Diffstat (limited to 'src/firejail/main.c')
-rw-r--r--src/firejail/main.c34
1 files changed, 33 insertions, 1 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 2a56d1725..f7191c981 100644
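--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -399,6 +399,7 @@ int main(int argc, char **argv) {
  int arg_ipc = 0;
  int arg_cgroup = 0;
  int custom_profile = 0; // custom profile loaded
+ int arg_noprofile = 0; // use generic.profile if none other found/specified
 
  // initialize globals
  init_cfg();
@@ -653,6 +654,10 @@ int main(int argc, char **argv) {
  arg_overlay = 1;
  }
  else if (strncmp(argv[i], "--profile=", 10) == 0) {
+ if (arg_noprofile) {
+ fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n");
+ exit(1);
+ }
  // multiple profile files are allowed!
  char *ptr = argv[i] + 10;
  if (is_dir(ptr) || is_link(ptr) || strstr(ptr, "..")) {
@@ -669,6 +674,13 @@ int main(int argc, char **argv) {
  profile_read(argv[i] + 10, NULL, NULL);
  custom_profile = 1;
  }
+ else if (strcmp(argv[i], "--noprofile") == 0) {
+ if (custom_profile) {
+ fprintf(stderr, "Error: --profile and --noprofile options are mutually exclusive\n");
+ exit(1);
+ }
+ arg_noprofile = 1;
+ }
 #ifdef HAVE_CHROOT
  else if (strncmp(argv[i], "--chroot=", 9) == 0) {
  if (arg_overlay) {
@@ -1054,7 +1066,7 @@ int main(int argc, char **argv) {
  }
 
  // load the profile
- {
+ if (!arg_noprofile) {
  assert(cfg.command_name);
  if (arg_debug)
  printf("Command name #%s#\n", cfg.command_name);
@@ -1074,6 +1086,26 @@ int main(int argc, char **argv) {
  }
  }
 
+ // use generic.profile as the default
+ if (!custom_profile && !arg_noprofile) {
+ if (arg_debug)
+ printf("Attempting to find generic.profile...");
+
+ // look for the profile in ~/.config/firejail directory
+ char *usercfgdir;
+ if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1)
+ errExit("asprintf");
+ int rv = profile_find(GENERIC_PROFILE_NAME, usercfgdir);
+ free(usercfgdir);
+ custom_profile = rv;
+
+ if (!custom_profile) {
+ // look for the profile in /etc/firejail directory
+ int rv = profile_find(GENERIC_PROFILE_NAME, "/etc/firejail");
+ custom_profile = rv;
+ }
+ }
+
  // check and assign an IP address - for macvlan it will be done again in the sandbox!
  if (any_bridge_configured()) {
  lockfd = open("/tmp/firejail/firejail.lock", O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);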
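Review bot: When neither `~/.config/firejail` nor `/etc/firejail` yields generic.profile, the new fallback block (new lines 1089-1107) leaves `custom_profile` at 0 and, as far as this hunk shows, the sandbox starts with no profile and no message. A warning after the second lookup would make that fail-open case visible, e.g. `if (!custom_profile) fprintf(stderr, "Warning: generic.profile not found, no profile loaded\n");`. The per-user directory is searched before `/etc/firejail`, so the default a user gets can be replaced by anything able to write to that home directory; a comment stating that this precedence is intended would help the next reader. Two smaller points in the same block: the debug `printf("Attempting to find generic.profile...")` has no trailing newline, and the inner `int rv` shadows the outer one, where `custom_profile = profile_find(GENERIC_PROFILE_NAME, "/etc/firejail");` would do. main() begins and ends outside the hunk.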