diff options
-rw-r--r-- | etc/firejail.config | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 34 | ||||
-rw-r--r-- | src/firejail/profile.c | 63 |
3 files changed, 59 insertions, 40 deletions
diff --git a/etc/firejail.config b/etc/firejail.config index 8e830f707..b37edf7a5 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
@@ -54,7 +54,7 @@ | |||
54 | # root user can always join sandboxes. | 54 | # root user can always join sandboxes. |
55 | # join yes | 55 | # join yes |
56 | 56 | ||
57 | #Enable or disable sandbox name change, default enabled. | 57 | # Enable or disable sandbox name change, default enabled. |
58 | # name-change yes | 58 | # name-change yes |
59 | 59 | ||
60 | # Enable or disable networking features, default enabled. | 60 | # Enable or disable networking features, default enabled. |
diff --git a/src/firejail/main.c b/src/firejail/main.c index c262402fa..2a8ee3e0f 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -733,26 +733,30 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
733 | else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { | 733 | else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { |
734 | // NOTE: this is first part of option handler, | 734 | // NOTE: this is first part of option handler, |
735 | // sandbox name is set in other part | 735 | // sandbox name is set in other part |
736 | logargs(argc, argv); | 736 | if (checkcfg(CFG_JOIN) || getuid() == 0) { |
737 | logargs(argc, argv); | ||
737 | 738 | ||
738 | if (arg_shell_none) { | 739 | if (arg_shell_none) { |
739 | if (argc <= (i+1)) { | 740 | if (argc <= (i+1)) { |
740 | fprintf(stderr, "Error: --shell=none set, but no command specified\n"); | 741 | fprintf(stderr, "Error: --shell=none set, but no command specified\n"); |
741 | exit(1); | 742 | exit(1); |
743 | } | ||
744 | cfg.original_program_index = i + 1; | ||
742 | } | 745 | } |
743 | cfg.original_program_index = i + 1; | ||
744 | } | ||
745 | 746 | ||
746 | // try to join by name only | 747 | // try to join by name only |
747 | pid_t pid; | 748 | pid_t pid; |
748 | if (!read_pid(argv[i] + 16, &pid)) { | 749 | if (!read_pid(argv[i] + 16, &pid)) { |
749 | if (!cfg.shell && !arg_shell_none) | 750 | if (!cfg.shell && !arg_shell_none) |
750 | cfg.shell = guess_shell(); | 751 | cfg.shell = guess_shell(); |
751 | 752 | ||
752 | join(pid, argc, argv, i + 1); | 753 | join(pid, argc, argv, i + 1); |
753 | exit(0); | 754 | exit(0); |
755 | } | ||
756 | // if there no such sandbox continue argument processing | ||
754 | } | 757 | } |
755 | // if there no such sandbox continue argument processing | 758 | else |
759 | exit_err_feature("join"); | ||
756 | } | 760 | } |
757 | #ifdef HAVE_NETWORK | 761 | #ifdef HAVE_NETWORK |
758 | else if (strncmp(argv[i], "--join-network=", 15) == 0) { | 762 | else if (strncmp(argv[i], "--join-network=", 15) == 0) { |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 348b4e0ca..bc66aca78 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -241,6 +241,7 @@ error: | |||
241 | // return 1 if the command is to be added to the linked list of profile commands | 241 | // return 1 if the command is to be added to the linked list of profile commands |
242 | // return 0 if the command was already executed inside the function | 242 | // return 0 if the command was already executed inside the function |
243 | int profile_check_line(char *ptr, int lineno, const char *fname) { | 243 | int profile_check_line(char *ptr, int lineno, const char *fname) { |
244 | static int whitelist_warning_printed = 0; | ||
244 | EUID_ASSERT(); | 245 | EUID_ASSERT(); |
245 | 246 | ||
246 | // check and process conditional profile lines | 247 | // check and process conditional profile lines |
@@ -1126,8 +1127,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1126 | } | 1127 | } |
1127 | cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); | 1128 | cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); |
1128 | } | 1129 | } |
1129 | 1130 | else | |
1131 | warning_feature_disabled("overlayfs"); | ||
1130 | return 0; | 1132 | return 0; |
1133 | |||
1131 | } else if (strcmp(ptr, "overlay-tmpfs") == 0) { | 1134 | } else if (strcmp(ptr, "overlay-tmpfs") == 0) { |
1132 | if (checkcfg(CFG_OVERLAYFS)) { | 1135 | if (checkcfg(CFG_OVERLAYFS)) { |
1133 | if (arg_overlay) { | 1136 | if (arg_overlay) { |
@@ -1144,9 +1147,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1144 | exit(1); | 1147 | exit(1); |
1145 | } | 1148 | } |
1146 | arg_overlay = 1; | 1149 | arg_overlay = 1; |
1147 | |||
1148 | return 0; | ||
1149 | } | 1150 | } |
1151 | else | ||
1152 | warning_feature_disabled("overlayfs"); | ||
1153 | return 0; | ||
1154 | |||
1150 | } else if (strcmp(ptr, "overlay") == 0) { | 1155 | } else if (strcmp(ptr, "overlay") == 0) { |
1151 | if (checkcfg(CFG_OVERLAYFS)) { | 1156 | if (checkcfg(CFG_OVERLAYFS)) { |
1152 | if (arg_overlay) { | 1157 | if (arg_overlay) { |
@@ -1171,9 +1176,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1171 | cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); | 1176 | cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); |
1172 | 1177 | ||
1173 | free(subdirname); | 1178 | free(subdirname); |
1174 | |||
1175 | return 0; | ||
1176 | } | 1179 | } |
1180 | else | ||
1181 | warning_feature_disabled("overlayfs"); | ||
1182 | return 0; | ||
1177 | } | 1183 | } |
1178 | #endif | 1184 | #endif |
1179 | 1185 | ||
@@ -1260,26 +1266,30 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1260 | } | 1266 | } |
1261 | 1267 | ||
1262 | if (strncmp(ptr, "join-or-start ", 14) == 0) { | 1268 | if (strncmp(ptr, "join-or-start ", 14) == 0) { |
1263 | // try to join by name only | 1269 | if (checkcfg(CFG_JOIN) || getuid() == 0) { |
1264 | pid_t pid; | 1270 | // try to join by name only |
1265 | if (!name2pid(ptr + 14, &pid)) { | 1271 | pid_t pid; |
1266 | if (!cfg.shell && !arg_shell_none) | 1272 | if (!name2pid(ptr + 14, &pid)) { |
1267 | cfg.shell = guess_shell(); | 1273 | if (!cfg.shell && !arg_shell_none) |
1268 | 1274 | cfg.shell = guess_shell(); | |
1269 | // find first non-option arg | 1275 | |
1270 | int i; | 1276 | // find first non-option arg |
1271 | for (i = 1; i < cfg.original_argc && strncmp(cfg.original_argv[i], "--", 2) != 0; i++); | 1277 | int i; |
1272 | 1278 | for (i = 1; i < cfg.original_argc && strncmp(cfg.original_argv[i], "--", 2) != 0; i++); | |
1273 | join(pid, cfg.original_argc,cfg.original_argv, i + 1); | 1279 | |
1274 | exit(0); | 1280 | join(pid, cfg.original_argc,cfg.original_argv, i + 1); |
1275 | } | 1281 | exit(0); |
1282 | } | ||
1276 | 1283 | ||
1277 | // set sandbox name and start normally | 1284 | // set sandbox name and start normally |
1278 | cfg.name = ptr + 14; | 1285 | cfg.name = ptr + 14; |
1279 | if (strlen(cfg.name) == 0) { | 1286 | if (strlen(cfg.name) == 0) { |
1280 | fprintf(stderr, "Error: invalid sandbox name\n"); | 1287 | fprintf(stderr, "Error: invalid sandbox name\n"); |
1281 | exit(1); | 1288 | exit(1); |
1289 | } | ||
1282 | } | 1290 | } |
1291 | else | ||
1292 | warning_feature_disabled("join"); | ||
1283 | return 0; | 1293 | return 0; |
1284 | } | 1294 | } |
1285 | 1295 | ||
@@ -1301,8 +1311,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1301 | arg_whitelist = 1; | 1311 | arg_whitelist = 1; |
1302 | ptr += 10; | 1312 | ptr += 10; |
1303 | } | 1313 | } |
1304 | else | 1314 | else { |
1315 | if (!whitelist_warning_printed) { | ||
1316 | warning_feature_disabled("whitelist"); | ||
1317 | whitelist_warning_printed = 1; | ||
1318 | } | ||
1305 | return 0; | 1319 | return 0; |
1320 | } | ||
1306 | #else | 1321 | #else |
1307 | return 0; | 1322 | return 0; |
1308 | #endif | 1323 | #endif |