diff options
| author |  netblue30 <netblue30@yahoo.com> | 2018-08-28 13:04:13 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2018-08-28 13:04:13 -0400 |
| commit | 8ce3b7ab971d6ab02463fd6c7591a73465526cb1 (patch) | |
| tree | 2df83450626433978a970dbae4fb38d84754600e /src/fbuilder | |
| parent | memory leaks (diff) | |
| download | firejail-8ce3b7ab971d6ab02463fd6c7591a73465526cb1.tar.gz firejail-8ce3b7ab971d6ab02463fd6c7591a73465526cb1.tar.zst firejail-8ce3b7ab971d6ab02463fd6c7591a73465526cb1.zip | |
fbuider cleanup
Diffstat (limited to 'src/fbuilder')
| -rw-r--r-- | src/fbuilder/build_bin.c | 37 | ||||
| -rw-r--r-- | src/fbuilder/build_fs.c | 101 | ||||
| -rw-r--r-- | src/fbuilder/build_home.c | 38 | ||||
| -rw-r--r-- | src/fbuilder/build_profile.c | 36 | ||||
| -rw-r--r-- | src/fbuilder/build_seccomp.c | 23 | ||||
| -rw-r--r-- | src/fbuilder/fbuilder.h | 20 |
6 files changed, 104 insertions, 151 deletions
diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c index 1b9343216..1230fb780 100644 --- a/src/fbuilder/build_bin.c +++ b/src/fbuilder/build_bin.c | |||
| @@ -21,16 +21,15 @@ | |||
| 21 | 21 | ||
| 22 | static FileDB *bin_out = NULL; | 22 | static FileDB *bin_out = NULL; |
| 23 | 23 | ||
| 24 | static void process_bin(char *fname, FILE *fp) { | 24 | static void process_bin(const char *fname) { |
| 25 | assert(fname); | 25 | assert(fname); |
| 26 | assert(fp); | ||
| 27 | 26 | ||
| 28 | // process trace file | 27 | // process trace file |
| 29 | /* FILE *fp = fdopen(fd, "r"); */ | 28 | FILE *fp = fopen(fname, "r"); |
| 30 | /* if (!fp) { */ | 29 | if (!fp) { |
| 31 | /* fprintf(stderr, "Error: cannot open %s\n", fname); */ | 30 | fprintf(stderr, "Error: cannot open %s\n", fname); |
| 32 | /* exit(1); */ | 31 | exit(1); |
| 33 | /* } */ | 32 | } |
| 34 | 33 | ||
| 35 | char buf[MAX_BUF]; | 34 | char buf[MAX_BUF]; |
| 36 | while (fgets(buf, MAX_BUF, fp)) { | 35 | while (fgets(buf, MAX_BUF, fp)) { |
| @@ -91,18 +90,16 @@ static void process_bin(char *fname, FILE *fp) { | |||
| 91 | bin_out = filedb_add(bin_out, ptr); | 90 | bin_out = filedb_add(bin_out, ptr); |
| 92 | } | 91 | } |
| 93 | 92 | ||
| 94 | /* fclose(fp); */ | 93 | fclose(fp); |
| 95 | } | 94 | } |
| 96 | 95 | ||
| 97 | 96 | ||
| 98 | // process fname, fname.1, fname.2, fname.3, fname.4, fname.5 | 97 | // process fname, fname.1, fname.2, fname.3, fname.4, fname.5 |
| 99 | void build_bin(char *fname, FILE *fp, FILE *fpo) { | 98 | void build_bin(const char *fname, FILE *fp) { |
| 100 | assert(fname); | 99 | assert(fname); |
| 101 | assert(fp); | ||
| 102 | assert(fpo); | ||
| 103 | 100 | ||
| 104 | // run fname | 101 | // run fname |
| 105 | process_bin(fname, fp); | 102 | process_bin(fname); |
| 106 | 103 | ||
| 107 | // run all the rest | 104 | // run all the rest |
| 108 | struct stat s; | 105 | struct stat s; |
| @@ -112,24 +109,18 @@ void build_bin(char *fname, FILE *fp, FILE *fpo) { | |||
| 112 | if (asprintf(&newname, "%s.%d", fname, i) == -1) | 109 | if (asprintf(&newname, "%s.%d", fname, i) == -1) |
| 113 | errExit("asprintf"); | 110 | errExit("asprintf"); |
| 114 | if (stat(newname, &s) == 0) | 111 | if (stat(newname, &s) == 0) |
| 115 | { | 112 | process_bin(newname); |
| 116 | int nfd = open(newname, O_RDONLY); | ||
| 117 | FILE *nfp = fdopen(nfd, "r"); | ||
| 118 | process_bin(newname, nfp); | ||
| 119 | fclose(nfp); | ||
| 120 | unlink(newname); | ||
| 121 | } | ||
| 122 | free(newname); | 113 | free(newname); |
| 123 | } | 114 | } |
| 124 | 115 | ||
| 125 | if (bin_out) { | 116 | if (bin_out) { |
| 126 | fprintf(fpo, "private-bin "); | 117 | fprintf(fp, "private-bin "); |
| 127 | FileDB *ptr = bin_out; | 118 | FileDB *ptr = bin_out; |
| 128 | while (ptr) { | 119 | while (ptr) { |
| 129 | fprintf(fpo, "%s,", ptr->fname); | 120 | fprintf(fp, "%s,", ptr->fname); |
| 130 | ptr = ptr->next; | 121 | ptr = ptr->next; |
| 131 | } | 122 | } |
| 132 | fprintf(fpo, "\n"); | 123 | fprintf(fp, "\n"); |
| 133 | fprintf(fpo, "# private-lib\n"); | 124 | fprintf(fp, "# private-lib\n"); |
| 134 | } | 125 | } |
| 135 | } | 126 | } |
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c index 2d63c6fb9..771dc94cb 100644 --- a/src/fbuilder/build_fs.c +++ b/src/fbuilder/build_fs.c | |||
| @@ -21,20 +21,19 @@ | |||
| 21 | #include "fbuilder.h" | 21 | #include "fbuilder.h" |
| 22 | 22 | ||
| 23 | // common file processing function, using the callback for each line in the file | 23 | // common file processing function, using the callback for each line in the file |
| 24 | static void process_file(char *fname, FILE *fp, const char *dir, void (*callback)(char *)) { | 24 | static void process_file(const char *fname, const char *dir, void (*callback)(char *)) { |
| 25 | assert(fname); | 25 | assert(fname); |
| 26 | assert(fp); | ||
| 27 | assert(dir); | 26 | assert(dir); |
| 28 | assert(callback); | 27 | assert(callback); |
| 29 | 28 | ||
| 30 | int dir_len = strlen(dir); | 29 | int dir_len = strlen(dir); |
| 31 | 30 | ||
| 32 | // process trace file | 31 | // process trace file |
| 33 | /* FILE *fp = fdopen(fd, "r"); */ | 32 | FILE *fp = fopen(fname, "r"); |
| 34 | /* if (!fp) { */ | 33 | if (!fp) { |
| 35 | /* fprintf(stderr, "Error: cannot open %s\n", fname); */ | 34 | fprintf(stderr, "Error: cannot open %s\n", fname); |
| 36 | /* exit(1); */ | 35 | exit(1); |
| 37 | /* } */ | 36 | } |
| 38 | 37 | ||
| 39 | char buf[MAX_BUF]; | 38 | char buf[MAX_BUF]; |
| 40 | while (fgets(buf, MAX_BUF, fp)) { | 39 | while (fgets(buf, MAX_BUF, fp)) { |
| @@ -83,18 +82,17 @@ static void process_file(char *fname, FILE *fp, const char *dir, void (*callback | |||
| 83 | callback(ptr); | 82 | callback(ptr); |
| 84 | } | 83 | } |
| 85 | 84 | ||
| 86 | /* fclose(fp); */ | 85 | fclose(fp); |
| 87 | } | 86 | } |
| 88 | 87 | ||
| 89 | // process fname, fname.1, fname.2, fname.3, fname.4, fname.5 | 88 | // process fname, fname.1, fname.2, fname.3, fname.4, fname.5 |
| 90 | static void process_files(char *fname, FILE *fp, const char *dir, void (*callback)(char *)) { | 89 | static void process_files(const char *fname, const char *dir, void (*callback)(char *)) { |
| 91 | assert(fname); | 90 | assert(fname); |
| 92 | assert(fp); | ||
| 93 | assert(dir); | 91 | assert(dir); |
| 94 | assert(callback); | 92 | assert(callback); |
| 95 | 93 | ||
| 96 | // run fname | 94 | // run fname |
| 97 | process_file(fname, fp, dir, callback); | 95 | process_file(fname, dir, callback); |
| 98 | 96 | ||
| 99 | // run all the rest | 97 | // run all the rest |
| 100 | struct stat s; | 98 | struct stat s; |
| @@ -103,13 +101,8 @@ static void process_files(char *fname, FILE *fp, const char *dir, void (*callbac | |||
| 103 | char *newname; | 101 | char *newname; |
| 104 | if (asprintf(&newname, "%s.%d", fname, i) == -1) | 102 | if (asprintf(&newname, "%s.%d", fname, i) == -1) |
| 105 | errExit("asprintf"); | 103 | errExit("asprintf"); |
| 106 | if (stat(newname, &s) == 0) { | 104 | if (stat(newname, &s) == 0) |
| 107 | int nfd = open(newname, O_RDONLY); | 105 | process_file(newname, dir, callback); |
| 108 | FILE *nfp = fdopen(nfd, "r"); | ||
| 109 | process_file(newname, nfp, dir, callback); | ||
| 110 | fclose(nfp); | ||
| 111 | unlink(newname); | ||
| 112 | } | ||
| 113 | free(newname); | 106 | free(newname); |
| 114 | } | 107 | } |
| 115 | } | 108 | } |
| @@ -132,23 +125,21 @@ static void etc_callback(char *ptr) { | |||
| 132 | etc_out = filedb_add(etc_out, ptr); | 125 | etc_out = filedb_add(etc_out, ptr); |
| 133 | } | 126 | } |
| 134 | 127 | ||
| 135 | void build_etc(char *fname, FILE *fp, FILE *fpo) { | 128 | void build_etc(const char *fname, FILE *fp) { |
| 136 | assert(fname); | 129 | assert(fname); |
| 137 | assert(fp); | ||
| 138 | assert(fpo); | ||
| 139 | 130 | ||
| 140 | process_files(fname, fp, "/etc", etc_callback); | 131 | process_files(fname, "/etc", etc_callback); |
| 141 | 132 | ||
| 142 | fprintf(fpo, "private-etc "); | 133 | fprintf(fp, "private-etc "); |
| 143 | if (etc_out == NULL) | 134 | if (etc_out == NULL) |
| 144 | fprintf(fpo, "none\n"); | 135 | fprintf(fp, "none\n"); |
| 145 | else { | 136 | else { |
| 146 | FileDB *ptr = etc_out; | 137 | FileDB *ptr = etc_out; |
| 147 | while (ptr) { | 138 | while (ptr) { |
| 148 | fprintf(fpo, "%s,", ptr->fname); | 139 | fprintf(fp, "%s,", ptr->fname); |
| 149 | ptr = ptr->next; | 140 | ptr = ptr->next; |
| 150 | } | 141 | } |
| 151 | fprintf(fpo, "\n"); | 142 | fprintf(fp, "\n"); |
| 152 | } | 143 | } |
| 153 | } | 144 | } |
| 154 | 145 | ||
| @@ -169,17 +160,15 @@ static void var_callback(char *ptr) { | |||
| 169 | var_out = filedb_add(var_out, ptr); | 160 | var_out = filedb_add(var_out, ptr); |
| 170 | } | 161 | } |
| 171 | 162 | ||
| 172 | void build_var(char *fname, FILE *fp, FILE *fpo) { | 163 | void build_var(const char *fname, FILE *fp) { |
| 173 | assert(fname); | 164 | assert(fname); |
| 174 | assert(fp); | ||
| 175 | assert(fpo); | ||
| 176 | 165 | ||
| 177 | process_files(fname, fp, "/var", var_callback); | 166 | process_files(fname, "/var", var_callback); |
| 178 | 167 | ||
| 179 | if (var_out == NULL) | 168 | if (var_out == NULL) |
| 180 | fprintf(fpo, "blacklist /var\n"); | 169 | fprintf(fp, "blacklist /var\n"); |
| 181 | else | 170 | else |
| 182 | filedb_print(var_out, "whitelist ", fpo); | 171 | filedb_print(var_out, "whitelist ", fp); |
| 183 | } | 172 | } |
| 184 | 173 | ||
| 185 | 174 | ||
| @@ -208,17 +197,15 @@ static void share_callback(char *ptr) { | |||
| 208 | share_out = filedb_add(share_out, ptr); | 197 | share_out = filedb_add(share_out, ptr); |
| 209 | } | 198 | } |
| 210 | 199 | ||
| 211 | void build_share(char *fname, FILE *fp, FILE *fpo) { | 200 | void build_share(const char *fname, FILE *fp) { |
| 212 | assert(fname); | 201 | assert(fname); |
| 213 | assert(fp); | ||
| 214 | assert(fpo); | ||
| 215 | 202 | ||
| 216 | process_files(fname, fp, "/usr/share", share_callback); | 203 | process_files(fname, "/usr/share", share_callback); |
| 217 | 204 | ||
| 218 | if (share_out == NULL) | 205 | if (share_out == NULL) |
| 219 | fprintf(fpo, "blacklist /usr/share\n"); | 206 | fprintf(fp, "blacklist /usr/share\n"); |
| 220 | else | 207 | else |
| 221 | filedb_print(share_out, "whitelist ", fpo); | 208 | filedb_print(share_out, "whitelist ", fp); |
| 222 | } | 209 | } |
| 223 | 210 | ||
| 224 | //******************************************* | 211 | //******************************************* |
| @@ -229,23 +216,21 @@ static void tmp_callback(char *ptr) { | |||
| 229 | filedb_add(tmp_out, ptr); | 216 | filedb_add(tmp_out, ptr); |
| 230 | } | 217 | } |
| 231 | 218 | ||
| 232 | void build_tmp(char *fname, FILE *fp, FILE *fpo) { | 219 | void build_tmp(const char *fname, FILE *fp) { |
| 233 | assert(fname); | 220 | assert(fname); |
| 234 | assert(fp); | ||
| 235 | assert(fpo); | ||
| 236 | 221 | ||
| 237 | process_files(fname, fp, "/tmp", tmp_callback); | 222 | process_files(fname, "/tmp", tmp_callback); |
| 238 | 223 | ||
| 239 | if (tmp_out == NULL) | 224 | if (tmp_out == NULL) |
| 240 | fprintf(fpo, "private-tmp\n"); | 225 | fprintf(fp, "private-tmp\n"); |
| 241 | else { | 226 | else { |
| 242 | fprintf(fpo, "\n"); | 227 | fprintf(fp, "\n"); |
| 243 | fprintf(fpo, "# private-tmp\n"); | 228 | fprintf(fp, "# private-tmp\n"); |
| 244 | fprintf(fpo, "# File accessed in /tmp directory:\n"); | 229 | fprintf(fp, "# File accessed in /tmp directory:\n"); |
| 245 | fprintf(fpo, "# "); | 230 | fprintf(fp, "# "); |
| 246 | FileDB *ptr = tmp_out; | 231 | FileDB *ptr = tmp_out; |
| 247 | while (ptr) { | 232 | while (ptr) { |
| 248 | fprintf(fpo, "%s,", ptr->fname); | 233 | fprintf(fp, "%s,", ptr->fname); |
| 249 | ptr = ptr->next; | 234 | ptr = ptr->next; |
| 250 | } | 235 | } |
| 251 | printf("\n"); | 236 | printf("\n"); |
| @@ -309,26 +294,24 @@ static void dev_callback(char *ptr) { | |||
| 309 | filedb_add(dev_out, ptr); | 294 | filedb_add(dev_out, ptr); |
| 310 | } | 295 | } |
| 311 | 296 | ||
| 312 | void build_dev(char *fname, FILE *fp, FILE *fpo) { | 297 | void build_dev(const char *fname, FILE *fp) { |
| 313 | assert(fname); | 298 | assert(fname); |
| 314 | assert(fp); | ||
| 315 | assert(fpo); | ||
| 316 | 299 | ||
| 317 | process_files(fname, fp, "/dev", dev_callback); | 300 | process_files(fname, "/dev", dev_callback); |
| 318 | 301 | ||
| 319 | if (dev_out == NULL) | 302 | if (dev_out == NULL) |
| 320 | fprintf(fpo, "private-dev\n"); | 303 | fprintf(fp, "private-dev\n"); |
| 321 | else { | 304 | else { |
| 322 | fprintf(fpo, "\n"); | 305 | fprintf(fp, "\n"); |
| 323 | fprintf(fpo, "# private-dev\n"); | 306 | fprintf(fp, "# private-dev\n"); |
| 324 | fprintf(fpo, "# This is the list of devices accessed (on top of regular private-dev devices:\n"); | 307 | fprintf(fp, "# This is the list of devices accessed (on top of regular private-dev devices:\n"); |
| 325 | fprintf(fpo, "# "); | 308 | fprintf(fp, "# "); |
| 326 | FileDB *ptr = dev_out; | 309 | FileDB *ptr = dev_out; |
| 327 | while (ptr) { | 310 | while (ptr) { |
| 328 | fprintf(fpo, "%s,", ptr->fname); | 311 | fprintf(fp, "%s,", ptr->fname); |
| 329 | ptr = ptr->next; | 312 | ptr = ptr->next; |
| 330 | } | 313 | } |
| 331 | fprintf(fpo, "\n"); | 314 | fprintf(fp, "\n"); |
| 332 | } | 315 | } |
| 333 | } | 316 | } |
| 334 | 317 | ||
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c index b582b89bf..7470a8d10 100644 --- a/src/fbuilder/build_home.c +++ b/src/fbuilder/build_home.c | |||
| @@ -47,18 +47,17 @@ static void load_whitelist_common(void) { | |||
| 47 | fclose(fp); | 47 | fclose(fp); |
| 48 | } | 48 | } |
| 49 | 49 | ||
| 50 | void process_home(char *fname, FILE *fp, char *home, int home_len) { | 50 | void process_home(const char *fname, char *home, int home_len) { |
| 51 | assert(fname); | 51 | assert(fname); |
| 52 | assert(fp); | ||
| 53 | assert(home); | 52 | assert(home); |
| 54 | assert(home_len); | 53 | assert(home_len); |
| 55 | 54 | ||
| 56 | // process trace file | 55 | // process trace file |
| 57 | /* FILE *fp = fdopen(fd, "r"); */ | 56 | FILE *fp = fopen(fname, "r"); |
| 58 | /* if (!fp) { */ | 57 | if (!fp) { |
| 59 | /* fprintf(stderr, "Error: cannot open %s\n", fname); */ | 58 | fprintf(stderr, "Error: cannot open %s\n", fname); |
| 60 | /* exit(1); */ | 59 | exit(1); |
| 61 | /* } */ | 60 | } |
| 62 | 61 | ||
| 63 | char buf[MAX_BUF]; | 62 | char buf[MAX_BUF]; |
| 64 | while (fgets(buf, MAX_BUF, fp)) { | 63 | while (fgets(buf, MAX_BUF, fp)) { |
| @@ -154,15 +153,13 @@ void process_home(char *fname, FILE *fp, char *home, int home_len) { | |||
| 154 | free(dir); | 153 | free(dir); |
| 155 | 154 | ||
| 156 | } | 155 | } |
| 157 | /* fclose(fp); */ | 156 | fclose(fp); |
| 158 | } | 157 | } |
| 159 | 158 | ||
| 160 | 159 | ||
| 161 | // process fname, fname.1, fname.2, fname.3, fname.4, fname.5 | 160 | // process fname, fname.1, fname.2, fname.3, fname.4, fname.5 |
| 162 | void build_home(char *fname, FILE *fp, FILE *fpo) { | 161 | void build_home(const char *fname, FILE *fp) { |
| 163 | assert(fname); | 162 | assert(fname); |
| 164 | assert(fp); | ||
| 165 | assert(fpo); | ||
| 166 | 163 | ||
| 167 | // load whitelist common | 164 | // load whitelist common |
| 168 | load_whitelist_common(); | 165 | load_whitelist_common(); |
| @@ -177,7 +174,7 @@ void build_home(char *fname, FILE *fp, FILE *fpo) { | |||
| 177 | int home_len = strlen(home); | 174 | int home_len = strlen(home); |
| 178 | 175 | ||
| 179 | // run fname | 176 | // run fname |
| 180 | process_home(fname, fp, home, home_len); | 177 | process_home(fname, home, home_len); |
| 181 | 178 | ||
| 182 | // run all the rest | 179 | // run all the rest |
| 183 | struct stat s; | 180 | struct stat s; |
| @@ -186,22 +183,17 @@ void build_home(char *fname, FILE *fp, FILE *fpo) { | |||
| 186 | char *newname; | 183 | char *newname; |
| 187 | if (asprintf(&newname, "%s.%d", fname, i) == -1) | 184 | if (asprintf(&newname, "%s.%d", fname, i) == -1) |
| 188 | errExit("asprintf"); | 185 | errExit("asprintf"); |
| 189 | if (stat(newname, &s) == 0) { | 186 | if (stat(newname, &s) == 0) |
| 190 | int nfd = open(newname, O_RDONLY); | 187 | process_home(newname, home, home_len); |
| 191 | FILE *nfp = fdopen(nfd, "r"); | ||
| 192 | process_home(newname, nfp, home, home_len); | ||
| 193 | fclose(nfp); | ||
| 194 | unlink(newname); | ||
| 195 | } | ||
| 196 | free(newname); | 188 | free(newname); |
| 197 | } | 189 | } |
| 198 | 190 | ||
| 199 | // print the out list if any | 191 | // print the out list if any |
| 200 | if (db_out) { | 192 | if (db_out) { |
| 201 | filedb_print(db_out, "whitelist ~/", fpo); | 193 | filedb_print(db_out, "whitelist ~/", fp); |
| 202 | fprintf(fpo, "include /etc/firejail/whitelist-common.inc\n"); | 194 | fprintf(fp, "include /etc/firejail/whitelist-common.inc\n"); |
| 203 | } | 195 | } |
| 204 | else | 196 | else |
| 205 | fprintf(fpo, "private\n"); | 197 | fprintf(fp, "private\n"); |
| 206 | 198 | ||
| 207 | } | 199 | } \ No newline at end of file |
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index 79de7063f..74f0da226 100644 --- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c | |||
| @@ -51,25 +51,20 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
| 51 | 51 | ||
| 52 | int tfile = mkstemp(trace_output); | 52 | int tfile = mkstemp(trace_output); |
| 53 | int stfile = mkstemp(strace_output); | 53 | int stfile = mkstemp(strace_output); |
| 54 | |||
| 55 | if(tfile == -1 || stfile == -1) | 54 | if(tfile == -1 || stfile == -1) |
| 56 | errExit("mkstemp"); | 55 | errExit("mkstemp"); |
| 57 | 56 | ||
| 58 | FILE *tp = fdopen(tfile, "r"); | 57 | // close the files, firejail/strace will overwrite them! |
| 58 | close(tfile); | ||
| 59 | close(stfile); | ||
| 59 | 60 | ||
| 60 | if (!tp) { | ||
| 61 | fprintf(stderr, "Error: cannot open %s\n", trace_output); | ||
| 62 | exit(1); | ||
| 63 | } | ||
| 64 | 61 | ||
| 65 | char *output; | 62 | char *output; |
| 66 | char *stroutput; | 63 | char *stroutput; |
| 67 | |||
| 68 | if(asprintf(&output,"--output=%s",trace_output) == -1) | 64 | if(asprintf(&output,"--output=%s",trace_output) == -1) |
| 69 | errExit("asprintf"); | 65 | errExit("asprintf"); |
| 70 | |||
| 71 | if(asprintf(&stroutput,"-o %s",strace_output) == -1) | 66 | if(asprintf(&stroutput,"-o %s",strace_output) == -1) |
| 72 | errExit("asprintf"); | 67 | errExit("asprintf"); |
| 73 | 68 | ||
| 74 | char *cmdlist[] = { | 69 | char *cmdlist[] = { |
| 75 | "/usr/bin/firejail", | 70 | "/usr/bin/firejail", |
| @@ -151,16 +146,16 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
| 151 | fprintf(fp, "\n"); | 146 | fprintf(fp, "\n"); |
| 152 | 147 | ||
| 153 | fprintf(fp, "### home directory whitelisting\n"); | 148 | fprintf(fp, "### home directory whitelisting\n"); |
| 154 | build_home(trace_output, tp, fp); | 149 | build_home(trace_output, fp); |
| 155 | fprintf(fp, "\n"); | 150 | fprintf(fp, "\n"); |
| 156 | 151 | ||
| 157 | fprintf(fp, "### filesystem\n"); | 152 | fprintf(fp, "### filesystem\n"); |
| 158 | build_tmp(trace_output, tp, fp); | 153 | build_tmp(trace_output, fp); |
| 159 | build_dev(trace_output, tp, fp); | 154 | build_dev(trace_output, fp); |
| 160 | build_etc(trace_output, tp, fp); | 155 | build_etc(trace_output, fp); |
| 161 | build_var(trace_output, tp, fp); | 156 | build_var(trace_output, fp); |
| 162 | build_bin(trace_output, tp, fp); | 157 | build_bin(trace_output, fp); |
| 163 | build_share(trace_output, tp, fp); | 158 | build_share(trace_output, fp); |
| 164 | fprintf(fp, "\n"); | 159 | fprintf(fp, "\n"); |
| 165 | 160 | ||
| 166 | fprintf(fp, "### security filters\n"); | 161 | fprintf(fp, "### security filters\n"); |
| @@ -168,7 +163,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
| 168 | fprintf(fp, "nonewprivs\n"); | 163 | fprintf(fp, "nonewprivs\n"); |
| 169 | fprintf(fp, "seccomp\n"); | 164 | fprintf(fp, "seccomp\n"); |
| 170 | if (have_strace) | 165 | if (have_strace) |
| 171 | build_seccomp(strace_output, stfile, fp); | 166 | build_seccomp(strace_output, fp); |
| 172 | else { | 167 | else { |
| 173 | fprintf(fp, "# If you install strace on your system, Firejail will also create a\n"); | 168 | fprintf(fp, "# If you install strace on your system, Firejail will also create a\n"); |
| 174 | fprintf(fp, "# whitelisted seccomp filter.\n"); | 169 | fprintf(fp, "# whitelisted seccomp filter.\n"); |
| @@ -176,13 +171,12 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
| 176 | fprintf(fp, "\n"); | 171 | fprintf(fp, "\n"); |
| 177 | 172 | ||
| 178 | fprintf(fp, "### network\n"); | 173 | fprintf(fp, "### network\n"); |
| 179 | build_protocol(trace_output, tfile, fp); | 174 | build_protocol(trace_output, fp); |
| 180 | fprintf(fp, "\n"); | 175 | fprintf(fp, "\n"); |
| 181 | 176 | ||
| 182 | fprintf(fp, "### environment\n"); | 177 | fprintf(fp, "### environment\n"); |
| 183 | fprintf(fp, "shell none\n"); | 178 | fprintf(fp, "shell none\n"); |
| 184 | 179 | ||
| 185 | fclose(tp); | ||
| 186 | unlink(trace_output); | 180 | unlink(trace_output); |
| 187 | unlink(strace_output); | 181 | unlink(strace_output); |
| 188 | 182 | ||
diff --git a/src/fbuilder/build_seccomp.c b/src/fbuilder/build_seccomp.c index 64bcac586..fbc0e06f4 100644 --- a/src/fbuilder/build_seccomp.c +++ b/src/fbuilder/build_seccomp.c | |||
| @@ -20,12 +20,11 @@ | |||
| 20 | 20 | ||
| 21 | #include "fbuilder.h" | 21 | #include "fbuilder.h" |
| 22 | 22 | ||
| 23 | void build_seccomp(char *fname, int fd, FILE *fp) { | 23 | void build_seccomp(const char *fname, FILE *fp) { |
| 24 | assert(fname); | 24 | assert(fname); |
| 25 | assert(fd); | ||
| 26 | assert(fp); | 25 | assert(fp); |
| 27 | 26 | ||
| 28 | FILE *fp2 = fdopen(fd, "r"); | 27 | FILE *fp2 = fopen(fname, "r"); |
| 29 | if (!fp2) { | 28 | if (!fp2) { |
| 30 | fprintf(stderr, "Error: cannot open %s\n", fname); | 29 | fprintf(stderr, "Error: cannot open %s\n", fname); |
| 31 | exit(1); | 30 | exit(1); |
| @@ -88,12 +87,11 @@ int inet = 0; | |||
| 88 | int inet6 = 0; | 87 | int inet6 = 0; |
| 89 | int netlink = 0; | 88 | int netlink = 0; |
| 90 | int packet = 0; | 89 | int packet = 0; |
| 91 | static void process_protocol(char *fname, int fd) { | 90 | static void process_protocol(const char *fname) { |
| 92 | assert(fname); | 91 | assert(fname); |
| 93 | assert(fd); | ||
| 94 | 92 | ||
| 95 | // process trace file | 93 | // process trace file |
| 96 | FILE *fp = fdopen(fd, "r"); | 94 | FILE *fp = fopen(fname, "r"); |
| 97 | if (!fp) { | 95 | if (!fp) { |
| 98 | fprintf(stderr, "Error: cannot open %s\n", fname); | 96 | fprintf(stderr, "Error: cannot open %s\n", fname); |
| 99 | exit(1); | 97 | exit(1); |
| @@ -144,13 +142,11 @@ static void process_protocol(char *fname, int fd) { | |||
| 144 | 142 | ||
| 145 | 143 | ||
| 146 | // process fname, fname.1, fname.2, fname.3, fname.4, fname.5 | 144 | // process fname, fname.1, fname.2, fname.3, fname.4, fname.5 |
| 147 | void build_protocol(char *fname, int fd, FILE *fp) { | 145 | void build_protocol(const char *fname, FILE *fp) { |
| 148 | assert(fname); | 146 | assert(fname); |
| 149 | assert(fd); | ||
| 150 | assert(fp); | ||
| 151 | 147 | ||
| 152 | // run fname | 148 | // run fname |
| 153 | process_protocol(fname, fd); | 149 | process_protocol(fname); |
| 154 | 150 | ||
| 155 | // run all the rest | 151 | // run all the rest |
| 156 | struct stat s; | 152 | struct stat s; |
| @@ -159,11 +155,8 @@ void build_protocol(char *fname, int fd, FILE *fp) { | |||
| 159 | char *newname; | 155 | char *newname; |
| 160 | if (asprintf(&newname, "%s.%d", fname, i) == -1) | 156 | if (asprintf(&newname, "%s.%d", fname, i) == -1) |
| 161 | errExit("asprintf"); | 157 | errExit("asprintf"); |
| 162 | if (stat(newname, &s) == 0) { | 158 | if (stat(newname, &s) == 0) |
| 163 | int nfd = open(newname, O_RDONLY); | 159 | process_protocol(newname); |
| 164 | process_protocol(newname, nfd); | ||
| 165 | unlink(newname); | ||
| 166 | } | ||
| 167 | free(newname); | 160 | free(newname); |
| 168 | } | 161 | } |
| 169 | 162 | ||
diff --git a/src/fbuilder/fbuilder.h b/src/fbuilder/fbuilder.h index 480569027..f0d16eb26 100644 --- a/src/fbuilder/fbuilder.h +++ b/src/fbuilder/fbuilder.h | |||
| @@ -36,21 +36,21 @@ extern int arg_debug; | |||
| 36 | void build_profile(int argc, char **argv, int index, FILE *fp); | 36 | void build_profile(int argc, char **argv, int index, FILE *fp); |
| 37 | 37 | ||
| 38 | // build_seccomp.c | 38 | // build_seccomp.c |
| 39 | void build_seccomp(char *fname, int fd, FILE *fp); | 39 | void build_seccomp(const char *fname, FILE *fp); |
| 40 | void build_protocol(char *fname, int fd, FILE *fp); | 40 | void build_protocol(const char *fname, FILE *fp); |
| 41 | 41 | ||
| 42 | // build_fs.c | 42 | // build_fs.c |
| 43 | void build_etc(char *fname, FILE *fp, FILE *fpo); | 43 | void build_etc(const char *fname, FILE *fp); |
| 44 | void build_var(char *fname, FILE *fp, FILE *fpo); | 44 | void build_var(const char *fname, FILE *fp); |
| 45 | void build_tmp(char *fname, FILE *fp, FILE *fpo); | 45 | void build_tmp(const char *fname, FILE *fp); |
| 46 | void build_dev(char *fname, FILE *fp, FILE *fpo); | 46 | void build_dev(const char *fname, FILE *fp); |
| 47 | void build_share(char *fname, FILE *fp, FILE *fpo); | 47 | void build_share(const char *fname, FILE *fp); |
| 48 | 48 | ||
| 49 | // build_bin.c | 49 | // build_bin.c |
| 50 | void build_bin(char *fname, FILE *fp, FILE *fpo); | 50 | void build_bin(const char *fname, FILE *fp); |
| 51 | 51 | ||
| 52 | // build_home.c | 52 | // build_home.c |
| 53 | void build_home(char *fname, FILE *fp, FILE *fpo); | 53 | void build_home(const char *fname, FILE *fp); |
| 54 | 54 | ||
| 55 | // utils.c | 55 | // utils.c |
| 56 | int is_dir(const char *fname); | 56 | int is_dir(const char *fname); |
| @@ -67,4 +67,4 @@ FileDB *filedb_add(FileDB *head, const char *fname); | |||
| 67 | FileDB *filedb_find(FileDB *head, const char *fname); | 67 | FileDB *filedb_find(FileDB *head, const char *fname); |
| 68 | void filedb_print(FileDB *head, const char *prefix, FILE *fp); | 68 | void filedb_print(FileDB *head, const char *prefix, FILE *fp); |
| 69 | 69 | ||
| 70 | #endif | 70 | #endif \ No newline at end of file |