From 7415d03df0362a08b4ccf405f8f98147c76e6329 Mon Sep 17 00:00:00 2001 From: sarneaud Date: Sat, 29 Aug 2015 09:35:47 +1000 Subject: Rewrite globbing code to fix various minor issues * Plug a memory leak. * Remove the short-circuit. (This breaks when someone uses [] or ? patterns without using *. I figure it's best to use the principle of least surprise and just let the system glob() implementation do what it does.) * Stop sorting results. I've also replaced a lot of disable-history.inc with a glob pattern. Now it catches files like .sqlite_history and whatever the user runs under rlwrap. --- etc/disable-history.inc | 9 +-------- src/firejail/fs.c | 32 ++++++++++++++++++-------------- 2 files changed, 19 insertions(+), 22 deletions(-) diff --git a/etc/disable-history.inc b/etc/disable-history.inc index 66261c1cf..7a91df828 100644 --- a/etc/disable-history.inc +++ b/etc/disable-history.inc @@ -1,10 +1,3 @@ # History files in $HOME blacklist ${HOME}/.history -blacklist ${HOME}/.bash_history -blacklist ${HOME}/.zsh_history -blacklist ${HOME}/.ksh_history -blacklist ${HOME}/.sh_history -blacklist ${HOME}/.nano_history -blacklist ${HOME}/.python_history -blacklist ${HOME}/.mysql_history -blacklist ${HOME}/.pgsql_history \ No newline at end of file +blacklist ${HOME}/.*_history diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 1e74257eb..14b7c1f01 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -197,24 +197,28 @@ static void disable_file(OPERATION op, const char *filename, const char *emptydi free(fname); } -static void globbing(OPERATION op, const char *fname, const char *emptydir, const char *emptyfile) { - assert(fname); +// Treat pattern as a shell glob pattern and blacklist matching files +static void globbing(OPERATION op, const char *pattern, const char *emptydir, const char *emptyfile) { + assert(pattern); assert(emptydir); assert(emptyfile); - // filename globbing: expand * macro and continue processing for every single file - if (strchr(fname, '*')) { - glob_t globbuf; - globbuf.gl_offs = 0; - glob(fname, GLOB_DOOFFS, NULL, &globbuf); - unsigned int i; - for (i = 0; i < globbuf.gl_pathc; i++) { - assert(globbuf.gl_pathv[i]); - disable_file(op, globbuf.gl_pathv[i], emptydir, emptyfile); - } + glob_t globbuf; + // Profiles contain blacklists for files that might not exist on a user's machine. + // GLOB_NOCHECK makes that okay. + int globerr = glob(pattern, GLOB_NOCHECK | GLOB_NOSORT, NULL, &globbuf); + if (globerr) { + fprintf(stderr, "Error: failed to glob pattern %s\n", pattern); + return; } - else - disable_file(op, fname, emptydir, emptyfile); + + size_t i; + for (i = 0; i < globbuf.gl_pathc; i++) { + char* match = globbuf.gl_pathv[i]; + assert(match); + disable_file(op, match, emptydir, emptyfile); + } + globfree(&globbuf); } static void expand_path(OPERATION op, const char *path, const char *fname, const char *emptydir, const char *emptyfile) { -- cgit v1.2.3-54-g00ecf