From e391930dca9ccb4fce225f8364813b6bf127dd9b Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Fri, 21 May 2021 23:25:09 +0200
Subject: add firejail.config switch for private-{bin,etc,opt,srv}
---
 src/firejail/checkcfg.c | 8 +++-
 src/firejail/firejail.h | 10 +++--
 src/firejail/main.c | 104 ++++++++++++++++++++++++++++--------------------
 src/firejail/profile.c | 75 +++++++++++++++++++---------------
 4 files changed, 117 insertions(+), 80 deletions(-)
(limited to 'src')
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index d6643cf3a..b42ae1a64 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -110,10 +110,14 @@ int checkcfg(int val) {
 PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network")
 PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title")
 PARSE_YESNO(CFG_OVERLAYFS, "overlayfs")
- PARSE_YESNO(CFG_PRIVATE_HOME, "private-home")
+ PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin")
+ PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local")
 PARSE_YESNO(CFG_PRIVATE_CACHE, "private-cache")
+ PARSE_YESNO(CFG_PRIVATE_ETC, "private-etc")
+ PARSE_YESNO(CFG_PRIVATE_HOME, "private-home")
 PARSE_YESNO(CFG_PRIVATE_LIB, "private-lib")
- PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local")
+ PARSE_YESNO(CFG_PRIVATE_OPT, "private-opt")
+ PARSE_YESNO(CFG_PRIVATE_SRV, "private-srv")
 PARSE_YESNO(CFG_DISABLE_MNT, "disable-mnt")
 PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach")
 PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f")
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index ac2fd279e..18907fc63 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -766,8 +766,14 @@ enum {
 CFG_WHITELIST,
 CFG_XEPHYR_WINDOW_TITLE,
 CFG_OVERLAYFS,
- CFG_PRIVATE_HOME,
+ CFG_PRIVATE_BIN,
 CFG_PRIVATE_BIN_NO_LOCAL,
+ CFG_PRIVATE_CACHE,
+ CFG_PRIVATE_ETC,
+ CFG_PRIVATE_HOME,
+ CFG_PRIVATE_LIB,
+ CFG_PRIVATE_OPT,
+ CFG_PRIVATE_SRV,
 CFG_FIREJAIL_PROMPT,
 CFG_FOLLOW_SYMLINK_AS_USER,
 CFG_DISABLE_MNT,
@@ -776,10 +782,8 @@ enum {
 CFG_XPRA_ATTACH,
 CFG_BROWSER_DISABLE_U2F,
 CFG_BROWSER_ALLOW_DRM,
- CFG_PRIVATE_LIB,
 CFG_APPARMOR,
 CFG_DBUS,
- CFG_PRIVATE_CACHE,
 CFG_CGROUP,
 CFG_NAME_CHANGE,
 CFG_SECCOMP_ERROR_ACTION,
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 593835843..f011c5799 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1949,61 +1949,77 @@ int main(int argc, char **argv, char **envp) {
 arg_keep_dev_shm = 1;
 }
 else if (strncmp(argv[i], "--private-etc=", 14) == 0) {
- if (arg_writable_etc) {
- fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
- exit(1);
- }
+ if (checkcfg(CFG_PRIVATE_ETC)) {
+ if (arg_writable_etc) {
+ fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
+ exit(1);
+ }

- // extract private etc list
- if (*(argv[i] + 14) == '\0') {
- fprintf(stderr, "Error: invalid private-etc option\n");
- exit(1);
+ // extract private etc list
+ if (*(argv[i] + 14) == '\0') {
+ fprintf(stderr, "Error: invalid private-etc option\n");
+ exit(1);
+ }
+ if (cfg.etc_private_keep) {
+ if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, argv[i] + 14) < 0 )
+ errExit("asprintf");
+ } else
+ cfg.etc_private_keep = argv[i] + 14;
+ arg_private_etc = 1;
 }
- if (cfg.etc_private_keep) {
- if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, argv[i] + 14) < 0 )
- errExit("asprintf");
- } else
- cfg.etc_private_keep = argv[i] + 14;
- arg_private_etc = 1;
+ else
+ exit_err_feature("private-etc");
 }
 else if (strncmp(argv[i], "--private-opt=", 14) == 0) {
- // extract private opt list
- if (*(argv[i] + 14) == '\0') {
- fprintf(stderr, "Error: invalid private-opt option\n");
- exit(1);
+ if (checkcfg(CFG_PRIVATE_OPT)) {
+ // extract private opt list
+ if (*(argv[i] + 14) == '\0') {
+ fprintf(stderr, "Error: invalid private-opt option\n");
+ exit(1);
+ }
+ if (cfg.opt_private_keep) {
+ if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, argv[i] + 14) < 0 )
+ errExit("asprintf");
+ } else
+ cfg.opt_private_keep = argv[i] + 14;
+ arg_private_opt = 1;
 }
- if (cfg.opt_private_keep) {
- if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, argv[i] + 14) < 0 )
- errExit("asprintf");
- } else
- cfg.opt_private_keep = argv[i] + 14;
- arg_private_opt = 1;
+ else
+ exit_err_feature("private-opt");
 }
 else if (strncmp(argv[i], "--private-srv=", 14) == 0) {
- // extract private srv list
- if (*(argv[i] + 14) == '\0') {
- fprintf(stderr, "Error: invalid private-srv option\n");
- exit(1);
+ if (checkcfg(CFG_PRIVATE_SRV)) {
+ // extract private srv list
+ if (*(argv[i] + 14) == '\0') {
+ fprintf(stderr, "Error: invalid private-srv option\n");
+ exit(1);
+ }
+ if (cfg.srv_private_keep) {
+ if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, argv[i] + 14) < 0 )
+ errExit("asprintf");
+ } else
+ cfg.srv_private_keep = argv[i] + 14;
+ arg_private_srv = 1;
 }
- if (cfg.srv_private_keep) {
- if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, argv[i] + 14) < 0 )
- errExit("asprintf");
- } else
- cfg.srv_private_keep = argv[i] + 14;
- arg_private_srv = 1;
+ else
+ exit_err_feature("private-srv");
 }
 else if (strncmp(argv[i], "--private-bin=", 14) == 0) {
- // extract private bin list
- if (*(argv[i] + 14) == '\0') {
- fprintf(stderr, "Error: invalid private-bin option\n");
- exit(1);
+ if (checkcfg(CFG_PRIVATE_BIN)) {
+ // extract private bin list
+ if (*(argv[i] + 14) == '\0') {
+ fprintf(stderr, "Error: invalid private-bin option\n");
+ exit(1);
+ }
+ if (cfg.bin_private_keep) {
+ if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, argv[i] + 14) < 0 )
+ errExit("asprintf");
+ } else
+ cfg.bin_private_keep = argv[i] + 14;
+ arg_private_bin = 1;
 }
- if (cfg.bin_private_keep) {
- if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, argv[i] + 14) < 0 )
- errExit("asprintf");
- } else
- cfg.bin_private_keep = argv[i] + 14;
- arg_private_bin = 1;
+ else
+ exit_err_feature("private-bin");
 }
 else if (strncmp(argv[i], "--private-lib", 13) == 0) {
 if (checkcfg(CFG_PRIVATE_LIB)) {
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index dd4506ac1..da28f0413 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
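Review bot: The four `--private-etc=`, `--private-opt=`, `--private-srv=` and `--private-bin=` branches now each repeat the same gate, empty-list check and append sequence, differing only in the option name, the `cfg.*_private_keep` field and the `arg_private_*` flag; the append is repeated four more times in the profile.c hunk. A small static helper for the append step would keep the copies from drifting apart; in the visible lines the profile.c copies already lack the empty-list rejection that these branches have. The sketch below shows such a helper and the `--private-etc=` call site, and the other three branches would change the same way. main() starts and ends outside the hunk.

```c
// append LIST to a comma-separated keep list, or start the list with it
static void keep_list_append(char **keep, char *list) {
	if (*keep) {
		if (asprintf(keep, "%s,%s", *keep, list) < 0)
			errExit("asprintf");
	}
	else
		*keep = list;
}

// … unchanged: --private-etc= match, checkcfg(CFG_PRIVATE_ETC) gate, writable-etc and empty-list checks …
				keep_list_append(&cfg.etc_private_keep, argv[i] + 14);
				arg_private_etc = 1;
// … unchanged: else exit_err_feature("private-etc") …
```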
@@ -1275,56 +1275,69 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {

 // private /etc list of files and directories
 if (strncmp(ptr, "private-etc ", 12) == 0) {
- if (arg_writable_etc) {
- fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
- exit(1);
- }
- if (cfg.etc_private_keep) {
- if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, ptr + 12) < 0 )
- errExit("asprintf");
- } else {
- cfg.etc_private_keep = ptr + 12;
+ if (checkcfg(CFG_PRIVATE_ETC)) {
+ if (arg_writable_etc) {
+ fprintf(stderr, "Error: --private-etc and --writable-etc are mutually exclusive\n");
+ exit(1);
+ }
+ if (cfg.etc_private_keep) {
+ if ( asprintf(&cfg.etc_private_keep, "%s,%s", cfg.etc_private_keep, ptr + 12) < 0 )
+ errExit("asprintf");
+ } else {
+ cfg.etc_private_keep = ptr + 12;
+ }
+ arg_private_etc = 1;
 }
- arg_private_etc = 1;
-
+ else
+ warning_feature_disabled("private-etc");
 return 0;
 }

 // private /opt list of files and directories
 if (strncmp(ptr, "private-opt ", 12) == 0) {
- if (cfg.opt_private_keep) {
- if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, ptr + 12) < 0 )
- errExit("asprintf");
- } else {
- cfg.opt_private_keep = ptr + 12;
+ if (checkcfg(CFG_PRIVATE_OPT)) {
+ if (cfg.opt_private_keep) {
+ if ( asprintf(&cfg.opt_private_keep, "%s,%s", cfg.opt_private_keep, ptr + 12) < 0 )
+ errExit("asprintf");
+ } else {
+ cfg.opt_private_keep = ptr + 12;
+ }
+ arg_private_opt = 1;
 }
- arg_private_opt = 1;
-
+ else
+ warning_feature_disabled("private-opt");
 return 0;
 }

 // private /srv list of files and directories
 if (strncmp(ptr, "private-srv ", 12) == 0) {
- if (cfg.srv_private_keep) {
- if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, ptr + 12) < 0 )
- errExit("asprintf");
- } else {
- cfg.srv_private_keep = ptr + 12;
+ if (checkcfg(CFG_PRIVATE_SRV)) {
+ if (cfg.srv_private_keep) {
+ if ( asprintf(&cfg.srv_private_keep, "%s,%s", cfg.srv_private_keep, ptr + 12) < 0 )
+ errExit("asprintf");
+ } else {
+ cfg.srv_private_keep = ptr + 12;
+ }
+ arg_private_srv = 1;
 }
- arg_private_srv = 1;
-
+ else
+ warning_feature_disabled("private-srv");
 return 0;
 }

 // private /bin list of files
 if (strncmp(ptr, "private-bin ", 12) == 0) {
- if (cfg.bin_private_keep) {
- if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, ptr + 12) < 0 )
- errExit("asprintf");
- } else {
- cfg.bin_private_keep = ptr + 12;
+ if (checkcfg(CFG_PRIVATE_BIN)) {
+ if (cfg.bin_private_keep) {
+ if ( asprintf(&cfg.bin_private_keep, "%s,%s", cfg.bin_private_keep, ptr + 12) < 0 )
+ errExit("asprintf");
+ } else {
+ cfg.bin_private_keep = ptr + 12;
+ }
+ arg_private_bin = 1;
 }
- arg_private_bin = 1;
+ else
+ warning_feature_disabled("private-bin");
 return 0;
 }

--
cgit v1.2.3-54-g00ecf
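Review bot: In each of the four new `else` branches (`private-etc`, `private-opt`, `private-srv`, `private-bin`) a profile line for a feature switched off in firejail.config is dropped with `warning_feature_disabled(...)` followed by `return 0`, so the sandbox apparently still starts, but without the restriction the profile asked for. The matching command-line options in main.c call `exit_err_feature(...)` instead, which by its name stops the run; both helpers are defined outside this page, so their behaviour is inferred. The asymmetry deserves a comment at the first branch, for example `// disabled in firejail.config: ignore the profile line and continue; the sandbox then sees the unfiltered /etc`. The firejail.config documentation should also say that disabling these switches weakens existing profiles; that file is not in this src-only view. profile_check_line() starts and ends outside the hunk.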