author | crass <development@efficientek.com> | 2018-10-17 00:20:09 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-10-17 00:20:09 -0500 |
commit | b26d21e586a0f11e8b9e10a1e62bacdc8e3e40fc (patch) | |
tree | 67d8468fd420488becad805730ed8bc9061303dc /src | |
parent | firejail.config: clarify disable-mnt behaviour (diff) | |
parent | Update documentation for profile conditionals. (diff) | |
Merge pull request #2158 from crass/profile_conditional
#2158: Add support for rudimentary conditionals in profiles
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/profile.c | 87 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 12 |
2 files changed, 99 insertions, 0 deletions
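--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -132,12 +132,99 @@ void profile_add_ignore(const char *str) {
 }
 
 
+int profile_check_conditional(char *ptr, int lineno, const char *fname) {
+	struct cond_t {
+		char *name; // conditional name
+		size_t len; // length of name
+		bool value; // true if set
+	} conditionals[] = {
+		{"HAS_APPIMAGE", strlen("HAS_APPIMAGE"), arg_appimage!=0},
+		NULL
+	}, *cond = conditionals;
+	char *tmp = ptr, *msg = NULL;
+
+	if (*ptr++ != '?')
+		return 1;
+
+	while (cond->name) {
+		// continue if not this conditional
+		if (strncmp(ptr, cond->name, cond->len) != 0) {
+			cond++;
+			continue;
+		}
+		ptr += cond->len;
+
+		if (*ptr == ' ')
+			ptr++;
+		if (*ptr++ != ':') {
+			msg = "invalid syntax: colon must come after conditional";
+			ptr = tmp;
+			goto error;
+		}
+		if (*ptr == '\0') {
+			msg = "invalid conditional line: no profile line after conditional";
+			ptr = tmp;
+			goto error;
+		}
+		if (*ptr == ' ')
+			ptr++;
+
+		// if set, continue processing statement in caller
+		if (cond->value) {
+			// move ptr to start of profile line
+			ptr = strdup(ptr);
+			if (!ptr)
+				errExit("strdup");
+
+			// check that the profile line does not contain either
+			// quiet or include directives
+			if ((strncmp(ptr, "quiet", 5) == 0) ||
+			    (strncmp(ptr, "include", 7) == 0)) {
+				msg = "invalid profile line: quiet and include not allowed in conditionals";
+				ptr = tmp;
+				goto error;
+			}
+			free(tmp);
+
+			// verify syntax, exit in case of error
+			if (profile_check_line(ptr, lineno, fname))
+				profile_add(ptr);
+		}
+		// tell caller to ignore
+		return 0;
+	}
+
+	tmp = ptr;
+	// get the conditional used
+	while (*tmp != ':' && *tmp != '\0')
+		tmp++;
+	*tmp = '\0';
+
+	// this was a '?' prefix, but didn't match any of the conditionals
+	msg = "invalid/unsupported conditional";
+
+error:
+	fprintf(stderr, "Error: %s (\"%s\"", msg, ptr);
+	if (lineno == 0) ;
+	else if (fname != NULL)
+		fprintf(stderr, " on line %d in %s", lineno, fname);
+	else
+		fprintf(stderr, " on line %d in the custom profile", lineno);
+	fprintf(stderr, ")\n");
+	exit(1);
+}
+
+
 // check profile line; if line == 0, this was generated from a command line option
 // return 1 if the command is to be added to the linked list of profile commands
 // return 0 if the command was already executed inside the function
 int profile_check_line(char *ptr, int lineno, const char *fname) {
 	EUID_ASSERT();
 
+	// check and process conditional profile lines
+	if (profile_check_conditional(ptr, lineno, fname) == 0)
+		return 0;
+
 	// check ignore list
 	if (is_in_ignore_list(ptr))
 		return 0;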
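Review bot: Ownership of the caller's line is inconsistent in profile_check_conditional: the `free(tmp)` after the quiet/include check releases the buffer the caller passed in, but the other `return 0` path (conditional matched but false) leaves it untouched, and the caller of profile_check_line is outside this hunk, so whether it frees ptr on a 0 return cannot be seen here. Whichever the caller does, one of the two paths is likely wrong (a leak or a double free), so the contract should be stated in a header comment matching the one on profile_check_line, e.g. `// process a "?COND: line" conditional; return 1 if ptr is not a conditional, 0 if it was handled here (ptr is freed when the conditional is true)`. The bare `NULL` terminator in the conditionals initializer relies on brace elision and trips -Wmissing-braces; `{NULL, 0, false}` says what is meant. The empty `if (lineno == 0) ;` statement reads like an accidental semicolon; `if (lineno != 0) {` with the two fprintf branches inside is clearer. profile_check_line continues past the end of the hunk.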
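--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -87,6 +87,18 @@ Example: "blacklist ~/My Virtual Machines"
 \fB# this is a comment
 
 .TP
+\fB?CONDITIONAL: profile line
+Conditionally add profile line.
+
+Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
+
+This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line.
+
+Currently the only conditional supported is HAS_APPIMAGE.
+
+The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines.
+
+.TP
 \fBinclude other.profile
 Include other.profile file.
 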