From cafb5cfaa6ec36a6dc26d3cb699f25a1dac82a1f Mon Sep 17 00:00:00 2001 From: netblue30 Date: Fri, 4 Aug 2017 09:33:36 -0400 Subject: private-lib: support for /etc/firejail/firejail.config --- etc/firejail.config | 3 +++ src/firejail/checkcfg.c | 8 ++++++++ src/firejail/firejail.h | 1 + src/firejail/main.c | 20 ++++++++++++-------- src/firejail/profile.c | 18 +++++++++++------- 5 files changed, 35 insertions(+), 15 deletions(-) diff --git a/etc/firejail.config b/etc/firejail.config index 82847ea37..b597ed603 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -63,6 +63,9 @@ # Enable or disable private-home feature, default enabled # private-home yes +# Enable or disable private-lib feature, default enabled +# private-lib yes + # Enable --quiet as default every time the sandbox is started. Default disabled. # quiet-by-default no diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 50a96fc7a..7f371b299 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -324,6 +324,14 @@ int checkcfg(int val) { else goto errout; } + else if (strncmp(ptr, "private-lib ", 12) == 0) { + if (strcmp(ptr + 12, "yes") == 0) + cfg_val[CFG_PRIVATE_LIB] = 1; + else if (strcmp(ptr + 12, "no") == 0) + cfg_val[CFG_PRIVATE_LIB] = 0; + else + goto errout; + } else if (strncmp(ptr, "chroot-desktop ", 15) == 0) { if (strcmp(ptr + 15, "yes") == 0) cfg_val[CFG_CHROOT_DESKTOP] = 1; diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 19edb40a0..8e47a72d5 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -708,6 +708,7 @@ enum { CFG_JOIN, CFG_ARP_PROBES, CFG_XPRA_ATTACH, + CFG_PRIVATE_LIB, CFG_MAX // this should always be the last entry }; extern char *xephyr_screen; diff --git a/src/firejail/main.c b/src/firejail/main.c index ff57a5693..9cff080a0 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1631,15 +1631,19 @@ int main(int argc, char **argv) { arg_private_bin = 1; } else if (strncmp(argv[i], "--private-lib", 13) == 0) { - // extract private lib list (if any) - if (argv[i][13] == '=') { - if (cfg.lib_private_keep) { - if (argv[i][14] != '\0' && asprintf(&cfg.lib_private_keep, "%s,%s", cfg.lib_private_keep, argv[i] + 14) < 0) - errExit("asprintf"); - } else - cfg.lib_private_keep = argv[i] + 14; + if (checkcfg(CFG_PRIVATE_LIB)) { + // extract private lib list (if any) + if (argv[i][13] == '=') { + if (cfg.lib_private_keep) { + if (argv[i][14] != '\0' && asprintf(&cfg.lib_private_keep, "%s,%s", cfg.lib_private_keep, argv[i] + 14) < 0) + errExit("asprintf"); + } else + cfg.lib_private_keep = argv[i] + 14; + } + arg_private_lib = 1; } - arg_private_lib = 1; + else + exit_err_feature("private-lib"); } else if (strcmp(argv[i], "--private-tmp") == 0) { arg_private_tmp = 1; diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 972f5932d..708251b0b 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -862,15 +862,19 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { // private /lib list of files if (strncmp(ptr, "private-lib", 11) == 0) { - if (ptr[11] == ' ') { - if (cfg.lib_private_keep) { - if (ptr[12] != '\0' && asprintf(&cfg.lib_private_keep, "%s,%s", cfg.lib_private_keep, ptr + 12) < 0) - errExit("asprintf"); - } else { - cfg.lib_private_keep = ptr + 12; + if (checkcfg(CFG_PRIVATE_LIB)) { + if (ptr[11] == ' ') { + if (cfg.lib_private_keep) { + if (ptr[12] != '\0' && asprintf(&cfg.lib_private_keep, "%s,%s", cfg.lib_private_keep, ptr + 12) < 0) + errExit("asprintf"); + } else { + cfg.lib_private_keep = ptr + 12; + } } + arg_private_lib = 1; } - arg_private_lib = 1; + else + warning_feature_disabled("private-lib"); return 0; } -- cgit v1.2.3-70-g09d2