opt-in: skip blacklisted files in private-etc - netblue30#5010, netbl…
smitsohu committed Jan 15, 2023
1 parent 15011a6 commit 76e2829
Showing 4 changed files with 7 additions and 1 deletion.
3 changes: 3 additions & 0 deletions etc/firejail.config
Expand Up @@ -95,6 +95,9 @@
# Enable or disable private-etc feature, default enabled.
# private-etc yes

# Remove blacklisted files from private-etc list, default disabled.
# private-etc-no-blacklisted no

# Enable or disable private-home feature, default enabled
# private-home yes

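Review bot: The new key's comment states the action but not what the default costs: with `private-etc-no-blacklisted no`, the guarded branch in src/firejail/fs.c no longer records blacklisted /etc paths for the /etc rebuild, so a profile's `blacklist /etc/...` entries may no longer be reflected in the private /etc copy on a default install (inferred; the rebuild code itself is not visible in this commit). An administrator reading firejail.config should be told that, because it changes what a profile's blacklist guarantees once private-etc is in use. Suggest a second comment line under the key, e.g. `# When disabled, blacklist entries for files under /etc are not re-applied to the private /etc copy.`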
2 changes: 2 additions & 0 deletions src/firejail/checkcfg.c
Expand Up @@ -52,6 +52,7 @@ int checkcfg(int val) {
cfg_val[CFG_RESTRICTED_NETWORK] = 0; // disabled by default
cfg_val[CFG_FORCE_NONEWPRIVS] = 0;
cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0;
cfg_val[CFG_PRIVATE_ETC_NO_BLACKLISTED] = 0;
cfg_val[CFG_FIREJAIL_PROMPT] = 0;
cfg_val[CFG_DISABLE_MNT] = 0;
cfg_val[CFG_ARP_PROBES] = DEFAULT_ARP_PROBES;
Expand Down Expand Up @@ -119,6 +120,7 @@ int checkcfg(int val) {
PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local")
PARSE_YESNO(CFG_PRIVATE_CACHE, "private-cache")
PARSE_YESNO(CFG_PRIVATE_ETC, "private-etc")
PARSE_YESNO(CFG_PRIVATE_ETC_NO_BLACKLISTED, "private-etc-no-blacklisted")
PARSE_YESNO(CFG_PRIVATE_HOME, "private-home")
PARSE_YESNO(CFG_PRIVATE_LIB, "private-lib")
PARSE_YESNO(CFG_PRIVATE_OPT, "private-opt")
1 change: 1 addition & 0 deletions src/firejail/firejail.h
Expand Up @@ -815,6 +815,7 @@ enum {
CFG_PRIVATE_BIN_NO_LOCAL,
CFG_PRIVATE_CACHE,
CFG_PRIVATE_ETC,
CFG_PRIVATE_ETC_NO_BLACKLISTED,
CFG_PRIVATE_HOME,
CFG_PRIVATE_LIB,
CFG_PRIVATE_OPT,
2 changes: 1 addition & 1 deletion src/firejail/fs.c
Expand Up @@ -162,7 +162,7 @@ static void disable_file(OPERATION op, const char *filename) {
fs_logger2("blacklist-nolog", fname);

// files in /etc will be reprocessed during /etc rebuild
if (strncmp(fname, "/etc/", 5) == 0) {
if (checkcfg(CFG_PRIVATE_ETC_NO_BLACKLISTED) && strncmp(fname, "/etc/", 5) == 0) {
ProfileEntry *prf = malloc(sizeof(ProfileEntry));
if (!prf)
errExit("malloc");
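Review bot: The comment `// files in /etc will be reprocessed during /etc rebuild` is now stale, because the added `checkcfg(CFG_PRIVATE_ETC_NO_BLACKLISTED)` guard makes the recording conditional and checkcfg.c sets that option to 0 by default. Suggest `// with private-etc-no-blacklisted enabled, remember blacklisted /etc files so the /etc rebuild can remove them again; skipped by default`. Whether a blacklisted file can then reappear inside the rebuilt private /etc depends on the rebuild code, which is outside this hunk; if it can, the default silently weakens `blacklist` under `private-etc`, and a one-line warning when the option is off and an /etc path is blacklisted would make that visible to profile authors. disable_file starts and continues outside the hunk.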
