From ef6cfb8a22b6b788298a0601e837856b51c60e76 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Thu, 29 Jun 2023 19:54:21 -0300
Subject: firecfg: add ignore command and docs

Add ignore command (`!PROGRAM`), as suggested by @WhyNotHugo[1]. It prevents firecfg from creating a symlink for the given program.

Also, document the paths used and the config file syntax.

Note that `/etc/firejail/firecfg.d/*.conf` files are parsed before /etc/firejail/firecfg.config, so the former can ignore/override any item in the latter.

Closes #2097.

[1] https://github.com/netblue30/firejail/issues/2097#issuecomment-1179160459
---
 src/firecfg/main.c | 45 ++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)
(limited to 'src/firecfg')

diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index 35fa850f1..604b12633 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -143,6 +143,40 @@ static void clean(void) {
 printf("\n");
 }
 
+#define ignorelist_maxlen 2048
+static const char *ignorelist[ignorelist_maxlen];
+static int ignorelist_len = 0;
+
+static int append_ignorelist(const char *const str) {
+ assert(str);
+ if (ignorelist_len >= ignorelist_maxlen) {
+ fprintf(stderr, "Warning: Ignore list is full (%d/%d), skipping %s\n",
+ ignorelist_len, ignorelist_maxlen, str);
+ return 0;
+ }
+
+ printf(" ignoring '%s'\n", str);
+ const char *const dup = strdup(str);
+ if (!dup)
+ errExit("strdup");
+
+ ignorelist[ignorelist_len] = dup;
+ ignorelist_len++;
+
+ return 1;
+}
+
+static int in_ignorelist(const char *const str) {
+ assert(str);
+ int i;
+ for (i = 0; i < ignorelist_len; i++) {
+ if (strcmp(str, ignorelist[i]) == 0)
+ return 1;
+ }
+
+ return 0;
+}
+
 static void set_file(const char *name, const char *firejail_exec) {
 if (which(name) == 0)
 return;
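Review bot: When the table is full, `append_ignorelist` only prints a warning and returns 0, and its single caller in the next hunk discards that return, so beyond `ignorelist_maxlen` entries an `!PROGRAM` directive is dropped and a symlink is created anyway. Since the list holds `strdup`'d strings for the life of the process and the limit is purely a compile-time table size, treating overflow as a fatal configuration error (`fprintf(stderr, "Error: ignore list is full (%d/%d)\n", ignorelist_len, ignorelist_maxlen); exit(1);`) would be clearer than a warning that is easy to miss among the per-program output lines. Style-wise, `#define ignorelist_maxlen 2048` is a lowercase macro; an `enum { IGNORELIST_MAXLEN = 2048 };` (or an upper-case macro) would follow the usual convention and be visible in a debugger, and `int i;` could be declared in the `for` header. A duplicate check in `append_ignorelist` (calling `in_ignorelist` first) would keep repeated `!PROGRAM` lines from consuming slots.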
@@ -206,8 +240,17 @@ static void set_links_firecfg(const char *cfgfile) {
 if (*start == '\0')
 continue;
 
+ // handle ignore command
+ if (*start == '!') {
+ append_ignorelist(start + 1);
+ continue;
+ }
+
 // set link
- set_file(start, FIREJAIL_EXEC);
+ if (!in_ignorelist(start))
+ set_file(start, FIREJAIL_EXEC);
+ else
+ printf(" %s ignored\n", start);
 }
 fclose(fp);
 
--
cgit v1.2.3-54-g00ecf
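Review bot: The ignore command passes `start + 1` to `append_ignorelist` unchecked, so a line consisting only of `!` appends an empty name (printing `ignoring ''` and consuming a slot), and if the trimming that produced `start` only strips whitespace before the `!`, a line like `! foo` is stored with its leading blank and never matches `foo`. Skipping blanks after the `!` and rejecting an empty name before appending avoids both cases; the rewritten lines are below. It is also worth a comment that an `!PROGRAM` line only affects entries parsed after it (`// ignore commands only apply to entries parsed later; firecfg.d/*.conf is read before firecfg.config`), since within a single file a `!foo` placed after `foo` has no effect. The enclosing set_links_firecfg() begins and ends outside this hunk.
```c
		// handle ignore command: "!PROGRAM" (blanks after '!' are skipped)
		if (*start == '!') {
			const char *name = start + 1;
			while (*name == ' ' || *name == '\t')
				name++;
			if (*name == '\0')
				fprintf(stderr, "Warning: empty ignore command in %s, skipping\n", cfgfile);
			else
				append_ignorelist(name);
			continue;
		}
		// … unchanged: set link / in_ignorelist check …
```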