From 8988842c1bec4a41c09591e47771bf30247a5539 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Tue, 4 May 2021 16:46:54 -0400
Subject: --build fixes

---
 README | 4 ++
 README.md | 1 +
 RELNOTES | 5 +-
 src/fbuilder/build_fs.c | 129 +++++++++++++++++++++++++++++++++----------
 src/fbuilder/build_profile.c | 23 +++----
 5 files changed, 119 insertions(+), 43 deletions(-)

diff --git a/README b/README
index eb8a8e374..99beaf694 100644
--- a/README
+++ b/README
@@ -278,6 +278,7 @@ David Thole (https://github.com/TheDarkTrumpet)
 Davide Beatrici (https://github.com/davidebeatrici)
 - steam.profile: correctly blacklist unneeded directories in user's home
 - minetest fixes
+ - map /dev/input with "--private-dev", add "--no-input" option to disable it
 David Hyrule (https://github.com/Svaag)
 - remove nou2f in ssh profile
 Deelvesh Bunjun (https://github.com/DeelveshBunjun)
@@ -553,6 +554,7 @@ Kishore96in (https://github.com/Kishore96in)
 - okular profile fixes
 - jitsi-meet-desktop profile
 - konversatin profile fix
+ - added Neochat profile
 KOLANICH (https://github.com/KOLANICH)
 - added symlink fixer fix_private-bin.py in contrib section
 - update fix_private-bin.py
@@ -619,6 +621,8 @@ Melvin Vermeeren (https://github.com/melvinvermeeren)
 - added --noautopulse command line option
 Michael Haas (https://github.com/mhaas)
 - bugfixes
+Michael Hoffmann (https://github.com/brisad)
+ - added support for subdirs in private-etc
 Mike Frysinger (vapier@gentoo.org)
 - Gentoo compile patch
 mirabellette (https://github.com/mirabellette)
diff --git a/README.md b/README.md
index 4de1c2bc8..40e9eff41 100644
--- a/README.md
+++ b/README.md
@@ -336,3 +336,4 @@ pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, bcompare, b2sum, c sha256sum, sha384sum, sha512sum, sum, librewold-nightly, Quodlibet, tmux, sway, alienarena, alienarena-wrapper, ballbuster, ballbuster-wrapper, colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium, glaxium-wrapper, pinball, pinball-wrapper, etr-wrapper, neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, firedragon +neochat diff --git a/RELNOTES b/RELNOTES index fb384a419..788d5781a 100644 --- a/RELNOTES +++ b/RELNOTES @@ -12,6 +12,8 @@ firejail (0.9.65) baseline; urgency=low * compile time: --enable-force-nonewprivs * compile time: --disable-output * compile time: --enable-lts + * subdirs support in private-etc + * input devices support in private-dev, --no-input * new profiles: vmware-view, display-im6.q16, ipcalc, ipcalc-ng * ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop, * avidemux, calligragemini, vmware-player, vmware-workstation @@ -22,7 +24,8 @@ firejail (0.9.65) baseline; urgency=low * alienarena, alienarena-wrapper, ballbuster, ballbuster-wrapper, * colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium, * glaxium-wrapper, pinball, pinball-wrapper, etr-wrapper, firedragon - * neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper + * neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, + * neochat -- netblue30 Tue, 9 Feb 2021 09:00:00 -0500 firejail (0.9.64.4) baseline; urgency=low diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c index ac0cd455a..b35380b96 100644 --- a/src/fbuilder/build_fs.c +++ b/src/fbuilder/build_fs.c 
@@ -177,6 +177,74 @@ void build_var(const char *fname, FILE *fp) {
 //*******************************************
 // usr/share directory
 //*******************************************
+// todo: load the list from whitelist-usr-share-common.inc
+static char *share_skip[] = {
+ "/usr/share/alsa",
+ "/usr/share/applications",
+ "/usr/share/ca-certificates",
+ "/usr/share/crypto-policies",
+ "/usr/share/cursors",
+ "/usr/share/dconf",
+ "/usr/share/distro-info",
+ "/usr/share/drirc.d",
+ "/usr/share/enchant",
+ "/usr/share/enchant-2",
+ "/usr/share/file",
+ "/usr/share/fontconfig",
+ "/usr/share/fonts",
+ "/usr/share/fonts-config",
+ "/usr/share/gir-1.0",
+ "/usr/share/gjs-1.0",
+ "/usr/share/glib-2.0",
+ "/usr/share/glvnd",
+ "/usr/share/gtk-2.0",
+ "/usr/share/gtk-3.0",
+ "/usr/share/gtk-engines",
+ "/usr/share/gtksourceview-3.0",
+ "/usr/share/gtksourceview-4",
+ "/usr/share/hunspell",
+ "/usr/share/hwdata",
+ "/usr/share/icons",
+ "/usr/share/icu",
+ "/usr/share/knotifications5",
+ "/usr/share/kservices5",
+ "/usr/share/Kvantum",
+ "/usr/share/kxmlgui5",
+ "/usr/share/libdrm",
+ "/usr/share/libthai",
+ "/usr/share/locale",
+ "/usr/share/mime",
+ "/usr/share/misc",
+ "/usr/share/Modules",
+ "/usr/share/myspell",
+ "/usr/share/p11-kit",
+ "/usr/share/perl",
+ "/usr/share/perl5",
+ "/usr/share/pixmaps",
+ "/usr/share/pki",
+ "/usr/share/plasma",
+ "/usr/share/publicsuffix",
+ "/usr/share/qt",
+ "/usr/share/qt4",
+ "/usr/share/qt5",
+ "/usr/share/qt5ct",
+ "/usr/share/sounds",
+ "/usr/share/tcl8.6",
+ "/usr/share/tcltk",
+ "/usr/share/terminfo",
+ "/usr/share/texlive",
+ "/usr/share/texmf",
+ "/usr/share/themes",
+ "/usr/share/thumbnail.so",
+ "/usr/share/uim",
+ "/usr/share/vulkan",
+ "/usr/share/X11",
+ "/usr/share/xml",
+ "/usr/share/zenity",
+ "/usr/share/zoneinfo",
+ NULL
+};
+
 static FileDB *share_out = NULL;
 static void share_callback(char *ptr) {
 // extract the directory:
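Review bot: `static char *share_skip[]` exposes a table of string literals through writable pointers; nothing stores through it, so `static const char *const share_skip[] = {` is the accurate declaration and lets the compiler reject an accidental write. Because share_callback in the following hunk compares entries with `strncmp` over the entry's own length, the longer entries `/usr/share/enchant-2`, `/usr/share/fonts-config`, `/usr/share/perl5`, `/usr/share/qt4`, `/usr/share/qt5` and `/usr/share/qt5ct` can never be the one that matches — their shorter siblings always win first — so either the compare should be exact (my preference, see the next hunk) or those rows are dead. The `// todo:` line says where the list should come from but not what it means; a sentence such as `// top-level /usr/share directories the generated profile does not whitelist explicitly (presumably covered by whitelist-usr-share-common.inc)` would tell a maintainer when a directory belongs here.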
@@ -195,8 +263,17 @@ static void share_callback(char *ptr) {
 if (p2)
 *p2 = '\0';
- // store the file
- share_out = filedb_add(share_out, ptr);
+ int i = 0;
+ int found = 0;
+ while (share_skip[i]) {
+ if (strncmp(ptr, share_skip[i], strlen(share_skip[i])) == 0) {
+ found = 1;
+ break;
+ }
+ i++;
+ }
+ if (!found)
+ share_out = filedb_add(share_out, ptr);
 }
 void build_share(const char *fname, FILE *fp) {
@@ -252,40 +329,36 @@ void build_tmp(const char *fname, FILE *fp) {
 // dev directory
 //*******************************************
 static char *dev_skip[] = {
+ "/dev/stdin",
+ "/dev/stdout",
+ "/dev/stderr",
 "/dev/zero",
 "/dev/null",
 "/dev/full",
 "/dev/random",
 "/dev/urandom",
+ "/dev/sr0",
+ "/dev/cdrom",
+ "/dev/cdrw",
+ "/dev/dvd",
+ "/dev/dvdrw",
+ "/dev/fd",
+ "/dev/pts",
+ "/dev/ptmx",
+ "/dev/log",
+
+ "/dev/aload", // old ALSA devices, not covered in private-dev
+ "/dev/dsp", // old OSS device, deprecated
+
 "/dev/tty",
 "/dev/snd",
 "/dev/dri",
- "/dev/pts",
- "/dev/nvidia0",
- "/dev/nvidia1",
- "/dev/nvidia2",
- "/dev/nvidia3",
- "/dev/nvidia4",
- "/dev/nvidia5",
- "/dev/nvidia6",
- "/dev/nvidia7",
- "/dev/nvidia8",
- "/dev/nvidia9",
- "/dev/nvidiactl",
- "/dev/nvidia-modeset",
- "/dev/nvidia-uvm",
- "/dev/video0",
- "/dev/video1",
- "/dev/video2",
- "/dev/video3",
- "/dev/video4",
- "/dev/video5",
- "/dev/video6",
- "/dev/video7",
- "/dev/video8",
- "/dev/video9",
+ "/dev/nvidia",
+ "/dev/video",
 "/dev/dvb",
- "/dev/sr0",
+ "/dev/hidraw",
+ "/dev/usb",
+ "/dev/input",
 NULL
 };
@@ -295,7 +368,7 @@ static void dev_callback(char *ptr) {
 int i = 0;
 int found = 0;
 while (dev_skip[i]) {
- if (strcmp(ptr, dev_skip[i]) == 0) {
+ if (strncmp(ptr, dev_skip[i], strlen(dev_skip[i])) == 0) {
 found = 1;
 break;
 }
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index 0c1b57384..100630eb9 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
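Review bot: The new `strncmp(ptr, share_skip[i], strlen(share_skip[i]))` is an unanchored prefix match, so after ptr has been cut back to its top-level directory by the `*p2 = '\0'` just above, `/usr/share/file` also swallows `/usr/share/file-roller`, `/usr/share/perl` swallows `/usr/share/perl-openssl-defaults`, `/usr/share/qt` swallows `/usr/share/qtcreator` and `/usr/share/mime` swallows `/usr/share/mime-info`. A directory matched this way never reaches filedb_add, so if the output is the whitelist the section headers suggest, the generated profile silently omits it — fail-closed for the sandbox, but a broken profile with no hint why. Since ptr is already the directory component at this point, an exact compare is enough: `if (strcmp(ptr, share_skip[i]) == 0) {`; if prefix semantics are wanted for subtrees, anchor on a separator instead: `size_t len = strlen(share_skip[i]); if (strncmp(ptr, share_skip[i], len) == 0 && (ptr[len] == '\0' || ptr[len] == '/'))`. share_callback begins outside this hunk, so the truncation I rely on is visible only through the trailing `if (p2) *p2 = '\0';` context lines.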
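Review bot: Nothing at this table says its entries are now matched as prefixes, which is the contract change the next hunk makes by switching dev_callback from `strcmp` to `strncmp`; a reader adding a name here cannot see that `/dev/tty` will also absorb `/dev/tty0`, `/dev/ttyS0` and `/dev/ttyUSB0`, or that `/dev/fd` absorbs `/dev/fd0`. Put the rule above the array, e.g. `// entries are path prefixes (see dev_callback): "/dev/video" covers /dev/video0..9, "/dev/dri" covers /dev/dri/*`. The array holds string literals that are never written, so `static const char *const dev_skip[] = {` is the right declaration. The `/dev/aload` comment, "not covered in private-dev", reads as the opposite of what I take a skip to mean for the other rows (private-dev already provides them); if the intent is "obsolete, deliberately not emitted", say so, because the two rationales lead to different decisions for the next device someone adds.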
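Review bot: With `strncmp(ptr, dev_skip[i], strlen(dev_skip[i]))` every row of dev_skip becomes an unanchored prefix, so beyond the intended `/dev/nvidia*` and `/dev/video*` families the `/dev/tty` row now also matches `/dev/ttyS0`, `/dev/ttyUSB0` and `/dev/ttyACM0`, and `/dev/fd` matches `/dev/fd0`; a traced program that opened a serial port used to have that device reported and now does not. If a skipped device is one the builder assumes private-dev provides (I infer that from the table; build_dev is not in the hunk), the generated profile then emits a `private-dev` that hides the serial port from the sandboxed program — fail-closed, but silently wrong. Anchor the match: accept an exact name or a path below a directory row, and keep an explicit short list of numbered device families that genuinely are prefixes. dev_callback continues past the end of this hunk.

```c
	// exact name, a path below a directory entry, or one of the numbered
	// device families that are genuine prefixes (nvidia0, video0, hidraw0, aloadC0)
	static const char *const dev_prefix[] = { "/dev/nvidia", "/dev/video", "/dev/hidraw", "/dev/aload", NULL };
	int i = 0;
	int found = 0;
	while (dev_skip[i]) {
		size_t len = strlen(dev_skip[i]);
		if (strncmp(ptr, dev_skip[i], len) == 0 && (ptr[len] == '\0' || ptr[len] == '/')) {
			found = 1;
			break;
		}
		i++;
	}
	for (i = 0; !found && dev_prefix[i]; i++)
		if (strncmp(ptr, dev_prefix[i], strlen(dev_prefix[i])) == 0)
			found = 1;
	// … unchanged: rest of dev_callback …
```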
@@ -160,24 +160,21 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 fprintf(fp, "### home directory whitelisting\n");
 build_home(trace_output, fp);
- fprintf(fp, "\n");
- fprintf(fp, "### filesystem\n");
- fprintf(fp, "### /usr/share:\n");
+ fprintf(fp, "\n### /usr/share:\n");
 build_share(trace_output, fp);
- fprintf(fp, "### /var:\n");
+ fprintf(fp, "\n### /var:\n");
 build_var(trace_output, fp);
- fprintf(fp, "### /bin:\n");
+ fprintf(fp, "\n### /bin:\n");
 build_bin(trace_output, fp);
- fprintf(fp, "### /dev:\n");
+ fprintf(fp, "\n### /dev:\n");
 build_dev(trace_output, fp);
- fprintf(fp, "### /etc:\n");
+ fprintf(fp, "\n### /etc:\n");
 build_etc(trace_output, fp);
- fprintf(fp, "### /tmp:\n");
+ fprintf(fp, "\n### /tmp:\n");
 build_tmp(trace_output, fp);
- fprintf(fp, "\n");
- fprintf(fp, "### security filters\n");
+ fprintf(fp, "\n### security filters\n");
 fprintf(fp, "caps.drop all\n");
 fprintf(fp, "nonewprivs\n");
 fprintf(fp, "seccomp\n");
@@ -189,13 +186,11 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 fprintf(fp, "# Yama security module prevents creation of a whitelisted seccomp filter\n");
 else
 build_seccomp(strace_output, fp);
- fprintf(fp, "\n");
- fprintf(fp, "### network\n");
+ fprintf(fp, "\n### network\n");
 build_protocol(trace_output, fp);
- fprintf(fp, "\n");
- fprintf(fp, "### environment\n");
+ fprintf(fp, "\n### environment\n");
 fprintf(fp, "shell none\n");
 if (!arg_debug) {
-- cgit v1.2.3-70-g09d2