fixed --profile option

author: netblue30 <netblue30@yahoo.com> 2016-04-16 08:39:25 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-04-16 08:39:25 -0400
commit: 128c4882110cf1a35efff623d0dd348cc1025e73 (patch)
tree: a9c40b4548ca1697274c4ea6adf9354e6f3174a6 /src
parent: x11 fixes (diff)
download: firejail-128c4882110cf1a35efff623d0dd348cc1025e73.tar.gz
firejail-128c4882110cf1a35efff623d0dd348cc1025e73.tar.zst
firejail-128c4882110cf1a35efff623d0dd348cc1025e73.zip
1 files changed, 9 insertions, 5 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c
index bdf960b96..6b50b450c 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1154,23 +1154,27 @@ int main(int argc, char **argv) {
                                fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n");
                                exit(1);
                        }
-                        invalid_filename(argv[i] + 10);
+                        
+                        char *ppath = expand_home(argv[i] + 10, cfg.homedir);
+                        if (!ppath)
+                                errExit("strdup");
+                        invalid_filename(ppath);
                        
                        // multiple profile files are allowed!
-                        char *ptr = argv[i] + 10;
+                        if (is_dir(ppath) || is_link(ppath) || strstr(ppath, "..")) {
-                        if (is_dir(ptr) || is_link(ptr) || strstr(ptr, "..")) {
                                fprintf(stderr, "Error: invalid profile file\n");
                                exit(1);
                        }
                        
                        // access call checks as real UID/GID, not as effective UID/GID
-                        if (access(argv[i] + 10, R_OK)) {
+                        if (access(ppath, R_OK)) {
                                fprintf(stderr, "Error: cannot access profile file\n");
                                return 1;
                        }
-                        profile_read(argv[i] + 10);
+                        profile_read(ppath);
                        custom_profile = 1;
+                        free(ppath);
                }
                else if (strncmp(argv[i], "--profile-path=", 15) == 0) {
                        if (arg_noprofile) {
author	netblue30 <netblue30@yahoo.com>	2016-04-16 08:39:25 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-04-16 08:39:25 -0400
commit	128c4882110cf1a35efff623d0dd348cc1025e73 (patch)
tree	a9c40b4548ca1697274c4ea6adf9354e6f3174a6 /src
parent	x11 fixes (diff)
download	firejail-128c4882110cf1a35efff623d0dd348cc1025e73.tar.gz firejail-128c4882110cf1a35efff623d0dd348cc1025e73.tar.zst firejail-128c4882110cf1a35efff623d0dd348cc1025e73.zip

diff --git a/src/firejail/main.c b/src/firejail/main.c index bdf960b96..6b50b450c 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -1154,23 +1154,27 @@ int main(int argc, char **argv) {
1154	fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n");	1154	fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n");
1155	exit(1);	1155	exit(1);
1156	}	1156	}
1157	invalid_filename(argv[i] + 10);	1157
		1158	char *ppath = expand_home(argv[i] + 10, cfg.homedir);
		1159	if (!ppath)
		1160	errExit("strdup");
		1161	invalid_filename(ppath);
1158		1162
1159	// multiple profile files are allowed!	1163	// multiple profile files are allowed!
1160	char *ptr = argv[i] + 10;	1164	if (is_dir(ppath) \|\| is_link(ppath) \|\| strstr(ppath, "..")) {
1161	if (is_dir(ptr) \|\| is_link(ptr) \|\| strstr(ptr, "..")) {
1162	fprintf(stderr, "Error: invalid profile file\n");	1165	fprintf(stderr, "Error: invalid profile file\n");
1163	exit(1);	1166	exit(1);
1164	}	1167	}
1165		1168
1166	// access call checks as real UID/GID, not as effective UID/GID	1169	// access call checks as real UID/GID, not as effective UID/GID
1167	if (access(argv[i] + 10, R_OK)) {	1170	if (access(ppath, R_OK)) {
1168	fprintf(stderr, "Error: cannot access profile file\n");	1171	fprintf(stderr, "Error: cannot access profile file\n");
1169	return 1;	1172	return 1;
1170	}	1173	}
1171		1174
1172	profile_read(argv[i] + 10);	1175	profile_read(ppath);
1173	custom_profile = 1;	1176	custom_profile = 1;
		1177	free(ppath);
1174	}	1178	}
1175	else if (strncmp(argv[i], "--profile-path=", 15) == 0) {	1179	else if (strncmp(argv[i], "--profile-path=", 15) == 0) {
1176	if (arg_noprofile) {	1180	if (arg_noprofile) {