From 76e079e09e14b1da44a75ea77c92e5aed5c1061e Mon Sep 17 00:00:00 2001 From: smitsohu Date: Mon, 4 Feb 2019 16:41:51 +0100 Subject: firejail.config fixes always print a warning, treat join-or-start like join --- etc/firejail.config | 2 +- src/firejail/main.c | 34 +++++++++++++++------------ src/firejail/profile.c | 63 +++++++++++++++++++++++++++++++------------------- 3 files changed, 59 insertions(+), 40 deletions(-) diff --git a/etc/firejail.config b/etc/firejail.config index 8e830f707..b37edf7a5 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -54,7 +54,7 @@ # root user can always join sandboxes. # join yes -#Enable or disable sandbox name change, default enabled. +# Enable or disable sandbox name change, default enabled. # name-change yes # Enable or disable networking features, default enabled. diff --git a/src/firejail/main.c b/src/firejail/main.c index c262402fa..2a8ee3e0f 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -733,26 +733,30 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { // NOTE: this is first part of option handler, // sandbox name is set in other part - logargs(argc, argv); + if (checkcfg(CFG_JOIN) || getuid() == 0) { + logargs(argc, argv); - if (arg_shell_none) { - if (argc <= (i+1)) { - fprintf(stderr, "Error: --shell=none set, but no command specified\n"); - exit(1); + if (arg_shell_none) { + if (argc <= (i+1)) { + fprintf(stderr, "Error: --shell=none set, but no command specified\n"); + exit(1); + } + cfg.original_program_index = i + 1; } - cfg.original_program_index = i + 1; - } - // try to join by name only - pid_t pid; - if (!read_pid(argv[i] + 16, &pid)) { - if (!cfg.shell && !arg_shell_none) - cfg.shell = guess_shell(); + // try to join by name only + pid_t pid; + if (!read_pid(argv[i] + 16, &pid)) { + if (!cfg.shell && !arg_shell_none) + cfg.shell = guess_shell(); - join(pid, argc, argv, i + 1); - exit(0); + join(pid, argc, argv, i + 1); + exit(0); + } + // if there no such sandbox continue argument processing } - // if there no such sandbox continue argument processing + else + exit_err_feature("join"); } #ifdef HAVE_NETWORK else if (strncmp(argv[i], "--join-network=", 15) == 0) { diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 348b4e0ca..bc66aca78 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -241,6 +241,7 @@ error: // return 1 if the command is to be added to the linked list of profile commands // return 0 if the command was already executed inside the function int profile_check_line(char *ptr, int lineno, const char *fname) { + static int whitelist_warning_printed = 0; EUID_ASSERT(); // check and process conditional profile lines @@ -1126,8 +1127,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { } cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); } - + else + warning_feature_disabled("overlayfs"); return 0; + } else if (strcmp(ptr, "overlay-tmpfs") == 0) { if (checkcfg(CFG_OVERLAYFS)) { if (arg_overlay) { @@ -1144,9 +1147,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { exit(1); } arg_overlay = 1; - - return 0; } + else + warning_feature_disabled("overlayfs"); + return 0; + } else if (strcmp(ptr, "overlay") == 0) { if (checkcfg(CFG_OVERLAYFS)) { if (arg_overlay) { @@ -1171,9 +1176,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { cfg.overlay_dir = fs_check_overlay_dir(subdirname, arg_overlay_reuse); free(subdirname); - - return 0; } + else + warning_feature_disabled("overlayfs"); + return 0; } #endif @@ -1260,26 +1266,30 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { } if (strncmp(ptr, "join-or-start ", 14) == 0) { - // try to join by name only - pid_t pid; - if (!name2pid(ptr + 14, &pid)) { - if (!cfg.shell && !arg_shell_none) - cfg.shell = guess_shell(); - - // find first non-option arg - int i; - for (i = 1; i < cfg.original_argc && strncmp(cfg.original_argv[i], "--", 2) != 0; i++); - - join(pid, cfg.original_argc,cfg.original_argv, i + 1); - exit(0); - } + if (checkcfg(CFG_JOIN) || getuid() == 0) { + // try to join by name only + pid_t pid; + if (!name2pid(ptr + 14, &pid)) { + if (!cfg.shell && !arg_shell_none) + cfg.shell = guess_shell(); + + // find first non-option arg + int i; + for (i = 1; i < cfg.original_argc && strncmp(cfg.original_argv[i], "--", 2) != 0; i++); + + join(pid, cfg.original_argc,cfg.original_argv, i + 1); + exit(0); + } - // set sandbox name and start normally - cfg.name = ptr + 14; - if (strlen(cfg.name) == 0) { - fprintf(stderr, "Error: invalid sandbox name\n"); - exit(1); + // set sandbox name and start normally + cfg.name = ptr + 14; + if (strlen(cfg.name) == 0) { + fprintf(stderr, "Error: invalid sandbox name\n"); + exit(1); + } } + else + warning_feature_disabled("join"); return 0; } @@ -1301,8 +1311,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { arg_whitelist = 1; ptr += 10; } - else + else { + if (!whitelist_warning_printed) { + warning_feature_disabled("whitelist"); + whitelist_warning_printed = 1; + } return 0; + } #else return 0; #endif -- cgit v1.2.3-70-g09d2