From a9ade4123b46363029b9f5a0202067448fccd65a Mon Sep 17 00:00:00 2001 From: iiotx Date: Wed, 26 Aug 2015 22:31:58 -0400 Subject: Use generic.profile by default --- src/firejail/firejail.h | 1 + src/firejail/main.c | 34 +++++++++++++++++++++++++++++++++- src/firejail/usage.c | 4 ++++ src/man/firejail.txt | 31 +++++++++++++++++++++++++++++++ 4 files changed, 69 insertions(+), 1 deletion(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 868e1fca0..351e9d045 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -28,6 +28,7 @@ #define MNT_DIR "/tmp/firejail/mnt" #define HOME_DIR "/tmp/firejail/mnt/home" #define ETC_DIR "/tmp/firejail/mnt/etc" +#define GENERIC_PROFILE_NAME "generic" #define MAX_INCLUDE_LEVEL 6 // main.c diff --git a/src/firejail/main.c b/src/firejail/main.c index 2a56d1725..f7191c981 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -399,6 +399,7 @@ int main(int argc, char **argv) { int arg_ipc = 0; int arg_cgroup = 0; int custom_profile = 0; // custom profile loaded + int arg_noprofile = 0; // use generic.profile if none other found/specified // initialize globals init_cfg(); @@ -653,6 +654,10 @@ int main(int argc, char **argv) { arg_overlay = 1; } else if (strncmp(argv[i], "--profile=", 10) == 0) { + if (arg_noprofile) { + fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n"); + exit(1); + } // multiple profile files are allowed! char *ptr = argv[i] + 10; if (is_dir(ptr) || is_link(ptr) || strstr(ptr, "..")) { @@ -669,6 +674,13 @@ int main(int argc, char **argv) { profile_read(argv[i] + 10, NULL, NULL); custom_profile = 1; } + else if (strcmp(argv[i], "--noprofile") == 0) { + if (custom_profile) { + fprintf(stderr, "Error: --profile and --noprofile options are mutually exclusive\n"); + exit(1); + } + arg_noprofile = 1; + } #ifdef HAVE_CHROOT else if (strncmp(argv[i], "--chroot=", 9) == 0) { if (arg_overlay) { @@ -1054,7 +1066,7 @@ int main(int argc, char **argv) { } // load the profile - { + if (!arg_noprofile) { assert(cfg.command_name); if (arg_debug) printf("Command name #%s#\n", cfg.command_name); @@ -1074,6 +1086,26 @@ int main(int argc, char **argv) { } } + // use generic.profile as the default + if (!custom_profile && !arg_noprofile) { + if (arg_debug) + printf("Attempting to find generic.profile..."); + + // look for the profile in ~/.config/firejail directory + char *usercfgdir; + if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1) + errExit("asprintf"); + int rv = profile_find(GENERIC_PROFILE_NAME, usercfgdir); + free(usercfgdir); + custom_profile = rv; + + if (!custom_profile) { + // look for the profile in /etc/firejail directory + int rv = profile_find(GENERIC_PROFILE_NAME, "/etc/firejail"); + custom_profile = rv; + } + } + // check and assign an IP address - for macvlan it will be done again in the sandbox! if (any_bridge_configured()) { lockfd = open("/tmp/firejail/firejail.lock", O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR); diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 1f9e37248..602b68ebb 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -134,6 +134,10 @@ void usage(void) { printf("\t\tsupplementary groups are enabled for the user starting the\n"); printf("\t\tsandbox. For root user supplementary groups are always\n"); printf("\t\tdisabled.\n\n"); + + printf("\t--noprofile - do not use a profile. Profile priority is use the one\n"); + printf("\t\tspecified on the command line, next try to find one that\n"); + printf("\t\tmatches the command name, and lastly use %s.profile.\n\n",GENERIC_PROFILE_NAME); printf("\t--noroot - install a user namespace with a single user - the current\n"); printf("\t\tuser. root user does not exist in the new namespace. This option\n"); diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 2e87fbb8e..d78ce6723 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -564,6 +564,37 @@ uid=1000(netblue) gid=1000(netblue) groups=1000(netblue) .br $ +.TP +\fB\-\-noprofile +Do not use a profile. Profile priority is use the one +specified on the command line, next try to find one that +matches the command name, and lastly use generic.profile. +.br + +.br +Example: +.br +$ firejail \-\-noprofile +.br +Parent pid 8553, child pid 8554 +.br +Child process initialized +.br +$ exit +.br +.br +parent is shutting down, bye... +.br +$ firejail +.br +Reading profile /etc/firejail/generic.profile +.br +Parent pid 8553, child pid 8554 +.br +Child process initialized +.br +$ + .TP \fB\-\-noroot Install a user namespace with a single user - the current user. -- cgit v1.2.3-54-g00ecf From 7ced6a935c25c4bb184514817349e84bd91f428a Mon Sep 17 00:00:00 2001 From: iiotx Date: Thu, 27 Aug 2015 06:52:57 -0400 Subject: Use generic.profile by default: fixes --- src/firejail/main.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/src/firejail/main.c b/src/firejail/main.c index f7191c981..7db18181d 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1089,20 +1089,18 @@ int main(int argc, char **argv) { // use generic.profile as the default if (!custom_profile && !arg_noprofile) { if (arg_debug) - printf("Attempting to find generic.profile..."); + printf("Attempting to find %s.profile...",GENERIC_PROFILE_NAME); // look for the profile in ~/.config/firejail directory char *usercfgdir; if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1) errExit("asprintf"); - int rv = profile_find(GENERIC_PROFILE_NAME, usercfgdir); + custom_profile = profile_find(GENERIC_PROFILE_NAME, usercfgdir); free(usercfgdir); - custom_profile = rv; if (!custom_profile) { // look for the profile in /etc/firejail directory - int rv = profile_find(GENERIC_PROFILE_NAME, "/etc/firejail"); - custom_profile = rv; + custom_profile = profile_find(GENERIC_PROFILE_NAME, "/etc/firejail"); } } -- cgit v1.2.3-54-g00ecf