author | netblue30 <netblue30@yahoo.com> | 2015-08-24 09:05:18 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2015-08-24 09:05:18 -0400 |
commit | 820de6829fedccffb8b3c32f079436fa7e89273e (patch) | |
tree | a1e0cf62b892e91d18de28d7459180339c5636d1 /src | |
parent | private-home testing (diff) | |
added --env option
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/env.c | 78 | ||||
-rw-r--r-- | src/firejail/firejail.h | 4 | ||||
-rw-r--r-- | src/firejail/main.c | 2 | ||||
-rw-r--r-- | src/firejail/no_sandbox.c | 23 | ||||
-rw-r--r-- | src/firejail/profile.c | 5 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 3 | ||||
-rw-r--r-- | src/firejail/usage.c | 5 | ||||
-rw-r--r-- | src/lib/libnetlink.c | 4 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 12 | ||||
-rw-r--r-- | src/man/firejail.txt | 10 |
10 files changed, 141 insertions, 5 deletions
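--- /dev/null
+++ b/src/firejail/env.c
@@ -0,0 +1,78 @@
+/*
+* Copyright (C) 2014, 2015 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "firejail.h"
+
+typedef struct env_t {
+struct env_t *next;
+char *name;
+char *value;
+} Env;
+static Env *envlist = NULL;
+
+static void env_add(Env *env) {
+env->next = envlist;
+envlist = env;
+}
+
+// parse and store the environment setting
+void env_store(const char *str) {
+assert(str);
+
+// some basic checking
+if (*str == '\0')
+goto errexit;
+char *ptr = strchr(str, '=');
+if (!ptr)
+goto errexit;
+ptr++;
+if (*ptr == '\0')
+goto errexit;
+
+// build list entry
+Env *env = malloc(sizeof(Env));
+if (!env)
+errExit("malloc");
+memset(env, 0, sizeof(Env));
+env->name = strdup(str);
+if (env->name == NULL)
+errExit("strdup");
+char *ptr2 = strchr(env->name, '=');
+assert(ptr2);
+*ptr2 = '\0';
+env->value = ptr2 + 1;
+
+// add entry to the list
+env_add(env);
+return;
+
+errexit:
+fprintf(stderr, "Error: invalid --env setting\n");
+exit(1);
+}
+
+// set env variables in the new sandbox process
+void env_apply(void) {
+Env *env = envlist;
+
+while (env) {
+setenv(env->name, env->value, 1);
+env = env->next;
+}
+}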
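Review bot: env_apply() ignores the return value of setenv(), and env_store() never rejects an empty name, so a setting such as `=value` passes the checks and then fails silently when applied. Reject it at parse time with `if (ptr == str) goto errexit;` right after the strchr() test, and check the call the way the PROMPT_COMMAND call in sandbox.c does: `if (setenv(env->name, env->value, 1) < 0) errExit("setenv");`. The name is also stored with no restriction, so loader- and shell-controlling variables can be set through both callers (the `--env=` branch in main.c and the `env ` keyword in profile.c); whether that needs a deny list depends on what the sandbox process executes before it drops privileges, which this file does not show. A comment on `env->value` saying that it points into the `env->name` allocation would keep a later cleanup from freeing it separately.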
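--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -363,5 +363,9 @@ void fs_private_etc_list(void);
 int check_kernel_procs(void);
 void run_no_sandbox(int argc, char **argv);
 
+// env.c
+void env_store(const char *str);
+void env_apply(void);
+
 #endif
 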
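--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -764,6 +764,8 @@ int main(int argc, char **argv) {
 else if (strcmp(argv[i], "--noroot") == 0) {
 check_user_namespace();
 }
+else if (strncmp(argv[i], "--env=", 6) == 0)
+env_store(argv[i] + 6);
 
 //*************************************
 // network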
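Review bot: The new `--env=` branch is written without braces while the `--noroot` branch directly above it uses them; `else if (strncmp(argv[i], "--env=", 6) == 0) { env_store(argv[i] + 6); }` keeps the chain uniform and safe against a later second statement. A one-line comment that env_store() terminates the program on a malformed setting would also help a reader of main(), whose body extends well beyond this hunk.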
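--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -1,7 +1,27 @@
+/*
+* Copyright (C) 2014, 2015 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
 #include "firejail.h"
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <unistd.h>
+#include <grp.h>
 
 // check process space for kernel processes
 // return 1 if found, 0 if not found
@@ -112,7 +132,8 @@ void run_no_sandbox(int argc, char **argv) {
 // start the program in /bin/sh
 fprintf(stderr, "Warning: an existing sandbox was detected. "
 "%s will run without any additional sandboxing features in a /bin/sh shell\n", command);
-system(command);
+rv = system(command);
+(void) rv;
 if (allocated)
 free(command);
 exit(1);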
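Review bot: The result of `system(command)` is stored in `rv` and then discarded with `(void) rv;`, which silences the unused-result warning without handling a failed launch; the function then calls `exit(1)` whatever happened. Consider `if (rv == -1) errExit("system");` and exiting with the command's own status otherwise. The declaration of `rv` and the construction of `command` are outside the hunk, so how `command` is quoted before it reaches /bin/sh cannot be checked here; it deserves a look, since it is presumably assembled from argv. The added `#include <grp.h>` has no visible user in either hunk.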
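--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -137,6 +137,11 @@ int profile_check_line(char *ptr, int lineno) {
 return 0;
 }
 
+if (strncmp(ptr, "env ", 4) == 0) {
+env_store(ptr + 4);
+return 0;
+}
+
 // seccomp drop list on top of default list
 if (strncmp(ptr, "seccomp ", 8) == 0) {
 arg_seccomp = 1;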
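Review bot: A malformed `env` line in a profile ends in env_store()'s `Error: invalid --env setting` message, which names a command-line option and drops the `lineno` that profile_check_line() has at hand. Validating the line here first, or giving env_store() a way to report failure to its caller, would let the profile path name the offending line. `ptr + 4` is also passed on unmodified, so a quoted value such as the `env CFLAGS="-W -Wall -Werror"` example added to firejail-profile.txt would keep its quote characters in the stored value unless the line is unquoted before this function; that preprocessing is not visible in the hunk.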
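--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -359,7 +359,8 @@ int sandbox(void* sandbox_arg) {
 //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] '
 if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0)
 errExit("setenv");
-
+// set user-supplied environment variables
+env_apply();
 
 // set capabilities
 if (!arg_noroot)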
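Review bot: env_apply() is placed before the `// set capabilities` step, so the caller-chosen variables are already in the environment while the process may still hold elevated privileges. If anything is executed between this call and the privilege drop (the rest of sandbox() is outside the hunk), it would inherit names such as LD_PRELOAD or PATH picked by the user; moving the call to just before the final exec of the sandboxed program, after privileges are dropped, removes that window. The comment could then state the ordering requirement, for example `// user-supplied variables: apply only after privileges are dropped`.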
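--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -78,6 +78,9 @@ void usage(void) {
 printf("\t\tby name.\n\n");
 printf("\t--dns.print=pid - print DNS configuration of the sandbox identified.\n");
 printf("\t\tby PID.\n\n");
+
+printf("\t--env=name=value - set environment variable in the new sandbox\n");
+
 printf("\t--help, -? - this help screen.\n\n");
 printf("\t--ip=address - set interface IP address.\n\n");
 printf("\t--ip=none - no IP address and no default gateway address are configured\n");
@@ -275,7 +278,7 @@ void usage(void) {
 printf("\tPrcs - number of processes running in sandbox, including the controlling\n");
 printf("\t process.\n");
 printf("\tRES - Resident Memory Size (KiB), sandbox non-swapped physical memory.\n");
-printf("\t It is a sum of the RES values for all processes running in the\n");
+printf("\t It is a sum of the RES valprivate-etcues for all processes running in the\n");
 printf("\t sandbox.\n");
 printf("\tSHR - Shared Memory Size (KiB), it reflects memory shared with other\n");
 printf("\t processes. It is a sum of the SHR values for all processes running\n");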
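Review bot: The second hunk changes the RES help text to `RES valprivate-etcues`; the string `private-etc` looks like a stray paste into the middle of `values`, and the line should go back to `... sum of the RES values for all processes running in the\n`. In the first hunk the new `--env` entry ends in a single `\n` while its neighbours end in `\n\n`, so the blank line that separates entries in the printed help is missing; the empty source lines around the printf do not supply it.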
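--- a/src/lib/libnetlink.c
+++ b/src/lib/libnetlink.c
@@ -159,7 +159,7 @@ int rtnl_send_check(struct rtnl_handle *rth, const void *buf, int len)
 return -1;
 }
 
-for (h = (struct nlmsghdr *)resp; NLMSG_OK(h, status);
+for (h = (struct nlmsghdr *)resp; NLMSG_OK(h, (unsigned) status);
 h = NLMSG_NEXT(h, status)) {
 if (h->nlmsg_type == NLMSG_ERROR) {
 struct nlmsgerr *err = (struct nlmsgerr*)NLMSG_DATA(h);
@@ -239,7 +239,7 @@ int rtnl_dump_filter_l(struct rtnl_handle *rth,
 struct nlmsghdr *h = (struct nlmsghdr*)buf;
 msglen = status;
 
-while (NLMSG_OK(h, msglen)) {
+while (NLMSG_OK(h, (unsigned) msglen)) {
 int err;
 
 if (nladdr.nl_pid != 0 ||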
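Review bot: Casting the remaining length to `unsigned` inside NLMSG_OK() removes the sign check the macro relies on: with the usual definition, `len >= (int)sizeof(struct nlmsghdr)` becomes an unsigned comparison, so a negative `status` or `msglen` turns into a very large length and the header checks pass. NLMSG_NEXT() subtracts the aligned message length and can take the counter below zero when the last message is not padded, which is the case the signed comparison used to stop. Keeping the warning fix while restoring the guard would look like `status > 0 && NLMSG_OK(h, (unsigned) status)` in rtnl_send_check() and `while (msglen > 0 && NLMSG_OK(h, (unsigned) msglen)) {` in rtnl_dump_filter_l(). Both function bodies extend beyond the hunks, so whether the length is already known to be positive at these points is not visible.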
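--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -162,6 +162,18 @@ The sandbox is placed in g1 control group.
 .SH User Environment
 
 .TP
+env LD_LIBRARY_PATH=/opt/test/lib
+Set environment variable.
+.br
+Examples:
+.br
+
+.br
+env LD_LIBRARY_PATH=/opt/test/lib
+.br
+env CFLAGS="-W -Wall -Werror"
+
+.TP
 nogroups
 Disable supplementary user groups
 .TP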
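--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -299,6 +299,16 @@ $ firejail \-\-list
 $ firejail \-\-dns.print=3272
 
 .TP
+\fB\-\-env=name=value
+Set environment variable in the new sandbox.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-env=LD_LIBRARY_PATH=/opt/test/lib
+
+.TP
 \fB\-?\fR, \fB\-\-help\fR
 Print options end exit.
 .TP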