diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/bash_completion/firejail.bash_completion | 4 | ||||
-rw-r--r-- | src/faudit/dbus.c | 4 | ||||
-rw-r--r-- | src/faudit/dev.c | 47 | ||||
-rw-r--r-- | src/faudit/faudit.h | 3 | ||||
-rw-r--r-- | src/faudit/main.c | 11 | ||||
-rw-r--r-- | src/firecfg/firecfg.config | 5 | ||||
-rw-r--r-- | src/firejail/firejail.h | 4 | ||||
-rw-r--r-- | src/firejail/fs.c | 41 | ||||
-rw-r--r-- | src/firejail/fs_rdwr.c | 93 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 28 | ||||
-rw-r--r-- | src/firejail/main.c | 8 | ||||
-rw-r--r-- | src/firejail/profile.c | 12 | ||||
-rw-r--r-- | src/man/firejail.txt | 23 |
13 files changed, 142 insertions, 141 deletions
diff --git a/src/bash_completion/firejail.bash_completion b/src/bash_completion/firejail.bash_completion index 78bd622fc..d3dcd57d0 100644 --- a/src/bash_completion/firejail.bash_completion +++ b/src/bash_completion/firejail.bash_completion | |||
@@ -47,6 +47,10 @@ _firejail() | |||
47 | _filedir | 47 | _filedir |
48 | return 0 | 48 | return 0 |
49 | ;; | 49 | ;; |
50 | --read-write) | ||
51 | _filedir | ||
52 | return 0 | ||
53 | ;; | ||
50 | --bind) | 54 | --bind) |
51 | _filedir | 55 | _filedir |
52 | return 0 | 56 | return 0 |
diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c index 1ead2aa38..1edce5802 100644 --- a/src/faudit/dbus.c +++ b/src/faudit/dbus.c | |||
@@ -42,7 +42,7 @@ void check_session_bus(const char *sockfile) { | |||
42 | printf("GOOD: I cannot connect to session bus. If the application misbehaves, please log a bug with the application developer.\n"); | 42 | printf("GOOD: I cannot connect to session bus. If the application misbehaves, please log a bug with the application developer.\n"); |
43 | } | 43 | } |
44 | else { | 44 | else { |
45 | printf("MAYBE: I can connect to session bus. It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n"); | 45 | printf("MAYBE: I can connect to session bus. It could be a good idea to disable it by creating a new network namespace using \"--net=none\" or \"--net=eth0\".\n"); |
46 | } | 46 | } |
47 | 47 | ||
48 | close(sock); | 48 | close(sock); |
@@ -65,8 +65,8 @@ void dbus_test(void) { | |||
65 | check_session_bus(sockfile); | 65 | check_session_bus(sockfile); |
66 | 66 | ||
67 | sockfile -= 13; | 67 | sockfile -= 13; |
68 | free(sockfile); | ||
69 | } | 68 | } |
69 | free(bus); | ||
70 | } | 70 | } |
71 | } | 71 | } |
72 | 72 | ||
diff --git a/src/faudit/dev.c b/src/faudit/dev.c new file mode 100644 index 000000000..92f615958 --- /dev/null +++ b/src/faudit/dev.c | |||
@@ -0,0 +1,47 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2016 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "faudit.h" | ||
21 | #include <dirent.h> | ||
22 | |||
23 | void dev_test(void) { | ||
24 | DIR *dir; | ||
25 | if (!(dir = opendir("/dev"))) { | ||
26 | fprintf(stderr, "Error: cannot open /dev directory\n"); | ||
27 | return; | ||
28 | } | ||
29 | |||
30 | struct dirent *entry; | ||
31 | printf("INFO: files visible in /dev directory: "); | ||
32 | int cnt = 0; | ||
33 | while ((entry = readdir(dir)) != NULL) { | ||
34 | if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) | ||
35 | continue; | ||
36 | |||
37 | printf("%s, ", entry->d_name); | ||
38 | cnt++; | ||
39 | } | ||
40 | printf("\n"); | ||
41 | |||
42 | if (cnt > 20) | ||
43 | printf("MAYBE: /dev directory seems to be fully populated. Use --private-dev or --whitelist to restrict the access.\n"); | ||
44 | else | ||
45 | printf("GOOD: Access to /dev directory is restricted.\n"); | ||
46 | closedir(dir); | ||
47 | } | ||
diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h index 3c08a3eab..93fb4b709 100644 --- a/src/faudit/faudit.h +++ b/src/faudit/faudit.h | |||
@@ -58,4 +58,7 @@ void network_test(void); | |||
58 | // dbus.c | 58 | // dbus.c |
59 | void dbus_test(void); | 59 | void dbus_test(void); |
60 | 60 | ||
61 | // dev.c | ||
62 | void dev_test(void); | ||
63 | |||
61 | #endif | 64 | #endif |
diff --git a/src/faudit/main.c b/src/faudit/main.c index 14794719d..6ff938d98 100644 --- a/src/faudit/main.c +++ b/src/faudit/main.c | |||
@@ -38,8 +38,9 @@ int main(int argc, char **argv) { | |||
38 | // extract program name | 38 | // extract program name |
39 | prog = realpath(argv[0], NULL); | 39 | prog = realpath(argv[0], NULL); |
40 | if (prog == NULL) { | 40 | if (prog == NULL) { |
41 | fprintf(stderr, "Error: cannot extract the path of the audit program\n"); | 41 | prog = strdup("faudit"); |
42 | return 1; | 42 | if (!prog) |
43 | errExit("strdup"); | ||
43 | } | 44 | } |
44 | printf("INFO: starting %s.\n", prog); | 45 | printf("INFO: starting %s.\n", prog); |
45 | 46 | ||
@@ -67,7 +68,11 @@ int main(int argc, char **argv) { | |||
67 | // dbus | 68 | // dbus |
68 | dbus_test(); | 69 | dbus_test(); |
69 | printf("\n"); | 70 | printf("\n"); |
70 | 71 | ||
72 | // /dev test | ||
73 | dev_test(); | ||
74 | printf("\n"); | ||
75 | |||
71 | free(prog); | 76 | free(prog); |
72 | printf("--------------------------------------------------------------------------------\n"); | 77 | printf("--------------------------------------------------------------------------------\n"); |
73 | 78 | ||
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index ba975c4b4..48e205a58 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config | |||
@@ -40,6 +40,7 @@ midori | |||
40 | netsurf | 40 | netsurf |
41 | opera-beta | 41 | opera-beta |
42 | opera | 42 | opera |
43 | palemoon | ||
43 | qutebrowser | 44 | qutebrowser |
44 | seamonkey | 45 | seamonkey |
45 | seamonkey-bin | 46 | seamonkey-bin |
@@ -98,6 +99,7 @@ totem | |||
98 | vlc | 99 | vlc |
99 | xplayer | 100 | xplayer |
100 | xviewer | 101 | xviewer |
102 | eom | ||
101 | 103 | ||
102 | # news readers | 104 | # news readers |
103 | quiterss | 105 | quiterss |
@@ -110,10 +112,11 @@ fbreader | |||
110 | gwenview | 112 | gwenview |
111 | gthumb | 113 | gthumb |
112 | libreoffice | 114 | libreoffice |
115 | localc | ||
113 | lodraw | 116 | lodraw |
114 | loffice | 117 | loffice |
115 | lofromtemplate | 118 | lofromtemplate |
116 | loimpres | 119 | loimpress |
117 | lomath | 120 | lomath |
118 | loweb | 121 | loweb |
119 | lowriter | 122 | lowriter |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 8856986e6..29bb6c494 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -584,10 +584,6 @@ extern char *xephyr_screen; | |||
584 | extern char *xephyr_extra_params; | 584 | extern char *xephyr_extra_params; |
585 | int checkcfg(int val); | 585 | int checkcfg(int val); |
586 | 586 | ||
587 | // fs_rdwr.c | ||
588 | void fs_rdwr_add(const char *path); | ||
589 | void fs_rdwr(void); | ||
590 | |||
591 | // appimage.c | 587 | // appimage.c |
592 | void appimage_set(const char *appimage_path); | 588 | void appimage_set(const char *appimage_path); |
593 | void appimage_clear(void); | 589 | void appimage_clear(void); |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 4b2b91b17..630458549 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -27,6 +27,8 @@ | |||
27 | #include <fcntl.h> | 27 | #include <fcntl.h> |
28 | #include <errno.h> | 28 | #include <errno.h> |
29 | 29 | ||
30 | static void fs_rdwr(const char *dir); | ||
31 | |||
30 | static void create_empty_dir(void) { | 32 | static void create_empty_dir(void) { |
31 | struct stat s; | 33 | struct stat s; |
32 | 34 | ||
@@ -229,6 +231,7 @@ typedef enum { | |||
229 | MOUNT_READONLY, | 231 | MOUNT_READONLY, |
230 | MOUNT_TMPFS, | 232 | MOUNT_TMPFS, |
231 | MOUNT_NOEXEC, | 233 | MOUNT_NOEXEC, |
234 | MOUNT_RDWR, | ||
232 | OPERATION_MAX | 235 | OPERATION_MAX |
233 | } OPERATION; | 236 | } OPERATION; |
234 | 237 | ||
@@ -331,6 +334,12 @@ static void disable_file(OPERATION op, const char *filename) { | |||
331 | fs_rdonly(fname); | 334 | fs_rdonly(fname); |
332 | // todo: last_disable = SUCCESSFUL; | 335 | // todo: last_disable = SUCCESSFUL; |
333 | } | 336 | } |
337 | else if (op == MOUNT_RDWR) { | ||
338 | if (arg_debug) | ||
339 | printf("Mounting read-only %s\n", fname); | ||
340 | fs_rdwr(fname); | ||
341 | // todo: last_disable = SUCCESSFUL; | ||
342 | } | ||
334 | else if (op == MOUNT_NOEXEC) { | 343 | else if (op == MOUNT_NOEXEC) { |
335 | if (arg_debug) | 344 | if (arg_debug) |
336 | printf("Mounting noexec %s\n", fname); | 345 | printf("Mounting noexec %s\n", fname); |
@@ -492,6 +501,10 @@ void fs_blacklist(void) { | |||
492 | ptr = entry->data + 10; | 501 | ptr = entry->data + 10; |
493 | op = MOUNT_READONLY; | 502 | op = MOUNT_READONLY; |
494 | } | 503 | } |
504 | else if (strncmp(entry->data, "read-write ", 11) == 0) { | ||
505 | ptr = entry->data + 11; | ||
506 | op = MOUNT_RDWR; | ||
507 | } | ||
495 | else if (strncmp(entry->data, "noexec ", 7) == 0) { | 508 | else if (strncmp(entry->data, "noexec ", 7) == 0) { |
496 | ptr = entry->data + 7; | 509 | ptr = entry->data + 7; |
497 | op = MOUNT_NOEXEC; | 510 | op = MOUNT_NOEXEC; |
@@ -560,6 +573,29 @@ void fs_rdonly(const char *dir) { | |||
560 | } | 573 | } |
561 | } | 574 | } |
562 | 575 | ||
576 | static void fs_rdwr(const char *dir) { | ||
577 | assert(dir); | ||
578 | // check directory exists | ||
579 | struct stat s; | ||
580 | int rv = stat(dir, &s); | ||
581 | if (rv == 0) { | ||
582 | // if the file is outside /home directory, allow only root user | ||
583 | uid_t u = getuid(); | ||
584 | if (u != 0 && s.st_uid != u) { | ||
585 | fprintf(stderr, "Warning: you are not allowed to change %s to read-write\n", dir); | ||
586 | return; | ||
587 | } | ||
588 | |||
589 | // mount --bind /bin /bin | ||
590 | if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
591 | errExit("mount read-write"); | ||
592 | // mount --bind -o remount,rw /bin | ||
593 | if (mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0) | ||
594 | errExit("mount read-write"); | ||
595 | fs_logger2("read-write", dir); | ||
596 | } | ||
597 | } | ||
598 | |||
563 | void fs_noexec(const char *dir) { | 599 | void fs_noexec(const char *dir) { |
564 | assert(dir); | 600 | assert(dir); |
565 | // check directory exists | 601 | // check directory exists |
@@ -757,9 +793,6 @@ void fs_basic_fs(void) { | |||
757 | // firejail sandboxes (firejail --force) | 793 | // firejail sandboxes (firejail --force) |
758 | if (getuid() != 0) | 794 | if (getuid() != 0) |
759 | disable_firejail_config(); | 795 | disable_firejail_config(); |
760 | |||
761 | if (getuid() == 0) | ||
762 | fs_rdwr(); | ||
763 | } | 796 | } |
764 | 797 | ||
765 | 798 | ||
@@ -1093,7 +1126,7 @@ void fs_chroot(const char *rootdir) { | |||
1093 | if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1) | 1126 | if (asprintf(&newx11, "%s/tmp/.X11-unix", rootdir) == -1) |
1094 | errExit("asprintf"); | 1127 | errExit("asprintf"); |
1095 | if (arg_debug) | 1128 | if (arg_debug) |
1096 | printf("Mounting /tmp/.X11-unix on %s\n", newdev); | 1129 | printf("Mounting /tmp/.X11-unix on %s\n", newx11); |
1097 | if (mount("/tmp/.X11-unix", newx11, NULL, MS_BIND|MS_REC, NULL) < 0) | 1130 | if (mount("/tmp/.X11-unix", newx11, NULL, MS_BIND|MS_REC, NULL) < 0) |
1098 | errExit("mounting /tmp/.X11-unix"); | 1131 | errExit("mounting /tmp/.X11-unix"); |
1099 | free(newx11); | 1132 | free(newx11); |
diff --git a/src/firejail/fs_rdwr.c b/src/firejail/fs_rdwr.c deleted file mode 100644 index 68df6465f..000000000 --- a/src/firejail/fs_rdwr.c +++ /dev/null | |||
@@ -1,93 +0,0 @@ | |||
1 | /* | ||
2 | * Copyright (C) 2014-2016 Firejail Authors | ||
3 | * | ||
4 | * This file is part of firejail project | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU General Public License as published by | ||
8 | * the Free Software Foundation; either version 2 of the License, or | ||
9 | * (at your option) any later version. | ||
10 | * | ||
11 | * This program is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU General Public License along | ||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
19 | */ | ||
20 | #include "firejail.h" | ||
21 | #include <sys/mount.h> | ||
22 | #include <sys/stat.h> | ||
23 | #include <sys/types.h> | ||
24 | #include <sys/wait.h> | ||
25 | #include <unistd.h> | ||
26 | |||
27 | typedef struct rdwr_t { | ||
28 | struct rdwr_t *next; | ||
29 | const char *path; | ||
30 | } RDWR; | ||
31 | |||
32 | RDWR *rdwr = NULL; | ||
33 | |||
34 | void fs_rdwr_add(const char *path) { | ||
35 | // verify path | ||
36 | if (*path != '/') { | ||
37 | fprintf(stderr, "Error: invalid path for read-write command\n"); | ||
38 | exit(1); | ||
39 | } | ||
40 | invalid_filename(path); | ||
41 | if (is_link(path)) { | ||
42 | fprintf(stderr, "Error: invalid symbolic link for read-write command\n"); | ||
43 | exit(1); | ||
44 | } | ||
45 | if (strstr(path, "..")) { | ||
46 | fprintf(stderr, "Error: invalid path for read-write command\n"); | ||
47 | exit(1); | ||
48 | } | ||
49 | |||
50 | // print warning if the file doesn't exist | ||
51 | struct stat s; | ||
52 | if (stat(path, &s) == -1) { | ||
53 | fprintf(stderr, "Warning: %s not found, skipping read-write command\n", path); | ||
54 | return; | ||
55 | } | ||
56 | |||
57 | // build list entry | ||
58 | RDWR *r = malloc(sizeof(RDWR)); | ||
59 | if (!r) | ||
60 | errExit("malloc"); | ||
61 | memset(r, 0, sizeof(RDWR)); | ||
62 | r->path = path; | ||
63 | |||
64 | // add | ||
65 | r->next = rdwr; | ||
66 | rdwr = r; | ||
67 | } | ||
68 | |||
69 | static void mount_rdwr(const char *path) { | ||
70 | assert(path); | ||
71 | // check directory exists | ||
72 | struct stat s; | ||
73 | int rv = stat(path, &s); | ||
74 | if (rv == 0) { | ||
75 | // mount --bind /bin /bin | ||
76 | if (mount(path, path, NULL, MS_BIND|MS_REC, NULL) < 0) | ||
77 | errExit("mount read-write"); | ||
78 | // mount --bind -o remount,rw /bin | ||
79 | if (mount(NULL, path, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0) | ||
80 | errExit("mount read-write"); | ||
81 | fs_logger2("read-write", path); | ||
82 | } | ||
83 | } | ||
84 | |||
85 | void fs_rdwr(void) { | ||
86 | RDWR *ptr = rdwr; | ||
87 | |||
88 | while (ptr) { | ||
89 | mount_rdwr(ptr->path); | ||
90 | ptr = ptr->next; | ||
91 | } | ||
92 | } | ||
93 | |||
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index ba6c8cd74..926e5415c 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -181,11 +181,15 @@ static void whitelist_path(ProfileEntry *entry) { | |||
181 | char *wfile = NULL; | 181 | char *wfile = NULL; |
182 | 182 | ||
183 | if (entry->home_dir) { | 183 | if (entry->home_dir) { |
184 | fname = path + strlen(cfg.homedir); | 184 | if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) { |
185 | if (*fname == '\0') { | 185 | fname = path + strlen(cfg.homedir); |
186 | fprintf(stderr, "Error: file %s is not in user home directory, exiting...\n", path); | 186 | if (*fname == '\0') { |
187 | exit(1); | 187 | fprintf(stderr, "Error: file %s is not in user home directory, exiting...\n", path); |
188 | exit(1); | ||
189 | } | ||
188 | } | 190 | } |
191 | else | ||
192 | fname = path; | ||
189 | 193 | ||
190 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1) | 194 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1) |
191 | errExit("asprintf"); | 195 | errExit("asprintf"); |
@@ -248,9 +252,6 @@ static void whitelist_path(ProfileEntry *entry) { | |||
248 | printf("Whitelisting %s\n", path); | 252 | printf("Whitelisting %s\n", path); |
249 | } | 253 | } |
250 | else { | 254 | else { |
251 | if (arg_debug || arg_debug_whitelists) { | ||
252 | fprintf(stderr, "Warning (whitelisting): %s is an invalid file, skipping...\n", path); | ||
253 | } | ||
254 | return; | 255 | return; |
255 | } | 256 | } |
256 | 257 | ||
@@ -390,13 +391,14 @@ void fs_whitelist(void) { | |||
390 | 391 | ||
391 | entry->home_dir = 1; | 392 | entry->home_dir = 1; |
392 | home_dir = 1; | 393 | home_dir = 1; |
394 | if (arg_debug) | ||
395 | fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n", | ||
396 | __LINE__, fname, cfg.homedir); | ||
397 | |||
393 | // both path and absolute path are under /home | 398 | // both path and absolute path are under /home |
394 | if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) { | 399 | // if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) != 0) { |
395 | if (arg_debug) | 400 | // goto errexit; |
396 | fprintf(stderr, "Debug %d: fname #%s#, cfg.homedir #%s#\n", | 401 | // } |
397 | __LINE__, fname, cfg.homedir); | ||
398 | goto errexit; | ||
399 | } | ||
400 | } | 402 | } |
401 | else if (strncmp(new_name, "/tmp/", 5) == 0) { | 403 | else if (strncmp(new_name, "/tmp/", 5) == 0) { |
402 | entry->tmp_dir = 1; | 404 | entry->tmp_dir = 1; |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 4f1c81e2b..cbc3d57cf 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1206,7 +1206,7 @@ int main(int argc, char **argv) { | |||
1206 | errExit("asprintf"); | 1206 | errExit("asprintf"); |
1207 | 1207 | ||
1208 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1208 | profile_check_line(line, 0, NULL); // will exit if something wrong |
1209 | // profile_add(line); is not necessary | 1209 | profile_add(line); |
1210 | } | 1210 | } |
1211 | else if (strcmp(argv[i], "--overlay") == 0) { | 1211 | else if (strcmp(argv[i], "--overlay") == 0) { |
1212 | if (cfg.chrootdir) { | 1212 | if (cfg.chrootdir) { |
@@ -2142,8 +2142,6 @@ int main(int argc, char **argv) { | |||
2142 | fprintf(stderr, "Warning: default profile disabled by --chroot option\n"); | 2142 | fprintf(stderr, "Warning: default profile disabled by --chroot option\n"); |
2143 | else if (arg_overlay) | 2143 | else if (arg_overlay) |
2144 | fprintf(stderr, "Warning: default profile disabled by --overlay option\n"); | 2144 | fprintf(stderr, "Warning: default profile disabled by --overlay option\n"); |
2145 | // else if (cfg.home_private_keep) | ||
2146 | // fprintf(stderr, "Warning: default profile disabled by --private-home option\n"); | ||
2147 | else { | 2145 | else { |
2148 | // try to load a default profile | 2146 | // try to load a default profile |
2149 | char *profile_name = DEFAULT_USER_PROFILE; | 2147 | char *profile_name = DEFAULT_USER_PROFILE; |
@@ -2166,6 +2164,10 @@ int main(int argc, char **argv) { | |||
2166 | else | 2164 | else |
2167 | custom_profile = profile_find(profile_name, SYSCONFDIR); | 2165 | custom_profile = profile_find(profile_name, SYSCONFDIR); |
2168 | } | 2166 | } |
2167 | if (!custom_profile) { | ||
2168 | fprintf(stderr, "Error: no default.profile installed\n"); | ||
2169 | exit(1); | ||
2170 | } | ||
2169 | 2171 | ||
2170 | if (custom_profile && !arg_quiet) | 2172 | if (custom_profile && !arg_quiet) |
2171 | printf("\n** Note: you can use --noprofile to disable %s.profile **\n\n", profile_name); | 2173 | printf("\n** Note: you can use --noprofile to disable %s.profile **\n\n", profile_name); |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 40e2e4330..46ef0921d 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -716,16 +716,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
716 | return 0; | 716 | return 0; |
717 | } | 717 | } |
718 | 718 | ||
719 | // read-write | ||
720 | if (strncmp(ptr, "read-write ", 11) == 0) { | ||
721 | if (getuid() != 0) { | ||
722 | fprintf(stderr, "Error: read-write command is available only for root user\n"); | ||
723 | exit(1); | ||
724 | } | ||
725 | fs_rdwr_add(ptr + 11); | ||
726 | return 0; | ||
727 | } | ||
728 | |||
729 | // rest of filesystem | 719 | // rest of filesystem |
730 | if (strncmp(ptr, "blacklist ", 10) == 0) | 720 | if (strncmp(ptr, "blacklist ", 10) == 0) |
731 | ptr += 10; | 721 | ptr += 10; |
@@ -747,6 +737,8 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
747 | } | 737 | } |
748 | else if (strncmp(ptr, "read-only ", 10) == 0) | 738 | else if (strncmp(ptr, "read-only ", 10) == 0) |
749 | ptr += 10; | 739 | ptr += 10; |
740 | else if (strncmp(ptr, "read-write ", 11) == 0) | ||
741 | ptr += 11; | ||
750 | else if (strncmp(ptr, "noexec ", 7) == 0) | 742 | else if (strncmp(ptr, "noexec ", 7) == 0) |
751 | ptr += 7; | 743 | ptr += 7; |
752 | else if (strncmp(ptr, "tmpfs ", 6) == 0) { | 744 | else if (strncmp(ptr, "tmpfs ", 6) == 0) { |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index cd9ea6a8a..fed573e6c 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1184,16 +1184,23 @@ A short note about mixing \-\-whitelist and \-\-read-only options. Whitelisted d | |||
1184 | should be made read-only independently. Making a parent directory read-only, will not | 1184 | should be made read-only independently. Making a parent directory read-only, will not |
1185 | make the whitelist read-only. Example: | 1185 | make the whitelist read-only. Example: |
1186 | .br | 1186 | .br |
1187 | |||
1188 | .br | ||
1187 | $ firejail --whitelist=~/work --read-only=~ --read-only=~/work | 1189 | $ firejail --whitelist=~/work --read-only=~ --read-only=~/work |
1188 | 1190 | ||
1189 | .TP | 1191 | .TP |
1190 | \fB\-\-read-write=dirname_or_filename | 1192 | \fB\-\-read-write=dirname_or_filename |
1191 | By default, the sandbox mounts system directories read-only. | 1193 | Set directory or file read-write. Only files or directories belonging to the current user are allowed for |
1192 | These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64. | 1194 | this operation. Example: |
1193 | Use this option to mount read-write files or directories inside the system directories. | 1195 | .br |
1196 | |||
1197 | .br | ||
1198 | $ mkdir ~/test | ||
1199 | .br | ||
1200 | $ touch ~/test/a | ||
1201 | .br | ||
1202 | $ firejail --read-only=~/test --read-write=~/test/a | ||
1194 | 1203 | ||
1195 | This option is available only to root user. It has no effect when --chroot or --overlay are also set. In these | ||
1196 | cases the system directories are mounted read-write. | ||
1197 | 1204 | ||
1198 | .TP | 1205 | .TP |
1199 | \fB\-\-rlimit-fsize=number | 1206 | \fB\-\-rlimit-fsize=number |
@@ -1515,14 +1522,14 @@ firejail version 0.9.27 | |||
1515 | .TP | 1522 | .TP |
1516 | \fB\-\-whitelist=dirname_or_filename | 1523 | \fB\-\-whitelist=dirname_or_filename |
1517 | Whitelist directory or file. This feature is implemented only for user home, /dev, /media, /opt, /var, and /tmp directories. | 1524 | Whitelist directory or file. This feature is implemented only for user home, /dev, /media, /opt, /var, and /tmp directories. |
1518 | When whitlisting symbolic links, both the link and the real file should be in the same top directory | 1525 | With the exeception of user home, both the link and the real file should be in |
1519 | (home user, /media, /var etc.) | 1526 | the same top directory. |
1520 | .br | 1527 | .br |
1521 | 1528 | ||
1522 | .br | 1529 | .br |
1523 | Example: | 1530 | Example: |
1524 | .br | 1531 | .br |
1525 | $ firejail \-\-whitelist=~/.mozilla \-\-whitelist=~/Downloads | 1532 | $ firejail \-\-noprofile \-\-whitelist=~/.mozilla |
1526 | .br | 1533 | .br |
1527 | $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null | 1534 | $ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null |
1528 | .br | 1535 | .br |