authorLibravatar netblue30 <netblue30@protonmail.com>2021-06-04 06:40:16 -0500
committerLibravatar GitHub <noreply@github.com>2021-06-04 06:40:16 -0500
commited261d9471a042adcbb8733e1b1de13c934c3fe0 (patch)
tree8aeab84172400499132e35a197669ea2f8509a2e
parentFix seahorse-adventures + CI (diff)
parentadd firejail.config switch for private-{bin,etc,opt,srv} (diff)
Merge pull request #4330 from smitsohu/fjconfig
add firejail.config switch for private-{bin,etc,opt,srv}
-rw-r--r--etc/firejail.config22
-rw-r--r--src/firejail/checkcfg.c8
-rw-r--r--src/firejail/firejail.h10
-rw-r--r--src/firejail/main.c104
-rw-r--r--src/firejail/profile.c75
5 files changed, 134 insertions, 85 deletions
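--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -35,11 +35,6 @@
 # cannot be overridden by --noblacklist or --ignore.
 # disable-mnt no
 
-# Set the limit for file copy in several --private-* options. The size is set
-# in megabytes. By default we allow up to 500MB.
-# Note: the files are copied in RAM.
-# file-copy-limit 500
-
 # Enable or disable file transfer support, default enabled.
 # file-transfer yes
 
@@ -77,18 +72,35 @@
 # Enable or disable overlayfs features, default enabled.
 # overlayfs yes
 
+# Set the limit for file copy in several --private-* options. The size is set
+# in megabytes. By default we allow up to 500MB.
+# Note: the files are copied in RAM.
+# file-copy-limit 500
+
+# Enable or disable private-bin feature, default enabled.
+# private-bin yes
+
 # Remove /usr/local directories from private-bin list, default disabled.
 # private-bin-no-local no
 
 # Enable or disable private-cache feature, default enabled
 # private-cache yes
 
+# Enable or disable private-etc feature, default enabled.
+# private-etc yes
+
 # Enable or disable private-home feature, default enabled
 # private-home yes
 
 # Enable or disable private-lib feature, default enabled
 # private-lib yes
 
+# Enable or disable private-opt feature, default enabled.
+# private-opt yes
+
+# Enable or disable private-srv feature, default enabled.
+# private-srv yes
+
 # Enable --quiet as default every time the sandbox is started. Default disabled.
 # quiet-by-default no
 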
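--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -110,10 +110,14 @@ int checkcfg(int val) {
 PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network")
 PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title")
 PARSE_YESNO(CFG_OVERLAYFS, "overlayfs")
-PARSE_YESNO(CFG_PRIVATE_HOME, "private-home")
+PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin")
+PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local")
 PARSE_YESNO(CFG_PRIVATE_CACHE, "private-cache")
+PARSE_YESNO(CFG_PRIVATE_ETC, "private-etc")
+PARSE_YESNO(CFG_PRIVATE_HOME, "private-home")
 PARSE_YESNO(CFG_PRIVATE_LIB, "private-lib")
-PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local")
+PARSE_YESNO(CFG_PRIVATE_OPT, "private-opt")
+PARSE_YESNO(CFG_PRIVATE_SRV, "private-srv")
 PARSE_YESNO(CFG_DISABLE_MNT, "disable-mnt")
 PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach")
 PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f")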
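Review bot: The four new PARSE_YESNO entries only take effect when the key is present in firejail.config; the value that applies when a key is absent is assigned outside this hunk, and the config comments in this same commit document all four switches as "default enabled". Worth confirming that whatever initialises the per-CFG_ storage (not visible here) covers every enum member up to the last one, so CFG_PRIVATE_ETC, CFG_PRIVATE_OPT, CFG_PRIVATE_SRV and CFG_PRIVATE_BIN start as enabled rather than at whatever an unlisted slot happens to hold. A one-line comment above the PARSE_YESNO run, `// keys absent from firejail.config keep the value assigned at initialisation (enabled unless noted)`, would make that contract visible to the next person adding a switch. checkcfg's body starts and ends outside the hunk.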
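--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -762,8 +762,14 @@ enum {
 CFG_WHITELIST,
 CFG_XEPHYR_WINDOW_TITLE,
 CFG_OVERLAYFS,
-CFG_PRIVATE_HOME,
+CFG_PRIVATE_BIN,
 CFG_PRIVATE_BIN_NO_LOCAL,
+CFG_PRIVATE_CACHE,
+CFG_PRIVATE_ETC,
+CFG_PRIVATE_HOME,
+CFG_PRIVATE_LIB,
+CFG_PRIVATE_OPT,
+CFG_PRIVATE_SRV,
 CFG_FIREJAIL_PROMPT,
 CFG_DISABLE_MNT,
 CFG_JOIN,
@@ -771,10 +777,8 @@ enum {
 CFG_XPRA_ATTACH,
 CFG_BROWSER_DISABLE_U2F,
 CFG_BROWSER_ALLOW_DRM,
-CFG_PRIVATE_LIB,
 CFG_APPARMOR,
 CFG_DBUS,
-CFG_PRIVATE_CACHE,
 CFG_CGROUP,
 CFG_NAME_CHANGE,
 CFG_SECCOMP_ERROR_ACTION,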
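Review bot: Inserting six CFG_PRIVATE_* members after CFG_OVERLAYFS and removing CFG_PRIVATE_LIB and CFG_PRIVATE_CACHE from their old positions in the second hunk renumbers CFG_PRIVATE_HOME, CFG_PRIVATE_LIB, CFG_PRIVATE_CACHE and every member from CFG_FIREJAIL_PROMPT onwards. That is harmless only if these values are used purely as in-process indices, which the checkcfg.c hunk suggests but this page cannot prove; if anything persists them or exchanges them with a separately built helper, the renumbering silently changes which switch is consulted. Appending new members at the end of the enum avoids the question entirely; if the alphabetical grouping is preferred, a comment on the enum such as `// member values are not stable across versions; use only as an in-process index` records the assumption. The enum starts and ends outside these hunks.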
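--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1959,61 +1959,77 @@ int main(int argc, char **argv, char **envp) {
 arg_keep_dev_shm = 1;
 }
 else if (strncmp(argv[i], "--private-etc=", 14) == 0) {
-if (arg_writable_etc) {
-fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
-exit(1);
-}
+if (checkcfg(CFG_PRIVATE_ETC)) {
+if (arg_writable_etc) {
+fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
+exit(1);
+}
 
 // extract private etc list
 if (*(argv[i] + 14) == '\0') {
 fprintf(stderr, "Error: invalid private-etc option\n");
 exit(1);
+}
+if (cfg.etc_private_keep) {
+if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, argv[i] + 14) < 0 )
+errExit("asprintf");
+} else
+cfg.etc_private_keep = argv[i] + 14;
+arg_private_etc = 1;
 }
-if (cfg.etc_private_keep) {
-if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, argv[i] + 14) < 0 )
-errExit("asprintf");
-} else
-cfg.etc_private_keep = argv[i] + 14;
-arg_private_etc = 1;
+else
+exit_err_feature("private-etc");
 }
 else if (strncmp(argv[i], "--private-opt=", 14) == 0) {
-// extract private opt list
-if (*(argv[i] + 14) == '\0') {
-fprintf(stderr, "Error: invalid private-opt option\n");
-exit(1);
+if (checkcfg(CFG_PRIVATE_OPT)) {
+// extract private opt list
+if (*(argv[i] + 14) == '\0') {
+fprintf(stderr, "Error: invalid private-opt option\n");
+exit(1);
+}
+if (cfg.opt_private_keep) {
+if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, argv[i] + 14) < 0 )
+errExit("asprintf");
+} else
+cfg.opt_private_keep = argv[i] + 14;
+arg_private_opt = 1;
 }
-if (cfg.opt_private_keep) {
-if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, argv[i] + 14) < 0 )
-errExit("asprintf");
-} else
-cfg.opt_private_keep = argv[i] + 14;
-arg_private_opt = 1;
+else
+exit_err_feature("private-opt");
 }
 else if (strncmp(argv[i], "--private-srv=", 14) == 0) {
-// extract private srv list
-if (*(argv[i] + 14) == '\0') {
-fprintf(stderr, "Error: invalid private-srv option\n");
-exit(1);
+if (checkcfg(CFG_PRIVATE_SRV)) {
+// extract private srv list
+if (*(argv[i] + 14) == '\0') {
+fprintf(stderr, "Error: invalid private-srv option\n");
+exit(1);
+}
+if (cfg.srv_private_keep) {
+if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, argv[i] + 14) < 0 )
+errExit("asprintf");
+} else
+cfg.srv_private_keep = argv[i] + 14;
+arg_private_srv = 1;
 }
-if (cfg.srv_private_keep) {
-if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, argv[i] + 14) < 0 )
-errExit("asprintf");
-} else
-cfg.srv_private_keep = argv[i] + 14;
-arg_private_srv = 1;
+else
+exit_err_feature("private-srv");
 }
 else if (strncmp(argv[i], "--private-bin=", 14) == 0) {
-// extract private bin list
-if (*(argv[i] + 14) == '\0') {
-fprintf(stderr, "Error: invalid private-bin option\n");
-exit(1);
+if (checkcfg(CFG_PRIVATE_BIN)) {
+// extract private bin list
+if (*(argv[i] + 14) == '\0') {
+fprintf(stderr, "Error: invalid private-bin option\n");
+exit(1);
+}
+if (cfg.bin_private_keep) {
+if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, argv[i] + 14) < 0 )
+errExit("asprintf");
+} else
+cfg.bin_private_keep = argv[i] + 14;
+arg_private_bin = 1;
 }
-if (cfg.bin_private_keep) {
-if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, argv[i] + 14) < 0 )
-errExit("asprintf");
-} else
-cfg.bin_private_keep = argv[i] + 14;
-arg_private_bin = 1;
+else
+exit_err_feature("private-bin");
 }
 else if (strncmp(argv[i], "--private-lib", 13) == 0) {
 if (checkcfg(CFG_PRIVATE_LIB)) {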
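Review bot: The four `--private-{etc,opt,srv,bin}=` branches now each carry the same body (empty-value check, asprintf append or plain assignment, flag set) differing only in the field, flag and option name, and the `private-* ` keyword handlers in profile.c in this same commit repeat the append logic again with `ptr + 12`; a small static helper above main() would leave one copy of that logic to review. The helper is also the natural place to document that `asprintf(&cfg.etc_private_keep, ...)` stores a fresh buffer over the previous pointer without freeing it, so from the third occurrence of the same option on the earlier joined list is leaked — behaviour that predates this commit and is a one-shot leak during argument parsing, not a correctness problem, but worth a comment so nobody later frees a pointer that may still point into argv. main() starts and ends outside the hunk; the sketch below shows the helper and the rewritten --private-etc= branch, the other three follow the same shape.
```c
// Append one --private-*= value to the accumulated keep list for that tree.
// The first value is referenced in place (it points into argv); later values
// are joined with asprintf. The previous asprintf result is not freed, so a
// third or later repetition leaks one small buffer for the life of the process.
// Exits with a usage error when the value is empty.
static void private_list_append(char **keep, char *list, const char *option) {
	if (*list == '\0') {
		fprintf(stderr, "Error: invalid %s option\n", option);
		exit(1);
	}
	if (*keep) {
		if (asprintf(keep, "%s,%s", *keep, list) < 0)
			errExit("asprintf");
	}
	else
		*keep = list;
}

// … unchanged: earlier option parsing in main() …
		else if (strncmp(argv[i], "--private-etc=", 14) == 0) {
			if (checkcfg(CFG_PRIVATE_ETC)) {
				if (arg_writable_etc) {
					fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
					exit(1);
				}
				private_list_append(&cfg.etc_private_keep, argv[i] + 14, "private-etc");
				arg_private_etc = 1;
			}
			else
				exit_err_feature("private-etc");
		}
// … unchanged: --private-opt=, --private-srv=, --private-bin= use the same three lines with their own field, flag and name …
```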
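--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1275,56 +1275,69 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 
 // private /etc list of files and directories
 if (strncmp(ptr, "private-etc ", 12) == 0) {
-if (arg_writable_etc) {
-fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
-exit(1);
-}
-if (cfg.etc_private_keep) {
-if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, ptr + 12) < 0 )
-errExit("asprintf");
-} else {
-cfg.etc_private_keep = ptr + 12;
+if (checkcfg(CFG_PRIVATE_ETC)) {
+if (arg_writable_etc) {
+fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
+exit(1);
+}
+if (cfg.etc_private_keep) {
+if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, ptr + 12) < 0 )
+errExit("asprintf");
+} else {
+cfg.etc_private_keep = ptr + 12;
+}
+arg_private_etc = 1;
 }
-arg_private_etc = 1;
-
+else
+warning_feature_disabled("private-etc");
 return 0;
 }
 
 // private /opt list of files and directories
 if (strncmp(ptr, "private-opt ", 12) == 0) {
-if (cfg.opt_private_keep) {
-if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, ptr + 12) < 0 )
-errExit("asprintf");
-} else {
-cfg.opt_private_keep = ptr + 12;
+if (checkcfg(CFG_PRIVATE_OPT)) {
+if (cfg.opt_private_keep) {
+if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, ptr + 12) < 0 )
+errExit("asprintf");
+} else {
+cfg.opt_private_keep = ptr + 12;
+}
+arg_private_opt = 1;
 }
-arg_private_opt = 1;
-
+else
+warning_feature_disabled("private-opt");
 return 0;
 }
 
 // private /srv list of files and directories
 if (strncmp(ptr, "private-srv ", 12) == 0) {
-if (cfg.srv_private_keep) {
-if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, ptr + 12) < 0 )
-errExit("asprintf");
-} else {
-cfg.srv_private_keep = ptr + 12;
+if (checkcfg(CFG_PRIVATE_SRV)) {
+if (cfg.srv_private_keep) {
+if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, ptr + 12) < 0 )
+errExit("asprintf");
+} else {
+cfg.srv_private_keep = ptr + 12;
+}
+arg_private_srv = 1;
 }
-arg_private_srv = 1;
-
+else
+warning_feature_disabled("private-srv");
 return 0;
 }
 
 // private /bin list of files
 if (strncmp(ptr, "private-bin ", 12) == 0) {
-if (cfg.bin_private_keep) {
-if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, ptr + 12) < 0 )
-errExit("asprintf");
-} else {
-cfg.bin_private_keep = ptr + 12;
+if (checkcfg(CFG_PRIVATE_BIN)) {
+if (cfg.bin_private_keep) {
+if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, ptr + 12) < 0 )
+errExit("asprintf");
+} else {
+cfg.bin_private_keep = ptr + 12;
+}
+arg_private_bin = 1;
 }
-arg_private_bin = 1;
+else
+warning_feature_disabled("private-bin");
 return 0;
 }
 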
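Review bot: When the switch is off, a `private-etc` profile line now only calls warning_feature_disabled and falls through to `return 0;`, so the profile loads without that restriction, whereas the matching command-line option in main.c in this same commit exits via exit_err_feature; the private-opt, private-srv and private-bin blocks in this hunk behave the same way. That is presumably the established pattern for checkcfg-gated profile keywords, given the existing helper, but it means `private-etc no` in firejail.config quietly removes that hardening from every profile that used the keyword, with nothing more than a stderr warning at launch. Worth stating next to each new switch in firejail.config, e.g. `# Profiles that use a disabled feature still load; the keyword is ignored with a warning.`, so the trade-off is visible where the switch is flipped. profile_check_line starts and ends outside the hunk.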