author | netblue30 <netblue30@protonmail.com> | 2021-06-04 06:40:16 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-06-04 06:40:16 -0500 |
commit | ed261d9471a042adcbb8733e1b1de13c934c3fe0 (patch) | |
tree | 8aeab84172400499132e35a197669ea2f8509a2e /src | |
parent | Fix seahorse-adventures + CI (diff) | |
parent | add firejail.config switch for private-{bin,etc,opt,srv} (diff) | |
Merge pull request #4330 from smitsohu/fjconfig
add firejail.config switch for private-{bin,etc,opt,srv}
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/checkcfg.c | 8 | ||||
-rw-r--r-- | src/firejail/firejail.h | 10 | ||||
-rw-r--r-- | src/firejail/main.c | 104 | ||||
-rw-r--r-- | src/firejail/profile.c | 75 |
4 files changed, 117 insertions, 80 deletions
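--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -110,10 +110,14 @@ int checkcfg(int val) {
 PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network")
 PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title")
 PARSE_YESNO(CFG_OVERLAYFS, "overlayfs")
-PARSE_YESNO(CFG_PRIVATE_HOME, "private-home")
+PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin")
+PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local")
 PARSE_YESNO(CFG_PRIVATE_CACHE, "private-cache")
+PARSE_YESNO(CFG_PRIVATE_ETC, "private-etc")
+PARSE_YESNO(CFG_PRIVATE_HOME, "private-home")
 PARSE_YESNO(CFG_PRIVATE_LIB, "private-lib")
-PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local")
+PARSE_YESNO(CFG_PRIVATE_OPT, "private-opt")
+PARSE_YESNO(CFG_PRIVATE_SRV, "private-srv")
 PARSE_YESNO(CFG_DISABLE_MNT, "disable-mnt")
 PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach")
 PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f")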
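--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -762,8 +762,14 @@ enum {
 CFG_WHITELIST,
 CFG_XEPHYR_WINDOW_TITLE,
 CFG_OVERLAYFS,
-CFG_PRIVATE_HOME,
+CFG_PRIVATE_BIN,
 CFG_PRIVATE_BIN_NO_LOCAL,
+CFG_PRIVATE_CACHE,
+CFG_PRIVATE_ETC,
+CFG_PRIVATE_HOME,
+CFG_PRIVATE_LIB,
+CFG_PRIVATE_OPT,
+CFG_PRIVATE_SRV,
 CFG_FIREJAIL_PROMPT,
 CFG_DISABLE_MNT,
 CFG_JOIN,
@@ -771,10 +777,8 @@ enum {
 CFG_XPRA_ATTACH,
 CFG_BROWSER_DISABLE_U2F,
 CFG_BROWSER_ALLOW_DRM,
-CFG_PRIVATE_LIB,
 CFG_APPARMOR,
 CFG_DBUS,
-CFG_PRIVATE_CACHE,
 CFG_CGROUP,
 CFG_NAME_CHANGE,
 CFG_SECCOMP_ERROR_ACTION,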
diff --git a/src/firejail/main.c b/src/firejail/main.c index 089d80a68..bbabe533f 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1959,61 +1959,77 @@ int main(int argc, char **argv, char **envp) { | |||
1959 | arg_keep_dev_shm = 1; | 1959 | arg_keep_dev_shm = 1; |
1960 | } | 1960 | } |
1961 | else if (strncmp(argv[i], "--private-etc=", 14) == 0) { | 1961 | else if (strncmp(argv[i], "--private-etc=", 14) == 0) { |
1962 | if (arg_writable_etc) { | 1962 | if (checkcfg(CFG_PRIVATE_ETC)) { |
1963 | fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); | 1963 | if (arg_writable_etc) { |
1964 | exit(1); | 1964 | fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); |
1965 | } | 1965 | exit(1); |
1966 | } | ||
1966 | 1967 | ||
1967 | // extract private etc list | 1968 | // extract private etc list |
1968 | if (*(argv[i] + 14) == '\0') { | 1969 | if (*(argv[i] + 14) == '\0') { |
1969 | fprintf(stderr, "Error: invalid private-etc option\n"); | 1970 | fprintf(stderr, "Error: invalid private-etc option\n"); |
1970 | exit(1); | 1971 | exit(1); |
1972 | } | ||
1973 | if (cfg.etc_private_keep) { | ||
1974 | if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, argv[i] + 14) < 0 ) | ||
1975 | errExit("asprintf"); | ||
1976 | } else | ||
1977 | cfg.etc_private_keep = argv[i] + 14; | ||
1978 | arg_private_etc = 1; | ||
1971 | } | 1979 | } |
1972 | if (cfg.etc_private_keep) { | 1980 | else |
1973 | if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, argv[i] + 14) < 0 ) | 1981 | exit_err_feature("private-etc"); |
1974 | errExit("asprintf"); | ||
1975 | } else | ||
1976 | cfg.etc_private_keep = argv[i] + 14; | ||
1977 | arg_private_etc = 1; | ||
1978 | } | 1982 | } |
1979 | else if (strncmp(argv[i], "--private-opt=", 14) == 0) { | 1983 | else if (strncmp(argv[i], "--private-opt=", 14) == 0) { |
1980 | // extract private opt list | 1984 | if (checkcfg(CFG_PRIVATE_OPT)) { |
1981 | if (*(argv[i] + 14) == '\0') { | 1985 | // extract private opt list |
1982 | fprintf(stderr, "Error: invalid private-opt option\n"); | 1986 | if (*(argv[i] + 14) == '\0') { |
1983 | exit(1); | 1987 | fprintf(stderr, "Error: invalid private-opt option\n"); |
1988 | exit(1); | ||
1989 | } | ||
1990 | if (cfg.opt_private_keep) { | ||
1991 | if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, argv[i] + 14) < 0 ) | ||
1992 | errExit("asprintf"); | ||
1993 | } else | ||
1994 | cfg.opt_private_keep = argv[i] + 14; | ||
1995 | arg_private_opt = 1; | ||
1984 | } | 1996 | } |
1985 | if (cfg.opt_private_keep) { | 1997 | else |
1986 | if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, argv[i] + 14) < 0 ) | 1998 | exit_err_feature("private-opt"); |
1987 | errExit("asprintf"); | ||
1988 | } else | ||
1989 | cfg.opt_private_keep = argv[i] + 14; | ||
1990 | arg_private_opt = 1; | ||
1991 | } | 1999 | } |
1992 | else if (strncmp(argv[i], "--private-srv=", 14) == 0) { | 2000 | else if (strncmp(argv[i], "--private-srv=", 14) == 0) { |
1993 | // extract private srv list | 2001 | if (checkcfg(CFG_PRIVATE_SRV)) { |
1994 | if (*(argv[i] + 14) == '\0') { | 2002 | // extract private srv list |
1995 | fprintf(stderr, "Error: invalid private-srv option\n"); | 2003 | if (*(argv[i] + 14) == '\0') { |
1996 | exit(1); | 2004 | fprintf(stderr, "Error: invalid private-srv option\n"); |
2005 | exit(1); | ||
2006 | } | ||
2007 | if (cfg.srv_private_keep) { | ||
2008 | if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, argv[i] + 14) < 0 ) | ||
2009 | errExit("asprintf"); | ||
2010 | } else | ||
2011 | cfg.srv_private_keep = argv[i] + 14; | ||
2012 | arg_private_srv = 1; | ||
1997 | } | 2013 | } |
1998 | if (cfg.srv_private_keep) { | 2014 | else |
1999 | if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, argv[i] + 14) < 0 ) | 2015 | exit_err_feature("private-srv"); |
2000 | errExit("asprintf"); | ||
2001 | } else | ||
2002 | cfg.srv_private_keep = argv[i] + 14; | ||
2003 | arg_private_srv = 1; | ||
2004 | } | 2016 | } |
2005 | else if (strncmp(argv[i], "--private-bin=", 14) == 0) { | 2017 | else if (strncmp(argv[i], "--private-bin=", 14) == 0) { |
2006 | // extract private bin list | 2018 | if (checkcfg(CFG_PRIVATE_BIN)) { |
2007 | if (*(argv[i] + 14) == '\0') { | 2019 | // extract private bin list |
2008 | fprintf(stderr, "Error: invalid private-bin option\n"); | 2020 | if (*(argv[i] + 14) == '\0') { |
2009 | exit(1); | 2021 | fprintf(stderr, "Error: invalid private-bin option\n"); |
2022 | exit(1); | ||
2023 | } | ||
2024 | if (cfg.bin_private_keep) { | ||
2025 | if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, argv[i] + 14) < 0 ) | ||
2026 | errExit("asprintf"); | ||
2027 | } else | ||
2028 | cfg.bin_private_keep = argv[i] + 14; | ||
2029 | arg_private_bin = 1; | ||
2010 | } | 2030 | } |
2011 | if (cfg.bin_private_keep) { | 2031 | else |
2012 | if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, argv[i] + 14) < 0 ) | 2032 | exit_err_feature("private-bin"); |
2013 | errExit("asprintf"); | ||
2014 | } else | ||
2015 | cfg.bin_private_keep = argv[i] + 14; | ||
2016 | arg_private_bin = 1; | ||
2017 | } | 2033 | } |
2018 | else if (strncmp(argv[i], "--private-lib", 13) == 0) { | 2034 | else if (strncmp(argv[i], "--private-lib", 13) == 0) { |
2019 | if (checkcfg(CFG_PRIVATE_LIB)) { | 2035 | if (checkcfg(CFG_PRIVATE_LIB)) { |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index af28cd488..40e4f788e 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -1275,56 +1275,69 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1275 | 1275 | ||
1276 | // private /etc list of files and directories | 1276 | // private /etc list of files and directories |
1277 | if (strncmp(ptr, "private-etc ", 12) == 0) { | 1277 | if (strncmp(ptr, "private-etc ", 12) == 0) { |
1278 | if (arg_writable_etc) { | 1278 | if (checkcfg(CFG_PRIVATE_ETC)) { |
1279 | fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); | 1279 | if (arg_writable_etc) { |
1280 | exit(1); | 1280 | fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); |
1281 | } | 1281 | exit(1); |
1282 | if (cfg.etc_private_keep) { | 1282 | } |
1283 | if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, ptr + 12) < 0 ) | 1283 | if (cfg.etc_private_keep) { |
1284 | errExit("asprintf"); | 1284 | if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, ptr + 12) < 0 ) |
1285 | } else { | 1285 | errExit("asprintf"); |
1286 | cfg.etc_private_keep = ptr + 12; | 1286 | } else { |
1287 | cfg.etc_private_keep = ptr + 12; | ||
1288 | } | ||
1289 | arg_private_etc = 1; | ||
1287 | } | 1290 | } |
1288 | arg_private_etc = 1; | 1291 | else |
1289 | 1292 | warning_feature_disabled("private-etc"); | |
1290 | return 0; | 1293 | return 0; |
1291 | } | 1294 | } |
1292 | 1295 | ||
1293 | // private /opt list of files and directories | 1296 | // private /opt list of files and directories |
1294 | if (strncmp(ptr, "private-opt ", 12) == 0) { | 1297 | if (strncmp(ptr, "private-opt ", 12) == 0) { |
1295 | if (cfg.opt_private_keep) { | 1298 | if (checkcfg(CFG_PRIVATE_OPT)) { |
1296 | if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, ptr + 12) < 0 ) | 1299 | if (cfg.opt_private_keep) { |
1297 | errExit("asprintf"); | 1300 | if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, ptr + 12) < 0 ) |
1298 | } else { | 1301 | errExit("asprintf"); |
1299 | cfg.opt_private_keep = ptr + 12; | 1302 | } else { |
1303 | cfg.opt_private_keep = ptr + 12; | ||
1304 | } | ||
1305 | arg_private_opt = 1; | ||
1300 | } | 1306 | } |
1301 | arg_private_opt = 1; | 1307 | else |
1302 | 1308 | warning_feature_disabled("private-opt"); | |
1303 | return 0; | 1309 | return 0; |
1304 | } | 1310 | } |
1305 | 1311 | ||
1306 | // private /srv list of files and directories | 1312 | // private /srv list of files and directories |
1307 | if (strncmp(ptr, "private-srv ", 12) == 0) { | 1313 | if (strncmp(ptr, "private-srv ", 12) == 0) { |
1308 | if (cfg.srv_private_keep) { | 1314 | if (checkcfg(CFG_PRIVATE_SRV)) { |
1309 | if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, ptr + 12) < 0 ) | 1315 | if (cfg.srv_private_keep) { |
1310 | errExit("asprintf"); | 1316 | if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, ptr + 12) < 0 ) |
1311 | } else { | 1317 | errExit("asprintf"); |
1312 | cfg.srv_private_keep = ptr + 12; | 1318 | } else { |
1319 | cfg.srv_private_keep = ptr + 12; | ||
1320 | } | ||
1321 | arg_private_srv = 1; | ||
1313 | } | 1322 | } |
1314 | arg_private_srv = 1; | 1323 | else |
1315 | 1324 | warning_feature_disabled("private-srv"); | |
1316 | return 0; | 1325 | return 0; |
1317 | } | 1326 | } |
1318 | 1327 | ||
1319 | // private /bin list of files | 1328 | // private /bin list of files |
1320 | if (strncmp(ptr, "private-bin ", 12) == 0) { | 1329 | if (strncmp(ptr, "private-bin ", 12) == 0) { |
1321 | if (cfg.bin_private_keep) { | 1330 | if (checkcfg(CFG_PRIVATE_BIN)) { |
1322 | if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, ptr + 12) < 0 ) | 1331 | if (cfg.bin_private_keep) { |
1323 | errExit("asprintf"); | 1332 | if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, ptr + 12) < 0 ) |
1324 | } else { | 1333 | errExit("asprintf"); |
1325 | cfg.bin_private_keep = ptr + 12; | 1334 | } else { |
1335 | cfg.bin_private_keep = ptr + 12; | ||
1336 | } | ||
1337 | arg_private_bin = 1; | ||
1326 | } | 1338 | } |
1327 | arg_private_bin = 1; | 1339 | else |
1340 | warning_feature_disabled("private-bin"); | ||
1328 | return 0; | 1341 | return 0; |
1329 | } | 1342 | } |
1330 | 1343 | ||
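Review bot: A profile line for a feature switched off in firejail.config appears to be dropped with only a warning (`warning_feature_disabled(...)` followed by `return 0` in each of the four `else` branches), so the sandbox still starts but without the /etc, /opt, /srv or bin restriction the profile asked for. The command-line path in main.c calls `exit_err_feature` for the same condition, and nothing in the hunk states that the difference is intended. I would add a comment above the first branch, for example `// disabled in firejail.config: the profile line is ignored and the sandbox runs without this restriction (the command line aborts instead)`. The warn-only behaviour is inferred from the helper's name and the `return 0` that follows, since its body is not visible here. profile_check_line starts and ends outside the hunk.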