From 1a03225b4407f1cf88410573c8fc67031de511c1 Mon Sep 17 00:00:00 2001
From: Tad
Date: Mon, 5 Nov 2018 18:32:22 -0500
Subject: Add new config option to disable U2F in browsers, enabled by default
---
 src/firejail/checkcfg.c | 9 +++++++++
 src/firejail/firejail.h | 1 +
 src/firejail/profile.c | 1 +
 src/man/firejail-profile.txt | 2 +-
 4 files changed, 12 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 50f952e91..45e28fe40 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -371,6 +371,15 @@ int checkcfg(int val) {
 else
 goto errout;
 }
+ // browser-disable-u2f
+ else if (strncmp(ptr, "browser-disable-u2f ", 20) == 0) {
+ if (strcmp(ptr + 20, "yes") == 0)
+ cfg_val[CFG_BROWSER_DISABLE_U2F] = 1;
+ else if (strcmp(ptr + 20, "no") == 0)
+ cfg_val[CFG_BROWSER_DISABLE_U2F] = 0;
+ else
+ goto errout;
+ }
 else
 goto errout;
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 7f6ed2586..d996e1dac 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -771,6 +771,7 @@ enum {
 CFG_JOIN,
 CFG_ARP_PROBES,
 CFG_XPRA_ATTACH,
+ CFG_BROWSER_DISABLE_U2F,
 CFG_PRIVATE_LIB,
 CFG_APPARMOR,
 CFG_DBUS,
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index c7c8fd9fa..a85c8f815 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -139,6 +139,7 @@ int profile_check_conditional(char *ptr, int lineno, const char *fname) {
 bool value; // true if set
 } conditionals[] = {
 {"HAS_APPIMAGE", strlen("HAS_APPIMAGE"), arg_appimage!=0},
+ {"BROWSER_DISABLE_U2F", strlen("BROWSER_DISABLE_U2F"), checkcfg(CFG_BROWSER_DISABLE_U2F)!=0},
 NULL
 }, *cond = conditionals;
 char *tmp = ptr, *msg = NULL;
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index e26b5f989..251346bd5 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
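Review bot: Nothing in the checkcfg.c hunk sets `cfg_val[CFG_BROWSER_DISABLE_U2F]` when the `browser-disable-u2f` key is absent from the config, so the "enabled by default" promised in the subject rests on initialization code in checkcfg() outside the hunk and should be confirmed there. The default matters because the `BROWSER_DISABLE_U2F` conditional added in profile.c reads this value, so profile lines gated on it would take effect on existing installs without any config edit, presumably cutting sandboxed browsers off from U2F tokens. The new branch should state the default and the opt-out, for example `// browser-disable-u2f: defaults to yes; "browser-disable-u2f no" keeps U2F usable in browsers`. The exact `strcmp` against `yes`/`no` sends any other value to `errout`, which fails closed.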
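Review bot: In the firejail.h hunk `CFG_BROWSER_DISABLE_U2F` is inserted mid-enum after `CFG_XPRA_ATTACH`, which renumbers `CFG_PRIVATE_LIB`, `CFG_APPARMOR`, `CFG_DBUS` and every later enumerator. That is harmless if the values are only in-process indexes into `cfg_val[]` and everything is rebuilt from this header. If any value is stored or shared between separately built components, appending the new entry at the end of the list (outside the hunk) would avoid the shift.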
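Review bot: The new `BROWSER_DISABLE_U2F` row in `conditionals[]` (profile.c hunk) has no comment tying it to the lowercase `browser-disable-u2f` config key parsed in checkcfg.c. Unlike `HAS_APPIMAGE`, which follows a command-line flag, it is driven by system configuration, so a trailing comment such as `// from config option browser-disable-u2f` would make the source of the value explicit. Because `checkcfg()` sits in the initializer of a local array, it runs on every call to `profile_check_conditional()` whichever conditional the profile line names; whether that is cheap depends on caching inside checkcfg(), which is not visible here. The function body starts and ends outside the hunk.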
@@ -94,7 +94,7 @@ Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir" This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line. -Currently the only conditional supported is HAS_APPIMAGE. +Currently the only conditionals supported are HAS_APPIMAGE and BROWSER_DISABLE_U2F. The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines. -- cgit v1.2.3-54-g00ecf