Merge pull request #48 from sarneaud/glob

Rewrite globbing code to fix various minor issues
author: netblue30 <netblue30@yahoo.com> 2015-08-30 06:45:17 -0400
committer: netblue30 <netblue30@yahoo.com> 2015-08-30 06:45:17 -0400
commit: cad73e6df6927b10040121d6a969d16ccf356f58 (patch)
tree: e8245a93fb3f9d370a8bc6b5e4786c1bca1b8011 /src
parent: fixing manpages (diff)
parent: Rewrite globbing code to fix various minor issues (diff)
download: firejail-cad73e6df6927b10040121d6a969d16ccf356f58.tar.gz
firejail-cad73e6df6927b10040121d6a969d16ccf356f58.tar.zst
firejail-cad73e6df6927b10040121d6a969d16ccf356f58.zip
1 files changed, 18 insertions, 14 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 1e74257eb..14b7c1f01 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -197,24 +197,28 @@ static void disable_file(OPERATION op, const char *filename, const char *emptydi
        free(fname);
 }
-static void globbing(OPERATION op, const char *fname, const char *emptydir, const char *emptyfile) {
+// Treat pattern as a shell glob pattern and blacklist matching files
-        assert(fname);
+static void globbing(OPERATION op, const char *pattern, const char *emptydir, const char *emptyfile) {
+        assert(pattern);
        assert(emptydir);
        assert(emptyfile);
-        // filename globbing: expand * macro and continue processing for every single file
+        glob_t globbuf;
-        if (strchr(fname, '*')) {
+        // Profiles contain blacklists for files that might not exist on a user's machine.
-                glob_t globbuf;
+        // GLOB_NOCHECK makes that okay.
-                globbuf.gl_offs = 0;
+        int globerr = glob(pattern, GLOB_NOCHECK | GLOB_NOSORT, NULL, &globbuf);
-                glob(fname, GLOB_DOOFFS, NULL, &globbuf);
+        if (globerr) {
-                unsigned int i;
+                fprintf(stderr, "Error: failed to glob pattern %s\n", pattern);
-                for (i = 0; i < globbuf.gl_pathc; i++) {
+                return;
-                        assert(globbuf.gl_pathv[i]);
-                        disable_file(op, globbuf.gl_pathv[i], emptydir, emptyfile);
-                }
        }
-        else
-                disable_file(op, fname, emptydir, emptyfile);
+        size_t i;
+        for (i = 0; i < globbuf.gl_pathc; i++) {
+                char* match = globbuf.gl_pathv[i];
+                assert(match);
+                disable_file(op, match, emptydir, emptyfile);
+        }
+        globfree(&globbuf);
 }
 static void expand_path(OPERATION op, const char *path, const char *fname, const char *emptydir, const char *emptyfile) {
author	netblue30 <netblue30@yahoo.com>	2015-08-30 06:45:17 -0400
committer	netblue30 <netblue30@yahoo.com>	2015-08-30 06:45:17 -0400
commit	cad73e6df6927b10040121d6a969d16ccf356f58 (patch)
tree	e8245a93fb3f9d370a8bc6b5e4786c1bca1b8011 /src
parent	fixing manpages (diff)
parent	Rewrite globbing code to fix various minor issues (diff)
download	firejail-cad73e6df6927b10040121d6a969d16ccf356f58.tar.gz firejail-cad73e6df6927b10040121d6a969d16ccf356f58.tar.zst firejail-cad73e6df6927b10040121d6a969d16ccf356f58.zip

diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 1e74257eb..14b7c1f01 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c
@@ -197,24 +197,28 @@ static void disable_file(OPERATION op, const char filename, const char emptydi
197	free(fname);	197	free(fname);
198	}	198	}
199		199
200	static void globbing(OPERATION op, const char fname, const char emptydir, const char *emptyfile) {	200	// Treat pattern as a shell glob pattern and blacklist matching files
201	assert(fname);	201	static void globbing(OPERATION op, const char pattern, const char emptydir, const char *emptyfile) {
		202	assert(pattern);
202	assert(emptydir);	203	assert(emptydir);
203	assert(emptyfile);	204	assert(emptyfile);
204		205
205	// filename globbing: expand * macro and continue processing for every single file	206	glob_t globbuf;
206	if (strchr(fname, '*')) {	207	// Profiles contain blacklists for files that might not exist on a user's machine.
207	glob_t globbuf;	208	// GLOB_NOCHECK makes that okay.
208	globbuf.gl_offs = 0;	209	int globerr = glob(pattern, GLOB_NOCHECK \| GLOB_NOSORT, NULL, &globbuf);
209	glob(fname, GLOB_DOOFFS, NULL, &globbuf);	210	if (globerr) {
210	unsigned int i;	211	fprintf(stderr, "Error: failed to glob pattern %s\n", pattern);
211	for (i = 0; i < globbuf.gl_pathc; i++) {	212	return;
212	assert(globbuf.gl_pathv[i]);
213	disable_file(op, globbuf.gl_pathv[i], emptydir, emptyfile);
214	}
215	}	213	}
216	else	214
217	disable_file(op, fname, emptydir, emptyfile);	215	size_t i;
		216	for (i = 0; i < globbuf.gl_pathc; i++) {
		217	char* match = globbuf.gl_pathv[i];
		218	assert(match);
		219	disable_file(op, match, emptydir, emptyfile);
		220	}
		221	globfree(&globbuf);
218	}	222	}
219		223
220	static void expand_path(OPERATION op, const char path, const char fname, const char emptydir, const char emptyfile) {	224	static void expand_path(OPERATION op, const char path, const char fname, const char emptydir, const char emptyfile) {