seccomp work 1

author: netblue30 <netblue30@yahoo.com> 2016-11-20 07:45:50 -0500
committer: netblue30 <netblue30@yahoo.com> 2016-11-20 07:45:50 -0500
commit: 64431c712ffb5d4805b61ea740bc9be98cf1b48f (patch)
tree: b0ef6c3b653192a427de181bafd70702a15d43bd /src/firejail/preproc.c
parent: qemu profile (diff)
download: firejail-64431c712ffb5d4805b61ea740bc9be98cf1b48f.tar.gz
firejail-64431c712ffb5d4805b61ea740bc9be98cf1b48f.tar.zst
firejail-64431c712ffb5d4805b61ea740bc9be98cf1b48f.zip
1 files changed, 12 insertions, 46 deletions
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index ea4e6743f..d2db7d3dd 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -56,9 +56,9 @@ void preproc_build_firejail_dir(void) {
                create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);
        }
        
-        if (stat(RUN_MNT_DIR, &s)) {
+        if (stat(RUN_MNT_DIR, &s)) {
-                create_empty_dir_as_root(RUN_MNT_DIR, 0755);
+                create_empty_dir_as_root(RUN_MNT_DIR, 0755);
-        }
+        }
        create_empty_file_as_root(RUN_RO_FILE, S_IRUSR);
        create_empty_dir_as_root(RUN_RO_DIR, S_IRUSR);
@@ -75,51 +75,17 @@ void preproc_mount_mnt_dir(void) {
                tmpfs_mounted = 1;
                fs_logger2("tmpfs", RUN_MNT_DIR);
                
-                // create all seccomp files
+                //copy defaultl seccomp files
-                // as root, create RUN_SECCOMP_I386 file
+                copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644);
-                create_empty_file_as_root(RUN_SECCOMP_I386, 0644);
+                copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644);
-                if (set_perms(RUN_SECCOMP_I386, getuid(), getgid(), 0644))
+                if (arg_allow_debuggers)
-                        errExit("set_perms");
+                        copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
+                else
-                // as root, create RUN_SECCOMP_AMD64 file
+                        copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
-                create_empty_file_as_root(RUN_SECCOMP_AMD64, 0644);
+                        
-                if (set_perms(RUN_SECCOMP_AMD64, getuid(), getgid(), 0644))
+                // as root, create an empty RUN_SECCOMP_PROTOCOL file
-                        errExit("set_perms");
-                // as root, create RUN_SECCOMP file
-                create_empty_file_as_root(RUN_SECCOMP_CFG, 0644);
-                if (set_perms(RUN_SECCOMP_CFG, getuid(), getgid(), 0644))
-                        errExit("set_perms");
-                // as root, create RUN_SECCOMP_PROTOCOL file
                create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);
                if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))
                        errExit("set_perms");
        }
 }
-// grab a copy of cp command
-void preproc_build_cp_command(void) {
-        struct stat s;
-        preproc_mount_mnt_dir();
-        if (stat(RUN_CP_COMMAND, &s)) {
-                char* fname = realpath("/bin/cp", NULL);
-                if (fname == NULL || stat(fname, &s) || is_link(fname)) {
-                        fprintf(stderr, "Error: invalid /bin/cp\n");
-                        exit(1);
-                }
-                int rv = copy_file(fname, RUN_CP_COMMAND, 0, 0, 0755);
-                if (rv) {
-                        fprintf(stderr, "Error: cannot access /bin/cp\n");
-                        exit(1);
-                }
-                ASSERT_PERMS(RUN_CP_COMMAND, 0, 0, 0755);
-                        
-                free(fname);
-        }
-}
-// delete the temporary cp command
-void preproc_delete_cp_command(void) {
-        unlink(RUN_CP_COMMAND);
-}
author	netblue30 <netblue30@yahoo.com>	2016-11-20 07:45:50 -0500
committer	netblue30 <netblue30@yahoo.com>	2016-11-20 07:45:50 -0500
commit	64431c712ffb5d4805b61ea740bc9be98cf1b48f (patch)
tree	b0ef6c3b653192a427de181bafd70702a15d43bd /src/firejail/preproc.c
parent	qemu profile (diff)
download	firejail-64431c712ffb5d4805b61ea740bc9be98cf1b48f.tar.gz firejail-64431c712ffb5d4805b61ea740bc9be98cf1b48f.tar.zst firejail-64431c712ffb5d4805b61ea740bc9be98cf1b48f.zip

diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index ea4e6743f..d2db7d3dd 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c
@@ -56,9 +56,9 @@ void preproc_build_firejail_dir(void) {
56	create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);	56	create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);
57	}	57	}
58		58
59	if (stat(RUN_MNT_DIR, &s)) {	59	if (stat(RUN_MNT_DIR, &s)) {
60	create_empty_dir_as_root(RUN_MNT_DIR, 0755);	60	create_empty_dir_as_root(RUN_MNT_DIR, 0755);
61	}	61	}
62		62
63	create_empty_file_as_root(RUN_RO_FILE, S_IRUSR);	63	create_empty_file_as_root(RUN_RO_FILE, S_IRUSR);
64	create_empty_dir_as_root(RUN_RO_DIR, S_IRUSR);	64	create_empty_dir_as_root(RUN_RO_DIR, S_IRUSR);
@@ -75,51 +75,17 @@ void preproc_mount_mnt_dir(void) {
75	tmpfs_mounted = 1;	75	tmpfs_mounted = 1;
76	fs_logger2("tmpfs", RUN_MNT_DIR);	76	fs_logger2("tmpfs", RUN_MNT_DIR);
77		77
78	// create all seccomp files	78	//copy defaultl seccomp files
79	// as root, create RUN_SECCOMP_I386 file	79	copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644);
80	create_empty_file_as_root(RUN_SECCOMP_I386, 0644);	80	copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644);
81	if (set_perms(RUN_SECCOMP_I386, getuid(), getgid(), 0644))	81	if (arg_allow_debuggers)
82	errExit("set_perms");	82	copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
83		83	else
84	// as root, create RUN_SECCOMP_AMD64 file	84	copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644);
85	create_empty_file_as_root(RUN_SECCOMP_AMD64, 0644);	85
86	if (set_perms(RUN_SECCOMP_AMD64, getuid(), getgid(), 0644))	86	// as root, create an empty RUN_SECCOMP_PROTOCOL file
87	errExit("set_perms");
88
89	// as root, create RUN_SECCOMP file
90	create_empty_file_as_root(RUN_SECCOMP_CFG, 0644);
91	if (set_perms(RUN_SECCOMP_CFG, getuid(), getgid(), 0644))
92	errExit("set_perms");
93
94	// as root, create RUN_SECCOMP_PROTOCOL file
95	create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);	87	create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);
96	if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))	88	if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))
97	errExit("set_perms");	89	errExit("set_perms");
98	}	90	}
99	}	91	}
100
101	// grab a copy of cp command
102	void preproc_build_cp_command(void) {
103	struct stat s;
104	preproc_mount_mnt_dir();
105	if (stat(RUN_CP_COMMAND, &s)) {
106	char* fname = realpath("/bin/cp", NULL);
107	if (fname == NULL \|\| stat(fname, &s) \|\| is_link(fname)) {
108	fprintf(stderr, "Error: invalid /bin/cp\n");
109	exit(1);
110	}
111	int rv = copy_file(fname, RUN_CP_COMMAND, 0, 0, 0755);
112	if (rv) {
113	fprintf(stderr, "Error: cannot access /bin/cp\n");
114	exit(1);
115	}
116	ASSERT_PERMS(RUN_CP_COMMAND, 0, 0, 0755);
117
118	free(fname);
119	}
120	}
121
122	// delete the temporary cp command
123	void preproc_delete_cp_command(void) {
124	unlink(RUN_CP_COMMAND);
125	}