author | netblue30 <netblue30@protonmail.com> | 2021-05-04 16:46:54 -0400 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2021-05-04 16:46:54 -0400 |
commit | 8988842c1bec4a41c09591e47771bf30247a5539 (patch) | |
tree | 274a62e6959ee23dee1084edb21b3abc6ae9f657 /src/fbuilder | |
parent | Merge pull request #4209 from davidebeatrici/private-dev-input-support-and-no... (diff) | |
download | firejail-8988842c1bec4a41c09591e47771bf30247a5539.tar.gz firejail-8988842c1bec4a41c09591e47771bf30247a5539.tar.zst firejail-8988842c1bec4a41c09591e47771bf30247a5539.zip |
--build fixes
Diffstat (limited to 'src/fbuilder')
-rw-r--r-- | src/fbuilder/build_fs.c | 129 | ||||
-rw-r--r-- | src/fbuilder/build_profile.c | 23 |
2 files changed, 110 insertions, 42 deletions
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c index ac0cd455a..b35380b96 100644 --- a/src/fbuilder/build_fs.c +++ b/src/fbuilder/build_fs.c | |||
@@ -177,6 +177,74 @@ void build_var(const char *fname, FILE *fp) { | |||
177 | //******************************************* | 177 | //******************************************* |
178 | // usr/share directory | 178 | // usr/share directory |
179 | //******************************************* | 179 | //******************************************* |
180 | // todo: load the list from whitelist-usr-share-common.inc | ||
181 | static char *share_skip[] = { | ||
182 | "/usr/share/alsa", | ||
183 | "/usr/share/applications", | ||
184 | "/usr/share/ca-certificates", | ||
185 | "/usr/share/crypto-policies", | ||
186 | "/usr/share/cursors", | ||
187 | "/usr/share/dconf", | ||
188 | "/usr/share/distro-info", | ||
189 | "/usr/share/drirc.d", | ||
190 | "/usr/share/enchant", | ||
191 | "/usr/share/enchant-2", | ||
192 | "/usr/share/file", | ||
193 | "/usr/share/fontconfig", | ||
194 | "/usr/share/fonts", | ||
195 | "/usr/share/fonts-config", | ||
196 | "/usr/share/gir-1.0", | ||
197 | "/usr/share/gjs-1.0", | ||
198 | "/usr/share/glib-2.0", | ||
199 | "/usr/share/glvnd", | ||
200 | "/usr/share/gtk-2.0", | ||
201 | "/usr/share/gtk-3.0", | ||
202 | "/usr/share/gtk-engines", | ||
203 | "/usr/share/gtksourceview-3.0", | ||
204 | "/usr/share/gtksourceview-4", | ||
205 | "/usr/share/hunspell", | ||
206 | "/usr/share/hwdata", | ||
207 | "/usr/share/icons", | ||
208 | "/usr/share/icu", | ||
209 | "/usr/share/knotifications5", | ||
210 | "/usr/share/kservices5", | ||
211 | "/usr/share/Kvantum", | ||
212 | "/usr/share/kxmlgui5", | ||
213 | "/usr/share/libdrm", | ||
214 | "/usr/share/libthai", | ||
215 | "/usr/share/locale", | ||
216 | "/usr/share/mime", | ||
217 | "/usr/share/misc", | ||
218 | "/usr/share/Modules", | ||
219 | "/usr/share/myspell", | ||
220 | "/usr/share/p11-kit", | ||
221 | "/usr/share/perl", | ||
222 | "/usr/share/perl5", | ||
223 | "/usr/share/pixmaps", | ||
224 | "/usr/share/pki", | ||
225 | "/usr/share/plasma", | ||
226 | "/usr/share/publicsuffix", | ||
227 | "/usr/share/qt", | ||
228 | "/usr/share/qt4", | ||
229 | "/usr/share/qt5", | ||
230 | "/usr/share/qt5ct", | ||
231 | "/usr/share/sounds", | ||
232 | "/usr/share/tcl8.6", | ||
233 | "/usr/share/tcltk", | ||
234 | "/usr/share/terminfo", | ||
235 | "/usr/share/texlive", | ||
236 | "/usr/share/texmf", | ||
237 | "/usr/share/themes", | ||
238 | "/usr/share/thumbnail.so", | ||
239 | "/usr/share/uim", | ||
240 | "/usr/share/vulkan", | ||
241 | "/usr/share/X11", | ||
242 | "/usr/share/xml", | ||
243 | "/usr/share/zenity", | ||
244 | "/usr/share/zoneinfo", | ||
245 | NULL | ||
246 | }; | ||
247 | |||
180 | static FileDB *share_out = NULL; | 248 | static FileDB *share_out = NULL; |
181 | static void share_callback(char *ptr) { | 249 | static void share_callback(char *ptr) { |
182 | // extract the directory: | 250 | // extract the directory: |
@@ -195,8 +263,17 @@ static void share_callback(char *ptr) { | |||
195 | if (p2) | 263 | if (p2) |
196 | *p2 = '\0'; | 264 | *p2 = '\0'; |
197 | 265 | ||
198 | // store the file | 266 | int i = 0; |
199 | share_out = filedb_add(share_out, ptr); | 267 | int found = 0; |
268 | while (share_skip[i]) { | ||
269 | if (strncmp(ptr, share_skip[i], strlen(share_skip[i])) == 0) { | ||
270 | found = 1; | ||
271 | break; | ||
272 | } | ||
273 | i++; | ||
274 | } | ||
275 | if (!found) | ||
276 | share_out = filedb_add(share_out, ptr); | ||
200 | } | 277 | } |
201 | 278 | ||
202 | void build_share(const char *fname, FILE *fp) { | 279 | void build_share(const char *fname, FILE *fp) { |
@@ -252,40 +329,36 @@ void build_tmp(const char *fname, FILE *fp) { | |||
252 | // dev directory | 329 | // dev directory |
253 | //******************************************* | 330 | //******************************************* |
254 | static char *dev_skip[] = { | 331 | static char *dev_skip[] = { |
332 | "/dev/stdin", | ||
333 | "/dev/stdout", | ||
334 | "/dev/stderr", | ||
255 | "/dev/zero", | 335 | "/dev/zero", |
256 | "/dev/null", | 336 | "/dev/null", |
257 | "/dev/full", | 337 | "/dev/full", |
258 | "/dev/random", | 338 | "/dev/random", |
259 | "/dev/urandom", | 339 | "/dev/urandom", |
340 | "/dev/sr0", | ||
341 | "/dev/cdrom", | ||
342 | "/dev/cdrw", | ||
343 | "/dev/dvd", | ||
344 | "/dev/dvdrw", | ||
345 | "/dev/fd", | ||
346 | "/dev/pts", | ||
347 | "/dev/ptmx", | ||
348 | "/dev/log", | ||
349 | |||
350 | "/dev/aload", // old ALSA devices, not covered in private-dev | ||
351 | "/dev/dsp", // old OSS device, deprecated | ||
352 | |||
260 | "/dev/tty", | 353 | "/dev/tty", |
261 | "/dev/snd", | 354 | "/dev/snd", |
262 | "/dev/dri", | 355 | "/dev/dri", |
263 | "/dev/pts", | 356 | "/dev/nvidia", |
264 | "/dev/nvidia0", | 357 | "/dev/video", |
265 | "/dev/nvidia1", | ||
266 | "/dev/nvidia2", | ||
267 | "/dev/nvidia3", | ||
268 | "/dev/nvidia4", | ||
269 | "/dev/nvidia5", | ||
270 | "/dev/nvidia6", | ||
271 | "/dev/nvidia7", | ||
272 | "/dev/nvidia8", | ||
273 | "/dev/nvidia9", | ||
274 | "/dev/nvidiactl", | ||
275 | "/dev/nvidia-modeset", | ||
276 | "/dev/nvidia-uvm", | ||
277 | "/dev/video0", | ||
278 | "/dev/video1", | ||
279 | "/dev/video2", | ||
280 | "/dev/video3", | ||
281 | "/dev/video4", | ||
282 | "/dev/video5", | ||
283 | "/dev/video6", | ||
284 | "/dev/video7", | ||
285 | "/dev/video8", | ||
286 | "/dev/video9", | ||
287 | "/dev/dvb", | 358 | "/dev/dvb", |
288 | "/dev/sr0", | 359 | "/dev/hidraw", |
360 | "/dev/usb", | ||
361 | "/dev/input", | ||
289 | NULL | 362 | NULL |
290 | }; | 363 | }; |
291 | 364 | ||
@@ -295,7 +368,7 @@ static void dev_callback(char *ptr) { | |||
295 | int i = 0; | 368 | int i = 0; |
296 | int found = 0; | 369 | int found = 0; |
297 | while (dev_skip[i]) { | 370 | while (dev_skip[i]) { |
298 | if (strcmp(ptr, dev_skip[i]) == 0) { | 371 | if (strncmp(ptr, dev_skip[i], strlen(dev_skip[i])) == 0) { |
299 | found = 1; | 372 | found = 1; |
300 | break; | 373 | break; |
301 | } | 374 | } |
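Review bot: The strcmp-to-strncmp change on the dev_callback comparison line turns every dev_skip entry into a bare prefix, so "/dev/tty" now also swallows /dev/ttyS*, /dev/ttyUSB* and /dev/tty1, and "/dev/usb" swallows /dev/usbmon*; anything matched here never reaches the generated profile, so an application that actually used one of those devices gets a profile that silently omits it. The same bare-prefix test appears in share_callback on the line comparing against share_skip, where it also makes the "/usr/share/qt4", "/usr/share/qt5", "/usr/share/qt5ct", "/usr/share/perl5" and "/usr/share/enchant-2" entries redundant behind "/usr/share/qt", "/usr/share/perl" and "/usr/share/enchant". A small match helper that accepts the prefix only when it is followed by end of string, '/' or a digit keeps the intended nvidia0..9 and video0..9 collapsing while excluding unrelated device names, and can be shared by both callbacks; "/dev/nvidiactl", "/dev/nvidia-modeset" and "/dev/nvidia-uvm", which this hunk removes from the table, would then need to be listed again explicitly. At minimum the tables deserve a comment such as `// entries are matched as prefixes by dev_callback/share_callback` so the next maintainer does not add an entry like "/dev/fd" expecting an exact match. dev_callback starts before the hunk and its body continues past it.
```c
// Accept `prefix` only at a path-component boundary or before a trailing
// digit: "/dev/nvidia" still covers /dev/nvidia0..9, but "/dev/tty" no
// longer covers /dev/ttyS0 or /dev/ttyUSB0.
static int skip_prefix_match(const char *path, const char *prefix) {
	size_t len = strlen(prefix);
	if (strncmp(path, prefix, len) != 0)
		return 0;
	char next = path[len];
	return next == '\0' || next == '/' || (next >= '0' && next <= '9');
}

// … unchanged: dev_skip table and dev_callback prologue …
	while (dev_skip[i]) {
		if (skip_prefix_match(ptr, dev_skip[i])) {
```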
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index 0c1b57384..100630eb9 100644 --- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c | |||
@@ -160,24 +160,21 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
160 | 160 | ||
161 | fprintf(fp, "### home directory whitelisting\n"); | 161 | fprintf(fp, "### home directory whitelisting\n"); |
162 | build_home(trace_output, fp); | 162 | build_home(trace_output, fp); |
163 | fprintf(fp, "\n"); | ||
164 | 163 | ||
165 | fprintf(fp, "### filesystem\n"); | 164 | fprintf(fp, "\n### /usr/share:\n"); |
166 | fprintf(fp, "### /usr/share:\n"); | ||
167 | build_share(trace_output, fp); | 165 | build_share(trace_output, fp); |
168 | fprintf(fp, "### /var:\n"); | 166 | fprintf(fp, "\n### /var:\n"); |
169 | build_var(trace_output, fp); | 167 | build_var(trace_output, fp); |
170 | fprintf(fp, "### /bin:\n"); | 168 | fprintf(fp, "\n### /bin:\n"); |
171 | build_bin(trace_output, fp); | 169 | build_bin(trace_output, fp); |
172 | fprintf(fp, "### /dev:\n"); | 170 | fprintf(fp, "\n### /dev:\n"); |
173 | build_dev(trace_output, fp); | 171 | build_dev(trace_output, fp); |
174 | fprintf(fp, "### /etc:\n"); | 172 | fprintf(fp, "\n### /etc:\n"); |
175 | build_etc(trace_output, fp); | 173 | build_etc(trace_output, fp); |
176 | fprintf(fp, "### /tmp:\n"); | 174 | fprintf(fp, "\n### /tmp:\n"); |
177 | build_tmp(trace_output, fp); | 175 | build_tmp(trace_output, fp); |
178 | fprintf(fp, "\n"); | ||
179 | 176 | ||
180 | fprintf(fp, "### security filters\n"); | 177 | fprintf(fp, "\n### security filters\n"); |
181 | fprintf(fp, "caps.drop all\n"); | 178 | fprintf(fp, "caps.drop all\n"); |
182 | fprintf(fp, "nonewprivs\n"); | 179 | fprintf(fp, "nonewprivs\n"); |
183 | fprintf(fp, "seccomp\n"); | 180 | fprintf(fp, "seccomp\n"); |
@@ -189,13 +186,11 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
189 | fprintf(fp, "# Yama security module prevents creation of a whitelisted seccomp filter\n"); | 186 | fprintf(fp, "# Yama security module prevents creation of a whitelisted seccomp filter\n"); |
190 | else | 187 | else |
191 | build_seccomp(strace_output, fp); | 188 | build_seccomp(strace_output, fp); |
192 | fprintf(fp, "\n"); | ||
193 | 189 | ||
194 | fprintf(fp, "### network\n"); | 190 | fprintf(fp, "\n### network\n"); |
195 | build_protocol(trace_output, fp); | 191 | build_protocol(trace_output, fp); |
196 | fprintf(fp, "\n"); | ||
197 | 192 | ||
198 | fprintf(fp, "### environment\n"); | 193 | fprintf(fp, "\n### environment\n"); |
199 | fprintf(fp, "shell none\n"); | 194 | fprintf(fp, "shell none\n"); |
200 | 195 | ||
201 | if (!arg_debug) { | 196 | if (!arg_debug) { |