diff options
| author |  netblue30 <netblue30@yahoo.com> | 2020-04-01 09:56:49 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2020-04-01 09:56:49 -0400 |
| commit | 601df2fbb9cdfedc6ab71cbe47d275e39c935dca (patch) | |
| tree | 80f10643dd688d42167763a90b8c8deb3f7130f4 /src | |
| parent | profstats (diff) | |
| download | firejail-601df2fbb9cdfedc6ab71cbe47d275e39c935dca.tar.gz firejail-601df2fbb9cdfedc6ab71cbe47d275e39c935dca.tar.zst firejail-601df2fbb9cdfedc6ab71cbe47d275e39c935dca.zip | |
globbing support for whitelists
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/fs_home.c | 1 | ||||
| -rw-r--r-- | src/firejail/fs_whitelist.c | 40 |
2 files changed, 40 insertions, 1 deletions
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index bec22e5a6..dbc74bfff 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
| @@ -20,7 +20,6 @@ | |||
| 20 | #include "firejail.h" | 20 | #include "firejail.h" |
| 21 | #include <sys/mount.h> | 21 | #include <sys/mount.h> |
| 22 | #include <linux/limits.h> | 22 | #include <linux/limits.h> |
| 23 | #include <glob.h> | ||
| 24 | #include <dirent.h> | 23 | #include <dirent.h> |
| 25 | #include <errno.h> | 24 | #include <errno.h> |
| 26 | #include <sys/stat.h> | 25 | #include <sys/stat.h> |
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index c5b066b12..3f3075570 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
| @@ -346,6 +346,39 @@ static void whitelist_home(int topdir) { | |||
| 346 | } | 346 | } |
| 347 | 347 | ||
| 348 | 348 | ||
| 349 | static void globbing(const char *pattern) { | ||
| 350 | assert(pattern); | ||
| 351 | |||
| 352 | // globbing | ||
| 353 | glob_t globbuf; | ||
| 354 | int globerr = glob(pattern, GLOB_NOCHECK | GLOB_NOSORT | GLOB_PERIOD, NULL, &globbuf); | ||
| 355 | if (globerr) { | ||
| 356 | fprintf(stderr, "Error: failed to glob private-bin pattern %s\n", pattern); | ||
| 357 | exit(1); | ||
| 358 | } | ||
| 359 | |||
| 360 | size_t i; | ||
| 361 | for (i = 0; i < globbuf.gl_pathc; i++) { | ||
| 362 | assert(globbuf.gl_pathv[i]); | ||
| 363 | // testing for GLOB_NOCHECK - no pattern matched returns the original pattern | ||
| 364 | if (strcmp(globbuf.gl_pathv[i], pattern) == 0) | ||
| 365 | continue; | ||
| 366 | |||
| 367 | // build the new profile command | ||
| 368 | char *newcmd; | ||
| 369 | if (asprintf(&newcmd, "whitelist %s", globbuf.gl_pathv[i]) == -1) | ||
| 370 | errExit("asprintf"); | ||
| 371 | |||
| 372 | // add the new profile command at the end of the list | ||
| 373 | if (arg_debug || arg_debug_whitelists) | ||
| 374 | printf("Adding new profile command: %s\n", newcmd); | ||
| 375 | profile_add(newcmd); | ||
| 376 | } | ||
| 377 | |||
| 378 | globfree(&globbuf); | ||
| 379 | } | ||
| 380 | |||
| 381 | |||
| 349 | void fs_whitelist(void) { | 382 | void fs_whitelist(void) { |
| 350 | ProfileEntry *entry = cfg.profile; | 383 | ProfileEntry *entry = cfg.profile; |
| 351 | if (!entry) | 384 | if (!entry) |
| @@ -444,6 +477,13 @@ void fs_whitelist(void) { | |||
| 444 | else | 477 | else |
| 445 | fname = realpath(new_name, NULL); | 478 | fname = realpath(new_name, NULL); |
| 446 | 479 | ||
| 480 | // if this is not a real path, let's try globbing | ||
| 481 | // mark this entry as EMPTY_STRING and push the new paths at the end of profile entry list | ||
| 482 | // the new profile entries will be processed in this loop | ||
| 483 | // currently there is no globbing support for nowhitelist | ||
| 484 | if (!fname && !nowhitelist_flag) | ||
| 485 | globbing(new_name); | ||
| 486 | |||
| 447 | if (!fname) { | 487 | if (!fname) { |
| 448 | // file not found, blank the entry in the list and continue | 488 | // file not found, blank the entry in the list and continue |
| 449 | if (arg_debug || arg_debug_whitelists) { | 489 | if (arg_debug || arg_debug_whitelists) { |