author | netblue30 <netblue30@yahoo.com> | 2020-04-01 09:56:49 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2020-04-01 09:56:49 -0400 |
commit | 601df2fbb9cdfedc6ab71cbe47d275e39c935dca (patch) | |
tree | 80f10643dd688d42167763a90b8c8deb3f7130f4 /src | |
parent | profstats (diff) | |
globbing support for whitelists
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs_home.c | 1 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 40 |
2 files changed, 40 insertions, 1 deletions
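diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index bec22e5a6..dbc74bfff 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -20,7 +20,6 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <linux/limits.h>
-#include <glob.h>
 #include <dirent.h>
 #include <errno.h>
 #include <sys/stat.h>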
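diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index c5b066b12..3f3075570 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -346,6 +346,39 @@ static void whitelist_home(int topdir) {
 }
 
 
+static void globbing(const char *pattern) {
+	assert(pattern);
+
+	// globbing
+	glob_t globbuf;
+	int globerr = glob(pattern, GLOB_NOCHECK | GLOB_NOSORT | GLOB_PERIOD, NULL, &globbuf);
+	if (globerr) {
+		fprintf(stderr, "Error: failed to glob private-bin pattern %s\n", pattern);
+		exit(1);
+	}
+
+	size_t i;
+	for (i = 0; i < globbuf.gl_pathc; i++) {
+		assert(globbuf.gl_pathv[i]);
+		// testing for GLOB_NOCHECK - no pattern matched returns the original pattern
+		if (strcmp(globbuf.gl_pathv[i], pattern) == 0)
+			continue;
+
+		// build the new profile command
+		char *newcmd;
+		if (asprintf(&newcmd, "whitelist %s", globbuf.gl_pathv[i]) == -1)
+			errExit("asprintf");
+
+		// add the new profile command at the end of the list
+		if (arg_debug || arg_debug_whitelists)
+			printf("Adding new profile command: %s\n", newcmd);
+		profile_add(newcmd);
+	}
+
+	globfree(&globbuf);
+}
+
+
 void fs_whitelist(void) {
 	ProfileEntry *entry = cfg.profile;
 	if (!entry)
@@ -444,6 +477,13 @@ void fs_whitelist(void) {
 		else
 			fname = realpath(new_name, NULL);
 
+		// if this is not a real path, let's try globbing
+		// mark this entry as EMPTY_STRING and push the new paths at the end of profile entry list
+		// the new profile entries will be processed in this loop
+		// currently there is no globbing support for nowhitelist
+		if (!fname && !nowhitelist_flag)
+			globbing(new_name);
+
 		if (!fname) {
 			// file not found, blank the entry in the list and continue
 			if (arg_debug || arg_debug_whitelists) {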
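Review bot: With GLOB_PERIOD set, glibc's glob() can return the `.` and `..` directory entries for a pattern such as `~/dir/*`, and nothing in globbing() filters them out, so the loop would push `whitelist ~/dir/..`, which the re-processing in fs_whitelist() resolves with realpath() to the parent directory and whitelists far more than the profile asked for. The GLOB_NOCHECK comparison at `if (strcmp(globbuf.gl_pathv[i], pattern) == 0)` only skips the unexpanded pattern itself; a basename check for `.` and `..` belongs right after it, as sketched below. The error message `"Error: failed to glob private-bin pattern %s\n"` also looks copied from the private-bin code and should say whitelist, since exit(1) here aborts sandbox setup with a misleading reason. The second hunk adds calls to glob()/globfree() with no visible `#include <glob.h>` in fs_whitelist.c while the other file drops that header, so presumably fs_whitelist.c already includes it - worth confirming. The enclosing fs_whitelist() body starts and ends outside the hunk, so I cannot see whether the entries appended via profile_add() are later freed.
```c
static void globbing(const char *pattern) {
	/* … unchanged: assert and glob() call … */
	if (globerr) {
		fprintf(stderr, "Error: failed to glob whitelist pattern %s\n", pattern);
		exit(1);
	}

	size_t i;
	for (i = 0; i < globbuf.gl_pathc; i++) {
		assert(globbuf.gl_pathv[i]);
		// testing for GLOB_NOCHECK - no pattern matched returns the original pattern
		if (strcmp(globbuf.gl_pathv[i], pattern) == 0)
			continue;

		// GLOB_PERIOD lets "*" match "." and ".." - skip them, otherwise
		// "whitelist ~/dir/*" would also whitelist ~/dir/.. (the parent directory)
		const char *base = strrchr(globbuf.gl_pathv[i], '/');
		base = base ? base + 1 : globbuf.gl_pathv[i];
		if (strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
			continue;

		/* … unchanged: build newcmd and profile_add() … */
	}
	/* … unchanged: globfree() … */
}
```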