author | netblue30 <netblue30@yahoo.com> | 2015-10-26 09:58:10 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2015-10-26 09:58:10 -0400 |
commit | 79e828eaa999a666c7c332e81ac56cb3211486d1 (patch) | |
tree | 0e26d6f0084d7f85dd93d24f8155c1e4f7388e89 /src | |
parent | support ignore command in profile files (diff) | |
download | firejail-79e828eaa999a666c7c332e81ac56cb3211486d1.tar.gz firejail-79e828eaa999a666c7c332e81ac56cb3211486d1.tar.zst firejail-79e828eaa999a666c7c332e81ac56cb3211486d1.zip |
support ignore command in profile files
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/profile.c | 21 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 17 |
3 files changed, 36 insertions, 4 deletions
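--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -81,7 +81,7 @@ typedef struct config_t {
 
 // filesystem
 ProfileEntry *profile;
-#define MAX_PROFILE_IGNORE 16
+#define MAX_PROFILE_IGNORE 32
 char *profile_ignore[MAX_PROFILE_IGNORE];
 char *chrootdir; // chroot directory
 char *home_private; // private home directory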
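--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -75,6 +75,27 @@ int profile_check_line(char *ptr, int lineno) {
 if (strncmp(ptr, cfg.profile_ignore[i], strlen(cfg.profile_ignore[i])) == 0)
 return 0; // ignore line
 }
+
+if (strncmp(ptr, "ignore ", 7) == 0) {
+char *str = strdup(ptr + 7);
+if (*str == '\0') {
+fprintf(stderr, "Error: invalid ignore option\n");
+exit(1);
+}
+// find an empty entry in profile_ignore array
+int j;
+for (j = 0; j < MAX_PROFILE_IGNORE; j++) {
+if (cfg.profile_ignore[j] == NULL)
+break;
+}
+if (j >= MAX_PROFILE_IGNORE) {
+fprintf(stderr, "Error: maximum %d --ignore options are permitted\n", MAX_PROFILE_IGNORE);
+exit(1);
+}
+// ... and configure it
+cfg.profile_ignore[j] = str;
+return 0;
+}
 
 // seccomp, caps, private, user namespace
 if (strcmp(ptr, "noroot") == 0) {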
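Review bot: `strdup(ptr + 7)` on new line 80 is dereferenced on line 81 without a NULL check, so an allocation failure becomes a crash with no diagnostic instead of an error exit; add `if (!str) { perror("strdup"); exit(1); }` (or the project's usual allocation-failure helper) before the `*str == '\0'` test. The message on line 92 names the `--ignore` command-line option although this branch is only reached from a profile file, so a user reading it may look in the wrong place; `"Error: maximum %d ignore commands are permitted\n"` would match where the entry came from. Because the check on context line 75 uses strncmp bounded by the stored entry's length, the argument is matched as a line prefix rather than as a whole command name, which is worth stating in the comment on line 85, e.g. `// stored entry is matched as a prefix of later profile lines`. profile_check_line begins before this hunk and continues after it.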
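--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -64,7 +64,10 @@ Child process initialized
 .RE
 
 .SH Scripting
-Include and comment support:
+Scripting commands:
+
+.TP
+# this is a comment
 
 .TP
 \f\include other.profile exclude-token
@@ -83,13 +86,21 @@ Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1"
 Note: exclude-token is deprecated, use noblacklist command instead.
 
 .TP
-# this is a comment
+\f\noblacklist file_name
+If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow.
+
+Example: "noblacklist ${HOME}/.mozilla"
+
+.TP
+\f\ignore command
+Ignore command.
+
+Example: "ignore seccomp"
 
 .SH Filesystem
 These profile entries define a chroot filesystem built on top of the existing
 host filesystem. Each line describes a file element that is removed from
 the filesystem (\fBblacklist\fR), a read-only file or directory (\fBread-only\fR),
-a filter for finer control of blacklisting (\fBnoblacklist\fR),
 a tmpfs mounted on top of an existing directory (\fBtmpfs\fR),
 or mount-bind a directory or file on top of another directory or file (\fBbind\fR).
 Use \fBprivate\fR to set private mode.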