author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-10-05 17:54:03 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-10-06 15:19:52 -0300 |
commit | a7e4b9b9b20bc62985e03435e2eee41dd62e0318 (patch) | |
tree | 94653e21cfae01b7d1f607d46be46ff088e02f0c /src | |
parent | build_profile.c: fix typo of "begins" (diff) | |
Revert "allow/deny fbuilder"
This reverts commit 4438f14f2892b5c88d158ae8fad0a80a2eebfd44.
Also, partially revert related commit e4307b409 ("fix whitelist/allow in
make test-utils") to keep the tests working.
The profiles are being generated using aliases, which are not used on
the profiles in the repository. So generate them using the normal
commands for consistency. See also commit dd13595b8 ("Revert
"allow/deny help and man pages"") / PR #4502.
Relates to #4410.
Misc: I noticed this on issue #4592.
Diffstat (limited to 'src')
-rw-r--r-- | src/fbuilder/build_fs.c | 8 | ||||
-rw-r--r-- | src/fbuilder/build_home.c | 4 |
2 files changed, 6 insertions, 6 deletions
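--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -182,12 +182,12 @@ static void var_callback(char *ptr) {
 void build_var(const char *fname, FILE *fp) {
 assert(fname);
 
-var_skip = filedb_load_whitelist(var_skip, "whitelist-var-common.inc", "allow /var/");
+var_skip = filedb_load_whitelist(var_skip, "whitelist-var-common.inc", "whitelist /var/");
 process_files(fname, "/var", var_callback);
 
 // always whitelist /var
 if (var_out)
-filedb_print(var_out, "allow /var/", fp);
+filedb_print(var_out, "whitelist /var/", fp);
 fprintf(fp, "include whitelist-var-common.inc\n");
 }
 
@@ -222,12 +222,12 @@ static void share_callback(char *ptr) {
 void build_share(const char *fname, FILE *fp) {
 assert(fname);
 
-share_skip = filedb_load_whitelist(share_skip, "whitelist-usr-share-common.inc", "allow /usr/share/");
+share_skip = filedb_load_whitelist(share_skip, "whitelist-usr-share-common.inc", "whitelist /usr/share/");
 process_files(fname, "/usr/share", share_callback);
 
 // always whitelist /usr/share
 if (share_out)
-filedb_print(share_out, "allow /usr/share/", fp);
+filedb_print(share_out, "whitelist /usr/share/", fp);
 fprintf(fp, "include whitelist-usr-share-common.inc\n");
 }
 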
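Review bot: The command prefix is written out twice in each builder, so the two copies can drift apart: in `build_var` the literal `"whitelist /var/"` goes to both `filedb_load_whitelist()` and `filedb_print()`, and the same holds for `"whitelist /usr/share/"` in `build_share` and `"whitelist ${HOME}/"` in `build_home` (build_home.c). `filedb_load_whitelist()` is not visible in this diff, but it presumably matches that prefix against the lines of the named .inc file; if so, a spelling that differs from the shipped include would leave the skip list empty without any error, and the generated sandbox profile would no longer line up with the common include. I would hoist each prefix into one file-scope constant, e.g. `static const char *const var_prefix = "whitelist /var/";`, and use it at both call sites. A comment such as `// must match the command spelling used in whitelist-var-common.inc` above the load call would record the dependency.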
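--- a/src/fbuilder/build_home.c
+++ b/src/fbuilder/build_home.c
@@ -140,7 +140,7 @@ void build_home(const char *fname, FILE *fp) {
 assert(fname);
 
 // load whitelist common
-db_skip = filedb_load_whitelist(db_skip, "whitelist-common.inc", "allow ${HOME}/");
+db_skip = filedb_load_whitelist(db_skip, "whitelist-common.inc", "whitelist ${HOME}/");
 
 // find user home directory
 struct passwd *pw = getpwuid(getuid());
@@ -168,7 +168,7 @@ void build_home(const char *fname, FILE *fp) {
 
 // print the out list if any
 if (db_out) {
-filedb_print(db_out, "allow ${HOME}/", fp);
+filedb_print(db_out, "whitelist ${HOME}/", fp);
 fprintf(fp, "include whitelist-common.inc\n");
 }
 else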