Diffstat (limited to 'src/fbuilder/build_fs.c')
-rw-r--r-- | src/fbuilder/build_fs.c | 317 |
1 files changed, 0 insertions, 317 deletions
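--- a/src/fbuilder/build_fs.c
+++ /dev/null
@@ -1,317 +0,0 @@
-/*
- * Copyright (C) 2014-2018 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#include "fbuilder.h"
-
-// common file processing function, using the callback for each line in the file
-static void process_file(const char *fname, const char *dir, void (*callback)(char *)) {
-	assert(fname);
-	assert(dir);
-	assert(callback);
-
-	int dir_len = strlen(dir);
-
-	// process trace file
-	FILE *fp = fopen(fname, "r");
-	if (!fp) {
-		fprintf(stderr, "Error: cannot open %s\n", fname);
-		exit(1);
-	}
-
-	char buf[MAX_BUF];
-	while (fgets(buf, MAX_BUF, fp)) {
-		// remove \n
-		char *ptr = strchr(buf, '\n');
-		if (ptr)
-			*ptr = '\0';
-
-		// parse line: 4:galculator:access /etc/fonts/conf.d:0
-		// number followed by :
-		ptr = buf;
-		if (!isdigit(*ptr))
-			continue;
-		while (isdigit(*ptr))
-			ptr++;
-		if (*ptr != ':')
-			continue;
-		ptr++;
-
-		// next :
-		ptr = strchr(ptr, ':');
-		if (!ptr)
-			continue;
-		ptr++;
-		if (strncmp(ptr, "access ", 7) == 0)
-			ptr += 7;
-		else if (strncmp(ptr, "fopen ", 6) == 0)
-			ptr += 6;
-		else if (strncmp(ptr, "fopen64 ", 8) == 0)
-			ptr += 8;
-		else if (strncmp(ptr, "open64 ", 7) == 0)
-			ptr += 7;
-		else if (strncmp(ptr, "open ", 5) == 0)
-			ptr += 5;
-		else
-			continue;
-		if (strncmp(ptr, dir, dir_len) != 0)
-			continue;
-
-		// end of filename
-		char *ptr2 = strchr(ptr, ':');
-		if (!ptr2)
-			continue;
-		*ptr2 = '\0';
-
-		callback(ptr);
-	}
-
-	fclose(fp);
-}
-
-// process fname, fname.1, fname.2, fname.3, fname.4, fname.5
-static void process_files(const char *fname, const char *dir, void (*callback)(char *)) {
-	assert(fname);
-	assert(dir);
-	assert(callback);
-
-	// run fname
-	process_file(fname, dir, callback);
-
-	// run all the rest
-	struct stat s;
-	int i;
-	for (i = 1; i <= 5; i++) {
-		char *newname;
-		if (asprintf(&newname, "%s.%d", fname, i) == -1)
-			errExit("asprintf");
-		if (stat(newname, &s) == 0)
-			process_file(newname, dir, callback);
-		free(newname);
-	}
-}
-
-//*******************************************
-// etc directory
-//*******************************************
-static FileDB *etc_out = NULL;
-
-static void etc_callback(char *ptr) {
-	// skip firejail directory
-	if (strncmp(ptr, "/etc/firejail", 13) == 0)
-		return;
-
-	// add only top files and directories
-	ptr += 5;	// skip "/etc/"
-	char *end = strchr(ptr, '/');
-	if (end)
-		*end = '\0';
-	etc_out = filedb_add(etc_out, ptr);
-}
-
-void build_etc(const char *fname, FILE *fp) {
-	assert(fname);
-
-	process_files(fname, "/etc", etc_callback);
-
-	fprintf(fp, "private-etc ");
-	if (etc_out == NULL)
-		fprintf(fp, "none\n");
-	else {
-		FileDB *ptr = etc_out;
-		while (ptr) {
-			fprintf(fp, "%s,", ptr->fname);
-			ptr = ptr->next;
-		}
-		fprintf(fp, "\n");
-	}
-}
-
-//*******************************************
-// var directory
-//*******************************************
-static FileDB *var_out = NULL;
-static void var_callback(char *ptr) {
-	if (strcmp(ptr, "/var/lib") == 0)
-		;
-	else if (strcmp(ptr, "/var/cache") == 0)
-		;
-	else if (strncmp(ptr, "/var/lib/menu-xdg", 17) == 0)
-		var_out = filedb_add(var_out, "/var/lib/menu-xdg");
-	else if (strncmp(ptr, "/var/cache/fontconfig", 21) == 0)
-		var_out = filedb_add(var_out, "/var/cache/fontconfig");
-	else
-		var_out = filedb_add(var_out, ptr);
-}
-
-void build_var(const char *fname, FILE *fp) {
-	assert(fname);
-
-	process_files(fname, "/var", var_callback);
-
-	if (var_out == NULL)
-		fprintf(fp, "blacklist /var\n");
-	else
-		filedb_print(var_out, "whitelist ", fp);
-}
-
-
-//*******************************************
-// usr/share directory
-//*******************************************
-static FileDB *share_out = NULL;
-static void share_callback(char *ptr) {
-	// extract the directory:
-	assert(strncmp(ptr, "/usr/share", 10) == 0);
-	char *p1 = ptr + 10;
-	if (*p1 != '/')
-		return;
-	p1++;
-	if (*p1 == '/') // double '/'
-		p1++;
-	if (*p1 == '\0')
-		return;
-
-	// "/usr/share/bash-completion/bash_completion" becomes "/usr/share/bash-completion"
-	char *p2 = strchr(p1, '/');
-	if (p2)
-		*p2 = '\0';
-
-	// store the file
-	share_out = filedb_add(share_out, ptr);
-}
-
-void build_share(const char *fname, FILE *fp) {
-	assert(fname);
-
-	process_files(fname, "/usr/share", share_callback);
-
-	if (share_out == NULL)
-		fprintf(fp, "blacklist /usr/share\n");
-	else
-		filedb_print(share_out, "whitelist ", fp);
-}
-
-//*******************************************
-// tmp directory
-//*******************************************
-static FileDB *tmp_out = NULL;
-static void tmp_callback(char *ptr) {
-	filedb_add(tmp_out, ptr);
-}
-
-void build_tmp(const char *fname, FILE *fp) {
-	assert(fname);
-
-	process_files(fname, "/tmp", tmp_callback);
-
-	if (tmp_out == NULL)
-		fprintf(fp, "private-tmp\n");
-	else {
-		fprintf(fp, "\n");
-		fprintf(fp, "# private-tmp\n");
-		fprintf(fp, "# File accessed in /tmp directory:\n");
-		fprintf(fp, "# ");
-		FileDB *ptr = tmp_out;
-		while (ptr) {
-			fprintf(fp, "%s,", ptr->fname);
-			ptr = ptr->next;
-		}
-		printf("\n");
-	}
-}
-
-//*******************************************
-// dev directory
-//*******************************************
-static char *dev_skip[] = {
-	"/dev/zero",
-	"/dev/null",
-	"/dev/full",
-	"/dev/random",
-	"/dev/urandom",
-	"/dev/tty",
-	"/dev/snd",
-	"/dev/dri",
-	"/dev/pts",
-	"/dev/nvidia0",
-	"/dev/nvidia1",
-	"/dev/nvidia2",
-	"/dev/nvidia3",
-	"/dev/nvidia4",
-	"/dev/nvidia5",
-	"/dev/nvidia6",
-	"/dev/nvidia7",
-	"/dev/nvidia8",
-	"/dev/nvidia9",
-	"/dev/nvidiactl",
-	"/dev/nvidia-modeset",
-	"/dev/nvidia-uvm",
-	"/dev/video0",
-	"/dev/video1",
-	"/dev/video2",
-	"/dev/video3",
-	"/dev/video4",
-	"/dev/video5",
-	"/dev/video6",
-	"/dev/video7",
-	"/dev/video8",
-	"/dev/video9",
-	"/dev/dvb",
-	"/dev/sr0",
-	NULL
-};
-
-static FileDB *dev_out = NULL;
-static void dev_callback(char *ptr) {
-	// skip private-dev devices
-	int i = 0;
-	int found = 0;
-	while (dev_skip[i]) {
-		if (strcmp(ptr, dev_skip[i]) == 0) {
-			found = 1;
-			break;
-		}
-		i++;
-	}
-	if (!found)
-		filedb_add(dev_out, ptr);
-}
-
-void build_dev(const char *fname, FILE *fp) {
-	assert(fname);
-
-	process_files(fname, "/dev", dev_callback);
-
-	if (dev_out == NULL)
-		fprintf(fp, "private-dev\n");
-	else {
-		fprintf(fp, "\n");
-		fprintf(fp, "# private-dev\n");
-		fprintf(fp, "# This is the list of devices accessed (on top of regular private-dev devices:\n");
-		fprintf(fp, "# ");
-		FileDB *ptr = dev_out;
-		while (ptr) {
-			fprintf(fp, "%s,", ptr->fname);
-			ptr = ptr->next;
-		}
-		fprintf(fp, "\n");
-	}
-}
-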