author | netblue30 <netblue30@yahoo.com> | 2016-07-09 12:26:56 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-07-09 12:26:56 -0400 |
commit | 7c964608ba3560d8869492c674f89a07f5240850 (patch) | |
tree | 767ca55fc82c4e2c661c0fcccb16564449fe2387 /src | |
parent | seccomp filter update (diff) | |
added --rmenv
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/env.c | 55 | ||||
-rw-r--r-- | src/firejail/firejail.h | 7 | ||||
-rw-r--r-- | src/firejail/main.c | 4 | ||||
-rw-r--r-- | src/firejail/profile.c | 6 | ||||
-rw-r--r-- | src/firejail/usage.c | 3 | ||||
-rw-r--r-- | src/man/firejail.txt | 22 |
6 files changed, 72 insertions, 25 deletions
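--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -27,12 +27,27 @@ typedef struct env_t {
 	struct env_t *next;
 	char *name;
 	char *value;
+	ENV_OP op;
 } Env;
 static Env *envlist = NULL;
 
 static void env_add(Env *env) {
-	env->next = envlist;
-	envlist = env;
+	env->next = NULL;
+
+	// add the new entry at the end of the list
+	if (envlist == NULL) {
+		envlist = env;
+		return;
+	}
+
+	Env *ptr = envlist;
+	while (1) {
+		if (ptr->next == NULL) {
+			ptr->next = env;
+			break;
+		}
+		ptr = ptr->next;
+	}
 }
 
 // load IBUS env variables
@@ -87,7 +102,7 @@ void env_ibus_load(void) {
 	if (arg_debug)
 		printf("%s\n", buf);
 	EUID_USER();
-	env_store(buf);
+	env_store(buf, SETENV);
 	EUID_ROOT();
 }
 
@@ -126,7 +141,7 @@ void env_defaults(void) {
 }
 
 // parse and store the environment setting
-void env_store(const char *str) {
+void env_store(const char *str, ENV_OP op) {
 	EUID_ASSERT();
 	assert(str);
 
@@ -134,11 +149,13 @@ void env_store(const char *str) {
 	if (*str == '\0')
 		goto errexit;
 	char *ptr = strchr(str, '=');
-	if (!ptr)
-		goto errexit;
-	ptr++;
-	if (*ptr == '\0')
-		goto errexit;
+	if (op == SETENV) {
+		if (!ptr)
+			goto errexit;
+		ptr++;
+		if (*ptr == '\0')
+			goto errexit;
+	}
 
 	// build list entry
 	Env *env = malloc(sizeof(Env));
@@ -148,10 +165,13 @@ void env_store(const char *str) {
 	env->name = strdup(str);
 	if (env->name == NULL)
 		errExit("strdup");
-	char *ptr2 = strchr(env->name, '=');
-	assert(ptr2);
-	*ptr2 = '\0';
-	env->value = ptr2 + 1;
+	if (op == SETENV) {
+		char *ptr2 = strchr(env->name, '=');
+		assert(ptr2);
+		*ptr2 = '\0';
+		env->value = ptr2 + 1;
+	}
+	env->op = op;
 
 	// add entry to the list
 	env_add(env);
@@ -167,8 +187,13 @@ void env_apply(void) {
 	Env *env = envlist;
 
 	while (env) {
-		if (setenv(env->name, env->value, 1) < 0)
-			errExit("setenv");
+		if (env->op == SETENV) {
+			if (setenv(env->name, env->value, 1) < 0)
+				errExit("setenv");
+		}
+		else if (env->op == RMENV) {
+			unsetenv(env->name);
+		}
 		env = env->next;
 	}
 }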
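Review bot: The RMENV path in env_store gets none of the validation SETENV gets, so a name containing '=' (`--rmenv=FOO=bar`, or `rmenv FOO=bar` in a profile) is stored as-is and later handed to unsetenv() in env_apply, where POSIX specifies failure with EINVAL; because the return value at new line 195 is discarded, the variable silently stays set in the sandbox, while the setenv branch directly above errExit()s on failure. Mirror the SETENV check with `else if (ptr) goto errexit;` after the `if (op == SETENV) { … }` block at new lines 152–158, and treat removal like the set: `if (unsetenv(env->name) < 0) errExit("unsetenv");`. The RMENV entry also leaves env->value uninitialized after the malloc at new line 161, since only the SETENV branch at new lines 168–173 assigns it; it is not read on that path today, but `env->value = NULL;` before `if (op == SETENV)` keeps a future debug print from dereferencing garbage. The same unchecked input arrives from the new `--rmenv=` branch in main.c and the `rmenv ` branch in profile.c, so the fix belongs here rather than in the callers. env_store and env_apply both begin and end outside these hunks.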
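--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -493,7 +493,12 @@ int check_kernel_procs(void);
 void run_no_sandbox(int argc, char **argv);
 
 // env.c
-void env_store(const char *str);
+typedef enum {
+	SETENV = 0,
+	RMENV
+} ENV_OP;
+
+void env_store(const char *str, ENV_OP op);
 void env_apply(void);
 void env_defaults(void);
 void env_ibus_load(void);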
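Review bot: The new ENV_OP enum at new lines 496–499 carries no comment, so a reader of the header cannot tell what the two operations mean or where they are consumed. Add above `typedef enum {` a comment such as `// one request recorded by env_store() and replayed by env_apply(): SETENV exports name=value into the sandbox, RMENV removes name from its environment`. The all-caps typedef name also reads as a macro at first glance; a CamelCase name in the style of the `Env` typedef in env.c (e.g. `EnvOp`) would follow the usual C convention, though that is style only.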
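--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1465,7 +1465,9 @@ int main(int argc, char **argv) {
 			arg_nonewprivs = 1;
 		}
 		else if (strncmp(argv[i], "--env=", 6) == 0)
-			env_store(argv[i] + 6);
+			env_store(argv[i] + 6, SETENV);
+		else if (strncmp(argv[i], "--rmenv=", 8) == 0)
+			env_store(argv[i] + 8, RMENV);
 		else if (strcmp(argv[i], "--nosound") == 0) {
 			arg_nosound = 1;
 		}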
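--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -457,7 +457,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 	}
 
 	if (strncmp(ptr, "env ", 4) == 0) {
-		env_store(ptr + 4);
+		env_store(ptr + 4, SETENV);
+		return 0;
+	}
+	if (strncmp(ptr, "rmenv ", 6) == 0) {
+		env_store(ptr + 6, RMENV);
 		return 0;
 	}
 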
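--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -208,6 +208,7 @@ void usage(void) {
 
 	printf(" --quiet - turn off Firejail's output.\n\n");
 	printf(" --read-only=dirname_or_filename - set directory or file read-only..\n\n");
+	printf(" --read-write=dirname_or_filename - set directory or file read-write..\n\n");
 	printf(" --rlimit-fsize=number - set the maximum file size that can be created\n");
 	printf("\tby a process.\n\n");
 	printf(" --rlimit-nofile=number - set the maximum number of files that can be\n");
@@ -216,7 +217,7 @@ void usage(void) {
 	printf("\tcreated for the real user ID of the calling process.\n\n");
 	printf(" --rlimit-sigpending=number - set the maximum number of pending signals\n");
 	printf("\tfor a process.\n\n");
-	printf(" --read-write=dirname_or_filename - set directory or file read-write..\n\n");
+	printf(" --rmenv=name - remove environment variable in the new sandbox.\n\n");
 #ifdef HAVE_NETWORK
 	printf(" --scan - ARP-scan all the networks from inside a network namespace.\n");
 	printf("\tThis makes it possible to detect macvlan kernel device drivers\n");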
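--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1172,6 +1172,15 @@ make the whitelist read-only. Example:
 $ firejail --whitelist=~/work --read-only=~ --read-only=~/work
 
 .TP
+\fB\-\-read-write=dirname_or_filename
+By default, the sandbox mounts system directories read-only.
+These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64.
+Use this option to mount read-write files or directories inside the system directories.
+
+This option is available only to root user. It has no effect when --chroot or --overlay are also set. In these
+cases the system directories are mounted read-write.
+
+.TP
 \fB\-\-rlimit-fsize=number
 Set the maximum file size that can be created by a process.
 .TP
@@ -1185,13 +1194,14 @@ Set the maximum number of processes that can be created for the real user ID of
 Set the maximum number of pending signals for a process.
 
 .TP
-\fB\-\-read-write=dirname_or_filename
-By default, the sandbox mounts system directories read-only.
-These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64.
-Use this option to mount read-write files or directories inside the system directories.
+\fB\-\-rmenv=name
+Remove environment variable in the new sandbox.
+.br
 
-This option is available only to root user. It has no effect when --chroot or --overlay are also set. In these
-cases the system directories are mounted read-write.
+.br
+Example:
+.br
+$ firejail \-\-rmenv=DBUS_SESSION_BUS_ADDRESS
 
 .TP
 \fB\-\-scan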