diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/checkcfg.c | 2 | ||||
-rw-r--r-- | src/firejail/firejail.h | 32 | ||||
-rw-r--r-- | src/firejail/main.c | 11 | ||||
-rw-r--r-- | src/firejail/profile.c | 4 |
4 files changed, 26 insertions, 23 deletions
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index e2fab1265..62b8c4dc4 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -62,6 +62,7 @@ int checkcfg(int val) { | |||
62 | cfg_val[CFG_CHROOT] = 0; | 62 | cfg_val[CFG_CHROOT] = 0; |
63 | cfg_val[CFG_SECCOMP_LOG] = 0; | 63 | cfg_val[CFG_SECCOMP_LOG] = 0; |
64 | cfg_val[CFG_PRIVATE_LIB] = 0; | 64 | cfg_val[CFG_PRIVATE_LIB] = 0; |
65 | cfg_val[CFG_TRACELOG] = 0; | ||
65 | 66 | ||
66 | // open configuration file | 67 | // open configuration file |
67 | const char *fname = SYSCONFDIR "/firejail.config"; | 68 | const char *fname = SYSCONFDIR "/firejail.config"; |
@@ -111,6 +112,7 @@ int checkcfg(int val) { | |||
111 | PARSE_YESNO(CFG_SECCOMP, "seccomp") | 112 | PARSE_YESNO(CFG_SECCOMP, "seccomp") |
112 | PARSE_YESNO(CFG_NETWORK, "network") | 113 | PARSE_YESNO(CFG_NETWORK, "network") |
113 | PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network") | 114 | PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network") |
115 | PARSE_YESNO(CFG_TRACELOG, "tracelog") | ||
114 | PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title") | 116 | PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title") |
115 | PARSE_YESNO(CFG_OVERLAYFS, "overlayfs") | 117 | PARSE_YESNO(CFG_OVERLAYFS, "overlayfs") |
116 | PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin") | 118 | PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin") |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 9c2b53c18..a3b38b5e0 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -32,25 +32,6 @@ | |||
32 | // debug restricted shell | 32 | // debug restricted shell |
33 | //#define DEBUG_RESTRICTED_SHELL | 33 | //#define DEBUG_RESTRICTED_SHELL |
34 | 34 | ||
35 | #ifdef HAVE_LANDLOCK | ||
36 | |||
37 | extern int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags); | ||
38 | |||
39 | extern int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags); | ||
40 | |||
41 | extern int landlock_restrict_self(int fd,__u32 flags); | ||
42 | |||
43 | extern int create_full_ruleset(); | ||
44 | |||
45 | extern int add_read_access_rule_by_path(int rset_fd,char *allowed_path); | ||
46 | |||
47 | extern int add_write_access_rule_by_path(int rset_fd,char *allowed_path); | ||
48 | |||
49 | extern int add_create_special_rule_by_path(int rset_fd,char *allowed_path); | ||
50 | |||
51 | extern int add_execute_rule_by_path(int rset_fd,char *allowed_path); | ||
52 | |||
53 | #endif | ||
54 | 35 | ||
55 | // profiles | 36 | // profiles |
56 | #define DEFAULT_USER_PROFILE "default" | 37 | #define DEFAULT_USER_PROFILE "default" |
@@ -857,6 +838,7 @@ enum { | |||
857 | // CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv | 838 | // CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv |
858 | CFG_ALLOW_TRAY, | 839 | CFG_ALLOW_TRAY, |
859 | CFG_SECCOMP_LOG, | 840 | CFG_SECCOMP_LOG, |
841 | CFG_TRACELOG, | ||
860 | CFG_MAX // this should always be the last entry | 842 | CFG_MAX // this should always be the last entry |
861 | }; | 843 | }; |
862 | extern char *xephyr_screen; | 844 | extern char *xephyr_screen; |
@@ -963,4 +945,16 @@ void run_ids(int argc, char **argv); | |||
963 | // oom.c | 945 | // oom.c |
964 | void oom_set(const char *oom_string); | 946 | void oom_set(const char *oom_string); |
965 | 947 | ||
948 | // landlock.c | ||
949 | #ifdef HAVE_LANDLOCK | ||
950 | int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags); | ||
951 | int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags); | ||
952 | int landlock_restrict_self(int fd,__u32 flags); | ||
953 | int create_full_ruleset(); | ||
954 | int add_read_access_rule_by_path(int rset_fd,char *allowed_path); | ||
955 | int add_write_access_rule_by_path(int rset_fd,char *allowed_path); | ||
956 | int add_create_special_rule_by_path(int rset_fd,char *allowed_path); | ||
957 | int add_execute_rule_by_path(int rset_fd,char *allowed_path); | ||
958 | #endif | ||
959 | |||
966 | #endif | 960 | #endif |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 3f0dc960a..1daf0da35 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -348,7 +348,8 @@ errout: | |||
348 | 348 | ||
349 | 349 | ||
350 | static void exit_err_feature(const char *feature) { | 350 | static void exit_err_feature(const char *feature) { |
351 | fprintf(stderr, "Error: %s feature is disabled in Firejail configuration file\n", feature); | 351 | fprintf(stderr, "Error: %s feature is disabled in Firejail configuration file %s\n", |
352 | feature, SYSCONFDIR "/firejail.config"); | ||
352 | exit(1); | 353 | exit(1); |
353 | } | 354 | } |
354 | 355 | ||
@@ -1570,8 +1571,12 @@ int main(int argc, char **argv, char **envp) { | |||
1570 | arg_tracefile = tmp; | 1571 | arg_tracefile = tmp; |
1571 | } | 1572 | } |
1572 | } | 1573 | } |
1573 | else if (strcmp(argv[i], "--tracelog") == 0) | 1574 | else if (strcmp(argv[i], "--tracelog") == 0) { |
1574 | arg_tracelog = 1; | 1575 | if (checkcfg(CFG_TRACELOG)) |
1576 | arg_tracelog = 1; | ||
1577 | else | ||
1578 | exit_err_feature("tracelog"); | ||
1579 | } | ||
1575 | else if (strncmp(argv[i], "--rlimit-cpu=", 13) == 0) { | 1580 | else if (strncmp(argv[i], "--rlimit-cpu=", 13) == 0) { |
1576 | check_unsigned(argv[i] + 13, "Error: invalid rlimit"); | 1581 | check_unsigned(argv[i] + 13, "Error: invalid rlimit"); |
1577 | sscanf(argv[i] + 13, "%llu", &cfg.rlimit_cpu); | 1582 | sscanf(argv[i] + 13, "%llu", &cfg.rlimit_cpu); |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 9a2f8c82c..9f677c11d 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -372,7 +372,9 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
372 | return 0; | 372 | return 0; |
373 | } | 373 | } |
374 | else if (strcmp(ptr, "tracelog") == 0) { | 374 | else if (strcmp(ptr, "tracelog") == 0) { |
375 | arg_tracelog = 1; | 375 | if (checkcfg(CFG_TRACELOG)) |
376 | arg_tracelog = 1; | ||
377 | // no warning, we have tracelog in over 400 profiles | ||
376 | return 0; | 378 | return 0; |
377 | } | 379 | } |
378 | else if (strcmp(ptr, "private") == 0) { | 380 | else if (strcmp(ptr, "private") == 0) { |