From 41ab4044d4281b6abdf1fd5fa19e8d32de9b1263 Mon Sep 17 00:00:00 2001
From: Remco <remco@dutchcoders.io>
Date: Fri, 28 Apr 2017 10:33:17 +0200
Subject: Add overlay configuration to profiles

---
 src/firejail/profile.c | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 74 insertions(+)

diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 172aff121..c515accc0 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -830,6 +830,80 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		return 0;
 	}
 
+
+#ifdef HAVE_OVERLAYFS
+	if (strncmp(ptr, "overlay-named ", 14) == 0) {
+		if (checkcfg(CFG_OVERLAYFS)) {
+			if (cfg.chrootdir) {
+				fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
+				exit(1);
+			}
+			struct stat s;
+			if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+				fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+				exit(1);
+			}
+			arg_overlay = 1;
+			arg_overlay_keep = 1;
+			arg_overlay_reuse = 1;
+
+			char *subdirname = ptr + 14;
+			if (subdirname == '\0') {
+				fprintf(stderr, "Error: invalid overlay option\n");
+				exit(1);
+			}
+
+			// check name
+			invalid_filename(subdirname);
+			if (strstr(subdirname, "..") || strstr(subdirname, "/")) {
+				fprintf(stderr, "Error: invalid overlay name\n");
+				exit(1);
+			}
+			cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
+		}
+
+		return 0;
+	} else if (strcmp(ptr, "overlay-tmpfs") == 0) {
+		if (checkcfg(CFG_OVERLAYFS)) {
+			if (cfg.chrootdir) {
+				fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
+				exit(1);
+			}
+			struct stat s;
+			if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+				fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+				exit(1);
+			}
+			arg_overlay = 1;
+
+			return 0;
+		}
+	} else if (strcmp(ptr, "overlay") == 0) {
+		if (checkcfg(CFG_OVERLAYFS)) {
+			if (cfg.chrootdir) {
+				fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n");
+				exit(1);
+			}
+			struct stat s;
+			if (stat("/proc/sys/kernel/grsecurity", &s) == 0) {
+				fprintf(stderr, "Error: --overlay option is not available on Grsecurity systems\n");
+				exit(1);
+			}
+			arg_overlay = 1;
+			arg_overlay_keep = 1;
+
+			char *subdirname;
+			if (asprintf(&subdirname, "%d", getpid()) == -1)
+				errExit("asprintf");
+			cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse);
+
+			free(subdirname);
+
+			return 0;
+		}
+	}
+#endif
+
 	// filesystem bind
 	if (strncmp(ptr, "bind ", 5) == 0) {
 #ifdef HAVE_BIND		
-- 
cgit v1.2.3-54-g00ecf