implemented --ignore option

2026-05-21 06:45:29 -06:00 · 2015-10-25 07:58:04 -04:00 · 2015-10-25 07:58:04 -04:00 · df6aa573c1
commit df6aa573c1
parent a1a651d9ea
7 changed files with 49 additions and 2 deletions
--- a/5
+++ b/5
@ -1,3 +1,8 @@
+firejail (0.9.33) baseline; urgency=low
+  * added --ignore option
+  * bugfixes
+ -- netblue30 <netblue30@yahoo.com>  current development
+
 firejail (0.9.32) baseline; urgency=low
  * added --interface option
  * added --mtu option
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@ -81,6 +81,8 @@ typedef struct config_t {
 	
 	// filesystem
 	ProfileEntry *profile;
+#define MAX_PROFILE_IGNORE 16	
+	char *profile_ignore[MAX_PROFILE_IGNORE];
 	char *chrootdir;	// chroot directory
 	char *home_private;	// private home directory
 	char *home_private_keep;	// keep list for private home directory
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@ -711,6 +711,26 @@ int main(int argc, char **argv) {
 			}
 			arg_noprofile = 1;
 		}
+		else if (strncmp(argv[i], "--ignore=", 9) == 0) {
+			char *ptr = argv[i] + 9;
+			if (*(argv[i] + 9) == '\0') {
+				fprintf(stderr, "Error: invalid ignore option\n");
+				exit(1);
+			}
+			
+			// find an empty entry in profile_ignore array
+			int j;
+			for (j = 0; j < MAX_PROFILE_IGNORE; j++) {
+				if (cfg.profile_ignore[j] == NULL) 
+					break;
+			}
+			if (j >= MAX_PROFILE_IGNORE) {
+				fprintf(stderr, "Error: maximum %d --ignore options are permitted\n", MAX_PROFILE_IGNORE);
+				exit(1);
+			}
+			// ... and configure it
+			cfg.profile_ignore[j] = argv[i] + 9;
+		}
 #ifdef HAVE_CHROOT		
 		else if (strncmp(argv[i], "--chroot=", 9) == 0) {
 			if (arg_overlay) {
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@ -66,6 +66,16 @@ int profile_find(const char *name, const char *dir) {
 // return 1 if the command is to be added to the linked list of profile commands
 // return 0 if the command was already executed inside the function
 int profile_check_line(char *ptr, int lineno) {
+	// check ignore list
+	int i;
+	for (i = 0; i < MAX_PROFILE_IGNORE; i++) {
+		if (cfg.profile_ignore[i] == NULL)
+			break;
+		
+		if (strncmp(ptr, cfg.profile_ignore[i], strlen(cfg.profile_ignore[i])) == 0)
+			return 0;	// ignore line
+	}
+
 	// seccomp, caps, private, user namespace
 	if (strcmp(ptr, "noroot") == 0) {
 		check_user_namespace();
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@ -476,7 +476,7 @@ int sandbox(void* sandbox_arg) {
 	if (arg_noroot) {
 		set_caps();
 		if (arg_debug)
-			printf("User namespace (noroot) installed\n");
+			printf("noroot user namespace installed\n");
 	}


--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@ -85,7 +85,7 @@ void usage(void) {
 	
 	printf("\t--help, -? - this help screen.\n\n");
 	printf("\t--hostname=name - set sandbox hostname.\n\n");
-	
+	printf("\t--ignore=command - ignore command in profile files.\n\n");
 	printf("\t--interface=name - move interface in a new network namespace. Up to\n");
 	printf("\t\tfour --interface options can be sepcified.\n\n");
 	
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@ -340,6 +340,16 @@ Example:
 .br
 $ firejail \-\-hostname=officepc firefox

+.TP
+\fB\-\-ignore=command
+Ignore command in profile file.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-ignore=shell --ignore=seccomp firefox
+
 .TP
 \fB\-\-interface=interface
 Move interface in a new network namespace. Up to four --interface options can be sepcified.