aboutsummaryrefslogtreecommitdiffstats
path: root/src/fbuilder/build_profile.c
diff options
context:
space:
mode:
authorLibravatar ಚಿರಾಗ್ ನಟರಾಜ್ <chiraag.nataraj@gmail.com>2018-08-16 09:42:58 -0400
committerLibravatar ಚಿರಾಗ್ ನಟರಾಜ್ <chiraag.nataraj@gmail.com>2018-08-16 09:42:58 -0400
commitb0f49116fb026fe08fc30c495c637c42ed3195ad (patch)
tree0656986b7e39f857f48c576f7671a29001a56ace /src/fbuilder/build_profile.c
parentharden private-home mounting, small improvements (diff)
downloadfirejail-b0f49116fb026fe08fc30c495c637c42ed3195ad.tar.gz
firejail-b0f49116fb026fe08fc30c495c637c42ed3195ad.tar.zst
firejail-b0f49116fb026fe08fc30c495c637c42ed3195ad.zip
Generate temporary filenames instead of using a fixed one (fixes #2083)
Diffstat (limited to 'src/fbuilder/build_profile.c')
-rw-r--r--src/fbuilder/build_profile.c99
1 files changed, 70 insertions, 29 deletions
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index 125487c41..0c65d3413 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -20,25 +20,24 @@
20 20
21#include "fbuilder.h" 21#include "fbuilder.h"
22#include <sys/wait.h> 22#include <sys/wait.h>
23#include <fcntl.h> 23
24 24#define TRACE_OUTPUT "/tmp/firejail-trace.XXXXXX"
25#define TRACE_OUTPUT "/tmp/firejail-trace" 25#define STRACE_OUTPUT "/tmp/firejail-strace.XXXXXX"
26#define STRACE_OUTPUT "/tmp/firejail-strace" 26
27 27/* static char *cmdlist[] = { */
28static char *cmdlist[] = { 28/* "/usr/bin/firejail", */
29 "/usr/bin/firejail", 29/* "--quiet", */
30 "--quiet", 30/* "--output=" TRACE_OUTPUT, */
31 "--output=" TRACE_OUTPUT, 31/* "--noprofile", */
32 "--noprofile", 32/* "--caps.drop=all", */
33 "--caps.drop=all", 33/* "--nonewprivs", */
34 "--nonewprivs", 34/* "--trace", */
35 "--trace", 35/* "--shell=none", */
36 "--shell=none", 36/* "/usr/bin/strace", // also used as a marker in build_profile() */
37 "/usr/bin/strace", // also used as a marker in build_profile() 37/* "-c", */
38 "-c", 38/* "-f", */
39 "-f", 39/* "-o" STRACE_OUTPUT, */
40 "-o" STRACE_OUTPUT, 40/* }; */
41};
42 41
43static void clear_tmp_files(void) { 42static void clear_tmp_files(void) {
44 unlink(STRACE_OUTPUT); 43 unlink(STRACE_OUTPUT);
@@ -64,7 +63,47 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
64 } 63 }
65 64
66 // clean /tmp files 65 // clean /tmp files
67 clear_tmp_files(); 66 /* clear_tmp_files(); */
67
68 char trace_output[] = "/tmp/firejail-trace.XXXXXX";
69 char strace_output[] = "/tmp/firejail-strace.XXXXXX";
70
71 int tfile = mkstemp(trace_output);
72 int stfile = mkstemp(strace_output);
73
74 if(tfile == -1 || stfile == -1)
75 errExit("mkstemp");
76
77 FILE *tp = fdopen(tfile, "r");
78
79 if (!tp) {
80 fprintf(stderr, "Error: cannot open %s\n", trace_output);
81 exit(1);
82 }
83
84 char *output;
85 char *stroutput;
86
87 if(asprintf(&output,"--output=%s",trace_output) == -1)
88 errExit("asprintf");
89
90 if(asprintf(&stroutput,"-o %s",strace_output) == -1)
91 errExit("asprintf");
92
93 char *cmdlist[] = {
94 "/usr/bin/firejail",
95 "--quiet",
96 output,
97 "--noprofile",
98 "--caps.drop=all",
99 "--nonewprivs",
100 "--trace",
101 "--shell=none",
102 "/usr/bin/strace", // also used as a marker in build_profile()
103 "-c",
104 "-f",
105 stroutput,
106 };
68 107
69 // detect strace 108 // detect strace
70 int have_strace = 0; 109 int have_strace = 0;
@@ -131,16 +170,16 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
131 fprintf(fp, "\n"); 170 fprintf(fp, "\n");
132 171
133 fprintf(fp, "### home directory whitelisting\n"); 172 fprintf(fp, "### home directory whitelisting\n");
134 build_home(TRACE_OUTPUT, fp); 173 build_home(trace_output, tp, fp);
135 fprintf(fp, "\n"); 174 fprintf(fp, "\n");
136 175
137 fprintf(fp, "### filesystem\n"); 176 fprintf(fp, "### filesystem\n");
138 build_tmp(TRACE_OUTPUT, fp); 177 build_tmp(trace_output, tp, fp);
139 build_dev(TRACE_OUTPUT, fp); 178 build_dev(trace_output, tp, fp);
140 build_etc(TRACE_OUTPUT, fp); 179 build_etc(trace_output, tp, fp);
141 build_var(TRACE_OUTPUT, fp); 180 build_var(trace_output, tp, fp);
142 build_bin(TRACE_OUTPUT, fp); 181 build_bin(trace_output, tp, fp);
143 build_share(TRACE_OUTPUT, fp); 182 build_share(trace_output, tp, fp);
144 fprintf(fp, "\n"); 183 fprintf(fp, "\n");
145 184
146 fprintf(fp, "### security filters\n"); 185 fprintf(fp, "### security filters\n");
@@ -148,7 +187,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
148 fprintf(fp, "nonewprivs\n"); 187 fprintf(fp, "nonewprivs\n");
149 fprintf(fp, "seccomp\n"); 188 fprintf(fp, "seccomp\n");
150 if (have_strace) 189 if (have_strace)
151 build_seccomp(STRACE_OUTPUT, fp); 190 build_seccomp(strace_output, stfile, fp);
152 else { 191 else {
153 fprintf(fp, "# If you install strace on your system, Firejail will also create a\n"); 192 fprintf(fp, "# If you install strace on your system, Firejail will also create a\n");
154 fprintf(fp, "# whitelisted seccomp filter.\n"); 193 fprintf(fp, "# whitelisted seccomp filter.\n");
@@ -156,11 +195,13 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
156 fprintf(fp, "\n"); 195 fprintf(fp, "\n");
157 196
158 fprintf(fp, "### network\n"); 197 fprintf(fp, "### network\n");
159 build_protocol(TRACE_OUTPUT, fp); 198 build_protocol(trace_output, tfile, fp);
160 fprintf(fp, "\n"); 199 fprintf(fp, "\n");
161 200
162 fprintf(fp, "### environment\n"); 201 fprintf(fp, "### environment\n");
163 fprintf(fp, "shell none\n"); 202 fprintf(fp, "shell none\n");
203
204 fclose(tp);
164 205
165 } 206 }
166 else { 207 else {
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-01 00:16:21 +0000