-rw-r--r--src/firejail/firejail.h2
-rw-r--r--src/firejail/main.c12
-rw-r--r--src/firejail/profile.c19
3 files changed, 23 insertions, 10 deletions
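--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -289,7 +289,7 @@ void profile_read(const char *fname);
 // check profile line; if line == 0, this was generated from a command line option
 // return 1 if the command is to be added to the linked list of profile commands
 // return 0 if the command was already executed inside the function
-int profile_check_line(char *ptr, int lineno);
+int profile_check_line(char *ptr, int lineno, const char *fname);
 // add a profile entry in cfg.profile list; use str to populate the list
 void profile_add(char *str);
 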
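Review bot: The comment block above `profile_check_line` (289-291) is not updated for the new `fname` parameter, so the header no longer states the full contract. From the hunks in profile.c it is only read when `lineno != 0` and only to name the file in error messages, while the main.c call sites pass NULL together with `lineno == 0`. Add a line such as `// fname: profile file the line came from, or NULL when lineno == 0 (command line option); used only in error messages` so callers know NULL is valid and when it is required.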
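--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -637,7 +637,7 @@ int main(int argc, char **argv) {
  if (asprintf(&line, "bind %s", argv[i] + 7) == -1)
  errExit("asprintf");
 
- profile_check_line(line, 0); // will exit if something wrong
+ profile_check_line(line, 0, NULL); // will exit if something wrong
  profile_add(line);
  }
 #endif
@@ -646,7 +646,7 @@ int main(int argc, char **argv) {
  if (asprintf(&line, "tmpfs %s", argv[i] + 8) == -1)
  errExit("asprintf");
 
- profile_check_line(line, 0); // will exit if something wrong
+ profile_check_line(line, 0, NULL); // will exit if something wrong
  profile_add(line);
  }
  else if (strncmp(argv[i], "--blacklist=", 12) == 0) {
@@ -654,7 +654,7 @@ int main(int argc, char **argv) {
  if (asprintf(&line, "blacklist %s", argv[i] + 12) == -1)
  errExit("asprintf");
 
- profile_check_line(line, 0); // will exit if something wrong
+ profile_check_line(line, 0, NULL); // will exit if something wrong
  profile_add(line);
  }
  else if (strncmp(argv[i], "--noblacklist=", 14) == 0) {
@@ -662,7 +662,7 @@ int main(int argc, char **argv) {
  if (asprintf(&line, "noblacklist %s", argv[i] + 14) == -1)
  errExit("asprintf");
 
- profile_check_line(line, 0); // will exit if something wrong
+ profile_check_line(line, 0, NULL); // will exit if something wrong
  profile_add(line);
  }
  else if (strncmp(argv[i], "--whitelist=", 12) == 0) {
@@ -670,7 +670,7 @@ int main(int argc, char **argv) {
  if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
  errExit("asprintf");
 
- profile_check_line(line, 0); // will exit if something wrong
+ profile_check_line(line, 0, NULL); // will exit if something wrong
  profile_add(line);
  }
  else if (strncmp(argv[i], "--read-only=", 12) == 0) {
@@ -678,7 +678,7 @@ int main(int argc, char **argv) {
  if (asprintf(&line, "read-only %s", argv[i] + 12) == -1)
  errExit("asprintf");
 
- profile_check_line(line, 0); // will exit if something wrong
+ profile_check_line(line, 0, NULL); // will exit if something wrong
  profile_add(line);
  }
  else if (strcmp(argv[i], "--overlay") == 0) {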
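--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -65,7 +65,7 @@ int profile_find(const char *name, const char *dir) {
 // check profile line; if line == 0, this was generated from a command line option
 // return 1 if the command is to be added to the linked list of profile commands
 // return 0 if the command was already executed inside the function
-int profile_check_line(char *ptr, int lineno) {
+int profile_check_line(char *ptr, int lineno, const char *fname) {
  // check ignore list
  int i;
  for (i = 0; i < MAX_PROFILE_IGNORE; i++) {
@@ -99,8 +99,17 @@ int profile_check_line(char *ptr, int lineno) {
  return 0;
  }
 
+ // sandbox name
+ if (strncmp(ptr, "name ", 5) == 0) {
+ cfg.name = ptr + 5;
+ if (strlen(cfg.name) == 0) {
+ fprintf(stderr, "Error: invalid sandbox name\n");
+ exit(1);
+ }
+ return 0;
+ }
  // seccomp, caps, private, user namespace
- if (strcmp(ptr, "noroot") == 0) {
+ else if (strcmp(ptr, "noroot") == 0) {
  check_user_namespace();
  return 0;
  }
@@ -395,6 +404,8 @@ int profile_check_line(char *ptr, int lineno) {
  else {
  if (lineno == 0)
  fprintf(stderr, "Error: \"%s\" as a command line option is invalid\n", ptr);
+ else if (fname != NULL)
+ fprintf(stderr, "Error: line %d in %s is invalid\n", lineno, fname);
  else
  fprintf(stderr, "Error: line %d in the custom profile is invalid\n", lineno);
  exit(1);
@@ -405,6 +416,8 @@ int profile_check_line(char *ptr, int lineno) {
  if (strstr(ptr, "..")) {
  if (lineno == 0)
  fprintf(stderr, "Error: \"%s\" is an invalid filename\n", ptr);
+ else if (fname != NULL)
+ fprintf(stderr, "Error: line %d in %s is invalid\n", lineno, fname);
  else
  fprintf(stderr, "Error: line %d in the custom profile is invalid\n", lineno);
  exit(1);
@@ -492,7 +505,7 @@ void profile_read(const char *fname) {
  }
 
  // verify syntax, exit in case of error
- if (profile_check_line(ptr, lineno))
+ if (profile_check_line(ptr, lineno, fname))
  profile_add(ptr);
  }
  fclose(fp);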
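Review bot: The new `name` handler at 102-110 only rejects an empty value and then keeps `cfg.name = ptr + 5` as an alias into the line buffer; because it returns 0, profile_read (505-509) never hands that line to profile_add, so if `ptr` points into a buffer that profile_read reuses or frees per line, `cfg.name` dangles once the loop moves on — profile_read's buffer handling is outside the hunk, so please confirm and `strdup` the value if it is not heap-allocated per line. The early return also skips the `..` filename check at 416 and anything after it, so if the name is later used to build paths it should be constrained here, e.g. `if (*cfg.name == '\0' || strchr(cfg.name, '/') != NULL || strstr(cfg.name, ".."))` before accepting it. The `else if` at 112 follows a block that always returns, so a plain `if` reads better and matches the neighbouring handlers. The `line %d in %s is invalid` branches added at 407-408 and 419-420 duplicate the three-way message selection; a small static helper taking `lineno` and `fname` would keep the two sites in sync. profile_check_line starts before and ends after these hunks.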