feature: add 'keep-shell-rc' flag and option

This fixes #1127.

This allows a user to provide their own zshrc/bashrc inside the jail.
This is very useful when using firejail to develop and to prevent bad pip
packages from accessing your system.
This commit is contained in:
Antoine Catton 2023-01-30 23:55:49 +01:00
parent b55cb6a80a
commit d0a12f27d6
9 changed files with 30 additions and 3 deletions


@ -10,6 +10,7 @@ disable-mnt
ipc-namespace
keep-config-pulse
keep-dev-shm
keep-shell-rc
keep-var-tmp
machine-id
memory-deny-write-execute


@ -332,6 +332,7 @@ extern int arg_nice; // nice value configured
extern int arg_ipc; // enable ipc namespace
extern int arg_writable_etc; // writable etc
extern int arg_keep_config_pulse; // disable automatic ~/.config/pulse init
extern int arg_keep_shell_rc; // do not copy shell configuration from /etc/skel
extern int arg_writable_var; // writable var
extern int arg_keep_var_tmp; // don't overwrite /var/tmp
extern int arg_writable_run_user; // writable /run/user


@ -361,7 +361,8 @@ void fs_private_homedir(void) {
}
EUID_USER();
skel(homedir);
if (!arg_keep_shell_rc)
skel(homedir);
if (xflag)
copy_xauthority();
if (aflag)
@ -430,7 +431,8 @@ void fs_private(void) {
selinux_relabel_path(homedir, homedir);
}
skel(homedir);
if (!arg_keep_shell_rc)
skel(homedir);
if (xflag)
copy_xauthority();
if (aflag)
@ -682,7 +684,8 @@ void fs_private_home_list(void) {
errExit("mounting tmpfs");
EUID_USER();
skel(homedir);
if (!arg_keep_shell_rc)
skel(homedir);
if (xflag)
copy_xauthority();
if (aflag)
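Review bot: The `if (!arg_keep_shell_rc)` guard is copy-pasted in front of each of the three `skel(homedir);` calls (in fs_private_homedir, fs_private and fs_private_home_list); if skel() is defined in this file, an early `if (arg_keep_shell_rc) return;` at the top of skel() would leave all three callers unchanged and make it impossible for a future private-home path to forget the flag. If skel() also creates an empty rc file when /etc/skel has none (its body is not visible here), the new flag suppresses that as well, and the option's documentation should say so rather than only "do not copy". All three enclosing functions start and end outside the hunks.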


@ -127,6 +127,7 @@ int arg_nice = 0; // nice value configured
int arg_ipc = 0; // enable ipc namespace
int arg_writable_etc = 0; // writable etc
int arg_keep_config_pulse = 0; // disable automatic ~/.config/pulse init
int arg_keep_shell_rc = 0; // do not copy shell configuration from /etc/skel
int arg_writable_var = 0; // writable var
int arg_keep_var_tmp = 0; // don't overwrite /var/tmp
int arg_writable_run_user = 0; // writable /run/user
@ -1975,6 +1976,9 @@ int main(int argc, char **argv, char **envp) {
else if (strcmp(argv[i], "--keep-config-pulse") == 0) {
arg_keep_config_pulse = 1;
}
else if (strcmp(argv[i], "--keep-shell-rc") == 0) {
arg_keep_shell_rc = 1;
}
else if (strcmp(argv[i], "--writable-var") == 0) {
arg_writable_var = 1;
}


@ -1235,6 +1235,11 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
return 0;
}
if (strcmp(ptr, "keep-shell-rc") == 0) {
arg_keep_shell_rc = 1;
return 0;
}
// writable-var
if (strcmp(ptr, "writable-var") == 0) {
arg_writable_var = 1;
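Review bot: The new `keep-shell-rc` entry has no section comment, while the neighbouring entries carry one (`// writable-var` heads the entry that follows); add `// keep-shell-rc` above `if (strcmp(ptr, "keep-shell-rc") == 0) {` for consistency with the rest of the file. profile_check_line starts and ends outside the hunk.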


@ -129,6 +129,7 @@ static char *usage_str =
" --keep-config-pulse - disable automatic ~/.config/pulse init.\n"
" --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n"
" --keep-fd - inherit open file descriptors to sandbox.\n"
" --keep-shell-rc - do not copy shell rc files from /etc/skel\n"
" --keep-var-tmp - /var/tmp directory is untouched.\n"
" --list - list all sandboxes.\n"
#ifdef HAVE_FILE_TRANSFER
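Review bot: The new usage line lacks the trailing period that every neighbouring entry (--keep-config-pulse, --keep-dev-shm, --keep-fd, --keep-var-tmp) ends with; change it to `" --keep-shell-rc - do not copy shell rc files from /etc/skel.\n"`. The usage_str literal starts and ends outside the hunk.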


@ -288,6 +288,9 @@ pulse servers or non-standard socket paths.
\fBkeep-dev-shm
/dev/shm directory is untouched (even with private-dev).
.TP
\fBkeep-shell-rc
Do not copy shell rc files (such as ~/.bashrc and ~/.zshrc) from /etc/skel.
.TP
\fBkeep-var-tmp
/var/tmp directory is untouched.
.TP


@ -1223,6 +1223,14 @@ Example:
.br
$ firejail --keep-fd=3,4,5
.TP
\fB\-\-keep-shell-rc
By default, when using a private home directory, firejail copies files from the
system's user home template (/etc/skel) into it, which overrides attempts to
whitelist the original files (such as ~/.bashrc and ~/.zshrc).
This option disables this feature, and enables the user to whitelist the
original files.
.TP
\fB\-\-keep-var-tmp
/var/tmp directory is untouched.


@ -104,6 +104,7 @@ _firejail_args=(
'--keep-config-pulse[disable automatic ~/.config/pulse init]'
'--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]'
'--keep-fd[inherit open file descriptors to sandbox]: :'
'--keep-shell-rc[do not copy shell rc files from /etc/skel]'
'--keep-var-tmp[/var/tmp directory is untouched]'
'--machine-id[spoof /etc/machine-id with a random id]'
'--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]'