author | ಚಿರಾಗ್ ನಟರಾಜ್ <chiraag.nataraj@gmail.com> | 2018-08-16 09:42:58 -0400 |
---|---|---|
committer | ಚಿರಾಗ್ ನಟರಾಜ್ <chiraag.nataraj@gmail.com> | 2018-08-16 09:42:58 -0400 |
commit | b0f49116fb026fe08fc30c495c637c42ed3195ad (patch) | |
tree | 0656986b7e39f857f48c576f7671a29001a56ace /src/fbuilder/build_profile.c | |
parent | harden private-home mounting, small improvements (diff) | |
download | firejail-b0f49116fb026fe08fc30c495c637c42ed3195ad.tar.gz firejail-b0f49116fb026fe08fc30c495c637c42ed3195ad.tar.zst firejail-b0f49116fb026fe08fc30c495c637c42ed3195ad.zip |
Generate temporary filenames instead of using a fixed one (fixes #2083)
Diffstat (limited to 'src/fbuilder/build_profile.c')
-rw-r--r-- | src/fbuilder/build_profile.c | 99 |
1 files changed, 70 insertions, 29 deletions
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index 125487c41..0c65d3413 100644 --- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c | |||
@@ -20,25 +20,24 @@ | |||
20 | 20 | ||
21 | #include "fbuilder.h" | 21 | #include "fbuilder.h" |
22 | #include <sys/wait.h> | 22 | #include <sys/wait.h> |
23 | #include <fcntl.h> | 23 | |
24 | 24 | #define TRACE_OUTPUT "/tmp/firejail-trace.XXXXXX" | |
25 | #define TRACE_OUTPUT "/tmp/firejail-trace" | 25 | #define STRACE_OUTPUT "/tmp/firejail-strace.XXXXXX" |
26 | #define STRACE_OUTPUT "/tmp/firejail-strace" | 26 | |
27 | 27 | /* static char *cmdlist[] = { */ | |
28 | static char *cmdlist[] = { | 28 | /* "/usr/bin/firejail", */ |
29 | "/usr/bin/firejail", | 29 | /* "--quiet", */ |
30 | "--quiet", | 30 | /* "--output=" TRACE_OUTPUT, */ |
31 | "--output=" TRACE_OUTPUT, | 31 | /* "--noprofile", */ |
32 | "--noprofile", | 32 | /* "--caps.drop=all", */ |
33 | "--caps.drop=all", | 33 | /* "--nonewprivs", */ |
34 | "--nonewprivs", | 34 | /* "--trace", */ |
35 | "--trace", | 35 | /* "--shell=none", */ |
36 | "--shell=none", | 36 | /* "/usr/bin/strace", // also used as a marker in build_profile() */ |
37 | "/usr/bin/strace", // also used as a marker in build_profile() | 37 | /* "-c", */ |
38 | "-c", | 38 | /* "-f", */ |
39 | "-f", | 39 | /* "-o" STRACE_OUTPUT, */ |
40 | "-o" STRACE_OUTPUT, | 40 | /* }; */ |
41 | }; | ||
42 | 41 | ||
43 | static void clear_tmp_files(void) { | 42 | static void clear_tmp_files(void) { |
44 | unlink(STRACE_OUTPUT); | 43 | unlink(STRACE_OUTPUT); |
@@ -64,7 +63,47 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
64 | } | 63 | } |
65 | 64 | ||
66 | // clean /tmp files | 65 | // clean /tmp files |
67 | clear_tmp_files(); | 66 | /* clear_tmp_files(); */ |
67 | |||
68 | char trace_output[] = "/tmp/firejail-trace.XXXXXX"; | ||
69 | char strace_output[] = "/tmp/firejail-strace.XXXXXX"; | ||
70 | |||
71 | int tfile = mkstemp(trace_output); | ||
72 | int stfile = mkstemp(strace_output); | ||
73 | |||
74 | if(tfile == -1 || stfile == -1) | ||
75 | errExit("mkstemp"); | ||
76 | |||
77 | FILE *tp = fdopen(tfile, "r"); | ||
78 | |||
79 | if (!tp) { | ||
80 | fprintf(stderr, "Error: cannot open %s\n", trace_output); | ||
81 | exit(1); | ||
82 | } | ||
83 | |||
84 | char *output; | ||
85 | char *stroutput; | ||
86 | |||
87 | if(asprintf(&output,"--output=%s",trace_output) == -1) | ||
88 | errExit("asprintf"); | ||
89 | |||
90 | if(asprintf(&stroutput,"-o %s",strace_output) == -1) | ||
91 | errExit("asprintf"); | ||
92 | |||
93 | char *cmdlist[] = { | ||
94 | "/usr/bin/firejail", | ||
95 | "--quiet", | ||
96 | output, | ||
97 | "--noprofile", | ||
98 | "--caps.drop=all", | ||
99 | "--nonewprivs", | ||
100 | "--trace", | ||
101 | "--shell=none", | ||
102 | "/usr/bin/strace", // also used as a marker in build_profile() | ||
103 | "-c", | ||
104 | "-f", | ||
105 | stroutput, | ||
106 | }; | ||
68 | 107 | ||
69 | // detect strace | 108 | // detect strace |
70 | int have_strace = 0; | 109 | int have_strace = 0; |
@@ -131,16 +170,16 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
131 | fprintf(fp, "\n"); | 170 | fprintf(fp, "\n"); |
132 | 171 | ||
133 | fprintf(fp, "### home directory whitelisting\n"); | 172 | fprintf(fp, "### home directory whitelisting\n"); |
134 | build_home(TRACE_OUTPUT, fp); | 173 | build_home(trace_output, tp, fp); |
135 | fprintf(fp, "\n"); | 174 | fprintf(fp, "\n"); |
136 | 175 | ||
137 | fprintf(fp, "### filesystem\n"); | 176 | fprintf(fp, "### filesystem\n"); |
138 | build_tmp(TRACE_OUTPUT, fp); | 177 | build_tmp(trace_output, tp, fp); |
139 | build_dev(TRACE_OUTPUT, fp); | 178 | build_dev(trace_output, tp, fp); |
140 | build_etc(TRACE_OUTPUT, fp); | 179 | build_etc(trace_output, tp, fp); |
141 | build_var(TRACE_OUTPUT, fp); | 180 | build_var(trace_output, tp, fp); |
142 | build_bin(TRACE_OUTPUT, fp); | 181 | build_bin(trace_output, tp, fp); |
143 | build_share(TRACE_OUTPUT, fp); | 182 | build_share(trace_output, tp, fp); |
144 | fprintf(fp, "\n"); | 183 | fprintf(fp, "\n"); |
145 | 184 | ||
146 | fprintf(fp, "### security filters\n"); | 185 | fprintf(fp, "### security filters\n"); |
@@ -148,7 +187,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
148 | fprintf(fp, "nonewprivs\n"); | 187 | fprintf(fp, "nonewprivs\n"); |
149 | fprintf(fp, "seccomp\n"); | 188 | fprintf(fp, "seccomp\n"); |
150 | if (have_strace) | 189 | if (have_strace) |
151 | build_seccomp(STRACE_OUTPUT, fp); | 190 | build_seccomp(strace_output, stfile, fp); |
152 | else { | 191 | else { |
153 | fprintf(fp, "# If you install strace on your system, Firejail will also create a\n"); | 192 | fprintf(fp, "# If you install strace on your system, Firejail will also create a\n"); |
154 | fprintf(fp, "# whitelisted seccomp filter.\n"); | 193 | fprintf(fp, "# whitelisted seccomp filter.\n"); |
@@ -156,11 +195,13 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
156 | fprintf(fp, "\n"); | 195 | fprintf(fp, "\n"); |
157 | 196 | ||
158 | fprintf(fp, "### network\n"); | 197 | fprintf(fp, "### network\n"); |
159 | build_protocol(TRACE_OUTPUT, fp); | 198 | build_protocol(trace_output, tfile, fp); |
160 | fprintf(fp, "\n"); | 199 | fprintf(fp, "\n"); |
161 | 200 | ||
162 | fprintf(fp, "### environment\n"); | 201 | fprintf(fp, "### environment\n"); |
163 | fprintf(fp, "shell none\n"); | 202 | fprintf(fp, "shell none\n"); |
203 | |||
204 | fclose(tp); | ||
164 | 205 | ||
165 | } | 206 | } |
166 | else { | 207 | else { |
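Review bot: The strace output option built at new line 90 of the second hunk, `asprintf(&stroutput,"-o %s",strace_output)`, hands strace a single argv element with an embedded space; the replaced code concatenated `"-o" STRACE_OUTPUT` with no space, and a getopt-style parser would presumably take `" /tmp/firejail-strace.XXXXXX"` (leading space) as the option argument, so the seccomp trace would not land at the path `build_seccomp(strace_output, stfile, fp)` reads from. The line should be `if(asprintf(&stroutput,"-o%s",strace_output) == -1)`. Separately, with `clear_tmp_files()` commented out (new line 66) and the function still unlinking the literal `XXXXXX` template names rather than the generated ones, both mkstemp files are left behind in /tmp after each run and `stfile` is never closed; after `fclose(tp);` add `close(stfile); unlink(trace_output); unlink(strace_output);`, and drop the commented-out `cmdlist` and call rather than keeping dead code. The descriptors from `mkstemp` are not close-on-exec, so the sandboxed child presumably inherits them open for read/write — worth confirming whether that matters for the trace files or whether `mkostemp(..., O_CLOEXEC)` would be preferable. build_profile begins and ends outside these hunks.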