-rw-r--r-- | src/firejail/cmdline.c | 44 | ||||
-rw-r--r-- | src/firejail/firejail.h | 5 | ||||
-rw-r--r-- | src/firejail/fs.c | 9 | ||||
-rw-r--r-- | src/firejail/fs_etc.c | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 6 | ||||
-rw-r--r-- | src/firejail/usage.c | 4 |
6 files changed, 66 insertions, 3 deletions
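--- a/src/firejail/cmdline.c
+++ b/src/firejail/cmdline.c
@@ -157,3 +157,47 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar
 assert(*command_line);
 assert(*window_title);
 }
+
+void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, char *apprun_path) {
+// index == -1 could happen if we have --shell=none and no program was specified
+// the program should exit with an error before entering this function
+assert(index != -1);
+
+unsigned argcount = argc - index;
+
+int len1 = cmdline_length(argc, argv, index); // length of argv w/o changes
+int len2 = cmdline_length(1, &argv[index], 0); // apptest.AppImage
+int len3 = cmdline_length(1, &apprun_path, 0); // /run/firejail/appimage/.appimage-23304/AppRun
+int len4 = (len1 - len2 + len3) + 1; // apptest.AppImage is replaced by /path/to/AppRun
+
+if (len4 > ARG_MAX) {
+errno = E2BIG;
+errExit("cmdline_length");
+}
+
+// save created apprun in cfg.command_line
+char *tmp1 = strdup(*command_line);
+if (!tmp1)
+errExit("strdup");
+
+// TODO: deal with extra allocated memory.
+char *command_line_tmp = malloc(len1 + len3 + 1);
+if (!command_line_tmp)
+errExit("malloc");
+*window_title = malloc(len1 + len3 + 1);
+if (!*window_title)
+errExit("malloc");
+
+// run default quote_cmdline
+quote_cmdline(command_line_tmp, *window_title, len1, argc, argv, index);
+
+assert(command_line_tmp);
+assert(*window_title);
+
+// 'fix' command_line now
+if (asprintf(command_line, "'%s' %s", tmp1, command_line_tmp + len2) == -1)
+errExit("asprintf");
+
+// free strdup
+free(tmp1);
+}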
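Review bot: The closing `asprintf(command_line, "'%s' %s", tmp1, command_line_tmp + len2)` wraps the AppRun path in single quotes without checking it for an embedded quote, and it uses `len2` as a byte offset into the output of `quote_cmdline()` without checking that the offset stays inside that string. Both are safe only if the path is always the firejail-generated one shown in the comment and `cmdline_length()` counts exactly what `quote_cmdline()` writes for `argv[index]`; neither is visible here, so explicit checks before the format call would let the function stand on its own if the result is later interpreted by a shell. `command_line_tmp` is also never freed (the TODO acknowledges it), and `assert(index != -1)` disappears under NDEBUG, so the -1 case should be rejected at run time rather than asserted.

```c
// … unchanged: length checks, strdup of *command_line, allocations, quote_cmdline call …

// the path is wrapped in single quotes below, so it must not contain one
if (strchr(tmp1, '\'')) {
	fprintf(stderr, "Error: invalid AppRun path\n");
	exit(1);
}
// len2 is used as a byte offset into the quoted string; keep it in range
if (len2 < 0 || (size_t) len2 > strlen(command_line_tmp)) {
	fprintf(stderr, "Error: cannot build appimage command line\n");
	exit(1);
}

if (asprintf(command_line, "'%s' %s", tmp1, command_line_tmp + len2) == -1)
	errExit("asprintf");

free(command_line_tmp);
free(tmp1);
```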
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 8fede5a69..36cf47435 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -208,7 +208,7 @@ typedef struct config_t { | |||
208 | char *bin_private_keep; // keep list for private bin directory | 208 | char *bin_private_keep; // keep list for private bin directory |
209 | char *cwd; // current working directory | 209 | char *cwd; // current working directory |
210 | char *overlay_dir; | 210 | char *overlay_dir; |
211 | char *private_template; // template dir for tmpfs home | 211 | char *private_template; // template dir for tmpfs home |
212 | 212 | ||
213 | // networking | 213 | // networking |
214 | char *name; // sandbox name | 214 | char *name; // sandbox name |
@@ -285,6 +285,7 @@ void clear_run_files(pid_t pid); | |||
285 | 285 | ||
286 | extern int arg_private; // mount private /home | 286 | extern int arg_private; // mount private /home |
287 | extern int arg_private_template; // private /home template | 287 | extern int arg_private_template; // private /home template |
288 | extern int arg_allow_private_blacklist; // blacklist things in private directories | ||
288 | extern int arg_debug; // print debug messages | 289 | extern int arg_debug; // print debug messages |
289 | extern int arg_debug_check_filename; // print debug messages for filename checking | 290 | extern int arg_debug_check_filename; // print debug messages for filename checking |
290 | extern int arg_debug_blacklists; // print debug messages for blacklists | 291 | extern int arg_debug_blacklists; // print debug messages for blacklists |
@@ -564,6 +565,7 @@ void network_del_run_file(pid_t pid); | |||
564 | void network_set_run_file(pid_t pid); | 565 | void network_set_run_file(pid_t pid); |
565 | 566 | ||
566 | // fs_etc.c | 567 | // fs_etc.c |
568 | void fs_machineid(void); | ||
567 | void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list); | 569 | void fs_private_dir_list(const char *private_dir, const char *private_run_dir, const char *private_list); |
568 | 570 | ||
569 | // no_sandbox.c | 571 | // no_sandbox.c |
@@ -681,6 +683,7 @@ long unsigned int appimage2_size(const char *fname); | |||
681 | 683 | ||
682 | // cmdline.c | 684 | // cmdline.c |
683 | void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index); | 685 | void build_cmdline(char **command_line, char **window_title, int argc, char **argv, int index); |
686 | void build_appimage_cmdline(char **command_line, char **window_title, int argc, char **argv, int index, char *apprun_path); | ||
684 | 687 | ||
685 | // sbox.c | 688 | // sbox.c |
686 | // programs | 689 | // programs |
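--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -216,6 +216,15 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
 exit(1);
 }
 }
+
+// We don't usually need to blacklist things in private home directories
+if (okay_to_blacklist
+&& cfg.homedir
+&& arg_private
+&& (!arg_allow_private_blacklist)
+&& (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0))
+okay_to_blacklist = false;
+
 if (okay_to_blacklist)
 disable_file(op, path);
 else if (arg_debug)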
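Review bot: The new prefix test `strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0` has no path-boundary check, so with a home directory such as `/home/bob` (constructed example) a blacklist entry for `/home/bobby/...` also matches and is silently dropped. Require that the prefix ends on a component boundary, e.g. compute `size_t hlen = strlen(cfg.homedir);` once and add `&& (path[hlen] == '/' || path[hlen] == '\0')` to the condition. Because this makes skipping blacklists the default whenever `arg_private` is set, it is also worth confirming that the flag is not set for a user-supplied private directory, which could hold real files that profiles blacklist; that is not visible in this hunk. The body of `globbing()` starts and ends outside the hunk.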
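--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -21,6 +21,7 @@
 #include <sys/mount.h>
 #include <sys/stat.h>
 #include <sys/types.h>
+#include <time.h>
 #include <unistd.h>
 
 // spoof /etc/machine_id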
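--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -112,6 +112,7 @@ int arg_x11_block = 0; // block X11
 int arg_x11_xorg = 0; // use X11 security extention
 int arg_allusers = 0; // all user home directories visible
 int arg_machineid = 0; // preserve /etc/machine-id
+int arg_allow_private_blacklist = 0; // blacklist things in private directories
 
 int login_shell = 0;
 
@@ -1463,6 +1464,9 @@ int main(int argc, char **argv) {
 else if (strcmp(argv[i], "--machine-id") == 0) {
 arg_machineid = 1;
 }
+else if (strcmp(argv[i], "--allow-private-blacklist") == 0) {
+arg_allow_private_blacklist = 1;
+}
 else if (strcmp(argv[i], "--private") == 0) {
 arg_private = 1;
 }
@@ -2156,7 +2160,7 @@ int main(int argc, char **argv) {
 if (arg_debug)
 printf("Configuring appimage environment\n");
 appimage_set(cfg.command_name);
-cfg.window_title = "appimage";
+build_appimage_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, cfg.command_line);
 }
 else {
 build_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index);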
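Review bot: In the appimage branch, `build_appimage_cmdline(&cfg.command_line, &cfg.window_title, argc, argv, prog_index, cfg.command_line)` passes the same buffer as both the output slot and `apprun_path`, and nothing in this hunk shows `prog_index` being checked against -1 before the call. The callee guards the index only with `assert`, so unless an earlier check in `main()` already covers it, a test such as `if (prog_index == -1) { fprintf(stderr, "Error: no program specified\n"); exit(1); }` before the call would keep that guarantee in builds compiled with NDEBUG. A short comment at the call site saying that the callee replaces `cfg.command_line` and now allocates `cfg.window_title` (previously a string literal) would help whoever later frees these. `main()` extends well beyond the hunk.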
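--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -30,12 +30,14 @@ void usage(void) {
 printf("Options:\n");
 printf(" -- - signal the end of options and disables further option processing.\n");
 printf(" --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n");
+printf(" --allow-private-blacklist - allow blacklisting things in private\n");
+printf("\tdirectories.\n");
 printf(" --allusers - all user home directories are visible inside the sandbox.\n");
 printf(" --apparmor - enable AppArmor confinement.\n");
 printf(" --appimage - sandbox an AppImage application.\n");
 printf(" --audit[=test-program] - audit the sandbox.\n");
 #ifdef HAVE_NETWORK
-printf(" --bandwidth=name|pid - set bandwidth limits\n");
+printf(" --bandwidth=name|pid - set bandwidth limits.\n");
 #endif
 #ifdef HAVE_BIND
 printf(" --bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.\n");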
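Review bot: The help text for `--allow-private-blacklist` does not state the default it overrides: per the fs.c change in this commit, blacklist entries under the home directory are skipped when `--private` is active unless this flag is given. Wording such as `--allow-private-blacklist - apply blacklist rules inside a --private home directory (skipped by default).` would tell users that the sandbox is less restrictive there without the flag.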