From 69f804b4a3fa76a34088b1c97e9321d5afc1eb4f Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Sat, 6 Jan 2024 18:25:59 -0300 Subject: firecfg: use ignorelist also for .profile files Currently it is only used when parsing the configuration files: * /etc/firecfg.d/*.conf * /etc/firecfg.config Use it when searching for profile filenames as well: * ~/.config/firejail/*.profile Relates to #5876. --- src/firecfg/main.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/src/firecfg/main.c b/src/firecfg/main.c index 604b12633..40493159e 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c @@ -314,17 +314,19 @@ static void set_links_homedir(const char *homedir) { if (!exec) errExit("strdup"); char *ptr = strrchr(exec, '.'); - if (!ptr) { - free(exec); - continue; - } - if (strcmp(ptr, ".profile") != 0) { - free(exec); - continue; - } + if (!ptr) + goto next; + if (strcmp(ptr, ".profile") != 0) + goto next; *ptr = '\0'; + if (in_ignorelist(exec)) { + printf(" %s ignored\n", exec); + goto next; + } + set_file(exec, FIREJAIL_EXEC); +next: free(exec); } closedir(dir); -- cgit v1.2.3-54-g00ecf From 46e2ab9d2e3004e43cbe2b73f2592325700a1af2 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Mon, 8 Jan 2024 09:06:21 -0300 Subject: firecfg: refactor config parse functions Changes: * Export `in_ignorelist` function * Allow only building the ignorelist without setting the symlinks * Rename the functions to reflect the above * Add a function that parses all config files (`parse_config_all`) Also, make sure that `parse_config_all` only parses config files once, even if called multiple times. Relates to #5876. --- src/firecfg/firecfg.h | 2 ++ src/firecfg/main.c | 43 ++++++++++++++++++++++++++++++------------- 2 files changed, 32 insertions(+), 13 deletions(-) diff --git a/src/firecfg/firecfg.h b/src/firecfg/firecfg.h index 11e3ebc67..d42c937cf 100644 --- a/src/firecfg/firecfg.h +++ b/src/firecfg/firecfg.h 
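Review bot: The ignorelist check runs on `exec` after `*ptr = '\0'` has truncated it at the last dot, so `in_ignorelist` is matched against the profile basename (`foo` for `foo.profile`), which is the intended key; it also means a directory entry named exactly `.profile` (a hidden file whose only dot is the leading one) truncates to an empty string and still reaches `in_ignorelist` and `set_file`. That was already the case before this change, but since the guards are being rewritten anyway, `if (!ptr || ptr == exec) goto next;` would close it. A short comment above the new block, `// match the ignorelist against the program name (profile basename)`, would also help, because `exec` still reads like a path at this point. set_links_homedir begins and ends outside the hunk.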
@@ -50,6 +50,8 @@ // main.c extern int arg_debug; +int in_ignorelist(const char *const str); +void parse_config_all(int do_symlink); // util.c int which(const char *program); diff --git a/src/firecfg/main.c b/src/firecfg/main.c index 40493159e..f641c1ace 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c @@ -25,6 +25,7 @@ int arg_debug = 0; char *arg_bindir = "/usr/local/bin"; int arg_guide = 0; +int done_config = 0; static const char *const usage_str = "Firecfg is the desktop configuration utility for Firejail software. The utility\n" @@ -166,7 +167,7 @@ static int append_ignorelist(const char *const str) { return 1; } -static int in_ignorelist(const char *const str) { +int in_ignorelist(const char *const str) { assert(str); int i; for (i = 0; i < ignorelist_len; i++) { @@ -202,8 +203,11 @@ static void set_file(const char *name, const char *firejail_exec) { } // parse a single config file -static void set_links_firecfg(const char *cfgfile) { - printf("Configuring symlinks in %s based on %s\n", arg_bindir, cfgfile); +static void parse_config_file(const char *cfgfile, int do_symlink) { + if (do_symlink) + printf("Configuring symlinks in %s\n", arg_bindir); + + printf("Parsing %s\n", cfgfile); FILE *fp = fopen(cfgfile, "r"); if (!fp) { @@ -246,11 +250,15 @@ static void set_links_firecfg(const char *cfgfile) { continue; } + // skip ignored programs + if (in_ignorelist(start)) { + printf(" %s ignored\n", start); + continue; + } + // set link - if (!in_ignorelist(start)) + if (do_symlink) set_file(start, FIREJAIL_EXEC); - else - printf(" %s ignored\n", start); } fclose(fp); @@ -258,7 +266,7 @@ static void set_links_firecfg(const char *cfgfile) { } // parse all config files matching pattern -static void set_links_firecfg_glob(const char *pattern) { +static void parse_config_glob(const char *pattern, int do_symlink) { printf("Looking for config files in %s\n", pattern); glob_t globbuf; 
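Review bot: The new `void parse_config_all(int do_symlink);` prototype is the first cross-file contract for this function, and the meaning of its argument exists only as a comment in main.c; a caller in another file (desktop_files.c, later in this series) sees just an `int`. A one-line comment in the header, `// parse all config files once; do_symlink=0 only builds the ignorelist, 1 also creates the symlinks`, would keep the contract next to the declaration. The `const` on the by-value pointer in `int in_ignorelist(const char *const str);` has no effect in a declaration and can be dropped from the header.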
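Review bot: `int done_config = 0;` in the `@@ -25,6 +25,7 @@` hunk is added with external linkage, but the only reader and writer visible on this page is `parse_config_all` in the same file and the firecfg.h hunk does not declare it, so it should be `static int done_config = 0;` to keep it out of the global namespace. If it is meant to be shared, it needs an `extern int done_config;` line in the header next to the two new prototypes.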
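Review bot: In the `@@ -246,11 +250,15 @@` hunk the `in_ignorelist` branch prints `  %s ignored` unconditionally, so when `parse_config_file` runs with `do_symlink == 0` (the ignorelist-only pass that `fix_desktop_files` requests via `parse_config_all(0)` later in this series) every ignorelisted program in the config files is still looked up and reported even though nothing is done with it; the `Parsing %s` line added in the `@@ -202,8 +203,11 @@` hunk has the same effect. In that mode only the `!PROGRAM` lines, handled earlier in the loop outside the hunk, matter, so the loop could skip the rest with `if (!do_symlink) continue;` placed before the ignorelist check, or the message could be gated on `do_symlink` together with the `set_file` call.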
@@ -274,11 +282,23 @@ static void set_links_firecfg_glob(const char *pattern) { size_t i; for (i = 0; i < globbuf.gl_pathc; i++) - set_links_firecfg(globbuf.gl_pathv[i]); + parse_config_file(globbuf.gl_pathv[i], do_symlink); out: globfree(&globbuf); } +// parse all config files +// do_symlink 0 just builds the ignorelist, 1 creates the symlinks +void parse_config_all(int do_symlink) { + if (done_config) + return; + + parse_config_glob(FIRECFG_CONF_GLOB, do_symlink); + parse_config_file(FIRECFG_CFGFILE, do_symlink); + + done_config = 1; +} + // parse ~/.config/firejail/ directory static void set_links_homedir(const char *homedir) { assert(homedir); @@ -520,11 +540,8 @@ int main(int argc, char **argv) { // clear all symlinks clean(); - // set new symlinks based on .conf files - set_links_firecfg_glob(FIRECFG_CONF_GLOB); - - // set new symlinks based on firecfg.config - set_links_firecfg(FIRECFG_CFGFILE); + // set new symlinks based on config files + parse_config_all(1); if (getuid() == 0) { // add user to firejail access database - only for root -- cgit v1.2.3-54-g00ecf From 358af63a1ad6d9c44410d615f707ac94300a4013 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Mon, 8 Jan 2024 10:16:47 -0300 Subject: firecfg: use filename var earlier And make it const. --- src/firecfg/desktop_files.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c index 7ac60f70c..5ed15c02b 100644 --- a/src/firecfg/desktop_files.c +++ b/src/firecfg/desktop_files.c @@ -163,7 +163,8 @@ void fix_desktop_files(const char *homedir) { // copy struct dirent *entry; while ((entry = readdir(dir)) != NULL) { - if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) + const char *filename = entry->d_name; + if (strcmp(filename, ".") == 0 || strcmp(filename, "..") == 0) continue; // skip if not regular file or link 
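Review bot: The `done_config` early return in `parse_config_all` ignores `do_symlink`, so whichever mode runs first in a process wins: after a `parse_config_all(0)` (the ignorelist-only call `fix_desktop_files` makes later in this series) a subsequent `parse_config_all(1)` silently creates no symlinks, and the `main` hunk on this line (`@@ -520,11 +540,8 @@`) relies on the `1` call doing that work. Whether both calls can happen in one run is not visible here; if they can, the guard needs to remember the mode (for example a second `done_symlink` flag consulted only when `do_symlink` is set), and either way the comment above the function should state the behaviour: `// parses only once per process: later calls are no-ops regardless of do_symlink`.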
@@ -172,11 +173,9 @@ void fix_desktop_files(const char *homedir) { continue; // skip if not .desktop file - if (strstr(entry->d_name,".desktop") != (entry->d_name+strlen(entry->d_name)-8)) + if (strstr(filename, ".desktop") != (filename + strlen(filename) - 8)) continue; - char *filename = entry->d_name; - // skip links - Discord on Arch #4235 seems to be a symlink to /opt directory // if (is_link(filename)) // continue; -- cgit v1.2.3-54-g00ecf From a9c851ee486bbc0c071187c7869c480c893c67a4 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Mon, 8 Jan 2024 10:05:43 -0300 Subject: firecfg: use ignorelist also for .desktop files Closes #5245. Relates to #5876. --- src/firecfg/desktop_files.c | 24 ++++++++++++++++++++++-- src/man/firecfg.1.in | 2 +- 2 files changed, 23 insertions(+), 3 deletions(-) diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c index 5ed15c02b..8bd54d3e9 100644 --- a/src/firecfg/desktop_files.c +++ b/src/firecfg/desktop_files.c @@ -118,6 +118,9 @@ void fix_desktop_files(const char *homedir) { exit(1); } + // build ignorelist + parse_config_all(0); + // destination // create ~/.local/share/applications directory if necessary char *user_apps_dir; @@ -173,8 +176,25 @@ void fix_desktop_files(const char *homedir) { continue; // skip if not .desktop file - if (strstr(filename, ".desktop") != (filename + strlen(filename) - 8)) + char *exec = strdup(filename); + if (!exec) + errExit("strdup"); + char *ptr = strstr(exec, ".desktop"); + if (ptr == NULL || *(ptr + 8) != '\0') { + printf(" %s skipped (not a .desktop file)\n", exec); + free(exec); + continue; + } + + // skip if program is in ignorelist + *ptr = '\0'; + if (in_ignorelist(exec)) { + printf(" %s ignored\n", exec); + free(exec); continue; + } + + free(exec); // skip links - Discord on Arch #4235 seems to be a symlink to /opt directory // if (is_link(filename)) 
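Review bot: `strstr(exec, ".desktop")` in the `@@ -173,8 +176,25 @@` hunk returns the first occurrence, so a desktop file whose name contains `.desktop` before the end (a constructed example: `foo.desktop.bak.desktop`) fails the `*(ptr + 8) != '\0'` test and is reported as not a .desktop file; the check should compare the suffix instead, which also avoids the empty program name a bare `.desktop` entry produces once `*ptr = '\0'` runs. The rewrite below keeps `char *ptr` declared because the `@@ -220,7 +240,7 @@` hunk reuses it for the `\nExec=` lookup. Note also that the new `skipped (not a .desktop file)` message is printed for every non-.desktop entry in the directory, which the old code skipped silently; gating it on `arg_debug` like the `skipped: wrong format?` message in the `@@ -220` hunk would keep the default output quiet. fix_desktop_files begins and ends outside the hunk.
```c
	char *exec = strdup(filename);
	if (!exec)
		errExit("strdup");
	// compare the suffix: strstr() would stop at an earlier ".desktop" in the name
	size_t len = strlen(exec);
	char *ptr = len > 8 ? exec + len - 8 : NULL;
	if (ptr == NULL || strcmp(ptr, ".desktop") != 0) {
		// … unchanged: skip message, free(exec), continue …
	}
	// … unchanged: *ptr = '\0', ignorelist check, free(exec) …
```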
@@ -220,7 +240,7 @@ void fix_desktop_files(const char *homedir) { } // get executable name - char *ptr = strstr(buf,"\nExec="); + ptr = strstr(buf,"\nExec="); if (!ptr || strlen(ptr) < 7) { if (arg_debug) printf(" %s - skipped: wrong format?\n", filename); diff --git a/src/man/firecfg.1.in b/src/man/firecfg.1.in index e43a573de..79802156c 100644 --- a/src/man/firecfg.1.in +++ b/src/man/firecfg.1.in @@ -168,7 +168,7 @@ Configuration file syntax: A line that starts with \fB#\fR is considered a comment. .br A line that starts with \fB!PROGRAM\fR means to ignore "PROGRAM" when creating -symlinks. +symlinks and fixing .desktop files. .br A line that starts with anything else is considered to be the name of an executable and firecfg will attempt to create a symlink for it. -- cgit v1.2.3-54-g00ecf
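Review bot: `ptr = strstr(buf,"\nExec=");` now reuses the `char *ptr` that earlier in this function pointed into `exec`, which has been freed by this point, so between that `free(exec)` and this assignment `ptr` is dangling; it is reassigned before any use here, so this is hygiene rather than a bug. Giving this lookup its own variable, `char *exec_line = strstr(buf, "\nExec=");` (adjusting the following uses, which are outside the hunk), or setting `ptr = NULL` right after `free(exec)` would keep the two lifetimes distinct. fix_desktop_files begins and ends outside the hunk.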