diff options
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 12 | ||||
-rw-r--r-- | src/firejail/profile.c | 19 |
3 files changed, 23 insertions, 10 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 5590e9f54..12f792af8 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -289,7 +289,7 @@ void profile_read(const char *fname); | |||
289 | // check profile line; if line == 0, this was generated from a command line option | 289 | // check profile line; if line == 0, this was generated from a command line option |
290 | // return 1 if the command is to be added to the linked list of profile commands | 290 | // return 1 if the command is to be added to the linked list of profile commands |
291 | // return 0 if the command was already executed inside the function | 291 | // return 0 if the command was already executed inside the function |
292 | int profile_check_line(char *ptr, int lineno); | 292 | int profile_check_line(char *ptr, int lineno, const char *fname); |
293 | // add a profile entry in cfg.profile list; use str to populate the list | 293 | // add a profile entry in cfg.profile list; use str to populate the list |
294 | void profile_add(char *str); | 294 | void profile_add(char *str); |
295 | 295 | ||
diff --git a/src/firejail/main.c b/src/firejail/main.c index 17a7286f7..a9ccfc9cc 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -637,7 +637,7 @@ int main(int argc, char **argv) { | |||
637 | if (asprintf(&line, "bind %s", argv[i] + 7) == -1) | 637 | if (asprintf(&line, "bind %s", argv[i] + 7) == -1) |
638 | errExit("asprintf"); | 638 | errExit("asprintf"); |
639 | 639 | ||
640 | profile_check_line(line, 0); // will exit if something wrong | 640 | profile_check_line(line, 0, NULL); // will exit if something wrong |
641 | profile_add(line); | 641 | profile_add(line); |
642 | } | 642 | } |
643 | #endif | 643 | #endif |
@@ -646,7 +646,7 @@ int main(int argc, char **argv) { | |||
646 | if (asprintf(&line, "tmpfs %s", argv[i] + 8) == -1) | 646 | if (asprintf(&line, "tmpfs %s", argv[i] + 8) == -1) |
647 | errExit("asprintf"); | 647 | errExit("asprintf"); |
648 | 648 | ||
649 | profile_check_line(line, 0); // will exit if something wrong | 649 | profile_check_line(line, 0, NULL); // will exit if something wrong |
650 | profile_add(line); | 650 | profile_add(line); |
651 | } | 651 | } |
652 | else if (strncmp(argv[i], "--blacklist=", 12) == 0) { | 652 | else if (strncmp(argv[i], "--blacklist=", 12) == 0) { |
@@ -654,7 +654,7 @@ int main(int argc, char **argv) { | |||
654 | if (asprintf(&line, "blacklist %s", argv[i] + 12) == -1) | 654 | if (asprintf(&line, "blacklist %s", argv[i] + 12) == -1) |
655 | errExit("asprintf"); | 655 | errExit("asprintf"); |
656 | 656 | ||
657 | profile_check_line(line, 0); // will exit if something wrong | 657 | profile_check_line(line, 0, NULL); // will exit if something wrong |
658 | profile_add(line); | 658 | profile_add(line); |
659 | } | 659 | } |
660 | else if (strncmp(argv[i], "--noblacklist=", 14) == 0) { | 660 | else if (strncmp(argv[i], "--noblacklist=", 14) == 0) { |
@@ -662,7 +662,7 @@ int main(int argc, char **argv) { | |||
662 | if (asprintf(&line, "noblacklist %s", argv[i] + 14) == -1) | 662 | if (asprintf(&line, "noblacklist %s", argv[i] + 14) == -1) |
663 | errExit("asprintf"); | 663 | errExit("asprintf"); |
664 | 664 | ||
665 | profile_check_line(line, 0); // will exit if something wrong | 665 | profile_check_line(line, 0, NULL); // will exit if something wrong |
666 | profile_add(line); | 666 | profile_add(line); |
667 | } | 667 | } |
668 | else if (strncmp(argv[i], "--whitelist=", 12) == 0) { | 668 | else if (strncmp(argv[i], "--whitelist=", 12) == 0) { |
@@ -670,7 +670,7 @@ int main(int argc, char **argv) { | |||
670 | if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1) | 670 | if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1) |
671 | errExit("asprintf"); | 671 | errExit("asprintf"); |
672 | 672 | ||
673 | profile_check_line(line, 0); // will exit if something wrong | 673 | profile_check_line(line, 0, NULL); // will exit if something wrong |
674 | profile_add(line); | 674 | profile_add(line); |
675 | } | 675 | } |
676 | else if (strncmp(argv[i], "--read-only=", 12) == 0) { | 676 | else if (strncmp(argv[i], "--read-only=", 12) == 0) { |
@@ -678,7 +678,7 @@ int main(int argc, char **argv) { | |||
678 | if (asprintf(&line, "read-only %s", argv[i] + 12) == -1) | 678 | if (asprintf(&line, "read-only %s", argv[i] + 12) == -1) |
679 | errExit("asprintf"); | 679 | errExit("asprintf"); |
680 | 680 | ||
681 | profile_check_line(line, 0); // will exit if something wrong | 681 | profile_check_line(line, 0, NULL); // will exit if something wrong |
682 | profile_add(line); | 682 | profile_add(line); |
683 | } | 683 | } |
684 | else if (strcmp(argv[i], "--overlay") == 0) { | 684 | else if (strcmp(argv[i], "--overlay") == 0) { |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 244370b98..0f6d49868 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -65,7 +65,7 @@ int profile_find(const char *name, const char *dir) { | |||
65 | // check profile line; if line == 0, this was generated from a command line option | 65 | // check profile line; if line == 0, this was generated from a command line option |
66 | // return 1 if the command is to be added to the linked list of profile commands | 66 | // return 1 if the command is to be added to the linked list of profile commands |
67 | // return 0 if the command was already executed inside the function | 67 | // return 0 if the command was already executed inside the function |
68 | int profile_check_line(char *ptr, int lineno) { | 68 | int profile_check_line(char *ptr, int lineno, const char *fname) { |
69 | // check ignore list | 69 | // check ignore list |
70 | int i; | 70 | int i; |
71 | for (i = 0; i < MAX_PROFILE_IGNORE; i++) { | 71 | for (i = 0; i < MAX_PROFILE_IGNORE; i++) { |
@@ -99,8 +99,17 @@ int profile_check_line(char *ptr, int lineno) { | |||
99 | return 0; | 99 | return 0; |
100 | } | 100 | } |
101 | 101 | ||
102 | // sandbox name | ||
103 | if (strncmp(ptr, "name ", 5) == 0) { | ||
104 | cfg.name = ptr + 5; | ||
105 | if (strlen(cfg.name) == 0) { | ||
106 | fprintf(stderr, "Error: invalid sandbox name\n"); | ||
107 | exit(1); | ||
108 | } | ||
109 | return 0; | ||
110 | } | ||
102 | // seccomp, caps, private, user namespace | 111 | // seccomp, caps, private, user namespace |
103 | if (strcmp(ptr, "noroot") == 0) { | 112 | else if (strcmp(ptr, "noroot") == 0) { |
104 | check_user_namespace(); | 113 | check_user_namespace(); |
105 | return 0; | 114 | return 0; |
106 | } | 115 | } |
@@ -395,6 +404,8 @@ int profile_check_line(char *ptr, int lineno) { | |||
395 | else { | 404 | else { |
396 | if (lineno == 0) | 405 | if (lineno == 0) |
397 | fprintf(stderr, "Error: \"%s\" as a command line option is invalid\n", ptr); | 406 | fprintf(stderr, "Error: \"%s\" as a command line option is invalid\n", ptr); |
407 | else if (fname != NULL) | ||
408 | fprintf(stderr, "Error: line %d in %s is invalid\n", lineno, fname); | ||
398 | else | 409 | else |
399 | fprintf(stderr, "Error: line %d in the custom profile is invalid\n", lineno); | 410 | fprintf(stderr, "Error: line %d in the custom profile is invalid\n", lineno); |
400 | exit(1); | 411 | exit(1); |
@@ -405,6 +416,8 @@ int profile_check_line(char *ptr, int lineno) { | |||
405 | if (strstr(ptr, "..")) { | 416 | if (strstr(ptr, "..")) { |
406 | if (lineno == 0) | 417 | if (lineno == 0) |
407 | fprintf(stderr, "Error: \"%s\" is an invalid filename\n", ptr); | 418 | fprintf(stderr, "Error: \"%s\" is an invalid filename\n", ptr); |
419 | else if (fname != NULL) | ||
420 | fprintf(stderr, "Error: line %d in %s is invalid\n", lineno, fname); | ||
408 | else | 421 | else |
409 | fprintf(stderr, "Error: line %d in the custom profile is invalid\n", lineno); | 422 | fprintf(stderr, "Error: line %d in the custom profile is invalid\n", lineno); |
410 | exit(1); | 423 | exit(1); |
@@ -492,7 +505,7 @@ void profile_read(const char *fname) { | |||
492 | } | 505 | } |
493 | 506 | ||
494 | // verify syntax, exit in case of error | 507 | // verify syntax, exit in case of error |
495 | if (profile_check_line(ptr, lineno)) | 508 | if (profile_check_line(ptr, lineno, fname)) |
496 | profile_add(ptr); | 509 | profile_add(ptr); |
497 | } | 510 | } |
498 | fclose(fp); | 511 | fclose(fp); |