author | netblue30 <netblue30@yahoo.com> | 2017-09-19 09:47:26 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-09-19 09:47:26 -0400 |
commit | cbbc90381b41156c16bcb30934a10c843c8298c0 (patch) | |
tree | e21319a023b5883eb3aa5a50b4bd27e19e047a49 /src/fbuilder | |
parent | update KDE whitelist (diff) | |
add private-bin support to profile builder
Diffstat (limited to 'src/fbuilder')
-rw-r--r-- | src/fbuilder/build_bin.c | 121 | ||||
-rw-r--r-- | src/fbuilder/build_profile.c | 4 | ||||
-rw-r--r-- | src/fbuilder/fbuilder.h | 3 |
3 files changed, 126 insertions, 2 deletions
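--- /dev/null
+++ b/src/fbuilder/build_bin.c
@@ -0,0 +1,121 @@
+/*
+ * Copyright (C) 2014-2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#include "fbuilder.h"
+
+static FileDB *bin_out = NULL;
+
+static void process_bin(const char *fname) {
+assert(fname);
+
+// process trace file
+FILE *fp = fopen(fname, "r");
+if (!fp) {
+fprintf(stderr, "Error: cannot open %s\n", fname);
+exit(1);
+}
+
+char buf[MAX_BUF];
+while (fgets(buf, MAX_BUF, fp)) {
+// remove \n
+char *ptr = strchr(buf, '\n');
+if (ptr)
+*ptr = '\0';
+
+// parse line: 4:galculator:access /etc/fonts/conf.d:0
+// number followed by :
+ptr = buf;
+if (!isdigit(*ptr))
+continue;
+while (isdigit(*ptr))
+ptr++;
+if (*ptr != ':')
+continue;
+ptr++;
+
+// next :
+ptr = strchr(ptr, ':');
+if (!ptr)
+continue;
+ptr++;
+if (strncmp(ptr, "exec ", 5) == 0)
+ptr += 5;
+else
+continue;
+if (strncmp(ptr, "/bin/", 5) == 0)
+ptr += 5;
+else if (strncmp(ptr, "/sbin/", 6) == 0)
+ptr += 6;
+else if (strncmp(ptr, "/usr/bin/", 9) == 0)
+ptr += 9;
+else if (strncmp(ptr, "/usr/sbin/", 10) == 0)
+ptr += 10;
+else if (strncmp(ptr, "/usr/local/bin/", 15) == 0)
+ptr += 15;
+else if (strncmp(ptr, "/usr/local/sbin/", 16) == 0)
+ptr += 16;
+else if (strncmp(ptr, "/usr/games/", 11) == 0)
+ptr += 12;
+else if (strncmp(ptr, "/usr/local/games/", 17) == 0)
+ptr += 17;
+else
+continue;
+
+// end of filename
+char *ptr2 = strchr(ptr, ':');
+if (!ptr2)
+continue;
+*ptr2 = '\0';
+
+bin_out = filedb_add(bin_out, ptr);
+}
+
+fclose(fp);
+}
+
+
+// process fname, fname.1, fname.2, fname.3, fname.4, fname.5
+void build_bin(const char *fname) {
+assert(fname);
+
+// run fname
+process_bin(fname);
+
+// run all the rest
+struct stat s;
+int i;
+for (i = 1; i <= 5; i++) {
+char *newname;
+if (asprintf(&newname, "%s.%d", fname, i) == -1)
+errExit("asprintf");
+if (stat(newname, &s) == 0)
+process_bin(newname);
+free(newname);
+}
+
+if (bin_out) {
+printf("# private-bin ");
+FileDB *ptr = bin_out;
+while (ptr) {
+printf("%s,", ptr->fname);
+ptr = ptr->next;
+}
+printf("\n");
+}
+}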
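Review bot: The `/usr/games/` branch at line 74 advances `ptr` by 12 although the prefix matched on line 73 is 11 characters long, so the first character of every binary name under /usr/games/ is dropped from the generated private-bin list; every other branch matches its prefix length, and this one should read `ptr += 11;`. Separately, `isdigit(*ptr)` at lines 44 and 46 passes a plain `char`, which is undefined for negative values where `char` is signed; cast as `isdigit((unsigned char)*ptr)`. A trace line longer than MAX_BUF is split by `fgets` and its tail is parsed as a separate line, which the leading-digit check will usually discard — a one-line comment above the loop noting that overlong lines are not handled would make that intent explicit.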
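--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -33,6 +33,7 @@ static char *cmdlist[] = {
 "--caps.drop=all",
 "--nonewprivs",
 "--trace",
+"--shell=none",
 "/usr/bin/strace", // also used as a marker in build_profile()
 "-c",
 "-f",
@@ -56,8 +57,6 @@ static void clear_tmp_files(void) {
 }
 
 void build_profile(int argc, char **argv, int index) {
-unlink("/tmp/strace-output");
-
 // next index is the application name
 if (index >= argc) {
 fprintf(stderr, "Error: application name missing\n");
@@ -136,6 +135,7 @@ void build_profile(int argc, char **argv, int index) {
 build_dev(TRACE_OUTPUT);
 build_etc(TRACE_OUTPUT);
 build_var(TRACE_OUTPUT);
+build_bin(TRACE_OUTPUT);
 printf("\n");
 
 printf("### security filters\n");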
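Review bot: The new `"--shell=none",` entry in cmdlist (first hunk, new line 36) carries no comment, while the neighbouring strace entry documents its role; the reason for running the traced command without a wrapper shell is not evident from the list itself, so a short note would help, e.g. `"--shell=none", // NOTE(review): presumably so strace sees the target binary rather than a wrapper shell — confirm`. The cmdlist initializer starts and ends outside the hunk.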
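--- a/src/fbuilder/fbuilder.h
+++ b/src/fbuilder/fbuilder.h
@@ -44,6 +44,9 @@ void build_var(const char *fname);
 void build_tmp(const char *fname);
 void build_dev(const char *fname);
 
+// build_bin.c
+void build_bin(const char *fname);
+
 // build_home.c
 void build_home(const char *fname);
 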