diff options
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 32 | ||||
-rw-r--r-- | src/firejail/usage.c | 4 | ||||
-rw-r--r-- | src/man/firejail.txt | 31 |
4 files changed, 67 insertions, 1 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 868e1fca0..351e9d045 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -28,6 +28,7 @@ | |||
28 | #define MNT_DIR "/tmp/firejail/mnt" | 28 | #define MNT_DIR "/tmp/firejail/mnt" |
29 | #define HOME_DIR "/tmp/firejail/mnt/home" | 29 | #define HOME_DIR "/tmp/firejail/mnt/home" |
30 | #define ETC_DIR "/tmp/firejail/mnt/etc" | 30 | #define ETC_DIR "/tmp/firejail/mnt/etc" |
31 | #define GENERIC_PROFILE_NAME "generic" | ||
31 | #define MAX_INCLUDE_LEVEL 6 | 32 | #define MAX_INCLUDE_LEVEL 6 |
32 | 33 | ||
33 | // main.c | 34 | // main.c |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 2a56d1725..7db18181d 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -399,6 +399,7 @@ int main(int argc, char **argv) { | |||
399 | int arg_ipc = 0; | 399 | int arg_ipc = 0; |
400 | int arg_cgroup = 0; | 400 | int arg_cgroup = 0; |
401 | int custom_profile = 0; // custom profile loaded | 401 | int custom_profile = 0; // custom profile loaded |
402 | int arg_noprofile = 0; // use generic.profile if none other found/specified | ||
402 | 403 | ||
403 | // initialize globals | 404 | // initialize globals |
404 | init_cfg(); | 405 | init_cfg(); |
@@ -653,6 +654,10 @@ int main(int argc, char **argv) { | |||
653 | arg_overlay = 1; | 654 | arg_overlay = 1; |
654 | } | 655 | } |
655 | else if (strncmp(argv[i], "--profile=", 10) == 0) { | 656 | else if (strncmp(argv[i], "--profile=", 10) == 0) { |
657 | if (arg_noprofile) { | ||
658 | fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n"); | ||
659 | exit(1); | ||
660 | } | ||
656 | // multiple profile files are allowed! | 661 | // multiple profile files are allowed! |
657 | char *ptr = argv[i] + 10; | 662 | char *ptr = argv[i] + 10; |
658 | if (is_dir(ptr) || is_link(ptr) || strstr(ptr, "..")) { | 663 | if (is_dir(ptr) || is_link(ptr) || strstr(ptr, "..")) { |
@@ -669,6 +674,13 @@ int main(int argc, char **argv) { | |||
669 | profile_read(argv[i] + 10, NULL, NULL); | 674 | profile_read(argv[i] + 10, NULL, NULL); |
670 | custom_profile = 1; | 675 | custom_profile = 1; |
671 | } | 676 | } |
677 | else if (strcmp(argv[i], "--noprofile") == 0) { | ||
678 | if (custom_profile) { | ||
679 | fprintf(stderr, "Error: --profile and --noprofile options are mutually exclusive\n"); | ||
680 | exit(1); | ||
681 | } | ||
682 | arg_noprofile = 1; | ||
683 | } | ||
672 | #ifdef HAVE_CHROOT | 684 | #ifdef HAVE_CHROOT |
673 | else if (strncmp(argv[i], "--chroot=", 9) == 0) { | 685 | else if (strncmp(argv[i], "--chroot=", 9) == 0) { |
674 | if (arg_overlay) { | 686 | if (arg_overlay) { |
@@ -1054,7 +1066,7 @@ int main(int argc, char **argv) { | |||
1054 | } | 1066 | } |
1055 | 1067 | ||
1056 | // load the profile | 1068 | // load the profile |
1057 | { | 1069 | if (!arg_noprofile) { |
1058 | assert(cfg.command_name); | 1070 | assert(cfg.command_name); |
1059 | if (arg_debug) | 1071 | if (arg_debug) |
1060 | printf("Command name #%s#\n", cfg.command_name); | 1072 | printf("Command name #%s#\n", cfg.command_name); |
@@ -1074,6 +1086,24 @@ int main(int argc, char **argv) { | |||
1074 | } | 1086 | } |
1075 | } | 1087 | } |
1076 | 1088 | ||
1089 | // use generic.profile as the default | ||
1090 | if (!custom_profile && !arg_noprofile) { | ||
1091 | if (arg_debug) | ||
1092 | printf("Attempting to find %s.profile...",GENERIC_PROFILE_NAME); | ||
1093 | |||
1094 | // look for the profile in ~/.config/firejail directory | ||
1095 | char *usercfgdir; | ||
1096 | if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1) | ||
1097 | errExit("asprintf"); | ||
1098 | custom_profile = profile_find(GENERIC_PROFILE_NAME, usercfgdir); | ||
1099 | free(usercfgdir); | ||
1100 | |||
1101 | if (!custom_profile) { | ||
1102 | // look for the profile in /etc/firejail directory | ||
1103 | custom_profile = profile_find(GENERIC_PROFILE_NAME, "/etc/firejail"); | ||
1104 | } | ||
1105 | } | ||
1106 | |||
1077 | // check and assign an IP address - for macvlan it will be done again in the sandbox! | 1107 | // check and assign an IP address - for macvlan it will be done again in the sandbox! |
1078 | if (any_bridge_configured()) { | 1108 | if (any_bridge_configured()) { |
1079 | lockfd = open("/tmp/firejail/firejail.lock", O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR); | 1109 | lockfd = open("/tmp/firejail/firejail.lock", O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR); |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 1f9e37248..602b68ebb 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -134,6 +134,10 @@ void usage(void) { | |||
134 | printf("\t\tsupplementary groups are enabled for the user starting the\n"); | 134 | printf("\t\tsupplementary groups are enabled for the user starting the\n"); |
135 | printf("\t\tsandbox. For root user supplementary groups are always\n"); | 135 | printf("\t\tsandbox. For root user supplementary groups are always\n"); |
136 | printf("\t\tdisabled.\n\n"); | 136 | printf("\t\tdisabled.\n\n"); |
137 | |||
138 | printf("\t--noprofile - do not use a profile. Profile priority is use the one\n"); | ||
139 | printf("\t\tspecified on the command line, next try to find one that\n"); | ||
140 | printf("\t\tmatches the command name, and lastly use %s.profile.\n\n",GENERIC_PROFILE_NAME); | ||
137 | 141 | ||
138 | printf("\t--noroot - install a user namespace with a single user - the current\n"); | 142 | printf("\t--noroot - install a user namespace with a single user - the current\n"); |
139 | printf("\t\tuser. root user does not exist in the new namespace. This option\n"); | 143 | printf("\t\tuser. root user does not exist in the new namespace. This option\n"); |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 2e87fbb8e..d78ce6723 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -565,6 +565,37 @@ uid=1000(netblue) gid=1000(netblue) groups=1000(netblue) | |||
565 | $ | 565 | $ |
566 | 566 | ||
567 | .TP | 567 | .TP |
568 | \fB\-\-noprofile | ||
569 | Do not use a profile. Profile priority is use the one | ||
570 | specified on the command line, next try to find one that | ||
571 | matches the command name, and lastly use generic.profile. | ||
572 | .br | ||
573 | |||
574 | .br | ||
575 | Example: | ||
576 | .br | ||
577 | $ firejail \-\-noprofile | ||
578 | .br | ||
579 | Parent pid 8553, child pid 8554 | ||
580 | .br | ||
581 | Child process initialized | ||
582 | .br | ||
583 | $ exit | ||
584 | .br | ||
585 | .br | ||
586 | parent is shutting down, bye... | ||
587 | .br | ||
588 | $ firejail | ||
589 | .br | ||
590 | Reading profile /etc/firejail/generic.profile | ||
591 | .br | ||
592 | Parent pid 8553, child pid 8554 | ||
593 | .br | ||
594 | Child process initialized | ||
595 | .br | ||
596 | $ | ||
597 | |||
598 | .TP | ||
568 | \fB\-\-noroot | 599 | \fB\-\-noroot |
569 | Install a user namespace with a single user - the current user. | 600 | Install a user namespace with a single user - the current user. |
570 | root user does not exist in the new namespace. This option | 601 | root user does not exist in the new namespace. This option |