--build fixes

author: netblue30 <netblue30@protonmail.com> 2021-05-04 16:46:54 -0400
committer: netblue30 <netblue30@protonmail.com> 2021-05-04 16:46:54 -0400
commit: 8988842c1bec4a41c09591e47771bf30247a5539 (patch)
tree: 274a62e6959ee23dee1084edb21b3abc6ae9f657 /src/fbuilder/build_fs.c
parent: Merge pull request #4209 from davidebeatrici/private-dev-input-support-and-no... (diff)
download: firejail-8988842c1bec4a41c09591e47771bf30247a5539.tar.gz
firejail-8988842c1bec4a41c09591e47771bf30247a5539.tar.zst
firejail-8988842c1bec4a41c09591e47771bf30247a5539.zip
1 files changed, 101 insertions, 28 deletions
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
index ac0cd455a..b35380b96 100644
--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -177,6 +177,74 @@ void build_var(const char *fname, FILE *fp) {
 //*******************************************
 // usr/share directory
 //*******************************************
+// todo: load the list from whitelist-usr-share-common.inc
+static char *share_skip[] = {
+        "/usr/share/alsa",
+        "/usr/share/applications",
+        "/usr/share/ca-certificates",
+        "/usr/share/crypto-policies",
+        "/usr/share/cursors",
+        "/usr/share/dconf",
+        "/usr/share/distro-info",
+        "/usr/share/drirc.d",
+        "/usr/share/enchant",
+        "/usr/share/enchant-2",
+        "/usr/share/file",
+        "/usr/share/fontconfig",
+        "/usr/share/fonts",
+        "/usr/share/fonts-config",
+        "/usr/share/gir-1.0",
+        "/usr/share/gjs-1.0",
+        "/usr/share/glib-2.0",
+        "/usr/share/glvnd",
+        "/usr/share/gtk-2.0",
+        "/usr/share/gtk-3.0",
+        "/usr/share/gtk-engines",
+        "/usr/share/gtksourceview-3.0",
+        "/usr/share/gtksourceview-4",
+        "/usr/share/hunspell",
+        "/usr/share/hwdata",
+        "/usr/share/icons",
+        "/usr/share/icu",
+        "/usr/share/knotifications5",
+        "/usr/share/kservices5",
+        "/usr/share/Kvantum",
+        "/usr/share/kxmlgui5",
+        "/usr/share/libdrm",
+        "/usr/share/libthai",
+        "/usr/share/locale",
+        "/usr/share/mime",
+        "/usr/share/misc",
+        "/usr/share/Modules",
+        "/usr/share/myspell",
+        "/usr/share/p11-kit",
+        "/usr/share/perl",
+        "/usr/share/perl5",
+        "/usr/share/pixmaps",
+        "/usr/share/pki",
+        "/usr/share/plasma",
+        "/usr/share/publicsuffix",
+        "/usr/share/qt",
+        "/usr/share/qt4",
+        "/usr/share/qt5",
+        "/usr/share/qt5ct",
+        "/usr/share/sounds",
+        "/usr/share/tcl8.6",
+        "/usr/share/tcltk",
+        "/usr/share/terminfo",
+        "/usr/share/texlive",
+        "/usr/share/texmf",
+        "/usr/share/themes",
+        "/usr/share/thumbnail.so",
+        "/usr/share/uim",
+        "/usr/share/vulkan",
+        "/usr/share/X11",
+        "/usr/share/xml",
+        "/usr/share/zenity",
+        "/usr/share/zoneinfo",
+        NULL
+};
 static FileDB *share_out = NULL;
 static void share_callback(char *ptr) {
        // extract the directory:
@@ -195,8 +263,17 @@ static void share_callback(char *ptr) {
        if (p2)
                *p2 = '\0';
-        // store the file
+        int i = 0;
-        share_out = filedb_add(share_out, ptr);
+        int found = 0;
+        while (share_skip[i]) {
+                if (strncmp(ptr, share_skip[i], strlen(share_skip[i])) == 0) {
+                        found = 1;
+                        break;
+                }
+                i++;
+        }
+        if (!found)
+                share_out = filedb_add(share_out, ptr);
 }
 void build_share(const char *fname, FILE *fp) {
@@ -252,40 +329,36 @@ void build_tmp(const char *fname, FILE *fp) {
 // dev directory
 //*******************************************
 static char *dev_skip[] = {
+        "/dev/stdin",
+        "/dev/stdout",
+        "/dev/stderr",
        "/dev/zero",
        "/dev/null",
        "/dev/full",
        "/dev/random",
        "/dev/urandom",
+        "/dev/sr0",
+        "/dev/cdrom",
+        "/dev/cdrw",
+        "/dev/dvd",
+        "/dev/dvdrw",
+        "/dev/fd",
+        "/dev/pts",
+        "/dev/ptmx",
+        "/dev/log",
+        "/dev/aload",   // old ALSA devices, not covered in private-dev
+        "/dev/dsp",             // old OSS device, deprecated
        "/dev/tty",
        "/dev/snd",
        "/dev/dri",
-        "/dev/pts",
+        "/dev/nvidia",
-        "/dev/nvidia0",
+        "/dev/video",
-        "/dev/nvidia1",
-        "/dev/nvidia2",
-        "/dev/nvidia3",
-        "/dev/nvidia4",
-        "/dev/nvidia5",
-        "/dev/nvidia6",
-        "/dev/nvidia7",
-        "/dev/nvidia8",
-        "/dev/nvidia9",
-        "/dev/nvidiactl",
-        "/dev/nvidia-modeset",
-        "/dev/nvidia-uvm",
-        "/dev/video0",
-        "/dev/video1",
-        "/dev/video2",
-        "/dev/video3",
-        "/dev/video4",
-        "/dev/video5",
-        "/dev/video6",
-        "/dev/video7",
-        "/dev/video8",
-        "/dev/video9",
        "/dev/dvb",
-        "/dev/sr0",
+        "/dev/hidraw",
+        "/dev/usb",
+        "/dev/input",
        NULL
 };
@@ -295,7 +368,7 @@ static void dev_callback(char *ptr) {
        int i = 0;
        int found = 0;
        while (dev_skip[i]) {
-                if (strcmp(ptr, dev_skip[i]) == 0) {
+                if (strncmp(ptr, dev_skip[i], strlen(dev_skip[i])) == 0) {
                        found = 1;
                        break;
                }
author	netblue30 <netblue30@protonmail.com>	2021-05-04 16:46:54 -0400
committer	netblue30 <netblue30@protonmail.com>	2021-05-04 16:46:54 -0400
commit	8988842c1bec4a41c09591e47771bf30247a5539 (patch)
tree	274a62e6959ee23dee1084edb21b3abc6ae9f657 /src/fbuilder/build_fs.c
parent	Merge pull request #4209 from davidebeatrici/private-dev-input-support-and-no... (diff)
download	firejail-8988842c1bec4a41c09591e47771bf30247a5539.tar.gz firejail-8988842c1bec4a41c09591e47771bf30247a5539.tar.zst firejail-8988842c1bec4a41c09591e47771bf30247a5539.zip

diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c index ac0cd455a..b35380b96 100644 --- a/src/fbuilder/build_fs.c +++ b/src/fbuilder/build_fs.c
@@ -177,6 +177,74 @@ void build_var(const char fname, FILE fp) {
177	//*******************************************	177	//*******************************************
178	// usr/share directory	178	// usr/share directory
179	//*******************************************	179	//*******************************************
		180	// todo: load the list from whitelist-usr-share-common.inc
		181	static char *share_skip[] = {
		182	"/usr/share/alsa",
		183	"/usr/share/applications",
		184	"/usr/share/ca-certificates",
		185	"/usr/share/crypto-policies",
		186	"/usr/share/cursors",
		187	"/usr/share/dconf",
		188	"/usr/share/distro-info",
		189	"/usr/share/drirc.d",
		190	"/usr/share/enchant",
		191	"/usr/share/enchant-2",
		192	"/usr/share/file",
		193	"/usr/share/fontconfig",
		194	"/usr/share/fonts",
		195	"/usr/share/fonts-config",
		196	"/usr/share/gir-1.0",
		197	"/usr/share/gjs-1.0",
		198	"/usr/share/glib-2.0",
		199	"/usr/share/glvnd",
		200	"/usr/share/gtk-2.0",
		201	"/usr/share/gtk-3.0",
		202	"/usr/share/gtk-engines",
		203	"/usr/share/gtksourceview-3.0",
		204	"/usr/share/gtksourceview-4",
		205	"/usr/share/hunspell",
		206	"/usr/share/hwdata",
		207	"/usr/share/icons",
		208	"/usr/share/icu",
		209	"/usr/share/knotifications5",
		210	"/usr/share/kservices5",
		211	"/usr/share/Kvantum",
		212	"/usr/share/kxmlgui5",
		213	"/usr/share/libdrm",
		214	"/usr/share/libthai",
		215	"/usr/share/locale",
		216	"/usr/share/mime",
		217	"/usr/share/misc",
		218	"/usr/share/Modules",
		219	"/usr/share/myspell",
		220	"/usr/share/p11-kit",
		221	"/usr/share/perl",
		222	"/usr/share/perl5",
		223	"/usr/share/pixmaps",
		224	"/usr/share/pki",
		225	"/usr/share/plasma",
		226	"/usr/share/publicsuffix",
		227	"/usr/share/qt",
		228	"/usr/share/qt4",
		229	"/usr/share/qt5",
		230	"/usr/share/qt5ct",
		231	"/usr/share/sounds",
		232	"/usr/share/tcl8.6",
		233	"/usr/share/tcltk",
		234	"/usr/share/terminfo",
		235	"/usr/share/texlive",
		236	"/usr/share/texmf",
		237	"/usr/share/themes",
		238	"/usr/share/thumbnail.so",
		239	"/usr/share/uim",
		240	"/usr/share/vulkan",
		241	"/usr/share/X11",
		242	"/usr/share/xml",
		243	"/usr/share/zenity",
		244	"/usr/share/zoneinfo",
		245	NULL
		246	};
		247
180	static FileDB *share_out = NULL;	248	static FileDB *share_out = NULL;
181	static void share_callback(char *ptr) {	249	static void share_callback(char *ptr) {
182	// extract the directory:	250	// extract the directory:
@@ -195,8 +263,17 @@ static void share_callback(char *ptr) {
195	if (p2)	263	if (p2)
196	*p2 = '\0';	264	*p2 = '\0';
197		265
198	// store the file	266	int i = 0;
199	share_out = filedb_add(share_out, ptr);	267	int found = 0;
		268	while (share_skip[i]) {
		269	if (strncmp(ptr, share_skip[i], strlen(share_skip[i])) == 0) {
		270	found = 1;
		271	break;
		272	}
		273	i++;
		274	}
		275	if (!found)
		276	share_out = filedb_add(share_out, ptr);
200	}	277	}
201		278
202	void build_share(const char fname, FILE fp) {	279	void build_share(const char fname, FILE fp) {
@@ -252,40 +329,36 @@ void build_tmp(const char fname, FILE fp) {
252	// dev directory	329	// dev directory
253	//*******************************************	330	//*******************************************
254	static char *dev_skip[] = {	331	static char *dev_skip[] = {
		332	"/dev/stdin",
		333	"/dev/stdout",
		334	"/dev/stderr",
255	"/dev/zero",	335	"/dev/zero",
256	"/dev/null",	336	"/dev/null",
257	"/dev/full",	337	"/dev/full",
258	"/dev/random",	338	"/dev/random",
259	"/dev/urandom",	339	"/dev/urandom",
		340	"/dev/sr0",
		341	"/dev/cdrom",
		342	"/dev/cdrw",
		343	"/dev/dvd",
		344	"/dev/dvdrw",
		345	"/dev/fd",
		346	"/dev/pts",
		347	"/dev/ptmx",
		348	"/dev/log",
		349
		350	"/dev/aload", // old ALSA devices, not covered in private-dev
		351	"/dev/dsp", // old OSS device, deprecated
		352
260	"/dev/tty",	353	"/dev/tty",
261	"/dev/snd",	354	"/dev/snd",
262	"/dev/dri",	355	"/dev/dri",
263	"/dev/pts",	356	"/dev/nvidia",
264	"/dev/nvidia0",	357	"/dev/video",
265	"/dev/nvidia1",
266	"/dev/nvidia2",
267	"/dev/nvidia3",
268	"/dev/nvidia4",
269	"/dev/nvidia5",
270	"/dev/nvidia6",
271	"/dev/nvidia7",
272	"/dev/nvidia8",
273	"/dev/nvidia9",
274	"/dev/nvidiactl",
275	"/dev/nvidia-modeset",
276	"/dev/nvidia-uvm",
277	"/dev/video0",
278	"/dev/video1",
279	"/dev/video2",
280	"/dev/video3",
281	"/dev/video4",
282	"/dev/video5",
283	"/dev/video6",
284	"/dev/video7",
285	"/dev/video8",
286	"/dev/video9",
287	"/dev/dvb",	358	"/dev/dvb",
288	"/dev/sr0",	359	"/dev/hidraw",
		360	"/dev/usb",
		361	"/dev/input",
289	NULL	362	NULL
290	};	363	};
291		364
@@ -295,7 +368,7 @@ static void dev_callback(char *ptr) {
295	int i = 0;	368	int i = 0;
296	int found = 0;	369	int found = 0;
297	while (dev_skip[i]) {	370	while (dev_skip[i]) {
298	if (strcmp(ptr, dev_skip[i]) == 0) {	371	if (strncmp(ptr, dev_skip[i], strlen(dev_skip[i])) == 0) {
299	found = 1;	372	found = 1;
300	break;	373	break;
301	}	374	}