From 894bf81a595304b0c1a843c85a607003fd419d1b Mon Sep 17 00:00:00 2001
From: Hugo Osvaldo Barrera
Date: Fri, 3 Dec 2021 19:43:39 +0100
Subject: Implement a `whitelist-ro` command This is a shortcut to: whitelist $PATH read-only $PATH Ideally, a great deal of usages of `whitelist` should be replaced with this instead.
---
 src/firejail/profile.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 756b370aa..7757c1814 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1789,6 +1789,17 @@ void profile_read(const char *fname) {
 free(ptr);
 ptr = tmp;
 }
+ else if (strncmp(ptr, "whitelist-ro ", 13) == 0) {
+ char *whitelist, *readonly;
+ if (asprintf(&whitelist, "whitelist %s", ptr + 13) == -1)
+ errExit("asprintf");
+ profile_add(whitelist);
+ if (asprintf(&readonly, "read-only %s", ptr + 13) == -1)
+ errExit("asprintf");
+ profile_add(readonly);
+ free(ptr);
+ continue;
+ }
 // process quiet
 // todo: a quiet in the profile file cannot be disabled by --ignore on command line
--
cgit v1.2.3-70-g09d2
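Review bot: The new `whitelist-ro` branch hands both synthesized lines straight to `profile_add()` and then `continue`s, so they skip whatever per-line checks the rest of the loop applies to an ordinary `whitelist` or `read-only` line (ignore-list handling, conditionals, syntax validation); that part of `profile_read` lies outside this hunk, so this is inferred from the branch sitting ahead of `// process quiet`. For a sandbox profile this matters because an `ignore` directive or a configuration that disables whitelisting may not be honoured for the expanded lines, and an empty path after `whitelist-ro ` is accepted as is. I would route each expanded line through the same check as a normal line, e.g. `if (profile_check_line(whitelist, lineno, fname)) profile_add(whitelist); else free(whitelist);` and likewise for `readonly`, assuming that helper is what the loop uses further down. A short comment in the file's existing style, `// process whitelist-ro: expands to "whitelist PATH" followed by "read-only PATH"`, would also help the next reader.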