implemented --ignore option

author: netblue30 <netblue30@yahoo.com> 2015-10-25 07:58:04 -0400
committer: netblue30 <netblue30@yahoo.com> 2015-10-25 07:58:04 -0400
commit: df6aa573c121dfadf36715bb4b08d91e5867f3b9 (patch)
tree: 83809acddbbe27b6a22cfdadd98b4a622750d674 /src
parent: bug: disable whitelists if private home options are present (diff)
download: firejail-df6aa573c121dfadf36715bb4b08d91e5867f3b9.tar.gz
firejail-df6aa573c121dfadf36715bb4b08d91e5867f3b9.tar.zst
firejail-df6aa573c121dfadf36715bb4b08d91e5867f3b9.zip
6 files changed, 44 insertions, 2 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 297624c3b..74958487c 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -81,6 +81,8 @@ typedef struct config_t {
        
        // filesystem
        ProfileEntry *profile;
+#define MAX_PROFILE_IGNORE 16   
+        char *profile_ignore[MAX_PROFILE_IGNORE];
        char *chrootdir;        // chroot directory
        char *home_private;     // private home directory
        char *home_private_keep;        // keep list for private home directory
diff --git a/src/firejail/main.c b/src/firejail/main.c
index e76f1b4f1..0def00fa8 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -711,6 +711,26 @@ int main(int argc, char **argv) {
                        }
                        arg_noprofile = 1;
                }
+                else if (strncmp(argv[i], "--ignore=", 9) == 0) {
+                        char *ptr = argv[i] + 9;
+                        if (*(argv[i] + 9) == '\0') {
+                                fprintf(stderr, "Error: invalid ignore option\n");
+                                exit(1);
+                        }
+                        
+                        // find an empty entry in profile_ignore array
+                        int j;
+                        for (j = 0; j < MAX_PROFILE_IGNORE; j++) {
+                                if (cfg.profile_ignore[j] == NULL) 
+                                        break;
+                        }
+                        if (j >= MAX_PROFILE_IGNORE) {
+                                fprintf(stderr, "Error: maximum %d --ignore options are permitted\n", MAX_PROFILE_IGNORE);
+                                exit(1);
+                        }
+                        // ... and configure it
+                        cfg.profile_ignore[j] = argv[i] + 9;
+                }
 #ifdef HAVE_CHROOT              
                else if (strncmp(argv[i], "--chroot=", 9) == 0) {
                        if (arg_overlay) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index e6c31bc0a..1195dd14d 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -66,6 +66,16 @@ int profile_find(const char *name, const char *dir) {
 // return 1 if the command is to be added to the linked list of profile commands
 // return 0 if the command was already executed inside the function
 int profile_check_line(char *ptr, int lineno) {
+        // check ignore list
+        int i;
+        for (i = 0; i < MAX_PROFILE_IGNORE; i++) {
+                if (cfg.profile_ignore[i] == NULL)
+                        break;
+                
+                if (strncmp(ptr, cfg.profile_ignore[i], strlen(cfg.profile_ignore[i])) == 0)
+                        return 0;       // ignore line
+        }
        // seccomp, caps, private, user namespace
        if (strcmp(ptr, "noroot") == 0) {
                check_user_namespace();
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 6075fe23e..3c5a176e6 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -476,7 +476,7 @@ int sandbox(void* sandbox_arg) {
        if (arg_noroot) {
                set_caps();
                if (arg_debug)
-                        printf("User namespace (noroot) installed\n");
+                        printf("noroot user namespace installed\n");
        }
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 43e21433e..d3cad1e63 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -85,7 +85,7 @@ void usage(void) {
        
        printf("\t--help, -? - this help screen.\n\n");
        printf("\t--hostname=name - set sandbox hostname.\n\n");
-        
+        printf("\t--ignore=command - ignore command in profile files.\n\n");
        printf("\t--interface=name - move interface in a new network namespace. Up to\n");
        printf("\t\tfour --interface options can be sepcified.\n\n");
        
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index e311c66b0..1814fe92a 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -341,6 +341,16 @@ Example:
 $ firejail \-\-hostname=officepc firefox
 .TP
+\fB\-\-ignore=command
+Ignore command in profile file.
+.br
+.br
+Example:
+.br
+$ firejail \-\-ignore=shell --ignore=seccomp firefox
+.TP
 \fB\-\-interface=interface
 Move interface in a new network namespace. Up to four --interface options can be sepcified.
 .br
author	netblue30 <netblue30@yahoo.com>	2015-10-25 07:58:04 -0400
committer	netblue30 <netblue30@yahoo.com>	2015-10-25 07:58:04 -0400
commit	df6aa573c121dfadf36715bb4b08d91e5867f3b9 (patch)
tree	83809acddbbe27b6a22cfdadd98b4a622750d674 /src
parent	bug: disable whitelists if private home options are present (diff)
download	firejail-df6aa573c121dfadf36715bb4b08d91e5867f3b9.tar.gz firejail-df6aa573c121dfadf36715bb4b08d91e5867f3b9.tar.zst firejail-df6aa573c121dfadf36715bb4b08d91e5867f3b9.zip

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 297624c3b..74958487c 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -81,6 +81,8 @@ typedef struct config_t {
81		81
82	// filesystem	82	// filesystem
83	ProfileEntry *profile;	83	ProfileEntry *profile;
		84	#define MAX_PROFILE_IGNORE 16
		85	char *profile_ignore[MAX_PROFILE_IGNORE];
84	char *chrootdir; // chroot directory	86	char *chrootdir; // chroot directory
85	char *home_private; // private home directory	87	char *home_private; // private home directory
86	char *home_private_keep; // keep list for private home directory	88	char *home_private_keep; // keep list for private home directory


diff --git a/src/firejail/main.c b/src/firejail/main.c index e76f1b4f1..0def00fa8 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -711,6 +711,26 @@ int main(int argc, char **argv) {
711	}	711	}
712	arg_noprofile = 1;	712	arg_noprofile = 1;
713	}	713	}
		714	else if (strncmp(argv[i], "--ignore=", 9) == 0) {
		715	char *ptr = argv[i] + 9;
		716	if (*(argv[i] + 9) == '\0') {
		717	fprintf(stderr, "Error: invalid ignore option\n");
		718	exit(1);
		719	}
		720
		721	// find an empty entry in profile_ignore array
		722	int j;
		723	for (j = 0; j < MAX_PROFILE_IGNORE; j++) {
		724	if (cfg.profile_ignore[j] == NULL)
		725	break;
		726	}
		727	if (j >= MAX_PROFILE_IGNORE) {
		728	fprintf(stderr, "Error: maximum %d --ignore options are permitted\n", MAX_PROFILE_IGNORE);
		729	exit(1);
		730	}
		731	// ... and configure it
		732	cfg.profile_ignore[j] = argv[i] + 9;
		733	}
714	#ifdef HAVE_CHROOT	734	#ifdef HAVE_CHROOT
715	else if (strncmp(argv[i], "--chroot=", 9) == 0) {	735	else if (strncmp(argv[i], "--chroot=", 9) == 0) {
716	if (arg_overlay) {	736	if (arg_overlay) {


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index e6c31bc0a..1195dd14d 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -66,6 +66,16 @@ int profile_find(const char name, const char dir) {
66	// return 1 if the command is to be added to the linked list of profile commands	66	// return 1 if the command is to be added to the linked list of profile commands
67	// return 0 if the command was already executed inside the function	67	// return 0 if the command was already executed inside the function
68	int profile_check_line(char *ptr, int lineno) {	68	int profile_check_line(char *ptr, int lineno) {
		69	// check ignore list
		70	int i;
		71	for (i = 0; i < MAX_PROFILE_IGNORE; i++) {
		72	if (cfg.profile_ignore[i] == NULL)
		73	break;
		74
		75	if (strncmp(ptr, cfg.profile_ignore[i], strlen(cfg.profile_ignore[i])) == 0)
		76	return 0; // ignore line
		77	}
		78
69	// seccomp, caps, private, user namespace	79	// seccomp, caps, private, user namespace
70	if (strcmp(ptr, "noroot") == 0) {	80	if (strcmp(ptr, "noroot") == 0) {
71	check_user_namespace();	81	check_user_namespace();


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 6075fe23e..3c5a176e6 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -476,7 +476,7 @@ int sandbox(void* sandbox_arg) {
476	if (arg_noroot) {	476	if (arg_noroot) {
477	set_caps();	477	set_caps();
478	if (arg_debug)	478	if (arg_debug)
479	printf("User namespace (noroot) installed\n");	479	printf("noroot user namespace installed\n");
480	}	480	}
481		481
482		482


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 43e21433e..d3cad1e63 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -85,7 +85,7 @@ void usage(void) {
85		85
86	printf("\t--help, -? - this help screen.\n\n");	86	printf("\t--help, -? - this help screen.\n\n");
87	printf("\t--hostname=name - set sandbox hostname.\n\n");	87	printf("\t--hostname=name - set sandbox hostname.\n\n");
88		88	printf("\t--ignore=command - ignore command in profile files.\n\n");
89	printf("\t--interface=name - move interface in a new network namespace. Up to\n");	89	printf("\t--interface=name - move interface in a new network namespace. Up to\n");
90	printf("\t\tfour --interface options can be sepcified.\n\n");	90	printf("\t\tfour --interface options can be sepcified.\n\n");
91		91


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index e311c66b0..1814fe92a 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -341,6 +341,16 @@ Example:
341	$ firejail \-\-hostname=officepc firefox	341	$ firejail \-\-hostname=officepc firefox
342		342
343	.TP	343	.TP
		344	\fB\-\-ignore=command
		345	Ignore command in profile file.
		346	.br
		347
		348	.br
		349	Example:
		350	.br
		351	$ firejail \-\-ignore=shell --ignore=seccomp firefox
		352
		353	.TP
344	\fB\-\-interface=interface	354	\fB\-\-interface=interface
345	Move interface in a new network namespace. Up to four --interface options can be sepcified.	355	Move interface in a new network namespace. Up to four --interface options can be sepcified.
346	.br	356	.br