
Merge pull request #5595 from kmk3/rename-etc-no-blacklisted
Rename etc-no-blacklisted to etc-hide-blacklisted
netblue30 authored Jan 16, 2023
2 parents 0447f0e + 91cbbe1 commit bced772
Showing 5 changed files with 11 additions and 9 deletions.
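--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -78,8 +78,9 @@
 # Enable or disable overlayfs features, default enabled.
 # overlayfs yes
 
-# Hide blacklisted files in /etc directory, default disabled.
-# etc-no-blacklisted no
+# Hide blacklisted files in /etc directory (enabling this may break
+# /etc/resolv.conf; see #5010), default disabled.
+# etc-hide-blacklisted no
 
 # Set the limit for file copy in several --private-* options. The size is set
 # in megabytes. By default we allow up to 500MB.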
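--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -51,7 +51,7 @@ int checkcfg(int val) {
 cfg_val[i] = 1; // most of them are enabled by default
 cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default
 cfg_val[CFG_FORCE_NONEWPRIVS] = 0;
-cfg_val[CFG_ETC_NO_BLACKLISTED] = 0;
+cfg_val[CFG_ETC_HIDE_BLACKLISTED] = 0;
 cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0;
 cfg_val[CFG_FIREJAIL_PROMPT] = 0;
 cfg_val[CFG_DISABLE_MNT] = 0;
@@ -116,7 +116,7 @@ int checkcfg(int val) {
 PARSE_YESNO(CFG_TRACELOG, "tracelog")
 PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title")
 PARSE_YESNO(CFG_OVERLAYFS, "overlayfs")
-PARSE_YESNO(CFG_ETC_NO_BLACKLISTED, "etc-no-blacklisted")
+PARSE_YESNO(CFG_ETC_HIDE_BLACKLISTED, "etc-hide-blacklisted")
 PARSE_YESNO(CFG_PRIVATE_BIN, "private-bin")
 PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local")
 PARSE_YESNO(CFG_PRIVATE_CACHE, "private-cache")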
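Review bot: The second hunk removes the old key `etc-no-blacklisted` from the parser without keeping it as an alias, so an existing firejail.config that still says `etc-no-blacklisted yes` will no longer enable CFG_ETC_HIDE_BLACKLISTED after upgrade; how checkcfg treats an unrecognized key is outside the hunk, so the result is either a startup error or a silent loss of the /etc hiding, depending on that path. For a hardening option the quiet downgrade is the worse outcome, and nothing in the commit warns the user. Assuming PARSE_YESNO can be listed twice for the same index, keeping the old spelling mapped to the new slot, `PARSE_YESNO(CFG_ETC_HIDE_BLACKLISTED, "etc-no-blacklisted") // deprecated alias, kept for old configs`, or at least printing a deprecation warning when the old key is seen, would cover it. The body of checkcfg starts and ends outside both hunks.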
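--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -811,7 +811,7 @@ enum {
 CFG_FORCE_NONEWPRIVS,
 CFG_XEPHYR_WINDOW_TITLE,
 CFG_OVERLAYFS,
-CFG_ETC_NO_BLACKLISTED,
+CFG_ETC_HIDE_BLACKLISTED,
 CFG_PRIVATE_BIN,
 CFG_PRIVATE_BIN_NO_LOCAL,
 CFG_PRIVATE_CACHE,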
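--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -162,7 +162,7 @@ static void disable_file(OPERATION op, const char *filename) {
 fs_logger2("blacklist-nolog", fname);
 
 // files in /etc will be reprocessed during /etc rebuild
-if (checkcfg(CFG_ETC_NO_BLACKLISTED) && strncmp(fname, "/etc/", 5) == 0) {
+if (checkcfg(CFG_ETC_HIDE_BLACKLISTED) && strncmp(fname, "/etc/", 5) == 0) {
 ProfileEntry *prf = malloc(sizeof(ProfileEntry));
 if (!prf)
 errExit("malloc");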
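--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -265,9 +265,10 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
 void fs_rebuild_etc(void) {
 int have_dhcp = 1;
 if (cfg.dns1 == NULL && !any_dhcp()) {
-// this function has the effect that updates to files using rename(2) don't propagate into the sandbox
-// avoid this in the default setting, in order to not break /etc/resolv.conf (issue #5010)
-if (!checkcfg(CFG_ETC_NO_BLACKLISTED))
+// Disabling this option ensures that updates to files using
+// rename(2) propagate into the sandbox, in order to avoid
+// breaking /etc/resolv.conf (issue #5010).
+if (!checkcfg(CFG_ETC_HIDE_BLACKLISTED))
 return;
 have_dhcp = 0;
 }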
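Review bot: The rewritten comment in fs_rebuild_etc reads as if disabling etc-hide-blacklisted always preserves rename(2)-based updates, but the check sits inside `if (cfg.dns1 == NULL && !any_dhcp())`, so the early return only applies when no --dns server and no DHCP are configured; with either set the function falls past the block and rebuilds /etc regardless of the option (the remainder of the function is outside the hunk). Suggest stating the scope, e.g. `// Without --dns/DHCP, skip the rebuild unless etc-hide-blacklisted is set, so rename(2)-based updates to the host's /etc/resolv.conf keep propagating (issue #5010).` The same qualifier would make the new description in etc/firejail.config more accurate, since it currently says only that enabling the option "may break /etc/resolv.conf".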
