add support for arbitrary whitelist directories

etc/firejail.config

@@ -116,6 +116,10 @@
 # Enable or disable whitelisting support, default enabled.
 # whitelist yes
 
+# Disable whitelist top level directories, in addition to those
+# that are disabled out of the box. None by default; this is an example.
+# whitelist-disable-topdir /etc,/usr/etc
+
 # Enable or disable X11 sandboxing support, default enabled.
 # x11 yes
 

src/firejail/checkcfg.c

@@ -35,6 +35,7 @@ char *xvfb_extra_params = "";
 char *netfilter_default = NULL;
 unsigned long join_timeout = 5000000; // microseconds
 char *config_seccomp_error_action_str = "EPERM";
+char **whitelist_reject_topdirs = NULL;
 
 int checkcfg(int val) {
 	assert(val < CFG_MAX);
@@ -238,6 +239,31 @@ int checkcfg(int val) {
 					errExit("strdup");
 			}
 
+			else if (strncmp(ptr, "whitelist-disable-topdir ", 25) == 0) {
+				char *str = strdup(ptr + 25);
+				if (!str)
+					errExit("strdup");
+
+				size_t cnt = 0;
+				size_t sz = 4;
+				whitelist_reject_topdirs = malloc(sz * sizeof(char *));
+				if (!whitelist_reject_topdirs)
+					errExit("malloc");
+
+				char *tok = strtok(str, ",");
+				while (tok) {
+					whitelist_reject_topdirs[cnt++] = tok;
+					if (cnt >= sz) {
+						sz *= 2;
+						whitelist_reject_topdirs = realloc(whitelist_reject_topdirs, sz * sizeof(char *));
+						if (!whitelist_reject_topdirs)
+							errExit("realloc");
+					}
+					tok = strtok(NULL, ",");
+				}
+				whitelist_reject_topdirs[cnt] = NULL;
+			}
+
 			else
 				goto errout;
 

src/firejail/firejail.h

@@ -122,26 +122,22 @@ typedef struct interface_t {
 	uint8_t configured;
 } Interface;
 
+typedef struct topdir_t {
+	char *path;
+	int fd;
+} TopDir;
+
 typedef struct profile_entry_t {
 	struct profile_entry_t *next;
 	char *data;	// command
 
 	// whitelist command parameters
-	char *link;	// link name - set if the file is a link
-	enum {
-		WLDIR_HOME = 1,	// whitelist in home directory
-		WLDIR_TMP,	// whitelist in /tmp directory
-		WLDIR_MEDIA,	// whitelist in /media directory
-		WLDIR_MNT,	// whitelist in /mnt directory
-		WLDIR_VAR,	// whitelist in /var directory
-		WLDIR_DEV,	// whitelist in /dev directory
-		WLDIR_OPT,	// whitelist in /opt directory
-		WLDIR_SRV,	// whitelist in /srv directory
-		WLDIR_ETC,	// whitelist in /etc directory
-		WLDIR_SHARE,	// whitelist in /usr/share directory
-		WLDIR_MODULE,	// whitelist in /sys/module directory
-		WLDIR_RUN	// whitelist in /run/user/$uid directory
-	} wldir;
+	struct wparam_t {
+		char *file;		// resolved file path
+		char *link;		// link path
+		TopDir *top;	// top level directory
+	} *wparam;
+
 } ProfileEntry;
 
 typedef struct config_t {
@@ -792,6 +788,7 @@ extern char *xvfb_extra_params;
 extern char *netfilter_default;
 extern unsigned long join_timeout;
 extern char *config_seccomp_error_action_str;
+extern char **whitelist_reject_topdirs;
 
 int checkcfg(int val);
 void print_compiletime_support(void);

src/include/rundefs.h

@@ -84,18 +84,6 @@
 #define RUN_DEVLOG_FILE			RUN_MNT_DIR "/devlog"
 
 #define RUN_WHITELIST_X11_DIR		RUN_MNT_DIR "/orig-x11"
-#define RUN_WHITELIST_HOME_USER_DIR	RUN_MNT_DIR "/orig-home-user"		// home directory whitelisting
-#define RUN_WHITELIST_RUN_USER_DIR	RUN_MNT_DIR "/orig-run-user"		// run directory whitelisting
-#define RUN_WHITELIST_TMP_DIR		RUN_MNT_DIR "/orig-tmp"
-#define RUN_WHITELIST_MEDIA_DIR		RUN_MNT_DIR "/orig-media"
-#define RUN_WHITELIST_MNT_DIR		RUN_MNT_DIR "/orig-mnt"
-#define RUN_WHITELIST_VAR_DIR		RUN_MNT_DIR "/orig-var"
-#define RUN_WHITELIST_DEV_DIR		RUN_MNT_DIR "/orig-dev"
-#define RUN_WHITELIST_OPT_DIR		RUN_MNT_DIR "/orig-opt"
-#define RUN_WHITELIST_SRV_DIR   	RUN_MNT_DIR "/orig-srv"
-#define RUN_WHITELIST_ETC_DIR   	RUN_MNT_DIR "/orig-etc"
-#define RUN_WHITELIST_SHARE_DIR		RUN_MNT_DIR "/orig-share"
-#define RUN_WHITELIST_MODULE_DIR	RUN_MNT_DIR "/orig-module"
 
 #define RUN_XAUTHORITY_FILE		RUN_MNT_DIR "/.Xauthority"		// private options
 #define RUN_XAUTH_FILE			RUN_MNT_DIR "/xauth"			// x11=xorg