From c3bd40d2404319cca625ecc521a4514d27e8f76a Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 17 Nov 2015 10:41:52 -0500 Subject: allow mixing of whitelist and private --- src/firejail/fs_whitelist.c | 10 ++++++++++ src/firejail/sandbox.c | 8 +------- test/private-whitelist.exp | 36 ++++++++++++++++++++++++++++++++++++ test/test.sh | 3 +++ 4 files changed, 50 insertions(+), 7 deletions(-) create mode 100755 test/private-whitelist.exp diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index fd2a29372..9203e3d00 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c @@ -213,6 +213,15 @@ void fs_whitelist(void) { // check for supported directories if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) { + // whitelisting home directory is disabled if --private or --private-home option is present + if (arg_private) { + if (arg_debug) + printf("Removed whitelist path %s, --private option is present\n", entry->data); + + *entry->data = '\0'; + continue; + } + entry->home_dir = 1; home_dir = 1; // both path and absolute path are under /home @@ -271,6 +280,7 @@ void fs_whitelist(void) { // create mount points fs_build_mnt_dir(); + // /home/user if (home_dir) { diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 384688b54..c105894bb 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -354,13 +354,7 @@ int sandbox(void* sandbox_arg) { //**************************** if (cfg.profile) { // apply all whitelist commands ... - if (arg_whitelist) { - // whitelist commands are disabled if --private or --private-home option is present - if (arg_private == 0) - fs_whitelist(); - else - fprintf(stderr, "Warning: whitelists disabled by private or private-home\n"); - } + fs_whitelist(); // ... followed by blacklist commands fs_blacklist(); diff --git a/test/private-whitelist.exp b/test/private-whitelist.exp new file mode 100755 index 000000000..b78eb3b61 --- /dev/null +++ b/test/private-whitelist.exp 
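Review bot: The new `arg_private` branch in fs_whitelist() reports a dropped home-directory whitelist only under `arg_debug`, whereas the warning this commit removes from sandbox.c went to stderr unconditionally. A user who combines `--private` with a whitelist under the home directory is therefore no longer told the rule was ignored. I would keep an unconditional notice here, e.g. `fprintf(stderr, "Warning: whitelist %s ignored, --private option is present\n", entry->data);`. The branch is reached through the context line's `strncmp` prefix comparison against `cfg.homedir`, which, unless that string carries a trailing slash, also matches sibling paths sharing the prefix; dropping those is harmless in this direction but deserves a comment. The loop starts and ends outside the hunk, so it cannot be confirmed from here that the early `continue` still advances `entry` and releases `new_name`.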
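Review bot: Deleting the whole `if (arg_whitelist)` block in sandbox() removes two guards, not only the `arg_private` one, so `fs_whitelist()` now runs for every sandbox with a profile even when no whitelist command was given. The second fs_whitelist.c hunk shows the function calling `fs_build_mnt_dir()` after its entry loop, so unless an early return outside the visible hunks covers the no-whitelist case, mount-point setup would also happen on runs that never asked for it. Keeping the cheap guard, `if (arg_whitelist) fs_whitelist();`, would preserve the previous behaviour for profiles without whitelist commands. sandbox() continues outside the hunk.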
@@ -0,0 +1,36 @@ +#!/usr/bin/expect -f + +set timeout 10 +spawn $env(SHELL) +match_max 100000 + +send -- "firejail --private --whitelist=/tmp/.X11-unix\r" +expect { + timeout {puts "TESTING ERROR 1\n";exit} + "Child process initialized" +} +sleep 1 + +send -- "ls -al /tmp\r" +expect { + timeout {puts "TESTING ERROR 2\n";exit} + ".X11-unix" +} +sleep 1 + +send -- "ls -a /tmp | wc\r" +expect { + timeout {puts "TESTING ERROR 3\n";exit} + "3" +} +sleep 1 + +send -- "ls -a ~ | wc\r" +expect { + timeout {puts "TESTING ERROR 4\n";exit} + "4" +} + +sleep 1 +puts "\nall done\n" + diff --git a/test/test.sh b/test/test.sh index 61e5cce35..fdb1f8ed7 100755 --- a/test/test.sh +++ b/test/test.sh @@ -30,6 +30,9 @@ echo "TESTING: private-etc" echo "TESTING: private-bin" ./private-bin.exp +echo "TESTING: private whitelist" +./private-whitelist.exp + sleep 1 rm -fr dir\ with\ space mkdir dir\ with\ space -- cgit v1.2.3-70-g09d2
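Review bot: The new test only covers a whitelist outside the home directory (`/tmp/.X11-unix`), so the branch this commit adds in fs_whitelist.c, where a home-directory whitelist is dropped when `--private` is set, is never exercised. A second run with `--private` plus a whitelist under `~`, checking that the file is absent from the private home, would pin that behaviour. The `"3"` and `"4"` patterns match any output containing that digit, including the other columns of `wc`, so counting with `wc -l` and matching the number together with the line end would be stricter. The first check also assumes `/tmp/.X11-unix` exists on the host, which may not hold on a headless test machine. Finally, `exit` on timeout returns status 0, so `exit 1` would let test.sh detect the failure.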