4 files changed, 45 insertions, 4 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 74958487c..ab2fedbd8 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -81,7 +81,7 @@ typedef struct config_t {
        
        // filesystem
        ProfileEntry *profile;
-#define MAX_PROFILE_IGNORE 16   
+#define MAX_PROFILE_IGNORE 32   
        char *profile_ignore[MAX_PROFILE_IGNORE];
        char *chrootdir;        // chroot directory
        char *home_private;     // private home directory
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 1195dd14d..3edeabee9 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -75,6 +75,27 @@ int profile_check_line(char *ptr, int lineno) {
                if (strncmp(ptr, cfg.profile_ignore[i], strlen(cfg.profile_ignore[i])) == 0)
                        return 0;       // ignore line
        }
+        
+        if (strncmp(ptr, "ignore ", 7) == 0) {
+                char *str = strdup(ptr + 7);
+                if (*str == '\0') {
+                        fprintf(stderr, "Error: invalid ignore option\n");
+                        exit(1);
+                }
+                // find an empty entry in profile_ignore array
+                int j;
+                for (j = 0; j < MAX_PROFILE_IGNORE; j++) {
+                        if (cfg.profile_ignore[j] == NULL) 
+                                break;
+                }
+                if (j >= MAX_PROFILE_IGNORE) {
+                        fprintf(stderr, "Error: maximum %d --ignore options are permitted\n", MAX_PROFILE_IGNORE);
+                        exit(1);
+                }
+                // ... and configure it
+                cfg.profile_ignore[j] = str;
+                return 0;
+        }
        // seccomp, caps, private, user namespace
        if (strcmp(ptr, "noroot") == 0) {
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 1369fdc91..02a54e685 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -64,7 +64,10 @@ Child process initialized
 .RE
 .SH Scripting
-Include and comment support:
+Scripting commands:
+.TP
+# this is a comment
 .TP
 \f\include other.profile exclude-token
@@ -83,13 +86,21 @@ Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1"
 Note: exclude-token is deprecated, use noblacklist command instead.
 .TP
-# this is a comment
+\f\noblacklist file_name
+If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow.
+Example: "noblacklist ${HOME}/.mozilla"
+.TP
+\f\ignore command
+Ignore command.
+Example: "ignore seccomp"
 .SH Filesystem
 These profile entries define a chroot filesystem built on top of the existing
 host filesystem. Each line describes a file element that is removed from
 the filesystem (\fBblacklist\fR), a read-only file or directory (\fBread-only\fR),
-a filter for finer control of blacklisting (\fBnoblacklist\fR),
 a tmpfs mounted on top of an existing directory (\fBtmpfs\fR),
 or mount-bind a directory  or file on top of another directory or file (\fBbind\fR).
 Use \fBprivate\fR to set private mode.
diff --git a/test/ignore.exp b/test/ignore.exp
index bdbd9d28c..ab7f0655f 100755
--- a/test/ignore.exp
+++ b/test/ignore.exp
@@ -33,6 +33,15 @@ expect {
        "4"
 }
 sleep 1
+send -- "exit\r"
+sleep 1
+send -- "firejail --debug --profile=ignore2.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        BLACKLIST {puts "TESTING ERROR 6\n";exit}
+        "Child process initialized"
+}
 puts "\nall done\n"

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 74958487c..ab2fedbd8 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -81,7 +81,7 @@ typedef struct config_t {
81		81
82	// filesystem	82	// filesystem
83	ProfileEntry *profile;	83	ProfileEntry *profile;
84	#define MAX_PROFILE_IGNORE 16	84	#define MAX_PROFILE_IGNORE 32
85	char *profile_ignore[MAX_PROFILE_IGNORE];	85	char *profile_ignore[MAX_PROFILE_IGNORE];
86	char *chrootdir; // chroot directory	86	char *chrootdir; // chroot directory
87	char *home_private; // private home directory	87	char *home_private; // private home directory


diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 1195dd14d..3edeabee9 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c
@@ -75,6 +75,27 @@ int profile_check_line(char *ptr, int lineno) {
75	if (strncmp(ptr, cfg.profile_ignore[i], strlen(cfg.profile_ignore[i])) == 0)	75	if (strncmp(ptr, cfg.profile_ignore[i], strlen(cfg.profile_ignore[i])) == 0)
76	return 0; // ignore line	76	return 0; // ignore line
77	}	77	}
		78
		79	if (strncmp(ptr, "ignore ", 7) == 0) {
		80	char *str = strdup(ptr + 7);
		81	if (*str == '\0') {
		82	fprintf(stderr, "Error: invalid ignore option\n");
		83	exit(1);
		84	}
		85	// find an empty entry in profile_ignore array
		86	int j;
		87	for (j = 0; j < MAX_PROFILE_IGNORE; j++) {
		88	if (cfg.profile_ignore[j] == NULL)
		89	break;
		90	}
		91	if (j >= MAX_PROFILE_IGNORE) {
		92	fprintf(stderr, "Error: maximum %d --ignore options are permitted\n", MAX_PROFILE_IGNORE);
		93	exit(1);
		94	}
		95	// ... and configure it
		96	cfg.profile_ignore[j] = str;
		97	return 0;
		98	}
78		99
79	// seccomp, caps, private, user namespace	100	// seccomp, caps, private, user namespace
80	if (strcmp(ptr, "noroot") == 0) {	101	if (strcmp(ptr, "noroot") == 0) {


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 1369fdc91..02a54e685 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -64,7 +64,10 @@ Child process initialized
64	.RE	64	.RE
65		65
66	.SH Scripting	66	.SH Scripting
67	Include and comment support:	67	Scripting commands:
		68
		69	.TP
		70	# this is a comment
68		71
69	.TP	72	.TP
70	\f\include other.profile exclude-token	73	\f\include other.profile exclude-token
@@ -83,13 +86,21 @@ Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1"
83	Note: exclude-token is deprecated, use noblacklist command instead.	86	Note: exclude-token is deprecated, use noblacklist command instead.
84		87
85	.TP	88	.TP
86	# this is a comment	89	\f\noblacklist file_name
		90	If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow.
		91
		92	Example: "noblacklist ${HOME}/.mozilla"
		93
		94	.TP
		95	\f\ignore command
		96	Ignore command.
		97
		98	Example: "ignore seccomp"
87		99
88	.SH Filesystem	100	.SH Filesystem
89	These profile entries define a chroot filesystem built on top of the existing	101	These profile entries define a chroot filesystem built on top of the existing
90	host filesystem. Each line describes a file element that is removed from	102	host filesystem. Each line describes a file element that is removed from
91	the filesystem (\fBblacklist\fR), a read-only file or directory (\fBread-only\fR),	103	the filesystem (\fBblacklist\fR), a read-only file or directory (\fBread-only\fR),
92	a filter for finer control of blacklisting (\fBnoblacklist\fR),
93	a tmpfs mounted on top of an existing directory (\fBtmpfs\fR),	104	a tmpfs mounted on top of an existing directory (\fBtmpfs\fR),
94	or mount-bind a directory or file on top of another directory or file (\fBbind\fR).	105	or mount-bind a directory or file on top of another directory or file (\fBbind\fR).
95	Use \fBprivate\fR to set private mode.	106	Use \fBprivate\fR to set private mode.


diff --git a/test/ignore.exp b/test/ignore.exp index bdbd9d28c..ab7f0655f 100755 --- a/test/ignore.exp +++ b/test/ignore.exp
@@ -33,6 +33,15 @@ expect {
33	"4"	33	"4"
34	}	34	}
35	sleep 1	35	sleep 1
		36	send -- "exit\r"
		37	sleep 1
		38
		39	send -- "firejail --debug --profile=ignore2.profile\r"
		40	expect {
		41	timeout {puts "TESTING ERROR 5\n";exit}
		42	BLACKLIST {puts "TESTING ERROR 6\n";exit}
		43	"Child process initialized"
		44	}
36		45
37		46
38	puts "\nall done\n"	47	puts "\nall done\n"