From 66042d7dbc60f183e9d77fefd93a9584e3cf35ef Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 30 Oct 2017 16:09:57 -0400 Subject: fix --ignore=quiet --- RELNOTES | 6 ++--- src/firejail/profile.c | 30 ++++++++++++++++-------- test/private-lib/gnome-calculator.exp | 8 ++++--- test/profiles/ignore.exp | 43 +++++++++++++++++++++++++++++++---- test/profiles/ignore2.profile | 2 ++ test/profiles/ignore3.profile | 4 ++++ 6 files changed, 74 insertions(+), 19 deletions(-) create mode 100644 test/profiles/ignore3.profile diff --git a/RELNOTES b/RELNOTES index be8ff21c8..10800f6b0 100644 --- a/RELNOTES +++ b/RELNOTES @@ -34,9 +34,9 @@ firejail (0.9.51) baseline; urgency=low calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth,imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron, ricochet, shotcut, teamspeak3, tor, tor-browser-en, - Viber, x-terminal-emulator, zart, conky, arch-audit, ffmpeg, bluefish, cliqz, - cinelerra, openshot-qt, pinta, uefitool, aosp, pdfmod, gnome-ring, signal-desktop, - xcalc, zaproxy, kopete + Viber, x-terminal-emulator, zart, conky, arch-audit, ffmpeg, bluefish, + cinelerra, openshot-qt, pinta, uefitool, aosp, pdfmod, gnome-ring, + xcalc, zaproxy, kopete, cliqz, signal-desktop -- netblue30 Thu, 14 Sep 2017 20:00:00 -0500 diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 4851dc9ad..c8bbff3fb 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -69,13 +69,7 @@ static void warning_feature_disabled(const char *feature) { } - -// check profile line; if line == 0, this was generated from a command line option -// return 1 if the command is to be added to the linked list of profile commands -// return 0 if the command was already executed inside the function -int profile_check_line(char *ptr, int lineno, const char *fname) { - EUID_ASSERT(); - +static int is_in_ignore_list(char *ptr) { // check ignore list int i; for (i = 0; i < MAX_PROFILE_IGNORE; i++) { 
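Review bot: The new helper `static int is_in_ignore_list(char *ptr)` only reads through `ptr` (the strncmp and the character tests in the loop), so the parameter should be `const char *ptr`; a caller holding a const line can then pass it without a cast. The function is also introduced without a header comment stating its contract, and the only comment inside it is the generic `// check ignore list`; I would add `// return 1 if ptr matches an entry of cfg.profile_ignore as a full word, 0 otherwise` above the definition. The loop body and the return statements of this function are in the next hunk.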
@@ -86,10 +80,24 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { if (strncmp(ptr, cfg.profile_ignore[i], len) == 0) { // full word match if (*(ptr + len) == '\0' || *(ptr + len) == ' ') - return 0; // ignore line + return 1; // ignore line } } + return 0; +} + + +// check profile line; if line == 0, this was generated from a command line option +// return 1 if the command is to be added to the linked list of profile commands +// return 0 if the command was already executed inside the function +int profile_check_line(char *ptr, int lineno, const char *fname) { + EUID_ASSERT(); + + // check ignore list + if (is_in_ignore_list(ptr)) + return 0; + if (strncmp(ptr, "ignore ", 7) == 0) { char *str = strdup(ptr + 7); if (*str == '\0') { @@ -1256,8 +1264,12 @@ void profile_read(const char *fname) { } // process quiet + // todo: a quiet in the profile file cannot be disabled by --ignore on command line if (strcmp(ptr, "quiet") == 0) { - arg_quiet = 1; + if (is_in_ignore_list(ptr)) + arg_quiet = 0; + else + arg_quiet = 1; free(ptr); continue; } diff --git a/test/private-lib/gnome-calculator.exp b/test/private-lib/gnome-calculator.exp index 590da34cf..6d20c36f4 100755 --- a/test/private-lib/gnome-calculator.exp +++ b/test/private-lib/gnome-calculator.exp @@ -7,7 +7,9 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "firejail gnome-calculator\r" +# gnome-calculator uses quiet at the top of the profile +# we need to use --ignore +send -- "firejail --ignore=quiet gnome-calculator\r" expect { timeout {puts "TESTING ERROR 0\n";exit} "Reading profile /etc/firejail/gnome-calculator.profile" @@ -50,7 +52,7 @@ send -- "firemon --seccomp\r" expect { timeout {puts "TESTING ERROR 5\n";exit} "need to be root" {puts "/proc mounted as hidepid, exiting...\n"; exit} - ":firejail gnome-calculator" + ":firejail --ignore=quiet gnome-calculator" } expect { timeout {puts "TESTING ERROR 5.1 (seccomp)\n";exit} 
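Review bot: In the `quiet` branch of profile_read, an ignored `quiet` line now actively assigns `arg_quiet = 0` instead of being skipped, so it clears a quiet state that may have been set earlier, for instance by an earlier profile line or, if arg_quiet can also be set from the command line, by a command-line option. An ignored directive should be a no-op, as it is for every other line routed through is_in_ignore_list in profile_check_line: `if (!is_in_ignore_list(ptr)) arg_quiet = 1;`. The added `// todo: a quiet in the profile file cannot be disabled by --ignore on command line` states the opposite of what the lines directly beneath it now do; if it refers to the order in which `--ignore` and `--profile` are processed, say that explicitly, otherwise drop it. profile_read's body starts and ends outside this hunk.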
@@ -64,7 +66,7 @@ after 100 send -- "firemon --caps\r" expect { timeout {puts "TESTING ERROR 6\n";exit} - ":firejail gnome-calculator" + ":firejail --ignore=quiet gnome-calculator" } expect { timeout {puts "TESTING ERROR 6.1\n";exit} diff --git a/test/profiles/ignore.exp b/test/profiles/ignore.exp index cdb38e97b..8463d6cc8 100755 --- a/test/profiles/ignore.exp +++ b/test/profiles/ignore.exp @@ -19,7 +19,7 @@ expect { BLACKLIST {puts "TESTING ERROR 2\n";exit} "Child process initialized" } -sleep 1 +after 100 send -- "exit\r" sleep 1 @@ -28,23 +28,58 @@ expect { timeout {puts "TESTING ERROR 3\n";exit} "Child process initialized" } -sleep 1 +after 100 send -- "ps aux | wc -l\r" expect { timeout {puts "TESTING ERROR 4\n";exit} "5" } +after 100 +send -- "exit\r" sleep 1 + +send -- "firejail --ignore=private --ignore=shell --profile=ignore.profile \r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "Child process initialized" +} +after 100 + +send -- "ps aux | wc -l\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "5" +} +after 100 send -- "exit\r" sleep 1 send -- "firejail --debug --profile=ignore2.profile\r" expect { - timeout {puts "TESTING ERROR 5\n";exit} - BLACKLIST {puts "TESTING ERROR 6\n";exit} + timeout {puts "TESTING ERROR 7\n";exit} + BLACKLIST {puts "TESTING ERROR 8\n";exit} "Child process initialized" } after 100 +send -- "exit\r" +sleep 1 + +send -- "firejail --ignore=quiet --ignore=shell --profile=ignore.profile \r" +expect { + timeout {puts "TESTING ERROR 9\n";exit} + "Child process initialized" +} +after 100 + +send -- "ps aux | wc -l\r" +expect { + timeout {puts "TESTING ERROR 10\n";exit} + "5" +} +after 100 +send -- "exit\r" +after 100 + puts "\nall done\n" diff --git a/test/profiles/ignore2.profile b/test/profiles/ignore2.profile index 49fcd8324..c85cd9544 100644 --- a/test/profiles/ignore2.profile +++ b/test/profiles/ignore2.profile @@ -1,3 +1,5 @@ ignore seccomp +ignore shell private seccomp +shell none 
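Review bot: The new scenario at TESTING ERROR 9 runs `--ignore=quiet --ignore=shell --profile=ignore.profile`, but nothing in this diff shows ignore.profile containing a `quiet` line, while `test/profiles/ignore3.profile`, which this commit adds and which begins with `quiet`, is not referenced by any test. If ignore.profile has no `quiet`, the scenario passes without exercising the fix; pointing it at the new fixture, `send -- "firejail --ignore=quiet --ignore=shell --profile=ignore3.profile \r"`, would cover the `arg_quiet` change in profile.c. The expected output for this scenario should then also confirm that the profile is no longer silenced, for example by waiting on the "Reading profile" line the way the gnome-calculator test in this commit does.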
diff --git a/test/profiles/ignore3.profile b/test/profiles/ignore3.profile new file mode 100644 index 000000000..f0c9699e1 --- /dev/null +++ b/test/profiles/ignore3.profile @@ -0,0 +1,4 @@ +quiet +private +seccomp +shell none -- cgit v1.2.3-70-g09d2