Diffstat (limited to 'src/fbuilder/build_profile.c')
-rw-r--r-- | src/fbuilder/build_profile.c | 36 |
1 files changed, 15 insertions, 21 deletions
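--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -51,25 +51,20 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 
 int tfile = mkstemp(trace_output);
 int stfile = mkstemp(strace_output);
-
 if(tfile == -1 || stfile == -1)
 errExit("mkstemp");
 
-FILE *tp = fdopen(tfile, "r");
+// close the files, firejail/strace will overwrite them!
+close(tfile);
+close(stfile);
 
-if (!tp) {
-fprintf(stderr, "Error: cannot open %s\n", trace_output);
-exit(1);
-}
 
 char *output;
 char *stroutput;
-
 if(asprintf(&output,"--output=%s",trace_output) == -1)
 errExit("asprintf");
-
 if(asprintf(&stroutput,"-o %s",strace_output) == -1)
 errExit("asprintf");
 
 char *cmdlist[] = {
 "/usr/bin/firejail",
@@ -151,16 +146,16 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 fprintf(fp, "\n");
 
 fprintf(fp, "### home directory whitelisting\n");
-build_home(trace_output, tp, fp);
+build_home(trace_output, fp);
 fprintf(fp, "\n");
 
 fprintf(fp, "### filesystem\n");
-build_tmp(trace_output, tp, fp);
-build_dev(trace_output, tp, fp);
-build_etc(trace_output, tp, fp);
-build_var(trace_output, tp, fp);
-build_bin(trace_output, tp, fp);
-build_share(trace_output, tp, fp);
+build_tmp(trace_output, fp);
+build_dev(trace_output, fp);
+build_etc(trace_output, fp);
+build_var(trace_output, fp);
+build_bin(trace_output, fp);
+build_share(trace_output, fp);
 fprintf(fp, "\n");
 
 fprintf(fp, "### security filters\n");
@@ -168,7 +163,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 fprintf(fp, "nonewprivs\n");
 fprintf(fp, "seccomp\n");
 if (have_strace)
-build_seccomp(strace_output, stfile, fp);
+build_seccomp(strace_output, fp);
 else {
 fprintf(fp, "# If you install strace on your system, Firejail will also create a\n");
 fprintf(fp, "# whitelisted seccomp filter.\n");
@@ -176,13 +171,12 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 fprintf(fp, "\n");
 
 fprintf(fp, "### network\n");
-build_protocol(trace_output, tfile, fp);
+build_protocol(trace_output, fp);
 fprintf(fp, "\n");
 
 fprintf(fp, "### environment\n");
 fprintf(fp, "shell none\n");
 
-fclose(tp);
 unlink(trace_output);
 unlink(strace_output);
 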