-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[firejail] Implement template support. OMP#JOLLA-88 JB#54034
Add two patches which change profile loading to be delayed until all arguments are parsed. This is due to the template key replacement, since templates are to be given as arguments as well. Each line in the profile line is checked and if one template is found they are replaced with the corresponding value. If no changes are required the profile line is untouched.
- Loading branch information
1 parent
2b54b75
commit 6b9a766
Showing
3 changed files
with
848 additions
and
0 deletions.
There are no files selected for viewing
149 changes: 149 additions & 0 deletions
149
rpm/0011-Add-profile-files-to-a-list-when-processing-argument.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,149 @@ | ||
| From 8452f4ebf0299a14ce0bfd6ce8d0c83b19f573ac Mon Sep 17 00:00:00 2001 | ||
| From: Jussi Laakkonen <[email protected]> | ||
| Date: Mon, 17 May 2021 17:33:30 +0300 | ||
| Subject: [PATCH 1/2] Add profile files to a list when processing arguments | ||
|
|
||
| Do not read the profile files when processing arguments. Instead append | ||
| them to a list that is processed after the arguments are processed in | ||
| order to be able to replace all template keys in the profile file lines. | ||
| Each item in the list is free'd after it has been processed. | ||
| --- | ||
| src/firejail/firejail.h | 1 + | ||
| src/firejail/main.c | 3 ++ | ||
| src/firejail/profile.c | 73 +++++++++++++++++++++++++++++++++++++++++ | ||
| 3 files changed, 77 insertions(+) | ||
|
|
||
| diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h | ||
| index e4eebe62..5ac874e0 100644 | ||
| --- a/src/firejail/firejail.h | ||
| +++ b/src/firejail/firejail.h | ||
| @@ -454,6 +454,7 @@ char *profile_list_slice(char *pos, char **ppos); | ||
| char *profile_list_normalize(char *list); | ||
| char *profile_list_compress(char *list); | ||
| void profile_list_augment(char **list, const char *items); | ||
| +void profile_read_file_list(); | ||
|
|
||
| // list.c | ||
| void list(void); | ||
| diff --git a/src/firejail/main.c b/src/firejail/main.c | ||
| index 4a367d7e..88b99de7 100644 | ||
| --- a/src/firejail/main.c | ||
| +++ b/src/firejail/main.c | ||
| @@ -2732,6 +2732,9 @@ int main(int argc, char **argv, char **envp) { | ||
| break; | ||
| } | ||
| } | ||
| + | ||
| + profile_read_file_list(); | ||
| + | ||
| EUID_ASSERT(); | ||
|
|
||
| // exit chroot, overlay and appimage sandboxes when caps are explicitly specified on command line | ||
| diff --git a/src/firejail/profile.c b/src/firejail/profile.c | ||
| index c57d8d26..d4bbef97 100644 | ||
| --- a/src/firejail/profile.c | ||
| +++ b/src/firejail/profile.c | ||
| @@ -26,6 +26,18 @@ extern char *xephyr_screen; | ||
|
|
||
| #define MAX_READ 8192 // line buffer for profile files | ||
|
|
||
| +typedef struct profile_file_name_t { | ||
| + char *fname; | ||
| + struct profile_file_name_t *next; | ||
| +} ProfileFileName; | ||
| + | ||
| +// This is initially set to make profile_read() to add the profile filename | ||
| +// to a list of profiles that are to be read after arguments have been | ||
| +// processed and templates are set in order to replace any template key | ||
| +// existing in the profile lines. | ||
| +static int read_profiles = 0; | ||
| +static ProfileFileName *profile_file_name_list = NULL; | ||
| + | ||
| // find and read the profile specified by name from dir directory | ||
| // return 1 if a profile was found | ||
| static int profile_find(const char *name, const char *dir, int add_ext) { | ||
| @@ -1643,6 +1655,38 @@ void profile_add(char *str) { | ||
| ptr->next = prf; | ||
| } | ||
|
|
||
| +// Appends entries to profile_file_name_list for later reading of the files | ||
| +void add_to_profile_file_name_list(const char *fname) | ||
| +{ | ||
| + ProfileFileName *pfn; | ||
| + ProfileFileName *iter; | ||
| + | ||
| + if (!fname || !*fname) | ||
| + return; | ||
| + | ||
| + if (arg_debug) | ||
| + printf("add profile \"%s\" to list\n", fname); | ||
| + | ||
| + pfn = malloc(sizeof(ProfileFileName)); | ||
| + if (!pfn) | ||
| + errExit("malloc"); | ||
| + | ||
| + pfn->fname = strdup(fname); | ||
| + pfn->next = NULL; | ||
| + | ||
| + if (!profile_file_name_list) { | ||
| + profile_file_name_list = pfn; | ||
| + return; | ||
| + } | ||
| + | ||
| + // Add to the end as order of the profiles may be relevant. | ||
| + iter = profile_file_name_list; | ||
| + while (iter->next) | ||
| + iter = iter->next; | ||
| + | ||
| + iter->next = pfn; | ||
| +} | ||
| + | ||
| // read a profile file | ||
| static int include_level = 0; | ||
| void profile_read(const char *fname) { | ||
| @@ -1691,6 +1735,11 @@ void profile_read(const char *fname) { | ||
| } | ||
| } | ||
|
|
||
| + if (!read_profiles) { | ||
| + add_to_profile_file_name_list(fname); | ||
| + return; | ||
| + } | ||
| + | ||
| // open profile file: | ||
| FILE *fp = fopen(fname, "r"); | ||
| if (fp == NULL) { | ||
| @@ -1779,6 +1828,30 @@ void profile_read(const char *fname) { | ||
| fclose(fp); | ||
| } | ||
|
|
||
| +void profile_read_file_list() | ||
| +{ | ||
| + ProfileFileName *iter; | ||
| + ProfileFileName *temp; | ||
| + | ||
| + read_profiles = 1; | ||
| + | ||
| + iter = profile_file_name_list; | ||
| + while (iter) { | ||
| + if (arg_debug) | ||
| + printf("Read profile \"%s\"\n", iter->fname); | ||
| + | ||
| + profile_read(iter->fname); | ||
| + | ||
| + temp = iter; | ||
| + iter = iter->next; | ||
| + | ||
| + free(temp->fname); | ||
| + free(temp); | ||
| + } | ||
| + | ||
| + profile_file_name_list = NULL; | ||
| +} | ||
| + | ||
| char *profile_list_slice(char *pos, char **ppos) | ||
| { | ||
| /* Extract token from comma separated list. | ||
| -- | ||
| 2.20.1 | ||
|
|
Oops, something went wrong.