github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-22 06:05:38 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions

Merge pull request #21 from pmillerchip/private-home

Browse source 
Implement the --private-home option
This commit is contained in:
netblue30 2015-08-14 07:31:47 -04:00
commit 167d4af438
9 changed files with 17 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/firejail/arg-checking.txt
View file

@ -59,7 +59,7 @@ arg checking:
- check same owner
- unit test
9. --private.keep=filelist
9. --private-home=filelist
- supported in profiles
- checking no ".."
- checking file found

6
src/firejail/firejail.h
View file

@ -282,9 +282,9 @@ void fs_private_dev(void);
void fs_private(void);
// private mode (--private=homedir)
void fs_private_homedir(void);
// private mode (--private.keep=list)
// private mode (--private-home=list)
void fs_private_home_list(void);
// check directory linst specified by user (--private.keep option) - exit if it fails
// check directory list specified by user (--private-home option) - exit if it fails
void fs_check_home_list(void);
// check new private home directory (--private= option) - exit if it fails
void fs_check_private_dir(void);
@ -357,4 +357,4 @@ void network_shm_set_file(pid_t pid);
void fs_check_etc_list(void);
void fs_private_etc_list(void);
#endif
#endif

6
src/firejail/fs_home.c
View file

@ -302,10 +302,10 @@ static void check_dir_or_file(const char *name) {
exit(1);
}
// check directory linst specified by user (--private.keep option) - exit if it fails
// check directory list specified by user (--private-home option) - exit if it fails
void fs_check_home_list(void) {
if (strstr(cfg.home_private_keep, "..")) {
fprintf(stderr, "Error: invalid private.keep list\n");
fprintf(stderr, "Error: invalid private-home list\n");
exit(1);
}
@ -385,7 +385,7 @@ static void duplicate(char *fname) {
}
// private mode (--private.keep=list):
// private mode (--private-home=list):
// mount homedir on top of /home/user,
// tmpfs on top of /root in nonroot mode,
// tmpfs on top of /tmp in root mode,

5
src/firejail/main.c
View file

@ -677,7 +677,7 @@ int main(int argc, char **argv) {
arg_private = 1;
else if (strncmp(argv[i], "--private=", 10) == 0) {
if (cfg.home_private_keep) {
fprintf(stderr, "Error: a private list of files was already defined with --private.keep option.\n");
fprintf(stderr, "Error: a private list of files was already defined with --private-home option.\n");
exit(1);
}
@ -686,7 +686,8 @@ int main(int argc, char **argv) {
fs_check_private_dir();
arg_private = 1;
}
else if (strncmp(argv[i], "--private.keep=", 15) == 0) {
else if ((strncmp(argv[i], "--private.keep=", 15) == 0)
|| (strncmp(argv[i], "--private-home=", 15) == 0)) {
if (cfg.home_private) {
fprintf(stderr, "Error: a private home directory was already defined with --private option.\n");
exit(1);

3
src/firejail/profile.c
View file

@ -228,7 +228,8 @@ int profile_check_line(char *ptr, int lineno) {
}
// private home list of files and directories
if (strncmp(ptr, "private.keep ", 13) == 0) {
if ((strncmp(ptr, "private.keep ", 13) == 0)
|| (strncmp(ptr, "private-home ", 13) == 0)) {
cfg.home_private_keep = ptr + 13;
fs_check_home_list();
arg_private = 1;

2
src/firejail/sandbox.c
View file

@ -237,7 +237,7 @@ int sandbox(void* sandbox_arg) {
if (arg_private) {
if (cfg.home_private) // --private=
fs_private_homedir();
else if (cfg.home_private_keep) // --private.keep=
else if (cfg.home_private_keep) // --private-home=
fs_private_home_list();
else // --private
fs_private();

2
src/firejail/usage.c
View file

@ -148,7 +148,7 @@ void usage(void) {
printf("\t\tfilesystems. All modifications are discarded when the sandbox is\n");
printf("\t\tclosed.\n\n");
printf("\t--private=directory - use directory as user home.\n\n");
printf("\t--private.keep=file,directory - build a new user home in a temporary\n");
printf("\t--private-home=file,directory - build a new user home in a temporary\n");
printf("\t\tfilesystem, and copy the files and directories in the list in\n");
printf("\t\tthe new home. All modifications are discarded when the sandbox\n");
printf("\t\tis closed.\n\n");

2
src/man/firejail-profile.txt
View file

@ -73,7 +73,7 @@ closed.
\f\private directory
Use directory as user home.
.TP
\f\private.keep file,directory
\f\private-home file,directory
Build a new user home in a temporary
filesystem, and copy the files and directories in the list in the
new home. All modifications are discarded when the sandbox is

4
src/man/firejail.txt
View file

@ -639,7 +639,7 @@ Example:
$ firejail \-\-private=/home/netblue/firefox-home firefox
.TP
\fB\-\-private.keep=file,directory
\fB\-\-private-home=file,directory
Build a new user home in a temporary
filesystem, and copy the files and directories in the list in the
new home. All modifications are discarded when the sandbox is
@ -649,7 +649,7 @@ closed.
.br
Example:
.br
$ firejail \-\-private.keep=.mozilla firefox
$ firejail \-\-private-home=.mozilla firefox
.TP
\fB\-\-private-dev
Create a new /dev directory. Only null, full, zero, tty, pts, ptmx, random, urandom and shm devices are available.