firecfg: add ignore command and docs

Add ignore command (`!PROGRAM`), as suggested by @WhyNotHugo[1]. It prevents firecfg from creating a symlink for the given program. Also, document the paths used and the config file syntax. Note that `/etc/firejail/firecfg.d/*.conf` files are parsed before /etc/firejail/firecfg.config, so the former can ignore/override any item in the latter. Closes #2097. [1] https://github.com/netblue30/firejail/issues/2097#issuecomment-1179160459
author: Kelvin M. Klann <kmk3.code@protonmail.com> 2023-06-29 19:54:21 -0300
committer: Kelvin M. Klann <kmk3.code@protonmail.com> 2023-08-04 17:25:20 -0300
commit: ef6cfb8a22b6b788298a0601e837856b51c60e76 (patch)
tree: f3575dd0284c61a1b004167e245dfdfd1380c453 /src/firecfg
parent: firecfg: parse config files in /etc/firejail/firecfg.d (diff)
download: firejail-ef6cfb8a22b6b788298a0601e837856b51c60e76.tar.gz
firejail-ef6cfb8a22b6b788298a0601e837856b51c60e76.tar.zst
firejail-ef6cfb8a22b6b788298a0601e837856b51c60e76.zip
1 files changed, 44 insertions, 1 deletions
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index 35fa850f1..604b12633 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -143,6 +143,40 @@ static void clean(void) {
        printf("\n");
 }
+#define ignorelist_maxlen 2048
+static const char *ignorelist[ignorelist_maxlen];
+static int ignorelist_len = 0;
+static int append_ignorelist(const char *const str) {
+        assert(str);
+        if (ignorelist_len >= ignorelist_maxlen) {
+                fprintf(stderr, "Warning: Ignore list is full (%d/%d), skipping %s\n",
+                        ignorelist_len, ignorelist_maxlen, str);
+                return 0;
+        }
+        printf("   ignoring '%s'\n", str);
+        const char *const dup = strdup(str);
+        if (!dup)
+                errExit("strdup");
+        ignorelist[ignorelist_len] = dup;
+        ignorelist_len++;
+        return 1;
+}
+static int in_ignorelist(const char *const str) {
+        assert(str);
+        int i;
+        for (i = 0; i < ignorelist_len; i++) {
+                if (strcmp(str, ignorelist[i]) == 0)
+                        return 1;
+        }
+        return 0;
+}
 static void set_file(const char *name, const char *firejail_exec) {
        if (which(name) == 0)
                return;
@@ -206,8 +240,17 @@ static void set_links_firecfg(const char *cfgfile) {
                if (*start == '\0')
                        continue;
+                // handle ignore command
+                if (*start == '!') {
+                        append_ignorelist(start + 1);
+                        continue;
+                }
                // set link
-                set_file(start, FIREJAIL_EXEC);
+                if (!in_ignorelist(start))
+                        set_file(start, FIREJAIL_EXEC);
+                else
+                        printf("   %s ignored\n", start);
        }
        fclose(fp);
author	Kelvin M. Klann <kmk3.code@protonmail.com>	2023-06-29 19:54:21 -0300
committer	Kelvin M. Klann <kmk3.code@protonmail.com>	2023-08-04 17:25:20 -0300
commit	ef6cfb8a22b6b788298a0601e837856b51c60e76 (patch)
tree	f3575dd0284c61a1b004167e245dfdfd1380c453 /src/firecfg
parent	firecfg: parse config files in /etc/firejail/firecfg.d (diff)
download	firejail-ef6cfb8a22b6b788298a0601e837856b51c60e76.tar.gz firejail-ef6cfb8a22b6b788298a0601e837856b51c60e76.tar.zst firejail-ef6cfb8a22b6b788298a0601e837856b51c60e76.zip

diff --git a/src/firecfg/main.c b/src/firecfg/main.c index 35fa850f1..604b12633 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c
@@ -143,6 +143,40 @@ static void clean(void) {
143	printf("\n");	143	printf("\n");
144	}	144	}
145		145
		146	#define ignorelist_maxlen 2048
		147	static const char *ignorelist[ignorelist_maxlen];
		148	static int ignorelist_len = 0;
		149
		150	static int append_ignorelist(const char *const str) {
		151	assert(str);
		152	if (ignorelist_len >= ignorelist_maxlen) {
		153	fprintf(stderr, "Warning: Ignore list is full (%d/%d), skipping %s\n",
		154	ignorelist_len, ignorelist_maxlen, str);
		155	return 0;
		156	}
		157
		158	printf(" ignoring '%s'\n", str);
		159	const char *const dup = strdup(str);
		160	if (!dup)
		161	errExit("strdup");
		162
		163	ignorelist[ignorelist_len] = dup;
		164	ignorelist_len++;
		165
		166	return 1;
		167	}
		168
		169	static int in_ignorelist(const char *const str) {
		170	assert(str);
		171	int i;
		172	for (i = 0; i < ignorelist_len; i++) {
		173	if (strcmp(str, ignorelist[i]) == 0)
		174	return 1;
		175	}
		176
		177	return 0;
		178	}
		179
146	static void set_file(const char name, const char firejail_exec) {	180	static void set_file(const char name, const char firejail_exec) {
147	if (which(name) == 0)	181	if (which(name) == 0)
148	return;	182	return;
@@ -206,8 +240,17 @@ static void set_links_firecfg(const char *cfgfile) {
206	if (*start == '\0')	240	if (*start == '\0')
207	continue;	241	continue;
208		242
		243	// handle ignore command
		244	if (*start == '!') {
		245	append_ignorelist(start + 1);
		246	continue;
		247	}
		248
209	// set link	249	// set link
210	set_file(start, FIREJAIL_EXEC);	250	if (!in_ignorelist(start))
		251	set_file(start, FIREJAIL_EXEC);
		252	else
		253	printf(" %s ignored\n", start);
211	}	254	}
212		255
213	fclose(fp);	256	fclose(fp);