added --env option

author: netblue30 <netblue30@yahoo.com> 2015-08-24 09:05:18 -0400
committer: netblue30 <netblue30@yahoo.com> 2015-08-24 09:05:18 -0400
commit: 820de6829fedccffb8b3c32f079436fa7e89273e (patch)
tree: a1e0cf62b892e91d18de28d7459180339c5636d1 /src
parent: private-home testing (diff)
download: firejail-820de6829fedccffb8b3c32f079436fa7e89273e.tar.gz
firejail-820de6829fedccffb8b3c32f079436fa7e89273e.tar.zst
firejail-820de6829fedccffb8b3c32f079436fa7e89273e.zip
10 files changed, 141 insertions, 5 deletions
diff --git a/src/firejail/env.c b/src/firejail/env.c
new file mode 100644
index 000000000..b4557e56f
--- /dev/null
+++ b/src/firejail/env.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2014, 2015 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#include "firejail.h"
+typedef struct env_t {
+        struct env_t *next;
+        char *name;
+        char *value;
+} Env;
+static Env *envlist = NULL;
+static void env_add(Env *env) {
+        env->next = envlist;
+        envlist = env;
+}
+// parse and store the environment setting 
+void env_store(const char *str) {
+        assert(str);
+        
+        // some basic checking
+        if (*str == '\0')
+                goto errexit;
+        char *ptr = strchr(str, '=');
+        if (!ptr)
+                goto errexit;
+        ptr++;
+        if (*ptr == '\0')
+                goto errexit;
+        // build list entry
+        Env *env = malloc(sizeof(Env));
+        if (!env)
+                errExit("malloc");
+        memset(env, 0, sizeof(Env));
+        env->name = strdup(str);
+        if (env->name == NULL)
+                errExit("strdup");
+        char *ptr2 = strchr(env->name, '=');
+        assert(ptr2);
+        *ptr2 = '\0';
+        env->value = ptr2 + 1;
+        
+        // add entry to the list
+        env_add(env);
+        return;
+        
+errexit:
+        fprintf(stderr, "Error: invalid --env setting\n");
+        exit(1);
+}
+// set env variables in the new sandbox process
+void env_apply(void) {
+        Env *env = envlist;
+        
+        while (env) {
+                setenv(env->name, env->value, 1);
+                env = env->next;
+        }
+}
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 93265ef4f..868e1fca0 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -363,5 +363,9 @@ void fs_private_etc_list(void);
 int check_kernel_procs(void);
 void run_no_sandbox(int argc, char **argv);
+// env.c
+void env_store(const char *str);
+void env_apply(void);
 #endif
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 9acfb254f..5d895c4a0 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -764,6 +764,8 @@ int main(int argc, char **argv) {
                else if (strcmp(argv[i], "--noroot") == 0) {
                        check_user_namespace();
                }
+                else if (strncmp(argv[i], "--env=", 6) == 0)
+                        env_store(argv[i] + 6);
                
                //*************************************
                // network
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 9dc01435f..5603974aa 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -1,7 +1,27 @@
+/*
+ * Copyright (C) 2014, 2015 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
 #include "firejail.h"
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <unistd.h>
+#include <grp.h>
 // check process space for kernel processes
 // return 1 if found, 0 if not found
@@ -112,7 +132,8 @@ void run_no_sandbox(int argc, char **argv) {
        // start the program in /bin/sh
        fprintf(stderr, "Warning: an existing sandbox was detected. "
                "%s will run without any additional sandboxing features in a /bin/sh shell\n", command);
-        system(command);
+        rv = system(command);
+        (void) rv;
        if (allocated)
                free(command);
        exit(1);
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 4341434ac..4a050db20 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -137,6 +137,11 @@ int profile_check_line(char *ptr, int lineno) {
                return 0;
        }
        
+        if (strncmp(ptr, "env ", 4) == 0) {
+                env_store(ptr + 4);
+                return 0;
+        }
+        
        // seccomp drop list on top of default list
        if (strncmp(ptr, "seccomp ", 8) == 0) {
                arg_seccomp = 1;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 6135c8eac..46cb03da7 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -359,7 +359,8 @@ int sandbox(void* sandbox_arg) {
        //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] '
        if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0)
                errExit("setenv");
-                
+        // set user-supplied environment variables
+        env_apply();
        // set capabilities
        if (!arg_noroot)
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 3afe5580f..d9ca7e615 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -78,6 +78,9 @@ void usage(void) {
        printf("\t\tby name.\n\n");
        printf("\t--dns.print=pid - print DNS configuration of the sandbox identified.\n");
        printf("\t\tby PID.\n\n");
+        
+        printf("\t--env=name=value - set environment variable in the new sandbox\n");
+        
        printf("\t--help, -? - this help screen.\n\n");
        printf("\t--ip=address - set interface IP address.\n\n");
        printf("\t--ip=none - no IP address and no default gateway address are configured\n");
@@ -275,7 +278,7 @@ void usage(void) {
        printf("\tPrcs - number of processes running in sandbox, including the controlling\n");
        printf("\t       process.\n");
        printf("\tRES - Resident Memory Size (KiB), sandbox non-swapped physical memory.\n");
-        printf("\t      It is a sum of the RES values for all processes running in the\n");
+        printf("\t      It is a sum of the RES valprivate-etcues for all processes running in the\n");
        printf("\t      sandbox.\n");
        printf("\tSHR - Shared Memory Size (KiB), it reflects memory shared with other\n");
        printf("\t      processes. It is a sum of the SHR values for all processes running\n");
diff --git a/src/lib/libnetlink.c b/src/lib/libnetlink.c
index 40fb099f7..fddbc209d 100644
--- a/src/lib/libnetlink.c
+++ b/src/lib/libnetlink.c
@@ -159,7 +159,7 @@ int rtnl_send_check(struct rtnl_handle *rth, const void *buf, int len)
                return -1;
        }
-        for (h = (struct nlmsghdr *)resp; NLMSG_OK(h, status);
+        for (h = (struct nlmsghdr *)resp; NLMSG_OK(h, (unsigned) status);
             h = NLMSG_NEXT(h, status)) {
                if (h->nlmsg_type == NLMSG_ERROR) {
                        struct nlmsgerr *err = (struct nlmsgerr*)NLMSG_DATA(h);
@@ -239,7 +239,7 @@ int rtnl_dump_filter_l(struct rtnl_handle *rth,
                        struct nlmsghdr *h = (struct nlmsghdr*)buf;
                        msglen = status;
-                        while (NLMSG_OK(h, msglen)) {
+                        while (NLMSG_OK(h, (unsigned) msglen)) {
                                int err;
                                if (nladdr.nl_pid != 0 ||
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 58ba39b00..59fde72a6 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -162,6 +162,18 @@ The sandbox is placed in g1 control group.
 .SH User Environment
 .TP
+env LD_LIBRARY_PATH=/opt/test/lib
+Set environment variable.
+.br
+Examples:
+.br
+.br
+env LD_LIBRARY_PATH=/opt/test/lib
+.br
+env CFLAGS="-W -Wall -Werror"
+.TP
 nogroups
 Disable supplementary user groups
 .TP
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index ffc698edd..2e87fbb8e 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -299,6 +299,16 @@ $ firejail \-\-list
 $ firejail \-\-dns.print=3272
 .TP
+\fB\-\-env=name=value
+Set environment variable in the new sandbox.
+.br
+.br
+Example:
+.br
+$ firejail \-\-env=LD_LIBRARY_PATH=/opt/test/lib
+.TP
 \fB\-?\fR, \fB\-\-help\fR
 Print options end exit.
 .TP
author	netblue30 <netblue30@yahoo.com>	2015-08-24 09:05:18 -0400
committer	netblue30 <netblue30@yahoo.com>	2015-08-24 09:05:18 -0400
commit	820de6829fedccffb8b3c32f079436fa7e89273e (patch)
tree	a1e0cf62b892e91d18de28d7459180339c5636d1 /src
parent	private-home testing (diff)
download	firejail-820de6829fedccffb8b3c32f079436fa7e89273e.tar.gz firejail-820de6829fedccffb8b3c32f079436fa7e89273e.tar.zst firejail-820de6829fedccffb8b3c32f079436fa7e89273e.zip

diff --git a/src/firejail/env.c b/src/firejail/env.c new file mode 100644 index 000000000..b4557e56f --- /dev/null +++ b/src/firejail/env.c
@@ -0,0 +1,78 @@
		1	/*
		2	* Copyright (C) 2014, 2015 Firejail Authors
		3	*
		4	* This file is part of firejail project
		5	*
		6	* This program is free software; you can redistribute it and/or modify
		7	* it under the terms of the GNU General Public License as published by
		8	* the Free Software Foundation; either version 2 of the License, or
		9	* (at your option) any later version.
		10	*
		11	* This program is distributed in the hope that it will be useful,
		12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
		13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		14	* GNU General Public License for more details.
		15	*
		16	* You should have received a copy of the GNU General Public License along
		17	* with this program; if not, write to the Free Software Foundation, Inc.,
		18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
		19	*/
		20	#include "firejail.h"
		21
		22	typedef struct env_t {
		23	struct env_t *next;
		24	char *name;
		25	char *value;
		26	} Env;
		27	static Env *envlist = NULL;
		28
		29	static void env_add(Env *env) {
		30	env->next = envlist;
		31	envlist = env;
		32	}
		33
		34	// parse and store the environment setting
		35	void env_store(const char *str) {
		36	assert(str);
		37
		38	// some basic checking
		39	if (*str == '\0')
		40	goto errexit;
		41	char *ptr = strchr(str, '=');
		42	if (!ptr)
		43	goto errexit;
		44	ptr++;
		45	if (*ptr == '\0')
		46	goto errexit;
		47
		48	// build list entry
		49	Env *env = malloc(sizeof(Env));
		50	if (!env)
		51	errExit("malloc");
		52	memset(env, 0, sizeof(Env));
		53	env->name = strdup(str);
		54	if (env->name == NULL)
		55	errExit("strdup");
		56	char *ptr2 = strchr(env->name, '=');
		57	assert(ptr2);
		58	*ptr2 = '\0';
		59	env->value = ptr2 + 1;
		60
		61	// add entry to the list
		62	env_add(env);
		63	return;
		64
		65	errexit:
		66	fprintf(stderr, "Error: invalid --env setting\n");
		67	exit(1);
		68	}
		69
		70	// set env variables in the new sandbox process
		71	void env_apply(void) {
		72	Env *env = envlist;
		73
		74	while (env) {
		75	setenv(env->name, env->value, 1);
		76	env = env->next;
		77	}
		78	}


diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 93265ef4f..868e1fca0 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -363,5 +363,9 @@ void fs_private_etc_list(void);
363	int check_kernel_procs(void);	363	int check_kernel_procs(void);
364	void run_no_sandbox(int argc, char **argv);	364	void run_no_sandbox(int argc, char **argv);
365		365
		366	// env.c
		367	void env_store(const char *str);
		368	void env_apply(void);
		369
366	#endif	370	#endif
367		371


diff --git a/src/firejail/main.c b/src/firejail/main.c index 9acfb254f..5d895c4a0 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -764,6 +764,8 @@ int main(int argc, char **argv) {
764	else if (strcmp(argv[i], "--noroot") == 0) {	764	else if (strcmp(argv[i], "--noroot") == 0) {
765	check_user_namespace();	765	check_user_namespace();
766	}	766	}
		767	else if (strncmp(argv[i], "--env=", 6) == 0)
		768	env_store(argv[i] + 6);
767		769
768	//*************************************	770	//*************************************
769	// network	771	// network


diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 9dc01435f..5603974aa 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c
@@ -1,7 +1,27 @@
		1	/*
		2	* Copyright (C) 2014, 2015 Firejail Authors
		3	*
		4	* This file is part of firejail project
		5	*
		6	* This program is free software; you can redistribute it and/or modify
		7	* it under the terms of the GNU General Public License as published by
		8	* the Free Software Foundation; either version 2 of the License, or
		9	* (at your option) any later version.
		10	*
		11	* This program is distributed in the hope that it will be useful,
		12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
		13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		14	* GNU General Public License for more details.
		15	*
		16	* You should have received a copy of the GNU General Public License along
		17	* with this program; if not, write to the Free Software Foundation, Inc.,
		18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
		19	*/
1	#include "firejail.h"	20	#include "firejail.h"
2	#include <sys/types.h>	21	#include <sys/types.h>
3	#include <sys/stat.h>	22	#include <sys/stat.h>
4	#include <unistd.h>	23	#include <unistd.h>
		24	#include <grp.h>
5		25
6	// check process space for kernel processes	26	// check process space for kernel processes
7	// return 1 if found, 0 if not found	27	// return 1 if found, 0 if not found
@@ -112,7 +132,8 @@ void run_no_sandbox(int argc, char **argv) {
112	// start the program in /bin/sh	132	// start the program in /bin/sh
113	fprintf(stderr, "Warning: an existing sandbox was detected. "	133	fprintf(stderr, "Warning: an existing sandbox was detected. "
114	"%s will run without any additional sandboxing features in a /bin/sh shell\n", command);	134	"%s will run without any additional sandboxing features in a /bin/sh shell\n", command);
115	system(command);	135	rv = system(command);
		136	(void) rv;
116	if (allocated)	137	if (allocated)
117	free(command);	138	free(command);
118	exit(1);	139	exit(1);


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 4341434ac..4a050db20 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -137,6 +137,11 @@ int profile_check_line(char *ptr, int lineno) {
137	return 0;	137	return 0;
138	}	138	}
139		139
		140	if (strncmp(ptr, "env ", 4) == 0) {
		141	env_store(ptr + 4);
		142	return 0;
		143	}
		144
140	// seccomp drop list on top of default list	145	// seccomp drop list on top of default list
141	if (strncmp(ptr, "seccomp ", 8) == 0) {	146	if (strncmp(ptr, "seccomp ", 8) == 0) {
142	arg_seccomp = 1;	147	arg_seccomp = 1;


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 6135c8eac..46cb03da7 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -359,7 +359,8 @@ int sandbox(void* sandbox_arg) {
359	//export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] '	359	//export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] '
360	if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0)	360	if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0)
361	errExit("setenv");	361	errExit("setenv");
362		362	// set user-supplied environment variables
		363	env_apply();
363		364
364	// set capabilities	365	// set capabilities
365	if (!arg_noroot)	366	if (!arg_noroot)


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 3afe5580f..d9ca7e615 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -78,6 +78,9 @@ void usage(void) {
78	printf("\t\tby name.\n\n");	78	printf("\t\tby name.\n\n");
79	printf("\t--dns.print=pid - print DNS configuration of the sandbox identified.\n");	79	printf("\t--dns.print=pid - print DNS configuration of the sandbox identified.\n");
80	printf("\t\tby PID.\n\n");	80	printf("\t\tby PID.\n\n");
		81
		82	printf("\t--env=name=value - set environment variable in the new sandbox\n");
		83
81	printf("\t--help, -? - this help screen.\n\n");	84	printf("\t--help, -? - this help screen.\n\n");
82	printf("\t--ip=address - set interface IP address.\n\n");	85	printf("\t--ip=address - set interface IP address.\n\n");
83	printf("\t--ip=none - no IP address and no default gateway address are configured\n");	86	printf("\t--ip=none - no IP address and no default gateway address are configured\n");
@@ -275,7 +278,7 @@ void usage(void) {
275	printf("\tPrcs - number of processes running in sandbox, including the controlling\n");	278	printf("\tPrcs - number of processes running in sandbox, including the controlling\n");
276	printf("\t process.\n");	279	printf("\t process.\n");
277	printf("\tRES - Resident Memory Size (KiB), sandbox non-swapped physical memory.\n");	280	printf("\tRES - Resident Memory Size (KiB), sandbox non-swapped physical memory.\n");
278	printf("\t It is a sum of the RES values for all processes running in the\n");	281	printf("\t It is a sum of the RES valprivate-etcues for all processes running in the\n");
279	printf("\t sandbox.\n");	282	printf("\t sandbox.\n");
280	printf("\tSHR - Shared Memory Size (KiB), it reflects memory shared with other\n");	283	printf("\tSHR - Shared Memory Size (KiB), it reflects memory shared with other\n");
281	printf("\t processes. It is a sum of the SHR values for all processes running\n");	284	printf("\t processes. It is a sum of the SHR values for all processes running\n");


diff --git a/src/lib/libnetlink.c b/src/lib/libnetlink.c index 40fb099f7..fddbc209d 100644 --- a/src/lib/libnetlink.c +++ b/src/lib/libnetlink.c
@@ -159,7 +159,7 @@ int rtnl_send_check(struct rtnl_handle rth, const void buf, int len)
159	return -1;	159	return -1;
160	}	160	}
161		161
162	for (h = (struct nlmsghdr *)resp; NLMSG_OK(h, status);	162	for (h = (struct nlmsghdr *)resp; NLMSG_OK(h, (unsigned) status);
163	h = NLMSG_NEXT(h, status)) {	163	h = NLMSG_NEXT(h, status)) {
164	if (h->nlmsg_type == NLMSG_ERROR) {	164	if (h->nlmsg_type == NLMSG_ERROR) {
165	struct nlmsgerr err = (struct nlmsgerr)NLMSG_DATA(h);	165	struct nlmsgerr err = (struct nlmsgerr)NLMSG_DATA(h);
@@ -239,7 +239,7 @@ int rtnl_dump_filter_l(struct rtnl_handle *rth,
239	struct nlmsghdr h = (struct nlmsghdr)buf;	239	struct nlmsghdr h = (struct nlmsghdr)buf;
240	msglen = status;	240	msglen = status;
241		241
242	while (NLMSG_OK(h, msglen)) {	242	while (NLMSG_OK(h, (unsigned) msglen)) {
243	int err;	243	int err;
244		244
245	if (nladdr.nl_pid != 0 \|\|	245	if (nladdr.nl_pid != 0 \|\|


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 58ba39b00..59fde72a6 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -162,6 +162,18 @@ The sandbox is placed in g1 control group.
162	.SH User Environment	162	.SH User Environment
163		163
164	.TP	164	.TP
		165	env LD_LIBRARY_PATH=/opt/test/lib
		166	Set environment variable.
		167	.br
		168	Examples:
		169	.br
		170
		171	.br
		172	env LD_LIBRARY_PATH=/opt/test/lib
		173	.br
		174	env CFLAGS="-W -Wall -Werror"
		175
		176	.TP
165	nogroups	177	nogroups
166	Disable supplementary user groups	178	Disable supplementary user groups
167	.TP	179	.TP


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index ffc698edd..2e87fbb8e 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -299,6 +299,16 @@ $ firejail \-\-list
299	$ firejail \-\-dns.print=3272	299	$ firejail \-\-dns.print=3272
300		300
301	.TP	301	.TP
		302	\fB\-\-env=name=value
		303	Set environment variable in the new sandbox.
		304	.br
		305
		306	.br
		307	Example:
		308	.br
		309	$ firejail \-\-env=LD_LIBRARY_PATH=/opt/test/lib
		310
		311	.TP
302	\fB\-?\fR, \fB\-\-help\fR	312	\fB\-?\fR, \fB\-\-help\fR
303	Print options end exit.	313	Print options end exit.
304	.TP	314	.TP