diff options
| author |  netblue30 <netblue30@yahoo.com> | 2017-11-02 13:03:34 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2017-11-02 13:03:34 -0400 |
| commit | ac5a936b331ab738ff5dadfb5153b6480f9b0bce (patch) | |
| tree | 417ef1eb2481f9aab8627099ec48d11aa5493483 /src | |
| parent | fixing filesystem reporting for firetools (diff) | |
| download | firejail-ac5a936b331ab738ff5dadfb5153b6480f9b0bce.tar.gz firejail-ac5a936b331ab738ff5dadfb5153b6480f9b0bce.tar.zst firejail-ac5a936b331ab738ff5dadfb5153b6480f9b0bce.zip | |
matching noblacklist in profile files with blacklist in disable-programs.inc
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/fs.c | 33 |
1 files changed, 31 insertions, 2 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index ed2c9a566..addeb619e 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
| @@ -183,10 +183,24 @@ static void disable_file(OPERATION op, const char *filename) { | |||
| 183 | free(fname); | 183 | free(fname); |
| 184 | } | 184 | } |
| 185 | 185 | ||
| 186 | // check noblacklist statements not matched by a proper blacklist in disable-*.inc files | ||
| 187 | static int nbcheck_start = 0; | ||
| 188 | static size_t nbcheck_size = 0; | ||
| 189 | static int *nbcheck = NULL; | ||
| 190 | |||
| 186 | // Treat pattern as a shell glob pattern and blacklist matching files | 191 | // Treat pattern as a shell glob pattern and blacklist matching files |
| 187 | static void globbing(OPERATION op, const char *pattern, const char *noblacklist[], size_t noblacklist_len) { | 192 | static void globbing(OPERATION op, const char *pattern, const char *noblacklist[], size_t noblacklist_len) { |
| 188 | assert(pattern); | 193 | assert(pattern); |
| 189 | 194 | ||
| 195 | if (nbcheck_start == 0) { | ||
| 196 | nbcheck_start = 1; | ||
| 197 | nbcheck_size = noblacklist_len; | ||
| 198 | nbcheck = malloc(sizeof(int) * noblacklist_len); | ||
| 199 | if (nbcheck == NULL) | ||
| 200 | errExit("malloc"); | ||
| 201 | memset(nbcheck, 0, sizeof(int) * noblacklist_len); | ||
| 202 | } | ||
| 203 | |||
| 190 | glob_t globbuf; | 204 | glob_t globbuf; |
| 191 | // Profiles contain blacklists for files that might not exist on a user's machine. | 205 | // Profiles contain blacklists for files that might not exist on a user's machine. |
| 192 | // GLOB_NOCHECK makes that okay. | 206 | // GLOB_NOCHECK makes that okay. |
| @@ -212,6 +226,8 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[ | |||
| 212 | continue; | 226 | continue; |
| 213 | else if (result == 0) { | 227 | else if (result == 0) { |
| 214 | okay_to_blacklist = false; | 228 | okay_to_blacklist = false; |
| 229 | if (j < nbcheck_size) // noblacklist checking | ||
| 230 | nbcheck[j] = 1; | ||
| 215 | break; | 231 | break; |
| 216 | } | 232 | } |
| 217 | else { | 233 | else { |
| @@ -403,8 +419,21 @@ void fs_blacklist(void) { | |||
| 403 | } | 419 | } |
| 404 | 420 | ||
| 405 | size_t i; | 421 | size_t i; |
| 406 | for (i = 0; i < noblacklist_c; i++) free(noblacklist[i]); | 422 | // noblacklist checking |
| 407 | free(noblacklist); | 423 | for (i = 0; i < nbcheck_size; i++) |
| 424 | if (!arg_quiet && !nbcheck[i]) | ||
| 425 | printf("TESTING warning: noblacklist %s not matched by a proper blacklist command in disable*.inc\n", | ||
| 426 | noblacklist[i]); | ||
| 427 | |||
| 428 | // free memory | ||
| 429 | if (nbcheck) { | ||
| 430 | free(nbcheck); | ||
| 431 | nbcheck = NULL; | ||
| 432 | nbcheck_size = 0; | ||
| 433 | } | ||
| 434 | for (i = 0; i < noblacklist_c; i++) | ||
| 435 | free(noblacklist[i]); | ||
| 436 | free(noblacklist); | ||
| 408 | } | 437 | } |
| 409 | 438 | ||
| 410 | static int get_mount_flags(const char *path, unsigned long *flags) { | 439 | static int get_mount_flags(const char *path, unsigned long *flags) { |