firecfg: add ignore command and docs
Add ignore command (`!PROGRAM`), as suggested by @WhyNotHugo[1]. It prevents firecfg from creating a symlink for the given program. Also, document the paths used and the config file syntax. Note that `/etc/firejail/firecfg.d/*.conf` files are parsed before /etc/firejail/firecfg.config, so the former can ignore/override any item in the latter. Closes #2097. [1] https://github.com/netblue30/firejail/issues/2097#issuecomment-1179160459
parent
2993298aaa
commit
ef6cfb8a22
2 changed files with 97 additions and 5 deletions
@ -143,6 +143,40 @@ static void clean(void) {
|
|||
printf("\n");
|
||||
}
|
||||
|
||||
#define ignorelist_maxlen 2048
|
||||
static const char *ignorelist[ignorelist_maxlen];
|
||||
static int ignorelist_len = 0;
|
||||
|
||||
static int append_ignorelist(const char *const str) {
|
||||
assert(str);
|
||||
if (ignorelist_len >= ignorelist_maxlen) {
|
||||
fprintf(stderr, "Warning: Ignore list is full (%d/%d), skipping %s\n",
|
||||
ignorelist_len, ignorelist_maxlen, str);
|
||||
return 0;
|
||||
}
|
||||
|
||||
printf(" ignoring '%s'\n", str);
|
||||
const char *const dup = strdup(str);
|
||||
if (!dup)
|
||||
errExit("strdup");
|
||||
|
||||
ignorelist[ignorelist_len] = dup;
|
||||
ignorelist_len++;
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int in_ignorelist(const char *const str) {
|
||||
assert(str);
|
||||
int i;
|
||||
for (i = 0; i < ignorelist_len; i++) {
|
||||
if (strcmp(str, ignorelist[i]) == 0)
|
||||
return 1;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static void set_file(const char *name, const char *firejail_exec) {
|
||||
if (which(name) == 0)
|
||||
return;
|
||||
|
|
@ -206,8 +240,17 @@ static void set_links_firecfg(const char *cfgfile) {
|
|||
if (*start == '\0')
|
||||
continue;
|
||||
|
||||
// handle ignore command
|
||||
if (*start == '!') {
|
||||
append_ignorelist(start + 1);
|
||||
continue;
|
||||
}
|
||||
|
||||
// set link
|
||||
set_file(start, FIREJAIL_EXEC);
|
||||
if (!in_ignorelist(start))
|
||||
set_file(start, FIREJAIL_EXEC);
|
||||
else
|
||||
printf(" %s ignored\n", start);
|
||||
}
|
||||
|
||||
fclose(fp);
|
||||
|
|
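Review bot: The ignore check in set_links_firecfg only protects programs parsed after the `!PROGRAM` line, because set_file() is called as soon as a program line is read (the `if (!in_ignorelist(start))` branch) while the list is filled at parse time, so a `!firefox` placed after `firefox` in the same file, or in /etc/firejail/firecfg.config when the program was already listed in an earlier firecfg.d file, finds the symlink already created. That matches the firecfg.d-before-firecfg.config order stated in the description, but it is worth stating on the comment, e.g. `// handle ignore command (only affects programs parsed after this line)`, and in the man page SYNTAX section. In append_ignorelist (first hunk), a bare `!` line stores an empty string and repeated `!PROGRAM` lines store duplicates that each consume one of the 2048 slots; a guard such as `if (*str == '\0' || in_ignorelist(str)) return 0;` before the strdup would avoid both (in_ignorelist is defined below append_ignorelist, so it needs a forward declaration). Whether the ~/.config/firejail/*.profile path documented in the man page also consults in_ignorelist cannot be seen from these hunks; set_links_firecfg begins and ends outside the hunk.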
|
|||
|
|
@ -29,9 +29,13 @@ Note: The examples use \fBsudo\fR, but \fBdoas\fR is also supported.
|
|||
To set it up, run "sudo firecfg" after installing Firejail software.
|
||||
The same command should also be run after
|
||||
installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin
|
||||
will be created. For a full list of programs supported by default run "cat /etc/firejail/firecfg.config".
|
||||
|
||||
For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR.
|
||||
will be created.
|
||||
.PP
|
||||
To configure the list of programs used by firecfg when creating symlinks, see
|
||||
\fBFILES\fR and \fBSYNTAX\fR.
|
||||
.PP
|
||||
For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in
|
||||
\fBman 1 firejail\fR.
|
||||
.SH DEFAULT ACTIONS
|
||||
The following actions are implemented by default by running sudo firecfg:
|
||||
|
||||
|
|
@ -135,8 +139,53 @@ $ sudo firecfg --clean
|
|||
/usr/local/bin/vlc removed
|
||||
.br
|
||||
[...]
|
||||
.SH FILES
|
||||
.PP
|
||||
Configuration files are searched for and parsed in the following paths:
|
||||
.PP
|
||||
.RS
|
||||
1. /etc/firejail/firecfg.d/*.conf (in alphabetical order)
|
||||
.br
|
||||
2. /etc/firejail/firecfg.config
|
||||
.RE
|
||||
.PP
|
||||
The programs that are supported by default are listed in
|
||||
/etc/firejail/firecfg.config.
|
||||
It is recommended to leave it as is and put all customizations inside
|
||||
/etc/firejail/firecfg.d/.
|
||||
.PP
|
||||
Profile files are also searched in the user configuration directory:
|
||||
.PP
|
||||
.RS
|
||||
3. ~/.config/firejail/*.profile
|
||||
.RE
|
||||
.PP
|
||||
For every \fBPROGRAM.profile\fR file found, firecfg attempts to create a
|
||||
symlink for "PROGRAM", as if "PROGRAM" was listed in a configuration file.
|
||||
.SH SYNTAX
|
||||
Configuration file syntax:
|
||||
.PP
|
||||
A line that starts with \fB#\fR is considered a comment.
|
||||
.br
|
||||
A line that starts with \fB!PROGRAM\fR means to ignore "PROGRAM" when creating
|
||||
symlinks.
|
||||
.br
|
||||
A line that starts with anything else is considered to be the name of an
|
||||
executable and firecfg will attempt to create a symlink for it.
|
||||
.PP
|
||||
For example, to prevent firecfg from creating symlinks for "firefox" and
|
||||
"patch" while attempting to create a symlink for "myprog", the following lines
|
||||
could be added to /etc/firejail/firecfg.d/10-my.conf:
|
||||
.PP
|
||||
.RS
|
||||
!firefox
|
||||
.br
|
||||
!patch
|
||||
.br
|
||||
|
||||
|
||||
.br
|
||||
myprog
|
||||
.RE
|
||||
.SH LICENSE
|
||||
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
|
||||
.PP
|
||||