using /etc/firejail/server.profile as default profile if the sandbox is started by root

5 files changed, 61 insertions, 44 deletions

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index cb841cc59..d816d42e2 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -28,7 +28,8 @@
 #define MNT_DIR "/tmp/firejail/mnt"
 #define HOME_DIR        "/tmp/firejail/mnt/home"
 #define ETC_DIR "/tmp/firejail/mnt/etc"
-#define GENERIC_PROFILE_NAME    "generic"
+#define DEFAULT_USER_PROFILE    "generic"
+#define DEFAULT_ROOT_PROFILE    "server"
 #define MAX_INCLUDE_LEVEL 6
 
 // main.c
diff --git a/src/firejail/main.c b/src/firejail/main.c
index a1e67c298..9d635436d 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1058,20 +1058,26 @@ printf("here %s:%d\n", __FILE__, __LINE__);
 
         // use generic.profile as the default
         if (!custom_profile && !arg_noprofile) {
+                char *profile_name = DEFAULT_USER_PROFILE;
+                if (getuid() == 0)
+                        profile_name = DEFAULT_ROOT_PROFILE;
                 if (arg_debug)
-                        printf("Attempting to find %s.profile...",GENERIC_PROFILE_NAME);
+                        printf("Attempting to find %s.profile...", profile_name);
 
                 // look for the profile in ~/.config/firejail directory
                 char *usercfgdir;
                 if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)
                         errExit("asprintf");
-                custom_profile = profile_find(GENERIC_PROFILE_NAME, usercfgdir);
+                custom_profile = profile_find(profile_name, usercfgdir);
                 free(usercfgdir);
 
                 if (!custom_profile) {
                         // look for the profile in /etc/firejail directory
-                        custom_profile = profile_find(GENERIC_PROFILE_NAME, "/etc/firejail");
+                        custom_profile = profile_find(profile_name, "/etc/firejail");
                 }
+                
+                if (custom_profile)
+                        printf("Note: %s profile can be disabled by --noprofile option.\n", profile_name);
         }
 
         // check and assign an IP address - for macvlan it will be done again in the sandbox!
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 2cdc7f731..fbb36fad7 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -137,8 +137,10 @@ void usage(void) {
 
         printf("\t--noprofile - do not use a profile.  Profile priority is use the one\n");
         printf("\t\tspecified on the command line, next try to find one that\n");
-        printf("\t\tmatches the command name, and lastly use %s.profile.\n\n",GENERIC_PROFILE_NAME);
-        
+        printf("\t\tmatches the command name, and lastly use %s.profile\n", DEFAULT_USER_PROFILE);
+        printf("\t\tif running as regular user or %s.profile if running as\n", DEFAULT_ROOT_PROFILE);
+        printf("\t\troot.\n\n");
+                        
         printf("\t--noroot - install a user namespace with a single user - the current\n");
         printf("\t\tuser. root user does not exist in the new namespace. This option\n");
         printf("\t\tis not supported for --chroot and --overlay configurations.\n\n");
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 246098bb7..5167a4c42 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -7,15 +7,18 @@ profile \- Security profile file syntax for Firejail
 firejail \-\-profile=filename.profile
 
 .SH DESCRIPTION
-Several Firejail command line configuration options can be passed to the program using
-profile files. 
-Firejail chooses a security profile in the following order:
+Several command line options can be passed to the program using
+profile files. Firejail chooses the profile file as follows:
 
-1. If a profile is provided by the user with --profile option, the profile is loaded.
+1. If a profile file is provided by the user with --profile option, the profile file is loaded.
 Example:
 .PP
 .RS
 $ firejail --profile=/home/netblue/icecat.profile icecat
+.br
+Reading profile /home/netblue/icecat.profile
+.br
+[...]
 .RE
 
 2. If a profile file with the same name as the application is present in ~/.config/firejail directory or
@@ -26,7 +29,6 @@ $ firejail icecat
 .br
 Command name #icecat#
 .br
-.br
 Found icecat profile in /home/netblue/.config/firejail directory
 .br
 Reading profile /home/netblue/.config/firejail/icecat.profile
@@ -34,29 +36,31 @@ Reading profile /home/netblue/.config/firejail/icecat.profile
 [...]
 .RE
 
-3. Use the default profile in /etc/firejail/generic.profile. This can be disabled with --noprofile. Example:
+3. Use a default.profile file if the sandbox
+is started by a regular user, or a server.profile file if the sandbox
+is started by root. Firejail looks for these files in ~/.config/firejail directory, followed by /etc/firejail directory.
+To disable default profile loading, use --noroot command option. Example:
 .PP
 .RS
-$ firejail \-\-noprofile
+$ firejail
+.br
+Reading profile /etc/firejail/generic.profile
 .br
 Parent pid 8553, child pid 8554
 .br
 Child process initialized
 .br
-$ exit
+[...] 
 .br
+
 .br
-parent is shutting down, bye...
-.br
-$ firejail
-.br
-Reading profile /etc/firejail/generic.profile
+$ firejail \-\-noprofile
 .br
 Parent pid 8553, child pid 8554
 .br
 Child process initialized
 .br
-$ 
+[...]
 .RE
 
 .SH Scripting
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index c07a02c57..62176b84f 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -52,8 +52,8 @@ The default Firejail filesystem is based on the host filesystem with the main di
 Only /home, /tmp and /var directories are writable.
 .PP
 As it starts up, Firejail tries to find a security profile based on the name of the application.
-If an appropriate profile is not found, Firejail will use the default profile stored in /etc/firejail/default.profile.
-The default security profile is quite restrictive. In case the application doesn't work, use --noprofile option 
+If an appropriate profile is not found, Firejail will use a default profile.
+The default profile is quite restrictive. In case the application doesn't work, use --noprofile option 
 to disable it. For more information, please see SECURITY PROFILES section.
 .PP
 If a program argument is not specified, Firejail starts /bin/bash shell.
@@ -575,32 +575,31 @@ $
 
 .TP
 \fB\-\-noprofile
-Do not use a profile. 
+Do not use a security profile. 
 .br
 
 .br
 Example:
 .br
-$ firejail \-\-noprofile
+$ firejail
+.br
+Reading profile /etc/firejail/generic.profile
 .br
 Parent pid 8553, child pid 8554
 .br
 Child process initialized
 .br
-$ exit
+[...] 
 .br
+
 .br
-parent is shutting down, bye...
-.br
-$ firejail
-.br
-Reading profile /etc/firejail/generic.profile
+$ firejail \-\-noprofile
 .br
 Parent pid 8553, child pid 8554
 .br
 Child process initialized
 .br
-$ 
+[...]
 
 .TP
 \fB\-\-noroot
@@ -1194,14 +1193,18 @@ User
 The owner of the sandbox.
 
 .SH SECURITY PROFILES
-Several command line configuration options can be passed to the program using
-profile files. Firejail chooses a security profile in the following order:
+Several command line options can be passed to the program using
+profile files. Firejail chooses the profile file as follows:
 
-1. If a profile is provided by the user with --profile option, the profile is loaded.
+1. If a profile file is provided by the user with --profile option, the profile file is loaded.
 Example:
 .PP
 .RS
 $ firejail --profile=/home/netblue/icecat.profile icecat
+.br
+Reading profile /home/netblue/icecat.profile
+.br
+[...]
 .RE
 
 2. If a profile file with the same name as the application is present in ~/.config/firejail directory or
@@ -1212,7 +1215,6 @@ $ firejail icecat
 .br
 Command name #icecat#
 .br
-.br
 Found icecat profile in /home/netblue/.config/firejail directory
 .br
 Reading profile /home/netblue/.config/firejail/icecat.profile
@@ -1220,29 +1222,31 @@ Reading profile /home/netblue/.config/firejail/icecat.profile
 [...]
 .RE
 
-3. Use the default profile in /etc/firejail/generic.profile
+3. Use a default.profile file if the sandbox
+is started by a regular user, or a server.profile file if the sandbox
+is started by root. Firejail looks for these files in ~/.config/firejail directory, followed by /etc/firejail directory.
+To disable default profile loading, use --noroot command option. Example:
 .PP
 .RS
-$ firejail \-\-noprofile
+$ firejail
+.br
+Reading profile /etc/firejail/generic.profile
 .br
 Parent pid 8553, child pid 8554
 .br
 Child process initialized
 .br
-$ exit
+[...] 
 .br
+
 .br
-parent is shutting down, bye...
-.br
-$ firejail
-.br
-Reading profile /etc/firejail/generic.profile
+$ firejail \-\-noprofile
 .br
 Parent pid 8553, child pid 8554
 .br
 Child process initialized
 .br
-$ 
+[...]
 .RE
 
 See man 5 firejail-profile for profile file syntax information.