-rw-r--r-- | src/firejail/firejail.h | 5 | ||||
-rw-r--r-- | src/firejail/fs.c | 6 | ||||
-rw-r--r-- | src/firejail/fs_home.c | 4 | ||||
-rw-r--r-- | src/firejail/fs_hostname.c | 2 | ||||
-rw-r--r-- | src/firejail/fs_mkdir.c | 4 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 2 | ||||
-rw-r--r-- | src/firejail/macros.c | 7 | ||||
-rw-r--r-- | src/firejail/main.c | 60 | ||||
-rw-r--r-- | src/firejail/profile.c | 35 | ||||
-rw-r--r-- | src/firejail/usage.c | 2 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 13 | ||||
-rw-r--r-- | src/man/firejail.txt | 13 |
12 files changed, 97 insertions, 56 deletions
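--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -458,7 +458,8 @@ void fs_mnt(const int enforce);
 
 // profile.c
 // find and read the profile specified by name from dir directory
-int profile_find(const char *name, const char *dir);
+int profile_find(const char *name, const char *dir, int add_ext);
+int profile_find_firejail(const char *name, int add_ext);
 // read a profile file
 void profile_read(const char *fname);
 // check profile line; if line == 0, this was generated from a command line option
@@ -496,7 +497,7 @@ int arp_check(const char *dev, uint32_t destaddr);
 uint32_t arp_assign(const char *dev, Bridge *br);
 
 // macros.c
-char *expand_home(const char *path, const char *homedir);
+char *expand_macros(const char *path);
 char *resolve_macro(const char *name);
 void invalid_filename(const char *fname, int globbing);
 int is_macro(const char *name);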
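--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -257,8 +257,6 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
 
 // blacklist files or directories by mounting empty files on top of them
 void fs_blacklist(void) {
-	char *homedir = cfg.homedir;
-	assert(homedir);
 	ProfileEntry *entry = cfg.profile;
 	if (!entry)
 		return;
@@ -335,7 +333,7 @@ void fs_blacklist(void) {
 			enames = calloc(2, sizeof(char *));
 			if (!enames)
 				errExit("calloc");
-			enames[0] = expand_home(entry->data + 12, homedir);
+			enames[0] = expand_macros(entry->data + 12);
 			assert(enames[1] == 0);
 		}
 
@@ -401,7 +399,7 @@ void fs_blacklist(void) {
 		}
 
 		// replace home macro in blacklist array
-		char *new_name = expand_home(ptr, homedir);
+		char *new_name = expand_macros(ptr);
 		ptr = new_name;
 
 		// expand path macro - look for the file in /usr/local/bin, /usr/local/sbin, /bin, /usr/bin, /sbin and /usr/sbin directories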
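--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -355,7 +355,7 @@ void fs_check_private_dir(void) {
 	invalid_filename(cfg.home_private, 0); // no globbing
 
 	// Expand the home directory
-	char *tmp = expand_home(cfg.home_private, cfg.homedir);
+	char *tmp = expand_macros(cfg.home_private);
 	cfg.home_private = realpath(tmp, NULL);
 	free(tmp);
 
@@ -378,7 +378,7 @@ static char *check_dir_or_file(const char *name) {
 		printf("Private home: checking %s\n", name);
 
 	// expand home directory
-	char *fname = expand_home(name, cfg.homedir);
+	char *fname = expand_macros(name);
 	assert(fname);
 
 	// If it doesn't start with '/', it must be relative to homedir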
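--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -189,7 +189,7 @@ void fs_resolvconf(void) {
 char *fs_check_hosts_file(const char *fname) {
 	assert(fname);
 	invalid_filename(fname, 0); // no globbing
-	char *rv = expand_home(fname, cfg.homedir);
+	char *rv = expand_macros(fname);
 
 	// no a link
 	if (is_link(rv))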
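--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -60,7 +60,7 @@ void fs_mkdir(const char *name) {
 
 	// check directory name
 	invalid_filename(name, 0); // no globbing
-	char *expanded = expand_home(name, cfg.homedir);
+	char *expanded = expand_macros(name);
 	if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0 &&
 	    strncmp(expanded, "/tmp", 4) != 0) {
 		fprintf(stderr, "Error: only directories in user home or /tmp are supported by mkdir\n");
@@ -100,7 +100,7 @@ void fs_mkfile(const char *name) {
 
 	// check file name
 	invalid_filename(name, 0); // no globbing
-	char *expanded = expand_home(name, cfg.homedir);
+	char *expanded = expand_macros(name);
 	if (strncmp(expanded, cfg.homedir, strlen(cfg.homedir)) != 0 &&
 	    strncmp(expanded, "/tmp", 4) != 0) {
 		fprintf(stderr, "Error: only files in user home or /tmp are supported by mkfile\n");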
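--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -368,7 +368,7 @@ void fs_whitelist(void) {
 		char *dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10;
 
 		// replace ~/ or ${HOME} into /home/username or resolve macro
-		new_name = expand_home(dataptr, cfg.homedir);
+		new_name = expand_macros(dataptr);
 		assert(new_name);
 
 		// mount empty home directory if resolving the macro was not successful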
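--- a/src/firejail/macros.c
+++ b/src/firejail/macros.c
@@ -192,9 +192,8 @@ char *resolve_macro(const char *name) {
 // directory (supplied).
 // The return value is allocated using malloc and must be freed by the caller.
 // The function returns NULL if there are any errors.
-char *expand_home(const char *path, const char *homedir) {
+char *expand_macros(const char *path) {
 	assert(path);
-	assert(homedir);
 
 	int called_as_root = 0;
 
@@ -210,14 +209,14 @@ char *expand_home(const char *path, const char *homedir) {
 	// Replace home macro
 	char *new_name = NULL;
 	if (strncmp(path, "${HOME}", 7) == 0) {
-		if (asprintf(&new_name, "%s%s", homedir, path + 7) == -1)
+		if (asprintf(&new_name, "%s%s", cfg.homedir, path + 7) == -1)
 			errExit("asprintf");
 		if(called_as_root)
 			EUID_ROOT();
 		return new_name;
 	}
 	else if (*path == '~') {
-		if (asprintf(&new_name, "%s%s", homedir, path + 1) == -1)
+		if (asprintf(&new_name, "%s%s", cfg.homedir, path + 1) == -1)
 			errExit("asprintf");
 		if(called_as_root)
 			EUID_ROOT();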
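Review bot: The header comment above `expand_macros` still ends with `// directory (supplied).` (line 192), but the commit removes the homedir parameter and reads `cfg.homedir` directly, so the comment now describes an argument that no longer exists; rewording that line to say the home directory is taken from `cfg.homedir` keeps the contract accurate. The removed `assert(homedir)` is replaced only by the one-time `assert(cfg.homedir)` after init_cfg in main.c, while expand_macros is also reached from profile_read and the fs_*.c call sites in this commit; keeping an `assert(cfg.homedir);` next to `assert(path);` preserves the local precondition for those callers at no cost. The body of expand_macros continues outside both hunks, so the remaining uses of the old parameter cannot be checked from here.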
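--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -868,6 +868,7 @@ int main(int argc, char **argv) {
 
 	// check if the user is allowed to use firejail
 	init_cfg(argc, argv);
+	assert(cfg.homedir);
 
 	// get starting timestamp, process --quiet
 	start_timestamp = getticks();
@@ -1480,12 +1481,37 @@ int main(int argc, char **argv) {
 				exit(1);
 			}
 
-			char *ppath = expand_home(argv[i] + 10, cfg.homedir);
+			char *ppath = expand_macros(argv[i] + 10);
 			if (!ppath)
 				errExit("strdup");
 
-			profile_read(ppath);
-			custom_profile = 1;
+			if (access(ppath, R_OK)) {
+				char *ptr = ppath;
+				while (*ptr != '/' && *ptr != '.' && *ptr != '\0')
+					ptr++;
+				// profile path contains no / or . chars,
+				// assume its a profile name
+				if (*ptr != '\0') {
+					fprintf(stderr, "Error: inaccessible profile file: %s\n", ppath);
+					exit(1);
+				}
+
+				// profile was not read in previously, try to see if
+				// we were given a profile name.
+				if (!profile_find_firejail(ppath, 1)) {
+					// do not fall through to default profile,
+					// because the user should be notified that
+					// given profile arg could not be used.
+					fprintf(stderr, "Error: no profile with name \"%s\" found.\n", ppath);
+					exit(1);
+				}
+				else
+					custom_profile = 1;
+			}
+			else {
+				profile_read(ppath);
+				custom_profile = 1;
+			}
 			free(ppath);
 		}
 		else if (strcmp(argv[i], "--noprofile") == 0) {
@@ -2326,21 +2352,8 @@ int main(int argc, char **argv) {
 
 
 	// load the profile
-	if (!arg_noprofile) {
-		if (!custom_profile) {
-			// look for a profile in ~/.config/firejail directory
-			char *usercfgdir;
-			if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)
-				errExit("asprintf");
-			int rv = profile_find(cfg.command_name, usercfgdir);
-			free(usercfgdir);
-			custom_profile = rv;
-		}
-		if (!custom_profile) {
-			// look for a user profile in /etc/firejail directory
-			int rv = profile_find(cfg.command_name, SYSCONFDIR);
-			custom_profile = rv;
-		}
+	if (!arg_noprofile && !custom_profile) {
+		custom_profile = profile_find_firejail(cfg.command_name, 1);
 	}
 
 	// use default.profile as the default
@@ -2351,16 +2364,7 @@ int main(int argc, char **argv) {
 		if (arg_debug)
 			printf("Attempting to find %s.profile...\n", profile_name);
 
-		// look for the profile in ~/.config/firejail directory
-		char *usercfgdir;
-		if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)
-			errExit("asprintf");
-		custom_profile = profile_find(profile_name, usercfgdir);
-		free(usercfgdir);
-
-		if (!custom_profile)
-			// look for the profile in /etc/firejail directory
-			custom_profile = profile_find(profile_name, SYSCONFDIR);
+		custom_profile = profile_find_firejail(profile_name, 1);
 
 		if (!custom_profile) {
 			fprintf(stderr, "Error: no default.profile installed\n");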
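Review bot: `if (access(ppath, R_OK))` at new line 1488 treats every failure the same, so an argument without '/' or '.' that names an existing but unreadable file in the current directory is silently reinterpreted as a profile name and ends in the misleading `no profile with name` error instead of the `inaccessible profile file` one. Saving errno and only taking the name-lookup path on ENOENT keeps the diagnosis accurate: `int saved_errno = errno;` directly after the access() call, and `if (*ptr != '\0' || saved_errno != ENOENT) {` in place of `if (*ptr != '\0') {`. The access()-then-profile_read() sequence is also a check-then-use pair on a path the user controls; profile_read presumably reports its own open failure, so the pre-check should be treated only as the heuristic that picks between file and name, not as the authoritative readability test. The `--profile=` handler and main() itself continue outside the hunk.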
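--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -25,26 +25,29 @@ extern char *xephyr_screen;
 #define MAX_READ 8192 // line buffer for profile files
 
 // find and read the profile specified by name from dir directory
-int profile_find(const char *name, const char *dir) {
+int profile_find(const char *name, const char *dir, int add_ext) {
 	EUID_ASSERT();
 	assert(name);
 	assert(dir);
 
 	int rv = 0;
 	DIR *dp;
-	char *pname;
-	if (asprintf(&pname, "%s.profile", name) == -1)
-		errExit("asprintf");
+	char *pname = NULL;
+	if (add_ext)
+		if (asprintf(&pname, "%s.profile", name) == -1)
+			errExit("asprintf");
+		else
+			name = pname;
 
 	dp = opendir (dir);
 	if (dp != NULL) {
 		struct dirent *ep;
 		while ((ep = readdir(dp)) != NULL) {
-			if (strcmp(ep->d_name, pname) == 0) {
+			if (strcmp(ep->d_name, name) == 0) {
 				if (arg_debug)
 					printf("Found %s profile in %s directory\n", name, dir);
 				char *etcpname;
-				if (asprintf(&etcpname, "%s/%s", dir, pname) == -1)
+				if (asprintf(&etcpname, "%s/%s", dir, name) == -1)
 					errExit("asprintf");
 				profile_read(etcpname);
 				free(etcpname);
@@ -55,10 +58,26 @@ int profile_find(const char *name, const char *dir) {
 		(void) closedir (dp);
 	}
 
-	free(pname);
+	if (pname)
+		free(pname);
 	return rv;
 }
 
+// search and read the profile specified by name from firejail directories
+int profile_find_firejail(const char *name, int add_ext) {
+	// look for a profile in ~/.config/firejail directory
+	char *usercfgdir;
+	if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)
+		errExit("asprintf");
+	int rv = profile_find(name, usercfgdir, add_ext);
+	free(usercfgdir);
+
+	if (!rv)
+		// look for a user profile in /etc/firejail directory
+		rv = profile_find(name, SYSCONFDIR, add_ext);
+
+	return rv;
+}
 
 //***************************************************
 // run-time profiles
@@ -1327,7 +1346,7 @@ void profile_read(const char *fname) {
 			char *newprofile = ptr + 8; // profile name
 
 			// expand ${HOME}/ in front of the new profile file
-			char *newprofile2 = expand_home(newprofile, cfg.homedir);
+			char *newprofile2 = expand_macros(newprofile);
 
 			// recursivity
 			profile_read((newprofile2)? newprofile2:newprofile);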
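Review bot: The brace-less nested `if (add_ext) if (asprintf(...) == -1) errExit("asprintf"); else name = pname;` at new lines 36-40 of profile_find relies on the dangling `else` binding to the inner `if`; the indentation happens to match, but a reader scanning the outer `if (add_ext)` will readily pair the `else` with it and conclude `name = pname` runs when add_ext is 0. Bracing the outer body removes the ambiguity and the `else` entirely, since errExit does not return: `if (add_ext) { if (asprintf(&pname, "%s.profile", name) == -1) errExit("asprintf"); name = pname; }`. The `if (pname) free(pname);` at new line 61 can be plain `free(pname);`, as free(NULL) is a no-op. profile_find's readdir loop body between the two hunks is not shown, so the point where rv is set could not be checked.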
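--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -164,7 +164,7 @@ static char *usage_str =
 	"    --private-tmp - mount a tmpfs on top of /tmp directory.\n"
 	"    --private-opt=file,directory - build a new /opt in a temporary filesystem.\n"
 	"    --private-srv=file,directory - build a new /srv in a temporary filesystem.\n"
-	"    --profile=filename - use a custom profile.\n"
+	"    --profile=filename|profile_name - use a custom profile.\n"
 	"    --profile.print=name|pid - print the name of profile file.\n"
 	"    --profile-path=directory - use this directory to look for profile files.\n"
 	"    --protocol=protocol,protocol,protocol - enable protocol filter.\n"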
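--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -5,12 +5,14 @@ profile \- Security profile file syntax for Firejail
 .SH USAGE
 .TP
 firejail \-\-profile=filename.profile
+.RE
+firejail \-\-profile=profile_name
 
 .SH DESCRIPTION
 Several command line options can be passed to the program using
 profile files. Firejail chooses the profile file as follows:
 
-\fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded.
+\fB1.\fR If a profile file is provided by the user with \-\-profile option, the profile file is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix.
 Example:
 .PP
 .RS
@@ -21,6 +23,15 @@ Reading profile /home/netblue/icecat.profile
 [...]
 .RE
 
+.PP
+.RS
+$ firejail --profile=icecat icecat-wrapper.sh
+.br
+Reading profile /home/netblue/icecat.profile
+.br
+[...]
+.RE
+
 \fB2.\fR If a profile file with the same name as the application is present in ~/.config/firejail directory or
 in /etc/firejail, the profile is loaded. ~/.config/firejail takes precedence over /etc/firejail. Example:
 .PP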
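--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1531,7 +1531,7 @@ drwxrwxrwt 2 nobody nogroup 4096 Apr 30 10:52 .X11-unix
 
 
 .TP
-\fB\-\-profile=filename
+\fB\-\-profile=filename_or_profilename
 Load a custom security profile from filename. For filename use an absolute path or a path relative to the current path.
 For more information, see \fBSECURITY PROFILES\fR section below.
 .br
@@ -2701,7 +2701,7 @@ The owner of the sandbox.
 Several command line options can be passed to the program using
 profile files. Firejail chooses the profile file as follows:
 
-1. If a profile file is provided by the user with --profile option, the profile file is loaded.
+1. If a profile file is provided by the user with --profile option, the profile file is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix.
 Example:
 .PP
 .RS
@@ -2712,6 +2712,15 @@ Reading profile /home/netblue/icecat.profile
 [...]
 .RE
 
+.PP
+.RS
+$ firejail --profile=icecat icecat-wrapper.sh
+.br
+Reading profile /home/netblue/icecat.profile
+.br
+[...]
+.RE
+
 2. If a profile file with the same name as the application is present in ~/.config/firejail directory or
 in /etc/firejail, the profile is loaded. ~/.config/firejail takes precedence over /etc/firejail. Example:
 .PP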