authorLibravatar netblue30 <netblue30@yahoo.com>2017-09-16 08:49:05 -0400
committerLibravatar netblue30 <netblue30@yahoo.com>2017-09-16 08:49:05 -0400
commit280f37eba89ebc211d0c02848d3d47d086458b25 (patch)
tree1398c5dfc53c4d286d7b6b528d5a3c1585a67325 /src/fbuilder/build_seccomp.c
parentMerge pull request #1552 from SpotComms/mf (diff)
--build
Diffstat (limited to 'src/fbuilder/build_seccomp.c')
-rw-r--r--src/fbuilder/build_seccomp.c191
1 files changed, 191 insertions, 0 deletions
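--- /dev/null
+++ b/src/fbuilder/build_seccomp.c
@@ -0,0 +1,191 @@
+/*
+ * Copyright (C) 2014-2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#include "fbuilder.h"
+
+void build_seccomp(const char *fname) {
+ assert(fname);
+
+ FILE *fp = fopen(fname, "r");
+ if (!fp) {
+ fprintf(stderr, "Error: cannot open %s\n", fname);
+ exit(1);
+ }
+
+ char buf[MAX_BUF];
+ int line = 1;
+ int position = 0;
+ int cnt = 0;
+ while (fgets(buf, MAX_BUF, fp)) {
+ // remove \n
+ char *ptr = strchr(buf, '\n');
+ if (ptr)
+ *ptr = '\0';
+
+ // first line:
+ //% time seconds usecs/call calls errors syscall
+ if (line == 1) {
+ // extract syscall position
+ ptr = strstr(buf, "syscall");
+ if (*buf != '%' || ptr == NULL) {
+ // skip this line, it could be garbage from strace
+ continue;
+ }
+ position = (int) (ptr - buf);
+ }
+ else if (line == 2) {
+ if (*buf != '-') {
+ fprintf(stderr, "Error: invalid strace output\n%s\n", buf);
+ exit(1);
+ }
+ }
+ else {
+ // get out on the next "----" line
+ if (*buf == '-')
+ break;
+
+ if (line == 3)
+ printf("# seccomp.keep %s", buf + position);
+ else
+ printf(",%s", buf + position);
+ cnt++;
+ }
+ line++;
+ }
+ printf("\n");
+ printf("# %d syscalls total\n", cnt);
+ printf("# Probably you will need to add more syscalls to seccomp.keep. Look for\n");
+ printf("# seccomp errors in /var/log/syslog or /var/log/audit/audit.log while\n");
+ printf("# running your sandbox.\n");
+
+ fclose(fp);
+}
+
+//***************************************
+// protocol
+//***************************************
+int unix_s = 0;
+int inet = 0;
+int inet6 = 0;
+int netlink = 0;
+int packet = 0;
+static void process_protocol(const char *fname) {
+ assert(fname);
+
+ // process trace file
+ FILE *fp = fopen(fname, "r");
+ if (!fp) {
+ fprintf(stderr, "Error: cannot open %s\n", fname);
+ exit(1);
+ }
+
+ char buf[MAX_BUF];
+ while (fgets(buf, MAX_BUF, fp)) {
+ // remove \n
+ char *ptr = strchr(buf, '\n');
+ if (ptr)
+ *ptr = '\0';
+
+ // parse line: 4:galculator:access /etc/fonts/conf.d:0
+ // number followed by :
+ ptr = buf;
+ if (!isdigit(*ptr))
+ continue;
+ while (isdigit(*ptr))
+ ptr++;
+ if (*ptr != ':')
+ continue;
+ ptr++;
+
+ // next :
+ ptr = strchr(ptr, ':');
+ if (!ptr)
+ continue;
+ ptr++;
+ if (strncmp(ptr, "socket ", 7) == 0)
+ ptr += 7;
+ else
+ continue;
+
+ if (strncmp(ptr, "AF_LOCAL ", 9) == 0)
+ unix_s = 1;
+ else if (strncmp(ptr, "AF_INET ", 8) == 0)
+ inet = 1;
+ else if (strncmp(ptr, "AF_INET6 ", 9) == 0)
+ inet6 = 1;
+ else if (strncmp(ptr, "AF_NETLINK ", 9) == 0)
+ netlink = 1;
+ else if (strncmp(ptr, "AF_PACKET ", 9) == 0)
+ packet = 1;
+ }
+
+ fclose(fp);
+}
+
+
+// process fname, fname.1, fname.2, fname.3, fname.4, fname.5
+void build_protocol(const char *fname) {
+ assert(fname);
+
+ // run fname
+ process_protocol(fname);
+
+ // run all the rest
+ struct stat s;
+ int i;
+ for (i = 1; i <= 5; i++) {
+ char *newname;
+ if (asprintf(&newname, "%s.%d", fname, i) == -1)
+ errExit("asprintf");
+ if (stat(newname, &s) == 0)
+ process_protocol(newname);
+ free(newname);
+ }
+
+ int net = 0;
+ if (unix_s || inet || inet6 || netlink || packet) {
+ printf("protocol ");
+ if (unix_s)
+ printf("unix,");
+ if (inet) {
+ printf("inet,");
+ net = 1;
+ }
+ if (inet6) {
+ printf("inet6,");
+ net = 1;
+ }
+ if (netlink)
+ printf("netlink,");
+ if (packet) {
+ printf("packet");
+ net = 1;
+ }
+ printf("\n");
+ }
+
+ if (net == 0)
+ printf("net none\n");
+ else {
+ printf("# net eth0\n");
+ printf("netfilter\n");
+ }
+}
+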
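Review bot: In build_seccomp, `buf + position` is printed for every data line without checking that the line is at least `position` bytes long, so a short line makes printf read past the terminator into the uninitialized remainder of `buf`, and whatever stale bytes sit there end up in the generated seccomp.keep list. A guard in the `else` branch mirroring the line-2 check closes this: `if (strlen(buf) <= (size_t) position) { fprintf(stderr, "Error: invalid strace output\n%s\n", buf); exit(1); }`. In process_protocol the `strncmp` lengths for `"AF_NETLINK "` and `"AF_PACKET "` are 9 while the literals are 11 and 10 bytes, so the trailing-space delimiter is never compared; `strncmp(ptr, "AF_NETLINK ", 11)` and `strncmp(ptr, "AF_PACKET ", 10)` make the matches exact. The `isdigit(*ptr)` calls should also cast to `unsigned char`, since a negative `char` value is undefined input for the `<ctype.h>` functions. In build_protocol the generated `protocol` line ends with a comma whenever `packet` is not the last family set (e.g. `protocol unix,`), which I would expect the profile parser to reject — worth verifying against the parser.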