authorLibravatar netblue30 <netblue30@yahoo.com>2016-03-12 14:22:59 -0500
committerLibravatar netblue30 <netblue30@yahoo.com>2016-03-12 14:22:59 -0500
commitee7237f7a92378b5debb7ec29e42f974aa1a5c79 (patch)
treef834e05602bdf9138c4a637c8b7e459595098623
parentcfg x11 (diff)
cfg bind
-rw-r--r--src/firejail/checkcfg.c9
-rw-r--r--src/firejail/firejail.h3
-rw-r--r--src/firejail/fs.c4
-rw-r--r--src/firejail/main.c24
-rw-r--r--src/firejail/profile.c62
5 files changed, 64 insertions, 38 deletions
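--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -77,6 +77,15 @@ int checkcfg(int val) {
  else
  goto errout;
  }
+ // bind
+ else if (strncmp(ptr, "bind ", 5) == 0) {
+ if (strcmp(ptr + 5, "yes") == 0)
+ cfg_val[CFG_BIND] = 1;
+ else if (strcmp(ptr + 5, "no") == 0)
+ cfg_val[CFG_BIND] = 0;
+ else
+ goto errout;
+ }
  else
  goto errout;
  free(ptr);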
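Review bot: The new `bind` branch assigns `cfg_val[CFG_BIND]` only when the configuration file actually contains a `bind` line, and the initial value of that slot is set outside this hunk, so the behaviour for a file that omits the key cannot be confirmed from here. Because this switch gates a root-only bind-mount feature, I would state the contract next to the branch, for example `// bind: "yes" or "no", anything else is rejected via errout; the default for a missing key comes from the cfg_val initialisation`, and confirm that the initialisation covers the new index now that CFG_MAX is 3. checkcfg's body starts and ends outside the hunk.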
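--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -540,7 +540,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh);
 // checkcfg.c
 #define CFG_FILE_TRANSFER 0
 #define CFG_X11 1
-#define CFG_MAX 2 // this should always be the last entry
+#define CFG_BIND 2
+#define CFG_MAX 3 // this should always be the last entry
 int checkcfg(int val);
 
 #endif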
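--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -435,12 +435,12 @@ void fs_blacklist(void) {
  }
  struct stat s;
  if (stat(dname1, &s) == -1) {
- fprintf(stderr, "Error: cannot find directories for bind command\n");
+ fprintf(stderr, "Error: cannot find %s for bind command\n", dname1);
  entry = entry->next;
  continue;
  }
  if (stat(dname2, &s) == -1) {
- fprintf(stderr, "Error: cannot find directories for bind command\n");
+ fprintf(stderr, "Error: cannot find %s for bind command\n", dname2);
  entry = entry->next;
  continue;
  }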
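--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -283,7 +283,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
  exit(0);
  }
  else {
- fprintf(stderr, "Error: this feature is disabled in Firejail configuration file\n");
+ fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n");
  exit(1);
  }
  }
@@ -461,7 +461,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
  exit(0);
  }
  else {
- fprintf(stderr, "Error: this feature is disabled in Firejail configuration file\n");
+ fprintf(stderr, "Error: --get feature is disabled in Firejail configuration file\n");
  exit(1);
  }
  }
@@ -490,7 +490,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
  exit(0);
  }
  else {
- fprintf(stderr, "Error: this feature is disabled in Firejail configuration file\n");
+ fprintf(stderr, "Error: --ls feature is disabled in Firejail configuration file\n");
  exit(1);
  }
  }
@@ -887,12 +887,18 @@ int main(int argc, char **argv) {
  //*************************************
 #ifdef HAVE_BIND
  else if (strncmp(argv[i], "--bind=", 7) == 0) {
- char *line;
- if (asprintf(&line, "bind %s", argv[i] + 7) == -1)
- errExit("asprintf");
-
- profile_check_line(line, 0, NULL); // will exit if something wrong
- profile_add(line);
+ if (checkcfg(CFG_BIND)) {
+ char *line;
+ if (asprintf(&line, "bind %s", argv[i] + 7) == -1)
+ errExit("asprintf");
+
+ profile_check_line(line, 0, NULL); // will exit if something wrong
+ profile_add(line);
+ }
+ else {
+ fprintf(stderr, "Error: --bind feature is disabled in Firejail configuration file\n");
+ exit(1);
+ }
  }
 #endif
  else if (strncmp(argv[i], "--tmpfs=", 8) == 0) {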
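Review bot: In the `--bind=` hunk the result of `profile_check_line(line, 0, NULL)` is still discarded, yet this same commit gives that function `return 0` paths for bind lines (feature disabled in the configuration, or a build without HAVE_BIND), so the comment `// will exit if something wrong` no longer describes every outcome. The call is safe here only because `#ifdef HAVE_BIND` and `checkcfg(CFG_BIND)` are both tested first. Tying the add to the check would keep the two gates from drifting apart if either is edited later: `if (profile_check_line(line, 0, NULL)) profile_add(line);`. The three message-only hunks above need no change, and main's body starts and ends outside this hunk.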
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 461bcb941..36741ad4a 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -352,34 +352,44 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
352 352
353 // filesystem bind 353 // filesystem bind
354 if (strncmp(ptr, "bind ", 5) == 0) { 354 if (strncmp(ptr, "bind ", 5) == 0) {
355 if (getuid() != 0) { 355#ifdef HAVE_BIND
356 fprintf(stderr, "Error: --bind option is available only if running as root\n"); 356 if (checkcfg(CFG_BIND)) {
357 exit(1); 357 if (getuid() != 0) {
358 } 358 fprintf(stderr, "Error: --bind option is available only if running as root\n");
359 359 exit(1);
360 // extract two directories 360 }
361 char *dname1 = ptr + 5; 361
362 char *dname2 = split_comma(dname1); // this inserts a '0 to separate the two dierctories 362 // extract two directories
363 if (dname2 == NULL) { 363 char *dname1 = ptr + 5;
364 fprintf(stderr, "Error: missing second directory for bind\n"); 364 char *dname2 = split_comma(dname1); // this inserts a '0 to separate the two dierctories
365 exit(1); 365 if (dname2 == NULL) {
366 } 366 fprintf(stderr, "Error: missing second directory for bind\n");
367 367 exit(1);
368 // check directories 368 }
369 invalid_filename(dname1); 369
370 invalid_filename(dname2); 370 // check directories
371 if (strstr(dname1, "..") || strstr(dname2, "..")) { 371 invalid_filename(dname1);
372 fprintf(stderr, "Error: invalid file name.\n"); 372 invalid_filename(dname2);
373 exit(1); 373 if (strstr(dname1, "..") || strstr(dname2, "..")) {
374 fprintf(stderr, "Error: invalid file name.\n");
375 exit(1);
376 }
377 if (is_link(dname1) || is_link(dname2)) {
378 fprintf(stderr, "Symbolic links are not allowed for bind command\n");
379 exit(1);
380 }
381
382 // insert comma back
383 *(dname2 - 1) = ',';
384 return 1;
374 } 385 }
375 if (is_link(dname1) || is_link(dname2)) { 386 else {
376 fprintf(stderr, "Symbolic links are not allowed for bind command\n"); 387 fprintf(stderr, "Warning: bind feature is disabled in Firejail configuration file\n");
377 exit(1); 388 return 0;
378 } 389 }
379 390#else
380 // insert comma back 391 return 0;
381 *(dname2 - 1) = ','; 392#endif
382 return 1;
383 } 393 }
384 394
385 // rlimit 395 // rlimit
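Review bot: The `#else` branch returns 0 with no message, and the disabled-in-configuration branch prints only a `Warning:`, so a `bind` line coming from a profile is dropped rather than rejected; the caller is outside the hunk, but a 0 return presumably means the line is skipped and the sandbox still starts. If a profile relies on that bind to cover a directory, the sandbox would run with less confinement than the profile describes, and in a build without HAVE_BIND nothing is written to stderr at all. I would at least add `fprintf(stderr, "Warning: bind support is not compiled in, ignoring profile line\n");` before the `return 0;` under `#else`, and consider whether the profile case should be a hard error as `--bind` is in main.c. profile_check_line starts and ends outside this hunk.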