profile support for writable-etc and writable-var

author: netblue30 <netblue30@yahoo.com> 2016-04-20 09:16:35 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-04-20 09:16:35 -0400
commit: 66cd15982d1d763afe70852aa4b3342313d04656 (patch)
tree: 3932ee28779d6fc508d07f6c641b5732305c114b /src
parent: fix: --private-etc and --writable-etc are mutually exclusive (diff)
download: firejail-66cd15982d1d763afe70852aa4b3342313d04656.tar.gz
firejail-66cd15982d1d763afe70852aa4b3342313d04656.tar.zst
firejail-66cd15982d1d763afe70852aa4b3342313d04656.zip
3 files changed, 34 insertions, 2 deletions
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index a2336090f..9e0f0325e 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -570,6 +570,30 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                return 0;
        }
        
+        // writable-etc
+        if (strcmp(ptr, "writable-etc") == 0) {
+                if (getuid() != 0) {
+                        fprintf(stderr, "Error: writable-etc is available only for root user\n");
+                        exit(1);
+                }
+                if (cfg.etc_private_keep) {
+                        fprintf(stderr, "Error: private-etc and writable-etc are mutually exclusive\n");
+                        exit(1);
+                }
+                arg_writable_etc = 1;
+                return 0;
+        }
+        
+        // writable-var
+        if (strcmp(ptr, "writable-var") == 0) {
+                if (getuid() != 0) {
+                        fprintf(stderr, "Error: writable-var is available only for root user\n");
+                        exit(1);
+                }
+                arg_writable_var = 1;
+                return 0;
+        }
+        
        // private directory
        if (strncmp(ptr, "private ", 8) == 0) {
                cfg.home_private = ptr + 8;
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index f5610cafc..8d0b6a890 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -181,6 +181,14 @@ Build a new user home in a temporary filesystem, and mount-bind file_or_director
 The modifications to file_or_directory are persistent, everything else is discarded
 when the sandbox is closed.
 .TP
+\fBwritable-etc
+Mount /etc directory read-write. This option is  available  only
+when running the sandbox as root user.
+.TP
+\fBwritable-var
+Mount /var directory read-write. This option is  available  only
+when running the sandbox as root user.
+.TP
 \fBtracelog
 Blacklist violations logged to syslog.
 .SH Security filters
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 14b3c6a60..51abaef28 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1463,7 +1463,7 @@ $ firejail "\-\-whitelist=/home/username/My Virtual Machines"
 .TP
 \fB\-\-writable-etc
-Mount /etc directory read-write. This option is available only when running the sandbox as root user
+Mount /etc directory read-write. This option is available only when running the sandbox as root user.
 .br
 .br
@@ -1473,7 +1473,7 @@ $ sudo firejail --writable-etc
 .TP
 \fB\-\-writable-var
-Mount /var directory read-write. This option is available only when running the sandbox as root user
+Mount /var directory read-write. This option is available only when running the sandbox as root user.
 .br
 .br
author	netblue30 <netblue30@yahoo.com>	2016-04-20 09:16:35 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-04-20 09:16:35 -0400
commit	66cd15982d1d763afe70852aa4b3342313d04656 (patch)
tree	3932ee28779d6fc508d07f6c641b5732305c114b /src
parent	fix: --private-etc and --writable-etc are mutually exclusive (diff)
download	firejail-66cd15982d1d763afe70852aa4b3342313d04656.tar.gz firejail-66cd15982d1d763afe70852aa4b3342313d04656.tar.zst firejail-66cd15982d1d763afe70852aa4b3342313d04656.zip

diff --git a/src/firejail/profile.c b/src/firejail/profile.c index a2336090f..9e0f0325e 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -570,6 +570,30 @@ int profile_check_line(char ptr, int lineno, const char fname) {
570	return 0;	570	return 0;
571	}	571	}
572		572
		573	// writable-etc
		574	if (strcmp(ptr, "writable-etc") == 0) {
		575	if (getuid() != 0) {
		576	fprintf(stderr, "Error: writable-etc is available only for root user\n");
		577	exit(1);
		578	}
		579	if (cfg.etc_private_keep) {
		580	fprintf(stderr, "Error: private-etc and writable-etc are mutually exclusive\n");
		581	exit(1);
		582	}
		583	arg_writable_etc = 1;
		584	return 0;
		585	}
		586
		587	// writable-var
		588	if (strcmp(ptr, "writable-var") == 0) {
		589	if (getuid() != 0) {
		590	fprintf(stderr, "Error: writable-var is available only for root user\n");
		591	exit(1);
		592	}
		593	arg_writable_var = 1;
		594	return 0;
		595	}
		596
573	// private directory	597	// private directory
574	if (strncmp(ptr, "private ", 8) == 0) {	598	if (strncmp(ptr, "private ", 8) == 0) {
575	cfg.home_private = ptr + 8;	599	cfg.home_private = ptr + 8;


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index f5610cafc..8d0b6a890 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -181,6 +181,14 @@ Build a new user home in a temporary filesystem, and mount-bind file_or_director
181	The modifications to file_or_directory are persistent, everything else is discarded	181	The modifications to file_or_directory are persistent, everything else is discarded
182	when the sandbox is closed.	182	when the sandbox is closed.
183	.TP	183	.TP
		184	\fBwritable-etc
		185	Mount /etc directory read-write. This option is available only
		186	when running the sandbox as root user.
		187	.TP
		188	\fBwritable-var
		189	Mount /var directory read-write. This option is available only
		190	when running the sandbox as root user.
		191	.TP
184	\fBtracelog	192	\fBtracelog
185	Blacklist violations logged to syslog.	193	Blacklist violations logged to syslog.
186	.SH Security filters	194	.SH Security filters


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 14b3c6a60..51abaef28 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1463,7 +1463,7 @@ $ firejail "\-\-whitelist=/home/username/My Virtual Machines"
1463		1463
1464	.TP	1464	.TP
1465	\fB\-\-writable-etc	1465	\fB\-\-writable-etc
1466	Mount /etc directory read-write. This option is available only when running the sandbox as root user	1466	Mount /etc directory read-write. This option is available only when running the sandbox as root user.
1467	.br	1467	.br
1468		1468
1469	.br	1469	.br
@@ -1473,7 +1473,7 @@ $ sudo firejail --writable-etc
1473		1473
1474	.TP	1474	.TP
1475	\fB\-\-writable-var	1475	\fB\-\-writable-var
1476	Mount /var directory read-write. This option is available only when running the sandbox as root user	1476	Mount /var directory read-write. This option is available only when running the sandbox as root user.
1477	.br	1477	.br
1478		1478
1479	.br	1479	.br