fix --ignore=quiet

author: netblue30 <netblue30@yahoo.com> 2017-10-30 16:09:57 -0400
committer: netblue30 <netblue30@yahoo.com> 2017-10-30 16:09:57 -0400
commit: 66042d7dbc60f183e9d77fefd93a9584e3cf35ef (patch)
tree: 9d54205a755125c61c87f7f8e9c0e48743c28b88
parent: testing, fixed cryptocat.profile (diff)
download: firejail-66042d7dbc60f183e9d77fefd93a9584e3cf35ef.tar.gz
firejail-66042d7dbc60f183e9d77fefd93a9584e3cf35ef.tar.zst
firejail-66042d7dbc60f183e9d77fefd93a9584e3cf35ef.zip
6 files changed, 74 insertions, 19 deletions
diff --git a/RELNOTES b/RELNOTES
index be8ff21c8..10800f6b0 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -34,9 +34,9 @@ firejail (0.9.51) baseline; urgency=low
      calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd,
      google-earth,imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion,
      mpd, natron, Natron, ricochet, shotcut, teamspeak3, tor, tor-browser-en, 
-      Viber, x-terminal-emulator, zart, conky, arch-audit, ffmpeg, bluefish, cliqz,
+      Viber, x-terminal-emulator, zart, conky, arch-audit, ffmpeg, bluefish,
-      cinelerra, openshot-qt, pinta, uefitool, aosp, pdfmod, gnome-ring, signal-desktop,
+      cinelerra, openshot-qt, pinta, uefitool, aosp, pdfmod, gnome-ring,
-      xcalc, zaproxy, kopete
+      xcalc, zaproxy, kopete, cliqz, signal-desktop
   
 -- netblue30 <netblue30@yahoo.com>  Thu, 14 Sep 2017 20:00:00 -0500
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 4851dc9ad..c8bbff3fb 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -69,13 +69,7 @@ static void warning_feature_disabled(const char *feature) {
 }
+static int is_in_ignore_list(char *ptr) {
-// check profile line; if line == 0, this was generated from a command line option
-// return 1 if the command is to be added to the linked list of profile commands
-// return 0 if the command was already executed inside the function
-int profile_check_line(char *ptr, int lineno, const char *fname) {
-        EUID_ASSERT();
        // check ignore list
        int i;
        for (i = 0; i < MAX_PROFILE_IGNORE; i++) {
@@ -86,10 +80,24 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                if (strncmp(ptr, cfg.profile_ignore[i], len) == 0) {
                        // full word match
                        if (*(ptr + len) == '\0' || *(ptr + len) == ' ')
-                                return 0;       // ignore line
+                                return 1;       // ignore line
                }
        }
+        return 0;
+}
+// check profile line; if line == 0, this was generated from a command line option
+// return 1 if the command is to be added to the linked list of profile commands
+// return 0 if the command was already executed inside the function
+int profile_check_line(char *ptr, int lineno, const char *fname) {
+        EUID_ASSERT();
+        // check ignore list
+        if (is_in_ignore_list(ptr))
+                return 0;
        if (strncmp(ptr, "ignore ", 7) == 0) {
                char *str = strdup(ptr + 7);
                if (*str == '\0') {
@@ -1256,8 +1264,12 @@ void profile_read(const char *fname) {
                }
                // process quiet
+                // todo: a quiet in the profile file cannot be disabled by --ignore on command line
                if (strcmp(ptr, "quiet") == 0) {
-                        arg_quiet = 1;
+                        if (is_in_ignore_list(ptr))
+                                arg_quiet = 0;
+                        else
+                                arg_quiet = 1;
                        free(ptr);
                        continue;
                }
diff --git a/test/private-lib/gnome-calculator.exp b/test/private-lib/gnome-calculator.exp
index 590da34cf..6d20c36f4 100755
--- a/test/private-lib/gnome-calculator.exp
+++ b/test/private-lib/gnome-calculator.exp
@@ -7,7 +7,9 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "firejail gnome-calculator\r"
+# gnome-calculator uses quiet at the top of the profile
+# we need to use --ignore
+send -- "firejail --ignore=quiet gnome-calculator\r"
 expect {
        timeout {puts "TESTING ERROR 0\n";exit}
        "Reading profile /etc/firejail/gnome-calculator.profile"
@@ -50,7 +52,7 @@ send -- "firemon --seccomp\r"
 expect {
        timeout {puts "TESTING ERROR 5\n";exit}
        "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
-        ":firejail gnome-calculator"
+        ":firejail --ignore=quiet gnome-calculator"
 }
 expect {
        timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
@@ -64,7 +66,7 @@ after 100
 send -- "firemon --caps\r"
 expect {
        timeout {puts "TESTING ERROR 6\n";exit}
-        ":firejail gnome-calculator"
+        ":firejail --ignore=quiet gnome-calculator"
 }
 expect {
        timeout {puts "TESTING ERROR 6.1\n";exit}
diff --git a/test/profiles/ignore.exp b/test/profiles/ignore.exp
index cdb38e97b..8463d6cc8 100755
--- a/test/profiles/ignore.exp
+++ b/test/profiles/ignore.exp
@@ -19,7 +19,7 @@ expect {
        BLACKLIST {puts "TESTING ERROR 2\n";exit}
        "Child process initialized"
 }
-sleep 1
+after 100
 send -- "exit\r"
 sleep 1
@@ -28,23 +28,58 @@ expect {
        timeout {puts "TESTING ERROR 3\n";exit}
        "Child process initialized"
 }
-sleep 1
+after 100
 send -- "ps aux | wc -l\r"
 expect {
        timeout {puts "TESTING ERROR 4\n";exit}
        "5"
 }
+after 100
+send -- "exit\r"
 sleep 1
+send -- "firejail --ignore=private --ignore=shell --profile=ignore.profile \r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "Child process initialized"
+}
+after 100
+send -- "ps aux | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "5"
+}
+after 100
 send -- "exit\r"
 sleep 1
 send -- "firejail --debug --profile=ignore2.profile\r"
 expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
+        timeout {puts "TESTING ERROR 7\n";exit}
-        BLACKLIST {puts "TESTING ERROR 6\n";exit}
+        BLACKLIST {puts "TESTING ERROR 8\n";exit}
        "Child process initialized"
 }
 after 100
+send -- "exit\r"
+sleep 1
+send -- "firejail --ignore=quiet --ignore=shell --profile=ignore.profile \r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "Child process initialized"
+}
+after 100
+send -- "ps aux | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "5"
+}
+after 100
+send -- "exit\r"
+after 100
 puts "\nall done\n"
diff --git a/test/profiles/ignore2.profile b/test/profiles/ignore2.profile
index 49fcd8324..c85cd9544 100644
--- a/test/profiles/ignore2.profile
+++ b/test/profiles/ignore2.profile
@@ -1,3 +1,5 @@
 ignore seccomp
+ignore shell
 private
 seccomp
+shell none
diff --git a/test/profiles/ignore3.profile b/test/profiles/ignore3.profile
new file mode 100644
index 000000000..f0c9699e1
--- /dev/null
+++ b/test/profiles/ignore3.profile
@@ -0,0 +1,4 @@
+quiet
+private
+seccomp
+shell none
author	netblue30 <netblue30@yahoo.com>	2017-10-30 16:09:57 -0400
committer	netblue30 <netblue30@yahoo.com>	2017-10-30 16:09:57 -0400
commit	66042d7dbc60f183e9d77fefd93a9584e3cf35ef (patch)
tree	9d54205a755125c61c87f7f8e9c0e48743c28b88
parent	testing, fixed cryptocat.profile (diff)
download	firejail-66042d7dbc60f183e9d77fefd93a9584e3cf35ef.tar.gz firejail-66042d7dbc60f183e9d77fefd93a9584e3cf35ef.tar.zst firejail-66042d7dbc60f183e9d77fefd93a9584e3cf35ef.zip

diff --git a/RELNOTES b/RELNOTES index be8ff21c8..10800f6b0 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -34,9 +34,9 @@ firejail (0.9.51) baseline; urgency=low
34	calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd,	34	calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd,
35	google-earth,imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion,	35	google-earth,imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion,
36	mpd, natron, Natron, ricochet, shotcut, teamspeak3, tor, tor-browser-en,	36	mpd, natron, Natron, ricochet, shotcut, teamspeak3, tor, tor-browser-en,
37	Viber, x-terminal-emulator, zart, conky, arch-audit, ffmpeg, bluefish, cliqz,	37	Viber, x-terminal-emulator, zart, conky, arch-audit, ffmpeg, bluefish,
38	cinelerra, openshot-qt, pinta, uefitool, aosp, pdfmod, gnome-ring, signal-desktop,	38	cinelerra, openshot-qt, pinta, uefitool, aosp, pdfmod, gnome-ring,
39	xcalc, zaproxy, kopete	39	xcalc, zaproxy, kopete, cliqz, signal-desktop
40		40
41	-- netblue30 <netblue30@yahoo.com> Thu, 14 Sep 2017 20:00:00 -0500	41	-- netblue30 <netblue30@yahoo.com> Thu, 14 Sep 2017 20:00:00 -0500
42		42


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 4851dc9ad..c8bbff3fb 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -69,13 +69,7 @@ static void warning_feature_disabled(const char *feature) {
69	}	69	}
70		70
71		71
72		72	static int is_in_ignore_list(char *ptr) {
73	// check profile line; if line == 0, this was generated from a command line option
74	// return 1 if the command is to be added to the linked list of profile commands
75	// return 0 if the command was already executed inside the function
76	int profile_check_line(char ptr, int lineno, const char fname) {
77	EUID_ASSERT();
78
79	// check ignore list	73	// check ignore list
80	int i;	74	int i;
81	for (i = 0; i < MAX_PROFILE_IGNORE; i++) {	75	for (i = 0; i < MAX_PROFILE_IGNORE; i++) {
@@ -86,10 +80,24 @@ int profile_check_line(char ptr, int lineno, const char fname) {
86	if (strncmp(ptr, cfg.profile_ignore[i], len) == 0) {	80	if (strncmp(ptr, cfg.profile_ignore[i], len) == 0) {
87	// full word match	81	// full word match
88	if ((ptr + len) == '\0' \|\| (ptr + len) == ' ')	82	if ((ptr + len) == '\0' \|\| (ptr + len) == ' ')
89	return 0; // ignore line	83	return 1; // ignore line
90	}	84	}
91	}	85	}
92		86
		87	return 0;
		88	}
		89
		90
		91	// check profile line; if line == 0, this was generated from a command line option
		92	// return 1 if the command is to be added to the linked list of profile commands
		93	// return 0 if the command was already executed inside the function
		94	int profile_check_line(char ptr, int lineno, const char fname) {
		95	EUID_ASSERT();
		96
		97	// check ignore list
		98	if (is_in_ignore_list(ptr))
		99	return 0;
		100
93	if (strncmp(ptr, "ignore ", 7) == 0) {	101	if (strncmp(ptr, "ignore ", 7) == 0) {
94	char *str = strdup(ptr + 7);	102	char *str = strdup(ptr + 7);
95	if (*str == '\0') {	103	if (*str == '\0') {
@@ -1256,8 +1264,12 @@ void profile_read(const char *fname) {
1256	}	1264	}
1257		1265
1258	// process quiet	1266	// process quiet
		1267	// todo: a quiet in the profile file cannot be disabled by --ignore on command line
1259	if (strcmp(ptr, "quiet") == 0) {	1268	if (strcmp(ptr, "quiet") == 0) {
1260	arg_quiet = 1;	1269	if (is_in_ignore_list(ptr))
		1270	arg_quiet = 0;
		1271	else
		1272	arg_quiet = 1;
1261	free(ptr);	1273	free(ptr);
1262	continue;	1274	continue;
1263	}	1275	}


diff --git a/test/private-lib/gnome-calculator.exp b/test/private-lib/gnome-calculator.exp index 590da34cf..6d20c36f4 100755 --- a/test/private-lib/gnome-calculator.exp +++ b/test/private-lib/gnome-calculator.exp
@@ -7,7 +7,9 @@ set timeout 10
7	spawn $env(SHELL)	7	spawn $env(SHELL)
8	match_max 100000	8	match_max 100000
9		9
10	send -- "firejail gnome-calculator\r"	10	# gnome-calculator uses quiet at the top of the profile
		11	# we need to use --ignore
		12	send -- "firejail --ignore=quiet gnome-calculator\r"
11	expect {	13	expect {
12	timeout {puts "TESTING ERROR 0\n";exit}	14	timeout {puts "TESTING ERROR 0\n";exit}
13	"Reading profile /etc/firejail/gnome-calculator.profile"	15	"Reading profile /etc/firejail/gnome-calculator.profile"
@@ -50,7 +52,7 @@ send -- "firemon --seccomp\r"
50	expect {	52	expect {
51	timeout {puts "TESTING ERROR 5\n";exit}	53	timeout {puts "TESTING ERROR 5\n";exit}
52	"need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}	54	"need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit}
53	":firejail gnome-calculator"	55	":firejail --ignore=quiet gnome-calculator"
54	}	56	}
55	expect {	57	expect {
56	timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}	58	timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit}
@@ -64,7 +66,7 @@ after 100
64	send -- "firemon --caps\r"	66	send -- "firemon --caps\r"
65	expect {	67	expect {
66	timeout {puts "TESTING ERROR 6\n";exit}	68	timeout {puts "TESTING ERROR 6\n";exit}
67	":firejail gnome-calculator"	69	":firejail --ignore=quiet gnome-calculator"
68	}	70	}
69	expect {	71	expect {
70	timeout {puts "TESTING ERROR 6.1\n";exit}	72	timeout {puts "TESTING ERROR 6.1\n";exit}


diff --git a/test/profiles/ignore.exp b/test/profiles/ignore.exp index cdb38e97b..8463d6cc8 100755 --- a/test/profiles/ignore.exp +++ b/test/profiles/ignore.exp
@@ -19,7 +19,7 @@ expect {
19	BLACKLIST {puts "TESTING ERROR 2\n";exit}	19	BLACKLIST {puts "TESTING ERROR 2\n";exit}
20	"Child process initialized"	20	"Child process initialized"
21	}	21	}
22	sleep 1	22	after 100
23	send -- "exit\r"	23	send -- "exit\r"
24	sleep 1	24	sleep 1
25		25
@@ -28,23 +28,58 @@ expect {
28	timeout {puts "TESTING ERROR 3\n";exit}	28	timeout {puts "TESTING ERROR 3\n";exit}
29	"Child process initialized"	29	"Child process initialized"
30	}	30	}
31	sleep 1	31	after 100
32		32
33	send -- "ps aux \| wc -l\r"	33	send -- "ps aux \| wc -l\r"
34	expect {	34	expect {
35	timeout {puts "TESTING ERROR 4\n";exit}	35	timeout {puts "TESTING ERROR 4\n";exit}
36	"5"	36	"5"
37	}	37	}
		38	after 100
		39	send -- "exit\r"
38	sleep 1	40	sleep 1
		41
		42	send -- "firejail --ignore=private --ignore=shell --profile=ignore.profile \r"
		43	expect {
		44	timeout {puts "TESTING ERROR 5\n";exit}
		45	"Child process initialized"
		46	}
		47	after 100
		48
		49	send -- "ps aux \| wc -l\r"
		50	expect {
		51	timeout {puts "TESTING ERROR 6\n";exit}
		52	"5"
		53	}
		54	after 100
39	send -- "exit\r"	55	send -- "exit\r"
40	sleep 1	56	sleep 1
41		57
42	send -- "firejail --debug --profile=ignore2.profile\r"	58	send -- "firejail --debug --profile=ignore2.profile\r"
43	expect {	59	expect {
44	timeout {puts "TESTING ERROR 5\n";exit}	60	timeout {puts "TESTING ERROR 7\n";exit}
45	BLACKLIST {puts "TESTING ERROR 6\n";exit}	61	BLACKLIST {puts "TESTING ERROR 8\n";exit}
46	"Child process initialized"	62	"Child process initialized"
47	}	63	}
48		64
49	after 100	65	after 100
		66	send -- "exit\r"
		67	sleep 1
		68
		69	send -- "firejail --ignore=quiet --ignore=shell --profile=ignore.profile \r"
		70	expect {
		71	timeout {puts "TESTING ERROR 9\n";exit}
		72	"Child process initialized"
		73	}
		74	after 100
		75
		76	send -- "ps aux \| wc -l\r"
		77	expect {
		78	timeout {puts "TESTING ERROR 10\n";exit}
		79	"5"
		80	}
		81	after 100
		82	send -- "exit\r"
		83	after 100
		84
50	puts "\nall done\n"	85	puts "\nall done\n"


diff --git a/test/profiles/ignore2.profile b/test/profiles/ignore2.profile index 49fcd8324..c85cd9544 100644 --- a/test/profiles/ignore2.profile +++ b/test/profiles/ignore2.profile
@@ -1,3 +1,5 @@
1	ignore seccomp	1	ignore seccomp
		2	ignore shell
2	private	3	private
3	seccomp	4	seccomp
		5	shell none


diff --git a/test/profiles/ignore3.profile b/test/profiles/ignore3.profile new file mode 100644 index 000000000..f0c9699e1 --- /dev/null +++ b/test/profiles/ignore3.profile
@@ -0,0 +1,4 @@
		1	quiet
		2	private
		3	seccomp
		4	shell none