firecfg: add ignore command and docs
Add ignore command (`!PROGRAM`), as suggested by @WhyNotHugo[1].

It prevents firecfg from creating a symlink for the given program.

Also, document the paths used and the config file syntax.

Note that `/etc/firejail/firecfg.d/*.conf` files are parsed before
/etc/firejail/firecfg.config, so the former can ignore/override any item
in the latter.

Closes netblue30#2097.

[1] netblue30#2097 (comment)
kmk3 committed Aug 4, 2023
1 parent 2993298 commit ef6cfb8
Showing 2 changed files with 97 additions and 5 deletions.
45 changes: 44 additions & 1 deletion src/firecfg/main.c
@@ -143,6 +143,40 @@ static void clean(void) {
printf("\n");
}

#define ignorelist_maxlen 2048
static const char *ignorelist[ignorelist_maxlen];
static int ignorelist_len = 0;

static int append_ignorelist(const char *const str) {
assert(str);
if (ignorelist_len >= ignorelist_maxlen) {
fprintf(stderr, "Warning: Ignore list is full (%d/%d), skipping %s\n",
ignorelist_len, ignorelist_maxlen, str);
return 0;
}

printf(" ignoring '%s'\n", str);
const char *const dup = strdup(str);
if (!dup)
errExit("strdup");

ignorelist[ignorelist_len] = dup;
ignorelist_len++;

return 1;
}

static int in_ignorelist(const char *const str) {
assert(str);
int i;
for (i = 0; i < ignorelist_len; i++) {
if (strcmp(str, ignorelist[i]) == 0)
return 1;
}

return 0;
}

static void set_file(const char *name, const char *firejail_exec) {
if (which(name) == 0)
return;
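Review bot: the return value of `append_ignorelist()` is ignored by its caller in `set_links_firecfg()` (second hunk), so when the table is full the function only prints a warning to stderr and the program named on that `!` line is still symlinked later, because `in_ignorelist()` never sees it; either make the function `void` or have the caller act on a `0` return. Two smaller points in the same hunk: `append_ignorelist()` does not check whether `str` is already present, so a repeated `!PROGRAM` line consumes another slot in the fixed 2048-entry table and prints `ignoring '...'` again; and `assert()` and `strdup()` need `<assert.h>` and `<string.h>`, which are not visible in the hunk, so confirm they are already included in main.c. Style: `ignorelist_maxlen` is a macro but is spelled lowercase, unlike `FIREJAIL_EXEC` used in the same file.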
@@ -206,8 +240,17 @@ static void set_links_firecfg(const char *cfgfile) {
if (*start == '\0')
continue;

// handle ignore command
if (*start == '!') {
append_ignorelist(start + 1);
continue;
}

// set link
set_file(start, FIREJAIL_EXEC);
if (!in_ignorelist(start))
set_file(start, FIREJAIL_EXEC);
else
printf(" %s ignored\n", start);
}

fclose(fp);
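Review bot: ordering is not handled: an `!PROGRAM` line only suppresses `PROGRAM` entries parsed after it, because `set_file()` is called immediately as each line is read, so `PROGRAM` followed by `!PROGRAM` in the same file, or `!PROGRAM` in firecfg.config when a firecfg.d/*.conf file already listed `PROGRAM`, still creates the symlink. Either collect the ignore list in a first pass before creating any links, or state the constraint explicitly in the man page's SYNTAX section. Also, a line consisting of just `!` reaches `append_ignorelist(start + 1)` with an empty string and occupies a slot; skipping it (or warning) would match the existing `if (*start == '\0') continue;` handling of empty lines.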
57 changes: 53 additions & 4 deletions src/man/firecfg.1.in
@@ -29,9 +29,13 @@ Note: The examples use \fBsudo\fR, but \fBdoas\fR is also supported.
To set it up, run "sudo firecfg" after installing Firejail software.
The same command should also be run after
installing new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin
will be created. For a full list of programs supported by default run "cat /etc/firejail/firecfg.config".

For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR.
will be created.
.PP
To configure the list of programs used by firecfg when creating symlinks, see
\fBFILES\fR and \fBSYNTAX\fR.
.PP
For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in
\fBman 1 firejail\fR.
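Review bot: grammar in the re-wrapped sentence: `see \fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR` wants an article, i.e. `see the \fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR`. The pointer to \fBFILES\fR and \fBSYNTAX\fR is fine as a replacement for the removed `cat /etc/firejail/firecfg.config` hint, provided FILES keeps naming that file as the default list.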
.SH DEFAULT ACTIONS
The following actions are implemented by default by running sudo firecfg:

@@ -135,8 +139,53 @@ $ sudo firecfg --clean
/usr/local/bin/vlc removed
.br
[...]
.SH FILES
.PP
Configuration files are searched for and parsed in the following paths:
.PP
.RS
1. /etc/firejail/firecfg.d/*.conf (in alphabetical order)
.br
2. /etc/firejail/firecfg.config
.RE
.PP
The programs that are supported by default are listed in
/etc/firejail/firecfg.config.
It is recommended to leave it as is and put all customizations inside
/etc/firejail/firecfg.d/.
.PP
Profile files are also searched in the user configuration directory:
.PP
.RS
3. ~/.config/firejail/*.profile
.RE
.PP
For every \fBPROGRAM.profile\fR file found, firecfg attempts to create a
symlink for "PROGRAM", as if "PROGRAM" was listed in a configuration file.
.SH SYNTAX
Configuration file syntax:
.PP
A line that starts with \fB#\fR is considered a comment.
.br
A line that starts with \fB!PROGRAM\fR means to ignore "PROGRAM" when creating
symlinks.
.br
A line that starts with anything else is considered to be the name of an
executable and firecfg will attempt to create a symlink for it.
.PP
For example, to prevent firecfg from creating symlinks for "firefox" and
"patch" while attempting to create a symlink for "myprog", the following lines
could be added to /etc/firejail/firecfg.d/10-my.conf:
.PP
.RS
!firefox
.br
!patch
.br


.br
myprog
.RE
.SH LICENSE
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
.PP
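Review bot: SYNTAX leaves two behaviours undocumented that the example relies on. First, empty lines: the example at the end of SYNTAX contains two empty lines between `!patch` and `myprog`, and the parser skips them (`if (*start == '\0') continue;` in main.c), so either say that empty lines are ignored or drop them from the example; as written, the empty input lines inside `.RS` also render as blank output lines in troff. Second, ordering: `!PROGRAM` only affects entries parsed after it, which is the reason FILES lists firecfg.d/*.conf before firecfg.config, and SYNTAX should say so. Please also state whether `!PROGRAM` suppresses the symlink derived from `~/.config/firejail/PROGRAM.profile` (item 3 in FILES), since that paragraph says such a profile is treated "as if PROGRAM was listed in a configuration file". Minor wording: "Profile files are also searched in" should be "searched for in", and "as if "PROGRAM" was listed" should be "were listed".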