Add new condition ALLOW_TRAY

netblue30 · Sep 4, 2021 · c86cae2 · c86cae2
1 parent 263e3fe
commit c86cae2
Show file tree

Hide file tree

Showing 6 changed files with 13 additions and 2 deletions.
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim
@@ -72,7 +72,7 @@ syn match fjCommandNoCond /quiet$/ contained
 
 " Conditionals grabbed from: src/firejail/profile.c
 " Generate list with: awk -- 'BEGIN {process=0;} /^Cond conditionals\[\] = \{$/ {process=1;} /\t*\{"[^"]+".*/ { if (process) {print gensub(/^\t*\{"([^"]+)".*$/, "\\1", 1);} } /^\t\{ NULL, NULL \}$/ {process=0;}' src/firejail/profile.c | sort -u | tr $'\n' '|'
-syn match fjConditional /\v\?(BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained
+syn match fjConditional /\v\?(ALLOW_TRAY|BROWSER_ALLOW_DRM|BROWSER_DISABLE_U2F|HAS_APPIMAGE|HAS_NET|HAS_NODBUS|HAS_NOSOUND|HAS_X11) ?:/ nextgroup=fjCommand skipwhite contained
 
 " A line is either a command, a conditional or a comment
 syn match fjStatement /^/ nextgroup=fjCommand,fjCommandNoCond,fjConditional,fjComment

diff --git a/etc/firejail.config b/etc/firejail.config
@@ -2,6 +2,9 @@
 # keyword-argument pairs, one per line. Most features are enabled by default.
 # Use 'yes' or 'no' as configuration values.
 
+# Allow programs to display a tray icon
+# allow-tray no
+
 # Enable AppArmor functionality, default enabled.
 # apparmor yes
 

diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
@@ -58,6 +58,7 @@ int checkcfg(int val) {
  cfg_val[CFG_XPRA_ATTACH] = 0;
  cfg_val[CFG_SECCOMP_ERROR_ACTION] = -1;
  cfg_val[CFG_BROWSER_ALLOW_DRM] = 0;
+ cfg_val[CFG_ALLOW_TRAY] = 0;
 
  // open configuration file
  const char *fname = SYSCONFDIR "/firejail.config";
@@ -122,6 +123,7 @@ int checkcfg(int val) {
  PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach")
  PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f")
  PARSE_YESNO(CFG_BROWSER_ALLOW_DRM, "browser-allow-drm")
+ PARSE_YESNO(CFG_ALLOW_TRAY, "allow-tray")
 #undef PARSE_YESNO
 
  // netfilter

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
@@ -801,6 +801,7 @@ enum {
  CFG_NAME_CHANGE,
  CFG_SECCOMP_ERROR_ACTION,
  // CFG_FILE_COPY_LIMIT - file copy limit handled using setenv/getenv
+ CFG_ALLOW_TRAY,
  CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;

diff --git a/src/firejail/profile.c b/src/firejail/profile.c
@@ -175,6 +175,10 @@ static int check_allow_drm(void) {
  return checkcfg(CFG_BROWSER_ALLOW_DRM) != 0;
 }
 
+static int check_allow_tray(void) {
+ return checkcfg(CFG_ALLOW_TRAY) != 0;
+}
+
 Cond conditionals[] = {
  {"HAS_APPIMAGE", check_appimage},
  {"HAS_NET", check_netoptions},
@@ -184,6 +188,7 @@ Cond conditionals[] = {
  {"HAS_X11", check_x11},
  {"BROWSER_DISABLE_U2F", check_disable_u2f},
  {"BROWSER_ALLOW_DRM", check_allow_drm},
+ {"ALLOW_TRAY", check_allow_tray},
  { NULL, NULL }
 };
 

diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
@@ -174,7 +174,7 @@ Example: "?HAS_APPIMAGE: allow ${HOME}/special/appimage/dir"
 
 This example will load the profile line only if the \-\-appimage option has been specified on the command line.
 
-Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
+Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals ALLOW_TRAY, BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
 can be enabled or disabled globally in Firejail's configuration file.
 
 The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines.