author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-06-29 19:54:21 -0300 |
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-08-04 17:25:20 -0300 |
commit | ef6cfb8a22b6b788298a0601e837856b51c60e76 (patch) | |
tree | f3575dd0284c61a1b004167e245dfdfd1380c453 /src/firecfg/main.c | |
parent | firecfg: parse config files in /etc/firejail/firecfg.d (diff) | |
firecfg: add ignore command and docs
Add ignore command (`!PROGRAM`), as suggested by @WhyNotHugo[1].
It prevents firecfg from creating a symlink for the given program.
Also, document the paths used and the config file syntax.
Note that `/etc/firejail/firecfg.d/*.conf` files are parsed before
/etc/firejail/firecfg.config, so the former can ignore/override any item
in the latter.
Closes #2097.
[1] https://github.com/netblue30/firejail/issues/2097#issuecomment-1179160459
Diffstat (limited to 'src/firecfg/main.c')
-rw-r--r-- | src/firecfg/main.c | 45 |
1 files changed, 44 insertions, 1 deletions
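--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -143,6 +143,40 @@ static void clean(void) {
 	printf("\n");
 }
 
+#define ignorelist_maxlen 2048
+static const char *ignorelist[ignorelist_maxlen];
+static int ignorelist_len = 0;
+
+static int append_ignorelist(const char *const str) {
+	assert(str);
+	if (ignorelist_len >= ignorelist_maxlen) {
+		fprintf(stderr, "Warning: Ignore list is full (%d/%d), skipping %s\n",
+		        ignorelist_len, ignorelist_maxlen, str);
+		return 0;
+	}
+
+	printf(" ignoring '%s'\n", str);
+	const char *const dup = strdup(str);
+	if (!dup)
+		errExit("strdup");
+
+	ignorelist[ignorelist_len] = dup;
+	ignorelist_len++;
+
+	return 1;
+}
+
+static int in_ignorelist(const char *const str) {
+	assert(str);
+	int i;
+	for (i = 0; i < ignorelist_len; i++) {
+		if (strcmp(str, ignorelist[i]) == 0)
+			return 1;
+	}
+
+	return 0;
+}
+
 static void set_file(const char *name, const char *firejail_exec) {
 	if (which(name) == 0)
 		return;
@@ -206,8 +240,17 @@ static void set_links_firecfg(const char *cfgfile) {
 		if (*start == '\0')
 			continue;
 
+		// handle ignore command
+		if (*start == '!') {
+			append_ignorelist(start + 1);
+			continue;
+		}
+
 		// set link
-		set_file(start, FIREJAIL_EXEC);
+		if (!in_ignorelist(start))
+			set_file(start, FIREJAIL_EXEC);
+		else
+			printf(" %s ignored\n", start);
 	}
 
 	fclose(fp);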
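Review bot: A bare `!` line is accepted as an ignore entry with an empty name: the `*start == '!'` branch in set_links_firecfg passes `start + 1` to append_ignorelist without checking it is non-empty, so the entry is strdup'd, announced as `ignoring ''`, and occupies one of the 2048 slots even though in_ignorelist is never reached for empty lines (they are skipped by the `*start == '\0'` check above). Reject it before appending: `if (start[1] == '\0') { fprintf(stderr, "Warning: empty ignore entry, skipping\n"); continue; }`. The same branch also lets a repeated `!PROGRAM` consume a new slot each time; a `!in_ignorelist(start + 1)` guard before append_ignorelist would keep the list bounded by distinct names. The two new functions have no header comment; a one-liner on each would help, e.g. `// Remember PROGRAM so set_links_firecfg skips its symlink; returns 0 (and warns) when the fixed-size list is full` and `// Return 1 if str was registered with append_ignorelist`. set_links_firecfg's body begins and ends outside the hunk, so the trimming that produces `start` is not visible here.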