fixing issues 2 and 4

author: netblue30 <netblue30@yahoo.com> 2015-08-10 12:33:28 -0400
committer: netblue30 <netblue30@yahoo.com> 2015-08-10 12:33:28 -0400
commit: 878cd16973307ff164289c8c6762efbb23b519a6 (patch)
tree: 19938aedf9bcf7798e93007eb5c4a5f28693ea0f /src
parent: description (diff)
download: firejail-878cd16973307ff164289c8c6762efbb23b519a6.tar.gz
firejail-878cd16973307ff164289c8c6762efbb23b519a6.tar.zst
firejail-878cd16973307ff164289c8c6762efbb23b519a6.zip
5 files changed, 32 insertions, 9 deletions
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 343907584..877428637 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -415,9 +415,18 @@ void profile_read(const char *fname, const char *skip1, const char *skip2) {
                                p++;
                        }
                        
+                        // expand ${HOME}/ in front of the new profile file
+                        char *newprofile2 = NULL;
+                        if (strncmp(newprofile, "${HOME}", 7) == 0) {
+                                if (asprintf(&newprofile2, "%s%s", cfg.homedir, newprofile + 7) == -1)
+                                        errExit("asprintf");
+                        }                               
+                        
                        // recursivity
-                        profile_read(newprofile, newskip1, newskip2);
+                        profile_read((newprofile2)? newprofile2:newprofile, newskip1, newskip2);
                        include_level--;
+                        if (newprofile2)
+                                free(newprofile2);
                        free(ptr);
                        continue;
                }
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt
index 6613dc044..768896872 100644
--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -1,4 +1,4 @@
-.TH man 5 "MONTH YEAR" "VERSION" "firejail login.users man page"
+.TH FIREJAIL-LOGIN 5 "MONTH YEAR" "VERSION" "firejail login.users man page"
 .SH NAME
 login.users \- Login file syntax for Firejail
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 46da19ecd..f85e10171 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -1,4 +1,4 @@
-.TH man 5 "MONTH YEAR" "VERSION" "firejail profiles man page"
+.TH FIREJAIL-PROFILE 5 "MONTH YEAR" "VERSION" "firejail profiles man page"
 .SH NAME
 profile \- Profile file syntax for Firejail
@@ -15,8 +15,19 @@ directory and ~/.config/firejail directory.
 Include and comment support:
 .TP
-\f\include other.profile
+\f\include other.profile exclude-token
-Include other.profile file.
+Include other.profile file. exclued-token disables blacklist commands in other.profile
+if exclude-token word is found in the name section of blacklist command.
+exclude-tyoken is optional.
+Example: "include /etc/firejail/disable-common.inc .filezilla"
+loads disable-common.inc file disables "blacklist ${HOME}/.filezilla" command in this file.
+other.profile file name can be prefixed with ${HOME}. This will force Firejail to look for the
+file in user home directory.
+Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file.
 .TP
 # this is a comment
@@ -81,14 +92,17 @@ Enable default Linux capabilities filter.
 caps.drop all
 Blacklist all Linux capabilities.
 .TP
-caps.drop capability,capability,capability
+caps.keep capability,capability,capability
 Blacklist Linux capabilities filter.
 .TP
 caps.drop capability,capability,capability
 Whitelist Linux capabilities filter.
 .TP
 \f\seccomp
-Enable default seccomp filter.
+Enable default seccomp filter.  The default list is as follows:
+mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module,
+iopl, ioperm, swapon, swapoff, mknode, syslog, process_vm_readv and process_vm_writev,
+sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp.
 .TP
 \f\seccomp syscall,syscall,syscall
 Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 51f21975e..4e8d96d31 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1,4 +1,4 @@
-.TH man 1 "MONTH YEAR" "VERSION" "firejail man page"
+.TH FIREJAIL 1 "MONTH YEAR" "VERSION" "firejail man page"
 .SH NAME
 Firejail \- Linux namespaces sandbox program
 .SH SYNOPSIS
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index b6010f46e..293547a3b 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -1,4 +1,4 @@
-.TH man 1 "MONTH YEAR" "VERSION" "firemon man page"
+.TH FIREMON 1 "MONTH YEAR" "VERSION" "firemon man page"
 .SH NAME
 Firemon \- Monitoring program for processes started in a Firejail sandbox.
 .SH SYNOPSIS
author	netblue30 <netblue30@yahoo.com>	2015-08-10 12:33:28 -0400
committer	netblue30 <netblue30@yahoo.com>	2015-08-10 12:33:28 -0400
commit	878cd16973307ff164289c8c6762efbb23b519a6 (patch)
tree	19938aedf9bcf7798e93007eb5c4a5f28693ea0f /src
parent	description (diff)
download	firejail-878cd16973307ff164289c8c6762efbb23b519a6.tar.gz firejail-878cd16973307ff164289c8c6762efbb23b519a6.tar.zst firejail-878cd16973307ff164289c8c6762efbb23b519a6.zip