3 files changed, 88 insertions, 2 deletions
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
index 9038e1953..ce01648e1 100644
--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -222,6 +222,88 @@ void build_var(const char *fname, FILE *fp) {
        fprintf(fp, "include whitelist-var-common.inc\n");
 }
+//*******************************************
+// run directory
+//*******************************************
+static FileDB *run_out = NULL;
+static FileDB *run_skip = NULL;
+static void run_callback(char *ptr) {
+        // skip /run/firejail
+        if (strncmp(ptr, "/run/firejail", 13) == 0)
+                return;
+        // skip files in /run/user
+        if (strncmp(ptr, "/run/user", 9) == 0)
+                return;
+        // extract the directory:
+        assert(strncmp(ptr, "/run", 4) == 0);
+        char *p1 = ptr + 4;
+        if (*p1 != '/')
+                return;
+        p1++;
+        if (*p1 == '/') // double '/'
+                p1++;
+        if (*p1 == '\0')
+                return;
+        if (!filedb_find(run_skip, p1))
+                run_out = filedb_add(run_out, p1);
+}
+void build_run(const char *fname, FILE *fp) {
+        assert(fname);
+        run_skip = filedb_load_whitelist(run_skip, "whitelist-run-common.inc", "whitelist /run/");
+        process_files(fname, "/run", run_callback);
+        // always whitelist /run
+        if (run_out)
+                filedb_print(run_out, "whitelist /run/", fp);
+        fprintf(fp, "include whitelist-run-common.inc\n");
+}
+//*******************************************
+// ${RUNUSER} directory
+//*******************************************
+static char *runuser_fname = NULL;
+static FileDB *runuser_out = NULL;
+static FileDB *runuser_skip = NULL;
+static void runuser_callback(char *ptr) {
+        // extract the directory:
+        assert(runuser_fname);
+        assert(strncmp(ptr, runuser_fname, strlen(runuser_fname)) == 0);
+        char *p1 = ptr + strlen(runuser_fname);
+        if (*p1 != '/')
+                return;
+        p1++;
+        if (*p1 == '/') // double '/'
+                p1++;
+        if (*p1 == '\0')
+                return;
+        if (!filedb_find(runuser_skip, p1))
+                runuser_out = filedb_add(runuser_out, p1);
+}
+void build_runuser(const char *fname, FILE *fp) {
+        assert(fname);
+        if (asprintf(&runuser_fname, "/run/user/%d", getuid()) < 0)
+                errExit("asprintf");
+        if (!is_dir(runuser_fname))
+                return;
+        runuser_skip = filedb_load_whitelist(runuser_skip, "whitelist-runuser-common.inc", "whitelist ${RUNUSER}/");
+        process_files(fname, runuser_fname, runuser_callback);
+        // always whitelist /run/user/$UID
+        if (runuser_out)
+                filedb_print(runuser_out, "whitelist ${RUNUSER}/", fp);
+        fprintf(fp, "include whitelist-runuser-common.inc\n");
+}
 //*******************************************
 // usr/share directory
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index 4fcd950c6..24cb4472c 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -122,8 +122,10 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
                fprintf(fp, "\n");
                fprintf(fp, "### Filesystem Whitelisting ###\n");
-                build_share(trace_output, fp);
+                build_run(trace_output, fp);
-                //todo: include whitelist-runuser-common.inc
+                build_runuser(trace_output, fp);
+                if (!arg_appimage)
+                        build_share(trace_output, fp);
                build_var(trace_output, fp);
                fprintf(fp, "\n");
diff --git a/src/fbuilder/fbuilder.h b/src/fbuilder/fbuilder.h
index 3e23d7854..43bb0b59d 100644
--- a/src/fbuilder/fbuilder.h
+++ b/src/fbuilder/fbuilder.h
@@ -46,6 +46,8 @@ void build_var(const char *fname, FILE *fp);
 void build_tmp(const char *fname, FILE *fp);
 void build_dev(const char *fname, FILE *fp);
 void build_share(const char *fname, FILE *fp);
+void build_run(const char *fname, FILE *fp);
+void build_runuser(const char *fname, FILE *fp);
 // build_bin.c
 void build_bin(const char *fname, FILE *fp);

diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c index 9038e1953..ce01648e1 100644 --- a/src/fbuilder/build_fs.c +++ b/src/fbuilder/build_fs.c
@@ -222,6 +222,88 @@ void build_var(const char fname, FILE fp) {
222	fprintf(fp, "include whitelist-var-common.inc\n");	222	fprintf(fp, "include whitelist-var-common.inc\n");
223	}	223	}
224		224
		225	//*******************************************
		226	// run directory
		227	//*******************************************
		228	static FileDB *run_out = NULL;
		229	static FileDB *run_skip = NULL;
		230	static void run_callback(char *ptr) {
		231	// skip /run/firejail
		232	if (strncmp(ptr, "/run/firejail", 13) == 0)
		233	return;
		234	// skip files in /run/user
		235	if (strncmp(ptr, "/run/user", 9) == 0)
		236	return;
		237
		238	// extract the directory:
		239	assert(strncmp(ptr, "/run", 4) == 0);
		240	char *p1 = ptr + 4;
		241	if (*p1 != '/')
		242	return;
		243	p1++;
		244
		245	if (*p1 == '/') // double '/'
		246	p1++;
		247	if (*p1 == '\0')
		248	return;
		249
		250	if (!filedb_find(run_skip, p1))
		251	run_out = filedb_add(run_out, p1);
		252	}
		253
		254	void build_run(const char fname, FILE fp) {
		255	assert(fname);
		256
		257	run_skip = filedb_load_whitelist(run_skip, "whitelist-run-common.inc", "whitelist /run/");
		258	process_files(fname, "/run", run_callback);
		259
		260	// always whitelist /run
		261	if (run_out)
		262	filedb_print(run_out, "whitelist /run/", fp);
		263	fprintf(fp, "include whitelist-run-common.inc\n");
		264	}
		265
		266	//*******************************************
		267	// ${RUNUSER} directory
		268	//*******************************************
		269	static char *runuser_fname = NULL;
		270	static FileDB *runuser_out = NULL;
		271	static FileDB *runuser_skip = NULL;
		272	static void runuser_callback(char *ptr) {
		273	// extract the directory:
		274	assert(runuser_fname);
		275	assert(strncmp(ptr, runuser_fname, strlen(runuser_fname)) == 0);
		276	char *p1 = ptr + strlen(runuser_fname);
		277	if (*p1 != '/')
		278	return;
		279	p1++;
		280
		281	if (*p1 == '/') // double '/'
		282	p1++;
		283	if (*p1 == '\0')
		284	return;
		285
		286	if (!filedb_find(runuser_skip, p1))
		287	runuser_out = filedb_add(runuser_out, p1);
		288	}
		289
		290	void build_runuser(const char fname, FILE fp) {
		291	assert(fname);
		292
		293	if (asprintf(&runuser_fname, "/run/user/%d", getuid()) < 0)
		294	errExit("asprintf");
		295
		296	if (!is_dir(runuser_fname))
		297	return;
		298
		299	runuser_skip = filedb_load_whitelist(runuser_skip, "whitelist-runuser-common.inc", "whitelist ${RUNUSER}/");
		300	process_files(fname, runuser_fname, runuser_callback);
		301
		302	// always whitelist /run/user/$UID
		303	if (runuser_out)
		304	filedb_print(runuser_out, "whitelist ${RUNUSER}/", fp);
		305	fprintf(fp, "include whitelist-runuser-common.inc\n");
		306	}
225		307
226	//*******************************************	308	//*******************************************
227	// usr/share directory	309	// usr/share directory


diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index 4fcd950c6..24cb4472c 100644 --- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c
@@ -122,8 +122,10 @@ void build_profile(int argc, char *argv, int index, FILE fp) {
122	fprintf(fp, "\n");	122	fprintf(fp, "\n");
123		123
124	fprintf(fp, "### Filesystem Whitelisting ###\n");	124	fprintf(fp, "### Filesystem Whitelisting ###\n");
125	build_share(trace_output, fp);	125	build_run(trace_output, fp);
126	//todo: include whitelist-runuser-common.inc	126	build_runuser(trace_output, fp);
		127	if (!arg_appimage)
		128	build_share(trace_output, fp);
127	build_var(trace_output, fp);	129	build_var(trace_output, fp);
128	fprintf(fp, "\n");	130	fprintf(fp, "\n");
129		131


diff --git a/src/fbuilder/fbuilder.h b/src/fbuilder/fbuilder.h index 3e23d7854..43bb0b59d 100644 --- a/src/fbuilder/fbuilder.h +++ b/src/fbuilder/fbuilder.h
@@ -46,6 +46,8 @@ void build_var(const char fname, FILE fp);
46	void build_tmp(const char fname, FILE fp);	46	void build_tmp(const char fname, FILE fp);
47	void build_dev(const char fname, FILE fp);	47	void build_dev(const char fname, FILE fp);
48	void build_share(const char fname, FILE fp);	48	void build_share(const char fname, FILE fp);
		49	void build_run(const char fname, FILE fp);
		50	void build_runuser(const char fname, FILE fp);
49		51
50	// build_bin.c	52	// build_bin.c
51	void build_bin(const char fname, FILE fp);	53	void build_bin(const char fname, FILE fp);