From 601df2fbb9cdfedc6ab71cbe47d275e39c935dca Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Wed, 1 Apr 2020 09:56:49 -0400
Subject: globbing support for whitelists

---
 src/firejail/fs_home.c      |  1 -
 src/firejail/fs_whitelist.c | 40 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index bec22e5a6..dbc74bfff 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -20,7 +20,6 @@
 #include "firejail.h"
 #include <sys/mount.h>
 #include <linux/limits.h>
-#include <glob.h>
 #include <dirent.h>
 #include <errno.h>
 #include <sys/stat.h>
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index c5b066b12..3f3075570 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -346,6 +346,39 @@ static void whitelist_home(int topdir) {
 }
 
 
+static void globbing(const char *pattern) {
+	assert(pattern);
+
+	// globbing
+	glob_t globbuf;
+	int globerr = glob(pattern, GLOB_NOCHECK | GLOB_NOSORT | GLOB_PERIOD, NULL, &globbuf);
+	if (globerr) {
+		fprintf(stderr, "Error: failed to glob private-bin pattern %s\n", pattern);
+		exit(1);
+	}
+
+	size_t i;
+	for (i = 0; i < globbuf.gl_pathc; i++) {
+		assert(globbuf.gl_pathv[i]);
+		// testing for GLOB_NOCHECK - no pattern matched returns the original pattern
+		if (strcmp(globbuf.gl_pathv[i], pattern) == 0)
+			continue;
+
+		// build the new profile command
+		char *newcmd;
+		if (asprintf(&newcmd, "whitelist %s", globbuf.gl_pathv[i]) == -1)
+			errExit("asprintf");
+
+		// add the new profile command at the end of the list
+		if (arg_debug || arg_debug_whitelists)
+			printf("Adding new profile command: %s\n", newcmd);
+		profile_add(newcmd);
+	}
+
+	globfree(&globbuf);
+}
+
+
 void fs_whitelist(void) {
 	ProfileEntry *entry = cfg.profile;
 	if (!entry)
@@ -444,6 +477,13 @@ void fs_whitelist(void) {
 		else
 			fname = realpath(new_name, NULL);
 
+		// if this is not a real path, let's try globbing
+		// mark this entry as EMPTY_STRING and push the new paths at the end of profile entry list
+		// the new profile entries will be processed in this loop
+		// currently there is no globbing support for nowhitelist
+		if (!fname && !nowhitelist_flag)
+			globbing(new_name);
+
 		if (!fname) {
 			// file not found, blank the entry in the list and continue
 			if (arg_debug || arg_debug_whitelists) {
-- 
cgit v1.2.3-70-g09d2