From 93d9d7aece7f5951ccfd106cf5b94636074ece67 Mon Sep 17 00:00:00 2001 From: thewisenerd Date: Sat, 24 Dec 2016 06:46:42 +0530 Subject: argv: private-home: exit on invalid option --- src/firejail/main.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/firejail/main.c b/src/firejail/main.c index 15820f7dd..f9742cc3f 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1500,6 +1500,10 @@ int main(int argc, char **argv) { } // extract private home dirname + if (*(argv[i] + 15) == '\0') { + fprintf(stderr, "Error: invalid private-home option\n"); + exit(1); + } cfg.home_private_keep = argv[i] + 15; arg_private = 1; } -- cgit v1.2.3-54-g00ecf From ee338c3757e3b02765689623a6e81ee8b6c55905 Mon Sep 17 00:00:00 2001 From: thewisenerd Date: Sat, 24 Dec 2016 07:04:28 +0530 Subject: firejail: private-* : check, then assign. --- src/firejail/main.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/firejail/main.c b/src/firejail/main.c index f9742cc3f..c7470c33b 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1521,38 +1521,38 @@ int main(int argc, char **argv) { } // extract private etc list - cfg.etc_private_keep = argv[i] + 14; - if (*cfg.etc_private_keep == '\0') { + if (*(argv[i] + 14) == '\0') { fprintf(stderr, "Error: invalid private-etc option\n"); exit(1); } + cfg.etc_private_keep = argv[i] + 14; arg_private_etc = 1; } else if (strncmp(argv[i], "--private-opt=", 14) == 0) { // extract private opt list - cfg.opt_private_keep = argv[i] + 14; - if (*cfg.opt_private_keep == '\0') { + if (*(argv[i] + 14) == '\0') { fprintf(stderr, "Error: invalid private-opt option\n"); exit(1); } + cfg.opt_private_keep = argv[i] + 14; arg_private_opt = 1; } else if (strncmp(argv[i], "--private-srv=", 14) == 0) { // extract private srv list - cfg.srv_private_keep = argv[i] + 14; - if (*cfg.srv_private_keep == '\0') { + if (*(argv[i] + 14) == '\0') { fprintf(stderr, "Error: invalid private-etc option\n"); exit(1); } + cfg.srv_private_keep = argv[i] + 14; arg_private_srv = 1; } else if (strncmp(argv[i], "--private-bin=", 14) == 0) { // extract private bin list - cfg.bin_private_keep = argv[i] + 14; - if (*cfg.bin_private_keep == '\0') { + if (*(argv[i] + 14) == '\0') { fprintf(stderr, "Error: invalid private-bin option\n"); exit(1); } + cfg.bin_private_keep = argv[i] + 14; arg_private_bin = 1; } else if (strcmp(argv[i], "--private-tmp") == 0) { -- cgit v1.2.3-54-g00ecf From ef75c0c22e35bc1cb5339519871de8e1dc4ed5c7 Mon Sep 17 00:00:00 2001 From: thewisenerd Date: Sat, 24 Dec 2016 07:10:24 +0530 Subject: firejail: profile: allow multiple private-* options --- src/firejail/profile.c | 34 +++++++++++++++++++++++++++++----- 1 file changed, 29 insertions(+), 5 deletions(-) diff --git a/src/firejail/profile.c b/src/firejail/profile.c index da3daf95a..fab4f1efa 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -179,7 +179,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { if (strncmp(ptr, "private-home ", 13) == 0) { #ifdef HAVE_PRIVATE_HOME if (checkcfg(CFG_PRIVATE_HOME)) { - cfg.home_private_keep = ptr + 13; + if (cfg.home_private_keep) { + if ( asprintf(&cfg.home_private_keep, "%s,%s", cfg.home_private_keep, ptr + 13) < 0 ) + errExit("asprintf"); + } else + cfg.home_private_keep = ptr + 13; arg_private = 1; } else @@ -748,7 +752,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n"); exit(1); } - cfg.etc_private_keep = ptr + 12; + if (cfg.etc_private_keep) { + if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, ptr + 12) < 0 ) + errExit("asprintf"); + } else { + cfg.etc_private_keep = ptr + 12; + } arg_private_etc = 1; return 0; @@ -756,7 +765,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { // private /opt list of files and directories if (strncmp(ptr, "private-opt ", 12) == 0) { - cfg.opt_private_keep = ptr + 12; + if (cfg.opt_private_keep) { + if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, ptr + 12) < 0 ) + errExit("asprintf"); + } else { + cfg.opt_private_keep = ptr + 12; + } arg_private_opt = 1; return 0; @@ -764,7 +778,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { // private /srv list of files and directories if (strncmp(ptr, "private-srv ", 12) == 0) { - cfg.srv_private_keep = ptr + 12; + if (cfg.srv_private_keep) { + if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, ptr + 12) < 0 ) + errExit("asprintf"); + } else { + cfg.srv_private_keep = ptr + 12; + } arg_private_srv = 1; return 0; @@ -772,7 +791,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { // private /bin list of files if (strncmp(ptr, "private-bin ", 12) == 0) { - cfg.bin_private_keep = ptr + 12; + if (cfg.bin_private_keep) { + if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, ptr + 12) < 0 ) + errExit("asprintf"); + } else { + cfg.bin_private_keep = ptr + 12; + } arg_private_bin = 1; return 0; } -- cgit v1.2.3-54-g00ecf From df38295faa992dbcb02b4f18dedbd60b770d4d22 Mon Sep 17 00:00:00 2001 From: thewisenerd Date: Sat, 24 Dec 2016 07:14:16 +0530 Subject: firejail: argv: allow multiple private-* options --- src/firejail/main.c | 30 +++++++++++++++++++++++++----- 1 file changed, 25 insertions(+), 5 deletions(-) diff --git a/src/firejail/main.c b/src/firejail/main.c index c7470c33b..f1095d41f 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1504,7 +1504,11 @@ int main(int argc, char **argv) { fprintf(stderr, "Error: invalid private-home option\n"); exit(1); } - cfg.home_private_keep = argv[i] + 15; + if (cfg.home_private_keep) { + if ( asprintf(&cfg.home_private_keep, "%s,%s", cfg.home_private_keep, argv[i] + 15) < 0 ) + errExit("asprintf"); + } else + cfg.home_private_keep = argv[i] + 15; arg_private = 1; } else @@ -1525,7 +1529,11 @@ int main(int argc, char **argv) { fprintf(stderr, "Error: invalid private-etc option\n"); exit(1); } - cfg.etc_private_keep = argv[i] + 14; + if (cfg.etc_private_keep) { + if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, argv[i] + 14) < 0 ) + errExit("asprintf"); + } else + cfg.etc_private_keep = argv[i] + 14; arg_private_etc = 1; } else if (strncmp(argv[i], "--private-opt=", 14) == 0) { @@ -1534,7 +1542,11 @@ int main(int argc, char **argv) { fprintf(stderr, "Error: invalid private-opt option\n"); exit(1); } - cfg.opt_private_keep = argv[i] + 14; + if (cfg.opt_private_keep) { + if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, argv[i] + 14) < 0 ) + errExit("asprintf"); + } else + cfg.opt_private_keep = argv[i] + 14; arg_private_opt = 1; } else if (strncmp(argv[i], "--private-srv=", 14) == 0) { @@ -1543,7 +1555,11 @@ int main(int argc, char **argv) { fprintf(stderr, "Error: invalid private-etc option\n"); exit(1); } - cfg.srv_private_keep = argv[i] + 14; + if (cfg.srv_private_keep) { + if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, argv[i] + 14) < 0 ) + errExit("asprintf"); + } else + cfg.srv_private_keep = argv[i] + 14; arg_private_srv = 1; } else if (strncmp(argv[i], "--private-bin=", 14) == 0) { @@ -1552,7 +1568,11 @@ int main(int argc, char **argv) { fprintf(stderr, "Error: invalid private-bin option\n"); exit(1); } - cfg.bin_private_keep = argv[i] + 14; + if (cfg.bin_private_keep) { + if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, argv[i] + 14) < 0 ) + errExit("asprintf"); + } else + cfg.bin_private_keep = argv[i] + 14; arg_private_bin = 1; } else if (strcmp(argv[i], "--private-tmp") == 0) { -- cgit v1.2.3-54-g00ecf