Diffstat (limited to 'src/fbuilder/build_seccomp.c')
-rw-r--r-- | src/fbuilder/build_seccomp.c | 192 |
1 files changed, 0 insertions, 192 deletions
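--- a/src/fbuilder/build_seccomp.c
+++ /dev/null
@@ -1,192 +0,0 @@
-/*
- * Copyright (C) 2014-2018 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#include "fbuilder.h"
-
-void build_seccomp(const char *fname, FILE *fp) {
-	assert(fname);
-	assert(fp);
-
-	FILE *fp2 = fopen(fname, "r");
-	if (!fp2) {
-		fprintf(stderr, "Error: cannot open %s\n", fname);
-		exit(1);
-	}
-
-	char buf[MAX_BUF];
-	int line = 1;
-	int position = 0;
-	int cnt = 0;
-	while (fgets(buf, MAX_BUF, fp2)) {
-		// remove \n
-		char *ptr = strchr(buf, '\n');
-		if (ptr)
-			*ptr = '\0';
-
-		// first line:
-		//% time     seconds  usecs/call     calls    errors syscall
-		if (line == 1) {
-			// extract syscall position
-			ptr = strstr(buf, "syscall");
-			if (*buf != '%' || ptr == NULL) {
-				// skip this line, it could be garbage from strace
-				continue;
-			}
-			position = (int) (ptr - buf);
-		}
-		else if (line == 2) {
-			if (*buf != '-') {
-				fprintf(stderr, "Error: invalid strace output\n%s\n", buf);
-				exit(1);
-			}
-		}
-		else {
-			// get out on the next "----" line
-			if (*buf == '-')
-				break;
-
-			if (line == 3)
-				fprintf(fp, "# seccomp.keep %s", buf + position);
-			else
-				fprintf(fp, ",%s", buf + position);
-			cnt++;
-		}
-		line++;
-	}
-	fprintf(fp, "\n");
-	fprintf(fp, "# %d syscalls total\n", cnt);
-	fprintf(fp, "# Probably you will need to add more syscalls to seccomp.keep. Look for\n");
-	fprintf(fp, "# seccomp errors in /var/log/syslog or /var/log/audit/audit.log while\n");
-	fprintf(fp, "# running your sandbox.\n");
-
-	fclose(fp2);
-}
-
-//***************************************
-// protocol
-//***************************************
-int unix_s = 0;
-int inet = 0;
-int inet6 = 0;
-int netlink = 0;
-int packet = 0;
-static void process_protocol(const char *fname) {
-	assert(fname);
-
-	// process trace file
-	FILE *fp = fopen(fname, "r");
-	if (!fp) {
-		fprintf(stderr, "Error: cannot open %s\n", fname);
-		exit(1);
-	}
-
-	char buf[MAX_BUF];
-	while (fgets(buf, MAX_BUF, fp)) {
-		// remove \n
-		char *ptr = strchr(buf, '\n');
-		if (ptr)
-			*ptr = '\0';
-
-		// parse line: 4:galculator:access /etc/fonts/conf.d:0
-		// number followed by :
-		ptr = buf;
-		if (!isdigit(*ptr))
-			continue;
-		while (isdigit(*ptr))
-			ptr++;
-		if (*ptr != ':')
-			continue;
-		ptr++;
-
-		// next :
-		ptr = strchr(ptr, ':');
-		if (!ptr)
-			continue;
-		ptr++;
-		if (strncmp(ptr, "socket ", 7) == 0)
-			ptr += 7;
-		else
-			continue;
-
-		if (strncmp(ptr, "AF_LOCAL ", 9) == 0)
-			unix_s = 1;
-		else if (strncmp(ptr, "AF_INET ", 8) == 0)
-			inet = 1;
-		else if (strncmp(ptr, "AF_INET6 ", 9) == 0)
-			inet6 = 1;
-		else if (strncmp(ptr, "AF_NETLINK ", 9) == 0)
-			netlink = 1;
-		else if (strncmp(ptr, "AF_PACKET ", 9) == 0)
-			packet = 1;
-	}
-
-	fclose(fp);
-}
-
-
-// process fname, fname.1, fname.2, fname.3, fname.4, fname.5
-void build_protocol(const char *fname, FILE *fp) {
-	assert(fname);
-
-	// run fname
-	process_protocol(fname);
-
-	// run all the rest
-	struct stat s;
-	int i;
-	for (i = 1; i <= 5; i++) {
-		char *newname;
-		if (asprintf(&newname, "%s.%d", fname, i) == -1)
-			errExit("asprintf");
-		if (stat(newname, &s) == 0)
-			process_protocol(newname);
-		free(newname);
-	}
-
-	int net = 0;
-	if (unix_s || inet || inet6 || netlink || packet) {
-		fprintf(fp, "protocol ");
-		if (unix_s)
-			fprintf(fp, "unix,");
-		if (inet) {
-			fprintf(fp, "inet,");
-			net = 1;
-		}
-		if (inet6) {
-			fprintf(fp, "inet6,");
-			net = 1;
-		}
-		if (netlink)
-			fprintf(fp, "netlink,");
-		if (packet) {
-			fprintf(fp, "packet");
-			net = 1;
-		}
-		fprintf(fp, "\n");
-	}
-
-	if (net == 0)
-		fprintf(fp, "net none\n");
-	else {
-		fprintf(fp, "# net eth0\n");
-		fprintf(fp, "netfilter\n");
-	}
-}
-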