--ignore cleanup

author: startx2017 <vradu.startx@yandex.com> 2018-08-04 12:19:14 -0400
committer: startx2017 <vradu.startx@yandex.com> 2018-08-04 12:19:14 -0400
commit: 30e96ea29531e23620e484dfa80490d232ef6b06 (patch)
tree: 45cd6a57ff4c887eee914c982dac75beb71066c9 /src
parent: Merge branch 'master' of https://github.com/netblue30/firejail (diff)
download: firejail-30e96ea29531e23620e484dfa80490d232ef6b06.tar.gz
firejail-30e96ea29531e23620e484dfa80490d232ef6b06.tar.zst
firejail-30e96ea29531e23620e484dfa80490d232ef6b06.zip
5 files changed, 36 insertions, 40 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 9f7936174..471f2e55c 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -451,6 +451,7 @@ void fs_chroot(const char *rootdir);
 void fs_check_chroot_dir(const char *rootdir);
 void fs_private_tmp(void);
 void fs_private_cache(void);
+void fs_mnt(void);
 // profile.c
 // find and read the profile specified by name from dir directory
@@ -463,7 +464,7 @@ void profile_read(const char *fname);
 int profile_check_line(char *ptr, int lineno, const char *fname);
 // add a profile entry in cfg.profile list; use str to populate the list
 void profile_add(char *str);
-void fs_mnt(void);
+void profile_add_ignore(const char *str);
 // list.c
 void list(void);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 3e092a3cc..0651e2f0a 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1469,25 +1469,7 @@ int main(int argc, char **argv) {
                                fprintf(stderr, "Error: please use --profile after --ignore\n");
                                exit(1);
                        }
+                        profile_add_ignore(argv[i] + 9);
-                        if (*(argv[i] + 9) == '\0') {
-                                fprintf(stderr, "Error: invalid ignore option\n");
-                                exit(1);
-                        }
-                        // find an empty entry in profile_ignore array
-                        int j;
-                        for (j = 0; j < MAX_PROFILE_IGNORE; j++) {
-                                if (cfg.profile_ignore[j] == NULL)
-                                        break;
-                        }
-                        if (j >= MAX_PROFILE_IGNORE) {
-                                fprintf(stderr, "Error: maximum %d --ignore options are permitted\n", MAX_PROFILE_IGNORE);
-                                exit(1);
-                        }
-                        // ... and configure it
-                        else
-                                cfg.profile_ignore[j] = argv[i] + 9;
                }
 #ifdef HAVE_CHROOT
                else if (strncmp(argv[i], "--chroot=", 9) == 0) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 4b2fb3abd..60f3f86ee 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -87,6 +87,34 @@ static int is_in_ignore_list(char *ptr) {
        return 0;
 }
+void profile_add_ignore(const char *str) {
+        assert(str);
+        if (*str == '\0') {
+                fprintf(stderr, "Error: invalid ignore option\n");
+                exit(1);
+        }
+        char *ptr = strdup(str);
+        if (!ptr)
+                errExit("strdup");
+        // find an empty entry in profile_ignore array
+        int i;
+        for (i = 0; i < MAX_PROFILE_IGNORE; i++) {
+                if (cfg.profile_ignore[i] == NULL)
+                        break;
+        }
+        if (i >= MAX_PROFILE_IGNORE) {
+                fprintf(stderr, "Error: maximum %d --ignore options are permitted\n", MAX_PROFILE_IGNORE);
+                exit(1);
+        }
+        // ... and configure it
+        else {
+                cfg.profile_ignore[i] = strdup(str);
+                if (!cfg.profile_ignore[i])
+                        errExit("strdup");
+        }
+}
 // check profile line; if line == 0, this was generated from a command line option
 // return 1 if the command is to be added to the linked list of profile commands
@@ -99,25 +127,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        if (strncmp(ptr, "ignore ", 7) == 0) {
-                char *str = strdup(ptr + 7);
+                profile_add_ignore(ptr + 7);
-                if (*str == '\0') {
-                        fprintf(stderr, "Error: invalid ignore option\n");
-                        exit(1);
-                }
-                // find an empty entry in profile_ignore array
-                int j;
-                for (j = 0; j < MAX_PROFILE_IGNORE; j++) {
-                        if (cfg.profile_ignore[j] == NULL)
-                                break;
-                }
-                if (j >= MAX_PROFILE_IGNORE) {
-                        fprintf(stderr, "Error: maximum %d --ignore options are permitted\n", MAX_PROFILE_IGNORE);
-                        exit(1);
-                }
-                // ... and configure it
-                else
-                        cfg.profile_ignore[j] = str;
                return 0;
        }
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index e29cf4f4b..17562c503 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -113,6 +113,8 @@ Example: "nowhitelist ~/.config"
 Ignore command.
 Example: "ignore seccomp"
+.br
+Example: "ignore net ehh0"
 .TP
 \fBquiet
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index f29d9cddf..c6fd9cea5 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -509,7 +509,8 @@ Ignore command in profile file.
 Example:
 .br
 $ firejail \-\-ignore=shell --ignore=seccomp firefox
+.br
+$ firejail \-\-ignore="net eth0" firefox
 .TP
 \fB\-\-interface=interface
 Move interface in a new network namespace. Up to four --interface options can be specified.
author	startx2017 <vradu.startx@yandex.com>	2018-08-04 12:19:14 -0400
committer	startx2017 <vradu.startx@yandex.com>	2018-08-04 12:19:14 -0400
commit	30e96ea29531e23620e484dfa80490d232ef6b06 (patch)
tree	45cd6a57ff4c887eee914c982dac75beb71066c9 /src
parent	Merge branch 'master' of https://github.com/netblue30/firejail (diff)
download	firejail-30e96ea29531e23620e484dfa80490d232ef6b06.tar.gz firejail-30e96ea29531e23620e484dfa80490d232ef6b06.tar.zst firejail-30e96ea29531e23620e484dfa80490d232ef6b06.zip

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 9f7936174..471f2e55c 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -451,6 +451,7 @@ void fs_chroot(const char *rootdir);
451	void fs_check_chroot_dir(const char *rootdir);	451	void fs_check_chroot_dir(const char *rootdir);
452	void fs_private_tmp(void);	452	void fs_private_tmp(void);
453	void fs_private_cache(void);	453	void fs_private_cache(void);
		454	void fs_mnt(void);
454		455
455	// profile.c	456	// profile.c
456	// find and read the profile specified by name from dir directory	457	// find and read the profile specified by name from dir directory
@@ -463,7 +464,7 @@ void profile_read(const char *fname);
463	int profile_check_line(char ptr, int lineno, const char fname);	464	int profile_check_line(char ptr, int lineno, const char fname);
464	// add a profile entry in cfg.profile list; use str to populate the list	465	// add a profile entry in cfg.profile list; use str to populate the list
465	void profile_add(char *str);	466	void profile_add(char *str);
466	void fs_mnt(void);	467	void profile_add_ignore(const char *str);
467		468
468	// list.c	469	// list.c
469	void list(void);	470	void list(void);


diff --git a/src/firejail/main.c b/src/firejail/main.c index 3e092a3cc..0651e2f0a 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -1469,25 +1469,7 @@ int main(int argc, char **argv) {
1469	fprintf(stderr, "Error: please use --profile after --ignore\n");	1469	fprintf(stderr, "Error: please use --profile after --ignore\n");
1470	exit(1);	1470	exit(1);
1471	}	1471	}
1472		1472	profile_add_ignore(argv[i] + 9);
1473	if (*(argv[i] + 9) == '\0') {
1474	fprintf(stderr, "Error: invalid ignore option\n");
1475	exit(1);
1476	}
1477
1478	// find an empty entry in profile_ignore array
1479	int j;
1480	for (j = 0; j < MAX_PROFILE_IGNORE; j++) {
1481	if (cfg.profile_ignore[j] == NULL)
1482	break;
1483	}
1484	if (j >= MAX_PROFILE_IGNORE) {
1485	fprintf(stderr, "Error: maximum %d --ignore options are permitted\n", MAX_PROFILE_IGNORE);
1486	exit(1);
1487	}
1488	// ... and configure it
1489	else
1490	cfg.profile_ignore[j] = argv[i] + 9;
1491	}	1473	}
1492	#ifdef HAVE_CHROOT	1474	#ifdef HAVE_CHROOT
1493	else if (strncmp(argv[i], "--chroot=", 9) == 0) {	1475	else if (strncmp(argv[i], "--chroot=", 9) == 0) {


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 4b2fb3abd..60f3f86ee 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -87,6 +87,34 @@ static int is_in_ignore_list(char *ptr) {
87	return 0;	87	return 0;
88	}	88	}
89		89
		90	void profile_add_ignore(const char *str) {
		91	assert(str);
		92	if (*str == '\0') {
		93	fprintf(stderr, "Error: invalid ignore option\n");
		94	exit(1);
		95	}
		96	char *ptr = strdup(str);
		97	if (!ptr)
		98	errExit("strdup");
		99
		100	// find an empty entry in profile_ignore array
		101	int i;
		102	for (i = 0; i < MAX_PROFILE_IGNORE; i++) {
		103	if (cfg.profile_ignore[i] == NULL)
		104	break;
		105	}
		106	if (i >= MAX_PROFILE_IGNORE) {
		107	fprintf(stderr, "Error: maximum %d --ignore options are permitted\n", MAX_PROFILE_IGNORE);
		108	exit(1);
		109	}
		110	// ... and configure it
		111	else {
		112	cfg.profile_ignore[i] = strdup(str);
		113	if (!cfg.profile_ignore[i])
		114	errExit("strdup");
		115	}
		116	}
		117
90		118
91	// check profile line; if line == 0, this was generated from a command line option	119	// check profile line; if line == 0, this was generated from a command line option
92	// return 1 if the command is to be added to the linked list of profile commands	120	// return 1 if the command is to be added to the linked list of profile commands
@@ -99,25 +127,7 @@ int profile_check_line(char ptr, int lineno, const char fname) {
99	return 0;	127	return 0;
100		128
101	if (strncmp(ptr, "ignore ", 7) == 0) {	129	if (strncmp(ptr, "ignore ", 7) == 0) {
102	char *str = strdup(ptr + 7);	130	profile_add_ignore(ptr + 7);
103	if (*str == '\0') {
104	fprintf(stderr, "Error: invalid ignore option\n");
105	exit(1);
106	}
107	// find an empty entry in profile_ignore array
108	int j;
109	for (j = 0; j < MAX_PROFILE_IGNORE; j++) {
110	if (cfg.profile_ignore[j] == NULL)
111	break;
112	}
113	if (j >= MAX_PROFILE_IGNORE) {
114	fprintf(stderr, "Error: maximum %d --ignore options are permitted\n", MAX_PROFILE_IGNORE);
115	exit(1);
116	}
117	// ... and configure it
118	else
119	cfg.profile_ignore[j] = str;
120
121	return 0;	131	return 0;
122	}	132	}
123		133


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index e29cf4f4b..17562c503 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -113,6 +113,8 @@ Example: "nowhitelist ~/.config"
113	Ignore command.	113	Ignore command.
114		114
115	Example: "ignore seccomp"	115	Example: "ignore seccomp"
		116	.br
		117	Example: "ignore net ehh0"
116		118
117	.TP	119	.TP
118	\fBquiet	120	\fBquiet


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index f29d9cddf..c6fd9cea5 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -509,7 +509,8 @@ Ignore command in profile file.
509	Example:	509	Example:
510	.br	510	.br
511	$ firejail \-\-ignore=shell --ignore=seccomp firefox	511	$ firejail \-\-ignore=shell --ignore=seccomp firefox
512		512	.br
		513	$ firejail \-\-ignore="net eth0" firefox
513	.TP	514	.TP
514	\fB\-\-interface=interface	515	\fB\-\-interface=interface
515	Move interface in a new network namespace. Up to four --interface options can be specified.	516	Move interface in a new network namespace. Up to four --interface options can be specified.