author | smitsohu <smitsohu@gmail.com> | 2018-11-10 15:07:12 +0100 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2018-11-10 15:07:12 +0100 |
commit | 8f707a5f23e193f411930421ef2555282404c775 (patch) | |
tree | 9a69739b655eba1c6940f75611242bcbf7e93b91 /src | |
parent | unreadable firejail.users database fixes (diff) | |
parent | Merge pull request #2253 from crass/fix-appimage-double-dash-handling (diff) | |
Merge branch 'master' of https://github.com/netblue30/firejail
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/checkcfg.c | 9 | ||||
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 21 | ||||
-rw-r--r-- | src/firejail/profile.c | 13 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 2 |
5 files changed, 31 insertions, 16 deletions
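--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -371,6 +371,15 @@ int checkcfg(int val) {
 else
 goto errout;
 }
+// browser-disable-u2f
+else if (strncmp(ptr, "browser-disable-u2f ", 20) == 0) {
+if (strcmp(ptr + 20, "yes") == 0)
+cfg_val[CFG_BROWSER_DISABLE_U2F] = 1;
+else if (strcmp(ptr + 20, "no") == 0)
+cfg_val[CFG_BROWSER_DISABLE_U2F] = 0;
+else
+goto errout;
+}
 else
 goto errout;
 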
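Review bot: Nothing in this hunk says what `browser-disable-u2f` evaluates to when the key is absent from the config file, and the diffstat's 9 insertions for checkcfg.c are all in this branch, so the commit adds no default assignment in this file. The value feeds the `BROWSER_DISABLE_U2F` profile conditional added in profile.c, so the effective default decides whether those conditional profile lines apply on an unconfigured system; it is inherited from however `cfg_val` is initialised outside the hunk. I would record the intended default next to the parser, e.g. `// browser-disable-u2f (default: taken from the cfg_val[] initialisation; set it explicitly if that is not the intent)`, or add an explicit assignment if the function sets other defaults that way. checkcfg()'s body starts and ends outside the hunk.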
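--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -461,7 +461,6 @@ void fs_mnt(const int enforce);
 
 // profile.c
 // find and read the profile specified by name from dir directory
-int profile_find(const char *name, const char *dir, int add_ext);
 int profile_find_firejail(const char *name, int add_ext);
 // read a profile file
 void profile_read(const char *fname);
@@ -771,6 +770,7 @@ enum {
 CFG_JOIN,
 CFG_ARP_PROBES,
 CFG_XPRA_ATTACH,
+CFG_BROWSER_DISABLE_U2F,
 CFG_PRIVATE_LIB,
 CFG_APPARMOR,
 CFG_DBUS,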
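--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2244,21 +2244,18 @@ int main(int argc, char **argv) {
 return 1;
 }
 }
-else if (strcmp(argv[i], "--") == 0) {
+else {
 // double dash - positional params to follow
-arg_doubledash = 1;
-i++;
-if (i >= argc) {
-fprintf(stderr, "Error: program name not found\n");
-exit(1);
+if (strcmp(argv[i], "--") == 0) {
+arg_doubledash = 1;
+i++;
+if (i >= argc) {
+fprintf(stderr, "Error: program name not found\n");
+exit(1);
+}
 }
-extract_command_name(i, argv);
-prog_index = i;
-break;
-}
-else {
 // is this an invalid option?
-if (*argv[i] == '-') {
+else if (*argv[i] == '-') {
 fprintf(stderr, "Error: invalid %s command line option\n", argv[i]);
 return 1;
 }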
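Review bot: Once the `--` branch has advanced `i`, the `else if (*argv[i] == '-')` test is skipped, so the word after `--` is accepted as the program name even when it begins with `-`; that is presumably the intent, but nothing in the new block says so. A comment after the `i >= argc` check, such as `// argv[i] is the program name from here on; deliberately exempt from the leading '-' check`, would stop a later edit from splitting the chain back into two independent `if`s. The two error paths in this block also differ (`exit(1)` versus `return 1`) although both run in main(); using one form would read more clearly. The code that consumes `argv[i]` lies past the end of the hunk.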
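--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -25,7 +25,8 @@ extern char *xephyr_screen;
 #define MAX_READ 8192 // line buffer for profile files
 
 // find and read the profile specified by name from dir directory
-int profile_find(const char *name, const char *dir, int add_ext) {
+// return 1 if a profile was found
+static int profile_find(const char *name, const char *dir, int add_ext) {
 EUID_ASSERT();
 assert(name);
 assert(dir);
@@ -64,6 +65,7 @@ int profile_find(const char *name, const char *dir, int add_ext) {
 }
 
 // search and read the profile specified by name from firejail directories
+// return 1 if a profile was found
 int profile_find_firejail(const char *name, int add_ext) {
 // look for a profile in ~/.config/firejail directory
 char *usercfgdir;
@@ -139,6 +141,7 @@ int profile_check_conditional(char *ptr, int lineno, const char *fname) {
 bool value; // true if set
 } conditionals[] = {
 {"HAS_APPIMAGE", strlen("HAS_APPIMAGE"), arg_appimage!=0},
+{"BROWSER_DISABLE_U2F", strlen("BROWSER_DISABLE_U2F"), checkcfg(CFG_BROWSER_DISABLE_U2F)!=0},
 NULL
 }, *cond = conditionals;
 char *tmp = ptr, *msg = NULL;
@@ -1437,7 +1440,13 @@ void profile_read(const char *fname) {
 ptr2++;
 // profile path contains no / chars, do a search
 if (*ptr2 == '\0') {
-profile_find_firejail(newprofile, 0);
+int rv = profile_find_firejail(newprofile, 0); // returns 1 if a profile was found in sysconfig directory
+if (!rv) {
+// maybe this is a file in the local working directory?
+// it will stop the sandbox if not!
+// Note: if the file ends in .local it will not stop the program
+profile_read(newprofile);
+}
 }
 else {
 profile_read(newprofile);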
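Review bot: In the last hunk (profile_read), a slash-less profile name that `profile_find_firejail()` does not find is now passed unchanged to `profile_read(newprofile)`, which per the added comment means a file in the current working directory. A bare name can then resolve to whatever file of that name sits in the directory firejail was started from, so the sandbox policy comes to depend on a location that someone other than the profile author may be able to write (a shared or download directory). Names containing `/` already reach `profile_read()` through the `else` branch, so working-directory files could be required to be written as `./name` and the fallback dropped, or the fallback limited to names the user supplied explicitly. The trailing comment `// returns 1 if a profile was found in sysconfig directory` should also be corrected, since the function's own comment says it looks in ~/.config/firejail as well. profile_read()'s body starts and ends outside the hunk.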
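--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -94,7 +94,7 @@ Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
 
 This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line.
 
-Currently the only conditional supported is HAS_APPIMAGE.
+Currently the only conditionals supported are HAS_APPIMAGE and BROWSER_DISABLE_U2F.
 
 The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines.
 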