author | netblue30 <netblue30@yahoo.com> | 2015-10-25 07:58:04 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2015-10-25 07:58:04 -0400 |
commit | df6aa573c121dfadf36715bb4b08d91e5867f3b9 (patch) | |
tree | 83809acddbbe27b6a22cfdadd98b4a622750d674 /src | |
parent | bug: disable whitelists if private home options are present (diff) | |
implemented --ignore option
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 20 | ||||
-rw-r--r-- | src/firejail/profile.c | 10 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 2 | ||||
-rw-r--r-- | src/firejail/usage.c | 2 | ||||
-rw-r--r-- | src/man/firejail.txt | 10 |
6 files changed, 44 insertions, 2 deletions
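--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -81,6 +81,8 @@ typedef struct config_t {
 
 	// filesystem
 	ProfileEntry *profile;
+#define MAX_PROFILE_IGNORE 16
+	char *profile_ignore[MAX_PROFILE_IGNORE];
 	char *chrootdir;	// chroot directory
 	char *home_private;	// private home directory
 	char *home_private_keep;	// keep list for private home directory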
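Review bot: The new `profile_ignore` member is the only field in this stretch of `config_t` without a trailing comment, while `chrootdir`, `home_private` and `home_private_keep` each carry one; the consumers in this commit stop at the first NULL entry, so that contract belongs on the declaration: `char *profile_ignore[MAX_PROFILE_IGNORE];	// --ignore commands, NULL-terminated; assumes cfg is zero-initialized`. Whether `cfg` is in fact zero-initialized is not visible in this commit and should be confirmed at its definition. `#define MAX_PROFILE_IGNORE 16` placed inside the struct body works, but moving it above the typedef keeps the struct definition to members only.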
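--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -711,6 +711,26 @@ int main(int argc, char **argv) {
 			}
 			arg_noprofile = 1;
 		}
+		else if (strncmp(argv[i], "--ignore=", 9) == 0) {
+			char *ptr = argv[i] + 9;
+			if (*(argv[i] + 9) == '\0') {
+				fprintf(stderr, "Error: invalid ignore option\n");
+				exit(1);
+			}
+
+			// find an empty entry in profile_ignore array
+			int j;
+			for (j = 0; j < MAX_PROFILE_IGNORE; j++) {
+				if (cfg.profile_ignore[j] == NULL)
+					break;
+			}
+			if (j >= MAX_PROFILE_IGNORE) {
+				fprintf(stderr, "Error: maximum %d --ignore options are permitted\n", MAX_PROFILE_IGNORE);
+				exit(1);
+			}
+			// ... and configure it
+			cfg.profile_ignore[j] = argv[i] + 9;
+		}
 #ifdef HAVE_CHROOT
 		else if (strncmp(argv[i], "--chroot=", 9) == 0) {
 			if (arg_overlay) {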
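Review bot: `ptr` in `char *ptr = argv[i] + 9;` is set but never read; the two later occurrences of `argv[i] + 9` should use it so the emptiness check and the stored value cannot drift apart: `if (*ptr == '\0') {` and `cfg.profile_ignore[j] = ptr;`. The stored pointer aliases argv rather than a copy, which is fine as long as argv outlives profile parsing, but a short comment prevents a later `free()` by mistake: `// points into argv, never freed`. The value is accepted verbatim and, per profile.c in this commit, later used as a prefix against profile lines, so it may be worth rejecting values containing whitespace here as well. `main` begins and ends outside the hunk.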
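--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -66,6 +66,16 @@ int profile_find(const char *name, const char *dir) {
 // return 1 if the command is to be added to the linked list of profile commands
 // return 0 if the command was already executed inside the function
 int profile_check_line(char *ptr, int lineno) {
+	// check ignore list
+	int i;
+	for (i = 0; i < MAX_PROFILE_IGNORE; i++) {
+		if (cfg.profile_ignore[i] == NULL)
+			break;
+
+		if (strncmp(ptr, cfg.profile_ignore[i], strlen(cfg.profile_ignore[i])) == 0)
+			return 0;	// ignore line
+	}
+
 	// seccomp, caps, private, user namespace
 	if (strcmp(ptr, "noroot") == 0) {
 		check_user_namespace();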
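Review bot: The ignore test `strncmp(ptr, cfg.profile_ignore[i], strlen(cfg.profile_ignore[i])) == 0` is a prefix match, so `--ignore=caps` also skips `caps.drop ...` and `caps.keep ...` lines and `--ignore=net` skips `netfilter`; because the skipped lines are the profile's hardening directives, an over-broad match silently weakens the sandbox. If whole-command semantics are intended, additionally require that the character following the matched prefix is `'\0'` or a space before returning; if prefix semantics are intended, the man page and usage text added in this commit should state that explicitly. The header comment `// return 0 if the command was already executed inside the function` no longer covers this return path; add `// return 0 also when the line matches an --ignore entry (line is skipped)`. `profile_check_line` continues past the end of the hunk.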
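--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -476,7 +476,7 @@ int sandbox(void* sandbox_arg) {
 	if (arg_noroot) {
 		set_caps();
 		if (arg_debug)
-			printf("User namespace (noroot) installed\n");
+			printf("noroot user namespace installed\n");
 	}
 
 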
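--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -85,7 +85,7 @@ void usage(void) {
 
 	printf("\t--help, -? - this help screen.\n\n");
 	printf("\t--hostname=name - set sandbox hostname.\n\n");
-
+	printf("\t--ignore=command - ignore command in profile files.\n\n");
 	printf("\t--interface=name - move interface in a new network namespace. Up to\n");
 	printf("\t\tfour --interface options can be sepcified.\n\n");
 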
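--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -341,6 +341,16 @@ Example:
 $ firejail \-\-hostname=officepc firefox
 
 .TP
+\fB\-\-ignore=command
+Ignore command in profile file.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-ignore=shell --ignore=seccomp firefox
+
+.TP
 \fB\-\-interface=interface
 Move interface in a new network namespace. Up to four --interface options can be sepcified.
 .br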