-rw-r--r-- | etc/firejail.config | 3 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 9 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/fs_bin.c | 7 |
4 files changed, 20 insertions, 0 deletions
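--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -29,6 +29,9 @@
 # Enable or disable overlayfs features, default enabled.
 # overlayfs yes
 
+# Remove /usr/local directories from private-bin list, default disabled
+# private-bin-no-local no
+
 # Enable or disable private-home feature, default enabled
 # private-home yes
 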
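--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -40,6 +40,7 @@ int checkcfg(int val) {
 cfg_val[i] = 1; // most of them are enabled by default
 cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default
 cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default
+cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0; // disabled by default
 
 // open configuration file
 char *fname;
@@ -258,6 +259,14 @@ int checkcfg(int val) {
 else
 goto errout;
 }
+else if (strncmp(ptr, "private-bin-no-local ", 21) == 0) {
+if (strcmp(ptr + 21, "yes") == 0)
+cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 1;
+else if (strcmp(ptr + 21, "no") == 0)
+cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0;
+else
+goto errout;
+}
 else
 goto errout;
 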
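Review bot: The hand-counted length 21 in the new `strncmp(ptr, "private-bin-no-local ", 21)` branch, repeated in both `ptr + 21` value offsets, is a magic number that the compiler cannot check against the literal; it is correct today (the key plus trailing space is 21 characters), but any future edit of the key string would make the value comparison start at the wrong byte and silently reject valid "yes"/"no" settings. Deriving the length from the literal once, e.g. `else if (strncmp(ptr, "private-bin-no-local ", sizeof("private-bin-no-local ") - 1) == 0) {` and using the same expression for the two offsets, removes that coupling. This presumably mirrors the pattern of the neighbouring option branches, which are outside the hunk, so a file-wide cleanup may be the better place for it. checkcfg's body starts before the first hunk and continues after the second.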
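--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -651,6 +651,7 @@ enum {
 CFG_OVERLAYFS,
 CFG_CHROOT_DESKTOP,
 CFG_PRIVATE_HOME,
+CFG_PRIVATE_BIN_NO_LOCAL,
 CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;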
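--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -46,6 +46,13 @@ static char *check_dir_or_file(const char *name) {
 
 int i = 0;
 while (paths[i]) {
+// private-bin-no-local can be disabled in /etc/firejail/firejail.config
+if (checkcfg(CFG_PRIVATE_BIN_NO_LOCAL) && strstr(paths[i], "local/")) {
+i++;
+continue;
+}
+
+// check file
 if (asprintf(&fname, "%s/%s", paths[i], name) == -1)
 errExit("asprintf");
 if (arg_debug)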
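Review bot: The new filter `strstr(paths[i], "local/")` is a substring match, so it skips any search-path entry that contains "local/" anywhere, which is broader than the "/usr/local directories" the config option documents; the contents of `paths[]` are not visible in this hunk, but a prefix test such as `if (checkcfg(CFG_PRIVATE_BIN_NO_LOCAL) && strncmp(paths[i], "/usr/local/", 11) == 0) {` would pin the behaviour to the documented directory. The added comment is also misleading: checkcfg.c in this same commit sets the option to 0 by default, so the feature is enabled, not disabled, in firejail.config; `// private-bin-no-local can be enabled in /etc/firejail/firejail.config (off by default)` states it correctly. check_dir_or_file's body continues past the hunk.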