author | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2020-04-21 19:59:08 +0200 |
committer | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2020-04-21 20:07:48 +0200 |
commit | e09724f53dad4dce14966f746bc18ce359133e51 (patch) | |
tree | d5c507880b5451b569895722385169e151666d21 /src | |
parent | update issue template + add ICEauthority to wruc (diff) | |
update --build
The profile generated by --build are quite outdated. There are still a
lot of things left to do.
- fix #2150 (whitelist-common.inc is still opened from /etc/firejail)
- include wusc and wvc (todo: remove whitelists in wusc/wvc from the
generated profile.)
- fix parsing wc / use ${HOME} macro instead of ~
- update profile headers
- include all disable includes (mostly commented out) in the output
- reorder the filesystem section
Diffstat (limited to 'src')
-rw-r--r-- | src/fbuilder/build_fs.c | 12 | ||||
-rw-r--r-- | src/fbuilder/build_home.c | 8 | ||||
-rw-r--r-- | src/fbuilder/build_profile.c | 34 |
3 files changed, 34 insertions, 20 deletions
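--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -165,10 +165,12 @@ void build_var(const char *fname, FILE *fp) {
 
 process_files(fname, "/var", var_callback);
 
-if (var_out == NULL)
+if (var_out == NULL) {
 fprintf(fp, "blacklist /var\n");
-else
+} else {
 filedb_print(var_out, "whitelist ", fp);
+fprintf(fp, "include whitelist-var-common.inc\n");
+}
 }
 
 
@@ -202,10 +204,12 @@ void build_share(const char *fname, FILE *fp) {
 
 process_files(fname, "/usr/share", share_callback);
 
-if (share_out == NULL)
+if (share_out == NULL) {
 fprintf(fp, "blacklist /usr/share\n");
-else
+} else {
 filedb_print(share_out, "whitelist ", fp);
+fprintf(fp, "include whitelist-usr-share-common.inc\n");
+}
 }
 
 //*******************************************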
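Review bot: build_var and build_share now have the same six-line shape (blacklist the directory, or print the traced whitelist followed by a `-common.inc` include) and differ only in the directory and include name, so a static helper taking the db, the directory and the include file name would keep the two in step as more filesystem sections gain an include. The declared type of var_out/share_out is not visible in this hunk, so I have not written the helper out. The new include lines are emitted without a path, which presumably leaves resolution to firejail's own include lookup rather than a fixed /etc/firejail prefix; that matches the build_home change in this commit, but the generated profile should say so in a comment, e.g. `# includes are resolved by firejail (profile search path), not by absolute path`.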
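--- a/src/fbuilder/build_home.c
+++ b/src/fbuilder/build_home.c
@@ -32,9 +32,9 @@ static void load_whitelist_common(void) {
 
 char buf[MAX_BUF];
 while (fgets(buf, MAX_BUF, fp)) {
-if (strncmp(buf, "whitelist ~/", 12) != 0)
+if (strncmp(buf, "whitelist ${HOME}/", 18) != 0)
 continue;
-char *fn = buf + 12;
+char *fn = buf + 18;
 char *ptr = strchr(buf, '\n');
 if (!ptr)
 continue;
@@ -190,8 +190,8 @@ void build_home(const char *fname, FILE *fp) {
 
 // print the out list if any
 if (db_out) {
-filedb_print(db_out, "whitelist ~/", fp);
-fprintf(fp, "include /etc/firejail/whitelist-common.inc\n");
+filedb_print(db_out, "whitelist ${HOME}/", fp);
+fprintf(fp, "include whitelist-common.inc\n");
 }
 else
 fprintf(fp, "private\n");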
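Review bot: The prefix length in the first hunk is hand-counted twice (`18` in the strncmp and again in `buf + 18`), which is exactly the kind of pair that drifts apart on the next edit; bind the prefix once, `static const char prefix[] = "whitelist ${HOME}/";`, and use `sizeof(prefix) - 1` in both places. Because the match is now exact on `${HOME}/`, any line in whitelist-common.inc that is still written with the `~/` spelling would be silently skipped and its path not deduplicated from the generated profile; if the profile syntax still accepts both forms (I cannot confirm that from this hunk), the parser should accept both prefixes. load_whitelist_common begins before this hunk, so the fopen and its error handling are not visible here.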
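--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -131,18 +131,21 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
 if (fp == stdout)
 printf("--- Built profile beings after this line ---\n");
-fprintf(fp, "############################################\n");
-fprintf(fp, "# %s profile\n", argv[index]);
-fprintf(fp, "############################################\n");
+fprintf(fp, "# Firejail profile for %s\n", argv[index]);
+fprintf(fp, "# Persistent local customizations\n");
+fprintf(fp, "#include %s.local\n", argv[index]);
 fprintf(fp, "# Persistent global definitions\n");
-fprintf(fp, "# include /etc/firejail/globals.local\n");
+fprintf(fp, "#include globals.local\n");
 fprintf(fp, "\n");
 
 fprintf(fp, "### basic blacklisting\n");
-fprintf(fp, "include /etc/firejail/disable-common.inc\n");
-fprintf(fp, "# include /etc/firejail/disable-devel.inc\n");
-fprintf(fp, "include /etc/firejail/disable-passwdmgr.inc\n");
-fprintf(fp, "# include /etc/firejail/disable-programs.inc\n");
+fprintf(fp, "include disable-common.inc\n");
+fprintf(fp, "# include disable-devel.inc\n");
+fprintf(fp, "# include disable-exec.inc\n");
+fprintf(fp, "# include disable-interpreters.inc\n");
+fprintf(fp, "include disable-passwdmgr.inc\n");
+fprintf(fp, "# include disable-programs.inc\n");
+fprintf(fp, "# include disable-xdg.inc\n");
 fprintf(fp, "\n");
 
 fprintf(fp, "### home directory whitelisting\n");
@@ -150,12 +153,19 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 fprintf(fp, "\n");
 
 fprintf(fp, "### filesystem\n");
-build_tmp(trace_output, fp);
-build_dev(trace_output, fp);
-build_etc(trace_output, fp);
+fprintf(fp, "# /usr/share:\n");
+build_share(trace_output, fp);
+fprintf(fp, "# /var:\n");
 build_var(trace_output, fp);
+fprintf(fp, "\n");
+fprintf(fp, "# $PATH:\n");
 build_bin(trace_output, fp);
-fprintf(fp, "# /dev:\n");
+build_dev(trace_output, fp);
+fprintf(fp, "# /etc:\n");
+build_etc(trace_output, fp);
+fprintf(fp, "# /tmp:\n");
+build_tmp(trace_output, fp);
 fprintf(fp, "\n");
 
 fprintf(fp, "### security filters\n");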
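Review bot: The new header writes argv[index] verbatim into `#include %s.local`, so if the program is given as a path (e.g. /usr/bin/foo, which the trace step would accept) the generated profile names a nonexistent `/usr/bin/foo.local` rather than `foo.local`; derive the profile name from the basename of argv[index] before printing, `const char *name = strrchr(argv[index], '/'); name = name ? name + 1 : argv[index];`, and use it on both header lines. argv[index] also flows into the profile unescaped, so an argument containing a newline would terminate the comment and inject a directive into the emitted profile; this is the invoking user's own argument, so the risk is low, but the output is meant to be installed as policy and a `# NOTE: argv[index] is copied into the profile unescaped` comment would at least record the assumption. The commit message says disable-exec.inc, disable-interpreters.inc and disable-xdg.inc are emitted commented out "mostly" by design; a one-line comment above that run stating that they are opt-in hardening the user should try to enable would make that deliberate in the generated file. build_profile starts before the first hunk and continues past the second, so the exit-status branch and the security-filters section are not fully visible here.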