From acc124fb8ab41d9fc77fd9267754e0aa21d9d007 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 1 Sep 2015 08:25:06 -0400 Subject: cleanup --- etc/evince.profile | 1 - src/firejail/main.c | 48 ++++++++++++++++++++++++++++-------------------- src/firejail/sandbox.c | 5 ++++- src/firejail/seccomp.c | 16 ++++++++-------- todo | 3 ++- 5 files changed, 42 insertions(+), 31 deletions(-) diff --git a/etc/evince.profile b/etc/evince.profile index c90317ed8..023fd2444 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -5,5 +5,4 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-history.inc caps.drop all seccomp -net none noroot diff --git a/src/firejail/main.c b/src/firejail/main.c index 9d635436d..3b2e7e4d9 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -695,7 +695,6 @@ int main(int argc, char **argv) { } // extract private home dirname -printf("here %s:%d\n", __FILE__, __LINE__); cfg.home_private = argv[i] + 10; fs_check_private_dir(); arg_private = 1; 
@@ -1058,26 +1057,35 @@ printf("here %s:%d\n", __FILE__, __LINE__); // use generic.profile as the default if (!custom_profile && !arg_noprofile) { - char *profile_name = DEFAULT_USER_PROFILE; - if (getuid() == 0) - profile_name = DEFAULT_ROOT_PROFILE; - if (arg_debug) - printf("Attempting to find %s.profile...", profile_name); - - // look for the profile in ~/.config/firejail directory - char *usercfgdir; - if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1) - errExit("asprintf"); - custom_profile = profile_find(profile_name, usercfgdir); - free(usercfgdir); - - if (!custom_profile) { - // look for the profile in /etc/firejail directory - custom_profile = profile_find(profile_name, "/etc/firejail"); + if (cfg.chrootdir) + fprintf(stderr, "Warning: default profile disabled by --chroot option\n"); + else if (arg_overlay) + fprintf(stderr, "Warning: default profile disabled by --overlay option\n"); + else if (cfg.home_private_keep) + fprintf(stderr, "Warning: default profile disabled by --private-home option\n"); + else { + // try to load a default profile + char *profile_name = DEFAULT_USER_PROFILE; + if (getuid() == 0) + profile_name = DEFAULT_ROOT_PROFILE; + if (arg_debug) + printf("Attempting to find %s.profile...\n", profile_name); + + // look for the profile in ~/.config/firejail directory + char *usercfgdir; + if (asprintf(&usercfgdir, "%s/.config/firejail", cfg.homedir) == -1) + errExit("asprintf"); + custom_profile = profile_find(profile_name, usercfgdir); + free(usercfgdir); + + if (!custom_profile) { + // look for the profile in /etc/firejail directory + custom_profile = profile_find(profile_name, "/etc/firejail"); + } + + if (custom_profile) + printf("\n** Note: %s profile can be disabled by --noprofile option **\n\n", profile_name); } - - if (custom_profile) - printf("Note: %s profile can be disabled by --noprofile option.\n", profile_name); } // check and assign an IP address - for macvlan it will be done again in the sandbox! 
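Review bot: In the three new `else if` branches for `cfg.chrootdir`, `arg_overlay` and `cfg.home_private_keep`, the sandbox starts with no profile at all, and the warning does not tell the user that the default profile's restrictions are no longer applied. The profile contents are not visible in this hunk, so how much protection is lost is an assumption, but the message should state the consequence and the remedy, for example `fprintf(stderr, "Warning: default profile disabled by --chroot option, no profile restrictions applied; use --profile to load one\n");`. The new `** Note: ... **` line is also still written with `printf` to stdout while the warnings go to stderr; `fprintf(stderr, ...)` would keep diagnostics out of output that a caller may be piping. The enclosing `main()` starts and ends outside the hunk.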
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 46cb03da7..53782a288 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -179,6 +179,7 @@ int sandbox(void* sandbox_arg) { //**************************** // configure filesystem //**************************** + #ifdef HAVE_CHROOT if (cfg.chrootdir) { fs_chroot(cfg.chrootdir); @@ -267,6 +268,8 @@ int sandbox(void* sandbox_arg) { //**************************** if (arg_nonetwork) { net_if_up("lo"); + if (arg_debug) + printf("Network namespace enabled, only loopback interface available\n"); } else if (any_bridge_configured()) { // configure lo and eth0...eth3 @@ -397,7 +400,7 @@ int sandbox(void* sandbox_arg) { if (arg_noroot) { int rv = unshare(CLONE_NEWUSER); if (rv == -1) { - fprintf(stderr, "Warning: cannot mount a new user namespace\n"); + fprintf(stderr, "Error: cannot mount a new user namespace\n"); perror("unshare"); drop_privs(arg_nogroups); } diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 17f038a2e..47988dbf4 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c @@ -179,8 +179,8 @@ static void filter_init(void) { return; } - if (arg_debug) - printf("Initialize seccomp filter\n"); +// if (arg_debug) +// printf("Initialize seccomp filter\n"); // allocate a filter of SECSIZE sfilter = malloc(sizeof(struct sock_filter) * SECSIZE); if (!sfilter) @@ -220,8 +220,8 @@ static void filter_add_whitelist(int syscall) { assert(sfilter); assert(sfilter_alloc_size); assert(sfilter_index); - if (arg_debug) - printf("Whitelisting syscall %d %s\n", syscall, syscall_find_nr(syscall)); +// if (arg_debug) +// printf("Whitelisting syscall %d %s\n", syscall, syscall_find_nr(syscall)); if ((sfilter_index + 2) > sfilter_alloc_size) filter_realloc(); 
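Review bot: The `unshare(CLONE_NEWUSER)` failure branch under `arg_noroot` is now labelled `Error:` but still only calls `perror` and `drop_privs(arg_nogroups)` and leaves the branch. As far as the hunk shows, a sandbox requested with noroot keeps running without the user namespace it was asked for. If best effort is intended, keep the `Warning:` wording and say that noroot is not in effect; if the option is meant as a guarantee, make the failure fatal, e.g. `errExit("unshare");` as main.c does for `asprintf`. The message could also say "create" rather than "mount", since `unshare` does not mount anything. The body of `sandbox()` continues outside the hunk, so what runs after the closing brace is not visible here.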
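Review bot: The `arg_debug` prints in `filter_init` are commented out rather than removed, and the same is done in `filter_add_whitelist`, `filter_add_blacklist` and `filter_end_blacklist` in the following hunks. Dead code left in comments should be deleted, but the per-syscall lines were also the only output in these functions showing which syscall numbers ended up in the filter, which is what someone auditing the applied seccomp policy needs. If the trace was too noisy, gate it instead of disabling it, for instance `if (arg_debug > 1)` (assuming `arg_debug` can carry a level, which this diff does not show), or leave a one-line comment saying why the trace was dropped. All four function bodies continue outside their hunks.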
@@ -246,8 +246,8 @@ static void filter_add_blacklist(int syscall) { assert(sfilter); assert(sfilter_alloc_size); assert(sfilter_index); - if (arg_debug) - printf("Blacklisting syscall %d %s\n", syscall, syscall_find_nr(syscall)); +// if (arg_debug) +// printf("Blacklisting syscall %d %s\n", syscall, syscall_find_nr(syscall)); if ((sfilter_index + 2) > sfilter_alloc_size) filter_realloc(); @@ -272,8 +272,8 @@ static void filter_end_blacklist(void) { assert(sfilter); assert(sfilter_alloc_size); assert(sfilter_index); - if (arg_debug) - printf("Ending syscall filter\n"); +// if (arg_debug) +// printf("Ending syscall filter\n"); if ((sfilter_index + 2) > sfilter_alloc_size) filter_realloc(); diff --git a/todo b/todo index b62f80b8d..4c90af913 100644 --- a/todo +++ b/todo @@ -27,4 +27,5 @@ Warning: failed to unmount /sys Child process initialized $ -3. default.profile creating problems for --chroot, --private-home +3. default.profile creating problems for --chroot, --overlay, --private-home + -- cgit v1.2.3-54-g00ecf