--profile-path option

4 files changed, 107 insertions, 43 deletions

diff --git a/src/firejail/main.c b/src/firejail/main.c
index c1cd9564e..eecb5b0a0 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -414,6 +414,7 @@ int main(int argc, char **argv) {
         int arg_ipc = 0;
         int arg_cgroup = 0;
         int custom_profile = 0; // custom profile loaded
+        char *custom_profile_dir = NULL; // custom profile directory
         int arg_noprofile = 0; // use generic.profile if none other found/specified
 #ifdef HAVE_SECCOMP
         int highest_errno = errno_highest_nr();
@@ -739,6 +740,25 @@ int main(int argc, char **argv) {
                         profile_read(argv[i] + 10);
                         custom_profile = 1;
                 }
+                else if (strncmp(argv[i], "--profile-path=", 15) == 0) {
+                        if (arg_noprofile) {
+                                fprintf(stderr, "Error: --noprofile and --profile-path options are mutually exclusive\n");
+                                exit(1);
+                        }
+                        custom_profile_dir = expand_home(argv[i] + 15, cfg.homedir);
+                        invalid_filename(custom_profile_dir);
+                        char *ptr = argv[i] + 15;
+                        if (!is_dir(custom_profile_dir) || is_link(custom_profile_dir) || strstr(custom_profile_dir, "..")) {
+                                fprintf(stderr, "Error: invalid profile path\n");
+                                exit(1);
+                        }
+                        
+                        // access call checks as real UID/GID, not as effective UID/GID
+                        if (access(custom_profile_dir, R_OK)) {
+                                fprintf(stderr, "Error: cannot access profile directory\n");
+                                return 1;
+                        }
+                }
                 else if (strcmp(argv[i], "--noprofile") == 0) {
                         if (custom_profile) {
                                 fprintf(stderr, "Error: --profile and --noprofile options are mutually exclusive\n");
@@ -1245,7 +1265,11 @@ int main(int argc, char **argv) {
                 }
                 if (!custom_profile) {
                         // look for a user profile in /etc/firejail directory
-                        int rv = profile_find(cfg.command_name, SYSCONFDIR);
+                        int rv;
+                        if (custom_profile_dir)
+                                rv = profile_find(cfg.command_name, custom_profile_dir);
+                        else
+                                rv = profile_find(cfg.command_name, SYSCONFDIR);
                         custom_profile = rv;
                 }
         }
@@ -1275,7 +1299,10 @@ int main(int argc, char **argv) {
         
                         if (!custom_profile) {
                                 // look for the profile in /etc/firejail directory
-                                custom_profile = profile_find(profile_name, SYSCONFDIR);
+                                if (custom_profile_dir)
+                                        custom_profile = profile_find(profile_name, custom_profile_dir);
+                                else
+                                        custom_profile = profile_find(profile_name, SYSCONFDIR);
                         }
                         
                         if (custom_profile && !arg_quiet)
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index d060af5eb..9d5549a77 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -201,6 +201,7 @@ void usage(void) {
         printf("\t\tAll modifications are discarded when the sandbox is closed.\n\n");
         
         printf("\t--profile=filename - use a custom profile.\n\n");
+        printf("\t--profile-path=directory - use this directory to look for profile files.\n\n");
         
         printf("\t--protocol=protocol,protocol,protocol - enable protocol filter.\n");
         printf("\t\tProtocol values: unix, inet, inet6, netlink, packet.\n\n");
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 1713b74dd..91c151fe8 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -81,7 +81,7 @@ file in user home directory.
 Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file.
 
 .TP
-\f\noblacklist file_name
+\f\ noblacklist file_name
 If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow.
 
 Example: "noblacklist ${HOME}/.mozilla"
@@ -102,37 +102,31 @@ Use \fBprivate\fR to set private mode.
 File globbing is supported, and PATH and HOME directories are searched.
 Examples:
 .TP
-\f\blacklist /usr/bin
-Remove /usr/bin directory.
-.TP
-\f\blacklist /etc/passwd
-Remove /etc/passwd file.
-.TP
-\f\read-only /etc/passwd
-Read-only /etc/passwd file.
-.TP
-tmpfs /etc
-Mount an empty tmpfs filesystem on top of /etc directory.
-.TP
-bind /root/config/ssh,/etc/ssh
-Mount-bind /root/config/ssh on /etc/ssh.
+\f\blacklist file_or_directory
+Blacklist directory or file. Examples:
+.br
+
+.br
+blacklist /usr/bin
+.br
+blacklist /usr/bin/gcc*
+.br
+blacklist ${PATH}/ifconfig
+.br
+blacklist ${HOME}/.ssh
+
 .TP
-\f\blacklist /usr/bin/gcc*
-Remove all gcc files in /usr/bin (file globbing).
+\f\read-only file_or_directory
+Make directory or file read-only.
 .TP
-\f\blacklist ${PATH}/ifconfig
-Remove ifconfig command from the regular path directories.
+\f\ tmpfs directory
+Mount an empty tmpfs filesystem on top of directory.
 .TP
-\f\blacklist ${HOME}/.ssh
-Remove .ssh directory from user home directory.
+\f\bind directory1,directory2
+Mount-bind directory1 on top of directory2. This option is only available when running as root.
 .TP
-\f\noblacklist ${HOME}/config/evince
-Prevent any new blacklist commands from blacklisting
-config/evince in the user home directory. Useful for defining
-exceptions before including a large blacklist from a file. Note
-that blacklisting ${HOME}/config can still make
-${HOME}/config/evince effectively unreachable through filesystem
-traversal.
+\f\bind file1,file2
+Mount-bind file1 on top of file2. This option is only available when running as root.
 .TP
 \f\private
 Mount new /root and /home/user directories in temporary
@@ -153,7 +147,7 @@ new home. All modifications are discarded when the sandbox is
 closed.
 .TP
 \f\private-dev
-Create a new /dev directory. Only null, full, zero, tty, pts, ptmx, random, urandom and shm devices are available.
+Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, urandom, log and shm devices are available.
 .TP
 \f\private-etc file,directory
 Build a new /etc in a temporary
@@ -240,10 +234,8 @@ The sandbox is placed in g1 control group.
 .SH User Environment
 
 .TP
-env LD_LIBRARY_PATH=/opt/test/lib
-Set environment variable.
-.br
-Examples:
+env name=value
+Set environment variable. Examples:
 .br
 
 .br
@@ -284,6 +276,36 @@ Set a DNS server for the sandbox. Up to three DNS servers can be defined.
 hostname name
 Set a hostname for the sandbox.
 
+.SH RELOCATING PROFILES
+For various reasons some users might want to keep the profile files in a different directory.
+Using \fB--profile-path\fR command line option, Firejail can be instructed to look for profiles
+into this directory.
+
+This is an example of relocating the profile files into a new
+directory, /home/netblue/myprofiles. Start by creating the new directory and copy all
+the profile files in:
+.br
+
+.br
+$ mkdir ~/myprofiles && cd ~/myprofiles && cp /etc/firejail/* .
+.br
+
+.br
+Using \fBsed\fR utility, modify the absolute paths for \fBinclude\fR commands:
+.br
+
+.br
+$ sed -i "s/\\/etc\\/firejail/\\/home\\/netblue\\/myprofiles/g" *.profile
+.br
+$ sed -i "s/\\/etc\\/firejail/\\/home\\/netblue\\/myprofiles/g" *.inc
+.br
+
+.br
+Start Firejail using the new path:
+.br
+
+.br
+$ firejail --profile-path=~/myprofile
 
 .SH FILES
 /etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 62225c407..e2382eb9f 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -52,7 +52,7 @@ Only /home and /tmp are writable.
 As it starts up, Firejail tries to find a security profile based on the name of the application.
 If an appropriate profile is not found, Firejail will use a default profile.
 The default profile is quite restrictive. In case the application doesn't work, use --noprofile option 
-to disable it. For more information, please see SECURITY PROFILES section.
+to disable it. For more information, please see \fBSECURITY PROFILES\fR section.
 .PP
 If a program argument is not specified, Firejail starts /bin/bash shell.
 Examples:
@@ -69,10 +69,10 @@ $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
 Signal the end of options and disables further option processing.
 .TP
 \fB\-\-bandwidth=name
-Set bandwidth limits for the sandbox identified by name, see TRAFFIC SHAPING section for more details.
+Set bandwidth limits for the sandbox identified by name, see \fBTRAFFIC SHAPING\fR section for more details.
 .TP
 \fB\-\-bandwidth=pid
-Set bandwidth limits for the sandbox identified by PID, see TRAFFIC SHAPING section for more details.
+Set bandwidth limits for the sandbox identified by PID, see \fBTRAFFIC SHAPING\fR section for more details.
 .TP
 \fB\-\-bind=dirname1,dirname2
 Mount-bind dirname1 on top of dirname2. This option is only available when running the sandbox as root.
@@ -478,7 +478,7 @@ $ firejail \-\-join=3272
 
 .TP
 \fB\-\-list
-List all sandboxes, see MONITORING section for more details.
+List all sandboxes, see \fBMONITORING\fR section for more details.
 .br
 
 .br
@@ -645,7 +645,7 @@ $ firejail --netfilter=/etc/firejail/nolocal.net \\
 --net=eth0 firefox
 .TP
 \fB\-\-netstats
-Monitor network namespace statistics, see MONITORING section for more details.
+Monitor network namespace statistics, see \fBMONITORING\fR section for more details.
 .br
 
 .br
@@ -919,7 +919,7 @@ nsswitch.conf,passwd,resolv.conf
 .TP
 \fB\-\-profile=filename
 Load a custom security profile from filename. For filename use an absolute path or a path relative to the current path.
-For more information, see SECURITY PROFILES section below.
+For more information, see \fBSECURITY PROFILES\fR section below.
 .br
 
 .br
@@ -928,6 +928,20 @@ Example:
 $ firejail \-\-profile=myprofile
 
 .TP
+\fB\-\-profile-path=directory
+Use this directory to look for profile files. Use an absolute path or a path in the home directory starting with ~/.
+For more information, see \fBSECURITY PROFILES\fR section below and \fBRELOCATING PROFILE FILES\fR in
+\fBman 5 firejail-profile\fR.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-profile-path=~/myprofiles
+.br
+$ firejail \-\-profile-path=/home/netblue/myprofiles
+
+.TP
 \fB\-\-protocol=protocol,protocol,protocol
 Enable protocol filter. The filter is based on seccomp and the first argument to socket system call.
 Recognized values: unix, inet, inet6, netlink and packet.
@@ -1255,7 +1269,7 @@ Example:
 $ firejail \-\-tmpfs=/var
 .TP
 \fB\-\-top
-Monitor the most CPU-intensive sandboxes, see MONITORING section for more details.
+Monitor the most CPU-intensive sandboxes, see \fBMONITORING\fR section for more details.
 .br
 
 .br
@@ -1321,7 +1335,7 @@ Dec  3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe fi
 [...]
 .TP
 \fB\-\-tree
-Print a tree of all sandboxed processes, see MONITORING section for more details.
+Print a tree of all sandboxed processes, see \fBMONITORING\fR section for more details.
 .br
 
 .br