opt-in: skip blacklisted files in private-etc - #5010, #5230

2026-05-15 14:16:14 -06:00 · 2023-01-15 16:21:52 +01:00 · 2023-01-15 16:21:52 +01:00 · ded50200e0
commit ded50200e0
parent 15011a6d82
5 changed files with 13 additions and 2 deletions
--- a/etc/firejail.config
+++ b/etc/firejail.config
@ -78,6 +78,9 @@
 # Enable or disable overlayfs features, default enabled.
 # overlayfs yes

+# Hide blacklisted files in /etc directory, default disabled.
+# etc-no-blacklisted no
+
 # Set the limit for file copy in several --private-* options. The size is set
 # in megabytes. By default we allow up to 500MB.
 # Note: the files are copied in RAM.
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@ -51,6 +51,7 @@ int checkcfg(int val) {
 			cfg_val[i] = 1; // most of them are enabled by default
 		cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default
 		cfg_val[CFG_FORCE_NONEWPRIVS] = 0;
+		cfg_val[CFG_ETC_NO_BLACKLISTED] = 0;
 		cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0;
 		cfg_val[CFG_FIREJAIL_PROMPT] = 0;
 		cfg_val[CFG_DISABLE_MNT] = 0;
@ -115,6 +116,7 @@ int checkcfg(int val) {
 			PARSE_YESNO(CFG_TRACELOG, "tracelog")
 			PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title")
 			PARSE_YESNO(CFG_OVERLAYFS, "overlayfs")
+			PARSE_YESNO(CFG_ETC_NO_BLACKLISTED, "etc-no-blacklisted")
 			PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin")
 			PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local")
 			PARSE_YESNO(CFG_PRIVATE_CACHE, "private-cache")
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@ -811,6 +811,7 @@ enum {
 	CFG_FORCE_NONEWPRIVS,
 	CFG_XEPHYR_WINDOW_TITLE,
 	CFG_OVERLAYFS,
+	CFG_ETC_NO_BLACKLISTED,
 	CFG_PRIVATE_BIN,
 	CFG_PRIVATE_BIN_NO_LOCAL,
 	CFG_PRIVATE_CACHE,
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@ -162,7 +162,7 @@ static void disable_file(OPERATION op, const char *filename) {
 				fs_logger2("blacklist-nolog", fname);

 			// files in /etc will be reprocessed during /etc rebuild
-			if (strncmp(fname, "/etc/", 5) == 0) {
+			if (checkcfg(CFG_ETC_NO_BLACKLISTED) && strncmp(fname, "/etc/", 5) == 0) {
 				ProfileEntry *prf = malloc(sizeof(ProfileEntry));
 				if (!prf)
 					errExit("malloc");
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@ -264,8 +264,13 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c

 void fs_rebuild_etc(void) {
 	int have_dhcp = 1;
-	if (cfg.dns1 == NULL && !any_dhcp())
+	if (cfg.dns1 == NULL && !any_dhcp()) {
+		// this function has the effect that updates to files using rename(2) don't propagate into the sandbox
+		// avoid this in the default setting, in order to not break /etc/resolv.conf (issue #5010)
+		if (!checkcfg(CFG_ETC_NO_BLACKLISTED))
+			return;
 		have_dhcp = 0;
+	}

 	if (arg_debug)
 		printf("rebuilding /etc directory\n");