cleanup

author: netblue30 <netblue30@yahoo.com> 2015-09-01 08:25:06 -0400
committer: netblue30 <netblue30@yahoo.com> 2015-09-01 08:25:06 -0400
commit: acc124fb8ab41d9fc77fd9267754e0aa21d9d007 (patch)
tree: 9387950d865398db61023386d30ede9d770ce289
parent: using /etc/firejail/server.profile as default profile if the sandbox is start... (diff)
download: firejail-acc124fb8ab41d9fc77fd9267754e0aa21d9d007.tar.gz
firejail-acc124fb8ab41d9fc77fd9267754e0aa21d9d007.tar.zst
firejail-acc124fb8ab41d9fc77fd9267754e0aa21d9d007.zip
5 files changed, 42 insertions, 31 deletions
diff --git a/etc/evince.profile b/etc/evince.profile
index c90317ed8..023fd2444 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -5,5 +5,4 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-history.inc
 caps.drop all
 seccomp
-net none
 noroot
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 9d635436d..3b2e7e4d9 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -695,7 +695,6 @@ int main(int argc, char **argv) {
                        }
                        
                        // extract private home dirname
-printf("here %s:%d\n", __FILE__, __LINE__);                     
                        cfg.home_private = argv[i] + 10;
                        fs_check_private_dir();
                        arg_private = 1;
@@ -1058,26 +1057,35 @@ printf("here %s:%d\n", __FILE__, __LINE__);
        // use generic.profile as the default
        if (!custom_profile && !arg_noprofile) {
-                char *profile_name = DEFAULT_USER_PROFILE;
+                if (cfg.chrootdir)
-                if (getuid() == 0)
+                        fprintf(stderr, "Warning: default profile disabled by --chroot option\n");
-                        profile_name = DEFAULT_ROOT_PROFILE;
+                else if (arg_overlay)
-                if (arg_debug)
+                        fprintf(stderr, "Warning: default profile disabled by --overlay option\n");
-                        printf("Attempting to find %s.profile...", profile_name);
+                else if (cfg.home_private_keep)
+                        fprintf(stderr, "Warning: default profile disabled by --private-home option\n");
-                // look for the profile in ~/.config/firejail directory
+                else {
-                char *usercfgdir;
+                        // try to load a default profile
-                if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)
+                        char *profile_name = DEFAULT_USER_PROFILE;
-                        errExit("asprintf");
+                        if (getuid() == 0)
-                custom_profile = profile_find(profile_name, usercfgdir);
+                                profile_name = DEFAULT_ROOT_PROFILE;
-                free(usercfgdir);
+                        if (arg_debug)
+                                printf("Attempting to find %s.profile...\n", profile_name);
-                if (!custom_profile) {
+        
-                        // look for the profile in /etc/firejail directory
+                        // look for the profile in ~/.config/firejail directory
-                        custom_profile = profile_find(profile_name, "/etc/firejail");
+                        char *usercfgdir;
+                        if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)
+                                errExit("asprintf");
+                        custom_profile = profile_find(profile_name, usercfgdir);
+                        free(usercfgdir);
+        
+                        if (!custom_profile) {
+                                // look for the profile in /etc/firejail directory
+                                custom_profile = profile_find(profile_name, "/etc/firejail");
+                        }
+                        
+                        if (custom_profile)
+                                printf("\n** Note: %s profile can be disabled by --noprofile option **\n\n", profile_name);
                }
-                
-                if (custom_profile)
-                        printf("Note: %s profile can be disabled by --noprofile option.\n", profile_name);
        }
        // check and assign an IP address - for macvlan it will be done again in the sandbox!
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 46cb03da7..53782a288 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -179,6 +179,7 @@ int sandbox(void* sandbox_arg) {
        //****************************
        // configure filesystem
        //****************************
+        
 #ifdef HAVE_CHROOT              
        if (cfg.chrootdir) {
                fs_chroot(cfg.chrootdir);
@@ -267,6 +268,8 @@ int sandbox(void* sandbox_arg) {
        //****************************
        if (arg_nonetwork) {
                net_if_up("lo");
+                if (arg_debug)
+                        printf("Network namespace enabled, only loopback interface available\n");
        }
        else if (any_bridge_configured()) {
                // configure lo and eth0...eth3
@@ -397,7 +400,7 @@ int sandbox(void* sandbox_arg) {
        if (arg_noroot) {
                int rv = unshare(CLONE_NEWUSER);
                if (rv == -1) {
-                        fprintf(stderr, "Warning: cannot mount a new user namespace\n");
+                        fprintf(stderr, "Error: cannot mount a new user namespace\n");
                        perror("unshare");
                        drop_privs(arg_nogroups);
                }
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 17f038a2e..47988dbf4 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -179,8 +179,8 @@ static void filter_init(void) {
                return;
        }
-        if (arg_debug)
+//      if (arg_debug)
-                printf("Initialize seccomp filter\n");  
+//              printf("Initialize seccomp filter\n");  
        // allocate a filter of SECSIZE
        sfilter = malloc(sizeof(struct sock_filter) * SECSIZE);
        if (!sfilter)
@@ -220,8 +220,8 @@ static void filter_add_whitelist(int syscall) {
        assert(sfilter);
        assert(sfilter_alloc_size);
        assert(sfilter_index);
-        if (arg_debug)
+//      if (arg_debug)
-                printf("Whitelisting syscall %d %s\n", syscall, syscall_find_nr(syscall));
+//              printf("Whitelisting syscall %d %s\n", syscall, syscall_find_nr(syscall));
        
        if ((sfilter_index + 2) > sfilter_alloc_size)
                filter_realloc();
@@ -246,8 +246,8 @@ static void filter_add_blacklist(int syscall) {
        assert(sfilter);
        assert(sfilter_alloc_size);
        assert(sfilter_index);
-        if (arg_debug)
+//      if (arg_debug)
-                printf("Blacklisting syscall %d %s\n", syscall, syscall_find_nr(syscall));
+//              printf("Blacklisting syscall %d %s\n", syscall, syscall_find_nr(syscall));
        
        if ((sfilter_index + 2) > sfilter_alloc_size)
                filter_realloc();
@@ -272,8 +272,8 @@ static void filter_end_blacklist(void) {
        assert(sfilter);
        assert(sfilter_alloc_size);
        assert(sfilter_index);
-        if (arg_debug)
+//      if (arg_debug)
-                printf("Ending syscall filter\n");
+//              printf("Ending syscall filter\n");
        if ((sfilter_index + 2) > sfilter_alloc_size)
                filter_realloc();
diff --git a/todo b/todo
index b62f80b8d..4c90af913 100644
--- a/todo
+++ b/todo
@@ -27,4 +27,5 @@ Warning: failed to unmount /sys
 Child process initialized
 $
-3. default.profile creating problems for  --chroot, --private-home
+3. default.profile creating problems for  --chroot, --overlay, --private-home
author	netblue30 <netblue30@yahoo.com>	2015-09-01 08:25:06 -0400
committer	netblue30 <netblue30@yahoo.com>	2015-09-01 08:25:06 -0400
commit	acc124fb8ab41d9fc77fd9267754e0aa21d9d007 (patch)
tree	9387950d865398db61023386d30ede9d770ce289
parent	using /etc/firejail/server.profile as default profile if the sandbox is start... (diff)
download	firejail-acc124fb8ab41d9fc77fd9267754e0aa21d9d007.tar.gz firejail-acc124fb8ab41d9fc77fd9267754e0aa21d9d007.tar.zst firejail-acc124fb8ab41d9fc77fd9267754e0aa21d9d007.zip

diff --git a/etc/evince.profile b/etc/evince.profile index c90317ed8..023fd2444 100644 --- a/etc/evince.profile +++ b/etc/evince.profile
@@ -5,5 +5,4 @@ include /etc/firejail/disable-common.inc
5	include /etc/firejail/disable-history.inc	5	include /etc/firejail/disable-history.inc
6	caps.drop all	6	caps.drop all
7	seccomp	7	seccomp
8	net none
9	noroot	8	noroot


diff --git a/src/firejail/main.c b/src/firejail/main.c index 9d635436d..3b2e7e4d9 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -695,7 +695,6 @@ int main(int argc, char **argv) {
695	}	695	}
696		696
697	// extract private home dirname	697	// extract private home dirname
698	printf("here %s:%d\n", __FILE__, __LINE__);
699	cfg.home_private = argv[i] + 10;	698	cfg.home_private = argv[i] + 10;
700	fs_check_private_dir();	699	fs_check_private_dir();
701	arg_private = 1;	700	arg_private = 1;
@@ -1058,26 +1057,35 @@ printf("here %s:%d\n", __FILE__, __LINE__);
1058		1057
1059	// use generic.profile as the default	1058	// use generic.profile as the default
1060	if (!custom_profile && !arg_noprofile) {	1059	if (!custom_profile && !arg_noprofile) {
1061	char *profile_name = DEFAULT_USER_PROFILE;	1060	if (cfg.chrootdir)
1062	if (getuid() == 0)	1061	fprintf(stderr, "Warning: default profile disabled by --chroot option\n");
1063	profile_name = DEFAULT_ROOT_PROFILE;	1062	else if (arg_overlay)
1064	if (arg_debug)	1063	fprintf(stderr, "Warning: default profile disabled by --overlay option\n");
1065	printf("Attempting to find %s.profile...", profile_name);	1064	else if (cfg.home_private_keep)
1066		1065	fprintf(stderr, "Warning: default profile disabled by --private-home option\n");
1067	// look for the profile in ~/.config/firejail directory	1066	else {
1068	char *usercfgdir;	1067	// try to load a default profile
1069	if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)	1068	char *profile_name = DEFAULT_USER_PROFILE;
1070	errExit("asprintf");	1069	if (getuid() == 0)
1071	custom_profile = profile_find(profile_name, usercfgdir);	1070	profile_name = DEFAULT_ROOT_PROFILE;
1072	free(usercfgdir);	1071	if (arg_debug)
1073		1072	printf("Attempting to find %s.profile...\n", profile_name);
1074	if (!custom_profile) {	1073
1075	// look for the profile in /etc/firejail directory	1074	// look for the profile in ~/.config/firejail directory
1076	custom_profile = profile_find(profile_name, "/etc/firejail");	1075	char *usercfgdir;
		1076	if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)
		1077	errExit("asprintf");
		1078	custom_profile = profile_find(profile_name, usercfgdir);
		1079	free(usercfgdir);
		1080
		1081	if (!custom_profile) {
		1082	// look for the profile in /etc/firejail directory
		1083	custom_profile = profile_find(profile_name, "/etc/firejail");
		1084	}
		1085
		1086	if (custom_profile)
		1087	printf("\n Note: %s profile can be disabled by --noprofile option \n\n", profile_name);
1077	}	1088	}
1078
1079	if (custom_profile)
1080	printf("Note: %s profile can be disabled by --noprofile option.\n", profile_name);
1081	}	1089	}
1082		1090
1083	// check and assign an IP address - for macvlan it will be done again in the sandbox!	1091	// check and assign an IP address - for macvlan it will be done again in the sandbox!


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 46cb03da7..53782a288 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -179,6 +179,7 @@ int sandbox(void* sandbox_arg) {
179	//****************************	179	//****************************
180	// configure filesystem	180	// configure filesystem
181	//****************************	181	//****************************
		182
182	#ifdef HAVE_CHROOT	183	#ifdef HAVE_CHROOT
183	if (cfg.chrootdir) {	184	if (cfg.chrootdir) {
184	fs_chroot(cfg.chrootdir);	185	fs_chroot(cfg.chrootdir);
@@ -267,6 +268,8 @@ int sandbox(void* sandbox_arg) {
267	//****************************	268	//****************************
268	if (arg_nonetwork) {	269	if (arg_nonetwork) {
269	net_if_up("lo");	270	net_if_up("lo");
		271	if (arg_debug)
		272	printf("Network namespace enabled, only loopback interface available\n");
270	}	273	}
271	else if (any_bridge_configured()) {	274	else if (any_bridge_configured()) {
272	// configure lo and eth0...eth3	275	// configure lo and eth0...eth3
@@ -397,7 +400,7 @@ int sandbox(void* sandbox_arg) {
397	if (arg_noroot) {	400	if (arg_noroot) {
398	int rv = unshare(CLONE_NEWUSER);	401	int rv = unshare(CLONE_NEWUSER);
399	if (rv == -1) {	402	if (rv == -1) {
400	fprintf(stderr, "Warning: cannot mount a new user namespace\n");	403	fprintf(stderr, "Error: cannot mount a new user namespace\n");
401	perror("unshare");	404	perror("unshare");
402	drop_privs(arg_nogroups);	405	drop_privs(arg_nogroups);
403	}	406	}


diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 17f038a2e..47988dbf4 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c
@@ -179,8 +179,8 @@ static void filter_init(void) {
179	return;	179	return;
180	}	180	}
181		181
182	if (arg_debug)	182	// if (arg_debug)
183	printf("Initialize seccomp filter\n");	183	// printf("Initialize seccomp filter\n");
184	// allocate a filter of SECSIZE	184	// allocate a filter of SECSIZE
185	sfilter = malloc(sizeof(struct sock_filter) * SECSIZE);	185	sfilter = malloc(sizeof(struct sock_filter) * SECSIZE);
186	if (!sfilter)	186	if (!sfilter)
@@ -220,8 +220,8 @@ static void filter_add_whitelist(int syscall) {
220	assert(sfilter);	220	assert(sfilter);
221	assert(sfilter_alloc_size);	221	assert(sfilter_alloc_size);
222	assert(sfilter_index);	222	assert(sfilter_index);
223	if (arg_debug)	223	// if (arg_debug)
224	printf("Whitelisting syscall %d %s\n", syscall, syscall_find_nr(syscall));	224	// printf("Whitelisting syscall %d %s\n", syscall, syscall_find_nr(syscall));
225		225
226	if ((sfilter_index + 2) > sfilter_alloc_size)	226	if ((sfilter_index + 2) > sfilter_alloc_size)
227	filter_realloc();	227	filter_realloc();
@@ -246,8 +246,8 @@ static void filter_add_blacklist(int syscall) {
246	assert(sfilter);	246	assert(sfilter);
247	assert(sfilter_alloc_size);	247	assert(sfilter_alloc_size);
248	assert(sfilter_index);	248	assert(sfilter_index);
249	if (arg_debug)	249	// if (arg_debug)
250	printf("Blacklisting syscall %d %s\n", syscall, syscall_find_nr(syscall));	250	// printf("Blacklisting syscall %d %s\n", syscall, syscall_find_nr(syscall));
251		251
252	if ((sfilter_index + 2) > sfilter_alloc_size)	252	if ((sfilter_index + 2) > sfilter_alloc_size)
253	filter_realloc();	253	filter_realloc();
@@ -272,8 +272,8 @@ static void filter_end_blacklist(void) {
272	assert(sfilter);	272	assert(sfilter);
273	assert(sfilter_alloc_size);	273	assert(sfilter_alloc_size);
274	assert(sfilter_index);	274	assert(sfilter_index);
275	if (arg_debug)	275	// if (arg_debug)
276	printf("Ending syscall filter\n");	276	// printf("Ending syscall filter\n");
277		277
278	if ((sfilter_index + 2) > sfilter_alloc_size)	278	if ((sfilter_index + 2) > sfilter_alloc_size)
279	filter_realloc();	279	filter_realloc();


diff --git a/todo b/todo index b62f80b8d..4c90af913 100644 --- a/todo +++ b/todo
@@ -27,4 +27,5 @@ Warning: failed to unmount /sys
27	Child process initialized	27	Child process initialized
28	$	28	$
29		29
30	3. default.profile creating problems for --chroot, --private-home	30	3. default.profile creating problems for --chroot, --overlay, --private-home
		31