author | ಚಿರಾಗ್ ನಟರಾಜ್ <chiraag.nataraj@gmail.com> | 2018-08-16 09:42:58 -0400 |
---|---|---|
committer | ಚಿರಾಗ್ ನಟರಾಜ್ <chiraag.nataraj@gmail.com> | 2018-08-16 09:42:58 -0400 |
commit | b0f49116fb026fe08fc30c495c637c42ed3195ad (patch) | |
tree | 0656986b7e39f857f48c576f7671a29001a56ace /src | |
parent | harden private-home mounting, small improvements (diff) | |
Generate temporary filenames instead of using a fixed one (fixes #2083)
Diffstat (limited to 'src')
-rw-r--r-- | src/fbuilder/build_bin.c | 36 | ||||
-rw-r--r-- | src/fbuilder/build_fs.c | 100 | ||||
-rw-r--r-- | src/fbuilder/build_home.c | 37 | ||||
-rw-r--r-- | src/fbuilder/build_profile.c | 99 | ||||
-rw-r--r-- | src/fbuilder/build_seccomp.c | 22 | ||||
-rw-r--r-- | src/fbuilder/fbuilder.h | 21 |
6 files changed, 197 insertions, 118 deletions
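diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c
index 1230fb780..602610750 100644
--- a/src/fbuilder/build_bin.c
+++ b/src/fbuilder/build_bin.c
@@ -21,15 +21,16 @@
 
 static FileDB *bin_out = NULL;
 
-static void process_bin(const char *fname) {
+static void process_bin(char *fname, FILE *fp) {
 assert(fname);
+assert(fp);
 
 // process trace file
-FILE *fp = fopen(fname, "r");
-if (!fp) {
-fprintf(stderr, "Error: cannot open %s\n", fname);
-exit(1);
-}
+/* FILE *fp = fdopen(fd, "r"); */
+/* if (!fp) { */
+/* fprintf(stderr, "Error: cannot open %s\n", fname); */
+/* exit(1); */
+/* } */
 
 char buf[MAX_BUF];
 while (fgets(buf, MAX_BUF, fp)) {
@@ -90,16 +91,18 @@ static void process_bin(const char *fname) {
 bin_out = filedb_add(bin_out, ptr);
 }
 
-fclose(fp);
+/* fclose(fp); */
 }
 
 
 // process fname, fname.1, fname.2, fname.3, fname.4, fname.5
-void build_bin(const char *fname, FILE *fp) {
+void build_bin(char *fname, FILE *fp, FILE *fpo) {
 assert(fname);
+assert(fp);
+assert(fpo);
 
 // run fname
-process_bin(fname);
+process_bin(fname, fp);
 
 // run all the rest
 struct stat s;
@@ -109,18 +112,23 @@ void build_bin(const char *fname, FILE *fp) {
 if (asprintf(&newname, "%s.%d", fname, i) == -1)
 errExit("asprintf");
 if (stat(newname, &s) == 0)
-process_bin(newname);
+{
+int nfd = open(newname, O_RDONLY);
+FILE *nfp = fdopen(nfd, "r");
+process_bin(newname, nfp);
+fclose(nfp);
+}
 free(newname);
 }
 
 if (bin_out) {
-fprintf(fp, "private-bin ");
+fprintf(fpo, "private-bin ");
 FileDB *ptr = bin_out;
 while (ptr) {
-fprintf(fp, "%s,", ptr->fname);
+fprintf(fpo, "%s,", ptr->fname);
 ptr = ptr->next;
 }
-fprintf(fp, "\n");
-fprintf(fp, "# private-lib\n");
+fprintf(fpo, "\n");
+fprintf(fpo, "# private-lib\n");
 }
 }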
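Review bot: The `open(newname, O_RDONLY)` / `fdopen(nfd, "r")` pair at new lines 116-117 is unchecked, so if the rotated file vanishes between the `stat()` on line 114 and the `open()`, or is simply unreadable, `nfp` is NULL and `process_bin()` hands it straight to `fgets()`; the replaced `fopen()` path reported "cannot open" and exited instead. Since `fdopen(-1, "r")` also returns NULL, one check after line 117 covers both failures: `if (!nfp) { fprintf(stderr, "Error: cannot open %s\n", newname); exit(1); }`, after which the preceding `stat()` is redundant (open and test for ENOENT). The commented-out open/close block at new lines 29-33 and 94 should be deleted rather than parked, and the new ownership rule deserves a line on `process_bin()` such as `// fp is owned by the caller: read from its current offset to EOF and left open`. Nothing in these hunks writes through `fname` (it is only asserted and formatted by `asprintf()`), so it can keep its `const`. The rotation loop header of `build_bin()` lies outside the hunk.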
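diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
index 771dc94cb..5ef47979e 100644
--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -21,19 +21,20 @@
 #include "fbuilder.h"
 
 // common file processing function, using the callback for each line in the file
-static void process_file(const char *fname, const char *dir, void (*callback)(char *)) {
+static void process_file(char *fname, FILE *fp, const char *dir, void (*callback)(char *)) {
 assert(fname);
+assert(fp);
 assert(dir);
 assert(callback);
 
 int dir_len = strlen(dir);
 
 // process trace file
-FILE *fp = fopen(fname, "r");
-if (!fp) {
-fprintf(stderr, "Error: cannot open %s\n", fname);
-exit(1);
-}
+/* FILE *fp = fdopen(fd, "r"); */
+/* if (!fp) { */
+/* fprintf(stderr, "Error: cannot open %s\n", fname); */
+/* exit(1); */
+/* } */
 
 char buf[MAX_BUF];
 while (fgets(buf, MAX_BUF, fp)) {
@@ -82,17 +83,18 @@ static void process_file(const char *fname, const char *dir, void (*callback)(ch
 callback(ptr);
 }
 
-fclose(fp);
+/* fclose(fp); */
 }
 
 // process fname, fname.1, fname.2, fname.3, fname.4, fname.5
-static void process_files(const char *fname, const char *dir, void (*callback)(char *)) {
+static void process_files(char *fname, FILE *fp, const char *dir, void (*callback)(char *)) {
 assert(fname);
+assert(fp);
 assert(dir);
 assert(callback);
 
 // run fname
-process_file(fname, dir, callback);
+process_file(fname, fp, dir, callback);
 
 // run all the rest
 struct stat s;
@@ -101,8 +103,12 @@ static void process_files(const char *fname, const char *dir, void (*callback)(c
 char *newname;
 if (asprintf(&newname, "%s.%d", fname, i) == -1)
 errExit("asprintf");
-if (stat(newname, &s) == 0)
-process_file(newname, dir, callback);
+if (stat(newname, &s) == 0) {
+int nfd = open(newname, O_RDONLY);
+FILE *nfp = fdopen(nfd, "r");
+process_file(newname, nfp, dir, callback);
+fclose(nfp);
+}
 free(newname);
 }
 }
@@ -125,21 +131,23 @@ static void etc_callback(char *ptr) {
 etc_out = filedb_add(etc_out, ptr);
 }
 
-void build_etc(const char *fname, FILE *fp) {
+void build_etc(char *fname, FILE *fp, FILE *fpo) {
 assert(fname);
+assert(fp);
+assert(fpo);
 
-process_files(fname, "/etc", etc_callback);
+process_files(fname, fp, "/etc", etc_callback);
 
-fprintf(fp, "private-etc ");
+fprintf(fpo, "private-etc ");
 if (etc_out == NULL)
-fprintf(fp, "none\n");
+fprintf(fpo, "none\n");
 else {
 FileDB *ptr = etc_out;
 while (ptr) {
-fprintf(fp, "%s,", ptr->fname);
+fprintf(fpo, "%s,", ptr->fname);
 ptr = ptr->next;
 }
-fprintf(fp, "\n");
+fprintf(fpo, "\n");
 }
 }
 
@@ -160,15 +168,17 @@ static void var_callback(char *ptr) {
 var_out = filedb_add(var_out, ptr);
 }
 
-void build_var(const char *fname, FILE *fp) {
+void build_var(char *fname, FILE *fp, FILE *fpo) {
 assert(fname);
+assert(fp);
+assert(fpo);
 
-process_files(fname, "/var", var_callback);
+process_files(fname, fp, "/var", var_callback);
 
 if (var_out == NULL)
-fprintf(fp, "blacklist /var\n");
+fprintf(fpo, "blacklist /var\n");
 else
-filedb_print(var_out, "whitelist ", fp);
+filedb_print(var_out, "whitelist ", fpo);
 }
 
 
@@ -197,15 +207,17 @@ static void share_callback(char *ptr) {
 share_out = filedb_add(share_out, ptr);
 }
 
-void build_share(const char *fname, FILE *fp) {
+void build_share(char *fname, FILE *fp, FILE *fpo) {
 assert(fname);
+assert(fp);
+assert(fpo);
 
-process_files(fname, "/usr/share", share_callback);
+process_files(fname, fp, "/usr/share", share_callback);
 
 if (share_out == NULL)
-fprintf(fp, "blacklist /usr/share\n");
+fprintf(fpo, "blacklist /usr/share\n");
 else
-filedb_print(share_out, "whitelist ", fp);
+filedb_print(share_out, "whitelist ", fpo);
 }
 
 //*******************************************
@@ -216,21 +228,23 @@ static void tmp_callback(char *ptr) {
 filedb_add(tmp_out, ptr);
 }
 
-void build_tmp(const char *fname, FILE *fp) {
+void build_tmp(char *fname, FILE *fp, FILE *fpo) {
 assert(fname);
+assert(fp);
+assert(fpo);
 
-process_files(fname, "/tmp", tmp_callback);
+process_files(fname, fp, "/tmp", tmp_callback);
 
 if (tmp_out == NULL)
-fprintf(fp, "private-tmp\n");
+fprintf(fpo, "private-tmp\n");
 else {
-fprintf(fp, "\n");
-fprintf(fp, "# private-tmp\n");
-fprintf(fp, "# File accessed in /tmp directory:\n");
-fprintf(fp, "# ");
+fprintf(fpo, "\n");
+fprintf(fpo, "# private-tmp\n");
+fprintf(fpo, "# File accessed in /tmp directory:\n");
+fprintf(fpo, "# ");
 FileDB *ptr = tmp_out;
 while (ptr) {
-fprintf(fp, "%s,", ptr->fname);
+fprintf(fpo, "%s,", ptr->fname);
 ptr = ptr->next;
 }
 printf("\n");
@@ -294,24 +308,26 @@ static void dev_callback(char *ptr) {
 filedb_add(dev_out, ptr);
 }
 
-void build_dev(const char *fname, FILE *fp) {
+void build_dev(char *fname, FILE *fp, FILE *fpo) {
 assert(fname);
+assert(fp);
+assert(fpo);
 
-process_files(fname, "/dev", dev_callback);
+process_files(fname, fp, "/dev", dev_callback);
 
 if (dev_out == NULL)
-fprintf(fp, "private-dev\n");
+fprintf(fpo, "private-dev\n");
 else {
-fprintf(fp, "\n");
-fprintf(fp, "# private-dev\n");
-fprintf(fp, "# This is the list of devices accessed (on top of regular private-dev devices:\n");
-fprintf(fp, "# ");
+fprintf(fpo, "\n");
+fprintf(fpo, "# private-dev\n");
+fprintf(fpo, "# This is the list of devices accessed (on top of regular private-dev devices:\n");
+fprintf(fpo, "# ");
 FileDB *ptr = dev_out;
 while (ptr) {
-fprintf(fp, "%s,", ptr->fname);
+fprintf(fpo, "%s,", ptr->fname);
 ptr = ptr->next;
 }
-fprintf(fp, "\n");
+fprintf(fpo, "\n");
 }
 }
 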
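Review bot: `process_file()` now reads `fp` from wherever the caller left it until EOF (new line 40) and never rewinds, yet the same trace stream is passed in turn to `build_tmp`, `build_dev`, `build_etc`, `build_var` and `build_share` (and, per the build_profile.c hunks, to `build_home` before any of them), so every consumer after the first sees an exhausted stream, its callback never fires, and the generated profile collapses to `private-tmp`, `private-dev`, `private-etc none`, `blacklist /var` and `blacklist /usr/share` regardless of what was traced. Add `rewind(fp);` at the top of `process_file()`, immediately before the `fgets()` loop at line 40, so each builder scans the whole file. The `open()`/`fdopen()` pair at lines 107-108 is unchecked as well; a failed open (including `fdopen(-1, "r")`) yields a NULL `nfp` that `process_file()` dereferences, where the old `fopen()` path exited with "cannot open", so `if (!nfp) { fprintf(stderr, "Error: cannot open %s\n", newname); exit(1); }` belongs after line 108. Two pre-existing defects survive on the new side and are worth fixing while the call sites are being touched: `filedb_add(tmp_out, ptr);` (line 228) and `filedb_add(dev_out, ptr);` (line 308) discard the return value that `etc_callback` assigns back (line 131), so unless `filedb_add()` grows a NULL head in place those two lists stay empty, and `printf("\n");` at line 250 writes to stdout instead of `fpo`.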
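diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c
index 7470a8d10..d97b6b33a 100644
--- a/src/fbuilder/build_home.c
+++ b/src/fbuilder/build_home.c
@@ -47,17 +47,18 @@ static void load_whitelist_common(void) {
 fclose(fp);
 }
 
-void process_home(const char *fname, char *home, int home_len) {
+void process_home(char *fname, FILE *fp, char *home, int home_len) {
 assert(fname);
+assert(fp);
 assert(home);
 assert(home_len);
 
 // process trace file
-FILE *fp = fopen(fname, "r");
-if (!fp) {
-fprintf(stderr, "Error: cannot open %s\n", fname);
-exit(1);
-}
+/* FILE *fp = fdopen(fd, "r"); */
+/* if (!fp) { */
+/* fprintf(stderr, "Error: cannot open %s\n", fname); */
+/* exit(1); */
+/* } */
 
 char buf[MAX_BUF];
 while (fgets(buf, MAX_BUF, fp)) {
@@ -153,13 +154,15 @@ void process_home(const char *fname, char *home, int home_len) {
 free(dir);
 
 }
-fclose(fp);
+/* fclose(fp); */
 }
 
 
 // process fname, fname.1, fname.2, fname.3, fname.4, fname.5
-void build_home(const char *fname, FILE *fp) {
+void build_home(char *fname, FILE *fp, FILE *fpo) {
 assert(fname);
+assert(fp);
+assert(fpo);
 
 // load whitelist common
 load_whitelist_common();
@@ -174,7 +177,7 @@ void build_home(const char *fname, FILE *fp) {
 int home_len = strlen(home);
 
 // run fname
-process_home(fname, home, home_len);
+process_home(fname, fp, home, home_len);
 
 // run all the rest
 struct stat s;
@@ -183,17 +186,21 @@ void build_home(const char *fname, FILE *fp) {
 char *newname;
 if (asprintf(&newname, "%s.%d", fname, i) == -1)
 errExit("asprintf");
-if (stat(newname, &s) == 0)
-process_home(newname, home, home_len);
+if (stat(newname, &s) == 0) {
+int nfd = open(newname, O_RDONLY);
+FILE *nfp = fdopen(nfd, "r");
+process_home(newname, nfp, home, home_len);
+fclose(nfp);
+}
 free(newname);
 }
 
 // print the out list if any
 if (db_out) {
-filedb_print(db_out, "whitelist ~/", fp);
-fprintf(fp, "include /etc/firejail/whitelist-common.inc\n");
+filedb_print(db_out, "whitelist ~/", fpo);
+fprintf(fpo, "include /etc/firejail/whitelist-common.inc\n");
 }
 else
-fprintf(fp, "private\n");
+fprintf(fpo, "private\n");
 
-}
\ No newline at end of file
+}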
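Review bot: `process_home()` keeps the old open-and-check block as a comment (new lines 57-61 and 157) instead of stating the new contract; commented-out code should be removed and the signature given a line such as `// fp: trace stream owned by the caller; read from its current offset to EOF and left open`, because a caller that reuses one stream across builders otherwise gets EOF here (build_profile.c passes the same `tp` on to six more builders after this one, and nothing in these hunks rewinds it). `char *fname` can stay `const char *fname`: in these hunks it is only asserted and formatted into `asprintf()` (line 187). The `open()`/`fdopen()` at lines 190-191 are unchecked, so a rotated file that disappears after the `stat()` on line 189 gives `process_home()` a NULL stream to `fgets()` from; `if (!nfp) { fprintf(stderr, "Error: cannot open %s\n", newname); exit(1); }` after line 191 restores the check the old `fopen()` path had. `process_home()`'s line-parsing loop and the head of `build_home()`'s rotation loop lie outside these hunks.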
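diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index 125487c41..0c65d3413 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -20,25 +20,24 @@
 
 #include "fbuilder.h"
 #include <sys/wait.h>
-#include <fcntl.h>
 
-#define TRACE_OUTPUT "/tmp/firejail-trace"
-#define STRACE_OUTPUT "/tmp/firejail-strace"
+#define TRACE_OUTPUT "/tmp/firejail-trace.XXXXXX"
+#define STRACE_OUTPUT "/tmp/firejail-strace.XXXXXX"
 
-static char *cmdlist[] = {
-"/usr/bin/firejail",
-"--quiet",
-"--output=" TRACE_OUTPUT,
-"--noprofile",
-"--caps.drop=all",
-"--nonewprivs",
-"--trace",
-"--shell=none",
-"/usr/bin/strace", // also used as a marker in build_profile()
-"-c",
-"-f",
-"-o" STRACE_OUTPUT,
-};
+/* static char *cmdlist[] = { */
+/* "/usr/bin/firejail", */
+/* "--quiet", */
+/* "--output=" TRACE_OUTPUT, */
+/* "--noprofile", */
+/* "--caps.drop=all", */
+/* "--nonewprivs", */
+/* "--trace", */
+/* "--shell=none", */
+/* "/usr/bin/strace", // also used as a marker in build_profile() */
+/* "-c", */
+/* "-f", */
+/* "-o" STRACE_OUTPUT, */
+/* }; */
 
 static void clear_tmp_files(void) {
 unlink(STRACE_OUTPUT);
@@ -64,7 +63,47 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 }
 
 // clean /tmp files
-clear_tmp_files();
+/* clear_tmp_files(); */
+
+char trace_output[] = "/tmp/firejail-trace.XXXXXX";
+char strace_output[] = "/tmp/firejail-strace.XXXXXX";
+
+int tfile = mkstemp(trace_output);
+int stfile = mkstemp(strace_output);
+
+if(tfile == -1 || stfile == -1)
+errExit("mkstemp");
+
+FILE *tp = fdopen(tfile, "r");
+
+if (!tp) {
+fprintf(stderr, "Error: cannot open %s\n", trace_output);
+exit(1);
+}
+
+char *output;
+char *stroutput;
+
+if(asprintf(&output,"--output=%s",trace_output) == -1)
+errExit("asprintf");
+
+if(asprintf(&stroutput,"-o %s",strace_output) == -1)
+errExit("asprintf");
+
+char *cmdlist[] = {
+"/usr/bin/firejail",
+"--quiet",
+output,
+"--noprofile",
+"--caps.drop=all",
+"--nonewprivs",
+"--trace",
+"--shell=none",
+"/usr/bin/strace", // also used as a marker in build_profile()
+"-c",
+"-f",
+stroutput,
+};
 
 // detect strace
 int have_strace = 0;
@@ -131,16 +170,16 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 fprintf(fp, "\n");
 
 fprintf(fp, "### home directory whitelisting\n");
-build_home(TRACE_OUTPUT, fp);
+build_home(trace_output, tp, fp);
 fprintf(fp, "\n");
 
 fprintf(fp, "### filesystem\n");
-build_tmp(TRACE_OUTPUT, fp);
-build_dev(TRACE_OUTPUT, fp);
-build_etc(TRACE_OUTPUT, fp);
-build_var(TRACE_OUTPUT, fp);
-build_bin(TRACE_OUTPUT, fp);
-build_share(TRACE_OUTPUT, fp);
+build_tmp(trace_output, tp, fp);
+build_dev(trace_output, tp, fp);
+build_etc(trace_output, tp, fp);
+build_var(trace_output, tp, fp);
+build_bin(trace_output, tp, fp);
+build_share(trace_output, tp, fp);
 fprintf(fp, "\n");
 
 fprintf(fp, "### security filters\n");
@@ -148,7 +187,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 fprintf(fp, "nonewprivs\n");
 fprintf(fp, "seccomp\n");
 if (have_strace)
-build_seccomp(STRACE_OUTPUT, fp);
+build_seccomp(strace_output, stfile, fp);
 else {
 fprintf(fp, "# If you install strace on your system, Firejail will also create a\n");
 fprintf(fp, "# whitelisted seccomp filter.\n");
@@ -156,11 +195,13 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 fprintf(fp, "\n");
 
 fprintf(fp, "### network\n");
-build_protocol(TRACE_OUTPUT, fp);
+build_protocol(trace_output, tfile, fp);
 fprintf(fp, "\n");
 
 fprintf(fp, "### environment\n");
 fprintf(fp, "shell none\n");
+
+fclose(tp);
 
 }
 else {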
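Review bot: `asprintf(&stroutput,"-o %s",strace_output)` at new line 90 embeds a space inside a single argv element, so strace receives ` /tmp/firejail-strace.XXXXXX` (leading space, i.e. a relative path under a directory named " ") as its `-o` argument rather than the file `mkstemp()` created; the old list spelled it `"-o" STRACE_OUTPUT` with no space, and with `--shell=none` no shell re-splits the token, so this should be `"-o%s"`. The temporary files are also never removed: the `clear_tmp_files()` call is commented out (line 66) and the function itself (lines 42-43) now unlinks the literal `.XXXXXX` template, so every run leaves a trace file and an strace file in /tmp; `unlink(trace_output); unlink(strace_output);` once the builders are done (plus any `.1`-`.5` rotations) restores the cleanup. The single `tp` stream is handed to seven builders in turn (lines 173-182) and, judging by the build_home.c and build_fs.c hunks, each reads it to EOF without rewinding, so only `build_home()` sees any data; `build_protocol(trace_output, tfile, fp)` at line 198 then `fdopen()`s the same descriptor a second time while `tp` still owns it, so if `process_protocol()` closes its stream as its removed `fopen()` version presumably did, the `fclose(tp)` at line 204 closes an already-closed descriptor. Calling `rewind(tp)` before each consumer (or inside the builders) and passing `tp` rather than `tfile` to `build_protocol()` would address both, and `output`/`stroutput` should be freed once `cmdlist` is no longer needed. `build_profile()` begins and ends outside these hunks.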
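diff --git a/src/fbuilder/build_seccomp.c b/src/fbuilder/build_seccomp.c
index fbc0e06f4..f275caf80 100644
--- a/src/fbuilder/build_seccomp.c
+++ b/src/fbuilder/build_seccomp.c
@@ -20,11 +20,12 @@
 
 #include "fbuilder.h"
 
-void build_seccomp(const char *fname, FILE *fp) {
+void build_seccomp(char *fname, int fd, FILE *fp) {
 assert(fname);
+assert(fd);
 assert(fp);
 
-FILE *fp2 = fopen(fname, "r");
+FILE *fp2 = fdopen(fd, "r");
 if (!fp2) {
 fprintf(stderr, "Error: cannot open %s\n", fname);
 exit(1);
@@ -87,11 +88,12 @@ int inet = 0;
 int inet6 = 0;
 int netlink = 0;
 int packet = 0;
-static void process_protocol(const char *fname) {
+static void process_protocol(char *fname, int fd) {
 assert(fname);
+assert(fd);
 
 // process trace file
-FILE *fp = fopen(fname, "r");
+FILE *fp = fdopen(fd, "r");
 if (!fp) {
 fprintf(stderr, "Error: cannot open %s\n", fname);
 exit(1);
@@ -142,11 +144,13 @@ static void process_protocol(const char *fname) {
 
 
 // process fname, fname.1, fname.2, fname.3, fname.4, fname.5
-void build_protocol(const char *fname, FILE *fp) {
+void build_protocol(char *fname, int fd, FILE *fp) {
 assert(fname);
+assert(fd);
+assert(fp);
 
 // run fname
-process_protocol(fname);
+process_protocol(fname, fd);
 
 // run all the rest
 struct stat s;
@@ -155,8 +159,10 @@ void build_protocol(const char *fname, FILE *fp) {
 char *newname;
 if (asprintf(&newname, "%s.%d", fname, i) == -1)
 errExit("asprintf");
-if (stat(newname, &s) == 0)
-process_protocol(newname);
+if (stat(newname, &s) == 0) {
+int nfd = open(newname, O_RDONLY);
+process_protocol(newname, nfd);
+}
 free(newname);
 }
 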
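Review bot: `assert(fd);` at new lines 25, 93 and 149 tests the wrong thing: descriptor 0 is valid yet fails the assert, while -1 (what `open()` and `mkstemp()` return on failure) is truthy and passes, so these should read `assert(fd >= 0);`. In `build_protocol()` the `open(newname, O_RDONLY)` at line 163 is unchecked and `nfd` is never closed within this hunk; `fdopen(-1, "r")` in `process_protocol()` does at least fall into its "cannot open" exit, but `if (nfd < 0) errExit("open");` after line 163 reports the real errno instead. Whether `process_protocol()` closes the stream it builds on line 96 is outside the hunk; if it does, the descriptor passed in by the caller is closed as a side effect (and build_profile.c still holds a second `FILE *` on that same descriptor), and if it does not, each rotated file leaks one descriptor — either way the contract needs a comment on the signature, e.g. `// fd is adopted via fdopen() and closed by this function`. `build_protocol()`'s loop header and the bodies of `build_seccomp()` and `process_protocol()` continue outside these hunks.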
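diff --git a/src/fbuilder/fbuilder.h b/src/fbuilder/fbuilder.h
index 0a0fd42c9..480569027 100644
--- a/src/fbuilder/fbuilder.h
+++ b/src/fbuilder/fbuilder.h
@@ -25,6 +25,7 @@
 #include <pwd.h>
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <fcntl.h>
 
 
 #define MAX_BUF 4096
@@ -35,21 +36,21 @@ extern int arg_debug;
 void build_profile(int argc, char **argv, int index, FILE *fp);
 
 // build_seccomp.c
-void build_seccomp(const char *fname, FILE *fp);
-void build_protocol(const char *fname, FILE *fp);
+void build_seccomp(char *fname, int fd, FILE *fp);
+void build_protocol(char *fname, int fd, FILE *fp);
 
 // build_fs.c
-void build_etc(const char *fname, FILE *fp);
-void build_var(const char *fname, FILE *fp);
-void build_tmp(const char *fname, FILE *fp);
-void build_dev(const char *fname, FILE *fp);
-void build_share(const char *fname, FILE *fp);
+void build_etc(char *fname, FILE *fp, FILE *fpo);
+void build_var(char *fname, FILE *fp, FILE *fpo);
+void build_tmp(char *fname, FILE *fp, FILE *fpo);
+void build_dev(char *fname, FILE *fp, FILE *fpo);
+void build_share(char *fname, FILE *fp, FILE *fpo);
 
 // build_bin.c
-void build_bin(const char *fname, FILE *fp);
+void build_bin(char *fname, FILE *fp, FILE *fpo);
 
 // build_home.c
-void build_home(const char *fname, FILE *fp);
+void build_home(char *fname, FILE *fp, FILE *fpo);
 
 // utils.c
 int is_dir(const char *fname);
@@ -66,4 +67,4 @@ FileDB *filedb_add(FileDB *head, const char *fname);
 FileDB *filedb_find(FileDB *head, const char *fname);
 void filedb_print(FileDB *head, const char *prefix, FILE *fp);
 
-#endif
\ No newline at end of file
+#endif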
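Review bot: The new prototypes mix two conventions for the same trace file without saying who owns it: `build_seccomp`/`build_protocol` take an `int fd` that the .c hunks immediately `fdopen()` (adopting the descriptor), while the other six builders take an already-open `FILE *fp` and read it from its current offset. Document this on the declarations — `// fd: raw descriptor, adopted by fdopen() and closed by the callee` above the build_seccomp.c pair and `// fp: caller-owned trace stream, read from its current offset to EOF and left open; fpo: profile output` above the others — or, better, give all eight the same `FILE *` interface so build_profile.c need not wrap one descriptor twice. `const` was dropped from every `fname` parameter, yet nothing in the visible .c hunks writes through it (only `stat()`, `asprintf()` and diagnostics), so `const char *fname` should stay.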