diff options
| author |  ಚಿರಾಗ್ ನಟರಾಜ್ <chiraag.nataraj@gmail.com> | 2018-08-16 09:42:58 -0400 |
|---|---|---|
| committer | ಚಿರಾಗ್ ನಟರಾಜ್ <chiraag.nataraj@gmail.com> | 2018-08-16 09:42:58 -0400 |
| commit | b0f49116fb026fe08fc30c495c637c42ed3195ad (patch) | |
| tree | 0656986b7e39f857f48c576f7671a29001a56ace /src/fbuilder | |
| parent | harden private-home mounting, small improvements (diff) | |
| download | firejail-b0f49116fb026fe08fc30c495c637c42ed3195ad.tar.gz firejail-b0f49116fb026fe08fc30c495c637c42ed3195ad.tar.zst firejail-b0f49116fb026fe08fc30c495c637c42ed3195ad.zip | |
Generate temporary filenames instead of using a fixed one (fixes #2083)
Diffstat (limited to 'src/fbuilder')
| -rw-r--r-- | src/fbuilder/build_bin.c | 36 | ||||
| -rw-r--r-- | src/fbuilder/build_fs.c | 100 | ||||
| -rw-r--r-- | src/fbuilder/build_home.c | 37 | ||||
| -rw-r--r-- | src/fbuilder/build_profile.c | 99 | ||||
| -rw-r--r-- | src/fbuilder/build_seccomp.c | 22 | ||||
| -rw-r--r-- | src/fbuilder/fbuilder.h | 21 |
6 files changed, 197 insertions, 118 deletions
diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c index 1230fb780..602610750 100644 --- a/src/fbuilder/build_bin.c +++ b/src/fbuilder/build_bin.c | |||
| @@ -21,15 +21,16 @@ | |||
| 21 | 21 | ||
| 22 | static FileDB *bin_out = NULL; | 22 | static FileDB *bin_out = NULL; |
| 23 | 23 | ||
| 24 | static void process_bin(const char *fname) { | 24 | static void process_bin(char *fname, FILE *fp) { |
| 25 | assert(fname); | 25 | assert(fname); |
| 26 | assert(fp); | ||
| 26 | 27 | ||
| 27 | // process trace file | 28 | // process trace file |
| 28 | FILE *fp = fopen(fname, "r"); | 29 | /* FILE *fp = fdopen(fd, "r"); */ |
| 29 | if (!fp) { | 30 | /* if (!fp) { */ |
| 30 | fprintf(stderr, "Error: cannot open %s\n", fname); | 31 | /* fprintf(stderr, "Error: cannot open %s\n", fname); */ |
| 31 | exit(1); | 32 | /* exit(1); */ |
| 32 | } | 33 | /* } */ |
| 33 | 34 | ||
| 34 | char buf[MAX_BUF]; | 35 | char buf[MAX_BUF]; |
| 35 | while (fgets(buf, MAX_BUF, fp)) { | 36 | while (fgets(buf, MAX_BUF, fp)) { |
| @@ -90,16 +91,18 @@ static void process_bin(const char *fname) { | |||
| 90 | bin_out = filedb_add(bin_out, ptr); | 91 | bin_out = filedb_add(bin_out, ptr); |
| 91 | } | 92 | } |
| 92 | 93 | ||
| 93 | fclose(fp); | 94 | /* fclose(fp); */ |
| 94 | } | 95 | } |
| 95 | 96 | ||
| 96 | 97 | ||
| 97 | // process fname, fname.1, fname.2, fname.3, fname.4, fname.5 | 98 | // process fname, fname.1, fname.2, fname.3, fname.4, fname.5 |
| 98 | void build_bin(const char *fname, FILE *fp) { | 99 | void build_bin(char *fname, FILE *fp, FILE *fpo) { |
| 99 | assert(fname); | 100 | assert(fname); |
| 101 | assert(fp); | ||
| 102 | assert(fpo); | ||
| 100 | 103 | ||
| 101 | // run fname | 104 | // run fname |
| 102 | process_bin(fname); | 105 | process_bin(fname, fp); |
| 103 | 106 | ||
| 104 | // run all the rest | 107 | // run all the rest |
| 105 | struct stat s; | 108 | struct stat s; |
| @@ -109,18 +112,23 @@ void build_bin(const char *fname, FILE *fp) { | |||
| 109 | if (asprintf(&newname, "%s.%d", fname, i) == -1) | 112 | if (asprintf(&newname, "%s.%d", fname, i) == -1) |
| 110 | errExit("asprintf"); | 113 | errExit("asprintf"); |
| 111 | if (stat(newname, &s) == 0) | 114 | if (stat(newname, &s) == 0) |
| 112 | process_bin(newname); | 115 | { |
| 116 | int nfd = open(newname, O_RDONLY); | ||
| 117 | FILE *nfp = fdopen(nfd, "r"); | ||
| 118 | process_bin(newname, nfp); | ||
| 119 | fclose(nfp); | ||
| 120 | } | ||
| 113 | free(newname); | 121 | free(newname); |
| 114 | } | 122 | } |
| 115 | 123 | ||
| 116 | if (bin_out) { | 124 | if (bin_out) { |
| 117 | fprintf(fp, "private-bin "); | 125 | fprintf(fpo, "private-bin "); |
| 118 | FileDB *ptr = bin_out; | 126 | FileDB *ptr = bin_out; |
| 119 | while (ptr) { | 127 | while (ptr) { |
| 120 | fprintf(fp, "%s,", ptr->fname); | 128 | fprintf(fpo, "%s,", ptr->fname); |
| 121 | ptr = ptr->next; | 129 | ptr = ptr->next; |
| 122 | } | 130 | } |
| 123 | fprintf(fp, "\n"); | 131 | fprintf(fpo, "\n"); |
| 124 | fprintf(fp, "# private-lib\n"); | 132 | fprintf(fpo, "# private-lib\n"); |
| 125 | } | 133 | } |
| 126 | } | 134 | } |
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c index 771dc94cb..5ef47979e 100644 --- a/src/fbuilder/build_fs.c +++ b/src/fbuilder/build_fs.c | |||
| @@ -21,19 +21,20 @@ | |||
| 21 | #include "fbuilder.h" | 21 | #include "fbuilder.h" |
| 22 | 22 | ||
| 23 | // common file processing function, using the callback for each line in the file | 23 | // common file processing function, using the callback for each line in the file |
| 24 | static void process_file(const char *fname, const char *dir, void (*callback)(char *)) { | 24 | static void process_file(char *fname, FILE *fp, const char *dir, void (*callback)(char *)) { |
| 25 | assert(fname); | 25 | assert(fname); |
| 26 | assert(fp); | ||
| 26 | assert(dir); | 27 | assert(dir); |
| 27 | assert(callback); | 28 | assert(callback); |
| 28 | 29 | ||
| 29 | int dir_len = strlen(dir); | 30 | int dir_len = strlen(dir); |
| 30 | 31 | ||
| 31 | // process trace file | 32 | // process trace file |
| 32 | FILE *fp = fopen(fname, "r"); | 33 | /* FILE *fp = fdopen(fd, "r"); */ |
| 33 | if (!fp) { | 34 | /* if (!fp) { */ |
| 34 | fprintf(stderr, "Error: cannot open %s\n", fname); | 35 | /* fprintf(stderr, "Error: cannot open %s\n", fname); */ |
| 35 | exit(1); | 36 | /* exit(1); */ |
| 36 | } | 37 | /* } */ |
| 37 | 38 | ||
| 38 | char buf[MAX_BUF]; | 39 | char buf[MAX_BUF]; |
| 39 | while (fgets(buf, MAX_BUF, fp)) { | 40 | while (fgets(buf, MAX_BUF, fp)) { |
| @@ -82,17 +83,18 @@ static void process_file(const char *fname, const char *dir, void (*callback)(ch | |||
| 82 | callback(ptr); | 83 | callback(ptr); |
| 83 | } | 84 | } |
| 84 | 85 | ||
| 85 | fclose(fp); | 86 | /* fclose(fp); */ |
| 86 | } | 87 | } |
| 87 | 88 | ||
| 88 | // process fname, fname.1, fname.2, fname.3, fname.4, fname.5 | 89 | // process fname, fname.1, fname.2, fname.3, fname.4, fname.5 |
| 89 | static void process_files(const char *fname, const char *dir, void (*callback)(char *)) { | 90 | static void process_files(char *fname, FILE *fp, const char *dir, void (*callback)(char *)) { |
| 90 | assert(fname); | 91 | assert(fname); |
| 92 | assert(fp); | ||
| 91 | assert(dir); | 93 | assert(dir); |
| 92 | assert(callback); | 94 | assert(callback); |
| 93 | 95 | ||
| 94 | // run fname | 96 | // run fname |
| 95 | process_file(fname, dir, callback); | 97 | process_file(fname, fp, dir, callback); |
| 96 | 98 | ||
| 97 | // run all the rest | 99 | // run all the rest |
| 98 | struct stat s; | 100 | struct stat s; |
| @@ -101,8 +103,12 @@ static void process_files(const char *fname, const char *dir, void (*callback)(c | |||
| 101 | char *newname; | 103 | char *newname; |
| 102 | if (asprintf(&newname, "%s.%d", fname, i) == -1) | 104 | if (asprintf(&newname, "%s.%d", fname, i) == -1) |
| 103 | errExit("asprintf"); | 105 | errExit("asprintf"); |
| 104 | if (stat(newname, &s) == 0) | 106 | if (stat(newname, &s) == 0) { |
| 105 | process_file(newname, dir, callback); | 107 | int nfd = open(newname, O_RDONLY); |
| 108 | FILE *nfp = fdopen(nfd, "r"); | ||
| 109 | process_file(newname, nfp, dir, callback); | ||
| 110 | fclose(nfp); | ||
| 111 | } | ||
| 106 | free(newname); | 112 | free(newname); |
| 107 | } | 113 | } |
| 108 | } | 114 | } |
| @@ -125,21 +131,23 @@ static void etc_callback(char *ptr) { | |||
| 125 | etc_out = filedb_add(etc_out, ptr); | 131 | etc_out = filedb_add(etc_out, ptr); |
| 126 | } | 132 | } |
| 127 | 133 | ||
| 128 | void build_etc(const char *fname, FILE *fp) { | 134 | void build_etc(char *fname, FILE *fp, FILE *fpo) { |
| 129 | assert(fname); | 135 | assert(fname); |
| 136 | assert(fp); | ||
| 137 | assert(fpo); | ||
| 130 | 138 | ||
| 131 | process_files(fname, "/etc", etc_callback); | 139 | process_files(fname, fp, "/etc", etc_callback); |
| 132 | 140 | ||
| 133 | fprintf(fp, "private-etc "); | 141 | fprintf(fpo, "private-etc "); |
| 134 | if (etc_out == NULL) | 142 | if (etc_out == NULL) |
| 135 | fprintf(fp, "none\n"); | 143 | fprintf(fpo, "none\n"); |
| 136 | else { | 144 | else { |
| 137 | FileDB *ptr = etc_out; | 145 | FileDB *ptr = etc_out; |
| 138 | while (ptr) { | 146 | while (ptr) { |
| 139 | fprintf(fp, "%s,", ptr->fname); | 147 | fprintf(fpo, "%s,", ptr->fname); |
| 140 | ptr = ptr->next; | 148 | ptr = ptr->next; |
| 141 | } | 149 | } |
| 142 | fprintf(fp, "\n"); | 150 | fprintf(fpo, "\n"); |
| 143 | } | 151 | } |
| 144 | } | 152 | } |
| 145 | 153 | ||
| @@ -160,15 +168,17 @@ static void var_callback(char *ptr) { | |||
| 160 | var_out = filedb_add(var_out, ptr); | 168 | var_out = filedb_add(var_out, ptr); |
| 161 | } | 169 | } |
| 162 | 170 | ||
| 163 | void build_var(const char *fname, FILE *fp) { | 171 | void build_var(char *fname, FILE *fp, FILE *fpo) { |
| 164 | assert(fname); | 172 | assert(fname); |
| 173 | assert(fp); | ||
| 174 | assert(fpo); | ||
| 165 | 175 | ||
| 166 | process_files(fname, "/var", var_callback); | 176 | process_files(fname, fp, "/var", var_callback); |
| 167 | 177 | ||
| 168 | if (var_out == NULL) | 178 | if (var_out == NULL) |
| 169 | fprintf(fp, "blacklist /var\n"); | 179 | fprintf(fpo, "blacklist /var\n"); |
| 170 | else | 180 | else |
| 171 | filedb_print(var_out, "whitelist ", fp); | 181 | filedb_print(var_out, "whitelist ", fpo); |
| 172 | } | 182 | } |
| 173 | 183 | ||
| 174 | 184 | ||
| @@ -197,15 +207,17 @@ static void share_callback(char *ptr) { | |||
| 197 | share_out = filedb_add(share_out, ptr); | 207 | share_out = filedb_add(share_out, ptr); |
| 198 | } | 208 | } |
| 199 | 209 | ||
| 200 | void build_share(const char *fname, FILE *fp) { | 210 | void build_share(char *fname, FILE *fp, FILE *fpo) { |
| 201 | assert(fname); | 211 | assert(fname); |
| 212 | assert(fp); | ||
| 213 | assert(fpo); | ||
| 202 | 214 | ||
| 203 | process_files(fname, "/usr/share", share_callback); | 215 | process_files(fname, fp, "/usr/share", share_callback); |
| 204 | 216 | ||
| 205 | if (share_out == NULL) | 217 | if (share_out == NULL) |
| 206 | fprintf(fp, "blacklist /usr/share\n"); | 218 | fprintf(fpo, "blacklist /usr/share\n"); |
| 207 | else | 219 | else |
| 208 | filedb_print(share_out, "whitelist ", fp); | 220 | filedb_print(share_out, "whitelist ", fpo); |
| 209 | } | 221 | } |
| 210 | 222 | ||
| 211 | //******************************************* | 223 | //******************************************* |
| @@ -216,21 +228,23 @@ static void tmp_callback(char *ptr) { | |||
| 216 | filedb_add(tmp_out, ptr); | 228 | filedb_add(tmp_out, ptr); |
| 217 | } | 229 | } |
| 218 | 230 | ||
| 219 | void build_tmp(const char *fname, FILE *fp) { | 231 | void build_tmp(char *fname, FILE *fp, FILE *fpo) { |
| 220 | assert(fname); | 232 | assert(fname); |
| 233 | assert(fp); | ||
| 234 | assert(fpo); | ||
| 221 | 235 | ||
| 222 | process_files(fname, "/tmp", tmp_callback); | 236 | process_files(fname, fp, "/tmp", tmp_callback); |
| 223 | 237 | ||
| 224 | if (tmp_out == NULL) | 238 | if (tmp_out == NULL) |
| 225 | fprintf(fp, "private-tmp\n"); | 239 | fprintf(fpo, "private-tmp\n"); |
| 226 | else { | 240 | else { |
| 227 | fprintf(fp, "\n"); | 241 | fprintf(fpo, "\n"); |
| 228 | fprintf(fp, "# private-tmp\n"); | 242 | fprintf(fpo, "# private-tmp\n"); |
| 229 | fprintf(fp, "# File accessed in /tmp directory:\n"); | 243 | fprintf(fpo, "# File accessed in /tmp directory:\n"); |
| 230 | fprintf(fp, "# "); | 244 | fprintf(fpo, "# "); |
| 231 | FileDB *ptr = tmp_out; | 245 | FileDB *ptr = tmp_out; |
| 232 | while (ptr) { | 246 | while (ptr) { |
| 233 | fprintf(fp, "%s,", ptr->fname); | 247 | fprintf(fpo, "%s,", ptr->fname); |
| 234 | ptr = ptr->next; | 248 | ptr = ptr->next; |
| 235 | } | 249 | } |
| 236 | printf("\n"); | 250 | printf("\n"); |
| @@ -294,24 +308,26 @@ static void dev_callback(char *ptr) { | |||
| 294 | filedb_add(dev_out, ptr); | 308 | filedb_add(dev_out, ptr); |
| 295 | } | 309 | } |
| 296 | 310 | ||
| 297 | void build_dev(const char *fname, FILE *fp) { | 311 | void build_dev(char *fname, FILE *fp, FILE *fpo) { |
| 298 | assert(fname); | 312 | assert(fname); |
| 313 | assert(fp); | ||
| 314 | assert(fpo); | ||
| 299 | 315 | ||
| 300 | process_files(fname, "/dev", dev_callback); | 316 | process_files(fname, fp, "/dev", dev_callback); |
| 301 | 317 | ||
| 302 | if (dev_out == NULL) | 318 | if (dev_out == NULL) |
| 303 | fprintf(fp, "private-dev\n"); | 319 | fprintf(fpo, "private-dev\n"); |
| 304 | else { | 320 | else { |
| 305 | fprintf(fp, "\n"); | 321 | fprintf(fpo, "\n"); |
| 306 | fprintf(fp, "# private-dev\n"); | 322 | fprintf(fpo, "# private-dev\n"); |
| 307 | fprintf(fp, "# This is the list of devices accessed (on top of regular private-dev devices:\n"); | 323 | fprintf(fpo, "# This is the list of devices accessed (on top of regular private-dev devices:\n"); |
| 308 | fprintf(fp, "# "); | 324 | fprintf(fpo, "# "); |
| 309 | FileDB *ptr = dev_out; | 325 | FileDB *ptr = dev_out; |
| 310 | while (ptr) { | 326 | while (ptr) { |
| 311 | fprintf(fp, "%s,", ptr->fname); | 327 | fprintf(fpo, "%s,", ptr->fname); |
| 312 | ptr = ptr->next; | 328 | ptr = ptr->next; |
| 313 | } | 329 | } |
| 314 | fprintf(fp, "\n"); | 330 | fprintf(fpo, "\n"); |
| 315 | } | 331 | } |
| 316 | } | 332 | } |
| 317 | 333 | ||
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c index 7470a8d10..d97b6b33a 100644 --- a/src/fbuilder/build_home.c +++ b/src/fbuilder/build_home.c | |||
| @@ -47,17 +47,18 @@ static void load_whitelist_common(void) { | |||
| 47 | fclose(fp); | 47 | fclose(fp); |
| 48 | } | 48 | } |
| 49 | 49 | ||
| 50 | void process_home(const char *fname, char *home, int home_len) { | 50 | void process_home(char *fname, FILE *fp, char *home, int home_len) { |
| 51 | assert(fname); | 51 | assert(fname); |
| 52 | assert(fp); | ||
| 52 | assert(home); | 53 | assert(home); |
| 53 | assert(home_len); | 54 | assert(home_len); |
| 54 | 55 | ||
| 55 | // process trace file | 56 | // process trace file |
| 56 | FILE *fp = fopen(fname, "r"); | 57 | /* FILE *fp = fdopen(fd, "r"); */ |
| 57 | if (!fp) { | 58 | /* if (!fp) { */ |
| 58 | fprintf(stderr, "Error: cannot open %s\n", fname); | 59 | /* fprintf(stderr, "Error: cannot open %s\n", fname); */ |
| 59 | exit(1); | 60 | /* exit(1); */ |
| 60 | } | 61 | /* } */ |
| 61 | 62 | ||
| 62 | char buf[MAX_BUF]; | 63 | char buf[MAX_BUF]; |
| 63 | while (fgets(buf, MAX_BUF, fp)) { | 64 | while (fgets(buf, MAX_BUF, fp)) { |
| @@ -153,13 +154,15 @@ void process_home(const char *fname, char *home, int home_len) { | |||
| 153 | free(dir); | 154 | free(dir); |
| 154 | 155 | ||
| 155 | } | 156 | } |
| 156 | fclose(fp); | 157 | /* fclose(fp); */ |
| 157 | } | 158 | } |
| 158 | 159 | ||
| 159 | 160 | ||
| 160 | // process fname, fname.1, fname.2, fname.3, fname.4, fname.5 | 161 | // process fname, fname.1, fname.2, fname.3, fname.4, fname.5 |
| 161 | void build_home(const char *fname, FILE *fp) { | 162 | void build_home(char *fname, FILE *fp, FILE *fpo) { |
| 162 | assert(fname); | 163 | assert(fname); |
| 164 | assert(fp); | ||
| 165 | assert(fpo); | ||
| 163 | 166 | ||
| 164 | // load whitelist common | 167 | // load whitelist common |
| 165 | load_whitelist_common(); | 168 | load_whitelist_common(); |
| @@ -174,7 +177,7 @@ void build_home(const char *fname, FILE *fp) { | |||
| 174 | int home_len = strlen(home); | 177 | int home_len = strlen(home); |
| 175 | 178 | ||
| 176 | // run fname | 179 | // run fname |
| 177 | process_home(fname, home, home_len); | 180 | process_home(fname, fp, home, home_len); |
| 178 | 181 | ||
| 179 | // run all the rest | 182 | // run all the rest |
| 180 | struct stat s; | 183 | struct stat s; |
| @@ -183,17 +186,21 @@ void build_home(const char *fname, FILE *fp) { | |||
| 183 | char *newname; | 186 | char *newname; |
| 184 | if (asprintf(&newname, "%s.%d", fname, i) == -1) | 187 | if (asprintf(&newname, "%s.%d", fname, i) == -1) |
| 185 | errExit("asprintf"); | 188 | errExit("asprintf"); |
| 186 | if (stat(newname, &s) == 0) | 189 | if (stat(newname, &s) == 0) { |
| 187 | process_home(newname, home, home_len); | 190 | int nfd = open(newname, O_RDONLY); |
| 191 | FILE *nfp = fdopen(nfd, "r"); | ||
| 192 | process_home(newname, nfp, home, home_len); | ||
| 193 | fclose(nfp); | ||
| 194 | } | ||
| 188 | free(newname); | 195 | free(newname); |
| 189 | } | 196 | } |
| 190 | 197 | ||
| 191 | // print the out list if any | 198 | // print the out list if any |
| 192 | if (db_out) { | 199 | if (db_out) { |
| 193 | filedb_print(db_out, "whitelist ~/", fp); | 200 | filedb_print(db_out, "whitelist ~/", fpo); |
| 194 | fprintf(fp, "include /etc/firejail/whitelist-common.inc\n"); | 201 | fprintf(fpo, "include /etc/firejail/whitelist-common.inc\n"); |
| 195 | } | 202 | } |
| 196 | else | 203 | else |
| 197 | fprintf(fp, "private\n"); | 204 | fprintf(fpo, "private\n"); |
| 198 | 205 | ||
| 199 | } \ No newline at end of file | 206 | } |
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index 125487c41..0c65d3413 100644 --- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c | |||
| @@ -20,25 +20,24 @@ | |||
| 20 | 20 | ||
| 21 | #include "fbuilder.h" | 21 | #include "fbuilder.h" |
| 22 | #include <sys/wait.h> | 22 | #include <sys/wait.h> |
| 23 | #include <fcntl.h> | 23 | |
| 24 | 24 | #define TRACE_OUTPUT "/tmp/firejail-trace.XXXXXX" | |
| 25 | #define TRACE_OUTPUT "/tmp/firejail-trace" | 25 | #define STRACE_OUTPUT "/tmp/firejail-strace.XXXXXX" |
| 26 | #define STRACE_OUTPUT "/tmp/firejail-strace" | 26 | |
| 27 | 27 | /* static char *cmdlist[] = { */ | |
| 28 | static char *cmdlist[] = { | 28 | /* "/usr/bin/firejail", */ |
| 29 | "/usr/bin/firejail", | 29 | /* "--quiet", */ |
| 30 | "--quiet", | 30 | /* "--output=" TRACE_OUTPUT, */ |
| 31 | "--output=" TRACE_OUTPUT, | 31 | /* "--noprofile", */ |
| 32 | "--noprofile", | 32 | /* "--caps.drop=all", */ |
| 33 | "--caps.drop=all", | 33 | /* "--nonewprivs", */ |
| 34 | "--nonewprivs", | 34 | /* "--trace", */ |
| 35 | "--trace", | 35 | /* "--shell=none", */ |
| 36 | "--shell=none", | 36 | /* "/usr/bin/strace", // also used as a marker in build_profile() */ |
| 37 | "/usr/bin/strace", // also used as a marker in build_profile() | 37 | /* "-c", */ |
| 38 | "-c", | 38 | /* "-f", */ |
| 39 | "-f", | 39 | /* "-o" STRACE_OUTPUT, */ |
| 40 | "-o" STRACE_OUTPUT, | 40 | /* }; */ |
| 41 | }; | ||
| 42 | 41 | ||
| 43 | static void clear_tmp_files(void) { | 42 | static void clear_tmp_files(void) { |
| 44 | unlink(STRACE_OUTPUT); | 43 | unlink(STRACE_OUTPUT); |
| @@ -64,7 +63,47 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
| 64 | } | 63 | } |
| 65 | 64 | ||
| 66 | // clean /tmp files | 65 | // clean /tmp files |
| 67 | clear_tmp_files(); | 66 | /* clear_tmp_files(); */ |
| 67 | |||
| 68 | char trace_output[] = "/tmp/firejail-trace.XXXXXX"; | ||
| 69 | char strace_output[] = "/tmp/firejail-strace.XXXXXX"; | ||
| 70 | |||
| 71 | int tfile = mkstemp(trace_output); | ||
| 72 | int stfile = mkstemp(strace_output); | ||
| 73 | |||
| 74 | if(tfile == -1 || stfile == -1) | ||
| 75 | errExit("mkstemp"); | ||
| 76 | |||
| 77 | FILE *tp = fdopen(tfile, "r"); | ||
| 78 | |||
| 79 | if (!tp) { | ||
| 80 | fprintf(stderr, "Error: cannot open %s\n", trace_output); | ||
| 81 | exit(1); | ||
| 82 | } | ||
| 83 | |||
| 84 | char *output; | ||
| 85 | char *stroutput; | ||
| 86 | |||
| 87 | if(asprintf(&output,"--output=%s",trace_output) == -1) | ||
| 88 | errExit("asprintf"); | ||
| 89 | |||
| 90 | if(asprintf(&stroutput,"-o %s",strace_output) == -1) | ||
| 91 | errExit("asprintf"); | ||
| 92 | |||
| 93 | char *cmdlist[] = { | ||
| 94 | "/usr/bin/firejail", | ||
| 95 | "--quiet", | ||
| 96 | output, | ||
| 97 | "--noprofile", | ||
| 98 | "--caps.drop=all", | ||
| 99 | "--nonewprivs", | ||
| 100 | "--trace", | ||
| 101 | "--shell=none", | ||
| 102 | "/usr/bin/strace", // also used as a marker in build_profile() | ||
| 103 | "-c", | ||
| 104 | "-f", | ||
| 105 | stroutput, | ||
| 106 | }; | ||
| 68 | 107 | ||
| 69 | // detect strace | 108 | // detect strace |
| 70 | int have_strace = 0; | 109 | int have_strace = 0; |
| @@ -131,16 +170,16 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
| 131 | fprintf(fp, "\n"); | 170 | fprintf(fp, "\n"); |
| 132 | 171 | ||
| 133 | fprintf(fp, "### home directory whitelisting\n"); | 172 | fprintf(fp, "### home directory whitelisting\n"); |
| 134 | build_home(TRACE_OUTPUT, fp); | 173 | build_home(trace_output, tp, fp); |
| 135 | fprintf(fp, "\n"); | 174 | fprintf(fp, "\n"); |
| 136 | 175 | ||
| 137 | fprintf(fp, "### filesystem\n"); | 176 | fprintf(fp, "### filesystem\n"); |
| 138 | build_tmp(TRACE_OUTPUT, fp); | 177 | build_tmp(trace_output, tp, fp); |
| 139 | build_dev(TRACE_OUTPUT, fp); | 178 | build_dev(trace_output, tp, fp); |
| 140 | build_etc(TRACE_OUTPUT, fp); | 179 | build_etc(trace_output, tp, fp); |
| 141 | build_var(TRACE_OUTPUT, fp); | 180 | build_var(trace_output, tp, fp); |
| 142 | build_bin(TRACE_OUTPUT, fp); | 181 | build_bin(trace_output, tp, fp); |
| 143 | build_share(TRACE_OUTPUT, fp); | 182 | build_share(trace_output, tp, fp); |
| 144 | fprintf(fp, "\n"); | 183 | fprintf(fp, "\n"); |
| 145 | 184 | ||
| 146 | fprintf(fp, "### security filters\n"); | 185 | fprintf(fp, "### security filters\n"); |
| @@ -148,7 +187,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
| 148 | fprintf(fp, "nonewprivs\n"); | 187 | fprintf(fp, "nonewprivs\n"); |
| 149 | fprintf(fp, "seccomp\n"); | 188 | fprintf(fp, "seccomp\n"); |
| 150 | if (have_strace) | 189 | if (have_strace) |
| 151 | build_seccomp(STRACE_OUTPUT, fp); | 190 | build_seccomp(strace_output, stfile, fp); |
| 152 | else { | 191 | else { |
| 153 | fprintf(fp, "# If you install strace on your system, Firejail will also create a\n"); | 192 | fprintf(fp, "# If you install strace on your system, Firejail will also create a\n"); |
| 154 | fprintf(fp, "# whitelisted seccomp filter.\n"); | 193 | fprintf(fp, "# whitelisted seccomp filter.\n"); |
| @@ -156,11 +195,13 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
| 156 | fprintf(fp, "\n"); | 195 | fprintf(fp, "\n"); |
| 157 | 196 | ||
| 158 | fprintf(fp, "### network\n"); | 197 | fprintf(fp, "### network\n"); |
| 159 | build_protocol(TRACE_OUTPUT, fp); | 198 | build_protocol(trace_output, tfile, fp); |
| 160 | fprintf(fp, "\n"); | 199 | fprintf(fp, "\n"); |
| 161 | 200 | ||
| 162 | fprintf(fp, "### environment\n"); | 201 | fprintf(fp, "### environment\n"); |
| 163 | fprintf(fp, "shell none\n"); | 202 | fprintf(fp, "shell none\n"); |
| 203 | |||
| 204 | fclose(tp); | ||
| 164 | 205 | ||
| 165 | } | 206 | } |
| 166 | else { | 207 | else { |
diff --git a/src/fbuilder/build_seccomp.c b/src/fbuilder/build_seccomp.c index fbc0e06f4..f275caf80 100644 --- a/src/fbuilder/build_seccomp.c +++ b/src/fbuilder/build_seccomp.c | |||
| @@ -20,11 +20,12 @@ | |||
| 20 | 20 | ||
| 21 | #include "fbuilder.h" | 21 | #include "fbuilder.h" |
| 22 | 22 | ||
| 23 | void build_seccomp(const char *fname, FILE *fp) { | 23 | void build_seccomp(char *fname, int fd, FILE *fp) { |
| 24 | assert(fname); | 24 | assert(fname); |
| 25 | assert(fd); | ||
| 25 | assert(fp); | 26 | assert(fp); |
| 26 | 27 | ||
| 27 | FILE *fp2 = fopen(fname, "r"); | 28 | FILE *fp2 = fdopen(fd, "r"); |
| 28 | if (!fp2) { | 29 | if (!fp2) { |
| 29 | fprintf(stderr, "Error: cannot open %s\n", fname); | 30 | fprintf(stderr, "Error: cannot open %s\n", fname); |
| 30 | exit(1); | 31 | exit(1); |
| @@ -87,11 +88,12 @@ int inet = 0; | |||
| 87 | int inet6 = 0; | 88 | int inet6 = 0; |
| 88 | int netlink = 0; | 89 | int netlink = 0; |
| 89 | int packet = 0; | 90 | int packet = 0; |
| 90 | static void process_protocol(const char *fname) { | 91 | static void process_protocol(char *fname, int fd) { |
| 91 | assert(fname); | 92 | assert(fname); |
| 93 | assert(fd); | ||
| 92 | 94 | ||
| 93 | // process trace file | 95 | // process trace file |
| 94 | FILE *fp = fopen(fname, "r"); | 96 | FILE *fp = fdopen(fd, "r"); |
| 95 | if (!fp) { | 97 | if (!fp) { |
| 96 | fprintf(stderr, "Error: cannot open %s\n", fname); | 98 | fprintf(stderr, "Error: cannot open %s\n", fname); |
| 97 | exit(1); | 99 | exit(1); |
| @@ -142,11 +144,13 @@ static void process_protocol(const char *fname) { | |||
| 142 | 144 | ||
| 143 | 145 | ||
| 144 | // process fname, fname.1, fname.2, fname.3, fname.4, fname.5 | 146 | // process fname, fname.1, fname.2, fname.3, fname.4, fname.5 |
| 145 | void build_protocol(const char *fname, FILE *fp) { | 147 | void build_protocol(char *fname, int fd, FILE *fp) { |
| 146 | assert(fname); | 148 | assert(fname); |
| 149 | assert(fd); | ||
| 150 | assert(fp); | ||
| 147 | 151 | ||
| 148 | // run fname | 152 | // run fname |
| 149 | process_protocol(fname); | 153 | process_protocol(fname, fd); |
| 150 | 154 | ||
| 151 | // run all the rest | 155 | // run all the rest |
| 152 | struct stat s; | 156 | struct stat s; |
| @@ -155,8 +159,10 @@ void build_protocol(const char *fname, FILE *fp) { | |||
| 155 | char *newname; | 159 | char *newname; |
| 156 | if (asprintf(&newname, "%s.%d", fname, i) == -1) | 160 | if (asprintf(&newname, "%s.%d", fname, i) == -1) |
| 157 | errExit("asprintf"); | 161 | errExit("asprintf"); |
| 158 | if (stat(newname, &s) == 0) | 162 | if (stat(newname, &s) == 0) { |
| 159 | process_protocol(newname); | 163 | int nfd = open(newname, O_RDONLY); |
| 164 | process_protocol(newname, nfd); | ||
| 165 | } | ||
| 160 | free(newname); | 166 | free(newname); |
| 161 | } | 167 | } |
| 162 | 168 | ||
diff --git a/src/fbuilder/fbuilder.h b/src/fbuilder/fbuilder.h index 0a0fd42c9..480569027 100644 --- a/src/fbuilder/fbuilder.h +++ b/src/fbuilder/fbuilder.h | |||
| @@ -25,6 +25,7 @@ | |||
| 25 | #include <pwd.h> | 25 | #include <pwd.h> |
| 26 | #include <sys/types.h> | 26 | #include <sys/types.h> |
| 27 | #include <sys/stat.h> | 27 | #include <sys/stat.h> |
| 28 | #include <fcntl.h> | ||
| 28 | 29 | ||
| 29 | 30 | ||
| 30 | #define MAX_BUF 4096 | 31 | #define MAX_BUF 4096 |
| @@ -35,21 +36,21 @@ extern int arg_debug; | |||
| 35 | void build_profile(int argc, char **argv, int index, FILE *fp); | 36 | void build_profile(int argc, char **argv, int index, FILE *fp); |
| 36 | 37 | ||
| 37 | // build_seccomp.c | 38 | // build_seccomp.c |
| 38 | void build_seccomp(const char *fname, FILE *fp); | 39 | void build_seccomp(char *fname, int fd, FILE *fp); |
| 39 | void build_protocol(const char *fname, FILE *fp); | 40 | void build_protocol(char *fname, int fd, FILE *fp); |
| 40 | 41 | ||
| 41 | // build_fs.c | 42 | // build_fs.c |
| 42 | void build_etc(const char *fname, FILE *fp); | 43 | void build_etc(char *fname, FILE *fp, FILE *fpo); |
| 43 | void build_var(const char *fname, FILE *fp); | 44 | void build_var(char *fname, FILE *fp, FILE *fpo); |
| 44 | void build_tmp(const char *fname, FILE *fp); | 45 | void build_tmp(char *fname, FILE *fp, FILE *fpo); |
| 45 | void build_dev(const char *fname, FILE *fp); | 46 | void build_dev(char *fname, FILE *fp, FILE *fpo); |
| 46 | void build_share(const char *fname, FILE *fp); | 47 | void build_share(char *fname, FILE *fp, FILE *fpo); |
| 47 | 48 | ||
| 48 | // build_bin.c | 49 | // build_bin.c |
| 49 | void build_bin(const char *fname, FILE *fp); | 50 | void build_bin(char *fname, FILE *fp, FILE *fpo); |
| 50 | 51 | ||
| 51 | // build_home.c | 52 | // build_home.c |
| 52 | void build_home(const char *fname, FILE *fp); | 53 | void build_home(char *fname, FILE *fp, FILE *fpo); |
| 53 | 54 | ||
| 54 | // utils.c | 55 | // utils.c |
| 55 | int is_dir(const char *fname); | 56 | int is_dir(const char *fname); |
| @@ -66,4 +67,4 @@ FileDB *filedb_add(FileDB *head, const char *fname); | |||
| 66 | FileDB *filedb_find(FileDB *head, const char *fname); | 67 | FileDB *filedb_find(FileDB *head, const char *fname); |
| 67 | void filedb_print(FileDB *head, const char *prefix, FILE *fp); | 68 | void filedb_print(FileDB *head, const char *prefix, FILE *fp); |
| 68 | 69 | ||
| 69 | #endif \ No newline at end of file | 70 | #endif |