp_check_list(argv[i] + 15); |
1160 | } | 1130 | } |
1161 | else { | 1131 | else |
1162 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); | 1132 | exit_err_feature("seccomp"); |
1163 | exit(1); | ||
1164 | } | ||
1165 | } | 1133 | } |
1166 | else if (strncmp(argv[i], "--seccomp.keep=", 15) == 0) { | 1134 | else if (strncmp(argv[i], "--seccomp.keep=", 15) == 0) { |
1167 | if (checkcfg(CFG_SECCOMP)) { | 1135 | if (checkcfg(CFG_SECCOMP)) { |
@@ -1172,10 +1140,8 @@ int main(int argc, char **argv) { | |||
1172 | arg_seccomp = 1; | 1140 | arg_seccomp = 1; |
1173 | cfg.seccomp_list_keep = seccomp_check_list(argv[i] + 15); | 1141 | cfg.seccomp_list_keep = seccomp_check_list(argv[i] + 15); |
1174 | } | 1142 | } |
1175 | else { | 1143 | else |
1176 | fprintf(stderr, "Error: seccomp feature is disabled in Firejail configuration file\n"); | 1144 | exit_err_feature("seccomp"); |
1177 | exit(1); | ||
1178 | } | ||
1179 | } | 1145 | } |
1180 | #endif | 1146 | #endif |
1181 | else if (strcmp(argv[i], "--caps") == 0) | 1147 | else if (strcmp(argv[i], "--caps") == 0) |
@@ -1274,10 +1240,8 @@ int main(int argc, char **argv) { | |||
1274 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1240 | profile_check_line(line, 0, NULL); // will exit if something wrong |
1275 | profile_add(line); | 1241 | profile_add(line); |
1276 | } | 1242 | } |
1277 | else { | 1243 | else |
1278 | fprintf(stderr, "Error: --bind feature is disabled in Firejail configuration file\n"); | 1244 | exit_err_feature("bind"); |
1279 | exit(1); | ||
1280 | } | ||
1281 | } | 1245 | } |
1282 | #endif | 1246 | #endif |
1283 | else if (strncmp(argv[i], "--tmpfs=", 8) == 0) { | 1247 | else if (strncmp(argv[i], "--tmpfs=", 8) == 0) { |
@@ -1315,10 +1279,8 @@ int main(int argc, char **argv) { | |||
1315 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1279 | profile_check_line(line, 0, NULL); // will exit if something wrong |
1316 | profile_add(line); | 1280 | profile_add(line); |
1317 | } | 1281 | } |
1318 | else { | 1282 | else |
1319 | fprintf(stderr, "Error: whitelist feature is disabled in Firejail configuration file\n"); | 1283 | exit_err_feature("whitelist"); |
1320 | exit(1); | ||
1321 | } | ||
1322 | } | 1284 | } |
1323 | #endif | 1285 | #endif |
1324 | 1286 | ||
@@ -1368,10 +1330,8 @@ int main(int argc, char **argv) { | |||
1368 | 1330 | ||
1369 | free(subdirname); | 1331 | free(subdirname); |
1370 | } | 1332 | } |
1371 | else { | 1333 | else |
1372 | fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n"); | 1334 | exit_err_feature("overlayfs"); |
1373 | exit(1); | ||
1374 | } | ||
1375 | } | 1335 | } |
1376 | else if (strncmp(argv[i], "--overlay-named=", 16) == 0) { | 1336 | else if (strncmp(argv[i], "--overlay-named=", 16) == 0) { |
1377 | if (checkcfg(CFG_OVERLAYFS)) { | 1337 | if (checkcfg(CFG_OVERLAYFS)) { |
@@ -1402,11 +1362,8 @@ int main(int argc, char **argv) { | |||
1402 | } | 1362 | } |
1403 | cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); | 1363 | cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); |
1404 | } | 1364 | } |
1405 | else { | 1365 | else |
1406 | fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n"); | 1366 | exit_err_feature("overlayfs"); |
1407 | exit(1); | ||
1408 | } | ||
1409 | |||
1410 | } | 1367 | } |
1411 | else if (strcmp(argv[i], "--overlay-tmpfs") == 0) { | 1368 | else if (strcmp(argv[i], "--overlay-tmpfs") == 0) { |
1412 | if (checkcfg(CFG_OVERLAYFS)) { | 1369 | if (checkcfg(CFG_OVERLAYFS)) { |
@@ -1421,10 +1378,8 @@ int main(int argc, char **argv) { | |||
1421 | } | 1378 | } |
1422 | arg_overlay = 1; | 1379 | arg_overlay = 1; |
1423 | } | 1380 | } |
1424 | else { | 1381 | else |
1425 | fprintf(stderr, "Error: overlayfs feature is disabled in Firejail configuration file\n"); | 1382 | exit_err_feature("overlayfs"); |
1426 | exit(1); | ||
1427 | } | ||
1428 | } | 1383 | } |
1429 | #endif | 1384 | #endif |
1430 | else if (strncmp(argv[i], "--profile=", 10) == 0) { | 1385 | else if (strncmp(argv[i], "--profile=", 10) == 0) { |
@@ -1551,10 +1506,8 @@ int main(int argc, char **argv) { | |||
1551 | exit(1); | 1506 | exit(1); |
1552 | } | 1507 | } |
1553 | } | 1508 | } |
1554 | else { | 1509 | else |
1555 | fprintf(stderr, "Error: --chroot feature is disabled in Firejail configuration file\n"); | 1510 | exit_err_feature("chroot"); |
1556 | exit(1); | ||
1557 | } | ||
1558 | } | 1511 | } |
1559 | #endif | 1512 | #endif |
1560 | else if (strcmp(argv[i], "--writable-etc") == 0) { | 1513 | else if (strcmp(argv[i], "--writable-etc") == 0) { |
@@ -1603,10 +1556,8 @@ int main(int argc, char **argv) { | |||
1603 | cfg.home_private_keep = argv[i] + 15; | 1556 | cfg.home_private_keep = argv[i] + 15; |
1604 | arg_private = 1; | 1557 | arg_private = 1; |
1605 | } | 1558 | } |
1606 | else { | 1559 | else |
1607 | fprintf(stderr, "Error: --private-home feature is disabled in Firejail configuration file\n"); | 1560 | exit_err_feature("private-home"); |
1608 | exit(1); | ||
1609 | } | ||
1610 | } | 1561 | } |
1611 | #endif | 1562 | #endif |
1612 | else if (strcmp(argv[i], "--private-dev") == 0) { | 1563 | else if (strcmp(argv[i], "--private-dev") == 0) { |
@@ -1680,10 +1631,8 @@ int main(int argc, char **argv) { | |||
1680 | else if (strcmp(argv[i], "--noroot") == 0) { | 1631 | else if (strcmp(argv[i], "--noroot") == 0) { |
1681 | if (checkcfg(CFG_USERNS)) | 1632 | if (checkcfg(CFG_USERNS)) |
1682 | check_user_namespace(); | 1633 | check_user_namespace(); |
1683 | else { | 1634 | else |
1684 | fprintf(stderr, "Error: --noroot feature is disabled in Firejail configuration file\n"); | 1635 | exit_err_feature("noroot"); |
1685 | exit(1); | ||
1686 | } | ||
1687 | } | 1636 | } |
1688 | #endif | 1637 | #endif |
1689 | else if (strcmp(argv[i], "--nonewprivs") == 0) { | 1638 | else if (strcmp(argv[i], "--nonewprivs") == 0) { |
@@ -1758,10 +1707,8 @@ int main(int argc, char **argv) { | |||
1758 | } | 1707 | } |
1759 | intf->configured = 1; | 1708 | intf->configured = 1; |
1760 | } | 1709 | } |
1761 | else { | 1710 | else |
1762 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | 1711 | exit_err_feature("networking"); |
1763 | exit(1); | ||
1764 | } | ||
1765 | } | 1712 | } |
1766 | 1713 | ||
1767 | else if (strncmp(argv[i], "--net=", 6) == 0) { | 1714 | else if (strncmp(argv[i], "--net=", 6) == 0) { |
@@ -1811,10 +1758,8 @@ int main(int argc, char **argv) { | |||
1811 | } | 1758 | } |
1812 | net_configure_bridge(br, argv[i] + 6); | 1759 | net_configure_bridge(br, argv[i] + 6); |
1813 | } | 1760 | } |
1814 | else { | 1761 | else |
1815 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | 1762 | exit_err_feature("networking"); |
1816 | exit(1); | ||
1817 | } | ||
1818 | } | 1763 | } |
1819 | 1764 | ||
1820 | else if (strncmp(argv[i], "--veth-name=", 12) == 0) { | 1765 | else if (strncmp(argv[i], "--veth-name=", 12) == 0) { |
@@ -1832,20 +1777,16 @@ int main(int argc, char **argv) { | |||
1832 | exit(1); | 1777 | exit(1); |
1833 | } | 1778 | } |
1834 | } | 1779 | } |
1835 | else { | 1780 | else |
1836 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | 1781 | exit_err_feature("networking"); |
1837 | exit(1); | ||
1838 | } | ||
1839 | } | 1782 | } |
1840 | 1783 | ||
1841 | else if (strcmp(argv[i], "--scan") == 0) { | 1784 | else if (strcmp(argv[i], "--scan") == 0) { |
1842 | if (checkcfg(CFG_NETWORK)) { | 1785 | if (checkcfg(CFG_NETWORK)) { |
1843 | arg_scan = 1; | 1786 | arg_scan = 1; |
1844 | } | 1787 | } |
1845 | else { | 1788 | else |
1846 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | 1789 | exit_err_feature("networking"); |
1847 | exit(1); | ||
1848 | } | ||
1849 | } | 1790 | } |
1850 | else if (strncmp(argv[i], "--iprange=", 10) == 0) { | 1791 | else if (strncmp(argv[i], "--iprange=", 10) == 0) { |
1851 | if (checkcfg(CFG_NETWORK)) { | 1792 | if (checkcfg(CFG_NETWORK)) { |
@@ -1885,10 +1826,8 @@ int main(int argc, char **argv) { | |||
1885 | return 1; | 1826 | return 1; |
1886 | } | 1827 | } |
1887 | } | 1828 | } |
1888 | else { | 1829 | else |
1889 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | 1830 | exit_err_feature("networking"); |
1890 | exit(1); | ||
1891 | } | ||
1892 | } | 1831 | } |
1893 | 1832 | ||
1894 | else if (strncmp(argv[i], "--mac=", 6) == 0) { | 1833 | else if (strncmp(argv[i], "--mac=", 6) == 0) { |
@@ -1909,10 +1848,8 @@ int main(int argc, char **argv) { | |||
1909 | exit(1); | 1848 | exit(1); |
1910 | } | 1849 | } |
1911 | } | 1850 | } |
1912 | else { | 1851 | else |
1913 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | 1852 | exit_err_feature("networking"); |
1914 | exit(1); | ||
1915 | } | ||
1916 | } | 1853 | } |
1917 | 1854 | ||
1918 | else if (strncmp(argv[i], "--mtu=", 6) == 0) { | 1855 | else if (strncmp(argv[i], "--mtu=", 6) == 0) { |
@@ -1928,10 +1865,8 @@ int main(int argc, char **argv) { | |||
1928 | exit(1); | 1865 | exit(1); |
1929 | } | 1866 | } |
1930 | } | 1867 | } |
1931 | else { | 1868 | else |
1932 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | 1869 | exit_err_feature("networking"); |
1933 | exit(1); | ||
1934 | } | ||
1935 | } | 1870 | } |
1936 | 1871 | ||
1937 | else if (strncmp(argv[i], "--ip=", 5) == 0) { | 1872 | else if (strncmp(argv[i], "--ip=", 5) == 0) { |
@@ -1956,10 +1891,8 @@ int main(int argc, char **argv) { | |||
1956 | } | 1891 | } |
1957 | } | 1892 | } |
1958 | } | 1893 | } |
1959 | else { | 1894 | else |
1960 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | 1895 | exit_err_feature("networking"); |
1961 | exit(1); | ||
1962 | } | ||
1963 | } | 1896 | } |
1964 | 1897 | ||
1965 | else if (strncmp(argv[i], "--ip6=", 6) == 0) { | 1898 | else if (strncmp(argv[i], "--ip6=", 6) == 0) { |
@@ -1982,10 +1915,8 @@ int main(int argc, char **argv) { | |||
1982 | // exit(1); | 1915 | // exit(1); |
1983 | // } | 1916 | // } |
1984 | } | 1917 | } |
1985 | else { | 1918 | else |
1986 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | 1919 | exit_err_feature("networking"); |
1987 | exit(1); | ||
1988 | } | ||
1989 | } | 1920 | } |
1990 | 1921 | ||
1991 | 1922 | ||
@@ -1996,10 +1927,8 @@ int main(int argc, char **argv) { | |||
1996 | exit(1); | 1927 | exit(1); |
1997 | } | 1928 | } |
1998 | } | 1929 | } |
1999 | else { | 1930 | else |
2000 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | 1931 | exit_err_feature("networking"); |
2001 | exit(1); | ||
2002 | } | ||
2003 | } | 1932 | } |
2004 | #endif | 1933 | #endif |
2005 | else if (strncmp(argv[i], "--dns=", 6) == 0) { | 1934 | else if (strncmp(argv[i], "--dns=", 6) == 0) { |
@@ -2038,10 +1967,8 @@ int main(int argc, char **argv) { | |||
2038 | if (checkcfg(CFG_NETWORK)) { | 1967 | if (checkcfg(CFG_NETWORK)) { |
2039 | arg_netfilter = 1; | 1968 | arg_netfilter = 1; |
2040 | } | 1969 | } |
2041 | else { | 1970 | else |
2042 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | 1971 | exit_err_feature("networking"); |
2043 | exit(1); | ||
2044 | } | ||
2045 | } | 1972 | } |
2046 | 1973 | ||
2047 | else if (strncmp(argv[i], "--netfilter=", 12) == 0) { | 1974 | else if (strncmp(argv[i], "--netfilter=", 12) == 0) { |
@@ -2062,10 +1989,8 @@ int main(int argc, char **argv) { | |||
2062 | arg_netfilter_file = argv[i] + 12; | 1989 | arg_netfilter_file = argv[i] + 12; |
2063 | check_netfilter_file(arg_netfilter_file); | 1990 | check_netfilter_file(arg_netfilter_file); |
2064 | } | 1991 | } |
2065 | else { | 1992 | else |
2066 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | 1993 | exit_err_feature("networking"); |
2067 | exit(1); | ||
2068 | } | ||
2069 | } | 1994 | } |
2070 | 1995 | ||
2071 | else if (strncmp(argv[i], "--netfilter6=", 13) == 0) { | 1996 | else if (strncmp(argv[i], "--netfilter6=", 13) == 0) { |
@@ -2074,10 +1999,8 @@ int main(int argc, char **argv) { | |||
2074 | arg_netfilter6_file = argv[i] + 13; | 1999 | arg_netfilter6_file = argv[i] + 13; |
2075 | check_netfilter_file(arg_netfilter6_file); | 2000 | check_netfilter_file(arg_netfilter6_file); |
2076 | } | 2001 | } |
2077 | else { | 2002 | else |
2078 | fprintf(stderr, "Error: networking features are disabled in Firejail configuration file\n"); | 2003 | exit_err_feature("networking"); |
2079 | exit(1); | ||
2080 | } | ||
2081 | } | 2004 | } |
2082 | #endif | 2005 | #endif |
2083 | //************************************* | 2006 | //************************************* |
@@ -2184,10 +2107,8 @@ int main(int argc, char **argv) { | |||
2184 | else if (strcmp(argv[i], "--x11=xorg") == 0) { | 2107 | else if (strcmp(argv[i], "--x11=xorg") == 0) { |
2185 | if (checkcfg(CFG_X11)) | 2108 | if (checkcfg(CFG_X11)) |
2186 | arg_x11_xorg = 1; | 2109 | arg_x11_xorg = 1; |
2187 | else { | 2110 | else |
2188 | fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n"); | 2111 | exit_err_feature("x11"); |
2189 | exit(1); | ||
2190 | } | ||
2191 | } | 2112 | } |
2192 | #endif | 2113 | #endif |
2193 | else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { | 2114 | else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { |
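Review bot: In the first hunk, check_user_namespace() no longer stops when `getuid() == 0`: the branch now jumps to `errout`, which clears `arg_noroot` and prints a warning only when `!arg_quiet || arg_debug`, so a sandbox started as root with --noroot continues without the requested restriction, and under --quiet it does so with no message. This is a fail-open behaviour change in a commit described only as "cleanup", and the shared text "noroot option is not available" no longer tells the user whether the cause is running as root or missing kernel support. If the downgrade is not intended, keep the hard stop for the root case with `fprintf(stderr, "Error: --noroot option cannot be used when starting the sandbox as root.\n");` followed by `exit(1);`, and reach `errout` only from the `stat()` branch. If it is intended, say so in the commit description and put a comment at the label, for example `// noroot is best-effort: continue without a user namespace`. The same commit leaves main()'s --noroot handler fatal when the feature is disabled in the configuration file, so the two failure paths for one option now disagree.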
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 2be6948f0..3697b54b9 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -63,6 +63,13 @@ int profile_find(const char *name, const char *dir) { | |||
63 | // run-time profiles | 63 | // run-time profiles |
64 | //*************************************************** | 64 | //*************************************************** |
65 | 65 | ||
66 | static void warning_feature_disabled(const char *feature) { | ||
67 | if (!arg_quiet) | ||
68 | fprintf(stderr, "Warning: %s feature is disabled in Firejail configuration file\n", feature); | ||
69 | } | ||
70 | |||
71 | |||
72 | |||
66 | // check profile line; if line == 0, this was generated from a command line option | 73 | // check profile line; if line == 0, this was generated from a command line option |
67 | // return 1 if the command is to be added to the linked list of profile commands | 74 | // return 1 if the command is to be added to the linked list of profile commands |
68 | // return 0 if the command was already executed inside the function | 75 | // return 0 if the command was already executed inside the function |
@@ -130,8 +137,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
130 | #if HAVE_USERNS | 137 | #if HAVE_USERNS |
131 | if (checkcfg(CFG_USERNS)) | 138 | if (checkcfg(CFG_USERNS)) |
132 | check_user_namespace(); | 139 | check_user_namespace(); |
133 | else if (!arg_quiet) | 140 | else |
134 | fprintf(stderr, "Warning: user namespace feature is disabled in Firejail configuration file\n"); | 141 | warning_feature_disabled("noroot"); |
135 | #endif | 142 | #endif |
136 | 143 | ||
137 | return 0; | 144 | return 0; |
@@ -144,8 +151,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
144 | #ifdef HAVE_SECCOMP | 151 | #ifdef HAVE_SECCOMP |
145 | if (checkcfg(CFG_SECCOMP)) | 152 | if (checkcfg(CFG_SECCOMP)) |
146 | arg_seccomp = 1; | 153 | arg_seccomp = 1; |
147 | else if (!arg_quiet) | 154 | else |
148 | fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); | 155 | warning_feature_disabled("seccomp"); |
149 | #endif | 156 | #endif |
150 | return 0; | 157 | return 0; |
151 | } | 158 | } |
@@ -175,8 +182,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
175 | cfg.home_private_keep = ptr + 13; | 182 | cfg.home_private_keep = ptr + 13; |
176 | arg_private = 1; | 183 | arg_private = 1; |
177 | } | 184 | } |
178 | else if (!arg_quiet) | 185 | else |
179 | fprintf(stderr, "Warning: private-home is disabled in Firejail configuration file\n"); | 186 | warning_feature_disabled("private-home"); |
180 | #endif | 187 | #endif |
181 | return 0; | 188 | return 0; |
182 | } | 189 | } |
@@ -208,8 +215,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
208 | #ifdef HAVE_NETWORK | 215 | #ifdef HAVE_NETWORK |
209 | if (checkcfg(CFG_NETWORK)) | 216 | if (checkcfg(CFG_NETWORK)) |
210 | arg_netfilter = 1; | 217 | arg_netfilter = 1; |
211 | else if (!arg_quiet) | 218 | else |
212 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | 219 | warning_feature_disabled("networking"); |
213 | #endif | 220 | #endif |
214 | return 0; | 221 | return 0; |
215 | } | 222 | } |
@@ -222,8 +229,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
222 | errExit("strdup"); | 229 | errExit("strdup"); |
223 | check_netfilter_file(arg_netfilter_file); | 230 | check_netfilter_file(arg_netfilter_file); |
224 | } | 231 | } |
225 | else if (!arg_quiet) | 232 | else |
226 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | 233 | warning_feature_disabled("networking"); |
227 | #endif | 234 | #endif |
228 | return 0; | 235 | return 0; |
229 | } | 236 | } |
@@ -236,8 +243,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
236 | errExit("strdup"); | 243 | errExit("strdup"); |
237 | check_netfilter_file(arg_netfilter6_file); | 244 | check_netfilter_file(arg_netfilter6_file); |
238 | } | 245 | } |
239 | else if (!arg_quiet) | 246 | else |
240 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | 247 | warning_feature_disabled("networking"); |
241 | #endif | 248 | #endif |
242 | return 0; | 249 | return 0; |
243 | } | 250 | } |
@@ -254,8 +261,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
254 | cfg.interface2.configured = 0; | 261 | cfg.interface2.configured = 0; |
255 | cfg.interface3.configured = 0; | 262 | cfg.interface3.configured = 0; |
256 | } | 263 | } |
257 | else if (!arg_quiet) | 264 | else |
258 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | 265 | warning_feature_disabled("networking"); |
259 | #endif | 266 | #endif |
260 | return 0; | 267 | return 0; |
261 | } | 268 | } |
@@ -295,8 +302,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
295 | } | 302 | } |
296 | net_configure_bridge(br, ptr + 4); | 303 | net_configure_bridge(br, ptr + 4); |
297 | } | 304 | } |
298 | else if (!arg_quiet) | 305 | else |
299 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | 306 | warning_feature_disabled("networking"); |
300 | #endif | 307 | #endif |
301 | return 0; | 308 | return 0; |
302 | } | 309 | } |
@@ -318,8 +325,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
318 | exit(1); | 325 | exit(1); |
319 | } | 326 | } |
320 | } | 327 | } |
321 | else if (!arg_quiet) | 328 | else |
322 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | 329 | warning_feature_disabled("networking"); |
323 | #endif | 330 | #endif |
324 | return 0; | 331 | return 0; |
325 | } | 332 | } |
@@ -363,8 +370,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
363 | exit(1); | 370 | exit(1); |
364 | } | 371 | } |
365 | } | 372 | } |
366 | else if (!arg_quiet) | 373 | else |
367 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | 374 | warning_feature_disabled("networking"); |
368 | #endif | 375 | #endif |
369 | return 0; | 376 | return 0; |
370 | } | 377 | } |
@@ -390,8 +397,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
390 | exit(1); | 397 | exit(1); |
391 | } | 398 | } |
392 | } | 399 | } |
393 | else if (!arg_quiet) | 400 | else |
394 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | 401 | warning_feature_disabled("networking"); |
395 | #endif | 402 | #endif |
396 | return 0; | 403 | return 0; |
397 | } | 404 | } |
@@ -410,8 +417,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
410 | exit(1); | 417 | exit(1); |
411 | } | 418 | } |
412 | } | 419 | } |
413 | else if (!arg_quiet) | 420 | else |
414 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | 421 | warning_feature_disabled("networking"); |
415 | #endif | 422 | #endif |
416 | return 0; | 423 | return 0; |
417 | } | 424 | } |
@@ -439,8 +446,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
439 | } | 446 | } |
440 | } | 447 | } |
441 | } | 448 | } |
442 | else if (!arg_quiet) | 449 | else |
443 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | 450 | warning_feature_disabled("networking"); |
444 | #endif | 451 | #endif |
445 | return 0; | 452 | return 0; |
446 | } | 453 | } |
@@ -467,8 +474,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
467 | // } | 474 | // } |
468 | 475 | ||
469 | } | 476 | } |
470 | else if (!arg_quiet) | 477 | else |
471 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | 478 | warning_feature_disabled("networking"); |
472 | #endif | 479 | #endif |
473 | return 0; | 480 | return 0; |
474 | } | 481 | } |
@@ -481,8 +488,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
481 | exit(1); | 488 | exit(1); |
482 | } | 489 | } |
483 | } | 490 | } |
484 | else if (!arg_quiet) | 491 | else |
485 | fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n"); | 492 | warning_feature_disabled("networking"); |
486 | #endif | 493 | #endif |
487 | return 0; | 494 | return 0; |
488 | } | 495 | } |
@@ -508,8 +515,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
508 | if (!cfg.protocol) | 515 | if (!cfg.protocol) |
509 | errExit("strdup"); | 516 | errExit("strdup"); |
510 | } | 517 | } |
511 | else if (!arg_quiet) | 518 | else |
512 | fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); | 519 | warning_feature_disabled("seccomp"); |
513 | #endif | 520 | #endif |
514 | return 0; | 521 | return 0; |
515 | } | 522 | } |
@@ -531,7 +538,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
531 | cfg.seccomp_list = seccomp_check_list(ptr + 8); | 538 | cfg.seccomp_list = seccomp_check_list(ptr + 8); |
532 | } | 539 | } |
533 | else if (!arg_quiet) | 540 | else if (!arg_quiet) |
534 | fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); | 541 | warning_feature_disabled("seccomp"); |
535 | #endif | 542 | #endif |
536 | 543 | ||
537 | return 0; | 544 | return 0; |
@@ -544,8 +551,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
544 | arg_seccomp = 1; | 551 | arg_seccomp = 1; |
545 | cfg.seccomp_list_drop = seccomp_check_list(ptr + 13); | 552 | cfg.seccomp_list_drop = seccomp_check_list(ptr + 13); |
546 | } | 553 | } |
547 | else if (!arg_quiet) | 554 | else |
548 | fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); | 555 | warning_feature_disabled("seccomp"); |
549 | #endif | 556 | #endif |
550 | return 0; | 557 | return 0; |
551 | } | 558 | } |
@@ -557,8 +564,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
557 | arg_seccomp = 1; | 564 | arg_seccomp = 1; |
558 | cfg.seccomp_list_keep= seccomp_check_list(ptr + 13); | 565 | cfg.seccomp_list_keep= seccomp_check_list(ptr + 13); |
559 | } | 566 | } |
560 | else if (!arg_quiet) | 567 | else |
561 | fprintf(stderr, "Warning: user seccomp feature is disabled in Firejail configuration file\n"); | 568 | warning_feature_disabled("seccomp"); |
562 | #endif | 569 | #endif |
563 | return 0; | 570 | return 0; |
564 | } | 571 | } |
@@ -676,6 +683,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
676 | exit(0); | 683 | exit(0); |
677 | } | 684 | } |
678 | } | 685 | } |
686 | else | ||
687 | warning_feature_disabled("x11"); | ||
679 | #endif | 688 | #endif |
680 | return 0; | 689 | return 0; |
681 | } | 690 | } |
@@ -684,10 +693,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
684 | #ifdef HAVE_X11 | 693 | #ifdef HAVE_X11 |
685 | if (checkcfg(CFG_X11)) | 694 | if (checkcfg(CFG_X11)) |
686 | arg_x11_xorg = 1; | 695 | arg_x11_xorg = 1; |
687 | else { | 696 | else |
688 | fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n"); | 697 | warning_feature_disabled("x11"); |
689 | return 0; | ||
690 | } | ||
691 | #endif | 698 | #endif |
692 | return 0; | 699 | return 0; |
693 | } | 700 | } |
@@ -705,6 +712,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
705 | exit(0); | 712 | exit(0); |
706 | } | 713 | } |
707 | } | 714 | } |
715 | else | ||
716 | warning_feature_disabled("x11"); | ||
708 | #endif | 717 | #endif |
709 | return 0; | 718 | return 0; |
710 | } | 719 | } |
@@ -723,6 +732,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
723 | exit(0); | 732 | exit(0); |
724 | } | 733 | } |
725 | } | 734 | } |
735 | else | ||
736 | warning_feature_disabled("x11"); | ||
726 | #endif | 737 | #endif |
727 | return 0; | 738 | return 0; |
728 | } | 739 | } |
@@ -795,13 +806,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
795 | *(dname2 - 1) = ','; | 806 | *(dname2 - 1) = ','; |
796 | return 1; | 807 | return 1; |
797 | } | 808 | } |
798 | else if (!arg_quiet) { | 809 | else |
799 | fprintf(stderr, "Warning: bind feature is disabled in Firejail configuration file\n"); | 810 | warning_feature_disabled("bind"); |
800 | return 0; | ||
801 | } | ||
802 | #else | ||
803 | return 0; | ||
804 | #endif | 811 | #endif |
812 | return 0; | ||
805 | } | 813 | } |
806 | 814 | ||
807 | // rlimit | 815 | // rlimit |
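--- /dev/null
+++ b/test/root/join.exp
@@ -0,0 +1,52 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2016 Firejail Authors
+# License GPL v2
+
+set timeout 10
+cd /home
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=jointesting --cpu=0 --nice=2\r"
+expect {
+timeout {puts "TESTING ERROR 0\n";exit}
+"Child process initialized"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --join=jointesting\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Switching to pid"
+}
+sleep 1
+send -- "ps aux\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"/bin/bash"
+}
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"/bin/bash"
+}
+
+send -- "exit\r"
+sleep 1
+send -- "firejail --join-network=jointesting\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"Child process initialized"
+}
+send -- "exit\r"
+sleep 1
+send -- "firejail --join-filesystem=jointesting\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"Child process initialized"
+}
+
+after 100
+
+puts "\nall done\n"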
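Review bot: Every `timeout` branch in this new script ends with a bare `exit`, so the script returns status 0 even when a step times out, and the only failure signal is the `TESTING ERROR n` text on stdout. If root.sh or any wrapper around it keys on the exit status, a broken `--join`, `--join-network` or `--join-filesystem` would pass unnoticed. Writing `timeout {puts "TESTING ERROR 0\n";exit 1}` (and likewise for steps 1 to 5) makes the failure explicit. The same applies to the two timeout branches added in test/utils/join.exp. The `ps aux` step also matches `/bin/bash` twice, which presumably assumes `$env(SHELL)` is bash, so a one-line comment stating that assumption would help.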
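--- a/test/root/root.sh
+++ b/test/root/root.sh
@@ -57,6 +57,12 @@ echo "TESTING: fs whitelist mnt, opt, media (test/root/whitelist-mnt.exp)"
 ./whitelist.exp
 
 #********************************
+# utils
+#********************************
+echo "TESTING: join (test/root/join.exp)"
+./join.exp
+
+#********************************
 # seccomp
 #********************************
 echo "TESTING: seccomp umount (test/root/seccomp-umount.exp)"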
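--- a/test/utils/join.exp
+++ b/test/utils/join.exp
@@ -32,7 +32,20 @@ expect {
 "/bin/bash"
 }
 
-send -- "exit"
+send -- "exit\r"
+sleep 1
+send -- "firejail --join-network=jointesting\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"is only available to root user"
+}
+after 100
+send -- "firejail --join-filesystem=jointesting\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"is only available to root user"
+}
+
 after 100
 
 puts "\nall done\n"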
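Review bot: Nothing in the added steps says they are a negative test: `--join-network` and `--join-filesystem` are expected to be refused for an unprivileged user, while the positive counterpart lives in test/root/join.exp. A comment above the first new `send`, for example `# non-root: --join-network/--join-filesystem must be refused`, would keep a later editor from "correcting" the expected string. Each new `expect` block could also carry a failing pattern such as `"Child process initialized" {puts "TESTING ERROR 4.1\n";exit}`, so that a regression in the privilege check is reported as such rather than as a generic timeout. The script's setup (timeout value, sandbox name) lies outside this hunk and is assumed to match the earlier steps.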