From 79e828eaa999a666c7c332e81ac56cb3211486d1 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Mon, 26 Oct 2015 09:58:10 -0400
Subject: support ignore command in profile files

---
 src/firejail/firejail.h | 2 +-
 src/firejail/profile.c | 21 +++++++++++++++++++++
 src/man/firejail-profile.txt | 17 ++++++++++++++---
 test/ignore.exp | 9 +++++++++
 4 files changed, 45 insertions(+), 4 deletions(-)

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 74958487c..ab2fedbd8 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -81,7 +81,7 @@ typedef struct config_t {

 // filesystem
 ProfileEntry *profile;
-#define MAX_PROFILE_IGNORE 16
+#define MAX_PROFILE_IGNORE 32
 char *profile_ignore[MAX_PROFILE_IGNORE];
 char *chrootdir; // chroot directory
 char *home_private; // private home directory
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 1195dd14d..3edeabee9 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -75,6 +75,27 @@ int profile_check_line(char *ptr, int lineno) {
 if (strncmp(ptr, cfg.profile_ignore[i], strlen(cfg.profile_ignore[i])) == 0)
 return 0; // ignore line
 }
+
+ if (strncmp(ptr, "ignore ", 7) == 0) {
+ char *str = strdup(ptr + 7);
+ if (*str == '\0') {
+ fprintf(stderr, "Error: invalid ignore option\n");
+ exit(1);
+ }
+ // find an empty entry in profile_ignore array
+ int j;
+ for (j = 0; j < MAX_PROFILE_IGNORE; j++) {
+ if (cfg.profile_ignore[j] == NULL)
+ break;
+ }
+ if (j >= MAX_PROFILE_IGNORE) {
+ fprintf(stderr, "Error: maximum %d --ignore options are permitted\n", MAX_PROFILE_IGNORE);
+ exit(1);
+ }
+ // ... and configure it
+ cfg.profile_ignore[j] = str;
+ return 0;
+ }

 // seccomp, caps, private, user namespace
 if (strcmp(ptr, "noroot") == 0) {
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 1369fdc91..02a54e685 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
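Review bot: `strdup(ptr + 7)` in the new `ignore ` branch is dereferenced (`*str == '\0'`) and stored without a NULL check, so an allocation failure becomes a crash instead of the clean error exit used two lines later; add `if (str == NULL) { perror("strdup"); exit(1); }` right after the strdup (or the project's usual allocation-failure helper, if it has one). The stored entry is then consumed by the loop above, which compares with `strncmp(ptr, cfg.profile_ignore[i], strlen(cfg.profile_ignore[i]))`, so a profile line such as `ignore no` would suppress every later directive that starts with `no`, including `noroot`; either match whole directive names or state the prefix semantics in the man page entry, which currently reads only "Ignore command.". The error text `maximum %d --ignore options are permitted` is now also reached from a profile file where no `--ignore` flag was given; `maximum %d ignore entries are permitted` would fit both paths. profile_check_line continues outside the hunk.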
@@ -64,7 +64,10 @@ Child process initialized
 .RE

 .SH Scripting
-Include and comment support:
+Scripting commands:
+
+.TP
+# this is a comment

 .TP
 \f\include other.profile exclude-token
@@ -83,13 +86,21 @@ Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1"

 Note: exclude-token is deprecated, use noblacklist command instead.
 .TP
-# this is a comment
+\f\noblacklist file_name
+If the file name matches file_name, the file will not be blacklisted in any blacklist commands that follow.
+
+Example: "noblacklist ${HOME}/.mozilla"
+
+.TP
+\f\ignore command
+Ignore command.
+
+Example: "ignore seccomp"

 .SH Filesystem
 These profile entries define a chroot filesystem built on top of the existing host filesystem.
 Each line describes a file element that is removed from the filesystem (\fBblacklist\fR),
 a read-only file or directory (\fBread-only\fR),
-a filter for finer control of blacklisting (\fBnoblacklist\fR),
 a tmpfs mounted on top of an existing directory (\fBtmpfs\fR),
 or mount-bind a directory or file on top of another directory or file (\fBbind\fR).
 Use \fBprivate\fR to set private mode.
diff --git a/test/ignore.exp b/test/ignore.exp
index bdbd9d28c..ab7f0655f 100755
--- a/test/ignore.exp
+++ b/test/ignore.exp
@@ -33,6 +33,15 @@ expect {
 "4"
 }
 sleep 1
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --debug --profile=ignore2.profile\r"
+expect {
+ timeout {puts "TESTING ERROR 5\n";exit}
+ BLACKLIST {puts "TESTING ERROR 6\n";exit}
+ "Child process initialized"
+}

 puts "\nall done\n"
-- 
cgit v1.2.3-70-g09d2
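Review bot: The added test runs `firejail --debug --profile=ignore2.profile`, but no `ignore2.profile` appears in this commit's diffstat, so unless that profile already exists in the test directory the new block would likely end in `TESTING ERROR 5` on timeout rather than exercising the profile-level `ignore` command. Adding the profile to the same commit (presumably an `ignore` line followed by the blacklist directive whose `BLACKLIST` debug output the test expects not to see) keeps the test self-contained. The new `expect` block is also not followed by `send -- "exit\r"` as the block above it is, so the second sandbox is presumably still running when the script prints `all done`.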