author | netblue30 <netblue30@yahoo.com> | 2015-08-31 06:46:57 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2015-08-31 06:46:57 -0400 |
commit | c400b75a70af36c6f81a77f4c0fbd5bcc33fcce0 (patch) | |
tree | b222da7db5ccf3cec25f274dcad77b2c17f5ea4b /src | |
parent | admin work (diff) | |
using /etc/firejail/server.profile as default profile if the sandbox is started by root
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 3 | ||||
-rw-r--r-- | src/firejail/main.c | 12 | ||||
-rw-r--r-- | src/firejail/usage.c | 6 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 32 | ||||
-rw-r--r-- | src/man/firejail.txt | 52 |
5 files changed, 61 insertions, 44 deletions
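--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -28,7 +28,8 @@
 #define MNT_DIR "/tmp/firejail/mnt"
 #define HOME_DIR "/tmp/firejail/mnt/home"
 #define ETC_DIR "/tmp/firejail/mnt/etc"
-#define GENERIC_PROFILE_NAME "generic"
+#define DEFAULT_USER_PROFILE "generic"
+#define DEFAULT_ROOT_PROFILE "server"
 #define MAX_INCLUDE_LEVEL 6
 
 // main.c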
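--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1058,20 +1058,26 @@ printf("here %s:%d\n", __FILE__, __LINE__);
 
 // use generic.profile as the default
 if (!custom_profile && !arg_noprofile) {
+char *profile_name = DEFAULT_USER_PROFILE;
+if (getuid() == 0)
+profile_name = DEFAULT_ROOT_PROFILE;
 if (arg_debug)
-printf("Attempting to find %s.profile...",GENERIC_PROFILE_NAME);
+printf("Attempting to find %s.profile...", profile_name);
 
 // look for the profile in ~/.config/firejail directory
 char *usercfgdir;
 if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)
 errExit("asprintf");
-custom_profile = profile_find(GENERIC_PROFILE_NAME, usercfgdir);
+custom_profile = profile_find(profile_name, usercfgdir);
 free(usercfgdir);
 
 if (!custom_profile) {
 // look for the profile in /etc/firejail directory
-custom_profile = profile_find(GENERIC_PROFILE_NAME, "/etc/firejail");
+custom_profile = profile_find(profile_name, "/etc/firejail");
 }
+
+if (custom_profile)
+printf("Note: %s profile can be disabled by --noprofile option.\n", profile_name);
 }
 
 // check and assign an IP address - for macvlan it will be done again in the sandbox!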
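Review bot: When neither `profile_find()` call locates the file, the new `if (custom_profile)` at new line 1079 has no else branch, so a root-started sandbox on a host without server.profile gives no indication in this block that the default profile was not applied; the only trace is the `arg_debug` message. A warning on stderr would make that case visible, for example `else fprintf(stderr, "Warning: default %s.profile not found\n", profile_name);`. The comment above the block still reads `// use generic.profile as the default` and could become `// use generic.profile (regular user) or server.profile (root) as the default`. The enclosing function begins and ends outside this hunk, so how an unset `custom_profile` is handled afterwards is not visible here.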
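--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -137,8 +137,10 @@ void usage(void) {
 
 printf("\t--noprofile - do not use a profile. Profile priority is use the one\n");
 printf("\t\tspecified on the command line, next try to find one that\n");
-printf("\t\tmatches the command name, and lastly use %s.profile.\n\n",GENERIC_PROFILE_NAME);
-
+printf("\t\tmatches the command name, and lastly use %s.profile\n", DEFAULT_USER_PROFILE);
+printf("\t\tif running as regular user or %s.profile if running as\n", DEFAULT_ROOT_PROFILE);
+printf("\t\troot.\n\n");
+
 printf("\t--noroot - install a user namespace with a single user - the current\n");
 printf("\t\tuser. root user does not exist in the new namespace. This option\n");
 printf("\t\tis not supported for --chroot and --overlay configurations.\n\n");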
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 246098bb7..5167a4c42 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -7,15 +7,18 @@ profile \- Security profile file syntax for Firejail | |||
7 | firejail \-\-profile=filename.profile | 7 | firejail \-\-profile=filename.profile |
8 | 8 | ||
9 | .SH DESCRIPTION | 9 | .SH DESCRIPTION |
10 | Several Firejail command line configuration options can be passed to the program using | 10 | Several command line options can be passed to the program using |
11 | profile files. | 11 | profile files. Firejail chooses the profile file as follows: |
12 | Firejail chooses a security profile in the following order: | ||
13 | 12 | ||
14 | 1. If a profile is provided by the user with --profile option, the profile is loaded. | 13 | 1. If a profile file is provided by the user with --profile option, the profile file is loaded. |
15 | Example: | 14 | Example: |
16 | .PP | 15 | .PP |
17 | .RS | 16 | .RS |
18 | $ firejail --profile=/home/netblue/icecat.profile icecat | 17 | $ firejail --profile=/home/netblue/icecat.profile icecat |
18 | .br | ||
19 | Reading profile /home/netblue/icecat.profile | ||
20 | .br | ||
21 | [...] | ||
19 | .RE | 22 | .RE |
20 | 23 | ||
21 | 2. If a profile file with the same name as the application is present in ~/.config/firejail directory or | 24 | 2. If a profile file with the same name as the application is present in ~/.config/firejail directory or |
@@ -26,7 +29,6 @@ $ firejail icecat | |||
26 | .br | 29 | .br |
27 | Command name #icecat# | 30 | Command name #icecat# |
28 | .br | 31 | .br |
29 | .br | ||
30 | Found icecat profile in /home/netblue/.config/firejail directory | 32 | Found icecat profile in /home/netblue/.config/firejail directory |
31 | .br | 33 | .br |
32 | Reading profile /home/netblue/.config/firejail/icecat.profile | 34 | Reading profile /home/netblue/.config/firejail/icecat.profile |
@@ -34,29 +36,31 @@ Reading profile /home/netblue/.config/firejail/icecat.profile | |||
34 | [...] | 36 | [...] |
35 | .RE | 37 | .RE |
36 | 38 | ||
37 | 3. Use the default profile in /etc/firejail/generic.profile. This can be disabled with --noprofile. Example: | 39 | 3. Use a default.profile file if the sandbox |
40 | is started by a regular user, or a server.profile file if the sandbox | ||
41 | is started by root. Firejail looks for these files in ~/.config/firejail directory, followed by /etc/firejail directory. | ||
42 | To disable default profile loading, use --noroot command option. Example: | ||
38 | .PP | 43 | .PP |
39 | .RS | 44 | .RS |
40 | $ firejail \-\-noprofile | 45 | $ firejail |
46 | .br | ||
47 | Reading profile /etc/firejail/generic.profile | ||
41 | .br | 48 | .br |
42 | Parent pid 8553, child pid 8554 | 49 | Parent pid 8553, child pid 8554 |
43 | .br | 50 | .br |
44 | Child process initialized | 51 | Child process initialized |
45 | .br | 52 | .br |
46 | $ exit | 53 | [...] |
47 | .br | 54 | .br |
55 | |||
48 | .br | 56 | .br |
49 | parent is shutting down, bye... | 57 | $ firejail \-\-noprofile |
50 | .br | ||
51 | $ firejail | ||
52 | .br | ||
53 | Reading profile /etc/firejail/generic.profile | ||
54 | .br | 58 | .br |
55 | Parent pid 8553, child pid 8554 | 59 | Parent pid 8553, child pid 8554 |
56 | .br | 60 | .br |
57 | Child process initialized | 61 | Child process initialized |
58 | .br | 62 | .br |
59 | $ | 63 | [...] |
60 | .RE | 64 | .RE |
61 | 65 | ||
62 | .SH Scripting | 66 | .SH Scripting |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index c07a02c57..62176b84f 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -52,8 +52,8 @@ The default Firejail filesystem is based on the host filesystem with the main di | |||
52 | Only /home, /tmp and /var directories are writable. | 52 | Only /home, /tmp and /var directories are writable. |
53 | .PP | 53 | .PP |
54 | As it starts up, Firejail tries to find a security profile based on the name of the application. | 54 | As it starts up, Firejail tries to find a security profile based on the name of the application. |
55 | If an appropriate profile is not found, Firejail will use the default profile stored in /etc/firejail/default.profile. | 55 | If an appropriate profile is not found, Firejail will use a default profile. |
56 | The default security profile is quite restrictive. In case the application doesn't work, use --noprofile option | 56 | The default profile is quite restrictive. In case the application doesn't work, use --noprofile option |
57 | to disable it. For more information, please see SECURITY PROFILES section. | 57 | to disable it. For more information, please see SECURITY PROFILES section. |
58 | .PP | 58 | .PP |
59 | If a program argument is not specified, Firejail starts /bin/bash shell. | 59 | If a program argument is not specified, Firejail starts /bin/bash shell. |
@@ -575,32 +575,31 @@ $ | |||
575 | 575 | ||
576 | .TP | 576 | .TP |
577 | \fB\-\-noprofile | 577 | \fB\-\-noprofile |
578 | Do not use a profile. | 578 | Do not use a security profile. |
579 | .br | 579 | .br |
580 | 580 | ||
581 | .br | 581 | .br |
582 | Example: | 582 | Example: |
583 | .br | 583 | .br |
584 | $ firejail \-\-noprofile | 584 | $ firejail |
585 | .br | ||
586 | Reading profile /etc/firejail/generic.profile | ||
585 | .br | 587 | .br |
586 | Parent pid 8553, child pid 8554 | 588 | Parent pid 8553, child pid 8554 |
587 | .br | 589 | .br |
588 | Child process initialized | 590 | Child process initialized |
589 | .br | 591 | .br |
590 | $ exit | 592 | [...] |
591 | .br | 593 | .br |
594 | |||
592 | .br | 595 | .br |
593 | parent is shutting down, bye... | 596 | $ firejail \-\-noprofile |
594 | .br | ||
595 | $ firejail | ||
596 | .br | ||
597 | Reading profile /etc/firejail/generic.profile | ||
598 | .br | 597 | .br |
599 | Parent pid 8553, child pid 8554 | 598 | Parent pid 8553, child pid 8554 |
600 | .br | 599 | .br |
601 | Child process initialized | 600 | Child process initialized |
602 | .br | 601 | .br |
603 | $ | 602 | [...] |
604 | 603 | ||
605 | .TP | 604 | .TP |
606 | \fB\-\-noroot | 605 | \fB\-\-noroot |
@@ -1194,14 +1193,18 @@ User | |||
1194 | The owner of the sandbox. | 1193 | The owner of the sandbox. |
1195 | 1194 | ||
1196 | .SH SECURITY PROFILES | 1195 | .SH SECURITY PROFILES |
1197 | Several command line configuration options can be passed to the program using | 1196 | Several command line options can be passed to the program using |
1198 | profile files. Firejail chooses a security profile in the following order: | 1197 | profile files. Firejail chooses the profile file as follows: |
1199 | 1198 | ||
1200 | 1. If a profile is provided by the user with --profile option, the profile is loaded. | 1199 | 1. If a profile file is provided by the user with --profile option, the profile file is loaded. |
1201 | Example: | 1200 | Example: |
1202 | .PP | 1201 | .PP |
1203 | .RS | 1202 | .RS |
1204 | $ firejail --profile=/home/netblue/icecat.profile icecat | 1203 | $ firejail --profile=/home/netblue/icecat.profile icecat |
1204 | .br | ||
1205 | Reading profile /home/netblue/icecat.profile | ||
1206 | .br | ||
1207 | [...] | ||
1205 | .RE | 1208 | .RE |
1206 | 1209 | ||
1207 | 2. If a profile file with the same name as the application is present in ~/.config/firejail directory or | 1210 | 2. If a profile file with the same name as the application is present in ~/.config/firejail directory or |
@@ -1212,7 +1215,6 @@ $ firejail icecat | |||
1212 | .br | 1215 | .br |
1213 | Command name #icecat# | 1216 | Command name #icecat# |
1214 | .br | 1217 | .br |
1215 | .br | ||
1216 | Found icecat profile in /home/netblue/.config/firejail directory | 1218 | Found icecat profile in /home/netblue/.config/firejail directory |
1217 | .br | 1219 | .br |
1218 | Reading profile /home/netblue/.config/firejail/icecat.profile | 1220 | Reading profile /home/netblue/.config/firejail/icecat.profile |
@@ -1220,29 +1222,31 @@ Reading profile /home/netblue/.config/firejail/icecat.profile | |||
1220 | [...] | 1222 | [...] |
1221 | .RE | 1223 | .RE |
1222 | 1224 | ||
1223 | 3. Use the default profile in /etc/firejail/generic.profile | 1225 | 3. Use a default.profile file if the sandbox |
1226 | is started by a regular user, or a server.profile file if the sandbox | ||
1227 | is started by root. Firejail looks for these files in ~/.config/firejail directory, followed by /etc/firejail directory. | ||
1228 | To disable default profile loading, use --noroot command option. Example: | ||
1224 | .PP | 1229 | .PP |
1225 | .RS | 1230 | .RS |
1226 | $ firejail \-\-noprofile | 1231 | $ firejail |
1232 | .br | ||
1233 | Reading profile /etc/firejail/generic.profile | ||
1227 | .br | 1234 | .br |
1228 | Parent pid 8553, child pid 8554 | 1235 | Parent pid 8553, child pid 8554 |
1229 | .br | 1236 | .br |
1230 | Child process initialized | 1237 | Child process initialized |
1231 | .br | 1238 | .br |
1232 | $ exit | 1239 | [...] |
1233 | .br | 1240 | .br |
1241 | |||
1234 | .br | 1242 | .br |
1235 | parent is shutting down, bye... | 1243 | $ firejail \-\-noprofile |
1236 | .br | ||
1237 | $ firejail | ||
1238 | .br | ||
1239 | Reading profile /etc/firejail/generic.profile | ||
1240 | .br | 1244 | .br |
1241 | Parent pid 8553, child pid 8554 | 1245 | Parent pid 8553, child pid 8554 |
1242 | .br | 1246 | .br |
1243 | Child process initialized | 1247 | Child process initialized |
1244 | .br | 1248 | .br |
1245 | $ | 1249 | [...] |
1246 | .RE | 1250 | .RE |
1247 | 1251 | ||
1248 | See man 5 firejail-profile for profile file syntax information. | 1252 | See man 5 firejail-profile for profile file syntax information. |