diff options
author | smitsohu <smitsohu@gmail.com> | 2022-03-13 21:55:35 +0100 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2022-03-13 22:33:23 +0100 |
commit | 75160510d43dcdaf7f61061d8f986e70db4a9e8c (patch) | |
tree | e51c2ce86bea007e873a5a0f3173cd26c526d77a /src/fbuilder/build_fs.c | |
parent | fbuilder: unify callback functions (diff) | |
download | firejail-75160510d43dcdaf7f61061d8f986e70db4a9e8c.tar.gz firejail-75160510d43dcdaf7f61061d8f986e70db4a9e8c.tar.zst firejail-75160510d43dcdaf7f61061d8f986e70db4a9e8c.zip |
fbuilder: whitelist-run-common.inc and whitelist-runuser-common.inc support
Diffstat (limited to 'src/fbuilder/build_fs.c')
-rw-r--r-- | src/fbuilder/build_fs.c | 82 |
1 files changed, 82 insertions, 0 deletions
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c index 9038e1953..ce01648e1 100644 --- a/src/fbuilder/build_fs.c +++ b/src/fbuilder/build_fs.c | |||
@@ -222,6 +222,88 @@ void build_var(const char *fname, FILE *fp) { | |||
222 | fprintf(fp, "include whitelist-var-common.inc\n"); | 222 | fprintf(fp, "include whitelist-var-common.inc\n"); |
223 | } | 223 | } |
224 | 224 | ||
225 | //******************************************* | ||
226 | // run directory | ||
227 | //******************************************* | ||
228 | static FileDB *run_out = NULL; | ||
229 | static FileDB *run_skip = NULL; | ||
230 | static void run_callback(char *ptr) { | ||
231 | // skip /run/firejail | ||
232 | if (strncmp(ptr, "/run/firejail", 13) == 0) | ||
233 | return; | ||
234 | // skip files in /run/user | ||
235 | if (strncmp(ptr, "/run/user", 9) == 0) | ||
236 | return; | ||
237 | |||
238 | // extract the directory: | ||
239 | assert(strncmp(ptr, "/run", 4) == 0); | ||
240 | char *p1 = ptr + 4; | ||
241 | if (*p1 != '/') | ||
242 | return; | ||
243 | p1++; | ||
244 | |||
245 | if (*p1 == '/') // double '/' | ||
246 | p1++; | ||
247 | if (*p1 == '\0') | ||
248 | return; | ||
249 | |||
250 | if (!filedb_find(run_skip, p1)) | ||
251 | run_out = filedb_add(run_out, p1); | ||
252 | } | ||
253 | |||
254 | void build_run(const char *fname, FILE *fp) { | ||
255 | assert(fname); | ||
256 | |||
257 | run_skip = filedb_load_whitelist(run_skip, "whitelist-run-common.inc", "whitelist /run/"); | ||
258 | process_files(fname, "/run", run_callback); | ||
259 | |||
260 | // always whitelist /run | ||
261 | if (run_out) | ||
262 | filedb_print(run_out, "whitelist /run/", fp); | ||
263 | fprintf(fp, "include whitelist-run-common.inc\n"); | ||
264 | } | ||
265 | |||
266 | //******************************************* | ||
267 | // ${RUNUSER} directory | ||
268 | //******************************************* | ||
269 | static char *runuser_fname = NULL; | ||
270 | static FileDB *runuser_out = NULL; | ||
271 | static FileDB *runuser_skip = NULL; | ||
272 | static void runuser_callback(char *ptr) { | ||
273 | // extract the directory: | ||
274 | assert(runuser_fname); | ||
275 | assert(strncmp(ptr, runuser_fname, strlen(runuser_fname)) == 0); | ||
276 | char *p1 = ptr + strlen(runuser_fname); | ||
277 | if (*p1 != '/') | ||
278 | return; | ||
279 | p1++; | ||
280 | |||
281 | if (*p1 == '/') // double '/' | ||
282 | p1++; | ||
283 | if (*p1 == '\0') | ||
284 | return; | ||
285 | |||
286 | if (!filedb_find(runuser_skip, p1)) | ||
287 | runuser_out = filedb_add(runuser_out, p1); | ||
288 | } | ||
289 | |||
290 | void build_runuser(const char *fname, FILE *fp) { | ||
291 | assert(fname); | ||
292 | |||
293 | if (asprintf(&runuser_fname, "/run/user/%d", getuid()) < 0) | ||
294 | errExit("asprintf"); | ||
295 | |||
296 | if (!is_dir(runuser_fname)) | ||
297 | return; | ||
298 | |||
299 | runuser_skip = filedb_load_whitelist(runuser_skip, "whitelist-runuser-common.inc", "whitelist ${RUNUSER}/"); | ||
300 | process_files(fname, runuser_fname, runuser_callback); | ||
301 | |||
302 | // always whitelist /run/user/$UID | ||
303 | if (runuser_out) | ||
304 | filedb_print(runuser_out, "whitelist ${RUNUSER}/", fp); | ||
305 | fprintf(fp, "include whitelist-runuser-common.inc\n"); | ||
306 | } | ||
225 | 307 | ||
226 | //******************************************* | 308 | //******************************************* |
227 | // usr/share directory | 309 | // usr/share directory |