From d39169dc0dc01e63b1b674bbf7d2eb6c3dabe05a Mon Sep 17 00:00:00 2001
From: netblue30
Date: Thu, 17 Dec 2015 09:21:49 -0500
Subject: better error reporting for profile files
---
 src/firejail/firejail.h | 2 +-
 src/firejail/main.c | 12 ++++++------
 src/firejail/profile.c | 19 ++++++++++++++++---
 3 files changed, 23 insertions(+), 10 deletions(-)
(limited to 'src')
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 5590e9f54..12f792af8 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -289,7 +289,7 @@ void profile_read(const char *fname);
 // check profile line; if line == 0, this was generated from a command line option
 // return 1 if the command is to be added to the linked list of profile commands
 // return 0 if the command was already executed inside the function
-int profile_check_line(char *ptr, int lineno);
+int profile_check_line(char *ptr, int lineno, const char *fname);
 // add a profile entry in cfg.profile list; use str to populate the list
 void profile_add(char *str);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 17a7286f7..a9ccfc9cc 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -637,7 +637,7 @@ int main(int argc, char **argv) {
 if (asprintf(&line, "bind %s", argv[i] + 7) == -1)
 errExit("asprintf");
- profile_check_line(line, 0); // will exit if something wrong
+ profile_check_line(line, 0, NULL); // will exit if something wrong
 profile_add(line);
 }
 #endif
@@ -646,7 +646,7 @@ int main(int argc, char **argv) {
 if (asprintf(&line, "tmpfs %s", argv[i] + 8) == -1)
 errExit("asprintf");
- profile_check_line(line, 0); // will exit if something wrong
+ profile_check_line(line, 0, NULL); // will exit if something wrong
 profile_add(line);
 }
 else if (strncmp(argv[i], "--blacklist=", 12) == 0) {
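Review bot: The comment block above `profile_check_line` in firejail.h still refers to "line == 0" and says nothing about the new `fname` parameter, so the NULL convention that the main.c callers rely on is undocumented. I would rename "line" to "lineno" in that comment and add `// fname is the profile file being parsed; NULL for command line options or when no file name is available`. The same comment is duplicated above the definition in src/firejail/profile.c (hunk at -65) and needs the same update.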
@@ -654,7 +654,7 @@ int main(int argc, char **argv) {
 if (asprintf(&line, "blacklist %s", argv[i] + 12) == -1)
 errExit("asprintf");
- profile_check_line(line, 0); // will exit if something wrong
+ profile_check_line(line, 0, NULL); // will exit if something wrong
 profile_add(line);
 }
 else if (strncmp(argv[i], "--noblacklist=", 14) == 0) {
@@ -662,7 +662,7 @@ int main(int argc, char **argv) {
 if (asprintf(&line, "noblacklist %s", argv[i] + 14) == -1)
 errExit("asprintf");
- profile_check_line(line, 0); // will exit if something wrong
+ profile_check_line(line, 0, NULL); // will exit if something wrong
 profile_add(line);
 }
 else if (strncmp(argv[i], "--whitelist=", 12) == 0) {
@@ -670,7 +670,7 @@ int main(int argc, char **argv) {
 if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
 errExit("asprintf");
- profile_check_line(line, 0); // will exit if something wrong
+ profile_check_line(line, 0, NULL); // will exit if something wrong
 profile_add(line);
 }
 else if (strncmp(argv[i], "--read-only=", 12) == 0) {
@@ -678,7 +678,7 @@ int main(int argc, char **argv) {
 if (asprintf(&line, "read-only %s", argv[i] + 12) == -1)
 errExit("asprintf");
- profile_check_line(line, 0); // will exit if something wrong
+ profile_check_line(line, 0, NULL); // will exit if something wrong
 profile_add(line);
 }
 else if (strcmp(argv[i], "--overlay") == 0) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 244370b98..0f6d49868 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -65,7 +65,7 @@ int profile_find(const char *name, const char *dir) {
 // check profile line; if line == 0, this was generated from a command line option
 // return 1 if the command is to be added to the linked list of profile commands
 // return 0 if the command was already executed inside the function
-int profile_check_line(char *ptr, int lineno) {
+int profile_check_line(char *ptr, int lineno, const char *fname) {
 // check ignore list
 int i;
 for (i = 0; i < MAX_PROFILE_IGNORE; i++) {
@@ -99,8 +99,17 @@ int profile_check_line(char *ptr, int lineno) {
 return 0;
 }
+ // sandbox name
+ if (strncmp(ptr, "name ", 5) == 0) {
+ cfg.name = ptr + 5;
+ if (strlen(cfg.name) == 0) {
+ fprintf(stderr, "Error: invalid sandbox name\n");
+ exit(1);
+ }
+ return 0;
+ }
 // seccomp, caps, private, user namespace
- if (strcmp(ptr, "noroot") == 0) {
+ else if (strcmp(ptr, "noroot") == 0) {
 check_user_namespace();
 return 0;
 }
@@ -395,6 +404,8 @@ int profile_check_line(char *ptr, int lineno) {
 else {
 if (lineno == 0)
 fprintf(stderr, "Error: \"%s\" as a command line option is invalid\n", ptr);
+ else if (fname != NULL)
+ fprintf(stderr, "Error: line %d in %s is invalid\n", lineno, fname);
 else
 fprintf(stderr, "Error: line %d in the custom profile is invalid\n", lineno);
 exit(1);
@@ -405,6 +416,8 @@ int profile_check_line(char *ptr, int lineno) {
 if (strstr(ptr, "..")) {
 if (lineno == 0)
 fprintf(stderr, "Error: \"%s\" is an invalid filename\n", ptr);
+ else if (fname != NULL)
+ fprintf(stderr, "Error: line %d in %s is invalid\n", lineno, fname);
 else
 fprintf(stderr, "Error: line %d in the custom profile is invalid\n", lineno);
 exit(1);
@@ -492,7 +505,7 @@ void profile_read(const char *fname) {
 }
 // verify syntax, exit in case of error
- if (profile_check_line(ptr, lineno))
+ if (profile_check_line(ptr, lineno, fname))
 profile_add(ptr);
 }
 fclose(fp);
--
cgit v1.2.3-54-g00ecf
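Review bot: The new `name ` branch (hunk at -99) accepts any non-empty remainder of the profile line as the sandbox name; there is no upper bound on its length and no restriction on its characters, so control characters or path separators pass the `strlen(cfg.name) == 0` check. How `cfg.name` is consumed is not visible here, but if it ends up in file names or listings it is safer to reject anything outside a conservative character set before the assignment. `cfg.name = ptr + 5;` also keeps a pointer into the caller's line buffer while the branch returns 0, so that buffer must never be freed or reused; a comment stating this, or a `strdup` with an error check, would make the ownership explicit. The error path prints `Error: invalid sandbox name` without the line number and file name this commit introduces elsewhere; `fprintf(stderr, "Error: line %d in %s: invalid sandbox name\n", lineno, fname);` for the `fname != NULL` case would be consistent. The body of `profile_check_line` starts and ends outside this hunk.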
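Review bot: The three-way message selection added in the hunk at -395 (`lineno == 0`, `fname != NULL`, fallback) is repeated verbatim in the `strstr(ptr, "..")` check of the hunk at -405, and there the profile-file wording drops the reason for the rejection: the command-line branch says "is an invalid filename" while the new branch prints only `line %d in %s is invalid`. For the `..` case I would use `fprintf(stderr, "Error: line %d in %s is invalid: \"..\" is not allowed in file names\n", lineno, fname);` so that a profile author can tell a refused path from a syntax error. A small static helper taking `lineno` and `fname` for the two profile-file branches would keep the wording from drifting between the two sites. Both hunks sit inside `profile_check_line`, whose body extends beyond them.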