diff options
| author |  smitsohu <smitsohu@gmail.com> | 2021-05-21 23:25:09 +0200 |
|---|---|---|
| committer | smitsohu <smitsohu@gmail.com> | 2021-05-22 15:26:57 +0200 |
| commit | e391930dca9ccb4fce225f8364813b6bf127dd9b (patch) | |
| tree | 3a3d3437220a78b30f62ff2ba1f1c3588da4d7aa | |
| parent | Fix #4282 -- Unable to open X display when running firejail chromium command (diff) | |
| download | firejail-e391930dca9ccb4fce225f8364813b6bf127dd9b.tar.gz firejail-e391930dca9ccb4fce225f8364813b6bf127dd9b.tar.zst firejail-e391930dca9ccb4fce225f8364813b6bf127dd9b.zip | |
add firejail.config switch for private-{bin,etc,opt,srv}
| -rw-r--r-- | etc/firejail.config | 22 | ||||
| -rw-r--r-- | src/firejail/checkcfg.c | 8 | ||||
| -rw-r--r-- | src/firejail/firejail.h | 10 | ||||
| -rw-r--r-- | src/firejail/main.c | 104 | ||||
| -rw-r--r-- | src/firejail/profile.c | 75 |
5 files changed, 134 insertions, 85 deletions
diff --git a/etc/firejail.config b/etc/firejail.config index 731e744dd..592d77aff 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
| @@ -35,11 +35,6 @@ | |||
| 35 | # cannot be overridden by --noblacklist or --ignore. | 35 | # cannot be overridden by --noblacklist or --ignore. |
| 36 | # disable-mnt no | 36 | # disable-mnt no |
| 37 | 37 | ||
| 38 | # Set the limit for file copy in several --private-* options. The size is set | ||
| 39 | # in megabytes. By default we allow up to 500MB. | ||
| 40 | # Note: the files are copied in RAM. | ||
| 41 | # file-copy-limit 500 | ||
| 42 | |||
| 43 | # Enable or disable file transfer support, default enabled. | 38 | # Enable or disable file transfer support, default enabled. |
| 44 | # file-transfer yes | 39 | # file-transfer yes |
| 45 | 40 | ||
| @@ -83,18 +78,35 @@ | |||
| 83 | # Enable or disable overlayfs features, default enabled. | 78 | # Enable or disable overlayfs features, default enabled. |
| 84 | # overlayfs yes | 79 | # overlayfs yes |
| 85 | 80 | ||
| 81 | # Set the limit for file copy in several --private-* options. The size is set | ||
| 82 | # in megabytes. By default we allow up to 500MB. | ||
| 83 | # Note: the files are copied in RAM. | ||
| 84 | # file-copy-limit 500 | ||
| 85 | |||
| 86 | # Enable or disable private-bin feature, default enabled. | ||
| 87 | # private-bin yes | ||
| 88 | |||
| 86 | # Remove /usr/local directories from private-bin list, default disabled. | 89 | # Remove /usr/local directories from private-bin list, default disabled. |
| 87 | # private-bin-no-local no | 90 | # private-bin-no-local no |
| 88 | 91 | ||
| 89 | # Enable or disable private-cache feature, default enabled | 92 | # Enable or disable private-cache feature, default enabled |
| 90 | # private-cache yes | 93 | # private-cache yes |
| 91 | 94 | ||
| 95 | # Enable or disable private-etc feature, default enabled. | ||
| 96 | # private-etc yes | ||
| 97 | |||
| 92 | # Enable or disable private-home feature, default enabled | 98 | # Enable or disable private-home feature, default enabled |
| 93 | # private-home yes | 99 | # private-home yes |
| 94 | 100 | ||
| 95 | # Enable or disable private-lib feature, default enabled | 101 | # Enable or disable private-lib feature, default enabled |
| 96 | # private-lib yes | 102 | # private-lib yes |
| 97 | 103 | ||
| 104 | # Enable or disable private-opt feature, default enabled. | ||
| 105 | # private-opt yes | ||
| 106 | |||
| 107 | # Enable or disable private-srv feature, default enabled. | ||
| 108 | # private-srv yes | ||
| 109 | |||
| 98 | # Enable --quiet as default every time the sandbox is started. Default disabled. | 110 | # Enable --quiet as default every time the sandbox is started. Default disabled. |
| 99 | # quiet-by-default no | 111 | # quiet-by-default no |
| 100 | 112 | ||
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index d6643cf3a..b42ae1a64 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
| @@ -110,10 +110,14 @@ int checkcfg(int val) { | |||
| 110 | PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network") | 110 | PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network") |
| 111 | PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title") | 111 | PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title") |
| 112 | PARSE_YESNO(CFG_OVERLAYFS, "overlayfs") | 112 | PARSE_YESNO(CFG_OVERLAYFS, "overlayfs") |
| 113 | PARSE_YESNO(CFG_PRIVATE_HOME, "private-home") | 113 | PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin") |
| 114 | PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local") | ||
| 114 | PARSE_YESNO(CFG_PRIVATE_CACHE, "private-cache") | 115 | PARSE_YESNO(CFG_PRIVATE_CACHE, "private-cache") |
| 116 | PARSE_YESNO(CFG_PRIVATE_ETC, "private-etc") | ||
| 117 | PARSE_YESNO(CFG_PRIVATE_HOME, "private-home") | ||
| 115 | PARSE_YESNO(CFG_PRIVATE_LIB, "private-lib") | 118 | PARSE_YESNO(CFG_PRIVATE_LIB, "private-lib") |
| 116 | PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local") | 119 | PARSE_YESNO(CFG_PRIVATE_OPT, "private-opt") |
| 120 | PARSE_YESNO(CFG_PRIVATE_SRV, "private-srv") | ||
| 117 | PARSE_YESNO(CFG_DISABLE_MNT, "disable-mnt") | 121 | PARSE_YESNO(CFG_DISABLE_MNT, "disable-mnt") |
| 118 | PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach") | 122 | PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach") |
| 119 | PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f") | 123 | PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f") |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index ac2fd279e..18907fc63 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -766,8 +766,14 @@ enum { | |||
| 766 | CFG_WHITELIST, | 766 | CFG_WHITELIST, |
| 767 | CFG_XEPHYR_WINDOW_TITLE, | 767 | CFG_XEPHYR_WINDOW_TITLE, |
| 768 | CFG_OVERLAYFS, | 768 | CFG_OVERLAYFS, |
| 769 | CFG_PRIVATE_HOME, | 769 | CFG_PRIVATE_BIN, |
| 770 | CFG_PRIVATE_BIN_NO_LOCAL, | 770 | CFG_PRIVATE_BIN_NO_LOCAL, |
| 771 | CFG_PRIVATE_CACHE, | ||
| 772 | CFG_PRIVATE_ETC, | ||
| 773 | CFG_PRIVATE_HOME, | ||
| 774 | CFG_PRIVATE_LIB, | ||
| 775 | CFG_PRIVATE_OPT, | ||
| 776 | CFG_PRIVATE_SRV, | ||
| 771 | CFG_FIREJAIL_PROMPT, | 777 | CFG_FIREJAIL_PROMPT, |
| 772 | CFG_FOLLOW_SYMLINK_AS_USER, | 778 | CFG_FOLLOW_SYMLINK_AS_USER, |
| 773 | CFG_DISABLE_MNT, | 779 | CFG_DISABLE_MNT, |
| @@ -776,10 +782,8 @@ enum { | |||
| 776 | CFG_XPRA_ATTACH, | 782 | CFG_XPRA_ATTACH, |
| 777 | CFG_BROWSER_DISABLE_U2F, | 783 | CFG_BROWSER_DISABLE_U2F, |
| 778 | CFG_BROWSER_ALLOW_DRM, | 784 | CFG_BROWSER_ALLOW_DRM, |
| 779 | CFG_PRIVATE_LIB, | ||
| 780 | CFG_APPARMOR, | 785 | CFG_APPARMOR, |
| 781 | CFG_DBUS, | 786 | CFG_DBUS, |
| 782 | CFG_PRIVATE_CACHE, | ||
| 783 | CFG_CGROUP, | 787 | CFG_CGROUP, |
| 784 | CFG_NAME_CHANGE, | 788 | CFG_NAME_CHANGE, |
| 785 | CFG_SECCOMP_ERROR_ACTION, | 789 | CFG_SECCOMP_ERROR_ACTION, |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 593835843..f011c5799 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
| @@ -1949,61 +1949,77 @@ int main(int argc, char **argv, char **envp) { | |||
| 1949 | arg_keep_dev_shm = 1; | 1949 | arg_keep_dev_shm = 1; |
| 1950 | } | 1950 | } |
| 1951 | else if (strncmp(argv[i], "--private-etc=", 14) == 0) { | 1951 | else if (strncmp(argv[i], "--private-etc=", 14) == 0) { |
| 1952 | if (arg_writable_etc) { | 1952 | if (checkcfg(CFG_PRIVATE_ETC)) { |
| 1953 | fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); | 1953 | if (arg_writable_etc) { |
| 1954 | exit(1); | 1954 | fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); |
| 1955 | } | 1955 | exit(1); |
| 1956 | } | ||
| 1956 | 1957 | ||
| 1957 | // extract private etc list | 1958 | // extract private etc list |
| 1958 | if (*(argv[i] + 14) == '\0') { | 1959 | if (*(argv[i] + 14) == '\0') { |
| 1959 | fprintf(stderr, "Error: invalid private-etc option\n"); | 1960 | fprintf(stderr, "Error: invalid private-etc option\n"); |
| 1960 | exit(1); | 1961 | exit(1); |
| 1962 | } | ||
| 1963 | if (cfg.etc_private_keep) { | ||
| 1964 | if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, argv[i] + 14) < 0 ) | ||
| 1965 | errExit("asprintf"); | ||
| 1966 | } else | ||
| 1967 | cfg.etc_private_keep = argv[i] + 14; | ||
| 1968 | arg_private_etc = 1; | ||
| 1961 | } | 1969 | } |
| 1962 | if (cfg.etc_private_keep) { | 1970 | else |
| 1963 | if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, argv[i] + 14) < 0 ) | 1971 | exit_err_feature("private-etc"); |
| 1964 | errExit("asprintf"); | ||
| 1965 | } else | ||
| 1966 | cfg.etc_private_keep = argv[i] + 14; | ||
| 1967 | arg_private_etc = 1; | ||
| 1968 | } | 1972 | } |
| 1969 | else if (strncmp(argv[i], "--private-opt=", 14) == 0) { | 1973 | else if (strncmp(argv[i], "--private-opt=", 14) == 0) { |
| 1970 | // extract private opt list | 1974 | if (checkcfg(CFG_PRIVATE_OPT)) { |
| 1971 | if (*(argv[i] + 14) == '\0') { | 1975 | // extract private opt list |
| 1972 | fprintf(stderr, "Error: invalid private-opt option\n"); | 1976 | if (*(argv[i] + 14) == '\0') { |
| 1973 | exit(1); | 1977 | fprintf(stderr, "Error: invalid private-opt option\n"); |
| 1978 | exit(1); | ||
| 1979 | } | ||
| 1980 | if (cfg.opt_private_keep) { | ||
| 1981 | if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, argv[i] + 14) < 0 ) | ||
| 1982 | errExit("asprintf"); | ||
| 1983 | } else | ||
| 1984 | cfg.opt_private_keep = argv[i] + 14; | ||
| 1985 | arg_private_opt = 1; | ||
| 1974 | } | 1986 | } |
| 1975 | if (cfg.opt_private_keep) { | 1987 | else |
| 1976 | if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, argv[i] + 14) < 0 ) | 1988 | exit_err_feature("private-opt"); |
| 1977 | errExit("asprintf"); | ||
| 1978 | } else | ||
| 1979 | cfg.opt_private_keep = argv[i] + 14; | ||
| 1980 | arg_private_opt = 1; | ||
| 1981 | } | 1989 | } |
| 1982 | else if (strncmp(argv[i], "--private-srv=", 14) == 0) { | 1990 | else if (strncmp(argv[i], "--private-srv=", 14) == 0) { |
| 1983 | // extract private srv list | 1991 | if (checkcfg(CFG_PRIVATE_SRV)) { |
| 1984 | if (*(argv[i] + 14) == '\0') { | 1992 | // extract private srv list |
| 1985 | fprintf(stderr, "Error: invalid private-srv option\n"); | 1993 | if (*(argv[i] + 14) == '\0') { |
| 1986 | exit(1); | 1994 | fprintf(stderr, "Error: invalid private-srv option\n"); |
| 1995 | exit(1); | ||
| 1996 | } | ||
| 1997 | if (cfg.srv_private_keep) { | ||
| 1998 | if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, argv[i] + 14) < 0 ) | ||
| 1999 | errExit("asprintf"); | ||
| 2000 | } else | ||
| 2001 | cfg.srv_private_keep = argv[i] + 14; | ||
| 2002 | arg_private_srv = 1; | ||
| 1987 | } | 2003 | } |
| 1988 | if (cfg.srv_private_keep) { | 2004 | else |
| 1989 | if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, argv[i] + 14) < 0 ) | 2005 | exit_err_feature("private-srv"); |
| 1990 | errExit("asprintf"); | ||
| 1991 | } else | ||
| 1992 | cfg.srv_private_keep = argv[i] + 14; | ||
| 1993 | arg_private_srv = 1; | ||
| 1994 | } | 2006 | } |
| 1995 | else if (strncmp(argv[i], "--private-bin=", 14) == 0) { | 2007 | else if (strncmp(argv[i], "--private-bin=", 14) == 0) { |
| 1996 | // extract private bin list | 2008 | if (checkcfg(CFG_PRIVATE_BIN)) { |
| 1997 | if (*(argv[i] + 14) == '\0') { | 2009 | // extract private bin list |
| 1998 | fprintf(stderr, "Error: invalid private-bin option\n"); | 2010 | if (*(argv[i] + 14) == '\0') { |
| 1999 | exit(1); | 2011 | fprintf(stderr, "Error: invalid private-bin option\n"); |
| 2012 | exit(1); | ||
| 2013 | } | ||
| 2014 | if (cfg.bin_private_keep) { | ||
| 2015 | if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, argv[i] + 14) < 0 ) | ||
| 2016 | errExit("asprintf"); | ||
| 2017 | } else | ||
| 2018 | cfg.bin_private_keep = argv[i] + 14; | ||
| 2019 | arg_private_bin = 1; | ||
| 2000 | } | 2020 | } |
| 2001 | if (cfg.bin_private_keep) { | 2021 | else |
| 2002 | if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, argv[i] + 14) < 0 ) | 2022 | exit_err_feature("private-bin"); |
| 2003 | errExit("asprintf"); | ||
| 2004 | } else | ||
| 2005 | cfg.bin_private_keep = argv[i] + 14; | ||
| 2006 | arg_private_bin = 1; | ||
| 2007 | } | 2023 | } |
| 2008 | else if (strncmp(argv[i], "--private-lib", 13) == 0) { | 2024 | else if (strncmp(argv[i], "--private-lib", 13) == 0) { |
| 2009 | if (checkcfg(CFG_PRIVATE_LIB)) { | 2025 | if (checkcfg(CFG_PRIVATE_LIB)) { |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index dd4506ac1..da28f0413 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
| @@ -1275,56 +1275,69 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
| 1275 | 1275 | ||
| 1276 | // private /etc list of files and directories | 1276 | // private /etc list of files and directories |
| 1277 | if (strncmp(ptr, "private-etc ", 12) == 0) { | 1277 | if (strncmp(ptr, "private-etc ", 12) == 0) { |
| 1278 | if (arg_writable_etc) { | 1278 | if (checkcfg(CFG_PRIVATE_ETC)) { |
| 1279 | fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); | 1279 | if (arg_writable_etc) { |
| 1280 | exit(1); | 1280 | fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); |
| 1281 | } | 1281 | exit(1); |
| 1282 | if (cfg.etc_private_keep) { | 1282 | } |
| 1283 | if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, ptr + 12) < 0 ) | 1283 | if (cfg.etc_private_keep) { |
| 1284 | errExit("asprintf"); | 1284 | if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, ptr + 12) < 0 ) |
| 1285 | } else { | 1285 | errExit("asprintf"); |
| 1286 | cfg.etc_private_keep = ptr + 12; | 1286 | } else { |
| 1287 | cfg.etc_private_keep = ptr + 12; | ||
| 1288 | } | ||
| 1289 | arg_private_etc = 1; | ||
| 1287 | } | 1290 | } |
| 1288 | arg_private_etc = 1; | 1291 | else |
| 1289 | 1292 | warning_feature_disabled("private-etc"); | |
| 1290 | return 0; | 1293 | return 0; |
| 1291 | } | 1294 | } |
| 1292 | 1295 | ||
| 1293 | // private /opt list of files and directories | 1296 | // private /opt list of files and directories |
| 1294 | if (strncmp(ptr, "private-opt ", 12) == 0) { | 1297 | if (strncmp(ptr, "private-opt ", 12) == 0) { |
| 1295 | if (cfg.opt_private_keep) { | 1298 | if (checkcfg(CFG_PRIVATE_OPT)) { |
| 1296 | if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, ptr + 12) < 0 ) | 1299 | if (cfg.opt_private_keep) { |
| 1297 | errExit("asprintf"); | 1300 | if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, ptr + 12) < 0 ) |
| 1298 | } else { | 1301 | errExit("asprintf"); |
| 1299 | cfg.opt_private_keep = ptr + 12; | 1302 | } else { |
| 1303 | cfg.opt_private_keep = ptr + 12; | ||
| 1304 | } | ||
| 1305 | arg_private_opt = 1; | ||
| 1300 | } | 1306 | } |
| 1301 | arg_private_opt = 1; | 1307 | else |
| 1302 | 1308 | warning_feature_disabled("private-opt"); | |
| 1303 | return 0; | 1309 | return 0; |
| 1304 | } | 1310 | } |
| 1305 | 1311 | ||
| 1306 | // private /srv list of files and directories | 1312 | // private /srv list of files and directories |
| 1307 | if (strncmp(ptr, "private-srv ", 12) == 0) { | 1313 | if (strncmp(ptr, "private-srv ", 12) == 0) { |
| 1308 | if (cfg.srv_private_keep) { | 1314 | if (checkcfg(CFG_PRIVATE_SRV)) { |
| 1309 | if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, ptr + 12) < 0 ) | 1315 | if (cfg.srv_private_keep) { |
| 1310 | errExit("asprintf"); | 1316 | if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, ptr + 12) < 0 ) |
| 1311 | } else { | 1317 | errExit("asprintf"); |
| 1312 | cfg.srv_private_keep = ptr + 12; | 1318 | } else { |
| 1319 | cfg.srv_private_keep = ptr + 12; | ||
| 1320 | } | ||
| 1321 | arg_private_srv = 1; | ||
| 1313 | } | 1322 | } |
| 1314 | arg_private_srv = 1; | 1323 | else |
| 1315 | 1324 | warning_feature_disabled("private-srv"); | |
| 1316 | return 0; | 1325 | return 0; |
| 1317 | } | 1326 | } |
| 1318 | 1327 | ||
| 1319 | // private /bin list of files | 1328 | // private /bin list of files |
| 1320 | if (strncmp(ptr, "private-bin ", 12) == 0) { | 1329 | if (strncmp(ptr, "private-bin ", 12) == 0) { |
| 1321 | if (cfg.bin_private_keep) { | 1330 | if (checkcfg(CFG_PRIVATE_BIN)) { |
| 1322 | if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, ptr + 12) < 0 ) | 1331 | if (cfg.bin_private_keep) { |
| 1323 | errExit("asprintf"); | 1332 | if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, ptr + 12) < 0 ) |
| 1324 | } else { | 1333 | errExit("asprintf"); |
| 1325 | cfg.bin_private_keep = ptr + 12; | 1334 | } else { |
| 1335 | cfg.bin_private_keep = ptr + 12; | ||
| 1336 | } | ||
| 1337 | arg_private_bin = 1; | ||
| 1326 | } | 1338 | } |
| 1327 | arg_private_bin = 1; | 1339 | else |
| 1340 | warning_feature_disabled("private-bin"); | ||
| 1328 | return 0; | 1341 | return 0; |
| 1329 | } | 1342 | } |
| 1330 | 1343 | ||