bwrap replacement - part 7 - --allow-bwrap option

src/fbwrap/main.c

@@ -78,8 +78,6 @@ static int ok_to_run(const char *fname) {
 
 static void usage(void) {
 	printf("fbwrap - bwrap replacement for Firejail sandbox.\n"
-	       "Usage: fbwrap bwrap-program-and-arguments\n"
-	       "\n"
 	       "This program does nothing! It just starts the application\n"
 	       "bwrap was supposed to sandbox, without any sandboxing features.\n"
 	       "\n"
@@ -95,7 +93,6 @@ int main(int argc, char **argv) {
 	printf("%s:%s():%d\n", __FILE__, __PRETTY_FUNCTION__, __LINE__);
 #endif
 	if (argc == 1) {
-		fprintf(stderr, "Error: bwrap program arguments are required.\n");
 		usage();
 		return 1;
 	}

src/firejail/firejail.h

@@ -373,6 +373,7 @@ extern int arg_deterministic_shutdown;	// shut down the sandbox if first child d
 extern int arg_keep_fd_all;	// inherit all file descriptors to sandbox
 extern int arg_netlock;	// netlocker
 extern int arg_restrict_namespaces;
+extern int arg_allow_bwrap;
 
 typedef enum {
 	DBUS_POLICY_ALLOW,	// Allow unrestricted access to the bus

src/firejail/fs_bin.c

@@ -285,7 +285,8 @@ void fs_private_bin_list(void) {
 	while ((ptr = strtok(NULL, ",")) != NULL)
 		globbing(ptr);
 	free(dlist);
-	globbing("/usr/bin/bwrap");
+	if (!arg_allow_bwrap)
+		globbing("/usr/bin/bwrap");
 
 	// mount-bind
 	EUID_ROOT();

src/firejail/main.c

@@ -169,6 +169,7 @@ int login_shell = 0;
 int just_run_the_shell = 0;
 int arg_netlock = 0;
 int arg_restrict_namespaces = 0;
+int arg_allow_bwrap = 0;
 
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -1367,6 +1368,8 @@ int main(int argc, char **argv, char **envp) {
 		else if (strcmp(argv[i], "--allow-debuggers") == 0) {
 			// already handled
 		}
+		else if (strcmp(argv[i], "--allow-bwrap") == 0)
+			arg_allow_bwrap = 1;
 
 
 		//*************************************

src/firejail/sandbox.c

@@ -931,8 +931,11 @@ int sandbox(void* sandbox_arg) {
 		}
 	}
 
-	// bwrap is replaced by our own program
-	fs_bwrap();
+	if (!arg_allow_bwrap) {
+		// bwrap is replaced by our own program
+		fs_bwrap();
+	}
+	
 	// private-bin is disabled for appimages
 	if (arg_private_bin && !arg_appimage) {
 		if (cfg.chrootdir)

src/firejail/usage.c

@@ -28,6 +28,7 @@ static const char *const usage_str =
 	"\n"
 	"Options:\n"
 	"    -- - signal the end of options and disables further option processing.\n"
+	"    --allow-bwrap - allow bubblewrap sandbox running inside the sandbox.\n"
 	"    --allow-debuggers - allow tools such as strace and gdb inside the sandbox.\n"
 	"    --allusers - all user home directories are visible inside the sandbox.\n"
 #ifdef HAVE_APPARMOR

src/man/firejail.1.in

@@ -113,6 +113,39 @@ generally be disabled on the command line using \fB--ignore\fR.
 .TP
 \fB\-\-
 Signal the end of options and disables further option processing.
+.TP
+\fB\-\-allow-bwrap
+By default firejail replaces /usr/bin/bwrap executable with a do-nothing program.
+Our replacement just runs the bubblewrap target, and is visible only inside
+firejail sandbox. Use this option to disable this default functionality.
+.br
+
+.br
+Example:
+.br
+$ firejail --noprofile --allow-bwrap bwrap --help
+.br
+firejail version 0.9.77
+.br
+
+.br
+Parent pid 44129, child pid 44130
+.br
+Base filesystem installed in 0.04 ms
+.br
+Child process initialized in 5.02 ms
+.br
+usage: bwrap [OPTIONS...] [--] COMMAND [ARGS...]
+.br
+
+.br
+    --help                       Print this help
+.br
+    --version                    Print version
+.br
+    --args FD                    Parse NUL-separated args from FD
+.br
+
 .TP
 \fB\-\-allow-debuggers
 Allow tools such as strace and gdb inside the sandbox by whitelisting