From 7025b182f108655d267c06da287718f659018f4e Mon Sep 17 00:00:00 2001
From: netblue30
Date: Mon, 3 May 2021 20:01:45 -0400
Subject: --build fixes
---
 src/fbuilder/build_bin.c | 2 +-
 src/fbuilder/build_fs.c | 12 +++++++-----
 src/fbuilder/build_home.c | 2 +-
 src/fbuilder/build_profile.c | 23 +++++++++++------------
 4 files changed, 20 insertions(+), 19 deletions(-)
diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c
index 96bd351f3..431aebee6 100644
--- a/src/fbuilder/build_bin.c
+++ b/src/fbuilder/build_bin.c
@@ -121,6 +121,6 @@ void build_bin(const char *fname, FILE *fp) {
 			ptr = ptr->next;
 		}
 		fprintf(fp, "\n");
-		fprintf(fp, "# private-lib\n");
+		fprintf(fp, "#private-lib\n");
 	}
 }
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
index 495f71ab8..ac0cd455a 100644
--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -220,6 +220,10 @@ static void tmp_callback(char *ptr) {
 	// skip strace file
 	if (strncmp(ptr, "/tmp/firejail-strace", 20) == 0)
 		return;
+	if (strncmp(ptr, "/tmp/runtime-", 13) == 0)
+		return;
+	if (strcmp(ptr, "/tmp") == 0)
+		return;
 	tmp_out = filedb_add(tmp_out, ptr);
 }
@@ -232,8 +236,7 @@ void build_tmp(const char *fname, FILE *fp) {
 	if (tmp_out == NULL)
 		fprintf(fp, "private-tmp\n");
 	else {
-		fprintf(fp, "\n");
-		fprintf(fp, "# private-tmp\n");
+		fprintf(fp, "#private-tmp\n");
 		fprintf(fp, "# File accessed in /tmp directory:\n");
 		fprintf(fp, "# ");
 		FileDB *ptr = tmp_out;
@@ -310,9 +313,8 @@ void build_dev(const char *fname, FILE *fp) {
 	if (dev_out == NULL)
 		fprintf(fp, "private-dev\n");
 	else {
-		fprintf(fp, "\n");
-		fprintf(fp, "# private-dev\n");
-		fprintf(fp, "# This is the list of devices accessed (on top of regular private-dev devices:\n");
+		fprintf(fp, "#private-dev\n");
+		fprintf(fp, "# This is the list of devices accessed on top of regular private-dev devices:\n");
 		fprintf(fp, "# ");
 		FileDB *ptr = dev_out;
 		while (ptr) {
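Review bot: The new prefix test in tmp_callback hard-codes the length 13 beside the literal "/tmp/runtime-", so the two can silently drift apart on the next edit (the existing 20 for "/tmp/firejail-strace" has the same weakness); `if (strncmp(ptr, "/tmp/runtime-", strlen("/tmp/runtime-")) == 0)` keeps the length tied to the string, or a small static `has_prefix()` could serve all three checks. The two added skips also carry no comment, unlike the strace skip right above them, and a reader cannot tell from the hunk why "/tmp" itself and "/tmp/runtime-*" must never reach tmp_out; I would add `// skip /tmp itself and the per-sandbox runtime dir (presumably the XDG runtime replacement — verify)` above them, stating that anything skipped here neither appears in the generated list nor forces private-tmp off. tmp_callback's signature is outside the hunk; the hunk ends on its closing brace.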
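Review bot: In build_tmp's else branch the generated profile now receives `#private-tmp` followed only by a bare path list, so the user is never told that private-tmp was deliberately left disabled because of those paths, which is the security-relevant decision the builder is making on their behalf. The explanation line should carry that, e.g. `fprintf(fp, "# private-tmp is disabled because these files were accessed in /tmp; whitelist or review them and re-enable it:\n");`, and "File accessed" should in any case be plural. build_tmp begins before the hunk and its list-printing loop continues past `FileDB *ptr = tmp_out;`.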
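Review bot: After this hunk build_dev's else branch is a line-for-line twin of build_tmp's above it — directive commented out, one explanation line, a "# " prefix, then a FileDB walk — and build_bin's `#private-lib` follows the same shape, so the generated wording will keep diverging across the three unless the emission moves into one static helper taking the directive, the explanation and the list. build_dev would then reduce to `print_private_section(fp, "private-dev", "This is the list of devices accessed on top of regular private-dev devices:", dev_out);`. The per-entry loop body and the rest of build_dev lie outside the hunk, so the sketch below leaves the loop open where the hunk does.

```c
/* Emit DIRECTIVE as-is when nothing extra was observed; otherwise emit it
 * commented out, one explanation line, and the observed entries, so that
 * build_tmp and build_dev produce identically shaped profile text. */
static void print_private_section(FILE *fp, const char *directive,
				  const char *explanation, FileDB *list) {
	if (list == NULL) {
		fprintf(fp, "%s\n", directive);
		return;
	}
	fprintf(fp, "#%s\n", directive);
	fprintf(fp, "# %s\n", explanation);
	fprintf(fp, "# ");
	FileDB *ptr = list;
	while (ptr) {
		/* … unchanged: per-entry printing loop body from build_dev … */
```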
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c
index 683009b71..d7706282a 100644
--- a/src/fbuilder/build_home.c
+++ b/src/fbuilder/build_home.c
@@ -141,7 +141,7 @@ void process_home(const char *fname, char *home, int home_len) {
 		}
 		// skip files and directories in whitelist-common.inc
-		if (filedb_find(db_skip, toadd)) {
+		if (strlen(toadd) == 0 || filedb_find(db_skip, toadd)) {
 			if (dir)
 				free(dir);
 			continue;
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index 96a83954d..0c1b57384 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -150,12 +150,12 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 	fprintf(fp, "### basic blacklisting\n");
 	fprintf(fp, "include disable-common.inc\n");
-	fprintf(fp, "# include disable-devel.inc\n");
-	fprintf(fp, "# include disable-exec.inc\n");
-	fprintf(fp, "# include disable-interpreters.inc\n");
+	fprintf(fp, "#include disable-devel.inc\n");
+	fprintf(fp, "#include disable-exec.inc\n");
+	fprintf(fp, "#include disable-interpreters.inc\n");
 	fprintf(fp, "include disable-passwdmgr.inc\n");
-	fprintf(fp, "# include disable-programs.inc\n");
-	fprintf(fp, "# include disable-xdg.inc\n");
+	fprintf(fp, "#include disable-programs.inc\n");
+	fprintf(fp, "#include disable-xdg.inc\n");
 	fprintf(fp, "\n");
 	fprintf(fp, "### home directory whitelisting\n");
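Review bot: The comment above the changed condition still says only "skip files and directories in whitelist-common.inc", but the condition now also skips an empty `toadd`, and nothing in the hunk says where an empty remainder comes from or why emitting it would be wrong — presumably it is the home directory itself, which whitelisted wholesale would defeat the purpose of the section, but that is not visible here. I would extend the comment to `// skip an empty remainder (presumably $HOME itself - verify against how toadd is built) and entries already covered by whitelist-common.inc`. `strlen(toadd) == 0` also scans the whole string to test emptiness; `if (*toadd == '\0' || filedb_find(db_skip, toadd)) {` says the same thing directly and keeps the short-circuit before the db lookup. process_home starts before the hunk and continues after it.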
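Review bot: Five of the seven includes in this hunk are emitted commented out, so a profile produced by --build starts life with disable-devel, disable-exec, disable-interpreters, disable-programs and disable-xdg all inactive, and nothing in the generated text tells the user whether that is a deliberate conservative starting point they are expected to tighten or an oversight. One generated line ahead of the block, e.g. `fprintf(fp, "# the commented includes below are off by default; enable each one after checking the program does not need what it blocks\n");`, would make the expectation explicit in the artifact people actually read. build_profile begins before this hunk and continues past it.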
@@ -163,18 +163,17 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 	fprintf(fp, "\n");
 	fprintf(fp, "### filesystem\n");
-	fprintf(fp, "# /usr/share:\n");
+	fprintf(fp, "### /usr/share:\n");
 	build_share(trace_output, fp);
-	fprintf(fp, "# /var:\n");
+	fprintf(fp, "### /var:\n");
 	build_var(trace_output, fp);
-	fprintf(fp, "\n");
-	fprintf(fp, "# $PATH:\n");
+	fprintf(fp, "### /bin:\n");
 	build_bin(trace_output, fp);
-	fprintf(fp, "# /dev:\n");
+	fprintf(fp, "### /dev:\n");
 	build_dev(trace_output, fp);
-	fprintf(fp, "# /etc:\n");
+	fprintf(fp, "### /etc:\n");
 	build_etc(trace_output, fp);
-	fprintf(fp, "# /tmp:\n");
+	fprintf(fp, "### /tmp:\n");
 	build_tmp(trace_output, fp);
 	fprintf(fp, "\n");
-- 
cgit v1.2.3-54-g00ecf
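Review bot: The heading emitted ahead of build_bin changes from `$PATH:` to `### /bin:`, but build_bin is fed the same trace file as the other collectors and its old label suggests it gathers binaries from every $PATH entry rather than /bin alone (its collection code is not visible here); if that is still the case, `fprintf(fp, "### $PATH:\n");` or `fprintf(fp, "### binaries:\n");` would describe the section honestly and avoid a user concluding that only /bin was inspected. The `fprintf(fp, "\n")` dropped just before it was the separator between the /var output and this section, so unless build_var ends its own output with a newline (not visible here) the two lists now run together in the generated profile. build_profile continues past the end of the hunk.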