allow/noallow/deny/nodeny aliases for whitelist/nowhitelist/blacklist/noblacklist

author: netblue30 <netblue30@protonmail.com> 2021-07-03 21:06:11 -0400
committer: netblue30 <netblue30@protonmail.com> 2021-07-03 21:06:11 -0400
commit: 45f2ba544e9934b49e03b17c0a638dddc3a44734 (patch)
tree: e1ca4f572e8d976adc765ed0e5c4e9533c9747a7
parent: deprecated --disable-whitelist at compile time (diff)
download: firejail-45f2ba544e9934b49e03b17c0a638dddc3a44734.tar.gz
firejail-45f2ba544e9934b49e03b17c0a638dddc3a44734.tar.zst
firejail-45f2ba544e9934b49e03b17c0a638dddc3a44734.zip
2 files changed, 73 insertions, 0 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c
index cf3f8a82d..0b7f63a24 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1565,6 +1565,8 @@ int main(int argc, char **argv, char **envp) {
                        profile_check_line(line, 0, NULL);      // will exit if something wrong
                        profile_add(line);
                }
+                // blacklist/deny
                else if (strncmp(argv[i], "--blacklist=", 12) == 0) {
                        char *line;
                        if (asprintf(&line, "blacklist %s", argv[i] + 12) == -1)
@@ -1573,6 +1575,14 @@ int main(int argc, char **argv, char **envp) {
                        profile_check_line(line, 0, NULL);      // will exit if something wrong
                        profile_add(line);
                }
+                else if (strncmp(argv[i], "--deny=", 7) == 0) {
+                        char *line;
+                        if (asprintf(&line, "blacklist %s", argv[i] + 7) == -1)
+                                errExit("asprintf");
+                        profile_check_line(line, 0, NULL);      // will exit if something wrong
+                        profile_add(line);
+                }
                else if (strncmp(argv[i], "--noblacklist=", 14) == 0) {
                        char *line;
                        if (asprintf(&line, "noblacklist %s", argv[i] + 14) == -1)
@@ -1581,6 +1591,16 @@ int main(int argc, char **argv, char **envp) {
                        profile_check_line(line, 0, NULL);      // will exit if something wrong
                        profile_add(line);
                }
+                else if (strncmp(argv[i], "--nodeny=", 9) == 0) {
+                        char *line;
+                        if (asprintf(&line, "noblacklist %s", argv[i] + 9) == -1)
+                                errExit("asprintf");
+                        profile_check_line(line, 0, NULL);      // will exit if something wrong
+                        profile_add(line);
+                }
+                // whitelist
                else if (strncmp(argv[i], "--whitelist=", 12) == 0) {
                        if (checkcfg(CFG_WHITELIST)) {
                                char *line;
@@ -1593,6 +1613,18 @@ int main(int argc, char **argv, char **envp) {
                        else
                                exit_err_feature("whitelist");
                }
+                else if (strncmp(argv[i], "--allow=", 8) == 0) {
+                        if (checkcfg(CFG_WHITELIST)) {
+                                char *line;
+                                if (asprintf(&line, "whitelist %s", argv[i] + 8) == -1)
+                                        errExit("asprintf");
+                                profile_check_line(line, 0, NULL);      // will exit if something wrong
+                                profile_add(line);
+                        }
+                        else
+                                exit_err_feature("whitelist");
+                }
                else if (strncmp(argv[i], "--nowhitelist=", 14) == 0) {
                        char *line;
                        if (asprintf(&line, "nowhitelist %s", argv[i] + 14) == -1)
@@ -1601,6 +1633,16 @@ int main(int argc, char **argv, char **envp) {
                        profile_check_line(line, 0, NULL);      // will exit if something wrong
                        profile_add(line);
                }
+                else if (strncmp(argv[i], "--noallow=", 10) == 0) {
+                        char *line;
+                        if (asprintf(&line, "nowhitelist %s", argv[i] + 10) == -1)
+                                errExit("asprintf");
+                        profile_check_line(line, 0, NULL);      // will exit if something wrong
+                        profile_add(line);
+                }
                else if (strncmp(argv[i], "--mkdir=", 8) == 0) {
                        char *line;
                        if (asprintf(&line, "mkdir %s", argv[i] + 8) == -1)
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 350122844..430187809 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1746,6 +1746,37 @@ void profile_read(const char *fname) {
                        continue;
                }
+                // translate allow/deny to whitelist/blacklist
+                if (strncmp(ptr, "allow ", 6) == 0) {
+                        char *tmp;
+                        if (asprintf(&tmp, "whitelist %s", ptr + 6) == -1)
+                                errExit("asprintf");
+                        free(ptr);
+                        ptr = tmp;
+                }
+                else if (strncmp(ptr, "deny ", 5) == 0) {
+                        char *tmp;
+                        if (asprintf(&tmp, "blacklist %s", ptr + 5) == -1)
+                                errExit("asprintf");
+                        free(ptr);
+                        ptr = tmp;
+                }
+                // translate noallow/nodeny to nowhitelist/noblacklist
+                else if (strncmp(ptr, "noallow ", 8) == 0) {
+                        char *tmp;
+                        if (asprintf(&tmp, "nowhitelist %s", ptr + 8) == -1)
+                                errExit("asprintf");
+                        free(ptr);
+                        ptr = tmp;
+                }
+                else if (strncmp(ptr, "nodeny ", 7) == 0) {
+                        char *tmp;
+                        if (asprintf(&tmp, "noblacklist %s", ptr + 7) == -1)
+                                errExit("asprintf");
+                        free(ptr);
+                        ptr = tmp;
+                }
                // process quiet
                // todo: a quiet in the profile file cannot be disabled by --ignore on command line
                if (strcmp(ptr, "quiet") == 0) {
author	netblue30 <netblue30@protonmail.com>	2021-07-03 21:06:11 -0400
committer	netblue30 <netblue30@protonmail.com>	2021-07-03 21:06:11 -0400
commit	45f2ba544e9934b49e03b17c0a638dddc3a44734 (patch)
tree	e1ca4f572e8d976adc765ed0e5c4e9533c9747a7
parent	deprecated --disable-whitelist at compile time (diff)
download	firejail-45f2ba544e9934b49e03b17c0a638dddc3a44734.tar.gz firejail-45f2ba544e9934b49e03b17c0a638dddc3a44734.tar.zst firejail-45f2ba544e9934b49e03b17c0a638dddc3a44734.zip

diff --git a/src/firejail/main.c b/src/firejail/main.c index cf3f8a82d..0b7f63a24 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -1565,6 +1565,8 @@ int main(int argc, char argv, char envp) {
1565	profile_check_line(line, 0, NULL); // will exit if something wrong	1565	profile_check_line(line, 0, NULL); // will exit if something wrong
1566	profile_add(line);	1566	profile_add(line);
1567	}	1567	}
		1568
		1569	// blacklist/deny
1568	else if (strncmp(argv[i], "--blacklist=", 12) == 0) {	1570	else if (strncmp(argv[i], "--blacklist=", 12) == 0) {
1569	char *line;	1571	char *line;
1570	if (asprintf(&line, "blacklist %s", argv[i] + 12) == -1)	1572	if (asprintf(&line, "blacklist %s", argv[i] + 12) == -1)
@@ -1573,6 +1575,14 @@ int main(int argc, char argv, char envp) {
1573	profile_check_line(line, 0, NULL); // will exit if something wrong	1575	profile_check_line(line, 0, NULL); // will exit if something wrong
1574	profile_add(line);	1576	profile_add(line);
1575	}	1577	}
		1578	else if (strncmp(argv[i], "--deny=", 7) == 0) {
		1579	char *line;
		1580	if (asprintf(&line, "blacklist %s", argv[i] + 7) == -1)
		1581	errExit("asprintf");
		1582
		1583	profile_check_line(line, 0, NULL); // will exit if something wrong
		1584	profile_add(line);
		1585	}
1576	else if (strncmp(argv[i], "--noblacklist=", 14) == 0) {	1586	else if (strncmp(argv[i], "--noblacklist=", 14) == 0) {
1577	char *line;	1587	char *line;
1578	if (asprintf(&line, "noblacklist %s", argv[i] + 14) == -1)	1588	if (asprintf(&line, "noblacklist %s", argv[i] + 14) == -1)
@@ -1581,6 +1591,16 @@ int main(int argc, char argv, char envp) {
1581	profile_check_line(line, 0, NULL); // will exit if something wrong	1591	profile_check_line(line, 0, NULL); // will exit if something wrong
1582	profile_add(line);	1592	profile_add(line);
1583	}	1593	}
		1594	else if (strncmp(argv[i], "--nodeny=", 9) == 0) {
		1595	char *line;
		1596	if (asprintf(&line, "noblacklist %s", argv[i] + 9) == -1)
		1597	errExit("asprintf");
		1598
		1599	profile_check_line(line, 0, NULL); // will exit if something wrong
		1600	profile_add(line);
		1601	}
		1602
		1603	// whitelist
1584	else if (strncmp(argv[i], "--whitelist=", 12) == 0) {	1604	else if (strncmp(argv[i], "--whitelist=", 12) == 0) {
1585	if (checkcfg(CFG_WHITELIST)) {	1605	if (checkcfg(CFG_WHITELIST)) {
1586	char *line;	1606	char *line;
@@ -1593,6 +1613,18 @@ int main(int argc, char argv, char envp) {
1593	else	1613	else
1594	exit_err_feature("whitelist");	1614	exit_err_feature("whitelist");
1595	}	1615	}
		1616	else if (strncmp(argv[i], "--allow=", 8) == 0) {
		1617	if (checkcfg(CFG_WHITELIST)) {
		1618	char *line;
		1619	if (asprintf(&line, "whitelist %s", argv[i] + 8) == -1)
		1620	errExit("asprintf");
		1621
		1622	profile_check_line(line, 0, NULL); // will exit if something wrong
		1623	profile_add(line);
		1624	}
		1625	else
		1626	exit_err_feature("whitelist");
		1627	}
1596	else if (strncmp(argv[i], "--nowhitelist=", 14) == 0) {	1628	else if (strncmp(argv[i], "--nowhitelist=", 14) == 0) {
1597	char *line;	1629	char *line;
1598	if (asprintf(&line, "nowhitelist %s", argv[i] + 14) == -1)	1630	if (asprintf(&line, "nowhitelist %s", argv[i] + 14) == -1)
@@ -1601,6 +1633,16 @@ int main(int argc, char argv, char envp) {
1601	profile_check_line(line, 0, NULL); // will exit if something wrong	1633	profile_check_line(line, 0, NULL); // will exit if something wrong
1602	profile_add(line);	1634	profile_add(line);
1603	}	1635	}
		1636	else if (strncmp(argv[i], "--noallow=", 10) == 0) {
		1637	char *line;
		1638	if (asprintf(&line, "nowhitelist %s", argv[i] + 10) == -1)
		1639	errExit("asprintf");
		1640
		1641	profile_check_line(line, 0, NULL); // will exit if something wrong
		1642	profile_add(line);
		1643	}
		1644
		1645
1604	else if (strncmp(argv[i], "--mkdir=", 8) == 0) {	1646	else if (strncmp(argv[i], "--mkdir=", 8) == 0) {
1605	char *line;	1647	char *line;
1606	if (asprintf(&line, "mkdir %s", argv[i] + 8) == -1)	1648	if (asprintf(&line, "mkdir %s", argv[i] + 8) == -1)


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 350122844..430187809 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -1746,6 +1746,37 @@ void profile_read(const char *fname) {
1746	continue;	1746	continue;
1747	}	1747	}
1748		1748
		1749	// translate allow/deny to whitelist/blacklist
		1750	if (strncmp(ptr, "allow ", 6) == 0) {
		1751	char *tmp;
		1752	if (asprintf(&tmp, "whitelist %s", ptr + 6) == -1)
		1753	errExit("asprintf");
		1754	free(ptr);
		1755	ptr = tmp;
		1756	}
		1757	else if (strncmp(ptr, "deny ", 5) == 0) {
		1758	char *tmp;
		1759	if (asprintf(&tmp, "blacklist %s", ptr + 5) == -1)
		1760	errExit("asprintf");
		1761	free(ptr);
		1762	ptr = tmp;
		1763	}
		1764	// translate noallow/nodeny to nowhitelist/noblacklist
		1765	else if (strncmp(ptr, "noallow ", 8) == 0) {
		1766	char *tmp;
		1767	if (asprintf(&tmp, "nowhitelist %s", ptr + 8) == -1)
		1768	errExit("asprintf");
		1769	free(ptr);
		1770	ptr = tmp;
		1771	}
		1772	else if (strncmp(ptr, "nodeny ", 7) == 0) {
		1773	char *tmp;
		1774	if (asprintf(&tmp, "noblacklist %s", ptr + 7) == -1)
		1775	errExit("asprintf");
		1776	free(ptr);
		1777	ptr = tmp;
		1778	}
		1779
1749	// process quiet	1780	// process quiet
1750	// todo: a quiet in the profile file cannot be disabled by --ignore on command line	1781	// todo: a quiet in the profile file cannot be disabled by --ignore on command line
1751	if (strcmp(ptr, "quiet") == 0) {	1782	if (strcmp(ptr, "quiet") == 0) {