-rw-r--r-- | src/firejail/checkcfg.c | 268 |
1 files changed, 38 insertions, 230 deletions
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 0a3c5dd08..167bd591d 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -71,164 +71,48 @@ int checkcfg(int val) { | |||
71 | if (*buf == '#' || *buf == '\n') | 71 | if (*buf == '#' || *buf == '\n') |
72 | continue; | 72 | continue; |
73 | 73 | ||
74 | #define PARSE_YESNO(key, string) \ | ||
75 | else if (strncmp(ptr, string " ", strlen(string)+1) == 0) { \ | ||
76 | if (strcmp(ptr + strlen(string) + 1, "yes") == 0) \ | ||
77 | cfg_val[key] = 1; \ | ||
78 | else if (strcmp(ptr + strlen(string) + 1, "no") == 0) \ | ||
79 | cfg_val[key] = 0; \ | ||
80 | else \ | ||
81 | goto errout; \ | ||
82 | } | ||
83 | |||
74 | // parse line | 84 | // parse line |
75 | ptr = line_remove_spaces(buf); | 85 | ptr = line_remove_spaces(buf); |
76 | if (!ptr) | 86 | if (!ptr) |
77 | continue; | 87 | continue; |
88 | PARSE_YESNO(CFG_FILE_TRANSFER, "file-transfer") | ||
89 | PARSE_YESNO(CFG_DBUS, "dbus") | ||
90 | PARSE_YESNO(CFG_JOIN, "join") | ||
91 | PARSE_YESNO(CFG_X11, "x11") | ||
92 | PARSE_YESNO(CFG_APPARMOR, "apparmor") | ||
93 | PARSE_YESNO(CFG_BIND, "bind") | ||
94 | PARSE_YESNO(CFG_CGROUP, "cgroup") | ||
95 | PARSE_YESNO(CFG_NAME_CHANGE, "name-change") | ||
96 | PARSE_YESNO(CFG_USERNS, "userns") | ||
97 | PARSE_YESNO(CFG_CHROOT, "chroot") | ||
98 | PARSE_YESNO(CFG_FIREJAIL_PROMPT, "firejail-prompt") | ||
99 | PARSE_YESNO(CFG_FOLLOW_SYMLINK_AS_USER, "follow-symlink-as-user") | ||
100 | PARSE_YESNO(CFG_FORCE_NONEWPRIVS, "force-nonewprivs") | ||
101 | PARSE_YESNO(CFG_SECCOMP, "seccomp") | ||
102 | PARSE_YESNO(CFG_WHITELIST, "whitelist") | ||
103 | PARSE_YESNO(CFG_NETWORK, "network") | ||
104 | PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network") | ||
105 | PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title") | ||
106 | PARSE_YESNO(CFG_OVERLAYFS, "overlayfs") | ||
107 | PARSE_YESNO(CFG_PRIVATE_HOME, "private-home") | ||
108 | PARSE_YESNO(CFG_PRIVATE_CACHE, "private-cache") | ||
109 | PARSE_YESNO(CFG_PRIVATE_LIB, "private-lib") | ||
110 | PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local") | ||
111 | PARSE_YESNO(CFG_DISABLE_MNT, "disable-mnt") | ||
112 | PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach") | ||
113 | PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f") | ||
114 | #undef PARSE_YESNO | ||
78 | 115 | ||
79 | // file transfer | ||
80 | else if (strncmp(ptr, "file-transfer ", 14) == 0) { | ||
81 | if (strcmp(ptr + 14, "yes") == 0) | ||
82 | cfg_val[CFG_FILE_TRANSFER] = 1; | ||
83 | else if (strcmp(ptr + 14, "no") == 0) | ||
84 | cfg_val[CFG_FILE_TRANSFER] = 0; | ||
85 | else | ||
86 | goto errout; | ||
87 | } | ||
88 | // dbus | ||
89 | else if (strncmp(ptr, "dbus ", 5) == 0) { | ||
90 | if (strcmp(ptr + 5, "yes") == 0) | ||
91 | cfg_val[CFG_DBUS] = 1; | ||
92 | else if (strcmp(ptr + 5, "no") == 0) | ||
93 | cfg_val[CFG_DBUS] = 0; | ||
94 | else | ||
95 | goto errout; | ||
96 | } | ||
97 | // join | ||
98 | else if (strncmp(ptr, "join ", 5) == 0) { | ||
99 | if (strcmp(ptr + 5, "yes") == 0) | ||
100 | cfg_val[CFG_JOIN] = 1; | ||
101 | else if (strcmp(ptr + 5, "no") == 0) | ||
102 | cfg_val[CFG_JOIN] = 0; | ||
103 | else | ||
104 | goto errout; | ||
105 | } | ||
106 | // x11 | ||
107 | else if (strncmp(ptr, "x11 ", 4) == 0) { | ||
108 | if (strcmp(ptr + 4, "yes") == 0) | ||
109 | cfg_val[CFG_X11] = 1; | ||
110 | else if (strcmp(ptr + 4, "no") == 0) | ||
111 | cfg_val[CFG_X11] = 0; | ||
112 | else | ||
113 | goto errout; | ||
114 | } | ||
115 | // apparmor | ||
116 | else if (strncmp(ptr, "apparmor ", 9) == 0) { | ||
117 | if (strcmp(ptr + 9, "yes") == 0) | ||
118 | cfg_val[CFG_APPARMOR] = 1; | ||
119 | else if (strcmp(ptr + 9, "no") == 0) | ||
120 | cfg_val[CFG_APPARMOR] = 0; | ||
121 | else | ||
122 | goto errout; | ||
123 | } | ||
124 | // bind | ||
125 | else if (strncmp(ptr, "bind ", 5) == 0) { | ||
126 | if (strcmp(ptr + 5, "yes") == 0) | ||
127 | cfg_val[CFG_BIND] = 1; | ||
128 | else if (strcmp(ptr + 5, "no") == 0) | ||
129 | cfg_val[CFG_BIND] = 0; | ||
130 | else | ||
131 | goto errout; | ||
132 | } | ||
133 | // cgroup | ||
134 | else if (strncmp(ptr, "cgroup ", 7) == 0) { | ||
135 | if (strcmp(ptr + 7, "yes") == 0) | ||
136 | cfg_val[CFG_CGROUP] = 1; | ||
137 | else if (strcmp(ptr + 7, "no") == 0) | ||
138 | cfg_val[CFG_CGROUP] = 0; | ||
139 | else | ||
140 | goto errout; | ||
141 | } | ||
142 | // name change | ||
143 | else if (strncmp(ptr, "name-change ", 12) == 0) { | ||
144 | if (strcmp(ptr + 12, "yes") == 0) | ||
145 | cfg_val[CFG_NAME_CHANGE] = 1; | ||
146 | else if (strcmp(ptr + 12, "no") == 0) | ||
147 | cfg_val[CFG_NAME_CHANGE] = 0; | ||
148 | else | ||
149 | goto errout; | ||
150 | } | ||
151 | // user namespace | ||
152 | else if (strncmp(ptr, "userns ", 7) == 0) { | ||
153 | if (strcmp(ptr + 7, "yes") == 0) | ||
154 | cfg_val[CFG_USERNS] = 1; | ||
155 | else if (strcmp(ptr + 7, "no") == 0) | ||
156 | cfg_val[CFG_USERNS] = 0; | ||
157 | else | ||
158 | goto errout; | ||
159 | } | ||
160 | // chroot | ||
161 | else if (strncmp(ptr, "chroot ", 7) == 0) { | ||
162 | if (strcmp(ptr + 7, "yes") == 0) | ||
163 | cfg_val[CFG_CHROOT] = 1; | ||
164 | else if (strcmp(ptr + 7, "no") == 0) | ||
165 | cfg_val[CFG_CHROOT] = 0; | ||
166 | else | ||
167 | goto errout; | ||
168 | } | ||
169 | // prompt | ||
170 | else if (strncmp(ptr, "firejail-prompt ", 16) == 0) { | ||
171 | if (strcmp(ptr + 16, "yes") == 0) | ||
172 | cfg_val[CFG_FIREJAIL_PROMPT] = 1; | ||
173 | else if (strcmp(ptr + 16, "no") == 0) | ||
174 | cfg_val[CFG_FIREJAIL_PROMPT] = 0; | ||
175 | else | ||
176 | goto errout; | ||
177 | } | ||
178 | // follow symlink as user | ||
179 | else if (strncmp(ptr, "follow-symlink-as-user ", 23) == 0) { | ||
180 | if (strcmp(ptr + 23, "yes") == 0) | ||
181 | cfg_val[CFG_FOLLOW_SYMLINK_AS_USER] = 1; | ||
182 | else if (strcmp(ptr + 23, "no") == 0) | ||
183 | cfg_val[CFG_FOLLOW_SYMLINK_AS_USER] = 0; | ||
184 | else | ||
185 | goto errout; | ||
186 | } | ||
187 | // nonewprivs | ||
188 | else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) { | ||
189 | if (strcmp(ptr + 17, "yes") == 0) | ||
190 | cfg_val[CFG_FORCE_NONEWPRIVS] = 1; | ||
191 | else if (strcmp(ptr + 17, "no") == 0) | ||
192 | cfg_val[CFG_FORCE_NONEWPRIVS] = 0; | ||
193 | else | ||
194 | goto errout; | ||
195 | } | ||
196 | // seccomp | ||
197 | else if (strncmp(ptr, "seccomp ", 8) == 0) { | ||
198 | if (strcmp(ptr + 8, "yes") == 0) | ||
199 | cfg_val[CFG_SECCOMP] = 1; | ||
200 | else if (strcmp(ptr + 8, "no") == 0) | ||
201 | cfg_val[CFG_SECCOMP] = 0; | ||
202 | else | ||
203 | goto errout; | ||
204 | } | ||
205 | // whitelist | ||
206 | else if (strncmp(ptr, "whitelist ", 10) == 0) { | ||
207 | if (strcmp(ptr + 10, "yes") == 0) | ||
208 | cfg_val[CFG_WHITELIST] = 1; | ||
209 | else if (strcmp(ptr + 10, "no") == 0) | ||
210 | cfg_val[CFG_WHITELIST] = 0; | ||
211 | else | ||
212 | goto errout; | ||
213 | } | ||
214 | // network | ||
215 | else if (strncmp(ptr, "network ", 8) == 0) { | ||
216 | if (strcmp(ptr + 8, "yes") == 0) | ||
217 | cfg_val[CFG_NETWORK] = 1; | ||
218 | else if (strcmp(ptr + 8, "no") == 0) | ||
219 | cfg_val[CFG_NETWORK] = 0; | ||
220 | else | ||
221 | goto errout; | ||
222 | } | ||
223 | // network | ||
224 | else if (strncmp(ptr, "restricted-network ", 19) == 0) { | ||
225 | if (strcmp(ptr + 19, "yes") == 0) | ||
226 | cfg_val[CFG_RESTRICTED_NETWORK] = 1; | ||
227 | else if (strcmp(ptr + 19, "no") == 0) | ||
228 | cfg_val[CFG_RESTRICTED_NETWORK] = 0; | ||
229 | else | ||
230 | goto errout; | ||
231 | } | ||
232 | // netfilter | 116 | // netfilter |
233 | else if (strncmp(ptr, "netfilter-default ", 18) == 0) { | 117 | else if (strncmp(ptr, "netfilter-default ", 18) == 0) { |
234 | char *fname = ptr + 18; | 118 | char *fname = ptr + 18; |
@@ -266,16 +150,6 @@ int checkcfg(int val) { | |||
266 | errExit("asprintf"); | 150 | errExit("asprintf"); |
267 | } | 151 | } |
268 | 152 | ||
269 | // xephyr window title | ||
270 | else if (strncmp(ptr, "xephyr-window-title ", 20) == 0) { | ||
271 | if (strcmp(ptr + 20, "yes") == 0) | ||
272 | cfg_val[CFG_XEPHYR_WINDOW_TITLE] = 1; | ||
273 | else if (strcmp(ptr + 20, "no") == 0) | ||
274 | cfg_val[CFG_XEPHYR_WINDOW_TITLE] = 0; | ||
275 | else | ||
276 | goto errout; | ||
277 | } | ||
278 | |||
279 | // Xephyr command extra parameters | 153 | // Xephyr command extra parameters |
280 | else if (strncmp(ptr, "xephyr-extra-params ", 20) == 0) { | 154 | else if (strncmp(ptr, "xephyr-extra-params ", 20) == 0) { |
281 | if (*xephyr_extra_params != '\0') | 155 | if (*xephyr_extra_params != '\0') |
@@ -295,7 +169,7 @@ int checkcfg(int val) { | |||
295 | } | 169 | } |
296 | 170 | ||
297 | // Xvfb screen size | 171 | // Xvfb screen size |
298 | else if (strncmp(ptr, "xvfb-screen ", 12) == 0) { | 172 | else if (strncmp(ptr, "xvfb-screen ", 12) == 0) { |
299 | // expecting three numbers separated by x's | 173 | // expecting three numbers separated by x's |
300 | unsigned int n1; | 174 | unsigned int n1; |
301 | unsigned int n2; | 175 | unsigned int n2; |
@@ -325,54 +199,6 @@ int checkcfg(int val) { | |||
325 | else | 199 | else |
326 | goto errout; | 200 | goto errout; |
327 | } | 201 | } |
328 | else if (strncmp(ptr, "overlayfs ", 10) == 0) { | ||
329 | if (strcmp(ptr + 10, "yes") == 0) | ||
330 | cfg_val[CFG_OVERLAYFS] = 1; | ||
331 | else if (strcmp(ptr + 10, "no") == 0) | ||
332 | cfg_val[CFG_OVERLAYFS] = 0; | ||
333 | else | ||
334 | goto errout; | ||
335 | } | ||
336 | else if (strncmp(ptr, "private-home ", 13) == 0) { | ||
337 | if (strcmp(ptr + 13, "yes") == 0) | ||
338 | cfg_val[CFG_PRIVATE_HOME] = 1; | ||
339 | else if (strcmp(ptr + 13, "no") == 0) | ||
340 | cfg_val[CFG_PRIVATE_HOME] = 0; | ||
341 | else | ||
342 | goto errout; | ||
343 | } | ||
344 | else if (strncmp(ptr, "private-cache ", 14) == 0) { | ||
345 | if (strcmp(ptr + 14, "yes") == 0) | ||
346 | cfg_val[CFG_PRIVATE_CACHE] = 1; | ||
347 | else if (strcmp(ptr + 14, "no") == 0) | ||
348 | cfg_val[CFG_PRIVATE_CACHE] = 0; | ||
349 | else | ||
350 | goto errout; | ||
351 | } | ||
352 | else if (strncmp(ptr, "private-lib ", 12) == 0) { | ||
353 | if (strcmp(ptr + 12, "yes") == 0) | ||
354 | cfg_val[CFG_PRIVATE_LIB] = 1; | ||
355 | else if (strcmp(ptr + 12, "no") == 0) | ||
356 | cfg_val[CFG_PRIVATE_LIB] = 0; | ||
357 | else | ||
358 | goto errout; | ||
359 | } | ||
360 | else if (strncmp(ptr, "private-bin-no-local ", 21) == 0) { | ||
361 | if (strcmp(ptr + 21, "yes") == 0) | ||
362 | cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 1; | ||
363 | else if (strcmp(ptr + 21, "no") == 0) | ||
364 | cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0; | ||
365 | else | ||
366 | goto errout; | ||
367 | } | ||
368 | else if (strncmp(ptr, "disable-mnt ", 12) == 0) { | ||
369 | if (strcmp(ptr + 12, "yes") == 0) | ||
370 | cfg_val[CFG_DISABLE_MNT] = 1; | ||
371 | else if (strcmp(ptr + 12, "no") == 0) | ||
372 | cfg_val[CFG_DISABLE_MNT] = 0; | ||
373 | else | ||
374 | goto errout; | ||
375 | } | ||
376 | // arp probes | 202 | // arp probes |
377 | else if (strncmp(ptr, "arp-probes ", 11) == 0) { | 203 | else if (strncmp(ptr, "arp-probes ", 11) == 0) { |
378 | int arp_probes = atoi(ptr + 11); | 204 | int arp_probes = atoi(ptr + 11); |
@@ -380,24 +206,6 @@ int checkcfg(int val) { | |||
380 | goto errout; | 206 | goto errout; |
381 | cfg_val[CFG_ARP_PROBES] = arp_probes; | 207 | cfg_val[CFG_ARP_PROBES] = arp_probes; |
382 | } | 208 | } |
383 | // xpra-attach | ||
384 | else if (strncmp(ptr, "xpra-attach ", 12) == 0) { | ||
385 | if (strcmp(ptr + 12, "yes") == 0) | ||
386 | cfg_val[CFG_XPRA_ATTACH] = 1; | ||
387 | else if (strcmp(ptr + 12, "no") == 0) | ||
388 | cfg_val[CFG_XPRA_ATTACH] = 0; | ||
389 | else | ||
390 | goto errout; | ||
391 | } | ||
392 | // browser-disable-u2f | ||
393 | else if (strncmp(ptr, "browser-disable-u2f ", 20) == 0) { | ||
394 | if (strcmp(ptr + 20, "yes") == 0) | ||
395 | cfg_val[CFG_BROWSER_DISABLE_U2F] = 1; | ||
396 | else if (strcmp(ptr + 20, "no") == 0) | ||
397 | cfg_val[CFG_BROWSER_DISABLE_U2F] = 0; | ||
398 | else | ||
399 | goto errout; | ||
400 | } | ||
401 | else | 209 | else |
402 | goto errout; | 210 | goto errout; |
403 | 211 | ||
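Review bot: The PARSE_YESNO macro added at new lines 74-82 expands to a bare `else if` arm, so each use at lines 88-114 silently chains onto the preceding `if (!ptr) continue;` guard and onto the previous arm, and nothing in the hunk says so; a reader who later inserts a statement between line 87 and the first PARSE_YESNO, or reorders the arms, breaks the chain without a compiler diagnostic. I would document that contract above the #define, e.g. `// Expands to one 'else if' arm of the key-matching chain below; must directly follow an if/else-if statement, and 'string' must be a string literal because of the string " " concatenation.` The rewrite preserves the old semantics (a recognised key whose value is neither "yes" nor "no" still reaches goto errout), which matters here because these keys gate seccomp, apparmor, userns and similar controls. As a point of style, `strlen(string)` is evaluated three times per arm, harmless for literals but a static helper taking the key and the cfg index would be type-checked, debuggable, and would avoid a function-scope #define/#undef pair. checkcfg begins before and ends after this hunk.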