From 878cd16973307ff164289c8c6762efbb23b519a6 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 10 Aug 2015 12:33:28 -0400 Subject: fixing issues 2 and 4 --- configure | 18 +++++++++--------- configure.ac | 2 +- src/firejail/profile.c | 11 ++++++++++- src/man/firejail-login.txt | 2 +- src/man/firejail-profile.txt | 24 +++++++++++++++++++----- src/man/firejail.txt | 2 +- src/man/firemon.txt | 2 +- 7 files changed, 42 insertions(+), 19 deletions(-) diff --git a/configure b/configure index 50abe97c2..fb8051518 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for firejail 0.9.28. +# Generated by GNU Autoconf 2.69 for firejail 0.9.29-github. # # Report bugs to . # @@ -580,8 +580,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='firejail' PACKAGE_TARNAME='firejail' -PACKAGE_VERSION='0.9.28' -PACKAGE_STRING='firejail 0.9.28' +PACKAGE_VERSION='0.9.29-github' +PACKAGE_STRING='firejail 0.9.29-github' PACKAGE_BUGREPORT='netblue30@yahoo.com' PACKAGE_URL='http://firejail.sourceforge.net' @@ -1236,7 +1236,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures firejail 0.9.28 to adapt to many kinds of systems. +\`configure' configures firejail 0.9.29-github to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1297,7 +1297,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of firejail 0.9.28:";; + short | recursive ) echo "Configuration of firejail 0.9.29-github:";; esac cat <<\_ACEOF @@ -1386,7 +1386,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -firejail configure 0.9.28 +firejail configure 0.9.29-github generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1688,7 +1688,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by firejail $as_me 0.9.28, which was +It was created by firejail $as_me 0.9.29-github, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4087,7 +4087,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by firejail $as_me 0.9.28, which was +This file was extended by firejail $as_me 0.9.29-github, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -4141,7 +4141,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -firejail config.status 0.9.28 +firejail config.status 0.9.29-github configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 9e34aec20..8c5a65397 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.68]) -AC_INIT(firejail, 0.9.28, netblue30@yahoo.com, , http://firejail.sourceforge.net) +AC_INIT(firejail, 0.9.29-github, netblue30@yahoo.com, , http://firejail.sourceforge.net) AC_CONFIG_SRCDIR([src/firejail/main.c]) #AC_CONFIG_HEADERS([config.h]) diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 343907584..877428637 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -415,9 +415,18 @@ void profile_read(const char *fname, const char *skip1, const char *skip2) { p++; } + // expand ${HOME}/ in front of the new profile file + char *newprofile2 = NULL; + if (strncmp(newprofile, "${HOME}", 7) == 0) { + if (asprintf(&newprofile2, "%s%s", cfg.homedir, newprofile + 7) == -1) + errExit("asprintf"); + } + // recursivity - profile_read(newprofile, newskip1, newskip2); + profile_read((newprofile2)? newprofile2:newprofile, newskip1, newskip2); include_level--; + if (newprofile2) + free(newprofile2); free(ptr); continue; } diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt index 6613dc044..768896872 100644 --- a/src/man/firejail-login.txt +++ b/src/man/firejail-login.txt @@ -1,4 +1,4 @@ -.TH man 5 "MONTH YEAR" "VERSION" "firejail login.users man page" +.TH FIREJAIL-LOGIN 5 "MONTH YEAR" "VERSION" "firejail login.users man page" .SH NAME login.users \- Login file syntax for Firejail diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 46da19ecd..f85e10171 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -1,4 +1,4 @@ -.TH man 5 "MONTH YEAR" "VERSION" "firejail profiles man page" +.TH FIREJAIL-PROFILE 5 "MONTH YEAR" "VERSION" "firejail profiles man page" .SH NAME profile \- Profile file syntax for Firejail @@ -15,8 +15,19 @@ directory and ~/.config/firejail directory. Include and comment support: .TP -\f\include other.profile -Include other.profile file. +\f\include other.profile exclude-token +Include other.profile file. exclued-token disables blacklist commands in other.profile +if exclude-token word is found in the name section of blacklist command. +exclude-tyoken is optional. + +Example: "include /etc/firejail/disable-common.inc .filezilla" +loads disable-common.inc file disables "blacklist ${HOME}/.filezilla" command in this file. + +other.profile file name can be prefixed with ${HOME}. This will force Firejail to look for the +file in user home directory. + +Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file. + .TP # this is a comment @@ -81,14 +92,17 @@ Enable default Linux capabilities filter. caps.drop all Blacklist all Linux capabilities. .TP -caps.drop capability,capability,capability +caps.keep capability,capability,capability Blacklist Linux capabilities filter. .TP caps.drop capability,capability,capability Whitelist Linux capabilities filter. .TP \f\seccomp -Enable default seccomp filter. +Enable default seccomp filter. The default list is as follows: +mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module, +iopl, ioperm, swapon, swapoff, mknode, syslog, process_vm_readv and process_vm_writev, +sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp. .TP \f\seccomp syscall,syscall,syscall Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter. diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 51f21975e..4e8d96d31 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -1,4 +1,4 @@ -.TH man 1 "MONTH YEAR" "VERSION" "firejail man page" +.TH FIREJAIL 1 "MONTH YEAR" "VERSION" "firejail man page" .SH NAME Firejail \- Linux namespaces sandbox program .SH SYNOPSIS diff --git a/src/man/firemon.txt b/src/man/firemon.txt index b6010f46e..293547a3b 100644 --- a/src/man/firemon.txt +++ b/src/man/firemon.txt @@ -1,4 +1,4 @@ -.TH man 1 "MONTH YEAR" "VERSION" "firemon man page" +.TH FIREMON 1 "MONTH YEAR" "VERSION" "firemon man page" .SH NAME Firemon \- Monitoring program for processes started in a Firejail sandbox. .SH SYNOPSIS -- cgit v1.2.3-70-g09d2