author | netblue30 <netblue30@yahoo.com> | 2017-10-22 11:09:50 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-10-22 11:09:50 -0400 |
commit | ba231088e6bd8e4c52e372f7a4d2928ee7bf223a (patch) | |
tree | 614f1fbcbdaa6ae5ac6a2148bd13cb6073b263e7 /src/fbuilder/build_seccomp.c | |
parent | --build fixes (diff) | |
--build: save the resulting profile in a file
Diffstat (limited to 'src/fbuilder/build_seccomp.c')
-rw-r--r-- | src/fbuilder/build_seccomp.c | 47 |
1 files changed, 24 insertions, 23 deletions
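--- a/src/fbuilder/build_seccomp.c
+++ b/src/fbuilder/build_seccomp.c
@@ -20,11 +20,12 @@
 
 #include "fbuilder.h"
 
-void build_seccomp(const char *fname) {
+void build_seccomp(const char *fname, FILE *fp) {
 	assert(fname);
+	assert(fp);
 
-	FILE *fp = fopen(fname, "r");
-	if (!fp) {
+	FILE *fp2 = fopen(fname, "r");
+	if (!fp2) {
 		fprintf(stderr, "Error: cannot open %s\n", fname);
 		exit(1);
 	}
@@ -33,7 +34,7 @@ void build_seccomp(const char *fname) {
 	int line = 1;
 	int position = 0;
 	int cnt = 0;
-	while (fgets(buf, MAX_BUF, fp)) {
+	while (fgets(buf, MAX_BUF, fp2)) {
 		// remove \n
 		char *ptr = strchr(buf, '\n');
 		if (ptr)
@@ -62,20 +63,20 @@ void build_seccomp(const char *fname) {
 				break;
 
 			if (line == 3)
-				printf("# seccomp.keep %s", buf + position);
+				fprintf(fp, "# seccomp.keep %s", buf + position);
 			else
-				printf(",%s", buf + position);
+				fprintf(fp, ",%s", buf + position);
 			cnt++;
 		}
 		line++;
 	}
-	printf("\n");
-	printf("# %d syscalls total\n", cnt);
-	printf("# Probably you will need to add more syscalls to seccomp.keep. Look for\n");
-	printf("# seccomp errors in /var/log/syslog or /var/log/audit/audit.log while\n");
-	printf("# running your sandbox.\n");
+	fprintf(fp, "\n");
+	fprintf(fp, "# %d syscalls total\n", cnt);
+	fprintf(fp, "# Probably you will need to add more syscalls to seccomp.keep. Look for\n");
+	fprintf(fp, "# seccomp errors in /var/log/syslog or /var/log/audit/audit.log while\n");
+	fprintf(fp, "# running your sandbox.\n");
 
-	fclose(fp);
+	fclose(fp2);
 }
 
 //***************************************
@@ -141,7 +142,7 @@ static void process_protocol(const char *fname) {
 
 
 // process fname, fname.1, fname.2, fname.3, fname.4, fname.5
-void build_protocol(const char *fname) {
+void build_protocol(const char *fname, FILE *fp) {
 	assert(fname);
 
 	// run fname
@@ -161,31 +162,31 @@ void build_protocol(const char *fname) {
 
 	int net = 0;
 	if (unix_s || inet || inet6 || netlink || packet) {
-		printf("protocol ");
+		fprintf(fp, "protocol ");
 		if (unix_s)
-			printf("unix,");
+			fprintf(fp, "unix,");
 		if (inet) {
-			printf("inet,");
+			fprintf(fp, "inet,");
 			net = 1;
 		}
 		if (inet6) {
-			printf("inet6,");
+			fprintf(fp, "inet6,");
 			net = 1;
 		}
 		if (netlink)
-			printf("netlink,");
+			fprintf(fp, "netlink,");
 		if (packet) {
-			printf("packet");
+			fprintf(fp, "packet");
 			net = 1;
 		}
-		printf("\n");
+		fprintf(fp, "\n");
 	}
 
 	if (net == 0)
-		printf("net none\n");
+		fprintf(fp, "net none\n");
 	else {
-		printf("# net eth0\n");
-		printf("netfilter\n");
+		fprintf(fp, "# net eth0\n");
+		fprintf(fp, "netfilter\n");
 	}
 }
 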
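Review bot: build_protocol gains a `FILE *fp` parameter in the -141,7 hunk but, unlike build_seccomp in the -20,11 hunk, never validates it before the fprintf calls in the -161,31 hunk dereference it; add `assert(fp);` right after the existing `assert(fname);` so both entry points share the same precondition. Neither function checks the result of the fprintf calls, so a failed write to the profile file (the commit's stated purpose) would go unnoticed; at minimum the caller should check fflush/ferror on fp before closing it, which is out of this hunk. The bodies of both build_seccomp and build_protocol continue outside the hunks shown.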