aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorLibravatar netblue30 <netblue30@protonmail.com>2023-02-06 09:04:27 -0500
committerLibravatar GitHub <noreply@github.com>2023-02-06 09:04:27 -0500
commit82c244f292dcbcf8a9ccffa979a6b464751ab369 (patch)
treed286ee744a7c7e88b5203fcfc5c0611bfd76d4f5 /src
parentprivate-etc: pushing vulkan into games group (diff)
parentfeature: add 'keep-shell-rc' flag and option (diff)
downloadfirejail-82c244f292dcbcf8a9ccffa979a6b464751ab369.tar.gz
firejail-82c244f292dcbcf8a9ccffa979a6b464751ab369.tar.zst
firejail-82c244f292dcbcf8a9ccffa979a6b464751ab369.zip
Merge pull request #5634 from acatton/master
feature: Add 'keep-shell-rc' command and option
Diffstat (limited to 'src')
-rw-r--r--src/firejail/firejail.h1
-rw-r--r--src/firejail/fs_home.c9
-rw-r--r--src/firejail/main.c4
-rw-r--r--src/firejail/profile.c5
-rw-r--r--src/firejail/usage.c1
-rw-r--r--src/man/firejail-profile.txt3
-rw-r--r--src/man/firejail.txt8
-rw-r--r--src/zsh_completion/_firejail.in1
8 files changed, 29 insertions, 3 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 66d2d8b83..a09158e9e 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -332,6 +332,7 @@ extern int arg_nice; // nice value configured
332extern int arg_ipc; // enable ipc namespace 332extern int arg_ipc; // enable ipc namespace
333extern int arg_writable_etc; // writable etc 333extern int arg_writable_etc; // writable etc
334extern int arg_keep_config_pulse; // disable automatic ~/.config/pulse init 334extern int arg_keep_config_pulse; // disable automatic ~/.config/pulse init
335extern int arg_keep_shell_rc; // do not copy shell configuration from /etc/skel
335extern int arg_writable_var; // writable var 336extern int arg_writable_var; // writable var
336extern int arg_keep_var_tmp; // don't overwrite /var/tmp 337extern int arg_keep_var_tmp; // don't overwrite /var/tmp
337extern int arg_writable_run_user; // writable /run/user 338extern int arg_writable_run_user; // writable /run/user
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 8c4cb3d4f..8e72f8687 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -361,7 +361,8 @@ void fs_private_homedir(void) {
361 } 361 }
362 EUID_USER(); 362 EUID_USER();
363 363
364 skel(homedir); 364 if (!arg_keep_shell_rc)
365 skel(homedir);
365 if (xflag) 366 if (xflag)
366 copy_xauthority(); 367 copy_xauthority();
367 if (aflag) 368 if (aflag)
@@ -430,7 +431,8 @@ void fs_private(void) {
430 selinux_relabel_path(homedir, homedir); 431 selinux_relabel_path(homedir, homedir);
431 } 432 }
432 433
433 skel(homedir); 434 if (!arg_keep_shell_rc)
435 skel(homedir);
434 if (xflag) 436 if (xflag)
435 copy_xauthority(); 437 copy_xauthority();
436 if (aflag) 438 if (aflag)
@@ -682,7 +684,8 @@ void fs_private_home_list(void) {
682 errExit("mounting tmpfs"); 684 errExit("mounting tmpfs");
683 EUID_USER(); 685 EUID_USER();
684 686
685 skel(homedir); 687 if (!arg_keep_shell_rc)
688 skel(homedir);
686 if (xflag) 689 if (xflag)
687 copy_xauthority(); 690 copy_xauthority();
688 if (aflag) 691 if (aflag)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 02fcb77d7..8df6926ee 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -127,6 +127,7 @@ int arg_nice = 0; // nice value configured
127int arg_ipc = 0; // enable ipc namespace 127int arg_ipc = 0; // enable ipc namespace
128int arg_writable_etc = 0; // writable etc 128int arg_writable_etc = 0; // writable etc
129int arg_keep_config_pulse = 0; // disable automatic ~/.config/pulse init 129int arg_keep_config_pulse = 0; // disable automatic ~/.config/pulse init
130int arg_keep_shell_rc = 0; // do not copy shell configuration from /etc/skel
130int arg_writable_var = 0; // writable var 131int arg_writable_var = 0; // writable var
131int arg_keep_var_tmp = 0; // don't overwrite /var/tmp 132int arg_keep_var_tmp = 0; // don't overwrite /var/tmp
132int arg_writable_run_user = 0; // writable /run/user 133int arg_writable_run_user = 0; // writable /run/user
@@ -1975,6 +1976,9 @@ int main(int argc, char **argv, char **envp) {
1975 else if (strcmp(argv[i], "--keep-config-pulse") == 0) { 1976 else if (strcmp(argv[i], "--keep-config-pulse") == 0) {
1976 arg_keep_config_pulse = 1; 1977 arg_keep_config_pulse = 1;
1977 } 1978 }
1979 else if (strcmp(argv[i], "--keep-shell-rc") == 0) {
1980 arg_keep_shell_rc = 1;
1981 }
1978 else if (strcmp(argv[i], "--writable-var") == 0) { 1982 else if (strcmp(argv[i], "--writable-var") == 0) {
1979 arg_writable_var = 1; 1983 arg_writable_var = 1;
1980 } 1984 }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index d01999ec5..3924465e4 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1235,6 +1235,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
1235 return 0; 1235 return 0;
1236 } 1236 }
1237 1237
1238 if (strcmp(ptr, "keep-shell-rc") == 0) {
1239 arg_keep_shell_rc = 1;
1240 return 0;
1241 }
1242
1238 // writable-var 1243 // writable-var
1239 if (strcmp(ptr, "writable-var") == 0) { 1244 if (strcmp(ptr, "writable-var") == 0) {
1240 arg_writable_var = 1; 1245 arg_writable_var = 1;
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index bf4550dd8..e31293c66 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -129,6 +129,7 @@ static char *usage_str =
129 " --keep-config-pulse - disable automatic ~/.config/pulse init.\n" 129 " --keep-config-pulse - disable automatic ~/.config/pulse init.\n"
130 " --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n" 130 " --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n"
131 " --keep-fd - inherit open file descriptors to sandbox.\n" 131 " --keep-fd - inherit open file descriptors to sandbox.\n"
132 " --keep-shell-rc - do not copy shell rc files from /etc/skel\n"
132 " --keep-var-tmp - /var/tmp directory is untouched.\n" 133 " --keep-var-tmp - /var/tmp directory is untouched.\n"
133 " --list - list all sandboxes.\n" 134 " --list - list all sandboxes.\n"
134#ifdef HAVE_FILE_TRANSFER 135#ifdef HAVE_FILE_TRANSFER
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 5b16179ac..3fa07d1ee 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -288,6 +288,9 @@ pulse servers or non-standard socket paths.
288\fBkeep-dev-shm 288\fBkeep-dev-shm
289/dev/shm directory is untouched (even with private-dev). 289/dev/shm directory is untouched (even with private-dev).
290.TP 290.TP
291\fBkeep-shell-rc
292Do not copy shell rc files (such as ~/.bashrc and ~/.zshrc) from /etc/skel.
293.TP
291\fBkeep-var-tmp 294\fBkeep-var-tmp
292/var/tmp directory is untouched. 295/var/tmp directory is untouched.
293.TP 296.TP
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 1b051ab57..6068c9ff4 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1224,6 +1224,14 @@ Example:
1224$ firejail --keep-fd=3,4,5 1224$ firejail --keep-fd=3,4,5
1225 1225
1226.TP 1226.TP
1227\fB\-\-keep-shell-rc
1228By default, when using a private home directory, firejail copies files from the
1229system's user home template (/etc/skel) into it, which overrides attempts to
1230whitelist the original files (such as ~/.bashrc and ~/.zshrc).
1231This option disables this feature, and enables the user to whitelist the
1232original files.
1233
1234.TP
1227\fB\-\-keep-var-tmp 1235\fB\-\-keep-var-tmp
1228/var/tmp directory is untouched. 1236/var/tmp directory is untouched.
1229.br 1237.br
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index 2b67c2a00..37ce7055b 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -104,6 +104,7 @@ _firejail_args=(
104 '--keep-config-pulse[disable automatic ~/.config/pulse init]' 104 '--keep-config-pulse[disable automatic ~/.config/pulse init]'
105 '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]' 105 '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]'
106 '--keep-fd[inherit open file descriptors to sandbox]: :' 106 '--keep-fd[inherit open file descriptors to sandbox]: :'
107 '--keep-shell-rc[do not copy shell rc files from /etc/skel]'
107 '--keep-var-tmp[/var/tmp directory is untouched]' 108 '--keep-var-tmp[/var/tmp directory is untouched]'
108 '--machine-id[spoof /etc/machine-id with a random id]' 109 '--machine-id[spoof /etc/machine-id with a random id]'
109 '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]' 110 '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]'
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-06-28 18:35:16 +0000