cleanup

author: netblue30 <netblue30@yahoo.com> 2017-08-27 08:04:35 -0400
committer: netblue30 <netblue30@yahoo.com> 2017-08-27 08:04:35 -0400
commit: 4861cca38fcb73bae53f85ff8369c6acd535460e (patch)
tree: 2e190fa26c6df7dcc777636f36be7ff25254e475
parent: --private-bin: restrict full paths to the directories in the list (diff)
download: firejail-4861cca38fcb73bae53f85ff8369c6acd535460e.tar.gz
firejail-4861cca38fcb73bae53f85ff8369c6acd535460e.tar.zst
firejail-4861cca38fcb73bae53f85ff8369c6acd535460e.zip
2 files changed, 9 insertions, 37 deletions
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index 7ae74c340..8abc249ec 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -164,6 +164,8 @@ void seccomp_default_drop(const char *fname1, const char *fname2, char *list, in
 }
 void seccomp_keep(const char *fname1, const char *fname2, char *list) {
+        (void) fname2;
+        
        // open file for pre-exec filter
        int fd = open(fname1, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
        if (fd < 0) {
@@ -187,36 +189,6 @@ void seccomp_keep(const char *fname1, const char *fname2, char *list) {
        // close file
        close(fd);
-#if 0
-// There is something very wrong here with the file descriptors, "ls -l /proc/self/fd" will show no file
-// after running this code. We don't need the postexec filter in this case anyway.
-printf("@@seccomp_keep start %s %s %s\n", fname1, fname2, list);
-system("ls -l /proc/self/fd");
-printf("@@seccomp_keep start %s %s %s\n", fname1, fname2, list);
-        // open file for post-exec filter
-        fd = open(fname2, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
-        if (fd < 0) {
-                fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname2);
-                exit(1);
-        }
-        // build post-exec filter: whitelist without @default-keep
-        filter_init(fd);
-        if (syscall_check_list(list, filter_add_whitelist, fd, 0, NULL)) {
-                fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
-                exit(1);
-        }
-        filter_end_whitelist(fd);
-        // close file
-        close(fd);
-printf("@@seccomp_keep end %s %s %s\n", fname1, fname2, list);
-system("ls -l /proc/self/fd");
-printf("@@seccomp_keep end %s %s %s\n", fname1, fname2, list);
-#endif
 }
 void memory_deny_write_execute(const char *fname) {
diff --git a/test/fs/private-bin.exp b/test/fs/private-bin.exp
index d4cdc3a36..8403b8442 100755
--- a/test/fs/private-bin.exp
+++ b/test/fs/private-bin.exp
@@ -60,31 +60,31 @@ expect {
 send -- "ls /bin\r"
 expect {
-        timeout {puts "TESTING ERROR 5\n";exit}
+        timeout {puts "TESTING ERROR 11\n";exit}
-        "ping" {puts "TESTING ERROR 6\n";exit}
+        "ping" {puts "TESTING ERROR 12\n";exit}
        "sh"
 }
 send -- "exit\r"
 after 100
-send -- "firejail --private-bin=/etc/shadow\r"
+send -- "firejail --debug --private-bin=/etc/shadow \r"
 expect {
-        timeout {puts "TESTING ERROR 8\n";exit}
+        timeout {puts "TESTING ERROR 13\n";exit}
-        "invalid filename"
+        "Warning: file /etc/shadow not found"
 }
 after 100
 send -- "firejail --private-bin=\"bla;bla\"\r"
 expect {
-        timeout {puts "TESTING ERROR 9\n";exit}
+        timeout {puts "TESTING ERROR 14\n";exit}
        "is an invalid filename"
 }
 after 100
 send -- "firejail --private-etc=../bin/ls\r"
 expect {
-        timeout {puts "TESTING ERROR 10\n";exit}
+        timeout {puts "TESTING ERROR 15\n";exit}
        "is an invalid filename"
 }
author	netblue30 <netblue30@yahoo.com>	2017-08-27 08:04:35 -0400
committer	netblue30 <netblue30@yahoo.com>	2017-08-27 08:04:35 -0400
commit	4861cca38fcb73bae53f85ff8369c6acd535460e (patch)
tree	2e190fa26c6df7dcc777636f36be7ff25254e475
parent	--private-bin: restrict full paths to the directories in the list (diff)
download	firejail-4861cca38fcb73bae53f85ff8369c6acd535460e.tar.gz firejail-4861cca38fcb73bae53f85ff8369c6acd535460e.tar.zst firejail-4861cca38fcb73bae53f85ff8369c6acd535460e.zip