From 85c8cc454d3df3a83667556f7ddfafe66a78d421 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Thu, 9 Feb 2017 09:03:35 -0500
Subject: adding macro for include command in profile files

---
 src/firejail/main.c | 15 ++-------------
 src/firejail/profile.c | 22 ++++++++++++++++------
 src/firejail/util.c | 5 +++++
 src/man/firejail-profile.txt | 16 +++++++++++-----
 4 files changed, 34 insertions(+), 24 deletions(-)

diff --git a/src/firejail/main.c b/src/firejail/main.c
index b90e30cca..4149f1342 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1362,6 +1362,8 @@ int main(int argc, char **argv) {
 }
 #endif
 else if (strncmp(argv[i], "--profile=", 10) == 0) {
+ // multiple profile files are allowed!
+
 if (arg_noprofile) {
 fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n");
 exit(1);
@@ -1370,19 +1372,6 @@ int main(int argc, char **argv) {
 char *ppath = expand_home(argv[i] + 10, cfg.homedir);
 if (!ppath)
 errExit("strdup");
- invalid_filename(ppath);
-
- // multiple profile files are allowed!
- if (is_dir(ppath) || is_link(ppath) || strstr(ppath, "..")) {
- fprintf(stderr, "Error: invalid profile file\n");
- exit(1);
- }
-
- // access call checks as real UID/GID, not as effective UID/GID
- if (access(ppath, R_OK)) {
- fprintf(stderr, "Error: cannot access profile file\n");
- return 1;
- }
 
 profile_read(ppath);
 custom_profile = 1;
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 4856b31ae..9b3e58ab4 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
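Review bot: The added comment `// multiple profile files are allowed!` sits above the `--noprofile` exclusivity check, which it does not describe, and the added blank line detaches it from that check as well. It reads as a note about the repeated-option handling, so it belongs directly above `profile_read(ppath);` in the next hunk, or can be dropped now that the block it used to annotate has moved into `profile_read()`. main's body starts and ends outside the hunk.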
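Review bot: Dropping the `access()` check here makes an unreadable command-line profile non-fatal whenever its name ends in `.local`: `profile_read()` as changed in this commit returns silently for such names, so `--profile=/path/app.local` pointing at a missing or unreadable file now starts the sandbox without the requested profile, and the following `custom_profile = 1;` still records one as loaded. The `.local` leniency is reasonable for `include` lines, but an explicitly requested profile should keep failing; keep `if (access(ppath, R_OK)) { fprintf(stderr, "Error: cannot access profile file\n"); return 1; }` ahead of `profile_read(ppath);`, or give `profile_read()` a parameter that disables the `.local` skip for this caller. The removed comment that `access()` checks as the real rather than the effective UID/GID is the rationale for gating on it instead of relying on `fopen()`, and should move with the check into `profile_read()`. main's body continues outside the hunk.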
@@ -1013,10 +1013,25 @@ void profile_read(const char *fname) {
 exit(1);
 }
 
+ // check file
 if (strlen(fname) == 0) {
 fprintf(stderr, "Error: invalid profile file\n");
 exit(1);
 }
+ invalid_filename(fname);
+ if (is_dir(fname) || is_link(fname) || strstr(fname, "..")) {
+ fprintf(stderr, "Error: invalid profile file\n");
+ exit(1);
+ }
+ if (access(fname, R_OK)) {
+ // if the file ends in ".local", do not exit
+ char *ptr = strstr(fname, ".local");
+ if (ptr && strlen(ptr) == 6)
+ return;
+
+ fprintf(stderr, "Error: cannot access profile file\n");
+ exit(1);
+ }
 
 // allow debuggers
 if (arg_allow_debuggers) {
@@ -1027,15 +1042,10 @@ void profile_read(const char *fname) {
 return;
 }
 }
-
+ // open profile file:
 FILE *fp = fopen(fname, "r");
 if (fp == NULL) {
- // if the file ends in ".local", do not exit
- char *ptr = strstr(fname, ".local");
- if (ptr && strlen(ptr) == 6)
- return;
-
 fprintf(stderr, "Error: cannot open profile file %s\n", fname);
 exit(1);
 }
 
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 44891ce2d..fbaf0b5ac 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -648,6 +648,11 @@ char *expand_home(const char *path, const char* homedir) {
 errExit("asprintf");
 return new_name;
 }
+ else if (strncmp(path, "${CFG}", 6) == 0) {
+ if (asprintf(&new_name, "%s%s", SYSCONFDIR, path + 6) == -1)
+ errExit("asprintf");
+ return new_name;
+ }
 
 char *rv = strdup(path);
 if (!rv)
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 90dca19bf..aa1aec567 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
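Review bot: The `.local` test `char *ptr = strstr(fname, ".local"); if (ptr && strlen(ptr) == 6)` matches the first occurrence rather than the suffix, so a name such as `app.local.d/app.local` is not recognised as a `.local` file and falls into the fatal "cannot access profile file" branch; test the tail instead: `size_t len = strlen(fname);` followed by `if (len >= 6 && strcmp(fname + len - 6, ".local") == 0) return;`. The `access()` call arrives here without the comment it carried in main.c; as it is the only check that applies the real user's permissions before `fopen()` reads the file, add `// access() checks as the real UID/GID, not the effective one` above it. The `is_dir()`/`is_link()` tests are made on the path while `fopen()` re-resolves it later, so they narrow the window rather than hold at open time — worth a one-line comment if that is accepted. profile_read's body starts and ends outside the hunk.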
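Review bot: `expand_home()` now also expands `${CFG}`, so its name and any description of it no longer match what it does; at least comment the new branch, e.g. `// ${CFG}: the system profile directory (SYSCONFDIR, presumably fixed at build time)`, and consider a name such as `expand_macros()` with `expand_home` retained for existing callers. The branch replaces the macro with no separator check, so `${CFG}foo` becomes `SYSCONFDIR` immediately followed by `foo`; either check `path[6] == '/'` or document that the caller supplies the slash. expand_home's body starts outside the hunk.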
@@ -81,14 +81,20 @@ Include other.profile file.
 
 Example: "include /etc/firejail/disable-common.inc"
 
-other.profile file name can be prefixed with ${HOME}. This will force Firejail to look for the
-file in user home directory.
+The file name can be prefixed with a macro such as ${HOME} or ${CFG}.
+${HOME} is expanded as user home directory, and ${CFG} is expanded as
+Firejail system configuration directory - in most cases /etc/firejail or
+/usr/local/etc/firejail.
 
 Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file.
 
-If the file is not found, and the file name does not end in ".local", the sandbox exist immediately
-with an error printed on stderr. ".local" files can be used to customize the global configuration
-in /etc/firejail directory. These files are not overwritten during software install.
+Example: "include ${CFG}/firefox.profile" will load "/etc/firejail/firefox.profile" file.
+
+System configuration files in ${CFG} are overwritten during software installation.
+Persistent configuration at system level is handled in ".local" files. For every
+profile file in ${CFG} directory, the user can create a corresponding .local file
+storing modifications to the persistent configuration. Persistent .local files
+are included at the start of regular profile files.
 
 .TP
 \fBnoblacklist file_name
-- 
cgit v1.2.3-54-g00ecf