From 4861cca38fcb73bae53f85ff8369c6acd535460e Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sun, 27 Aug 2017 08:04:35 -0400
Subject: cleanup

---
 src/fseccomp/seccomp.c | 32 ++------------------------------
 test/fs/private-bin.exp | 14 +++++++-------
 2 files changed, 9 insertions(+), 37 deletions(-)

diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index 7ae74c340..8abc249ec 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -164,6 +164,8 @@ void seccomp_default_drop(const char *fname1, const char *fname2, char *list, in
 }
 
 void seccomp_keep(const char *fname1, const char *fname2, char *list) {
+ (void) fname2;
+
 // open file for pre-exec filter
 int fd = open(fname1, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
 if (fd < 0) {
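Review bot: The added `(void) fname2;` silences the unused-parameter warning but leaves no record of why the post-exec filter is no longer written to fname2; the only explanation ("We don't need the postexec filter in this case anyway") lived in the `#if 0` block deleted in the next hunk and disappears with it. A comment on the new line, e.g. `(void) fname2; // post-exec filter is intentionally not generated here; the pre-exec whitelist is sufficient`, would keep that decision visible next to a signature that still advertises two output files. If anything downstream still expects fname2 to be created, it will now find nothing, or a stale file left by an earlier run, at that path — worth confirming, since this cannot be seen from the hunk. seccomp_keep's body continues past the end of this hunk.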
@@ -187,36 +189,6 @@ void seccomp_keep(const char *fname1, const char *fname2, char *list) {
 // close file
 close(fd);
-
-#if 0
-// There is something very wrong here with the file descriptors, "ls -l /proc/self/fd" will show no file
-// after running this code. We don't need the postexec filter in this case anyway.
-printf("@@seccomp_keep start %s %s %s\n", fname1, fname2, list);
-system("ls -l /proc/self/fd");
-printf("@@seccomp_keep start %s %s %s\n", fname1, fname2, list);
- // open file for post-exec filter
- fd = open(fname2, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
- if (fd < 0) {
- fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname2);
- exit(1);
- }
-
- // build post-exec filter: whitelist without @default-keep
- filter_init(fd);
-
- if (syscall_check_list(list, filter_add_whitelist, fd, 0, NULL)) {
- fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
- exit(1);
- }
-
- filter_end_whitelist(fd);
-
- // close file
- close(fd);
-printf("@@seccomp_keep end %s %s %s\n", fname1, fname2, list);
-system("ls -l /proc/self/fd");
-printf("@@seccomp_keep end %s %s %s\n", fname1, fname2, list);
-#endif
 }
 
 void memory_deny_write_execute(const char *fname) {
diff --git a/test/fs/private-bin.exp b/test/fs/private-bin.exp
index d4cdc3a36..8403b8442 100755
--- a/test/fs/private-bin.exp
+++ b/test/fs/private-bin.exp
@@ -60,31 +60,31 @@ expect {
 send -- "ls /bin\r"
 expect {
- timeout {puts "TESTING ERROR 5\n";exit}
- "ping" {puts "TESTING ERROR 6\n";exit}
+ timeout {puts "TESTING ERROR 11\n";exit}
+ "ping" {puts "TESTING ERROR 12\n";exit}
 "sh"
 }
 send -- "exit\r"
 after 100
 
-send -- "firejail --private-bin=/etc/shadow\r"
+send -- "firejail --debug --private-bin=/etc/shadow \r"
 expect {
- timeout {puts "TESTING ERROR 8\n";exit}
- "invalid filename"
+ timeout {puts "TESTING ERROR 13\n";exit}
+ "Warning: file /etc/shadow not found"
 }
 after 100
 
 send -- "firejail --private-bin=\"bla;bla\"\r"
 expect {
- timeout {puts "TESTING ERROR 9\n";exit}
+ timeout {puts "TESTING ERROR 14\n";exit}
 "is an invalid filename"
 }
 after 100
 
 send -- "firejail --private-etc=../bin/ls\r"
 expect {
- timeout {puts "TESTING ERROR 10\n";exit}
+ timeout {puts "TESTING ERROR 15\n";exit}
 "is an invalid filename"
 }
-- 
cgit v1.2.3-54-g00ecf
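Review bot: The `--private-bin=/etc/shadow` case now only matches `Warning: file /etc/shadow not found` and gains a `--debug` flag on the `send` line, so the test no longer asserts that the path is rejected as invalid, only that it is reported as missing; if that warning is printed only under `--debug` (the added flag suggests so), the default non-debug behaviour for this input is no longer exercised at all. Keeping a second, non-debug invocation, or adding an expectation that the sandbox starts without /etc/shadow in its private bin, would preserve the coverage the old `"invalid filename"` check gave. The trailing space before `\r` in `send -- "firejail --debug --private-bin=/etc/shadow \r"` looks unintended; dropping it keeps the command line identical to the other `send` lines. The renumbering of the TESTING ERROR codes from 5–10 to 11–15 is fine as long as the numbers stay unique across the whole script, which cannot be confirmed from this hunk.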