author | smitsohu <smitsohu@gmail.com> | 2023-01-15 16:21:52 +0100 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2023-01-15 19:41:04 +0100 |
commit | ded50200e0dcc0e79adf0158669791a4c7d5f911 (patch) | |
tree | 52ce471f210cda8fbe8910a0a33da0c9a591f9d6 | |
parent | Merge branch 'master' of ssh://github.com/netblue30/firejail (diff) | |
-rw-r--r-- | etc/firejail.config | 3 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 2 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs.c | 2 | ||||
-rw-r--r-- | src/firejail/fs_etc.c | 7 |
5 files changed, 13 insertions, 2 deletions
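--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -78,6 +78,9 @@
 # Enable or disable overlayfs features, default enabled.
 # overlayfs yes
 
+# Hide blacklisted files in /etc directory, default disabled.
+# etc-no-blacklisted no
+
 # Set the limit for file copy in several --private-* options. The size is set
 # in megabytes. By default we allow up to 500MB.
 # Note: the files are copied in RAM.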
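--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -51,6 +51,7 @@ int checkcfg(int val) {
 cfg_val[i] = 1; // most of them are enabled by default
 cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default
 cfg_val[CFG_FORCE_NONEWPRIVS] = 0;
+cfg_val[CFG_ETC_NO_BLACKLISTED] = 0;
 cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0;
 cfg_val[CFG_FIREJAIL_PROMPT] = 0;
 cfg_val[CFG_DISABLE_MNT] = 0;
@@ -115,6 +116,7 @@ int checkcfg(int val) {
 PARSE_YESNO(CFG_TRACELOG, "tracelog")
 PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title")
 PARSE_YESNO(CFG_OVERLAYFS, "overlayfs")
+PARSE_YESNO(CFG_ETC_NO_BLACKLISTED, "etc-no-blacklisted")
 PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin")
 PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local")
 PARSE_YESNO(CFG_PRIVATE_CACHE, "private-cache")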
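--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -811,6 +811,7 @@ enum {
 CFG_FORCE_NONEWPRIVS,
 CFG_XEPHYR_WINDOW_TITLE,
 CFG_OVERLAYFS,
+CFG_ETC_NO_BLACKLISTED,
 CFG_PRIVATE_BIN,
 CFG_PRIVATE_BIN_NO_LOCAL,
 CFG_PRIVATE_CACHE,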
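--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -162,7 +162,7 @@ static void disable_file(OPERATION op, const char *filename) {
 fs_logger2("blacklist-nolog", fname);
 
 // files in /etc will be reprocessed during /etc rebuild
-if (strncmp(fname, "/etc/", 5) == 0) {
+if (checkcfg(CFG_ETC_NO_BLACKLISTED) && strncmp(fname, "/etc/", 5) == 0) {
 ProfileEntry *prf = malloc(sizeof(ProfileEntry));
 if (!prf)
 errExit("malloc");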
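Review bot: The comment on line 164, `// files in /etc will be reprocessed during /etc rebuild`, is now only true when etc-no-blacklisted is enabled, because the new condition on line 165 skips queueing the entry otherwise; suggest `// with etc-no-blacklisted enabled, files in /etc are also reprocessed during /etc rebuild`. Whether a blacklisted path under /etc is still hidden in the default configuration depends on what the code before this hunk does with fname (presumably the mount that the blacklist-nolog log line refers to), which is outside the view here; since this branch is what decides whether the new default weakens existing blacklist rules, it is worth confirming with a profile that blacklists a file under /etc. disable_file starts and ends outside the hunk.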
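--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -264,8 +264,13 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
 
 void fs_rebuild_etc(void) {
 int have_dhcp = 1;
-if (cfg.dns1 == NULL && !any_dhcp())
+if (cfg.dns1 == NULL && !any_dhcp()) {
+// this function has the effect that updates to files using rename(2) don't propagate into the sandbox
+// avoid this in the default setting, in order to not break /etc/resolv.conf (issue #5010)
+if (!checkcfg(CFG_ETC_NO_BLACKLISTED))
+return;
 have_dhcp = 0;
+}
 
 if (arg_debug)
 printf("rebuilding /etc directory\n");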
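Review bot: The trade-off the new comment on lines 268-269 describes — rebuilding /etc stops rename(2)-based updates such as /etc/resolv.conf from propagating into the sandbox — is visible only in the code, while the user-facing text added to etc/firejail.config in this commit says just "Hide blacklisted files in /etc directory, default disabled." Suggest extending that config comment with a line like `# Note: enabling this rebuilds /etc, so files replaced via rename(2) (e.g. /etc/resolv.conf) are not updated inside the sandbox (issue #5010).` so that administrators enabling the option know what they give up. The early return also only covers the case where cfg.dns1 is NULL and any_dhcp() is false; when DNS or DHCP is configured the rebuild still runs regardless of the option, so if that is intended a short comment on line 270 stating that the option gates only the no-DNS case would avoid a later reader assuming it disables the rebuild entirely. fs_rebuild_etc continues past the hunk.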