author | netblue30 <netblue30@yahoo.com> | 2017-11-02 13:03:34 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-11-02 13:03:34 -0400 |
commit | ac5a936b331ab738ff5dadfb5153b6480f9b0bce (patch) | |
tree | 417ef1eb2481f9aab8627099ec48d11aa5493483 /src | |
parent | fixing filesystem reporting for firetools (diff) | |
matching noblacklist in profile files with blacklist in disable-programs.inc
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs.c | 33 |
1 files changed, 31 insertions, 2 deletions
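--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -183,10 +183,24 @@ static void disable_file(OPERATION op, const char *filename) {
 free(fname);
 }
 
+// check noblacklist statements not matched by a proper blacklist in disable-*.inc files
+static int nbcheck_start = 0;
+static size_t nbcheck_size = 0;
+static int *nbcheck = NULL;
+
 // Treat pattern as a shell glob pattern and blacklist matching files
 static void globbing(OPERATION op, const char *pattern, const char *noblacklist[], size_t noblacklist_len) {
 assert(pattern);
 
+if (nbcheck_start == 0) {
+nbcheck_start = 1;
+nbcheck_size = noblacklist_len;
+nbcheck = malloc(sizeof(int) * noblacklist_len);
+if (nbcheck == NULL)
+errExit("malloc");
+memset(nbcheck, 0, sizeof(int) * noblacklist_len);
+}
+
 glob_t globbuf;
 // Profiles contain blacklists for files that might not exist on a user's machine.
 // GLOB_NOCHECK makes that okay.
@@ -212,6 +226,8 @@ static void globbing(OPERATION op, const char *pattern, const char *noblacklist[
 continue;
 else if (result == 0) {
 okay_to_blacklist = false;
+if (j < nbcheck_size) // noblacklist checking
+nbcheck[j] = 1;
 break;
 }
 else {
@@ -403,8 +419,21 @@ void fs_blacklist(void) {
 }
 
 size_t i;
-for (i = 0; i < noblacklist_c; i++) free(noblacklist[i]);
-free(noblacklist);
+// noblacklist checking
+for (i = 0; i < nbcheck_size; i++)
+if (!arg_quiet && !nbcheck[i])
+printf("TESTING warning: noblacklist %s not matched by a proper blacklist command in disable*.inc\n",
+noblacklist[i]);
+
+// free memory
+if (nbcheck) {
+free(nbcheck);
+nbcheck = NULL;
+nbcheck_size = 0;
+}
+for (i = 0; i < noblacklist_c; i++)
+free(noblacklist[i]);
+free(noblacklist);
 }
 
 static int get_mount_flags(const char *path, unsigned long *flags) {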
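Review bot: The cleanup block in fs_blacklist (new lines 429-433) resets nbcheck and nbcheck_size but not nbcheck_start, so the one-shot guard in globbing (new line 195) never re-arms: if globbing is reached again later in the process, the `j < nbcheck_size` check at line 229 silently disables tracking instead of allocating a fresh table; add `nbcheck_start = 0;` next to `nbcheck_size = 0;`. The malloc+memset pair at lines 198-201 is simpler and overflow-safe as `nbcheck = calloc(noblacklist_len, sizeof *nbcheck);`. The table size is captured at the first globbing call, so noblacklist entries appended after that point are never reported, and the reporting loop at line 423 indexes noblacklist[i] for i < nbcheck_size, which is only safe if the array never shrinks below that captured length; I cannot see the collection code from this hunk, so a comment on the static declarations stating that assumption would help, e.g. `// sized at the first globbing() call; noblacklist[] must not shrink afterwards`.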