diff options
| author |  netblue30 <netblue30@yahoo.com> | 2016-09-17 09:24:16 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2016-09-17 09:24:16 -0400 |
| commit | 482a38ca66c7b189a0fcc31fd680801a3bf3c893 (patch) | |
| tree | f1beb803c011dd58072e815bba43e4dce1c2632d /src | |
| parent | Merge branch 'master' of https://github.com/netblue30/firejail (diff) | |
| download | firejail-482a38ca66c7b189a0fcc31fd680801a3bf3c893.tar.gz firejail-482a38ca66c7b189a0fcc31fd680801a3bf3c893.tar.zst firejail-482a38ca66c7b189a0fcc31fd680801a3bf3c893.zip | |
bug: add support to remove /usr/local from private-bin list, issue 778
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/checkcfg.c | 9 | ||||
| -rw-r--r-- | src/firejail/firejail.h | 1 | ||||
| -rw-r--r-- | src/firejail/fs_bin.c | 7 |
3 files changed, 17 insertions, 0 deletions
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index fdd2b8edd..78c0e5c60 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
| @@ -40,6 +40,7 @@ int checkcfg(int val) { | |||
| 40 | cfg_val[i] = 1; // most of them are enabled by default | 40 | cfg_val[i] = 1; // most of them are enabled by default |
| 41 | cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default | 41 | cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default |
| 42 | cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default | 42 | cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default |
| 43 | cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0; // disabled by default | ||
| 43 | 44 | ||
| 44 | // open configuration file | 45 | // open configuration file |
| 45 | char *fname; | 46 | char *fname; |
| @@ -258,6 +259,14 @@ int checkcfg(int val) { | |||
| 258 | else | 259 | else |
| 259 | goto errout; | 260 | goto errout; |
| 260 | } | 261 | } |
| 262 | else if (strncmp(ptr, "private-bin-no-local ", 21) == 0) { | ||
| 263 | if (strcmp(ptr + 21, "yes") == 0) | ||
| 264 | cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 1; | ||
| 265 | else if (strcmp(ptr + 21, "no") == 0) | ||
| 266 | cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0; | ||
| 267 | else | ||
| 268 | goto errout; | ||
| 269 | } | ||
| 261 | else | 270 | else |
| 262 | goto errout; | 271 | goto errout; |
| 263 | 272 | ||
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 7043aa0ca..c0536502e 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
| @@ -651,6 +651,7 @@ enum { | |||
| 651 | CFG_OVERLAYFS, | 651 | CFG_OVERLAYFS, |
| 652 | CFG_CHROOT_DESKTOP, | 652 | CFG_CHROOT_DESKTOP, |
| 653 | CFG_PRIVATE_HOME, | 653 | CFG_PRIVATE_HOME, |
| 654 | CFG_PRIVATE_BIN_NO_LOCAL, | ||
| 654 | CFG_MAX // this should always be the last entry | 655 | CFG_MAX // this should always be the last entry |
| 655 | }; | 656 | }; |
| 656 | extern char *xephyr_screen; | 657 | extern char *xephyr_screen; |
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 6c4db57b4..40539305f 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c | |||
| @@ -46,6 +46,13 @@ static char *check_dir_or_file(const char *name) { | |||
| 46 | 46 | ||
| 47 | int i = 0; | 47 | int i = 0; |
| 48 | while (paths[i]) { | 48 | while (paths[i]) { |
| 49 | // private-bin-no-local can be disabled in /etc/firejail/firejail.config | ||
| 50 | if (checkcfg(CFG_PRIVATE_BIN_NO_LOCAL) && strstr(paths[i], "local/")) { | ||
| 51 | i++; | ||
| 52 | continue; | ||
| 53 | } | ||
| 54 | |||
| 55 | // check file | ||
| 49 | if (asprintf(&fname, "%s/%s", paths[i], name) == -1) | 56 | if (asprintf(&fname, "%s/%s", paths[i], name) == -1) |
| 50 | errExit("asprintf"); | 57 | errExit("asprintf"); |
| 51 | if (arg_debug) | 58 | if (arg_debug) |