From d073a425b3e3ed3829a0e042e8c41963f0f40f0e Mon Sep 17 00:00:00 2001
From: netblue30
Date: Thu, 9 Jun 2016 08:42:59 -0400
Subject: whitelist support in /etc/firejail/firejail.config

---
 configure | 17 +++++++++++++++++
 configure.ac | 9 +++++++++
 etc/firejail.config | 15 +++++++++------
 src/firejail/Makefile.in | 3 ++-
 src/firejail/checkcfg.c | 11 ++++++++++-
 src/firejail/firejail.h | 3 ++-
 src/firejail/main.c | 25 +++++++++++++++++++------
 src/firejail/profile.c | 12 ++++++++++--
 src/firejail/usage.c | 6 ++++--
 src/man/firejail-config.txt | 19 +++++++++++--------
 10 files changed, 93 insertions(+), 27 deletions(-)

diff --git a/configure b/configure
index 66b1663f9..da7d370d3 100755
--- a/configure
+++ b/configure
@@ -629,6 +629,7 @@ EGREP
 GREP
 CPP
 HAVE_FATAL_WARNINGS
+HAVE_WHITELIST
 HAVE_FILE_TRANSFER
 HAVE_X11
 HAVE_USERNS
@@ -695,6 +696,7 @@ enable_network
 enable_userns
 enable_x11
 enable_file_transfer
+enable_whitelist
 enable_fatal_warnings
 '
 ac_precious_vars='build_alias
@@ -1324,6 +1326,7 @@ Optional Features:
 --disable-userns disable user namespace
 --disable-x11 disable X11 sandboxing support
 --disable-file-transfer disable file transfer
+ --disable-whitelist disable whitelist
 --enable-fatal-warnings -W -Wall -Werror
 Some influential environment variables:
@@ -3161,6 +3164,19 @@ if test "x$enable_file_transfer" != "xno"; then :
 HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER"
+fi
+
+HAVE_WHITELIST=""
+# Check whether --enable-whitelist was given.
+if test "${enable_whitelist+set}" = set; then :
+ enableval=$enable_whitelist;
+fi
+
+if test "x$enable_whitelist" != "xno"; then :
+
+ HAVE_WHITELIST="-DHAVE_WHITELIST"
+
+
 fi
 HAVE_FATAL_WARNINGS=""
@@ -4823,6 +4839,7 @@ echo " bind: $HAVE_BIND"
 echo " network: $HAVE_NETWORK"
 echo " user namespace: $HAVE_USERNS"
 echo " X11 sandboxing support: $HAVE_X11"
+echo " whitelisting: $HAVE_WHITELIST"
 echo " file transfer support: $HAVE_FILE_TRANSFER"
 echo " fatal warnings: $HAVE_FATAL_WARNINGS"
 echo
diff --git a/configure.ac b/configure.ac
index ef6a11af5..c9061f219 100644
--- a/configure.ac
+++ b/configure.ac
@@ -70,6 +70,14 @@ AS_IF([test "x$enable_file_transfer" != "xno"], [
 AC_SUBST(HAVE_FILE_TRANSFER)
 ])
+HAVE_WHITELIST=""
+AC_ARG_ENABLE([whitelist],
+ AS_HELP_STRING([--disable-whitelist], [disable whitelist]))
+AS_IF([test "x$enable_whitelist" != "xno"], [
+ HAVE_WHITELIST="-DHAVE_WHITELIST"
+ AC_SUBST(HAVE_WHITELIST)
+])
+
 HAVE_FATAL_WARNINGS=""
 AC_ARG_ENABLE([fatal_warnings],
 AS_HELP_STRING([--enable-fatal-warnings], [-W -Wall -Werror]))
@@ -103,6 +111,7 @@ echo " bind: $HAVE_BIND"
 echo " network: $HAVE_NETWORK"
 echo " user namespace: $HAVE_USERNS"
 echo " X11 sandboxing support: $HAVE_X11"
+echo " whitelisting: $HAVE_WHITELIST"
 echo " file transfer support: $HAVE_FILE_TRANSFER"
 echo " fatal warnings: $HAVE_FATAL_WARNINGS"
 echo
diff --git a/etc/firejail.config b/etc/firejail.config
index 55d2faa9f..4fcaee213 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -12,6 +12,12 @@
 # Enable or disable file transfer support, default enabled.
 # file-transfer yes
+# Force use of nonewprivs. This mitigates the possibility of
+# a user abusing firejail's features to trick a privileged (suid
+# or file capabilities) process into loading code or configuration
+# that is partially under their control. Default disabled
+# force-nonewprivs no
+
 # Enable or disable networking features, default enabled.
 # network yes
@@ -27,15 +33,12 @@
 # Enable or disable user namespace support, default enabled.
 # userns yes
+# Enable or disable whitelisting support, default enabled
+# whitelist yes
+
 # Enable or disable X11 sandboxing support, default enabled.
 # x11 yes
-# Force use of nonewprivs. This mitigates the possibility of
-# a user abusing firejail's features to trick a privileged (suid
-# or file capabilities) process into loading code or configuration
-# that is partially under their control. Default disabled
-# force-nonewprivs no
-
 # Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
 # a full list of resolutions available on your specific setup.
 # xephyr-screen 640x480
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 3ad4ba75e..a8af1a4e0 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
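Review bot: The new `# whitelist yes` entry does not say what happens when it is switched off, and in this same commit the two paths behave differently: profile.c drops a profile's `whitelist` line by returning 0 with no message, while main.c rejects `--whitelist=` with an error and exit(1). A profile that relies on whitelisting is presumably meant to hide everything it does not list, so an administrator setting this to `no` should be told that such profiles silently lose that restriction. Suggested comment text: `# Enable or disable whitelisting support, default enabled. When set to no, "whitelist" lines in profiles are ignored without any warning and --whitelist on the command line is rejected.`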
@@ -16,13 +16,14 @@ HAVE_NETWORK=@HAVE_NETWORK@
 HAVE_USERNS=@HAVE_USERNS@
 HAVE_X11=@HAVE_X11@
 HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
+HAVE_WHITELIST=@HAVE_WHITELIST@
 H_FILE_LIST = $(sort $(wildcard *.[h]))
 C_FILE_LIST = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS = $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 3ea8caf5b..bf85436c3 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -38,7 +38,7 @@ int checkcfg(int val) {
 cfg_val[i] = 1; // most of them are enabled by default
 cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default
- cfg_val[CFG_FORCE_NONEWPRIVS ] = 0; // disabled by default
+ cfg_val[CFG_FORCE_NONEWPRIVS] = 0; // disabled by default
 // open configuration file
 char *fname;
@@ -126,6 +126,15 @@ int checkcfg(int val) {
 else
 goto errout;
 }
+ // whitelist
+ else if (strncmp(ptr, "whitelist ", 10) == 0) {
+ if (strcmp(ptr + 10, "yes") == 0)
+ cfg_val[CFG_WHITELIST] = 1;
+ else if (strcmp(ptr + 10, "no") == 0)
+ cfg_val[CFG_WHITELIST] = 0;
+ else
+ goto errout;
+ }
 // network
 else if (strncmp(ptr, "network ", 8) == 0) {
 if (strcmp(ptr + 8, "yes") == 0)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 2d5e05f79..026273aa3 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -568,7 +568,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh);
 #define CFG_NETWORK 6
 #define CFG_RESTRICTED_NETWORK 7
 #define CFG_FORCE_NONEWPRIVS 8
-#define CFG_MAX 9 // this should always be the last entry
+#define CFG_WHITELIST 9
+#define CFG_MAX 10 // this should always be the last entry
 int checkcfg(int val);
 // fs_rdwr.c
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 1c2f021bb..1621d810f 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -276,6 +276,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 #endif
 #ifndef HAVE_FILE_TRANSFER
 printf("File transfer support is disabled.\n");
+#endif
+#ifndef HAVE_WHITELIST
+ printf("whitelisting support is disabled.\n");
 #endif
 exit(0);
 }
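Review bot: `CFG_MAX` is still bumped by hand, and this hunk is exactly the kind of change where that is forgotten; the `// this should always be the last entry` comment is the only guard, and checkcfg.c indexes `cfg_val` with these values, so a stale CFG_MAX would presumably leave the new index outside the array. Turning the CFG_ list into an enum with CFG_MAX as the trailing member makes the count automatic: `..., CFG_FORCE_NONEWPRIVS, CFG_WHITELIST, CFG_MAX /* keep last */ };`. The start of the CFG_ list is outside this hunk, so that change touches lines not shown here.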
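Review bot: The new message `whitelisting support is disabled.` starts in lower case while the line directly above it prints `File transfer support is disabled.`; for consistent output use `printf("Whitelisting support is disabled.\n");`. The enclosing run_cmd_and_exit begins before this hunk.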
@@ -1114,14 +1117,24 @@ int main(int argc, char **argv) {
 profile_check_line(line, 0, NULL); // will exit if something wrong
 profile_add(line);
 }
+
+#ifdef HAVE_WHITELIST
 else if (strncmp(argv[i], "--whitelist=", 12) == 0) {
- char *line;
- if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
- errExit("asprintf");
-
- profile_check_line(line, 0, NULL); // will exit if something wrong
- profile_add(line);
+ if (checkcfg(CFG_WHITELIST)) {
+ char *line;
+ if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
+ errExit("asprintf");
+
+ profile_check_line(line, 0, NULL); // will exit if something wrong
+ profile_add(line);
+ }
+ else {
+ fprintf(stderr, "Error: whitelist feature is disabled in Firejail configuration file\n");
+ exit(1);
+ }
 }
+#endif
+
 else if (strncmp(argv[i], "--read-only=", 12) == 0) {
 char *line;
 if (asprintf(&line, "read-only %s", argv[i] + 12) == -1)
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 192f36974..a64f28c9a 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -726,8 +726,16 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 else if (strncmp(ptr, "noblacklist ", 12) == 0)
 ptr += 12;
 else if (strncmp(ptr, "whitelist ", 10) == 0) {
- arg_whitelist = 1;
- ptr += 10;
+#ifdef HAVE_WHITELIST
+ if (checkcfg(CFG_WHITELIST)) {
+ arg_whitelist = 1;
+ ptr += 10;
+ }
+ else
+ return 0;
+#else
+ return 0;
+#endif
 }
 else if (strncmp(ptr, "read-only ", 10) == 0)
 ptr += 10;
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index d2f7d9460..af1a30ac3 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -72,8 +72,9 @@ void usage(void) {
 printf("\tsoftware build.\n\n");
 printf(" --debug-syscalls - print all recognized system calls in the current Firejail\n");
 printf("\tsoftware build.\n\n");
+#ifdef HAVE_WHITELIST
 printf(" --debug-whitelists - debug whitelisting.\n\n");
-
+#endif
 #ifdef HAVE_NETWORK
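Review bot: When the build uses `--disable-whitelist` the whole `--whitelist=` branch is compiled out, so the option falls through to the rest of the argument chain (outside this hunk), and whatever generic handling is there cannot tell the user that support was removed at build time; the config-disabled case right above it, by contrast, gets a specific message and exit(1). An `#else` branch that still recognizes the option and reports the build-time reason keeps the two cases symmetric and avoids a misleading "unknown option" style failure. The enclosing main() starts and ends outside this hunk.
```c
#ifdef HAVE_WHITELIST
		else if (strncmp(argv[i], "--whitelist=", 12) == 0) {
			// … unchanged: checkcfg(CFG_WHITELIST) check, asprintf, profile_check_line, profile_add …
		}
#else
		else if (strncmp(argv[i], "--whitelist=", 12) == 0) {
			fprintf(stderr, "Error: whitelist support was disabled when Firejail was built\n");
			exit(1);
		}
#endif
```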
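Review bot: A profile `whitelist` line is silently discarded when whitelisting is disabled, both in the config-disabled `else return 0;` branch and in the `#else return 0;` branch, whereas the identical request arriving via `--whitelist=` in main.c aborts with an error; a profile whose filesystem restriction is built on whitelisting then runs without it and nothing tells the user or the log. The function already receives `lineno` and `fname`, so at minimum emit a warning before returning: `fprintf(stderr, "Warning: whitelist support is disabled, ignoring line %d of %s\n", lineno, fname ? fname : "(command line)");` — the NULL guard matters because main.c calls profile_check_line with `0, NULL` for options it synthesizes. If the project prefers fail-closed behaviour, matching main.c's error-and-exit here would be the stricter choice. profile_check_line starts and ends outside this hunk.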
@@ -250,8 +251,9 @@ void usage(void) {
 printf(" --tree - print a tree of all sandboxed processes.\n\n");
 printf(" --user=new_user - switch the user before starting the sandbox.\n\n");
 printf(" --version - print program version and exit.\n\n");
+#ifdef HAVE_WHITELIST
 printf(" --whitelist=dirname_or_filename - whitelist directory or file.\n\n");
-
+#endif
 printf(" --writable-etc - /etc directory is mounted read-write.\n\n");
 printf(" --writable-var - /var directory is mounted read-write.\n\n");
diff --git a/src/man/firejail-config.txt b/src/man/firejail-config.txt
index 026765f1a..6a66c7f75 100644
--- a/src/man/firejail-config.txt
+++ b/src/man/firejail-config.txt
@@ -25,6 +25,13 @@ Enable or disable chroot support, default enabled.
 \fBfile-transfer
 Enable or disable file transfer support, default enabled.
+.TP
+\fBforce-nonewprivs
+Force use of nonewprivs. This mitigates the possibility of
+a user abusing firejail's features to trick a privileged (suid
+or file capabilities) process into loading code or configuration
+that is partially under their control. Default disabled.
+
 .TP
 \fBnetwork
 Enable or disable networking features, default enabled.
@@ -45,16 +52,12 @@ Enable or disable seccomp support, default enabled.
 Enable or disable user namespace support, default enabled.
 .TP
-\fBx11
-Enable or disable X11 sandboxing support, default enabled.
+\fBwhitelist
+Enable or disable whitelisting support, default enabled.
 .TP
-\fBforce-nonewprivs
-Force use of nonewprivs. This mitigates the possibility of
-a user abusing firejail's features to trick a privileged (suid
-or file capabilities) process into loading code or configuration
-that is partially under their control. Default disabled.
-
+\fBx11
+Enable or disable X11 sandboxing support, default enabled.
 .TP
 \fBxephyr-screen
-- cgit v1.2.3-54-g00ecf