author | netblue30 <netblue30@yahoo.com> | 2018-08-28 13:04:13 -0400 |
committer | netblue30 <netblue30@yahoo.com> | 2018-08-28 13:04:13 -0400 |
commit | 8ce3b7ab971d6ab02463fd6c7591a73465526cb1 (patch) | |
tree | 2df83450626433978a970dbae4fb38d84754600e /src | |
parent | memory leaks (diff) | |
fbuilder cleanup
Diffstat (limited to 'src')
-rw-r--r-- | src/fbuilder/build_bin.c | 37 | ||||
-rw-r--r-- | src/fbuilder/build_fs.c | 101 | ||||
-rw-r--r-- | src/fbuilder/build_home.c | 38 | ||||
-rw-r--r-- | src/fbuilder/build_profile.c | 36 | ||||
-rw-r--r-- | src/fbuilder/build_seccomp.c | 23 | ||||
-rw-r--r-- | src/fbuilder/fbuilder.h | 20 |
6 files changed, 104 insertions, 151 deletions
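diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c
index 1b9343216..1230fb780 100644
--- a/src/fbuilder/build_bin.c
+++ b/src/fbuilder/build_bin.c
@@ -21,16 +21,15 @@
 
 static FileDB *bin_out = NULL;
 
-static void process_bin(char *fname, FILE *fp) {
+static void process_bin(const char *fname) {
 assert(fname);
-assert(fp);
 
 // process trace file
-/* FILE *fp = fdopen(fd, "r"); */
-/* if (!fp) { */
-/* fprintf(stderr, "Error: cannot open %s\n", fname); */
-/* exit(1); */
-/* } */
+FILE *fp = fopen(fname, "r");
+if (!fp) {
+fprintf(stderr, "Error: cannot open %s\n", fname);
+exit(1);
+}
 
 char buf[MAX_BUF];
 while (fgets(buf, MAX_BUF, fp)) {
@@ -91,18 +90,16 @@ static void process_bin(char *fname, FILE *fp) {
 bin_out = filedb_add(bin_out, ptr);
 }
 
-/* fclose(fp); */
+fclose(fp);
 }
 
 
 // process fname, fname.1, fname.2, fname.3, fname.4, fname.5
-void build_bin(char *fname, FILE *fp, FILE *fpo) {
+void build_bin(const char *fname, FILE *fp) {
 assert(fname);
-assert(fp);
-assert(fpo);
 
 // run fname
-process_bin(fname, fp);
+process_bin(fname);
 
 // run all the rest
 struct stat s;
@@ -112,24 +109,18 @@ void build_bin(char *fname, FILE *fp, FILE *fpo) {
 if (asprintf(&newname, "%s.%d", fname, i) == -1)
 errExit("asprintf");
 if (stat(newname, &s) == 0)
-{
-int nfd = open(newname, O_RDONLY);
-FILE *nfp = fdopen(nfd, "r");
-process_bin(newname, nfp);
-fclose(nfp);
-unlink(newname);
-}
+process_bin(newname);
 free(newname);
 }
 
 if (bin_out) {
-fprintf(fpo, "private-bin ");
+fprintf(fp, "private-bin ");
 FileDB *ptr = bin_out;
 while (ptr) {
-fprintf(fpo, "%s,", ptr->fname);
+fprintf(fp, "%s,", ptr->fname);
 ptr = ptr->next;
 }
-fprintf(fpo, "\n");
-fprintf(fpo, "# private-lib\n");
+fprintf(fp, "\n");
+fprintf(fp, "# private-lib\n");
 }
 }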
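diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
index 2d63c6fb9..771dc94cb 100644
--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -21,20 +21,19 @@
 #include "fbuilder.h"
 
 // common file processing function, using the callback for each line in the file
-static void process_file(char *fname, FILE *fp, const char *dir, void (*callback)(char *)) {
+static void process_file(const char *fname, const char *dir, void (*callback)(char *)) {
 assert(fname);
-assert(fp);
 assert(dir);
 assert(callback);
 
 int dir_len = strlen(dir);
 
 // process trace file
-/* FILE *fp = fdopen(fd, "r"); */
-/* if (!fp) { */
-/* fprintf(stderr, "Error: cannot open %s\n", fname); */
-/* exit(1); */
-/* } */
+FILE *fp = fopen(fname, "r");
+if (!fp) {
+fprintf(stderr, "Error: cannot open %s\n", fname);
+exit(1);
+}
 
 char buf[MAX_BUF];
 while (fgets(buf, MAX_BUF, fp)) {
@@ -83,18 +82,17 @@ static void process_file(char *fname, FILE *fp, const char *dir, void (*callback
 callback(ptr);
 }
 
-/* fclose(fp); */
+fclose(fp);
 }
 
 // process fname, fname.1, fname.2, fname.3, fname.4, fname.5
-static void process_files(char *fname, FILE *fp, const char *dir, void (*callback)(char *)) {
+static void process_files(const char *fname, const char *dir, void (*callback)(char *)) {
 assert(fname);
-assert(fp);
 assert(dir);
 assert(callback);
 
 // run fname
-process_file(fname, fp, dir, callback);
+process_file(fname, dir, callback);
 
 // run all the rest
 struct stat s;
@@ -103,13 +101,8 @@ static void process_files(char *fname, FILE *fp, const char *dir, void (*callbac
 char *newname;
 if (asprintf(&newname, "%s.%d", fname, i) == -1)
 errExit("asprintf");
-if (stat(newname, &s) == 0) {
-int nfd = open(newname, O_RDONLY);
-FILE *nfp = fdopen(nfd, "r");
-process_file(newname, nfp, dir, callback);
-fclose(nfp);
-unlink(newname);
-}
+if (stat(newname, &s) == 0)
+process_file(newname, dir, callback);
 free(newname);
 }
 }
@@ -132,23 +125,21 @@ static void etc_callback(char *ptr) {
 etc_out = filedb_add(etc_out, ptr);
 }
 
-void build_etc(char *fname, FILE *fp, FILE *fpo) {
+void build_etc(const char *fname, FILE *fp) {
 assert(fname);
-assert(fp);
-assert(fpo);
 
-process_files(fname, fp, "/etc", etc_callback);
+process_files(fname, "/etc", etc_callback);
 
-fprintf(fpo, "private-etc ");
+fprintf(fp, "private-etc ");
 if (etc_out == NULL)
-fprintf(fpo, "none\n");
+fprintf(fp, "none\n");
 else {
 FileDB *ptr = etc_out;
 while (ptr) {
-fprintf(fpo, "%s,", ptr->fname);
+fprintf(fp, "%s,", ptr->fname);
 ptr = ptr->next;
 }
-fprintf(fpo, "\n");
+fprintf(fp, "\n");
 }
 }
 
@@ -169,17 +160,15 @@ static void var_callback(char *ptr) {
 var_out = filedb_add(var_out, ptr);
 }
 
-void build_var(char *fname, FILE *fp, FILE *fpo) {
+void build_var(const char *fname, FILE *fp) {
 assert(fname);
-assert(fp);
-assert(fpo);
 
-process_files(fname, fp, "/var", var_callback);
+process_files(fname, "/var", var_callback);
 
 if (var_out == NULL)
-fprintf(fpo, "blacklist /var\n");
+fprintf(fp, "blacklist /var\n");
 else
-filedb_print(var_out, "whitelist ", fpo);
+filedb_print(var_out, "whitelist ", fp);
 }
 
 
@@ -208,17 +197,15 @@ static void share_callback(char *ptr) {
 share_out = filedb_add(share_out, ptr);
 }
 
-void build_share(char *fname, FILE *fp, FILE *fpo) {
+void build_share(const char *fname, FILE *fp) {
 assert(fname);
-assert(fp);
-assert(fpo);
 
-process_files(fname, fp, "/usr/share", share_callback);
+process_files(fname, "/usr/share", share_callback);
 
 if (share_out == NULL)
-fprintf(fpo, "blacklist /usr/share\n");
+fprintf(fp, "blacklist /usr/share\n");
 else
-filedb_print(share_out, "whitelist ", fpo);
+filedb_print(share_out, "whitelist ", fp);
 }
 
 //*******************************************
@@ -229,23 +216,21 @@ static void tmp_callback(char *ptr) {
 filedb_add(tmp_out, ptr);
 }
 
-void build_tmp(char *fname, FILE *fp, FILE *fpo) {
+void build_tmp(const char *fname, FILE *fp) {
 assert(fname);
-assert(fp);
-assert(fpo);
 
-process_files(fname, fp, "/tmp", tmp_callback);
+process_files(fname, "/tmp", tmp_callback);
 
 if (tmp_out == NULL)
-fprintf(fpo, "private-tmp\n");
+fprintf(fp, "private-tmp\n");
 else {
-fprintf(fpo, "\n");
-fprintf(fpo, "# private-tmp\n");
-fprintf(fpo, "# File accessed in /tmp directory:\n");
-fprintf(fpo, "# ");
+fprintf(fp, "\n");
+fprintf(fp, "# private-tmp\n");
+fprintf(fp, "# File accessed in /tmp directory:\n");
+fprintf(fp, "# ");
 FileDB *ptr = tmp_out;
 while (ptr) {
-fprintf(fpo, "%s,", ptr->fname);
+fprintf(fp, "%s,", ptr->fname);
 ptr = ptr->next;
 }
 printf("\n");
@@ -309,26 +294,24 @@ static void dev_callback(char *ptr) {
 filedb_add(dev_out, ptr);
 }
 
-void build_dev(char *fname, FILE *fp, FILE *fpo) {
+void build_dev(const char *fname, FILE *fp) {
 assert(fname);
-assert(fp);
-assert(fpo);
 
-process_files(fname, fp, "/dev", dev_callback);
+process_files(fname, "/dev", dev_callback);
 
 if (dev_out == NULL)
-fprintf(fpo, "private-dev\n");
+fprintf(fp, "private-dev\n");
 else {
-fprintf(fpo, "\n");
-fprintf(fpo, "# private-dev\n");
-fprintf(fpo, "# This is the list of devices accessed (on top of regular private-dev devices:\n");
-fprintf(fpo, "# ");
+fprintf(fp, "\n");
+fprintf(fp, "# private-dev\n");
+fprintf(fp, "# This is the list of devices accessed (on top of regular private-dev devices:\n");
+fprintf(fp, "# ");
 FileDB *ptr = dev_out;
 while (ptr) {
-fprintf(fpo, "%s,", ptr->fname);
+fprintf(fp, "%s,", ptr->fname);
 ptr = ptr->next;
 }
-fprintf(fpo, "\n");
+fprintf(fp, "\n");
 }
 }
 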
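Review bot: `tmp_callback` and `dev_callback` discard the head returned by `filedb_add` (`filedb_add(tmp_out, ptr);` at new line 216 and `filedb_add(dev_out, ptr);` at new line 294), whereas `etc_callback` and `var_callback` assign it back; unless `tmp_out`/`dev_out` are initialised to a non-NULL node outside this view, they stay NULL, so `build_tmp` and `build_dev` always emit `private-tmp`/`private-dev` and never report what the traced program touched in /tmp and /dev, which is exactly the evidence the profile author needs to decide whether those directives are safe. The fix is `tmp_out = filedb_add(tmp_out, ptr);` and `dev_out = filedb_add(dev_out, ptr);`, matching the siblings and the `FileDB *filedb_add(FileDB *head, const char *fname)` contract shown in fbuilder.h. In the same `build_tmp` hunk, the closing `printf("\n");` (new line 236) goes to stdout instead of the profile stream every other line uses, leaving the `/tmp` comment line unterminated in the generated profile; it should be `fprintf(fp, "\n");`. Both callback bodies start outside the hunks shown.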
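diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c
index b582b89bf..7470a8d10 100644
--- a/src/fbuilder/build_home.c
+++ b/src/fbuilder/build_home.c
@@ -47,18 +47,17 @@ static void load_whitelist_common(void) {
 fclose(fp);
 }
 
-void process_home(char *fname, FILE *fp, char *home, int home_len) {
+void process_home(const char *fname, char *home, int home_len) {
 assert(fname);
-assert(fp);
 assert(home);
 assert(home_len);
 
 // process trace file
-/* FILE *fp = fdopen(fd, "r"); */
-/* if (!fp) { */
-/* fprintf(stderr, "Error: cannot open %s\n", fname); */
-/* exit(1); */
-/* } */
+FILE *fp = fopen(fname, "r");
+if (!fp) {
+fprintf(stderr, "Error: cannot open %s\n", fname);
+exit(1);
+}
 
 char buf[MAX_BUF];
 while (fgets(buf, MAX_BUF, fp)) {
@@ -154,15 +153,13 @@ void process_home(char *fname, FILE *fp, char *home, int home_len) {
 free(dir);
 
 }
-/* fclose(fp); */
+fclose(fp);
 }
 
 
 // process fname, fname.1, fname.2, fname.3, fname.4, fname.5
-void build_home(char *fname, FILE *fp, FILE *fpo) {
+void build_home(const char *fname, FILE *fp) {
 assert(fname);
-assert(fp);
-assert(fpo);
 
 // load whitelist common
 load_whitelist_common();
@@ -177,7 +174,7 @@ void build_home(char *fname, FILE *fp, FILE *fpo) {
 int home_len = strlen(home);
 
 // run fname
-process_home(fname, fp, home, home_len);
+process_home(fname, home, home_len);
 
 // run all the rest
 struct stat s;
@@ -186,22 +183,17 @@ void build_home(char *fname, FILE *fp, FILE *fpo) {
 char *newname;
 if (asprintf(&newname, "%s.%d", fname, i) == -1)
 errExit("asprintf");
-if (stat(newname, &s) == 0) {
-int nfd = open(newname, O_RDONLY);
-FILE *nfp = fdopen(nfd, "r");
-process_home(newname, nfp, home, home_len);
-fclose(nfp);
-unlink(newname);
-}
+if (stat(newname, &s) == 0)
+process_home(newname, home, home_len);
 free(newname);
 }
 
 // print the out list if any
 if (db_out) {
-filedb_print(db_out, "whitelist ~/", fpo);
-fprintf(fpo, "include /etc/firejail/whitelist-common.inc\n");
+filedb_print(db_out, "whitelist ~/", fp);
+fprintf(fp, "include /etc/firejail/whitelist-common.inc\n");
 }
 else
-fprintf(fpo, "private\n");
+fprintf(fp, "private\n");
 
-}
+}
\ No newline at end of file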
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index 79de7063f..74f0da226 100644 --- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c | |||
@@ -51,25 +51,20 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
51 | 51 | ||
52 | int tfile = mkstemp(trace_output); | 52 | int tfile = mkstemp(trace_output); |
53 | int stfile = mkstemp(strace_output); | 53 | int stfile = mkstemp(strace_output); |
54 | |||
55 | if(tfile == -1 || stfile == -1) | 54 | if(tfile == -1 || stfile == -1) |
56 | errExit("mkstemp"); | 55 | errExit("mkstemp"); |
57 | 56 | ||
58 | FILE *tp = fdopen(tfile, "r"); | 57 | // close the files, firejail/strace will overwrite them! |
58 | close(tfile); | ||
59 | close(stfile); | ||
59 | 60 | ||
60 | if (!tp) { | ||
61 | fprintf(stderr, "Error: cannot open %s\n", trace_output); | ||
62 | exit(1); | ||
63 | } | ||
64 | 61 | ||
65 | char *output; | 62 | char *output; |
66 | char *stroutput; | 63 | char *stroutput; |
67 | |||
68 | if(asprintf(&output,"--output=%s",trace_output) == -1) | 64 | if(asprintf(&output,"--output=%s",trace_output) == -1) |
69 | errExit("asprintf"); | 65 | errExit("asprintf"); |
70 | |||
71 | if(asprintf(&stroutput,"-o %s",strace_output) == -1) | 66 | if(asprintf(&stroutput,"-o %s",strace_output) == -1) |
72 | errExit("asprintf"); | 67 | errExit("asprintf"); |
73 | 68 | ||
74 | char *cmdlist[] = { | 69 | char *cmdlist[] = { |
75 | "/usr/bin/firejail", | 70 | "/usr/bin/firejail", |
@@ -151,16 +146,16 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
151 | fprintf(fp, "\n"); | 146 | fprintf(fp, "\n"); |
152 | 147 | ||
153 | fprintf(fp, "### home directory whitelisting\n"); | 148 | fprintf(fp, "### home directory whitelisting\n"); |
154 | build_home(trace_output, tp, fp); | 149 | build_home(trace_output, fp); |
155 | fprintf(fp, "\n"); | 150 | fprintf(fp, "\n"); |
156 | 151 | ||
157 | fprintf(fp, "### filesystem\n"); | 152 | fprintf(fp, "### filesystem\n"); |
158 | build_tmp(trace_output, tp, fp); | 153 | build_tmp(trace_output, fp); |
159 | build_dev(trace_output, tp, fp); | 154 | build_dev(trace_output, fp); |
160 | build_etc(trace_output, tp, fp); | 155 | build_etc(trace_output, fp); |
161 | build_var(trace_output, tp, fp); | 156 | build_var(trace_output, fp); |
162 | build_bin(trace_output, tp, fp); | 157 | build_bin(trace_output, fp); |
163 | build_share(trace_output, tp, fp); | 158 | build_share(trace_output, fp); |
164 | fprintf(fp, "\n"); | 159 | fprintf(fp, "\n"); |
165 | 160 | ||
166 | fprintf(fp, "### security filters\n"); | 161 | fprintf(fp, "### security filters\n"); |
@@ -168,7 +163,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
168 | fprintf(fp, "nonewprivs\n"); | 163 | fprintf(fp, "nonewprivs\n"); |
169 | fprintf(fp, "seccomp\n"); | 164 | fprintf(fp, "seccomp\n"); |
170 | if (have_strace) | 165 | if (have_strace) |
171 | build_seccomp(strace_output, stfile, fp); | 166 | build_seccomp(strace_output, fp); |
172 | else { | 167 | else { |
173 | fprintf(fp, "# If you install strace on your system, Firejail will also create a\n"); | 168 | fprintf(fp, "# If you install strace on your system, Firejail will also create a\n"); |
174 | fprintf(fp, "# whitelisted seccomp filter.\n"); | 169 | fprintf(fp, "# whitelisted seccomp filter.\n"); |
@@ -176,13 +171,12 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
176 | fprintf(fp, "\n"); | 171 | fprintf(fp, "\n"); |
177 | 172 | ||
178 | fprintf(fp, "### network\n"); | 173 | fprintf(fp, "### network\n"); |
179 | build_protocol(trace_output, tfile, fp); | 174 | build_protocol(trace_output, fp); |
180 | fprintf(fp, "\n"); | 175 | fprintf(fp, "\n"); |
181 | 176 | ||
182 | fprintf(fp, "### environment\n"); | 177 | fprintf(fp, "### environment\n"); |
183 | fprintf(fp, "shell none\n"); | 178 | fprintf(fp, "shell none\n"); |
184 | 179 | ||
185 | fclose(tp); | ||
186 | unlink(trace_output); | 180 | unlink(trace_output); |
187 | unlink(strace_output); | 181 | unlink(strace_output); |
188 | 182 | ||
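Review bot: With the per-file `unlink(newname)` calls removed from the builders, nothing deletes the rotated trace files `trace_output.1` … `.5` that `build_bin`, `build_home`, the build_fs builders and `build_protocol` now read by name; only `unlink(trace_output);` and `unlink(strace_output);` (new lines 180–181) remain, so a record of every path the sandboxed program touched is left behind in the temp directory after each run. Dropping the unlink from the builders is right in itself (the old placement meant only the first builder ever saw the `.N` files), but the cleanup belongs here, after the last builder has read them. The rotation count is taken from the builders' `fname, fname.1 … fname.5` comment; the loop bound itself, and the start of `build_profile`, are outside this hunk. Separately, once `tfile`/`stfile` are closed the files are reopened by path, which is fine for the 0600 files `mkstemp` created, but the `.N` rotations appear to be written by the traced run under derived names, so it is worth confirming they are created with an equally restrictive mode.
```c
unlink(trace_output);
unlink(strace_output);
// the builders also read the rotated traces fname.1 .. fname.5; remove them too
for (int i = 1; i <= 5; i++) {
	char *rotated;
	if (asprintf(&rotated, "%s.%d", trace_output, i) == -1)
		errExit("asprintf");
	unlink(rotated);
	free(rotated);
}
```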
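diff --git a/src/fbuilder/build_seccomp.c b/src/fbuilder/build_seccomp.c
index 64bcac586..fbc0e06f4 100644
--- a/src/fbuilder/build_seccomp.c
+++ b/src/fbuilder/build_seccomp.c
@@ -20,12 +20,11 @@
 
 #include "fbuilder.h"
 
-void build_seccomp(char *fname, int fd, FILE *fp) {
+void build_seccomp(const char *fname, FILE *fp) {
 assert(fname);
-assert(fd);
 assert(fp);
 
-FILE *fp2 = fdopen(fd, "r");
+FILE *fp2 = fopen(fname, "r");
 if (!fp2) {
 fprintf(stderr, "Error: cannot open %s\n", fname);
 exit(1);
@@ -88,12 +87,11 @@ int inet = 0;
 int inet6 = 0;
 int netlink = 0;
 int packet = 0;
-static void process_protocol(char *fname, int fd) {
+static void process_protocol(const char *fname) {
 assert(fname);
-assert(fd);
 
 // process trace file
-FILE *fp = fdopen(fd, "r");
+FILE *fp = fopen(fname, "r");
 if (!fp) {
 fprintf(stderr, "Error: cannot open %s\n", fname);
 exit(1);
@@ -144,13 +142,11 @@ static void process_protocol(char *fname, int fd) {
 
 
 // process fname, fname.1, fname.2, fname.3, fname.4, fname.5
-void build_protocol(char *fname, int fd, FILE *fp) {
+void build_protocol(const char *fname, FILE *fp) {
 assert(fname);
-assert(fd);
-assert(fp);
 
 // run fname
-process_protocol(fname, fd);
+process_protocol(fname);
 
 // run all the rest
 struct stat s;
@@ -159,11 +155,8 @@ void build_protocol(char *fname, int fd, FILE *fp) {
 char *newname;
 if (asprintf(&newname, "%s.%d", fname, i) == -1)
 errExit("asprintf");
-if (stat(newname, &s) == 0) {
-int nfd = open(newname, O_RDONLY);
-process_protocol(newname, nfd);
-unlink(newname);
-}
+if (stat(newname, &s) == 0)
+process_protocol(newname);
 free(newname);
 }
 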
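Review bot: `build_protocol` drops `assert(fp);` (old line 150) together with the `fd` assert, yet `fp` is still the output stream it receives, and `build_seccomp` in the first hunk keeps its own `assert(fp);`; restoring `assert(fp);` right after `assert(fname);` keeps the two entry points consistent. The old `process_protocol` opened `nfd` for each rotation and never closed it; the new one now owns the `FILE *` it opens at new line 94, so please confirm the function ends with `fclose(fp);` like the other builders in this commit — the rest of its body is outside the hunk.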
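diff --git a/src/fbuilder/fbuilder.h b/src/fbuilder/fbuilder.h
index 480569027..f0d16eb26 100644
--- a/src/fbuilder/fbuilder.h
+++ b/src/fbuilder/fbuilder.h
@@ -36,21 +36,21 @@ extern int arg_debug;
 void build_profile(int argc, char **argv, int index, FILE *fp);
 
 // build_seccomp.c
-void build_seccomp(char *fname, int fd, FILE *fp);
-void build_protocol(char *fname, int fd, FILE *fp);
+void build_seccomp(const char *fname, FILE *fp);
+void build_protocol(const char *fname, FILE *fp);
 
 // build_fs.c
-void build_etc(char *fname, FILE *fp, FILE *fpo);
-void build_var(char *fname, FILE *fp, FILE *fpo);
-void build_tmp(char *fname, FILE *fp, FILE *fpo);
-void build_dev(char *fname, FILE *fp, FILE *fpo);
-void build_share(char *fname, FILE *fp, FILE *fpo);
+void build_etc(const char *fname, FILE *fp);
+void build_var(const char *fname, FILE *fp);
+void build_tmp(const char *fname, FILE *fp);
+void build_dev(const char *fname, FILE *fp);
+void build_share(const char *fname, FILE *fp);
 
 // build_bin.c
-void build_bin(char *fname, FILE *fp, FILE *fpo);
+void build_bin(const char *fname, FILE *fp);
 
 // build_home.c
-void build_home(char *fname, FILE *fp, FILE *fpo);
+void build_home(const char *fname, FILE *fp);
 
 // utils.c
 int is_dir(const char *fname);
@@ -67,4 +67,4 @@ FileDB *filedb_add(FileDB *head, const char *fname);
 FileDB *filedb_find(FileDB *head, const char *fname);
 void filedb_print(FileDB *head, const char *prefix, FILE *fp);
 
-#endif
+#endif
\ No newline at end of file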
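Review bot: Now that every builder takes `(const char *fname, FILE *fp)`, the header no longer says which argument is the trace being read and which is the profile being written, and the old `fp`/`fpo` pair that made that distinction is gone. A one-line comment above the `// build_seccomp.c` group would cover all of them, e.g. `// fname: trace file produced by the sandboxed run (fname, fname.1 .. fname.5 are read); fp: the profile being written`. It is worth noting there that `build_seccomp`'s `fname` is the strace output rather than the firejail trace, as the `build_seccomp(strace_output, fp)` call in build_profile.c shows.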