Diffstat (limited to 'src/fbuilder/build_seccomp.c')
-rw-r--r-- | src/fbuilder/build_seccomp.c | 191 |
1 files changed, 191 insertions, 0 deletions
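diff --git a/src/fbuilder/build_seccomp.c b/src/fbuilder/build_seccomp.c
new file mode 100644
index 000000000..18a767518
--- /dev/null
+++ b/src/fbuilder/build_seccomp.c
@@ -0,0 +1,191 @@
+/*
+ * Copyright (C) 2014-2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include "fbuilder.h"
+
+void build_seccomp(const char *fname) {
+	assert(fname);
+
+	FILE *fp = fopen(fname, "r");
+	if (!fp) {
+		fprintf(stderr, "Error: cannot open %s\n", fname);
+		exit(1);
+	}
+
+	char buf[MAX_BUF];
+	int line = 1;
+	int position = 0;
+	int cnt = 0;
+	while (fgets(buf, MAX_BUF, fp)) {
+		// remove \n
+		char *ptr = strchr(buf, '\n');
+		if (ptr)
+			*ptr = '\0';
+
+		// first line:
+		//% time seconds usecs/call calls errors syscall
+		if (line == 1) {
+			// extract syscall position
+			ptr = strstr(buf, "syscall");
+			if (*buf != '%' || ptr == NULL) {
+				// skip this line, it could be garbage from strace
+				continue;
+			}
+			position = (int) (ptr - buf);
+		}
+		else if (line == 2) {
+			if (*buf != '-') {
+				fprintf(stderr, "Error: invalid strace output\n%s\n", buf);
+				exit(1);
+			}
+		}
+		else {
+			// get out on the next "----" line
+			if (*buf == '-')
+				break;
+
+			if (line == 3)
+				printf("# seccomp.keep %s", buf + position);
+			else
+				printf(",%s", buf + position);
+			cnt++;
+		}
+		line++;
+	}
+	printf("\n");
+	printf("# %d syscalls total\n", cnt);
+	printf("# Probably you will need to add more syscalls to seccomp.keep. Look for\n");
+	printf("# seccomp errors in /var/log/syslog or /var/log/audit/audit.log while\n");
+	printf("# running your sandbox.\n");
+
+	fclose(fp);
+}
+
+//***************************************
+// protocol
+//***************************************
+int unix_s = 0;
+int inet = 0;
+int inet6 = 0;
+int netlink = 0;
+int packet = 0;
+static void process_protocol(const char *fname) {
+	assert(fname);
+
+	// process trace file
+	FILE *fp = fopen(fname, "r");
+	if (!fp) {
+		fprintf(stderr, "Error: cannot open %s\n", fname);
+		exit(1);
+	}
+
+	char buf[MAX_BUF];
+	while (fgets(buf, MAX_BUF, fp)) {
+		// remove \n
+		char *ptr = strchr(buf, '\n');
+		if (ptr)
+			*ptr = '\0';
+
+		// parse line: 4:galculator:access /etc/fonts/conf.d:0
+		// number followed by :
+		ptr = buf;
+		if (!isdigit(*ptr))
+			continue;
+		while (isdigit(*ptr))
+			ptr++;
+		if (*ptr != ':')
+			continue;
+		ptr++;
+
+		// next :
+		ptr = strchr(ptr, ':');
+		if (!ptr)
+			continue;
+		ptr++;
+		if (strncmp(ptr, "socket ", 7) == 0)
+			ptr += 7;
+		else
+			continue;
+
+		if (strncmp(ptr, "AF_LOCAL ", 9) == 0)
+			unix_s = 1;
+		else if (strncmp(ptr, "AF_INET ", 8) == 0)
+			inet = 1;
+		else if (strncmp(ptr, "AF_INET6 ", 9) == 0)
+			inet6 = 1;
+		else if (strncmp(ptr, "AF_NETLINK ", 9) == 0)
+			netlink = 1;
+		else if (strncmp(ptr, "AF_PACKET ", 9) == 0)
+			packet = 1;
+	}
+
+	fclose(fp);
+}
+
+
+// process fname, fname.1, fname.2, fname.3, fname.4, fname.5
+void build_protocol(const char *fname) {
+	assert(fname);
+
+	// run fname
+	process_protocol(fname);
+
+	// run all the rest
+	struct stat s;
+	int i;
+	for (i = 1; i <= 5; i++) {
+		char *newname;
+		if (asprintf(&newname, "%s.%d", fname, i) == -1)
+			errExit("asprintf");
+		if (stat(newname, &s) == 0)
+			process_protocol(newname);
+		free(newname);
+	}
+
+	int net = 0;
+	if (unix_s || inet || inet6 || netlink || packet) {
+		printf("protocol ");
+		if (unix_s)
+			printf("unix,");
+		if (inet) {
+			printf("inet,");
+			net = 1;
+		}
+		if (inet6) {
+			printf("inet6,");
+			net = 1;
+		}
+		if (netlink)
+			printf("netlink,");
+		if (packet) {
+			printf("packet");
+			net = 1;
+		}
+		printf("\n");
+	}
+
+	if (net == 0)
+		printf("net none\n");
+	else {
+		printf("# net eth0\n");
+		printf("netfilter\n");
+	}
+}
+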
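Review bot: The AF_NETLINK and AF_PACKET checks in process_protocol pass the wrong prefix length to strncmp — `"AF_NETLINK "` is 11 bytes and `"AF_PACKET "` is 10, but both calls compare only 9, so the tail of the family name and the separating space are never checked; use `else if (strncmp(ptr, "AF_NETLINK ", 11) == 0)` and `else if (strncmp(ptr, "AF_PACKET ", 10) == 0)`, or derive the lengths with strlen so they cannot drift from the literals. In build_seccomp, every data row is printed from `buf + position` without checking that the row is at least `position` bytes long; a shorter row would start past the string's terminator and print whatever stale bytes an earlier fgets left in buf, so guard it before the printf calls with `if (strlen(buf) <= (size_t)position) { fprintf(stderr, "Error: invalid strace output\n%s\n", buf); exit(1); }`, matching the error style already used for line 2. The `protocol` line is also emitted with a trailing comma whenever `packet` is not the last enabled family (for example `protocol unix,`), which should be confirmed against the profile parser or fixed by tracking a separator. Finally, `unix_s`, `inet`, `inet6`, `netlink` and `packet` are used only by the two protocol functions in this file and should be declared `static` rather than exported globals.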