Merge branch 'master' of https://github.com/netblue30/firejail

author: smitsohu <smitsohu@gmail.com> 2018-11-10 15:07:12 +0100
committer: smitsohu <smitsohu@gmail.com> 2018-11-10 15:07:12 +0100
commit: 8f707a5f23e193f411930421ef2555282404c775 (patch)
tree: 9a69739b655eba1c6940f75611242bcbf7e93b91 /src
parent: unreadable firejail.users database fixes (diff)
parent: Merge pull request #2253 from crass/fix-appimage-double-dash-handling (diff)
download: firejail-8f707a5f23e193f411930421ef2555282404c775.tar.gz
firejail-8f707a5f23e193f411930421ef2555282404c775.tar.zst
firejail-8f707a5f23e193f411930421ef2555282404c775.zip
5 files changed, 31 insertions, 16 deletions
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 50f952e91..45e28fe40 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -371,6 +371,15 @@ int checkcfg(int val) {
                                else
                                        goto errout;
                        }
+                        // browser-disable-u2f
+                        else if (strncmp(ptr, "browser-disable-u2f ", 20) == 0) {
+                                if (strcmp(ptr + 20, "yes") == 0)
+                                        cfg_val[CFG_BROWSER_DISABLE_U2F] = 1;
+                                else if (strcmp(ptr + 20, "no") == 0)
+                                        cfg_val[CFG_BROWSER_DISABLE_U2F] = 0;
+                                else
+                                        goto errout;
+                        }
                        else
                                goto errout;
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 7f6ed2586..8a397e3d8 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -461,7 +461,6 @@ void fs_mnt(const int enforce);
 // profile.c
 // find and read the profile specified by name from dir directory
-int profile_find(const char *name, const char *dir, int add_ext);
 int profile_find_firejail(const char *name, int add_ext);
 // read a profile file
 void profile_read(const char *fname);
@@ -771,6 +770,7 @@ enum {
        CFG_JOIN,
        CFG_ARP_PROBES,
        CFG_XPRA_ATTACH,
+        CFG_BROWSER_DISABLE_U2F,
        CFG_PRIVATE_LIB,
        CFG_APPARMOR,
        CFG_DBUS,
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 23d9a1d51..4cb87aaa6 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2244,21 +2244,18 @@ int main(int argc, char **argv) {
                                return 1;
                        }
                }
-                else if (strcmp(argv[i], "--") == 0) {
+                else {
                        // double dash - positional params to follow
-                        arg_doubledash = 1;
+                        if (strcmp(argv[i], "--") == 0) {
-                        i++;
+                                arg_doubledash = 1;
-                        if (i  >= argc) {
+                                i++;
-                                fprintf(stderr, "Error: program name not found\n");
+                                if (i  >= argc) {
-                                exit(1);
+                                        fprintf(stderr, "Error: program name not found\n");
+                                        exit(1);
+                                }
                        }
-                        extract_command_name(i, argv);
-                        prog_index = i;
-                        break;
-                }
-                else {
                        // is this an invalid option?
-                        if (*argv[i] == '-') {
+                        else if (*argv[i] == '-') {
                                fprintf(stderr, "Error: invalid %s command line option\n", argv[i]);
                                return 1;
                        }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index c7c8fd9fa..5f5d94ddf 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -25,7 +25,8 @@ extern char *xephyr_screen;
 #define MAX_READ 8192                             // line buffer for profile files
 // find and read the profile specified by name from dir directory
-int profile_find(const char *name, const char *dir, int add_ext) {
+// return  1 if a profile was found
+static int profile_find(const char *name, const char *dir, int add_ext) {
        EUID_ASSERT();
        assert(name);
        assert(dir);
@@ -64,6 +65,7 @@ int profile_find(const char *name, const char *dir, int add_ext) {
 }
 // search and read the profile specified by name from firejail directories
+// return  1 if a profile was found
 int profile_find_firejail(const char *name, int add_ext) {
        // look for a profile in ~/.config/firejail directory
        char *usercfgdir;
@@ -139,6 +141,7 @@ int profile_check_conditional(char *ptr, int lineno, const char *fname) {
                bool value;     // true if set
        } conditionals[] = {
                {"HAS_APPIMAGE", strlen("HAS_APPIMAGE"), arg_appimage!=0},
+                {"BROWSER_DISABLE_U2F", strlen("BROWSER_DISABLE_U2F"), checkcfg(CFG_BROWSER_DISABLE_U2F)!=0},
                NULL
        }, *cond = conditionals;
        char *tmp = ptr, *msg = NULL;
@@ -1437,7 +1440,13 @@ void profile_read(const char *fname) {
                                ptr2++;
                        // profile path contains no / chars, do a search
                        if (*ptr2 == '\0') {
-                                profile_find_firejail(newprofile, 0);
+                                int rv = profile_find_firejail(newprofile, 0); // returns 1 if a profile was found in sysconfig directory
+                                if (!rv) {
+                                        // maybe this is a file in the local working directory?
+                                        // it will stop the sandbox if not!
+                                        // Note: if the file ends in .local it will not stop the program
+                                        profile_read(newprofile);
+                                }
                        }
                        else {
                                profile_read(newprofile);
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index e26b5f989..251346bd5 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -94,7 +94,7 @@ Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
 This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line.
-Currently the only conditional supported is HAS_APPIMAGE.
+Currently the only conditionals supported are HAS_APPIMAGE and BROWSER_DISABLE_U2F.
 The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines.
author	smitsohu <smitsohu@gmail.com>	2018-11-10 15:07:12 +0100
committer	smitsohu <smitsohu@gmail.com>	2018-11-10 15:07:12 +0100
commit	8f707a5f23e193f411930421ef2555282404c775 (patch)
tree	9a69739b655eba1c6940f75611242bcbf7e93b91 /src
parent	unreadable firejail.users database fixes (diff)
parent	Merge pull request #2253 from crass/fix-appimage-double-dash-handling (diff)
download	firejail-8f707a5f23e193f411930421ef2555282404c775.tar.gz firejail-8f707a5f23e193f411930421ef2555282404c775.tar.zst firejail-8f707a5f23e193f411930421ef2555282404c775.zip