author | netblue30 <netblue30@yahoo.com> | 2017-08-27 08:04:35 -0400 |
committer | netblue30 <netblue30@yahoo.com> | 2017-08-27 08:04:35 -0400 |
commit | 4861cca38fcb73bae53f85ff8369c6acd535460e (patch) | |
tree | 2e190fa26c6df7dcc777636f36be7ff25254e475 | |
parent | --private-bin: restrict full paths to the directories in the list (diff) | |
cleanup
-rw-r--r-- | src/fseccomp/seccomp.c | 32 | ||||
-rwxr-xr-x | test/fs/private-bin.exp | 14 |
2 files changed, 9 insertions, 37 deletions
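--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -164,6 +164,8 @@ void seccomp_default_drop(const char *fname1, const char *fname2, char *list, in
 }
 
 void seccomp_keep(const char *fname1, const char *fname2, char *list) {
+	(void) fname2;
+
 	// open file for pre-exec filter
 	int fd = open(fname1, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
 	if (fd < 0) {
@@ -187,36 +189,6 @@ void seccomp_keep(const char *fname1, const char *fname2, char *list) {
 
 	// close file
 	close(fd);
-
-#if 0
-	// There is something very wrong here with the file descriptors, "ls -l /proc/self/fd" will show no file
-	// after running this code. We don't need the postexec filter in this case anyway.
-	printf("@@seccomp_keep start %s %s %s\n", fname1, fname2, list);
-	system("ls -l /proc/self/fd");
-	printf("@@seccomp_keep start %s %s %s\n", fname1, fname2, list);
-	// open file for post-exec filter
-	fd = open(fname2, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
-	if (fd < 0) {
-		fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname2);
-		exit(1);
-	}
-
-	// build post-exec filter: whitelist without @default-keep
-	filter_init(fd);
-
-	if (syscall_check_list(list, filter_add_whitelist, fd, 0, NULL)) {
-		fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
-		exit(1);
-	}
-
-	filter_end_whitelist(fd);
-
-	// close file
-	close(fd);
-	printf("@@seccomp_keep end %s %s %s\n", fname1, fname2, list);
-	system("ls -l /proc/self/fd");
-	printf("@@seccomp_keep end %s %s %s\n", fname1, fname2, list);
-#endif
 }
 
 void memory_deny_write_execute(const char *fname) {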
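Review bot: The `(void) fname2;` added at the top of seccomp_keep in the first hunk silences the unused-parameter warning without saying why a second path is still passed in, which will puzzle the next reader now that the post-exec branch is gone. A one-line comment would carry the reason the removed block gave: `(void) fname2;  // no post-exec filter is built for the keep list; parameter retained so the caller's signature does not change`. The caller-compatibility half of that is an inference from the parameter being kept rather than dropped, so confirm it against fseccomp's dispatch before settling on the wording. seccomp_keep's body continues past the end of the first hunk, and the second hunk's removal of the disabled `#if 0` block with its `system("ls -l /proc/self/fd")` calls needs nothing further.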
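--- a/test/fs/private-bin.exp
+++ b/test/fs/private-bin.exp
@@ -60,31 +60,31 @@ expect {
 
 send -- "ls /bin\r"
 expect {
-	timeout {puts "TESTING ERROR 5\n";exit}
-	"ping" {puts "TESTING ERROR 6\n";exit}
+	timeout {puts "TESTING ERROR 11\n";exit}
+	"ping" {puts "TESTING ERROR 12\n";exit}
 	"sh"
 }
 send -- "exit\r"
 after 100
 
 
-send -- "firejail --private-bin=/etc/shadow\r"
+send -- "firejail --debug --private-bin=/etc/shadow \r"
 expect {
-	timeout {puts "TESTING ERROR 8\n";exit}
-	"invalid filename"
+	timeout {puts "TESTING ERROR 13\n";exit}
+	"Warning: file /etc/shadow not found"
 }
 after 100
 
 send -- "firejail --private-bin=\"bla;bla\"\r"
 expect {
-	timeout {puts "TESTING ERROR 9\n";exit}
+	timeout {puts "TESTING ERROR 14\n";exit}
 	"is an invalid filename"
 }
 after 100
 
 send -- "firejail --private-etc=../bin/ls\r"
 expect {
-	timeout {puts "TESTING ERROR 10\n";exit}
+	timeout {puts "TESTING ERROR 15\n";exit}
 	"is an invalid filename"
 }
 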
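Review bot: The new expectation on line 74, `"Warning: file /etc/shadow not found"`, only confirms that the warning is printed; the old `"invalid filename"` match presumably corresponded to firejail refusing to start, whereas a warning suggests the sandbox may go on to open a shell, and the script then sends the next `firejail --private-bin=\"bla;bla\"` command without an `exit` first (compare the `ls /bin` case above, which does send one). If that is what happens, the remaining two cases run inside the sandbox rather than on the host, and their `is an invalid filename` matches exercise a nested invocation. Worth confirming from the `--debug` output, and if so adding `send -- "exit\r"` followed by `after 100` after that expect block. The rewritten send string `"firejail --debug --private-bin=/etc/shadow \r"` also carries a stray space before `\r`, harmless to the shell but worth trimming for consistency with the other send lines.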