From df6aa573c121dfadf36715bb4b08d91e5867f3b9 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sun, 25 Oct 2015 07:58:04 -0400
Subject: implemented --ignore option

---
 RELNOTES                | 5 +++++
 src/firejail/firejail.h | 2 ++
 src/firejail/main.c     | 20 ++++++++++++++++++++
 src/firejail/profile.c  | 10 ++++++++++
 src/firejail/sandbox.c  | 2 +-
 src/firejail/usage.c    | 2 +-
 src/man/firejail.txt    | 10 ++++++++++
 7 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/RELNOTES b/RELNOTES
index 7f0426b31..840875028 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,3 +1,8 @@
+firejail (0.9.33) baseline; urgency=low
+ * added --ignore option
+ * bugfixes
+ -- netblue30 current development
+
 firejail (0.9.32) baseline; urgency=low
 * added --interface option
 * added --mtu option
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 297624c3b..74958487c 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -81,6 +81,8 @@ typedef struct config_t {
 	// filesystem
 	ProfileEntry *profile;
+#define MAX_PROFILE_IGNORE 16
+	char *profile_ignore[MAX_PROFILE_IGNORE];
 	char *chrootdir; // chroot directory
 	char *home_private; // private home directory
 	char *home_private_keep; // keep list for private home directory
diff --git a/src/firejail/main.c b/src/firejail/main.c
index e76f1b4f1..0def00fa8 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
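Review bot: `#define MAX_PROFILE_IGNORE 16` is placed inside the body of `config_t`, where a reader looking for the macro will not expect it and where it reads as though it were scoped to the struct, which preprocessor macros never are; move it above the `typedef struct config_t {` line. The new `profile_ignore[]` array is usable only because the main.c and profile.c hunks treat the first NULL slot as the end of the list, which relies on `cfg` being zero-initialized (static storage or an explicit memset) — that is not visible in this hunk, so worth confirming. A short comment on the field, `char *profile_ignore[MAX_PROFILE_IGNORE]; // --ignore= commands, NULL marks the end`, would record that contract for the next reader. The struct starts and ends outside the hunk.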
@@ -711,6 +711,26 @@ int main(int argc, char **argv) {
 			}
 			arg_noprofile = 1;
 		}
+		else if (strncmp(argv[i], "--ignore=", 9) == 0) {
+			char *ptr = argv[i] + 9;
+			if (*(argv[i] + 9) == '\0') {
+				fprintf(stderr, "Error: invalid ignore option\n");
+				exit(1);
+			}
+
+			// find an empty entry in profile_ignore array
+			int j;
+			for (j = 0; j < MAX_PROFILE_IGNORE; j++) {
+				if (cfg.profile_ignore[j] == NULL)
+					break;
+			}
+			if (j >= MAX_PROFILE_IGNORE) {
+				fprintf(stderr, "Error: maximum %d --ignore options are permitted\n", MAX_PROFILE_IGNORE);
+				exit(1);
+			}
+			// ... and configure it
+			cfg.profile_ignore[j] = argv[i] + 9;
+		}
 #ifdef HAVE_CHROOT
 		else if (strncmp(argv[i], "--chroot=", 9) == 0) {
 			if (arg_overlay) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index e6c31bc0a..1195dd14d 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -66,6 +66,16 @@ int profile_find(const char *name, const char *dir) {
 // return 1 if the command is to be added to the linked list of profile commands
 // return 0 if the command was already executed inside the function
 int profile_check_line(char *ptr, int lineno) {
+	// check ignore list
+	int i;
+	for (i = 0; i < MAX_PROFILE_IGNORE; i++) {
+		if (cfg.profile_ignore[i] == NULL)
+			break;
+
+		if (strncmp(ptr, cfg.profile_ignore[i], strlen(cfg.profile_ignore[i])) == 0)
+			return 0; // ignore line
+	}
+
 	// seccomp, caps, private, user namespace
 	if (strcmp(ptr, "noroot") == 0) {
 		check_user_namespace();
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 6075fe23e..3c5a176e6 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -476,7 +476,7 @@ int sandbox(void* sandbox_arg) {
 	if (arg_noroot) {
 		set_caps();
 		if (arg_debug)
-			printf("User namespace (noroot) installed\n");
+			printf("noroot user namespace installed\n");
 	}
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 43e21433e..d3cad1e63 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
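Review bot: `ptr` on the second added line of the `--ignore=` branch is assigned and never read; the emptiness check and the store both spell out `argv[i] + 9` again, so the local only earns an unused-variable warning. Either drop the declaration or use it consistently: `if (*ptr == '\0') {` for the check and `cfg.profile_ignore[j] = ptr;` for the store. The stored value is a pointer into argv rather than a copy, which is fine for a process-lifetime configuration struct as long as nothing later rewrites argv. One thing I could not confirm from this hunk: if profile files are parsed during the same option scan (as a `--profile=` branch elsewhere in main would imply), an `--ignore=` given after `--profile=` on the command line would arrive too late to take effect, and the man page should say that the order matters. main's body starts and ends outside the hunk.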
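Review bot: The ignore-list test is a bare prefix compare, `strncmp(ptr, cfg.profile_ignore[i], strlen(cfg.profile_ignore[i]))`, so `--ignore=net` would also suppress a `netfilter` line and `--ignore=private` any other `private*` command the profile carries, silently removing hardening the user did not ask to remove. The compare should require the prefix to end at end of line or whitespace: `size_t len = strlen(cfg.profile_ignore[i]);` / `if (strncmp(ptr, cfg.profile_ignore[i], len) == 0 && (ptr[len] == '\0' || ptr[len] == ' ' || ptr[len] == '\t'))` / `return 0; // ignore line`. Because an ignored line is dropped before any other handling, a debug trace such as `if (arg_debug) printf("Ignoring profile line %d: %s\n", lineno, ptr);` would let a user see what a given `--ignore` actually removed. Whether `ptr` arrives with leading whitespace already stripped is not visible here; if not, the prefix test misses indented lines. profile_check_line continues past the end of the hunk.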
@@ -85,7 +85,7 @@ void usage(void) {
 	printf("\t--help, -? - this help screen.\n\n");
 	printf("\t--hostname=name - set sandbox hostname.\n\n");
-
+	printf("\t--ignore=command - ignore command in profile files.\n\n");
 	printf("\t--interface=name - move interface in a new network namespace. Up to\n");
 	printf("\t\tfour --interface options can be sepcified.\n\n");
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index e311c66b0..1814fe92a 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -340,6 +340,16 @@ Example:
 .br
 $ firejail \-\-hostname=officepc firefox
+.TP
+\fB\-\-ignore=command
+Ignore command in profile file.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-ignore=shell --ignore=seccomp firefox
+
 .TP
 \fB\-\-interface=interface
 Move interface in a new network namespace. Up to four --interface options can be sepcified.
--
cgit v1.2.3-70-g09d2