authorLibravatar Kelvin M. Klann <kmk3.code@protonmail.com>2023-11-27 03:31:21 -0300
committerLibravatar Kelvin M. Klann <kmk3.code@protonmail.com>2023-11-27 04:05:33 -0300
commite69c1df95e604db3945538ee9c1f72c8fbe89483 (patch)
treef1acce4b97969667cbcea91ed1e6cce1a5bf17b6
parentlutris.profile: fix seccomp arguments (diff)
feature: expand simple macros in more commands
This includes macros such as `${HOME}` and `${RUNUSER}`.

Commands:

* --chroot=
* --netfilter=
* --netfilter6=
* --trace=

Closes #6032.

Reported-by: @michelesr
-rw-r--r--src/firejail/main.c40
-rw-r--r--src/firejail/profile.c8
2 files changed, 6 insertions, 42 deletions
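--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1572,7 +1572,7 @@ int main(int argc, char **argv, char **envp) {
 arg_trace = 1;
 else if (strncmp(argv[i], "--trace=", 8) == 0) {
 arg_trace = 1;
-arg_tracefile = argv[i] + 8;
+arg_tracefile = expand_macros(argv[i] + 8);
 if (*arg_tracefile == '\0') {
 fprintf(stderr, "Error: invalid trace option\n");
 exit(1);
@@ -1582,13 +1582,6 @@ int main(int argc, char **argv, char **envp) {
 fprintf(stderr, "Error: invalid file name %s\n", arg_tracefile);
 exit(1);
 }
-// if the filename starts with ~, expand the home directory
-if (*arg_tracefile == '~') {
-char *tmp;
-if (asprintf(&tmp, "%s%s", cfg.homedir, arg_tracefile + 1) == -1)
-errExit("asprintf");
-arg_tracefile = tmp;
-}
 }
 else if (strcmp(argv[i], "--tracelog") == 0) {
 if (checkcfg(CFG_TRACELOG))
@@ -1953,20 +1946,13 @@ int main(int argc, char **argv, char **envp) {
 }
 
 // extract chroot dirname
-cfg.chrootdir = argv[i] + 9;
+cfg.chrootdir = expand_macros(argv[i] + 9);
 if (*cfg.chrootdir == '\0') {
 fprintf(stderr, "Error: invalid chroot option\n");
 exit(1);
 }
 invalid_filename(cfg.chrootdir, 0); // no globbing
 
-// if the directory starts with ~, expand the home directory
-if (*cfg.chrootdir == '~') {
-char *tmp;
-if (asprintf(&tmp, "%s%s", cfg.homedir, cfg.chrootdir + 1) == -1)
-errExit("asprintf");
-cfg.chrootdir = tmp;
-}
 // check chroot directory
 fs_check_chroot_dir();
 }
@@ -2748,16 +2734,7 @@ int main(int argc, char **argv, char **envp) {
 else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
 if (checkcfg(CFG_NETWORK)) {
 arg_netfilter = 1;
-arg_netfilter_file = argv[i] + 12;
+arg_netfilter_file = expand_macros(argv[i] + 12);
-
-// expand tilde
-if (*arg_netfilter_file == '~') {
-char *tmp;
-if (asprintf(&tmp, "%s%s", cfg.homedir, arg_netfilter_file + 1) == -1)
-errExit("asprintf");
-arg_netfilter_file = tmp;
-}
-
 check_netfilter_file(arg_netfilter_file);
 }
 else
@@ -2767,16 +2744,7 @@ int main(int argc, char **argv, char **envp) {
 else if (strncmp(argv[i], "--netfilter6=", 13) == 0) {
 if (checkcfg(CFG_NETWORK)) {
 arg_netfilter6 = 1;
-arg_netfilter6_file = argv[i] + 13;
+arg_netfilter6_file = expand_macros(argv[i] + 13);
-
-// expand tilde
-if (*arg_netfilter6_file == '~') {
-char *tmp;
-if (asprintf(&tmp, "%s%s", cfg.homedir, arg_netfilter6_file + 1) == -1)
-errExit("asprintf");
-arg_netfilter6_file = tmp;
-}
-
 check_netfilter_file(arg_netfilter6_file);
 }
 else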
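Review bot: Nothing in the `--chroot=` branch records that `expand_macros()` has to run before `invalid_filename(cfg.chrootdir, 0)` and `fs_check_chroot_dir()`, yet that ordering is what makes the checks see the path that is actually used; the removed tilde code expanded only after validation. I would add a comment above the assignment such as `// expand macros first so the checks below validate the final path`, and the same in the `--trace=` and `--netfilter[6]=` branches, so a later refactor does not move expansion back below the checks. Whether `expand_macros()` still covers the leading `~` case that the deleted blocks handled cannot be seen here, because its definition is not part of this diff; that is worth confirming with a test per option. `main()` starts and ends outside these hunks.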
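--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -635,9 +635,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #ifdef HAVE_NETWORK
 if (checkcfg(CFG_NETWORK)) {
 arg_netfilter = 1;
-arg_netfilter_file = strdup(ptr + 10);
+arg_netfilter_file = expand_macros(ptr + 10);
-if (!arg_netfilter_file)
-errExit("strdup");
 check_netfilter_file(arg_netfilter_file);
 }
 else
@@ -649,9 +647,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #ifdef HAVE_NETWORK
 if (checkcfg(CFG_NETWORK)) {
 arg_netfilter6 = 1;
-arg_netfilter6_file = strdup(ptr + 11);
+arg_netfilter6_file = expand_macros(ptr + 11);
-if (!arg_netfilter6_file)
-errExit("strdup");
 check_netfilter_file(arg_netfilter6_file);
 }
 else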
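Review bot: With the `if (!arg_netfilter_file) errExit("strdup");` guard removed, both `netfilter` branches hand the result of `expand_macros(ptr + 10)` / `expand_macros(ptr + 11)` straight to `check_netfilter_file()` with no NULL check. That is only safe if `expand_macros()` aborts on allocation failure instead of returning NULL; its definition is not in this diff, so I would confirm that and state it in a comment, e.g. `// expand_macros() exits on failure and never returns NULL`. If it can return NULL, keep a guard such as `if (!arg_netfilter_file) errExit("expand_macros");`. The `main.c` branches dereference the result immediately as well (`*arg_tracefile`, `*cfg.chrootdir`), so the same assumption applies there. `profile_check_line()` starts and ends outside these hunks.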