Template addition

src/firejail/dbus.c

@@ -41,7 +41,7 @@
 #define DBUS_USER_DIR_FORMAT RUN_FIREJAIL_DBUS_DIR "/%d"
 #define DBUS_USER_PROXY_SOCKET_FORMAT DBUS_USER_DIR_FORMAT "/%d-user"
 #define DBUS_SYSTEM_PROXY_SOCKET_FORMAT DBUS_USER_DIR_FORMAT "/%d-system"
-#define DBUS_MAX_NAME_LENGTH 255
+// moved to firejail.h - #define DBUS_MAX_NAME_LENGTH 255
 // moved to include/common.h - #define XDG_DBUS_PROXY_PATH "/usr/bin/xdg-dbus-proxy"
 
 static pid_t dbus_proxy_pid = 0;
@@ -561,4 +561,4 @@ void dbus_apply_policy(void) {
 
 	fwarning("An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.\n");
 }
-#endif // HAVE_DBUSPROXY
+#endif // HAVE_DBUSPROXY

src/firejail/firejail.h

@@ -454,6 +454,7 @@ char *profile_list_slice(char *pos, char **ppos);
 char *profile_list_normalize(char *list);
 char *profile_list_compress(char *list);
 void profile_list_augment(char **list, const char *items);
+void profile_read_file_list();
 
 // list.c
 void list(void);
@@ -862,6 +863,8 @@ void set_x11_run_file(pid_t pid, int display);
 void set_profile_run_file(pid_t pid, const char *fname);
 
 // dbus.c
+#define DBUS_MAX_NAME_LENGTH 255
+
 int dbus_check_name(const char *name);
 int dbus_check_call_rule(const char *name);
 void dbus_check_profile(void);
@@ -880,4 +883,10 @@ void dhcp_start(void);
 // selinux.c
 void selinux_relabel_path(const char *path, const char *inside_path);
 
+// template.c
+void check_template(char *arg);
+int template_requires_expansion(char *arg);
+char *template_replace_keys(char *arg);
+void template_print_all();
+void template_cleanup();
 #endif

src/firejail/main.c

@@ -2598,6 +2598,11 @@ int main(int argc, char **argv, char **envp) {
 				exit_err_feature("networking");
 		}
 #endif
+		else if (strncmp(argv[i], "--template=", 11) == 0) {
+			char *arg = strdup(argv[i] + 11); // Parse key in check_template()
+			check_template(arg);
+			free(arg);
+		}
 		//*************************************
 		// command
 		//*************************************
@@ -2732,6 +2737,12 @@ int main(int argc, char **argv, char **envp) {
 			break;
 		}
 	}
+
+	// Prints templates only if arg_debug is set
+	template_print_all();
+
+	profile_read_file_list();
+
 	EUID_ASSERT();
 
 	// exit chroot, overlay and appimage sandboxes when caps are explicitly specified on command line
@@ -2849,6 +2860,9 @@ int main(int argc, char **argv, char **envp) {
 	}
 	EUID_ASSERT();
 
+	// Templates are no longer needed as profile files are read
+	template_cleanup();
+
 	// block X11 sockets
 	if (arg_x11_block)
 		x11_block();

src/firejail/profile.c

@@ -26,6 +26,18 @@ extern char *xephyr_screen;
 
 #define MAX_READ 8192				  // line buffer for profile files
 
+typedef struct profile_file_name_t {
+	char *fname;
+	struct profile_file_name_t *next;
+} ProfileFileName;
+
+// This is initially set to make profile_read() to add the profile filename
+// to a list of profiles that are to be read after arguments have been
+// processed and templates are set in order to replace any template key
+// existing in the profile lines.
+static int read_profiles = 0;
+static ProfileFileName *profile_file_name_list = NULL;
+
 // find and read the profile specified by name from dir directory
 // return  1 if a profile was found
 static int profile_find(const char *name, const char *dir, int add_ext) {
@@ -1643,6 +1655,27 @@ void profile_add(char *str) {
 	ptr->next = prf;
 }
 
+// Prepends entries to profile_file_name_list for later reading of the files
+// List is reversed when the file list is processed to provide correct order
+void add_to_profile_file_name_list(const char *fname)
+{
+	ProfileFileName *pfn;
+
+	if (!fname || !*fname)
+		return;
+
+	//if (arg_debug)
+		printf("Add profile \"%s\" to list\n", fname);
+
+	pfn = malloc(sizeof(ProfileFileName));
+	if (!pfn)
+		errExit("malloc");
+
+	pfn->fname = strdup(fname);
+	pfn->next = profile_file_name_list;
+	profile_file_name_list = pfn;
+}
+
 // read a profile file
 static int include_level = 0;
 void profile_read(const char *fname) {
@@ -1691,6 +1724,11 @@ void profile_read(const char *fname) {
 		}
 	}
 
+	if (!read_profiles) {
+		add_to_profile_file_name_list(fname);
+		return;
+	}
+
 	// open profile file:
 	FILE *fp = fopen(fname, "r");
 	if (fp == NULL) {
@@ -1735,6 +1773,40 @@ void profile_read(const char *fname) {
 			msg_printed = 1;
 		}
 
+		// Replace all template keys on line if at least one non-
+		// hardcoded or not internally used is found. Since templates
+		// can be used anywhere process the keys before include.
+		char *ptr_expanded;
+
+		switch (template_requires_expansion(ptr)) {
+		case -EINVAL:
+			fprintf(stderr, "Ignoring line \"%s\", as it "
+					"contains invalid template keys\n",
+					ptr);
+			free(ptr);
+			continue;
+		case 0:
+			break;
+		case 1:
+			ptr_expanded = template_replace_keys(ptr);
+			if (ptr_expanded == NULL) {
+				fprintf(stderr, "Ignoring line \"%s\"\n", ptr);
+				free(ptr);
+				continue;
+			}
+
+			if (arg_debug)
+				printf("template keys expanded: \"%s\"\n",
+								ptr_expanded);
+
+			free(ptr);
+			ptr = ptr_expanded;
+
+			break;
+		default:
+			break;
+		}
+
 		// process include
 		if (strncmp(ptr, "include ", 8) == 0 && !is_in_ignore_list(ptr)) {
 			include_level++;
@@ -1779,6 +1851,49 @@ void profile_read(const char *fname) {
 	fclose(fp);
 }
 
+static ProfileFileName *reverse_read_file_list(ProfileFileName *head)
+{
+	ProfileFileName *curr = head;
+	ProfileFileName *prev = NULL;
+	ProfileFileName *next = NULL;
+
+	while (curr) {
+		next = curr->next;
+		curr->next = prev;
+		prev = curr;
+		curr = next;
+	}
+
+	return prev;
+}
+
+void profile_read_file_list()
+{
+	ProfileFileName *iter;
+	ProfileFileName *temp;
+
+	read_profiles = 1;
+
+	// Profile files are prepended to the list, reverse the list to
+	// read profile files in given order. Get the beginning of the
+	// reverse list and free each element as they are processed.
+	iter = reverse_read_file_list(profile_file_name_list);
+	while (iter) {
+		if (arg_debug)
+			printf("Read profile \"%s\"\n", iter->fname);
+
+		profile_read(iter->fname);
+
+		temp = iter;
+		iter = iter->next;
+
+		free(temp->fname);
+		free(temp);
+	}
+
+	profile_file_name_list = NULL;
+}
+
 char *profile_list_slice(char *pos, char **ppos)
 {
 	/* Extract token from comma separated list.