From d0a12f27d650ebed63f14102baa671f3655b50c8 Mon Sep 17 00:00:00 2001
From: Antoine Catton
Date: Mon, 30 Jan 2023 23:55:49 +0100
Subject: feature: add 'keep-shell-rc' flag and option
This fixes #1127. This allow a user to provide their own zshrc/bashrc inside the jail. This is very useful when using firejail to develop and prevent bad pip packages to access your system.
---
 contrib/syntax/lists/profile_commands_arg0.list | 1 +
 src/firejail/firejail.h | 1 +
 src/firejail/fs_home.c | 9 ++++++---
 src/firejail/main.c | 4 ++++
 src/firejail/profile.c | 5 +++++
 src/firejail/usage.c | 1 +
 src/man/firejail-profile.txt | 3 +++
 src/man/firejail.txt | 8 ++++++++
 src/zsh_completion/_firejail.in | 1 +
 9 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/contrib/syntax/lists/profile_commands_arg0.list b/contrib/syntax/lists/profile_commands_arg0.list
index a402671a6..fd1bdb401 100644
--- a/contrib/syntax/lists/profile_commands_arg0.list
+++ b/contrib/syntax/lists/profile_commands_arg0.list
@@ -10,6 +10,7 @@ disable-mnt
 ipc-namespace
 keep-config-pulse
 keep-dev-shm
+keep-shell-rc
 keep-var-tmp
 machine-id
 memory-deny-write-execute
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 66d2d8b83..a09158e9e 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -332,6 +332,7 @@ extern int arg_nice; // nice value configured
 extern int arg_ipc; // enable ipc namespace
 extern int arg_writable_etc; // writable etc
 extern int arg_keep_config_pulse; // disable automatic ~/.config/pulse init
+extern int arg_keep_shell_rc; // do not copy shell configuration from /etc/skel
 extern int arg_writable_var; // writable var
 extern int arg_keep_var_tmp; // don't overwrite /var/tmp
 extern int arg_writable_run_user; // writable /run/user
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 8c4cb3d4f..8e72f8687 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -361,7 +361,8 @@ void fs_private_homedir(void) {
 }
 EUID_USER();
- skel(homedir);
+ if (!arg_keep_shell_rc)
+ skel(homedir);
 if (xflag)
 copy_xauthority();
 if (aflag)
@@ -430,7 +431,8 @@ void fs_private(void) {
 selinux_relabel_path(homedir, homedir);
 }
- skel(homedir);
+ if (!arg_keep_shell_rc)
+ skel(homedir);
 if (xflag)
 copy_xauthority();
 if (aflag)
@@ -682,7 +684,8 @@ void fs_private_home_list(void) {
 errExit("mounting tmpfs");
 EUID_USER();
- skel(homedir);
+ if (!arg_keep_shell_rc)
+ skel(homedir);
 if (xflag)
 copy_xauthority();
 if (aflag)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 02fcb77d7..8df6926ee 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -127,6 +127,7 @@ int arg_nice = 0; // nice value configured
 int arg_ipc = 0; // enable ipc namespace
 int arg_writable_etc = 0; // writable etc
 int arg_keep_config_pulse = 0; // disable automatic ~/.config/pulse init
+int arg_keep_shell_rc = 0; // do not copy shell configuration from /etc/skel
 int arg_writable_var = 0; // writable var
 int arg_keep_var_tmp = 0; // don't overwrite /var/tmp
 int arg_writable_run_user = 0; // writable /run/user
@@ -1975,6 +1976,9 @@ int main(int argc, char **argv, char **envp) {
 else if (strcmp(argv[i], "--keep-config-pulse") == 0) {
 arg_keep_config_pulse = 1;
 }
+ else if (strcmp(argv[i], "--keep-shell-rc") == 0) {
+ arg_keep_shell_rc = 1;
+ }
 else if (strcmp(argv[i], "--writable-var") == 0) {
 arg_writable_var = 1;
 }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index d01999ec5..3924465e4 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1235,6 +1235,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
+ if (strcmp(ptr, "keep-shell-rc") == 0) {
+ arg_keep_shell_rc = 1;
+ return 0;
+ }
+
 // writable-var
 if (strcmp(ptr, "writable-var") == 0) {
 arg_writable_var = 1;
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index bf4550dd8..e31293c66 100644
--- a/src/firejail/usage.c
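Review bot: The three `if (!arg_keep_shell_rc)` guards (in fs_private_homedir(), fs_private() and fs_private_home_list()) let the jail's shell source user-whitelisted rc files, but nothing in the patch says those files should be read-only inside the sandbox. If the real `~/.bashrc` or `~/.zshrc` is whitelisted writable, code in the jail can change a file the host shell later sources, which undercuts the commit message's goal of containing bad pip packages; whether an included profile already marks them read-only is not visible here. I would add a comment at the first guard, `// keep-shell-rc: whitelisted rc files are sourced as-is; keep them read-only in the sandbox`, and one sentence to the `--keep-shell-rc` man page entry. The guard could also live inside `skel()` instead of being repeated at three call sites, provided skel() has no caller that needs the unconditional copy. All three functions begin and end outside their hunks.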
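Review bot: The new `keep-shell-rc` block in profile_check_line() has no leading comment, while the block right after it in the same hunk is introduced by `// writable-var`. Since a profile line can now change which rc files the sandboxed shell sources, I would label it the same way and say what it switches off: `// keep-shell-rc: skip the /etc/skel rc copy in private homes`. profile_check_line() starts and ends outside the hunk.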
+++ b/src/firejail/usage.c
@@ -129,6 +129,7 @@ static char *usage_str =
 " --keep-config-pulse - disable automatic ~/.config/pulse init.\n"
 " --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n"
 " --keep-fd - inherit open file descriptors to sandbox.\n"
+ " --keep-shell-rc - do not copy shell rc files from /etc/skel\n"
 " --keep-var-tmp - /var/tmp directory is untouched.\n"
 " --list - list all sandboxes.\n"
 #ifdef HAVE_FILE_TRANSFER
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 5b16179ac..3fa07d1ee 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -288,6 +288,9 @@ pulse servers or non-standard socket paths.
 \fBkeep-dev-shm
 /dev/shm directory is untouched (even with private-dev).
 .TP
+\fBkeep-shell-rc
+Do not copy shell rc files (such as ~/.bashrc and ~/.zshrc) from /etc/skel.
+.TP
 \fBkeep-var-tmp
 /var/tmp directory is untouched.
 .TP
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 1b051ab57..6068c9ff4 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1223,6 +1223,14 @@ Example:
 .br
 $ firejail --keep-fd=3,4,5
+.TP
+\fB\-\-keep-shell-rc
+By default, when using a private home directory, firejail copies files from the
+system's user home template (/etc/skel) into it, which overrides attempts to
+whitelist the original files (such as ~/.bashrc and ~/.zshrc).
+This option disables this feature, and enables the user to whitelist the
+original files.
+
 .TP
 \fB\-\-keep-var-tmp
 /var/tmp directory is untouched.
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index 2b67c2a00..37ce7055b 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -104,6 +104,7 @@ _firejail_args=(
 '--keep-config-pulse[disable automatic ~/.config/pulse init]'
 '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]'
 '--keep-fd[inherit open file descriptors to sandbox]: :'
+ '--keep-shell-rc[do not copy shell rc files from /etc/skel]'
 '--keep-var-tmp[/var/tmp directory is untouched]'
 '--machine-id[spoof /etc/machine-id with a random id]'
 '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]'
--
cgit v1.2.3-70-g09d2