From ee7237f7a92378b5debb7ec29e42f974aa1a5c79 Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Sat, 12 Mar 2016 14:22:59 -0500
Subject: cfg bind

---
 src/firejail/checkcfg.c |  9 +++++++
 src/firejail/firejail.h |  3 ++-
 src/firejail/fs.c       |  4 ++--
 src/firejail/main.c     | 24 ++++++++++++-------
 src/firejail/profile.c  | 62 ++++++++++++++++++++++++++++---------------------
 5 files changed, 64 insertions(+), 38 deletions(-)

diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index f868a699a..68dc6ac58 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -77,6 +77,15 @@ int checkcfg(int val) {
 				else
 					goto errout;
 			}
+			// bind
+			else if (strncmp(ptr, "bind ", 5) == 0) {
+				if (strcmp(ptr + 5, "yes") == 0)
+					cfg_val[CFG_BIND] = 1;
+				else if (strcmp(ptr + 5, "no") == 0)
+					cfg_val[CFG_BIND] = 0;
+				else
+					goto errout;
+			}
 			else
 				goto errout;
 			free(ptr);
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index d15d5a686..ff6eb485b 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -540,7 +540,8 @@ void sandboxfs(int op, pid_t pid, const char *patqh);
 // checkcfg.c
 #define CFG_FILE_TRANSFER 0
 #define CFG_X11 1
-#define CFG_MAX 2 // this should always be the last entry
+#define CFG_BIND 2
+#define CFG_MAX 3 // this should always be the last entry
 int checkcfg(int val);
 
 #endif
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index acee0ba1d..f63e8b5eb 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -435,12 +435,12 @@ void fs_blacklist(void) {
 			}
 			struct stat s;
 			if (stat(dname1, &s) == -1) {
-				fprintf(stderr, "Error: cannot find directories for bind command\n");
+				fprintf(stderr, "Error: cannot find %s for bind command\n", dname1);
 				entry = entry->next;
 				continue;
 			}
 			if (stat(dname2, &s) == -1) {
-				fprintf(stderr, "Error: cannot find directories for bind command\n");
+				fprintf(stderr, "Error: cannot find %s for bind command\n", dname2);
 				entry = entry->next;
 				continue;
 			}
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 64e6e2d98..d1d0f91a6 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -283,7 +283,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 			exit(0);
 		}
 		else {
-			fprintf(stderr, "Error: this feature is disabled in Firejail configuration file\n");
+			fprintf(stderr, "Error: --x11 feature is disabled in Firejail configuration file\n");
 			exit(1);
 		}
 	}
@@ -461,7 +461,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 			exit(0);
 		}
 		else {
-			fprintf(stderr, "Error: this feature is disabled in Firejail configuration file\n");
+			fprintf(stderr, "Error: --get feature is disabled in Firejail configuration file\n");
 			exit(1);
 		}
 	}
@@ -490,7 +490,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 			exit(0);
 		}
 		else {
-			fprintf(stderr, "Error: this feature is disabled in Firejail configuration file\n");
+			fprintf(stderr, "Error: --ls feature is disabled in Firejail configuration file\n");
 			exit(1);
 		}
 	}
@@ -887,12 +887,18 @@ int main(int argc, char **argv) {
 		//*************************************
 #ifdef HAVE_BIND		
 		else if (strncmp(argv[i], "--bind=", 7) == 0) {
-			char *line;
-			if (asprintf(&line, "bind %s", argv[i] + 7) == -1)
-				errExit("asprintf");
-
-			profile_check_line(line, 0, NULL);	// will exit if something wrong
-			profile_add(line);
+			if (checkcfg(CFG_BIND)) {
+				char *line;
+				if (asprintf(&line, "bind %s", argv[i] + 7) == -1)
+					errExit("asprintf");
+	
+				profile_check_line(line, 0, NULL);	// will exit if something wrong
+				profile_add(line);
+			}
+			else {
+				fprintf(stderr, "Error: --bind feature is disabled in Firejail configuration file\n");
+				exit(1);
+			}
 		}
 #endif
 		else if (strncmp(argv[i], "--tmpfs=", 8) == 0) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 461bcb941..36741ad4a 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -352,34 +352,44 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 
 	// filesystem bind
 	if (strncmp(ptr, "bind ", 5) == 0) {
-		if (getuid() != 0) {
-			fprintf(stderr, "Error: --bind option is available only if running as root\n");
-			exit(1);
-		}
-
-		// extract two directories
-		char *dname1 = ptr + 5;
-		char *dname2 = split_comma(dname1); // this inserts a '0 to separate the two dierctories
-		if (dname2 == NULL) {
-			fprintf(stderr, "Error: missing second directory for bind\n");
-			exit(1);
-		}
-		
-		// check directories
-		invalid_filename(dname1);
-		invalid_filename(dname2);
-		if (strstr(dname1, "..") || strstr(dname2, "..")) {
-			fprintf(stderr, "Error: invalid file name.\n");
-			exit(1);
+#ifdef HAVE_BIND		
+		if (checkcfg(CFG_BIND)) {
+			if (getuid() != 0) {
+				fprintf(stderr, "Error: --bind option is available only if running as root\n");
+				exit(1);
+			}
+	
+			// extract two directories
+			char *dname1 = ptr + 5;
+			char *dname2 = split_comma(dname1); // this inserts a '0 to separate the two dierctories
+			if (dname2 == NULL) {
+				fprintf(stderr, "Error: missing second directory for bind\n");
+				exit(1);
+			}
+			
+			// check directories
+			invalid_filename(dname1);
+			invalid_filename(dname2);
+			if (strstr(dname1, "..") || strstr(dname2, "..")) {
+				fprintf(stderr, "Error: invalid file name.\n");
+				exit(1);
+			}
+			if (is_link(dname1) || is_link(dname2)) {
+				fprintf(stderr, "Symbolic links are not allowed for bind command\n");
+				exit(1);
+			}
+			
+			// insert comma back
+			*(dname2 - 1) = ',';
+			return 1;
 		}
-		if (is_link(dname1) || is_link(dname2)) {
-			fprintf(stderr, "Symbolic links are not allowed for bind command\n");
-			exit(1);
+		else {
+			fprintf(stderr, "Warning: bind feature is disabled in Firejail configuration file\n");
+			return 0;			
 		}
-		
-		// insert comma back
-		*(dname2 - 1) = ',';
-		return 1;
+#else
+		return 0;
+#endif		
 	}
 
 	// rlimit
-- 
cgit v1.2.3-70-g09d2