Merge pull request #5595 from kmk3/rename-etc-no-blacklisted

Rename etc-no-blacklisted to etc-hide-blacklisted
author: netblue30 <netblue30@protonmail.com> 2023-01-16 08:30:33 -0500
committer: GitHub <noreply@github.com> 2023-01-16 08:30:33 -0500
commit: bced772a1ece3c715eb3b3e6cd86dda6fe9d05e5 (patch)
tree: 3c51c2dfe83c63558e5dbc056f2374e0f049c6e9
parent: Merge pull request #5594 from bymoz089/master (diff)
parent: firejail.config: explain potential issues with etc-hide-blacklisted (diff)
download: firejail-bced772a1ece3c715eb3b3e6cd86dda6fe9d05e5.tar.gz
firejail-bced772a1ece3c715eb3b3e6cd86dda6fe9d05e5.tar.zst
firejail-bced772a1ece3c715eb3b3e6cd86dda6fe9d05e5.zip
5 files changed, 11 insertions, 9 deletions
diff --git a/etc/firejail.config b/etc/firejail.config
index 26125e4b6..13db32f1e 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -78,8 +78,9 @@
 # Enable or disable overlayfs features, default enabled.
 # overlayfs yes
-# Hide blacklisted files in /etc directory, default disabled.
+# Hide blacklisted files in /etc directory (enabling this may break
-# etc-no-blacklisted no
+# /etc/resolv.conf; see #5010), default disabled.
+# etc-hide-blacklisted no
 # Set the limit for file copy in several --private-* options. The size is set
 # in megabytes. By default we allow up to 500MB.
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 590543217..ce8446cc8 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -51,7 +51,7 @@ int checkcfg(int val) {
                        cfg_val[i] = 1; // most of them are enabled by default
                cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default
                cfg_val[CFG_FORCE_NONEWPRIVS] = 0;
-                cfg_val[CFG_ETC_NO_BLACKLISTED] = 0;
+                cfg_val[CFG_ETC_HIDE_BLACKLISTED] = 0;
                cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0;
                cfg_val[CFG_FIREJAIL_PROMPT] = 0;
                cfg_val[CFG_DISABLE_MNT] = 0;
@@ -116,7 +116,7 @@ int checkcfg(int val) {
                        PARSE_YESNO(CFG_TRACELOG, "tracelog")
                        PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title")
                        PARSE_YESNO(CFG_OVERLAYFS, "overlayfs")
-                        PARSE_YESNO(CFG_ETC_NO_BLACKLISTED, "etc-no-blacklisted")
+                        PARSE_YESNO(CFG_ETC_HIDE_BLACKLISTED, "etc-hide-blacklisted")
                        PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin")
                        PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local")
                        PARSE_YESNO(CFG_PRIVATE_CACHE, "private-cache")
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index cf5c5b2fa..13ee573ad 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -811,7 +811,7 @@ enum {
        CFG_FORCE_NONEWPRIVS,
        CFG_XEPHYR_WINDOW_TITLE,
        CFG_OVERLAYFS,
-        CFG_ETC_NO_BLACKLISTED,
+        CFG_ETC_HIDE_BLACKLISTED,
        CFG_PRIVATE_BIN,
        CFG_PRIVATE_BIN_NO_LOCAL,
        CFG_PRIVATE_CACHE,
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 3066c50ed..84f207fac 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -162,7 +162,7 @@ static void disable_file(OPERATION op, const char *filename) {
                                fs_logger2("blacklist-nolog", fname);
                        // files in /etc will be reprocessed during /etc rebuild
-                        if (checkcfg(CFG_ETC_NO_BLACKLISTED) && strncmp(fname, "/etc/", 5) == 0) {
+                        if (checkcfg(CFG_ETC_HIDE_BLACKLISTED) && strncmp(fname, "/etc/", 5) == 0) {
                                ProfileEntry *prf = malloc(sizeof(ProfileEntry));
                                if (!prf)
                                        errExit("malloc");
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index e58537e49..aa4d76431 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -265,9 +265,10 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
 void fs_rebuild_etc(void) {
        int have_dhcp = 1;
        if (cfg.dns1 == NULL && !any_dhcp()) {
-                // this function has the effect that updates to files using rename(2) don't propagate into the sandbox
+                // Disabling this option ensures that updates to files using
-                // avoid this in the default setting, in order to not break /etc/resolv.conf (issue #5010)
+                // rename(2) propagate into the sandbox, in order to avoid
-                if (!checkcfg(CFG_ETC_NO_BLACKLISTED))
+                // breaking /etc/resolv.conf (issue #5010).
+                if (!checkcfg(CFG_ETC_HIDE_BLACKLISTED))
                        return;
                have_dhcp = 0;
        }
author	netblue30 <netblue30@protonmail.com>	2023-01-16 08:30:33 -0500
committer	GitHub <noreply@github.com>	2023-01-16 08:30:33 -0500
commit	bced772a1ece3c715eb3b3e6cd86dda6fe9d05e5 (patch)
tree	3c51c2dfe83c63558e5dbc056f2374e0f049c6e9
parent	Merge pull request #5594 from bymoz089/master (diff)
parent	firejail.config: explain potential issues with etc-hide-blacklisted (diff)
download	firejail-bced772a1ece3c715eb3b3e6cd86dda6fe9d05e5.tar.gz firejail-bced772a1ece3c715eb3b3e6cd86dda6fe9d05e5.tar.zst firejail-bced772a1ece3c715eb3b3e6cd86dda6fe9d05e5.zip