2 files changed, 97 insertions, 5 deletions
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index 35fa850f1..604b12633 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -143,6 +143,40 @@ static void clean(void) {
        printf("\n");
 }
+#define ignorelist_maxlen 2048
+static const char *ignorelist[ignorelist_maxlen];
+static int ignorelist_len = 0;
+static int append_ignorelist(const char *const str) {
+        assert(str);
+        if (ignorelist_len >= ignorelist_maxlen) {
+                fprintf(stderr, "Warning: Ignore list is full (%d/%d), skipping %s\n",
+                        ignorelist_len, ignorelist_maxlen, str);
+                return 0;
+        }
+        printf("   ignoring '%s'\n", str);
+        const char *const dup = strdup(str);
+        if (!dup)
+                errExit("strdup");
+        ignorelist[ignorelist_len] = dup;
+        ignorelist_len++;
+        return 1;
+}
+static int in_ignorelist(const char *const str) {
+        assert(str);
+        int i;
+        for (i = 0; i < ignorelist_len; i++) {
+                if (strcmp(str, ignorelist[i]) == 0)
+                        return 1;
+        }
+        return 0;
+}
 static void set_file(const char *name, const char *firejail_exec) {
        if (which(name) == 0)
                return;
@@ -206,8 +240,17 @@ static void set_links_firecfg(const char *cfgfile) {
                if (*start == '\0')
                        continue;
+                // handle ignore command
+                if (*start == '!') {
+                        append_ignorelist(start + 1);
+                        continue;
+                }
                // set link
-                set_file(start, FIREJAIL_EXEC);
+                if (!in_ignorelist(start))
+                        set_file(start, FIREJAIL_EXEC);
+                else
+                        printf("   %s ignored\n", start);
        }
        fclose(fp);
diff --git a/src/man/firecfg.1.in b/src/man/firecfg.1.in
index a85fbc5da..e43a573de 100644
--- a/src/man/firecfg.1.in
+++ b/src/man/firecfg.1.in
@@ -29,9 +29,13 @@ Note: The examples use \fBsudo\fR, but \fBdoas\fR is also supported.
 To set it up, run "sudo firecfg" after installing Firejail software.
 The same command should also be run after
 installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin
-will be created. For a full list of programs supported by default run "cat /etc/firejail/firecfg.config".
+will be created.
+.PP
-For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR.
+To configure the list of programs used by firecfg when creating symlinks, see
+\fBFILES\fR and \fBSYNTAX\fR.
+.PP
+For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in
+\fBman 1 firejail\fR.
 .SH DEFAULT ACTIONS
 The following actions are implemented by default by running sudo firecfg:
@@ -135,8 +139,53 @@ $ sudo firecfg --clean
 /usr/local/bin/vlc removed
 .br
 [...]
+.SH FILES
+.PP
+Configuration files are searched for and parsed in the following paths:
+.PP
+.RS
+1. /etc/firejail/firecfg.d/*.conf (in alphabetical order)
+.br
+2. /etc/firejail/firecfg.config
+.RE
+.PP
+The programs that are supported by default are listed in
+/etc/firejail/firecfg.config.
+It is recommended to leave it as is and put all customizations inside
+/etc/firejail/firecfg.d/.
+.PP
+Profile files are also searched in the user configuration directory:
+.PP
+.RS
+3. ~/.config/firejail/*.profile
+.RE
+.PP
+For every \fBPROGRAM.profile\fR file found, firecfg attempts to create a
+symlink for "PROGRAM", as if "PROGRAM" was listed in a configuration file.
+.SH SYNTAX
+Configuration file syntax:
+.PP
+A line that starts with \fB#\fR is considered a comment.
+.br
+A line that starts with \fB!PROGRAM\fR means to ignore "PROGRAM" when creating
+symlinks.
+.br
+A line that starts with anything else is considered to be the name of an
+executable and firecfg will attempt to create a symlink for it.
+.PP
+For example, to prevent firecfg from creating symlinks for "firefox" and
+"patch" while attempting to create a symlink for "myprog", the following lines
+could be added to /etc/firejail/firecfg.d/10-my.conf:
+.PP
+.RS
+!firefox
+.br
+!patch
+.br
+.br
+myprog
+.RE
 .SH LICENSE
 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
 .PP

diff --git a/src/firecfg/main.c b/src/firecfg/main.c index 35fa850f1..604b12633 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c
@@ -143,6 +143,40 @@ static void clean(void) {
143	printf("\n");	143	printf("\n");
144	}	144	}
145		145
		146	#define ignorelist_maxlen 2048
		147	static const char *ignorelist[ignorelist_maxlen];
		148	static int ignorelist_len = 0;
		149
		150	static int append_ignorelist(const char *const str) {
		151	assert(str);
		152	if (ignorelist_len >= ignorelist_maxlen) {
		153	fprintf(stderr, "Warning: Ignore list is full (%d/%d), skipping %s\n",
		154	ignorelist_len, ignorelist_maxlen, str);
		155	return 0;
		156	}
		157
		158	printf(" ignoring '%s'\n", str);
		159	const char *const dup = strdup(str);
		160	if (!dup)
		161	errExit("strdup");
		162
		163	ignorelist[ignorelist_len] = dup;
		164	ignorelist_len++;
		165
		166	return 1;
		167	}
		168
		169	static int in_ignorelist(const char *const str) {
		170	assert(str);
		171	int i;
		172	for (i = 0; i < ignorelist_len; i++) {
		173	if (strcmp(str, ignorelist[i]) == 0)
		174	return 1;
		175	}
		176
		177	return 0;
		178	}
		179
146	static void set_file(const char name, const char firejail_exec) {	180	static void set_file(const char name, const char firejail_exec) {
147	if (which(name) == 0)	181	if (which(name) == 0)
148	return;	182	return;
@@ -206,8 +240,17 @@ static void set_links_firecfg(const char *cfgfile) {
206	if (*start == '\0')	240	if (*start == '\0')
207	continue;	241	continue;
208		242
		243	// handle ignore command
		244	if (*start == '!') {
		245	append_ignorelist(start + 1);
		246	continue;
		247	}
		248
209	// set link	249	// set link
210	set_file(start, FIREJAIL_EXEC);	250	if (!in_ignorelist(start))
		251	set_file(start, FIREJAIL_EXEC);
		252	else
		253	printf(" %s ignored\n", start);
211	}	254	}
212		255
213	fclose(fp);	256	fclose(fp);


diff --git a/src/man/firecfg.1.in b/src/man/firecfg.1.in index a85fbc5da..e43a573de 100644 --- a/src/man/firecfg.1.in +++ b/src/man/firecfg.1.in
@@ -29,9 +29,13 @@ Note: The examples use \fBsudo\fR, but \fBdoas\fR is also supported.
29	To set it up, run "sudo firecfg" after installing Firejail software.	29	To set it up, run "sudo firecfg" after installing Firejail software.
30	The same command should also be run after	30	The same command should also be run after
31	installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin	31	installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin
32	will be created. For a full list of programs supported by default run "cat /etc/firejail/firecfg.config".	32	will be created.
33		33	.PP
34	For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR.	34	To configure the list of programs used by firecfg when creating symlinks, see
		35	\fBFILES\fR and \fBSYNTAX\fR.
		36	.PP
		37	For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in
		38	\fBman 1 firejail\fR.
35	.SH DEFAULT ACTIONS	39	.SH DEFAULT ACTIONS
36	The following actions are implemented by default by running sudo firecfg:	40	The following actions are implemented by default by running sudo firecfg:
37		41
@@ -135,8 +139,53 @@ $ sudo firecfg --clean
135	/usr/local/bin/vlc removed	139	/usr/local/bin/vlc removed
136	.br	140	.br
137	[...]	141	[...]
		142	.SH FILES
		143	.PP
		144	Configuration files are searched for and parsed in the following paths:
		145	.PP
		146	.RS
		147	1. /etc/firejail/firecfg.d/*.conf (in alphabetical order)
		148	.br
		149	2. /etc/firejail/firecfg.config
		150	.RE
		151	.PP
		152	The programs that are supported by default are listed in
		153	/etc/firejail/firecfg.config.
		154	It is recommended to leave it as is and put all customizations inside
		155	/etc/firejail/firecfg.d/.
		156	.PP
		157	Profile files are also searched in the user configuration directory:
		158	.PP
		159	.RS
		160	3. ~/.config/firejail/*.profile
		161	.RE
		162	.PP
		163	For every \fBPROGRAM.profile\fR file found, firecfg attempts to create a
		164	symlink for "PROGRAM", as if "PROGRAM" was listed in a configuration file.
		165	.SH SYNTAX
		166	Configuration file syntax:
		167	.PP
		168	A line that starts with \fB#\fR is considered a comment.
		169	.br
		170	A line that starts with \fB!PROGRAM\fR means to ignore "PROGRAM" when creating
		171	symlinks.
		172	.br
		173	A line that starts with anything else is considered to be the name of an
		174	executable and firecfg will attempt to create a symlink for it.
		175	.PP
		176	For example, to prevent firecfg from creating symlinks for "firefox" and
		177	"patch" while attempting to create a symlink for "myprog", the following lines
		178	could be added to /etc/firejail/firecfg.d/10-my.conf:
		179	.PP
		180	.RS
		181	!firefox
		182	.br
		183	!patch
		184	.br
138		185
139		186	.br
		187	myprog
		188	.RE
140	.SH LICENSE	189	.SH LICENSE
141	This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.	190	This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
142	.PP	191	.PP