author | smitsohu <smitsohu@gmail.com> | 2021-05-21 23:25:09 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2021-05-22 15:26:57 +0200 |
commit | e391930dca9ccb4fce225f8364813b6bf127dd9b (patch) | |
tree | 3a3d3437220a78b30f62ff2ba1f1c3588da4d7aa /src | |
parent | Fix #4282 -- Unable to open X display when running firejail chromium command (diff) | |
add firejail.config switch for private-{bin,etc,opt,srv}
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/checkcfg.c | 8 | ||||
-rw-r--r-- | src/firejail/firejail.h | 10 | ||||
-rw-r--r-- | src/firejail/main.c | 104 | ||||
-rw-r--r-- | src/firejail/profile.c | 75 |
4 files changed, 117 insertions, 80 deletions
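--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -110,10 +110,14 @@ int checkcfg(int val) {
 PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network")
 PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title")
 PARSE_YESNO(CFG_OVERLAYFS, "overlayfs")
-PARSE_YESNO(CFG_PRIVATE_HOME, "private-home")
+PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin")
+PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local")
 PARSE_YESNO(CFG_PRIVATE_CACHE, "private-cache")
+PARSE_YESNO(CFG_PRIVATE_ETC, "private-etc")
+PARSE_YESNO(CFG_PRIVATE_HOME, "private-home")
 PARSE_YESNO(CFG_PRIVATE_LIB, "private-lib")
-PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local")
+PARSE_YESNO(CFG_PRIVATE_OPT, "private-opt")
+PARSE_YESNO(CFG_PRIVATE_SRV, "private-srv")
 PARSE_YESNO(CFG_DISABLE_MNT, "disable-mnt")
 PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach")
 PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f")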
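--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -766,8 +766,14 @@ enum {
 CFG_WHITELIST,
 CFG_XEPHYR_WINDOW_TITLE,
 CFG_OVERLAYFS,
-CFG_PRIVATE_HOME,
+CFG_PRIVATE_BIN,
 CFG_PRIVATE_BIN_NO_LOCAL,
+CFG_PRIVATE_CACHE,
+CFG_PRIVATE_ETC,
+CFG_PRIVATE_HOME,
+CFG_PRIVATE_LIB,
+CFG_PRIVATE_OPT,
+CFG_PRIVATE_SRV,
 CFG_FIREJAIL_PROMPT,
 CFG_FOLLOW_SYMLINK_AS_USER,
 CFG_DISABLE_MNT,
@@ -776,10 +782,8 @@ enum {
 CFG_XPRA_ATTACH,
 CFG_BROWSER_DISABLE_U2F,
 CFG_BROWSER_ALLOW_DRM,
-CFG_PRIVATE_LIB,
 CFG_APPARMOR,
 CFG_DBUS,
-CFG_PRIVATE_CACHE,
 CFG_CGROUP,
 CFG_NAME_CHANGE,
 CFG_SECCOMP_ERROR_ACTION,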
diff --git a/src/firejail/main.c b/src/firejail/main.c index 593835843..f011c5799 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1949,61 +1949,77 @@ int main(int argc, char **argv, char **envp) { | |||
1949 | arg_keep_dev_shm = 1; | 1949 | arg_keep_dev_shm = 1; |
1950 | } | 1950 | } |
1951 | else if (strncmp(argv[i], "--private-etc=", 14) == 0) { | 1951 | else if (strncmp(argv[i], "--private-etc=", 14) == 0) { |
1952 | if (arg_writable_etc) { | 1952 | if (checkcfg(CFG_PRIVATE_ETC)) { |
1953 | fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); | 1953 | if (arg_writable_etc) { |
1954 | exit(1); | 1954 | fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); |
1955 | } | 1955 | exit(1); |
1956 | } | ||
1956 | 1957 | ||
1957 | // extract private etc list | 1958 | // extract private etc list |
1958 | if (*(argv[i] + 14) == '\0') { | 1959 | if (*(argv[i] + 14) == '\0') { |
1959 | fprintf(stderr, "Error: invalid private-etc option\n"); | 1960 | fprintf(stderr, "Error: invalid private-etc option\n"); |
1960 | exit(1); | 1961 | exit(1); |
1962 | } | ||
1963 | if (cfg.etc_private_keep) { | ||
1964 | if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, argv[i] + 14) < 0 ) | ||
1965 | errExit("asprintf"); | ||
1966 | } else | ||
1967 | cfg.etc_private_keep = argv[i] + 14; | ||
1968 | arg_private_etc = 1; | ||
1961 | } | 1969 | } |
1962 | if (cfg.etc_private_keep) { | 1970 | else |
1963 | if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, argv[i] + 14) < 0 ) | 1971 | exit_err_feature("private-etc"); |
1964 | errExit("asprintf"); | ||
1965 | } else | ||
1966 | cfg.etc_private_keep = argv[i] + 14; | ||
1967 | arg_private_etc = 1; | ||
1968 | } | 1972 | } |
1969 | else if (strncmp(argv[i], "--private-opt=", 14) == 0) { | 1973 | else if (strncmp(argv[i], "--private-opt=", 14) == 0) { |
1970 | // extract private opt list | 1974 | if (checkcfg(CFG_PRIVATE_OPT)) { |
1971 | if (*(argv[i] + 14) == '\0') { | 1975 | // extract private opt list |
1972 | fprintf(stderr, "Error: invalid private-opt option\n"); | 1976 | if (*(argv[i] + 14) == '\0') { |
1973 | exit(1); | 1977 | fprintf(stderr, "Error: invalid private-opt option\n"); |
1978 | exit(1); | ||
1979 | } | ||
1980 | if (cfg.opt_private_keep) { | ||
1981 | if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, argv[i] + 14) < 0 ) | ||
1982 | errExit("asprintf"); | ||
1983 | } else | ||
1984 | cfg.opt_private_keep = argv[i] + 14; | ||
1985 | arg_private_opt = 1; | ||
1974 | } | 1986 | } |
1975 | if (cfg.opt_private_keep) { | 1987 | else |
1976 | if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, argv[i] + 14) < 0 ) | 1988 | exit_err_feature("private-opt"); |
1977 | errExit("asprintf"); | ||
1978 | } else | ||
1979 | cfg.opt_private_keep = argv[i] + 14; | ||
1980 | arg_private_opt = 1; | ||
1981 | } | 1989 | } |
1982 | else if (strncmp(argv[i], "--private-srv=", 14) == 0) { | 1990 | else if (strncmp(argv[i], "--private-srv=", 14) == 0) { |
1983 | // extract private srv list | 1991 | if (checkcfg(CFG_PRIVATE_SRV)) { |
1984 | if (*(argv[i] + 14) == '\0') { | 1992 | // extract private srv list |
1985 | fprintf(stderr, "Error: invalid private-srv option\n"); | 1993 | if (*(argv[i] + 14) == '\0') { |
1986 | exit(1); | 1994 | fprintf(stderr, "Error: invalid private-srv option\n"); |
1995 | exit(1); | ||
1996 | } | ||
1997 | if (cfg.srv_private_keep) { | ||
1998 | if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, argv[i] + 14) < 0 ) | ||
1999 | errExit("asprintf"); | ||
2000 | } else | ||
2001 | cfg.srv_private_keep = argv[i] + 14; | ||
2002 | arg_private_srv = 1; | ||
1987 | } | 2003 | } |
1988 | if (cfg.srv_private_keep) { | 2004 | else |
1989 | if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, argv[i] + 14) < 0 ) | 2005 | exit_err_feature("private-srv"); |
1990 | errExit("asprintf"); | ||
1991 | } else | ||
1992 | cfg.srv_private_keep = argv[i] + 14; | ||
1993 | arg_private_srv = 1; | ||
1994 | } | 2006 | } |
1995 | else if (strncmp(argv[i], "--private-bin=", 14) == 0) { | 2007 | else if (strncmp(argv[i], "--private-bin=", 14) == 0) { |
1996 | // extract private bin list | 2008 | if (checkcfg(CFG_PRIVATE_BIN)) { |
1997 | if (*(argv[i] + 14) == '\0') { | 2009 | // extract private bin list |
1998 | fprintf(stderr, "Error: invalid private-bin option\n"); | 2010 | if (*(argv[i] + 14) == '\0') { |
1999 | exit(1); | 2011 | fprintf(stderr, "Error: invalid private-bin option\n"); |
2012 | exit(1); | ||
2013 | } | ||
2014 | if (cfg.bin_private_keep) { | ||
2015 | if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, argv[i] + 14) < 0 ) | ||
2016 | errExit("asprintf"); | ||
2017 | } else | ||
2018 | cfg.bin_private_keep = argv[i] + 14; | ||
2019 | arg_private_bin = 1; | ||
2000 | } | 2020 | } |
2001 | if (cfg.bin_private_keep) { | 2021 | else |
2002 | if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, argv[i] + 14) < 0 ) | 2022 | exit_err_feature("private-bin"); |
2003 | errExit("asprintf"); | ||
2004 | } else | ||
2005 | cfg.bin_private_keep = argv[i] + 14; | ||
2006 | arg_private_bin = 1; | ||
2007 | } | 2023 | } |
2008 | else if (strncmp(argv[i], "--private-lib", 13) == 0) { | 2024 | else if (strncmp(argv[i], "--private-lib", 13) == 0) { |
2009 | if (checkcfg(CFG_PRIVATE_LIB)) { | 2025 | if (checkcfg(CFG_PRIVATE_LIB)) { |
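Review bot: The four gated branches for `--private-etc=`, `--private-opt=`, `--private-srv=` and `--private-bin=` repeat the same append-or-assign block, and the profile.c section of this commit repeats it four more times, so a later change to the list handling has to be made in eight places. A small helper declared in firejail.h would leave only what differs in each branch: the `checkcfg()` gate, the empty-list check and, for private-etc, the `--writable-etc` exclusion. The sketch below keeps the current behaviour, including not freeing the previous string when an option is repeated. main()'s body starts and ends outside this hunk.

```c
// proposed helper (name is a suggestion): join a new list onto a cfg.*_private_keep string
void keep_list_append(char **keep, char *list) {
	if (*keep) {
		if (asprintf(keep, "%s,%s", *keep, list) < 0)
			errExit("asprintf");
	}
	else
		*keep = list;
}

// … unchanged: strncmp dispatch, checkcfg(CFG_PRIVATE_BIN) gate, empty-list check …
			keep_list_append(&cfg.bin_private_keep, argv[i] + 14);
			arg_private_bin = 1;
```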
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index dd4506ac1..da28f0413 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -1275,56 +1275,69 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1275 | 1275 | ||
1276 | // private /etc list of files and directories | 1276 | // private /etc list of files and directories |
1277 | if (strncmp(ptr, "private-etc ", 12) == 0) { | 1277 | if (strncmp(ptr, "private-etc ", 12) == 0) { |
1278 | if (arg_writable_etc) { | 1278 | if (checkcfg(CFG_PRIVATE_ETC)) { |
1279 | fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); | 1279 | if (arg_writable_etc) { |
1280 | exit(1); | 1280 | fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); |
1281 | } | 1281 | exit(1); |
1282 | if (cfg.etc_private_keep) { | 1282 | } |
1283 | if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, ptr + 12) < 0 ) | 1283 | if (cfg.etc_private_keep) { |
1284 | errExit("asprintf"); | 1284 | if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, ptr + 12) < 0 ) |
1285 | } else { | 1285 | errExit("asprintf"); |
1286 | cfg.etc_private_keep = ptr + 12; | 1286 | } else { |
1287 | cfg.etc_private_keep = ptr + 12; | ||
1288 | } | ||
1289 | arg_private_etc = 1; | ||
1287 | } | 1290 | } |
1288 | arg_private_etc = 1; | 1291 | else |
1289 | 1292 | warning_feature_disabled("private-etc"); | |
1290 | return 0; | 1293 | return 0; |
1291 | } | 1294 | } |
1292 | 1295 | ||
1293 | // private /opt list of files and directories | 1296 | // private /opt list of files and directories |
1294 | if (strncmp(ptr, "private-opt ", 12) == 0) { | 1297 | if (strncmp(ptr, "private-opt ", 12) == 0) { |
1295 | if (cfg.opt_private_keep) { | 1298 | if (checkcfg(CFG_PRIVATE_OPT)) { |
1296 | if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, ptr + 12) < 0 ) | 1299 | if (cfg.opt_private_keep) { |
1297 | errExit("asprintf"); | 1300 | if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, ptr + 12) < 0 ) |
1298 | } else { | 1301 | errExit("asprintf"); |
1299 | cfg.opt_private_keep = ptr + 12; | 1302 | } else { |
1303 | cfg.opt_private_keep = ptr + 12; | ||
1304 | } | ||
1305 | arg_private_opt = 1; | ||
1300 | } | 1306 | } |
1301 | arg_private_opt = 1; | 1307 | else |
1302 | 1308 | warning_feature_disabled("private-opt"); | |
1303 | return 0; | 1309 | return 0; |
1304 | } | 1310 | } |
1305 | 1311 | ||
1306 | // private /srv list of files and directories | 1312 | // private /srv list of files and directories |
1307 | if (strncmp(ptr, "private-srv ", 12) == 0) { | 1313 | if (strncmp(ptr, "private-srv ", 12) == 0) { |
1308 | if (cfg.srv_private_keep) { | 1314 | if (checkcfg(CFG_PRIVATE_SRV)) { |
1309 | if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, ptr + 12) < 0 ) | 1315 | if (cfg.srv_private_keep) { |
1310 | errExit("asprintf"); | 1316 | if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, ptr + 12) < 0 ) |
1311 | } else { | 1317 | errExit("asprintf"); |
1312 | cfg.srv_private_keep = ptr + 12; | 1318 | } else { |
1319 | cfg.srv_private_keep = ptr + 12; | ||
1320 | } | ||
1321 | arg_private_srv = 1; | ||
1313 | } | 1322 | } |
1314 | arg_private_srv = 1; | 1323 | else |
1315 | 1324 | warning_feature_disabled("private-srv"); | |
1316 | return 0; | 1325 | return 0; |
1317 | } | 1326 | } |
1318 | 1327 | ||
1319 | // private /bin list of files | 1328 | // private /bin list of files |
1320 | if (strncmp(ptr, "private-bin ", 12) == 0) { | 1329 | if (strncmp(ptr, "private-bin ", 12) == 0) { |
1321 | if (cfg.bin_private_keep) { | 1330 | if (checkcfg(CFG_PRIVATE_BIN)) { |
1322 | if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, ptr + 12) < 0 ) | 1331 | if (cfg.bin_private_keep) { |
1323 | errExit("asprintf"); | 1332 | if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, ptr + 12) < 0 ) |
1324 | } else { | 1333 | errExit("asprintf"); |
1325 | cfg.bin_private_keep = ptr + 12; | 1334 | } else { |
1335 | cfg.bin_private_keep = ptr + 12; | ||
1336 | } | ||
1337 | arg_private_bin = 1; | ||
1326 | } | 1338 | } |
1327 | arg_private_bin = 1; | 1339 | else |
1340 | warning_feature_disabled("private-bin"); | ||
1328 | return 0; | 1341 | return 0; |
1329 | } | 1342 | } |
1330 | 1343 | ||
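Review bot: When a switch is off, each of the four `else` branches only calls `warning_feature_disabled(...)` and the handler still returns 0, so a profile written around `private-bin`, `private-etc`, `private-opt` or `private-srv` starts its sandbox with the full directory visible. The command-line path in main.c calls `exit_err_feature(...)` for the same options, so the two entry points differ in outcome, and nothing in the code says that this is intended. I would state it next to the first branch, for example `// disabled in firejail.config: skip the line and start the sandbox without this restriction (command line exits instead)`. What the warning prints, and whether it is suppressed in quiet mode, is not visible here and is worth checking, since it is the only signal an operator gets that isolation was reduced. profile_check_line() starts and ends outside this hunk.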