diff options
-rw-r--r-- | etc/inc/disable-programs.inc | 4 | ||||
-rw-r--r-- | etc/profile-a-l/audio-recorder.profile | 7 | ||||
-rw-r--r-- | etc/profile-a-l/discord-common.profile | 1 | ||||
-rw-r--r-- | etc/profile-a-l/firefox.profile | 8 | ||||
-rw-r--r-- | etc/profile-m-z/regextester.profile | 11 | ||||
-rw-r--r-- | etc/profile-m-z/steam.profile | 18 | ||||
-rw-r--r-- | etc/profile-m-z/xfce4-mixer.profile | 2 | ||||
-rw-r--r-- | src/fbuilder/build_bin.c | 2 | ||||
-rw-r--r-- | src/fbuilder/build_fs.c | 12 | ||||
-rw-r--r-- | src/fbuilder/build_home.c | 2 | ||||
-rw-r--r-- | src/fbuilder/build_profile.c | 23 | ||||
-rw-r--r-- | src/firejail/fs_etc.c | 61 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 12 | ||||
-rw-r--r-- | src/man/firejail.txt | 14 |
14 files changed, 124 insertions, 53 deletions
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index cc0c69df2..cbc8ef6d2 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
@@ -139,6 +139,7 @@ blacklist ${HOME}/.config/Rambox | |||
139 | blacklist ${HOME}/.config/Riot | 139 | blacklist ${HOME}/.config/Riot |
140 | blacklist ${HOME}/.config/Rocket.Chat | 140 | blacklist ${HOME}/.config/Rocket.Chat |
141 | blacklist ${HOME}/.config/RogueLegacy | 141 | blacklist ${HOME}/.config/RogueLegacy |
142 | blacklist ${HOME}/.config/RogueLegacyStorageContainer | ||
142 | blacklist ${HOME}/.config/Signal | 143 | blacklist ${HOME}/.config/Signal |
143 | blacklist ${HOME}/.config/Sinew Software Systems | 144 | blacklist ${HOME}/.config/Sinew Software Systems |
144 | blacklist ${HOME}/.config/Slack | 145 | blacklist ${HOME}/.config/Slack |
@@ -616,7 +617,8 @@ blacklist ${HOME}/.local/share/QGIS | |||
616 | blacklist ${HOME}/.local/share/QMediathekView | 617 | blacklist ${HOME}/.local/share/QMediathekView |
617 | blacklist ${HOME}/.local/share/QuiteRss | 618 | blacklist ${HOME}/.local/share/QuiteRss |
618 | blacklist ${HOME}/.local/share/Ricochet | 619 | blacklist ${HOME}/.local/share/Ricochet |
619 | blacklist ${HOME}/.local/share/RogueLegacy* | 620 | blacklist ${HOME}/.local/share/RogueLegacy |
621 | blacklist ${HOME}/.local/share/RogueLegacyStorageContainer | ||
620 | blacklist ${HOME}/.local/share/Shortwave | 622 | blacklist ${HOME}/.local/share/Shortwave |
621 | blacklist ${HOME}/.local/share/Steam | 623 | blacklist ${HOME}/.local/share/Steam |
622 | blacklist ${HOME}/.local/share/SteamWorldDig | 624 | blacklist ${HOME}/.local/share/SteamWorldDig |
diff --git a/etc/profile-a-l/audio-recorder.profile b/etc/profile-a-l/audio-recorder.profile index b2ed3b030..2c7fdc812 100644 --- a/etc/profile-a-l/audio-recorder.profile +++ b/etc/profile-a-l/audio-recorder.profile | |||
@@ -20,6 +20,7 @@ include disable-xdg.inc | |||
20 | whitelist ${MUSIC} | 20 | whitelist ${MUSIC} |
21 | whitelist ${DOWNLOADS} | 21 | whitelist ${DOWNLOADS} |
22 | whitelist /usr/share/audio-recorder | 22 | whitelist /usr/share/audio-recorder |
23 | whitelist /usr/share/gstreamer-1.0 | ||
23 | include whitelist-common.inc | 24 | include whitelist-common.inc |
24 | include whitelist-usr-share-common.inc | 25 | include whitelist-usr-share-common.inc |
25 | include whitelist-var-common.inc | 26 | include whitelist-var-common.inc |
@@ -44,7 +45,11 @@ tracelog | |||
44 | disable-mnt | 45 | disable-mnt |
45 | # private-bin audio-recorder | 46 | # private-bin audio-recorder |
46 | private-cache | 47 | private-cache |
47 | private-etc alternatives,fonts | 48 | private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload |
48 | private-tmp | 49 | private-tmp |
49 | 50 | ||
51 | dbus-user filter | ||
52 | dbus-user.talk ca.desrt.dconf | ||
53 | dbus-system none | ||
54 | |||
50 | # memory-deny-write-execute - breaks on Arch | 55 | # memory-deny-write-execute - breaks on Arch |
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile index b583f1a1d..b83e626d9 100644 --- a/etc/profile-a-l/discord-common.profile +++ b/etc/profile-a-l/discord-common.profile | |||
@@ -18,6 +18,7 @@ ignore dbus-user none | |||
18 | ignore dbus-system none | 18 | ignore dbus-system none |
19 | 19 | ||
20 | ignore noexec ${HOME} | 20 | ignore noexec ${HOME} |
21 | ignore novideo | ||
21 | 22 | ||
22 | whitelist ${HOME}/.config/BetterDiscord | 23 | whitelist ${HOME}/.config/BetterDiscord |
23 | whitelist ${HOME}/.local/share/betterdiscordctl | 24 | whitelist ${HOME}/.local/share/betterdiscordctl |
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile index cefba93d4..b22a78458 100644 --- a/etc/profile-a-l/firefox.profile +++ b/etc/profile-a-l/firefox.profile | |||
@@ -6,6 +6,14 @@ include firefox.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # NOTE: sandboxing web browsers is as important as it is complex. Users might be | ||
10 | # interested in creating custom profiles depending on use case (e.g. one for | ||
11 | # general browsing, another for banking, ...). Consult our FAQ/issue tracker for more | ||
12 | # info. Here are a few links to get you going. | ||
13 | # https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#firefox-doesnt-open-in-a-new-sandbox-instead-it-opens-a-new-tab-in-an-existing-firefox-instance | ||
14 | # https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox | ||
15 | # https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968 | ||
16 | |||
9 | noblacklist ${HOME}/.cache/mozilla | 17 | noblacklist ${HOME}/.cache/mozilla |
10 | noblacklist ${HOME}/.mozilla | 18 | noblacklist ${HOME}/.mozilla |
11 | 19 | ||
diff --git a/etc/profile-m-z/regextester.profile b/etc/profile-m-z/regextester.profile index 6fb0d4b5f..bab2badb5 100644 --- a/etc/profile-m-z/regextester.profile +++ b/etc/profile-m-z/regextester.profile | |||
@@ -16,9 +16,8 @@ include disable-shell.inc | |||
16 | include disable-xdg.inc | 16 | include disable-xdg.inc |
17 | 17 | ||
18 | whitelist /usr/share/com.github.artemanufrij.regextester | 18 | whitelist /usr/share/com.github.artemanufrij.regextester |
19 | include whitelist-usr-share-common.inc | ||
20 | |||
21 | include whitelist-common.inc | 19 | include whitelist-common.inc |
20 | include whitelist-usr-share-common.inc | ||
22 | include whitelist-var-common.inc | 21 | include whitelist-var-common.inc |
23 | 22 | ||
24 | apparmor | 23 | apparmor |
@@ -48,11 +47,9 @@ private-etc alternatives,fonts | |||
48 | private-lib libgranite.so.* | 47 | private-lib libgranite.so.* |
49 | private-tmp | 48 | private-tmp |
50 | 49 | ||
51 | # makes settings immutable | 50 | dbus-user filter |
52 | # dbus-user none | 51 | dbus-user.talk ca.desrt.dconf |
53 | # dbus-system none | 52 | dbus-system none |
54 | |||
55 | memory-deny-write-execute | ||
56 | 53 | ||
57 | # never write anything | 54 | # never write anything |
58 | read-only ${HOME} | 55 | read-only ${HOME} |
diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile index 0bcbe6da2..922823f98 100644 --- a/etc/profile-m-z/steam.profile +++ b/etc/profile-m-z/steam.profile | |||
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/Epic | |||
10 | noblacklist ${HOME}/.config/Loop_Hero | 10 | noblacklist ${HOME}/.config/Loop_Hero |
11 | noblacklist ${HOME}/.config/ModTheSpire | 11 | noblacklist ${HOME}/.config/ModTheSpire |
12 | noblacklist ${HOME}/.config/RogueLegacy | 12 | noblacklist ${HOME}/.config/RogueLegacy |
13 | noblacklist ${HOME}/.config/RogueLegacyStorageContainer | ||
13 | noblacklist ${HOME}/.killingfloor | 14 | noblacklist ${HOME}/.killingfloor |
14 | noblacklist ${HOME}/.klei | 15 | noblacklist ${HOME}/.klei |
15 | noblacklist ${HOME}/.local/share/3909/PapersPlease | 16 | noblacklist ${HOME}/.local/share/3909/PapersPlease |
@@ -22,7 +23,8 @@ noblacklist ${HOME}/.local/share/feral-interactive | |||
22 | noblacklist ${HOME}/.local/share/IntoTheBreach | 23 | noblacklist ${HOME}/.local/share/IntoTheBreach |
23 | noblacklist ${HOME}/.local/share/Paradox Interactive | 24 | noblacklist ${HOME}/.local/share/Paradox Interactive |
24 | noblacklist ${HOME}/.local/share/PillarsOfEternity | 25 | noblacklist ${HOME}/.local/share/PillarsOfEternity |
25 | noblacklist ${HOME}/.local/share/RogueLegacy* | 26 | noblacklist ${HOME}/.local/share/RogueLegacy |
27 | noblacklist ${HOME}/.local/share/RogueLegacyStorageContainer | ||
26 | noblacklist ${HOME}/.local/share/Steam | 28 | noblacklist ${HOME}/.local/share/Steam |
27 | noblacklist ${HOME}/.local/share/SteamWorldDig | 29 | noblacklist ${HOME}/.local/share/SteamWorldDig |
28 | noblacklist ${HOME}/.local/share/SteamWorld Dig 2 | 30 | noblacklist ${HOME}/.local/share/SteamWorld Dig 2 |
@@ -69,7 +71,7 @@ mkdir ${HOME}/.local/share/feral-interactive | |||
69 | mkdir ${HOME}/.local/share/IntoTheBreach | 71 | mkdir ${HOME}/.local/share/IntoTheBreach |
70 | mkdir ${HOME}/.local/share/Paradox Interactive | 72 | mkdir ${HOME}/.local/share/Paradox Interactive |
71 | mkdir ${HOME}/.local/share/PillarsOfEternity | 73 | mkdir ${HOME}/.local/share/PillarsOfEternity |
72 | mkdir ${HOME}/.local/share/RogueLegacy* | 74 | mkdir ${HOME}/.local/share/RogueLegacy |
73 | mkdir ${HOME}/.local/share/Steam | 75 | mkdir ${HOME}/.local/share/Steam |
74 | mkdir ${HOME}/.local/share/SteamWorldDig | 76 | mkdir ${HOME}/.local/share/SteamWorldDig |
75 | mkdir ${HOME}/.local/share/SteamWorld Dig 2 | 77 | mkdir ${HOME}/.local/share/SteamWorld Dig 2 |
@@ -86,6 +88,7 @@ whitelist ${HOME}/.config/Epic | |||
86 | whitelist ${HOME}/.config/Loop_Hero | 88 | whitelist ${HOME}/.config/Loop_Hero |
87 | whitelist ${HOME}/.config/ModTheSpire | 89 | whitelist ${HOME}/.config/ModTheSpire |
88 | whitelist ${HOME}/.config/RogueLegacy | 90 | whitelist ${HOME}/.config/RogueLegacy |
91 | whitelist ${HOME}/.config/RogueLegacyStorageContainer | ||
89 | whitelist ${HOME}/.config/unity3d | 92 | whitelist ${HOME}/.config/unity3d |
90 | whitelist ${HOME}/.killingfloor | 93 | whitelist ${HOME}/.killingfloor |
91 | whitelist ${HOME}/.klei | 94 | whitelist ${HOME}/.klei |
@@ -99,7 +102,8 @@ whitelist ${HOME}/.local/share/feral-interactive | |||
99 | whitelist ${HOME}/.local/share/IntoTheBreach | 102 | whitelist ${HOME}/.local/share/IntoTheBreach |
100 | whitelist ${HOME}/.local/share/Paradox Interactive | 103 | whitelist ${HOME}/.local/share/Paradox Interactive |
101 | whitelist ${HOME}/.local/share/PillarsOfEternity | 104 | whitelist ${HOME}/.local/share/PillarsOfEternity |
102 | whitelist ${HOME}/.local/share/RogueLegacy* | 105 | whitelist ${HOME}/.local/share/RogueLegacy |
106 | whitelist ${HOME}/.local/share/RogueLegacyStorageContainer | ||
103 | whitelist ${HOME}/.local/share/Steam | 107 | whitelist ${HOME}/.local/share/Steam |
104 | whitelist ${HOME}/.local/share/SteamWorldDig | 108 | whitelist ${HOME}/.local/share/SteamWorldDig |
105 | whitelist ${HOME}/.local/share/SteamWorld Dig 2 | 109 | whitelist ${HOME}/.local/share/SteamWorld Dig 2 |
@@ -115,6 +119,14 @@ whitelist ${HOME}/.steampid | |||
115 | include whitelist-common.inc | 119 | include whitelist-common.inc |
116 | include whitelist-var-common.inc | 120 | include whitelist-var-common.inc |
117 | 121 | ||
122 | # Note: The following were intentionally left out as they are alternative | ||
123 | # (i.e.: unnecessary and/or legacy) paths whose existence may potentially | ||
124 | # clobber other paths (see #4225). If you use any, either add the entry to | ||
125 | # steam.local or move the contents to a path listed above (or open an issue if | ||
126 | # it's missing above). | ||
127 | #mkdir ${HOME}/.config/RogueLegacyStorageContainer | ||
128 | #mkdir ${HOME}/.local/share/RogueLegacyStorageContainer | ||
129 | |||
118 | caps.drop all | 130 | caps.drop all |
119 | #ipc-namespace | 131 | #ipc-namespace |
120 | netfilter | 132 | netfilter |
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile index 78cb2862c..d9d1cd393 100644 --- a/etc/profile-m-z/xfce4-mixer.profile +++ b/etc/profile-m-z/xfce4-mixer.profile | |||
@@ -19,7 +19,7 @@ include disable-xdg.inc | |||
19 | 19 | ||
20 | mkfile ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml | 20 | mkfile ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml |
21 | whitelist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml | 21 | whitelist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml |
22 | whitelist /usr/share/gstreamer | 22 | whitelist /usr/share/gstreamer-* |
23 | whitelist /usr/share/xfce4 | 23 | whitelist /usr/share/xfce4 |
24 | whitelist /usr/share/xfce4-mixer | 24 | whitelist /usr/share/xfce4-mixer |
25 | include whitelist-common.inc | 25 | include whitelist-common.inc |
diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c index 96bd351f3..431aebee6 100644 --- a/src/fbuilder/build_bin.c +++ b/src/fbuilder/build_bin.c | |||
@@ -121,6 +121,6 @@ void build_bin(const char *fname, FILE *fp) { | |||
121 | ptr = ptr->next; | 121 | ptr = ptr->next; |
122 | } | 122 | } |
123 | fprintf(fp, "\n"); | 123 | fprintf(fp, "\n"); |
124 | fprintf(fp, "# private-lib\n"); | 124 | fprintf(fp, "#private-lib\n"); |
125 | } | 125 | } |
126 | } | 126 | } |
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c index 495f71ab8..ac0cd455a 100644 --- a/src/fbuilder/build_fs.c +++ b/src/fbuilder/build_fs.c | |||
@@ -220,6 +220,10 @@ static void tmp_callback(char *ptr) { | |||
220 | // skip strace file | 220 | // skip strace file |
221 | if (strncmp(ptr, "/tmp/firejail-strace", 20) == 0) | 221 | if (strncmp(ptr, "/tmp/firejail-strace", 20) == 0) |
222 | return; | 222 | return; |
223 | if (strncmp(ptr, "/tmp/runtime-", 13) == 0) | ||
224 | return; | ||
225 | if (strcmp(ptr, "/tmp") == 0) | ||
226 | return; | ||
223 | 227 | ||
224 | tmp_out = filedb_add(tmp_out, ptr); | 228 | tmp_out = filedb_add(tmp_out, ptr); |
225 | } | 229 | } |
@@ -232,8 +236,7 @@ void build_tmp(const char *fname, FILE *fp) { | |||
232 | if (tmp_out == NULL) | 236 | if (tmp_out == NULL) |
233 | fprintf(fp, "private-tmp\n"); | 237 | fprintf(fp, "private-tmp\n"); |
234 | else { | 238 | else { |
235 | fprintf(fp, "\n"); | 239 | fprintf(fp, "#private-tmp\n"); |
236 | fprintf(fp, "# private-tmp\n"); | ||
237 | fprintf(fp, "# File accessed in /tmp directory:\n"); | 240 | fprintf(fp, "# File accessed in /tmp directory:\n"); |
238 | fprintf(fp, "# "); | 241 | fprintf(fp, "# "); |
239 | FileDB *ptr = tmp_out; | 242 | FileDB *ptr = tmp_out; |
@@ -310,9 +313,8 @@ void build_dev(const char *fname, FILE *fp) { | |||
310 | if (dev_out == NULL) | 313 | if (dev_out == NULL) |
311 | fprintf(fp, "private-dev\n"); | 314 | fprintf(fp, "private-dev\n"); |
312 | else { | 315 | else { |
313 | fprintf(fp, "\n"); | 316 | fprintf(fp, "#private-dev\n"); |
314 | fprintf(fp, "# private-dev\n"); | 317 | fprintf(fp, "# This is the list of devices accessed on top of regular private-dev devices:\n"); |
315 | fprintf(fp, "# This is the list of devices accessed (on top of regular private-dev devices:\n"); | ||
316 | fprintf(fp, "# "); | 318 | fprintf(fp, "# "); |
317 | FileDB *ptr = dev_out; | 319 | FileDB *ptr = dev_out; |
318 | while (ptr) { | 320 | while (ptr) { |
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c index 683009b71..d7706282a 100644 --- a/src/fbuilder/build_home.c +++ b/src/fbuilder/build_home.c | |||
@@ -141,7 +141,7 @@ void process_home(const char *fname, char *home, int home_len) { | |||
141 | } | 141 | } |
142 | 142 | ||
143 | // skip files and directories in whitelist-common.inc | 143 | // skip files and directories in whitelist-common.inc |
144 | if (filedb_find(db_skip, toadd)) { | 144 | if (strlen(toadd) == 0 || filedb_find(db_skip, toadd)) { |
145 | if (dir) | 145 | if (dir) |
146 | free(dir); | 146 | free(dir); |
147 | continue; | 147 | continue; |
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index 96a83954d..0c1b57384 100644 --- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c | |||
@@ -150,12 +150,12 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
150 | 150 | ||
151 | fprintf(fp, "### basic blacklisting\n"); | 151 | fprintf(fp, "### basic blacklisting\n"); |
152 | fprintf(fp, "include disable-common.inc\n"); | 152 | fprintf(fp, "include disable-common.inc\n"); |
153 | fprintf(fp, "# include disable-devel.inc\n"); | 153 | fprintf(fp, "#include disable-devel.inc\n"); |
154 | fprintf(fp, "# include disable-exec.inc\n"); | 154 | fprintf(fp, "#include disable-exec.inc\n"); |
155 | fprintf(fp, "# include disable-interpreters.inc\n"); | 155 | fprintf(fp, "#include disable-interpreters.inc\n"); |
156 | fprintf(fp, "include disable-passwdmgr.inc\n"); | 156 | fprintf(fp, "include disable-passwdmgr.inc\n"); |
157 | fprintf(fp, "# include disable-programs.inc\n"); | 157 | fprintf(fp, "#include disable-programs.inc\n"); |
158 | fprintf(fp, "# include disable-xdg.inc\n"); | 158 | fprintf(fp, "#include disable-xdg.inc\n"); |
159 | fprintf(fp, "\n"); | 159 | fprintf(fp, "\n"); |
160 | 160 | ||
161 | fprintf(fp, "### home directory whitelisting\n"); | 161 | fprintf(fp, "### home directory whitelisting\n"); |
@@ -163,18 +163,17 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
163 | fprintf(fp, "\n"); | 163 | fprintf(fp, "\n"); |
164 | 164 | ||
165 | fprintf(fp, "### filesystem\n"); | 165 | fprintf(fp, "### filesystem\n"); |
166 | fprintf(fp, "# /usr/share:\n"); | 166 | fprintf(fp, "### /usr/share:\n"); |
167 | build_share(trace_output, fp); | 167 | build_share(trace_output, fp); |
168 | fprintf(fp, "# /var:\n"); | 168 | fprintf(fp, "### /var:\n"); |
169 | build_var(trace_output, fp); | 169 | build_var(trace_output, fp); |
170 | fprintf(fp, "\n"); | 170 | fprintf(fp, "### /bin:\n"); |
171 | fprintf(fp, "# $PATH:\n"); | ||
172 | build_bin(trace_output, fp); | 171 | build_bin(trace_output, fp); |
173 | fprintf(fp, "# /dev:\n"); | 172 | fprintf(fp, "### /dev:\n"); |
174 | build_dev(trace_output, fp); | 173 | build_dev(trace_output, fp); |
175 | fprintf(fp, "# /etc:\n"); | 174 | fprintf(fp, "### /etc:\n"); |
176 | build_etc(trace_output, fp); | 175 | build_etc(trace_output, fp); |
177 | fprintf(fp, "# /tmp:\n"); | 176 | fprintf(fp, "### /tmp:\n"); |
178 | build_tmp(trace_output, fp); | 177 | build_tmp(trace_output, fp); |
179 | fprintf(fp, "\n"); | 178 | fprintf(fp, "\n"); |
180 | 179 | ||
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index abec25d45..8cb25a1ff 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c | |||
@@ -76,6 +76,44 @@ void fs_machineid(void) { | |||
76 | } | 76 | } |
77 | } | 77 | } |
78 | 78 | ||
79 | // Duplicate directory structure from src to dst by creating empty directories. | ||
80 | // The paths _must_ be identical after their respective prefixes. | ||
81 | // When finished, dst will point to the target directory. That is, if | ||
82 | // it starts out pointing to a file, it will instead be truncated so | ||
83 | // that it contains the parent directory instead. | ||
84 | static void build_dirs(char *src, char *dst, size_t src_prefix_len, size_t dst_prefix_len) { | ||
85 | char *p = src + src_prefix_len + 1; | ||
86 | char *q = dst + dst_prefix_len + 1; | ||
87 | char *r = dst + dst_prefix_len; | ||
88 | struct stat s; | ||
89 | bool last = false; | ||
90 | *r = '\0'; | ||
91 | for (; !last; p++, q++) { | ||
92 | if (*p == '\0') { | ||
93 | last = true; | ||
94 | } | ||
95 | if (*p == '\0' || (*p == '/' && *(p - 1) != '/')) { | ||
96 | // We found a new component of our src path. | ||
97 | // Null-terminate it temporarily here so that we can work | ||
98 | // with it. | ||
99 | *p = '\0'; | ||
100 | if (stat(src, &s) == 0 && S_ISDIR(s.st_mode)) { | ||
101 | // Null-terminate the dst path and undo its previous | ||
102 | // termination. | ||
103 | *q = '\0'; | ||
104 | *r = '/'; | ||
105 | r = q; | ||
106 | create_empty_dir_as_root(dst, s.st_mode); | ||
107 | } | ||
108 | if (!last) { | ||
109 | // If we're not at the final terminating null, restore | ||
110 | // the slash so that we can continue our traversal. | ||
111 | *p = '/'; | ||
112 | } | ||
113 | } | ||
114 | } | ||
115 | } | ||
116 | |||
79 | // return 0 if file not found, 1 if found | 117 | // return 0 if file not found, 1 if found |
80 | static int check_dir_or_file(const char *fname) { | 118 | static int check_dir_or_file(const char *fname) { |
81 | assert(fname); | 119 | assert(fname); |
@@ -103,7 +141,7 @@ errexit: | |||
103 | static void duplicate(const char *fname, const char *private_dir, const char *private_run_dir) { | 141 | static void duplicate(const char *fname, const char *private_dir, const char *private_run_dir) { |
104 | assert(fname); | 142 | assert(fname); |
105 | 143 | ||
106 | if (*fname == '~' || strchr(fname, '/') || strcmp(fname, "..") == 0) { | 144 | if (*fname == '~' || *fname == '/' || strncmp(fname, "..", 2) == 0) { |
107 | fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname); | 145 | fprintf(stderr, "Error: \"%s\" is an invalid filename\n", fname); |
108 | exit(1); | 146 | exit(1); |
109 | } | 147 | } |
@@ -119,21 +157,16 @@ static void duplicate(const char *fname, const char *private_dir, const char *pr | |||
119 | } | 157 | } |
120 | 158 | ||
121 | if (arg_debug) | 159 | if (arg_debug) |
122 | printf("copying %s to private %s\n", src, private_dir); | 160 | printf("Copying %s to private %s\n", src, private_dir); |
123 | 161 | ||
124 | struct stat s; | 162 | char *dst; |
125 | if (stat(src, &s) == 0 && S_ISDIR(s.st_mode)) { | 163 | if (asprintf(&dst, "%s/%s", private_run_dir, fname) == -1) |
126 | // create the directory in RUN_ETC_DIR | 164 | errExit("asprintf"); |
127 | char *dirname; | 165 | |
128 | if (asprintf(&dirname, "%s/%s", private_run_dir, fname) == -1) | 166 | build_dirs(src, dst, strlen(private_dir), strlen(private_run_dir)); |
129 | errExit("asprintf"); | 167 | sbox_run(SBOX_ROOT | SBOX_SECCOMP, 3, PATH_FCOPY, src, dst); |
130 | create_empty_dir_as_root(dirname, s.st_mode); | ||
131 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, dirname); | ||
132 | free(dirname); | ||
133 | } | ||
134 | else | ||
135 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, src, private_run_dir); | ||
136 | 168 | ||
169 | free(dst); | ||
137 | fs_logger2("clone", src); | 170 | fs_logger2("clone", src); |
138 | free(src); | 171 | free(src); |
139 | } | 172 | } |
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index ee685da73..2bb57cee2 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -295,7 +295,9 @@ Use the options no3d, nodvd, nosound, notv, nou2f and novideo for additional res | |||
295 | Build a new /etc in a temporary | 295 | Build a new /etc in a temporary |
296 | filesystem, and copy the files and directories in the list. | 296 | filesystem, and copy the files and directories in the list. |
297 | The files and directories in the list must be expressed as relative to | 297 | The files and directories in the list must be expressed as relative to |
298 | the /etc directory. | 298 | the /etc directory, and must not contain the / character |
299 | (e.g., /etc/foo must be expressed as foo, but /etc/foo/bar -- | ||
300 | expressed as foo/bar -- is disallowed). | ||
299 | All modifications are discarded when the sandbox is closed. | 301 | All modifications are discarded when the sandbox is closed. |
300 | #ifdef HAVE_PRIVATE_HOME | 302 | #ifdef HAVE_PRIVATE_HOME |
301 | .TP | 303 | .TP |
@@ -319,14 +321,18 @@ This feature is still under development, see \fBman 1 firejail\fR for some examp | |||
319 | Build a new /opt in a temporary | 321 | Build a new /opt in a temporary |
320 | filesystem, and copy the files and directories in the list. | 322 | filesystem, and copy the files and directories in the list. |
321 | The files and directories in the list must be expressed as relative to | 323 | The files and directories in the list must be expressed as relative to |
322 | the /opt directory. | 324 | the /opt directory, and must not contain the / character |
325 | (e.g., /opt/foo must be expressed as foo, but /opt/foo/bar -- | ||
326 | expressed as foo/bar -- is disallowed). | ||
323 | All modifications are discarded when the sandbox is closed. | 327 | All modifications are discarded when the sandbox is closed. |
324 | .TP | 328 | .TP |
325 | \fBprivate-srv file,directory | 329 | \fBprivate-srv file,directory |
326 | Build a new /srv in a temporary | 330 | Build a new /srv in a temporary |
327 | filesystem, and copy the files and directories in the list. | 331 | filesystem, and copy the files and directories in the list. |
328 | The files and directories in the list must be expressed as relative to | 332 | The files and directories in the list must be expressed as relative to |
329 | the /srv directory. | 333 | the /srv directory, and must not contain the / character |
334 | (e.g., /srv/foo must be expressed as foo, but /srv/foo/bar -- | ||
335 | expressed as foo/bar -- is disallowed). | ||
330 | All modifications are discarded when the sandbox is closed. | 336 | All modifications are discarded when the sandbox is closed. |
331 | .TP | 337 | .TP |
332 | \fBprivate-tmp | 338 | \fBprivate-tmp |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index f27379a2d..1ee7ab1f1 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1883,7 +1883,9 @@ $ | |||
1883 | Build a new /etc in a temporary | 1883 | Build a new /etc in a temporary |
1884 | filesystem, and copy the files and directories in the list. | 1884 | filesystem, and copy the files and directories in the list. |
1885 | The files and directories in the list must be expressed as relative to | 1885 | The files and directories in the list must be expressed as relative to |
1886 | the /etc directory. | 1886 | the /etc directory, and must not contain the / character |
1887 | (e.g., /etc/foo must be expressed as foo, but /etc/foo/bar -- | ||
1888 | expressed as foo/bar -- is disallowed). | ||
1887 | If no listed file is found, /etc directory will be empty. | 1889 | If no listed file is found, /etc directory will be empty. |
1888 | All modifications are discarded when the sandbox is closed. | 1890 | All modifications are discarded when the sandbox is closed. |
1889 | .br | 1891 | .br |
@@ -1893,7 +1895,7 @@ Example: | |||
1893 | .br | 1895 | .br |
1894 | $ firejail --private-etc=group,hostname,localtime, \\ | 1896 | $ firejail --private-etc=group,hostname,localtime, \\ |
1895 | .br | 1897 | .br |
1896 | nsswitch.conf,passwd,resolv.conf,default/motd-news | 1898 | nsswitch.conf,passwd,resolv.conf |
1897 | #ifdef HAVE_PRIVATE_HOME | 1899 | #ifdef HAVE_PRIVATE_HOME |
1898 | .TP | 1900 | .TP |
1899 | \fB\-\-private-home=file,directory | 1901 | \fB\-\-private-home=file,directory |
@@ -1968,7 +1970,9 @@ $ | |||
1968 | Build a new /opt in a temporary | 1970 | Build a new /opt in a temporary |
1969 | filesystem, and copy the files and directories in the list. | 1971 | filesystem, and copy the files and directories in the list. |
1970 | The files and directories in the list must be expressed as relative to | 1972 | The files and directories in the list must be expressed as relative to |
1971 | the /opt directory. | 1973 | the /opt directory, and must not contain the / character |
1974 | (e.g., /opt/foo must be expressed as foo, but /opt/foo/bar -- | ||
1975 | expressed as foo/bar -- is disallowed). | ||
1972 | If no listed file is found, /opt directory will be empty. | 1976 | If no listed file is found, /opt directory will be empty. |
1973 | All modifications are discarded when the sandbox is closed. | 1977 | All modifications are discarded when the sandbox is closed. |
1974 | .br | 1978 | .br |
@@ -1983,7 +1987,9 @@ $ firejail --private-opt=firefox /opt/firefox/firefox | |||
1983 | Build a new /srv in a temporary | 1987 | Build a new /srv in a temporary |
1984 | filesystem, and copy the files and directories in the list. | 1988 | filesystem, and copy the files and directories in the list. |
1985 | The files and directories in the list must be expressed as relative to | 1989 | The files and directories in the list must be expressed as relative to |
1986 | the /srv directory. | 1990 | the /srv directory, and must not contain the / character |
1991 | (e.g., /opt/srv must be expressed as foo, but /srv/foo/bar -- | ||
1992 | expressed as srv/bar -- is disallowed). | ||
1987 | If no listed file is found, /srv directory will be empty. | 1993 | If no listed file is found, /srv directory will be empty. |
1988 | All modifications are discarded when the sandbox is closed. | 1994 | All modifications are discarded when the sandbox is closed. |
1989 | .br | 1995 | .br |