add /usr/share whitelisting support in --build

author: netblue30 <netblue30@yahoo.com> 2017-10-22 08:14:04 -0400
committer: netblue30 <netblue30@yahoo.com> 2017-10-22 08:14:04 -0400
commit: ba74462631d3411e12ede6943d61de1cb612779a (patch)
tree: 92e02af59ff95c0914e93d2b70668814950d6eba /src/fbuilder
parent: Merge branch 'master' of http://github.com/netblue30/firejail (diff)
download: firejail-ba74462631d3411e12ede6943d61de1cb612779a.tar.gz
firejail-ba74462631d3411e12ede6943d61de1cb612779a.tar.zst
firejail-ba74462631d3411e12ede6943d61de1cb612779a.zip
3 files changed, 33 insertions, 0 deletions
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
index 6f3907770..5e63c241a 100644
--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -171,6 +171,37 @@ void build_var(const char *fname) {
                filedb_print(var_out, "whitelist ");
 }
+//*******************************************
+// usr/share directory
+//*******************************************
+static FileDB *share_out = NULL;
+static void share_callback(char *ptr) {
+        // extract the directory:
+        // "/usr/share/bash-completion/bash_completion"  becomes "/usr/share/bash-completion"
+        assert(strncmp(ptr, "/usr/share", 10) == 0);
+        char *p1 = ptr + 10;
+        if (*p1 != '/')
+                return;
+        p1++;
+        char *p2 = strchr(p1, '/');
+        if (p2)
+                *p2 = '\0';
+        share_out = filedb_add(share_out, ptr);
+}
+void build_share(const char *fname) {
+        assert(fname);
+        process_files(fname, "/usr/share", share_callback);
+        if (share_out == NULL)
+                printf("blacklist /usr/share\n");
+        else
+                filedb_print(share_out, "whitelist ");
+}
 //*******************************************
 // tmp directory
 //*******************************************
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index fbe48cd4b..6d6263035 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -140,6 +140,7 @@ void build_profile(int argc, char **argv, int index) {
                build_etc(TRACE_OUTPUT);
                build_var(TRACE_OUTPUT);
                build_bin(TRACE_OUTPUT);
+                build_share(TRACE_OUTPUT);
                printf("\n");
                printf("### security filters\n");
diff --git a/src/fbuilder/fbuilder.h b/src/fbuilder/fbuilder.h
index c448f3e06..401ae908e 100644
--- a/src/fbuilder/fbuilder.h
+++ b/src/fbuilder/fbuilder.h
@@ -43,6 +43,7 @@ void build_etc(const char *fname);
 void build_var(const char *fname);
 void build_tmp(const char *fname);
 void build_dev(const char *fname);
+void build_share(const char *fname);
 // build_bin.c
 void build_bin(const char *fname);
author	netblue30 <netblue30@yahoo.com>	2017-10-22 08:14:04 -0400
committer	netblue30 <netblue30@yahoo.com>	2017-10-22 08:14:04 -0400
commit	ba74462631d3411e12ede6943d61de1cb612779a (patch)
tree	92e02af59ff95c0914e93d2b70668814950d6eba /src/fbuilder
parent	Merge branch 'master' of http://github.com/netblue30/firejail (diff)
download	firejail-ba74462631d3411e12ede6943d61de1cb612779a.tar.gz firejail-ba74462631d3411e12ede6943d61de1cb612779a.tar.zst firejail-ba74462631d3411e12ede6943d61de1cb612779a.zip

diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c index 6f3907770..5e63c241a 100644 --- a/src/fbuilder/build_fs.c +++ b/src/fbuilder/build_fs.c
@@ -171,6 +171,37 @@ void build_var(const char *fname) {
171	filedb_print(var_out, "whitelist ");	171	filedb_print(var_out, "whitelist ");
172	}	172	}
173		173
		174
		175	//*******************************************
		176	// usr/share directory
		177	//*******************************************
		178	static FileDB *share_out = NULL;
		179	static void share_callback(char *ptr) {
		180	// extract the directory:
		181	// "/usr/share/bash-completion/bash_completion" becomes "/usr/share/bash-completion"
		182	assert(strncmp(ptr, "/usr/share", 10) == 0);
		183	char *p1 = ptr + 10;
		184	if (*p1 != '/')
		185	return;
		186	p1++;
		187	char *p2 = strchr(p1, '/');
		188	if (p2)
		189	*p2 = '\0';
		190
		191	share_out = filedb_add(share_out, ptr);
		192	}
		193
		194	void build_share(const char *fname) {
		195	assert(fname);
		196
		197	process_files(fname, "/usr/share", share_callback);
		198
		199	if (share_out == NULL)
		200	printf("blacklist /usr/share\n");
		201	else
		202	filedb_print(share_out, "whitelist ");
		203	}
		204
174	//*******************************************	205	//*******************************************
175	// tmp directory	206	// tmp directory
176	//*******************************************	207	//*******************************************


diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index fbe48cd4b..6d6263035 100644 --- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c
@@ -140,6 +140,7 @@ void build_profile(int argc, char **argv, int index) {
140	build_etc(TRACE_OUTPUT);	140	build_etc(TRACE_OUTPUT);
141	build_var(TRACE_OUTPUT);	141	build_var(TRACE_OUTPUT);
142	build_bin(TRACE_OUTPUT);	142	build_bin(TRACE_OUTPUT);
		143	build_share(TRACE_OUTPUT);
143	printf("\n");	144	printf("\n");
144		145
145	printf("### security filters\n");	146	printf("### security filters\n");


diff --git a/src/fbuilder/fbuilder.h b/src/fbuilder/fbuilder.h index c448f3e06..401ae908e 100644 --- a/src/fbuilder/fbuilder.h +++ b/src/fbuilder/fbuilder.h
@@ -43,6 +43,7 @@ void build_etc(const char *fname);
43	void build_var(const char *fname);	43	void build_var(const char *fname);
44	void build_tmp(const char *fname);	44	void build_tmp(const char *fname);
45	void build_dev(const char *fname);	45	void build_dev(const char *fname);
		46	void build_share(const char *fname);
46		47
47	// build_bin.c	48	// build_bin.c
48	void build_bin(const char *fname);	49	void build_bin(const char *fname);