diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 10 | ||||
-rw-r--r-- | src/firejail/main.c | 8 | ||||
-rw-r--r-- | src/firejail/profile.c | 3 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 4 | ||||
-rw-r--r-- | src/firejail/usage.c | 17 | ||||
-rw-r--r-- | src/man/firejail.txt | 12 |
6 files changed, 35 insertions, 19 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index a3b573acc..755ed4979 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -81,19 +81,23 @@ | |||
81 | assert(file);\ | 81 | assert(file);\ |
82 | struct stat s;\ | 82 | struct stat s;\ |
83 | if (stat(file, &s) == -1) errExit("stat");\ | 83 | if (stat(file, &s) == -1) errExit("stat");\ |
84 | assert(s.st_uid == uid && s.st_gid == gid && (s.st_mode & 07777) == mode);\ | 84 | assert(s.st_uid == uid);\ |
85 | assert(s.st_gid == gid);\ | ||
86 | assert((s.st_mode & 07777) == (mode));\ | ||
85 | } while (0) | 87 | } while (0) |
86 | #define ASSERT_PERMS_FD(fd, uid, gid, mode) \ | 88 | #define ASSERT_PERMS_FD(fd, uid, gid, mode) \ |
87 | do { \ | 89 | do { \ |
88 | struct stat s;\ | 90 | struct stat s;\ |
89 | if (stat(fd, &s) == -1) errExit("stat");\ | 91 | if (stat(fd, &s) == -1) errExit("stat");\ |
90 | assert(s.st_uid == uid && s.st_gid == gid && (s.st_mode & 07777) == mode);\ | 92 | assert(s.st_uid == uid);\ |
93 | assert(s.st_gid == gid);\ | ||
94 | assert((s.st_mode & 07777) == (mode));\ | ||
91 | } while (0) | 95 | } while (0) |
92 | #define ASSERT_PERMS_STREAM(file, uid, gid, mode) \ | 96 | #define ASSERT_PERMS_STREAM(file, uid, gid, mode) \ |
93 | do { \ | 97 | do { \ |
94 | int fd = fileno(file);\ | 98 | int fd = fileno(file);\ |
95 | if (fd == -1) errExit("fileno");\ | 99 | if (fd == -1) errExit("fileno");\ |
96 | ASSERT_PERMS_FD(fd, uid, gid, mode);\ | 100 | ASSERT_PERMS_FD(fd, uid, gid, (mode));\ |
97 | } while (0) | 101 | } while (0) |
98 | 102 | ||
99 | // main.c | 103 | // main.c |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 27e2a7f1a..2181a274b 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1561,17 +1561,21 @@ int main(int argc, char **argv) { | |||
1561 | arg_writable_var = 1; | 1561 | arg_writable_var = 1; |
1562 | } | 1562 | } |
1563 | else if (strcmp(argv[i], "--private") == 0) { | 1563 | else if (strcmp(argv[i], "--private") == 0) { |
1564 | #if 0 | ||
1564 | if (arg_private_template) { | 1565 | if (arg_private_template) { |
1565 | fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n"); | 1566 | fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n"); |
1566 | exit(1); | 1567 | exit(1); |
1567 | } | 1568 | } |
1569 | #endif | ||
1568 | arg_private = 1; | 1570 | arg_private = 1; |
1569 | } | 1571 | } |
1570 | else if (strncmp(argv[i], "--private=", 10) == 0) { | 1572 | else if (strncmp(argv[i], "--private=", 10) == 0) { |
1573 | #if 0 | ||
1571 | if (arg_private_template) { | 1574 | if (arg_private_template) { |
1572 | fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n"); | 1575 | fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n"); |
1573 | exit(1); | 1576 | exit(1); |
1574 | } | 1577 | } |
1578 | #endif | ||
1575 | // extract private home dirname | 1579 | // extract private home dirname |
1576 | cfg.home_private = argv[i] + 10; | 1580 | cfg.home_private = argv[i] + 10; |
1577 | if (*cfg.home_private == '\0') { | 1581 | if (*cfg.home_private == '\0') { |
@@ -1581,6 +1585,7 @@ int main(int argc, char **argv) { | |||
1581 | fs_check_private_dir(); | 1585 | fs_check_private_dir(); |
1582 | arg_private = 1; | 1586 | arg_private = 1; |
1583 | } | 1587 | } |
1588 | #if 0 | ||
1584 | else if (strncmp(argv[i], "--private-template=", 19) == 0) { | 1589 | else if (strncmp(argv[i], "--private-template=", 19) == 0) { |
1585 | cfg.private_template = argv[i] + 19; | 1590 | cfg.private_template = argv[i] + 19; |
1586 | if (arg_private) { | 1591 | if (arg_private) { |
@@ -1594,6 +1599,7 @@ int main(int argc, char **argv) { | |||
1594 | fs_check_private_template(); | 1599 | fs_check_private_template(); |
1595 | arg_private_template = 1; | 1600 | arg_private_template = 1; |
1596 | } | 1601 | } |
1602 | #endif | ||
1597 | else if (strcmp(argv[i], "--private-dev") == 0) { | 1603 | else if (strcmp(argv[i], "--private-dev") == 0) { |
1598 | arg_private_dev = 1; | 1604 | arg_private_dev = 1; |
1599 | } | 1605 | } |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 916e39892..ee5d8c159 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -630,7 +630,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
630 | return 0; | 630 | return 0; |
631 | } | 631 | } |
632 | 632 | ||
633 | 633 | #if 0 | |
634 | if (strncmp(ptr, "private-template ", 17) == 0) { | 634 | if (strncmp(ptr, "private-template ", 17) == 0) { |
635 | if (arg_private) { | 635 | if (arg_private) { |
636 | fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n"); | 636 | fprintf(stderr, "Error: --private and --private-template are mutually exclusive\n"); |
@@ -642,6 +642,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
642 | 642 | ||
643 | return 0; | 643 | return 0; |
644 | } | 644 | } |
645 | #endif | ||
645 | // private /etc list of files and directories | 646 | // private /etc list of files and directories |
646 | if (strncmp(ptr, "private-etc ", 12) == 0) { | 647 | if (strncmp(ptr, "private-etc ", 12) == 0) { |
647 | if (arg_writable_etc) { | 648 | if (arg_writable_etc) { |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 40df00a98..5f845fbd3 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -544,9 +544,11 @@ int sandbox(void* sandbox_arg) { | |||
544 | else // --private | 544 | else // --private |
545 | fs_private(); | 545 | fs_private(); |
546 | } | 546 | } |
547 | 547 | ||
548 | #if 0 | ||
548 | if (arg_private_template) | 549 | if (arg_private_template) |
549 | fs_private_template(); | 550 | fs_private_template(); |
551 | #endif | ||
550 | 552 | ||
551 | if (arg_private_dev) { | 553 | if (arg_private_dev) { |
552 | if (cfg.chrootdir) | 554 | if (cfg.chrootdir) |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index d4eab7802..363f973e8 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -221,10 +221,25 @@ $ firejail \-\-overlay-path=~/jails/jail1 firefox | |||
221 | printf("\tfilesystems. All modifications are discarded when the sandbox is\n"); | 221 | printf("\tfilesystems. All modifications are discarded when the sandbox is\n"); |
222 | printf("\tclosed.\n\n"); | 222 | printf("\tclosed.\n\n"); |
223 | printf(" --private=directory - use directory as user home.\n\n"); | 223 | printf(" --private=directory - use directory as user home.\n\n"); |
224 | 224 | #if 0 | |
225 | printf(" --private-template=directory - same as --private but copy the\n"); | 225 | printf(" --private-template=directory - same as --private but copy the\n"); |
226 | printf("\ttemplatedirectory in the tmpfs mounted user home.\n\n"); | 226 | printf("\ttemplatedirectory in the tmpfs mounted user home.\n\n"); |
227 | 227 | ||
228 | .TP | ||
229 | \fB\-\-private-template=templatedir | ||
230 | Mount new /root and /home/user directories in temporary | ||
231 | filesystems, and copy all files in templatedir. All modifications are discarded when the sandbox is | ||
232 | closed. | ||
233 | .br | ||
234 | |||
235 | .br | ||
236 | Example: | ||
237 | .br | ||
238 | $ firejail \-\-private-template=/home/netblue/.config/mozilla firefox | ||
239 | #endif | ||
240 | |||
241 | |||
242 | |||
228 | printf(" --private-bin=file,file - build a new /bin in a temporary filesystem,\n"); | 243 | printf(" --private-bin=file,file - build a new /bin in a temporary filesystem,\n"); |
229 | printf("\tand copy the programs in the list.\n\n"); | 244 | printf("\tand copy the programs in the list.\n\n"); |
230 | 245 | ||
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 19fca9854..434c29c0f 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1086,18 +1086,6 @@ Example: | |||
1086 | $ firejail \-\-private=/home/netblue/firefox-home firefox | 1086 | $ firejail \-\-private=/home/netblue/firefox-home firefox |
1087 | 1087 | ||
1088 | .TP | 1088 | .TP |
1089 | \fB\-\-private-template=templatedir | ||
1090 | Mount new /root and /home/user directories in temporary | ||
1091 | filesystems, and copy all files in templatedir. All modifications are discarded when the sandbox is | ||
1092 | closed. | ||
1093 | .br | ||
1094 | |||
1095 | .br | ||
1096 | Example: | ||
1097 | .br | ||
1098 | $ firejail \-\-private-template=/home/netblue/.config/mozilla firefox | ||
1099 | |||
1100 | .TP | ||
1101 | \fB\-\-private-bin=file,file | 1089 | \fB\-\-private-bin=file,file |
1102 | Build a new /bin in a temporary filesystem, and copy the programs in the list. | 1090 | Build a new /bin in a temporary filesystem, and copy the programs in the list. |
1103 | If no listed file is found, /bin directory will be empty. | 1091 | If no listed file is found, /bin directory will be empty. |