diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/main.c | 15 | ||||
-rw-r--r-- | src/firejail/profile.c | 22 | ||||
-rw-r--r-- | src/firejail/util.c | 5 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 16 |
4 files changed, 34 insertions, 24 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c index b90e30cca..4149f1342 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1362,6 +1362,8 @@ int main(int argc, char **argv) { | |||
1362 | } | 1362 | } |
1363 | #endif | 1363 | #endif |
1364 | else if (strncmp(argv[i], "--profile=", 10) == 0) { | 1364 | else if (strncmp(argv[i], "--profile=", 10) == 0) { |
1365 | // multiple profile files are allowed! | ||
1366 | |||
1365 | if (arg_noprofile) { | 1367 | if (arg_noprofile) { |
1366 | fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n"); | 1368 | fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n"); |
1367 | exit(1); | 1369 | exit(1); |
@@ -1370,19 +1372,6 @@ int main(int argc, char **argv) { | |||
1370 | char *ppath = expand_home(argv[i] + 10, cfg.homedir); | 1372 | char *ppath = expand_home(argv[i] + 10, cfg.homedir); |
1371 | if (!ppath) | 1373 | if (!ppath) |
1372 | errExit("strdup"); | 1374 | errExit("strdup"); |
1373 | invalid_filename(ppath); | ||
1374 | |||
1375 | // multiple profile files are allowed! | ||
1376 | if (is_dir(ppath) || is_link(ppath) || strstr(ppath, "..")) { | ||
1377 | fprintf(stderr, "Error: invalid profile file\n"); | ||
1378 | exit(1); | ||
1379 | } | ||
1380 | |||
1381 | // access call checks as real UID/GID, not as effective UID/GID | ||
1382 | if (access(ppath, R_OK)) { | ||
1383 | fprintf(stderr, "Error: cannot access profile file\n"); | ||
1384 | return 1; | ||
1385 | } | ||
1386 | 1375 | ||
1387 | profile_read(ppath); | 1376 | profile_read(ppath); |
1388 | custom_profile = 1; | 1377 | custom_profile = 1; |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 4856b31ae..9b3e58ab4 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -1013,10 +1013,25 @@ void profile_read(const char *fname) { | |||
1013 | exit(1); | 1013 | exit(1); |
1014 | } | 1014 | } |
1015 | 1015 | ||
1016 | // check file | ||
1016 | if (strlen(fname) == 0) { | 1017 | if (strlen(fname) == 0) { |
1017 | fprintf(stderr, "Error: invalid profile file\n"); | 1018 | fprintf(stderr, "Error: invalid profile file\n"); |
1018 | exit(1); | 1019 | exit(1); |
1019 | } | 1020 | } |
1021 | invalid_filename(fname); | ||
1022 | if (is_dir(fname) || is_link(fname) || strstr(fname, "..")) { | ||
1023 | fprintf(stderr, "Error: invalid profile file\n"); | ||
1024 | exit(1); | ||
1025 | } | ||
1026 | if (access(fname, R_OK)) { | ||
1027 | // if the file ends in ".local", do not exit | ||
1028 | char *ptr = strstr(fname, ".local"); | ||
1029 | if (ptr && strlen(ptr) == 6) | ||
1030 | return; | ||
1031 | |||
1032 | fprintf(stderr, "Error: cannot access profile file\n"); | ||
1033 | exit(1); | ||
1034 | } | ||
1020 | 1035 | ||
1021 | // allow debuggers | 1036 | // allow debuggers |
1022 | if (arg_allow_debuggers) { | 1037 | if (arg_allow_debuggers) { |
@@ -1027,15 +1042,10 @@ void profile_read(const char *fname) { | |||
1027 | return; | 1042 | return; |
1028 | } | 1043 | } |
1029 | } | 1044 | } |
1030 | 1045 | ||
1031 | // open profile file: | 1046 | // open profile file: |
1032 | FILE *fp = fopen(fname, "r"); | 1047 | FILE *fp = fopen(fname, "r"); |
1033 | if (fp == NULL) { | 1048 | if (fp == NULL) { |
1034 | // if the file ends in ".local", do not exit | ||
1035 | char *ptr = strstr(fname, ".local"); | ||
1036 | if (ptr && strlen(ptr) == 6) | ||
1037 | return; | ||
1038 | |||
1039 | fprintf(stderr, "Error: cannot open profile file %s\n", fname); | 1049 | fprintf(stderr, "Error: cannot open profile file %s\n", fname); |
1040 | exit(1); | 1050 | exit(1); |
1041 | } | 1051 | } |
diff --git a/src/firejail/util.c b/src/firejail/util.c index 44891ce2d..fbaf0b5ac 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -648,6 +648,11 @@ char *expand_home(const char *path, const char* homedir) { | |||
648 | errExit("asprintf"); | 648 | errExit("asprintf"); |
649 | return new_name; | 649 | return new_name; |
650 | } | 650 | } |
651 | else if (strncmp(path, "${CFG}", 6) == 0) { | ||
652 | if (asprintf(&new_name, "%s%s", SYSCONFDIR, path + 6) == -1) | ||
653 | errExit("asprintf"); | ||
654 | return new_name; | ||
655 | } | ||
651 | 656 | ||
652 | char *rv = strdup(path); | 657 | char *rv = strdup(path); |
653 | if (!rv) | 658 | if (!rv) |
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 90dca19bf..aa1aec567 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -81,14 +81,20 @@ Include other.profile file. | |||
81 | 81 | ||
82 | Example: "include /etc/firejail/disable-common.inc" | 82 | Example: "include /etc/firejail/disable-common.inc" |
83 | 83 | ||
84 | other.profile file name can be prefixed with ${HOME}. This will force Firejail to look for the | 84 | The file name can be prefixed with a macro such as ${HOME} or ${CFG}. |
85 | file in user home directory. | 85 | ${HOME} is expanded as user home directory, and ${CFG} is expanded as |
86 | Firejail system configuration directory - in most cases /etc/firejail or | ||
87 | /usr/local/etc/firejail. | ||
86 | 88 | ||
87 | Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file. | 89 | Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file. |
88 | 90 | ||
89 | If the file is not found, and the file name does not end in ".local", the sandbox exist immediately | 91 | Example: "include ${CFG}/firefox.profile" will load "/etc/firejail/firefox.profile" file. |
90 | with an error printed on stderr. ".local" files can be used to customize the global configuration | 92 | |
91 | in /etc/firejail directory. These files are not overwritten during software install. | 93 | System configuration files in ${CFG} are overwritten during software installation. |
94 | Persistent configuration at system level is handled in ".local" files. For every | ||
95 | profile file in ${CFG} directory, the user can create a corresponding .local file | ||
96 | storing modifications to the persistent configuration. Persistent .local files | ||
97 | are included at the start of regular profile files. | ||
92 | 98 | ||
93 | .TP | 99 | .TP |
94 | \fBnoblacklist file_name | 100 | \fBnoblacklist file_name |