From a36a7a5dd8479087d9de0669bd86fd9b25e35ce6 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Mon, 16 Jan 2023 09:07:43 -0300
Subject: Rename etc-no-blacklisted to etc-hide-blacklisted

To avoid boolean confusion (`no-foo no` / `no-foo yes`) in firejail.config: etc-no-blacklisted no etc-no-blacklisted yes Commands used to search and replace: git grep -Ilz -i 'etc.no.blacklisted' -- etc src | xargs -0 -I '{}' sh -c "printf '%s\n' \"\$(sed \ -e 's/etc-no-blacklisted/etc-hide-blacklisted/' \ -e 's/ETC_NO_BLACKLISTED/ETC_HIDE_BLACKLISTED/' \ '{}')\" >'{}'" Added on commit ded50200e ("opt-in: skip blacklisted files in private-etc - #5010, #5230", 2023-01-15) / PR #5591.
---
 etc/firejail.config | 2 +-
 src/firejail/checkcfg.c | 4 ++--
 src/firejail/firejail.h | 2 +-
 src/firejail/fs.c | 2 +-
 src/firejail/fs_etc.c | 2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/etc/firejail.config b/etc/firejail.config
index 26125e4b6..7dd2e80e7 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -79,7 +79,7 @@
 # overlayfs yes
 
 # Hide blacklisted files in /etc directory, default disabled.
-# etc-no-blacklisted no
+# etc-hide-blacklisted no
 
 # Set the limit for file copy in several --private-* options. The size is set
 # in megabytes. By default we allow up to 500MB.
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 590543217..ce8446cc8 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -51,7 +51,7 @@ int checkcfg(int val) {
 cfg_val[i] = 1; // most of them are enabled by default
 cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default
 cfg_val[CFG_FORCE_NONEWPRIVS] = 0;
- cfg_val[CFG_ETC_NO_BLACKLISTED] = 0;
+ cfg_val[CFG_ETC_HIDE_BLACKLISTED] = 0;
 cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0;
 cfg_val[CFG_FIREJAIL_PROMPT] = 0;
 cfg_val[CFG_DISABLE_MNT] = 0;
@@ -116,7 +116,7 @@ int checkcfg(int val) {
 PARSE_YESNO(CFG_TRACELOG, "tracelog")
 PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title")
 PARSE_YESNO(CFG_OVERLAYFS, "overlayfs")
- PARSE_YESNO(CFG_ETC_NO_BLACKLISTED, "etc-no-blacklisted")
+ PARSE_YESNO(CFG_ETC_HIDE_BLACKLISTED, "etc-hide-blacklisted")
 PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin")
 PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local")
 PARSE_YESNO(CFG_PRIVATE_CACHE, "private-cache")
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index cf5c5b2fa..13ee573ad 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -811,7 +811,7 @@ enum {
 CFG_FORCE_NONEWPRIVS,
 CFG_XEPHYR_WINDOW_TITLE,
 CFG_OVERLAYFS,
- CFG_ETC_NO_BLACKLISTED,
+ CFG_ETC_HIDE_BLACKLISTED,
 CFG_PRIVATE_BIN,
 CFG_PRIVATE_BIN_NO_LOCAL,
 CFG_PRIVATE_CACHE,
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 3066c50ed..84f207fac 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -162,7 +162,7 @@ static void disable_file(OPERATION op, const char *filename) {
 fs_logger2("blacklist-nolog", fname);
 
 // files in /etc will be reprocessed during /etc rebuild
- if (checkcfg(CFG_ETC_NO_BLACKLISTED) && strncmp(fname, "/etc/", 5) == 0) {
+ if (checkcfg(CFG_ETC_HIDE_BLACKLISTED) && strncmp(fname, "/etc/", 5) == 0) {
 ProfileEntry *prf = malloc(sizeof(ProfileEntry));
 if (!prf)
 errExit("malloc");
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index e58537e49..dcbd297da 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -267,7 +267,7 @@ void fs_rebuild_etc(void) {
 if (cfg.dns1 == NULL && !any_dhcp()) {
 // this function has the effect that updates to files using rename(2) don't propagate into the sandbox
 // avoid this in the default setting, in order to not break /etc/resolv.conf (issue #5010)
- if (!checkcfg(CFG_ETC_NO_BLACKLISTED))
+ if (!checkcfg(CFG_ETC_HIDE_BLACKLISTED))
 return;
 have_dhcp = 0;
 }
-- 
cgit v1.2.3-54-g00ecf
From bfb8f0e0ca243d572a47288a561b5fd05445d9a4 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Mon, 16 Jan 2023 09:23:21 -0300
Subject: Reword CFG_ETC_HIDE_BLACKLISTED explanation

To make it clearer. Added on commit ded50200e ("opt-in: skip blacklisted files in private-etc - #5010, #5230", 2023-01-15) / PR #5591.
---
 src/firejail/fs_etc.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index dcbd297da..aa4d76431 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -265,8 +265,9 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
 void fs_rebuild_etc(void) {
 int have_dhcp = 1;
 if (cfg.dns1 == NULL && !any_dhcp()) {
- // this function has the effect that updates to files using rename(2) don't propagate into the sandbox
- // avoid this in the default setting, in order to not break /etc/resolv.conf (issue #5010)
+ // Disabling this option ensures that updates to files using
+ // rename(2) propagate into the sandbox, in order to avoid
+ // breaking /etc/resolv.conf (issue #5010).
 if (!checkcfg(CFG_ETC_HIDE_BLACKLISTED))
 return;
 have_dhcp = 0;
-- 
cgit v1.2.3-54-g00ecf

From 91cbbe14895f0b386d50e859eada1432d5009eae Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Mon, 16 Jan 2023 09:25:01 -0300
Subject: firejail.config: explain potential issues with etc-hide-blacklisted

Let users know that enabling this may break /etc/resolv.conf. Added on commit ded50200e ("opt-in: skip blacklisted files in private-etc - #5010, #5230", 2023-01-15) / PR #5591.
---
 etc/firejail.config | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/etc/firejail.config b/etc/firejail.config
index 7dd2e80e7..13db32f1e 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -78,7 +78,8 @@
 # Enable or disable overlayfs features, default enabled.
 # overlayfs yes
 
-# Hide blacklisted files in /etc directory, default disabled.
+# Hide blacklisted files in /etc directory (enabling this may break
+# /etc/resolv.conf; see #5010), default disabled.
 # etc-hide-blacklisted no
 
 # Set the limit for file copy in several --private-* options. The size is set
-- 
cgit v1.2.3-54-g00ecf