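// Block X11 for a sandbox started with --x11=block: mark the abstract X11
// socket for masking, blacklist the Unix socket directory and the Xauthority
// file(s) through the profile parser, and drop DISPLAY/XAUTHORITY from the
// environment. Compiled out entirely when HAVE_X11 is not defined.
void x11_block(void) {
#ifdef HAVE_X11
	mask_x11_abstract_socket = 1;
#if 0
	// check abstract socket presence and network namespace options
	// NOTE: disabled - while this is out, nothing here verifies that the
	// abstract socket is actually unreachable from the sandbox.
	if ((!arg_nonetwork && !cfg.bridge0.configured && !cfg.interface0.configured)
		&& x11_abstract_sockets_present()) {
		fprintf(stderr, "ERROR: --x11=block specified, but abstract X11 socket still accessible.\n"
						"Additional setup required. To block abstract X11 socket you can either:\n"
						" * use network namespace in firejail (--net=none, --net=...)\n"
						" * add \"-nolisten local\" to xserver options\n"
						"   (eg. to your display manager config, or /etc/X11/xinit/xserverrc)\n");
		exit(1);
	}
#endif

	// blacklist sockets. profile_add() keeps the pointer it is handed (see the
	// note on ptr in profile_read), so it needs its own heap copy; strdup()
	// can fail and that was previously passed through unchecked.
	profile_check_line("blacklist /tmp/.X11-unix", 0, NULL);
	char *sock_line = strdup("blacklist /tmp/.X11-unix");
	if (!sock_line)
		errExit("strdup");
	profile_add(sock_line);

	// blacklist .Xauthority: the default location first, then $XAUTHORITY if
	// the caller's environment points somewhere else. The resulting line is
	// validated by profile_check_line() like any other profile line.
	profile_check_line("blacklist ${HOME}/.Xauthority", 0, NULL);
	char *xauth_line = strdup("blacklist ${HOME}/.Xauthority");
	if (!xauth_line)
		errExit("strdup");
	profile_add(xauth_line);
	const char *xauthority = getenv("XAUTHORITY");
	if (xauthority) {
		char *line;
		if (asprintf(&line, "blacklist %s", xauthority) == -1)
			errExit("asprintf");
		profile_check_line(line, 0, NULL);
		profile_add(line);
	}

	// clear environment so the client cannot locate the display or the cookie
	env_store("DISPLAY", RMENV);
	env_store("XAUTHORITY", RMENV);
#endif
}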
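// Read a profile file and hand every directive to profile_check_line() and,
// when accepted, profile_add(). "include <file>" lines are followed
// recursively (with ${HOME} expanded), nested at most MAX_INCLUDE_LEVEL deep.
// An unreadable "*.local" override is silently skipped, and so is
// disable-devel.inc when --allow-debuggers is in effect; any other problem
// with the file is fatal.
void profile_read(const char *fname) {
	EUID_ASSERT();

	// exit program if maximum include level was reached
	if (include_level > MAX_INCLUDE_LEVEL) {
		fprintf(stderr, "Error: maximum profile include level was reached\n");
		exit(1);
	}

	// check file
	invalid_filename(fname);
	if (strlen(fname) == 0 || is_dir(fname)) {
		fprintf(stderr, "Error: invalid profile file\n");
		exit(1);
	}
	if (access(fname, R_OK)) {
		// a *.local override is optional: if it cannot be read, just skip it
		const char *base = gnu_basename(fname);
		const char *suffix = strstr(base, ".local");
		if (suffix && strlen(suffix) == 6)
			return;

		fprintf(stderr, "Error: cannot access profile file\n");
		exit(1);
	}

	// allow debuggers: disable-devel.inc is skipped entirely. Compare the
	// basename whether or not fname contains a '/'; matching only after a
	// '/' (as before) let a bare "disable-devel.inc" slip through.
	if (arg_allow_debuggers) {
		const char *base = strrchr(fname, '/');
		base = base ? base + 1 : fname;
		if (strcmp(base, "disable-devel.inc") == 0)
			return;
	}

	// open profile file:
	FILE *fp = fopen(fname, "r");
	if (fp == NULL) {
		fprintf(stderr, "Error: cannot open profile file %s\n", fname);
		exit(1);
	}

	int msg_printed = 0;

	// read the file line by line
	char buf[MAX_READ + 1];
	int lineno = 0;
	while (fgets(buf, MAX_READ, fp)) {
		++lineno;

		// fgets() returns at most MAX_READ - 1 bytes. A longer line used to be
		// split silently, its tail then parsed as a separate directive; treat
		// that as an error instead. The fgetc() peek distinguishes a line that
		// exactly fills the buffer at end of file from a truncated one.
		size_t len = strlen(buf);
		if (len == (size_t)(MAX_READ - 1) && buf[len - 1] != '\n' && fgetc(fp) != EOF) {
			fprintf(stderr, "Error: line %d in profile file %s is too long\n", lineno, fname);
			exit(1);
		}

		// remove empty space - ptr in allocated memory
		char *ptr = line_remove_spaces(buf);
		if (ptr == NULL)
			continue;

		// comments
		if (*ptr == '#' || *ptr == '\0') {
			free(ptr);
			continue;
		}

		// process quiet: suppresses the "Reading profile" message from here on
		if (strcmp(ptr, "quiet") == 0) {
			arg_quiet = 1;
			free(ptr);
			continue;
		}
		// printed once, at the first real directive, so a leading "quiet" wins
		if (!msg_printed) {
			if (!arg_quiet)
				fprintf(stderr, "Reading profile %s\n", fname);
			msg_printed = 1;
		}

		// process include
		if (strncmp(ptr, "include ", 8) == 0) {
			// include_level is raised around the recursive call so the depth
			// check at the top bounds the nesting
			include_level++;

			// extract profile filename
			char *newprofile = ptr + 8; // profile name

			// expand ${HOME}/ in front of the new profile file; NULL means
			// there was nothing to expand and the name is used as-is
			char *newprofile2 = expand_home(newprofile, cfg.homedir);

			// recursivity
			profile_read(newprofile2 ? newprofile2 : newprofile);
			include_level--;
			free(newprofile2); // free(NULL) is a no-op
			free(ptr);
			continue;
		}

		// verify syntax, exit in case of error
		if (profile_check_line(ptr, lineno, fname))
			profile_add(ptr);
		// ptr is deliberately not freed here: data is extracted from it and
		// linked by pointer into the cfg structure
#ifdef HAVE_GCOV
		__gcov_flush();
#endif
	}
	fclose(fp);
}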
// Read profile `fname`, handing every directive to profile_check_line() and,
// when it is accepted, to profile_add(). Lines of the form "include <file>"
// are read recursively (with ${HOME} expanded), nested at most
// MAX_INCLUDE_LEVEL deep. Any problem with the file is fatal.
void profile_read(const char *fname) {
	EUID_ASSERT();

	// refuse to nest includes any deeper
	if (include_level > MAX_INCLUDE_LEVEL) {
		fprintf(stderr, "Error: maximum profile include level was reached\n");
		exit(1);
	}

	if (fname[0] == '\0') {
		fprintf(stderr, "Error: invalid profile file\n");
		exit(1);
	}

	FILE *fp = fopen(fname, "r");
	if (!fp) {
		fprintf(stderr, "Error: cannot open profile file %s\n", fname);
		exit(1);
	}

	if (!arg_quiet)
		fprintf(stderr, "Reading profile %s\n", fname);

	char buf[MAX_READ + 1];
	int lineno = 0;
	for (;;) {
		if (fgets(buf, MAX_READ, fp) == NULL)
			break;
		lineno++;

		// line_remove_spaces() hands back a heap copy of the line, or NULL
		char *line = line_remove_spaces(buf);
		if (!line)
			continue;

		if (line[0] == '#' || line[0] == '\0') {
			// blank line or comment
			free(line);
		}
		else if (strncmp(line, "include ", 8) == 0) {
			include_level++;
			char *target = line + 8;
			// expand_home() returns NULL when there is nothing to expand, in
			// which case the name is used as written
			char *expanded = expand_home(target, cfg.homedir);
			profile_read(expanded ? expanded : target);
			include_level--;
			free(expanded); // free(NULL) is a no-op
			free(line);
		}
		else if (profile_check_line(line, lineno, fname)) {
			// `line` is never freed on this path: data is extracted from it
			// and linked by pointer into the cfg structure
			profile_add(line);
		}
	}
	fclose(fp);
}
// Read profile `fname` and add its directives. When skip1/skip2 are non-NULL,
// any line containing either substring is ignored. An
// "include <file> [skip1 [skip2]]" line recurses into another profile with
// its own skip strings, nested at most MAX_INCLUDE_LEVEL deep. Any problem
// with the file is fatal.
void profile_read(const char *fname, const char *skip1, const char *skip2) {
	// refuse to nest includes any deeper
	if (include_level > MAX_INCLUDE_LEVEL) {
		fprintf(stderr, "Error: maximum profile include level was reached\n");
		exit(1);
	}

	if (fname[0] == '\0') {
		fprintf(stderr, "Error: invalid profile file\n");
		exit(1);
	}

	FILE *fp = fopen(fname, "r");
	if (!fp) {
		fprintf(stderr, "Error: cannot open profile file\n");
		exit(1);
	}

	if (!arg_quiet)
		fprintf(stderr, "Reading profile %s\n", fname);

	char buf[MAX_READ + 1];
	int lineno = 0;
	while (fgets(buf, MAX_READ, fp) != NULL) {
		lineno++;

		// line_remove_spaces() hands back a heap copy of the line, or NULL
		char *line = line_remove_spaces(buf);
		if (line == NULL)
			continue;

		if (line[0] == '#' || line[0] == '\0') {
			// blank line or comment
			free(line);
		}
		else if (strncmp(line, "include ", 8) == 0) {
			include_level++;
			char *target = line + 8;
			char *sub_skip1 = NULL;
			char *sub_skip2 = NULL;
			// split on spaces in place: the first token is the file name, the
			// next two become the skip strings for the included profile
			for (char *sp = target; (sp = strchr(sp, ' ')) != NULL; sp++) {
				*sp = '\0';
				if (sub_skip1 == NULL)
					sub_skip1 = sp + 1;
				else if (sub_skip2 == NULL)
					sub_skip2 = sp + 1;
			}
			// expand_home() returns NULL when there is nothing to expand
			char *expanded = expand_home(target, cfg.homedir);
			profile_read(expanded ? expanded : target, sub_skip1, sub_skip2);
			include_level--;
			free(expanded); // free(NULL) is a no-op
			free(line);
		}
		else if ((skip1 && strstr(line, skip1)) || (skip2 && strstr(line, skip2))) {
			// line matches one of the skip strings
			free(line);
		}
		else if (profile_check_line(line, lineno)) {
			// ownership passes to the profile; `line` is not freed here
			profile_add(line);
		}
	}
	fclose(fp);
}
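// Read a profile file and hand every directive to profile_check_line() and,
// when accepted, profile_add(). "include <file>" lines are read recursively,
// nested at most MAX_INCLUDE_LEVEL deep. Any problem with the file is fatal.
void profile_read(const char *fname) {
	// exit program if maximum include level was reached
	if (include_level > MAX_INCLUDE_LEVEL) {
		fprintf(stderr, "Error: maximum profile include level was reached\n");
		exit(1);
	}

	if (strlen(fname) == 0) {
		fprintf(stderr, "Error: invalid profile file\n");
		exit(1);
	}

	// open profile file:
	FILE *fp = fopen(fname, "r");
	if (fp == NULL) {
		fprintf(stderr, "Error: cannot open profile file\n");
		exit(1);
	}

	printf("Reading %s\n", fname);

	// (the linked-list scaffolding that used to live here - struct mylist,
	// mptr, mylist_cnt - was never read by anything and has been dropped)

	// read the file line by line
	char buf[MAX_READ + 1];
	int lineno = 0;
	while (fgets(buf, MAX_READ, fp)) {
		++lineno;
		// remove empty space
		// NOTE(review): line_remove_spaces() may return heap memory - confirm;
		// if so, nothing frees ptr on the skip paths below
		char *ptr = line_remove_spaces(buf);
		if (ptr == NULL || *ptr == '\0')
			continue;

		// comments
		if (*ptr == '#')
			continue;

		// process include: the name after "include " is used verbatim (no
		// ${HOME} expansion here); include_level bounds the recursion
		if (strncmp(ptr, "include ", 8) == 0) {
			include_level++;
			// recursivity
			profile_read(ptr + 8);
			include_level--;
			continue;
		}

		// verify syntax, exit in case of error
		if (profile_check_line(ptr, lineno))
			profile_add(ptr);
	}
	fclose(fp);
}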