From 8988842c1bec4a41c09591e47771bf30247a5539 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Tue, 4 May 2021 16:46:54 -0400
Subject: --build fixes
---
 src/fbuilder/build_fs.c | 129 +++++++++++++++++++++++++++++++++----------
 src/fbuilder/build_profile.c | 23 +++-----
 2 files changed, 110 insertions(+), 42 deletions(-)
(limited to 'src/fbuilder')
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
index ac0cd455a..b35380b96 100644
--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -177,6 +177,74 @@ void build_var(const char *fname, FILE *fp) {
 //*******************************************
 // usr/share directory
 //*******************************************
+// todo: load the list from whitelist-usr-share-common.inc
+static char *share_skip[] = {
+ "/usr/share/alsa",
+ "/usr/share/applications",
+ "/usr/share/ca-certificates",
+ "/usr/share/crypto-policies",
+ "/usr/share/cursors",
+ "/usr/share/dconf",
+ "/usr/share/distro-info",
+ "/usr/share/drirc.d",
+ "/usr/share/enchant",
+ "/usr/share/enchant-2",
+ "/usr/share/file",
+ "/usr/share/fontconfig",
+ "/usr/share/fonts",
+ "/usr/share/fonts-config",
+ "/usr/share/gir-1.0",
+ "/usr/share/gjs-1.0",
+ "/usr/share/glib-2.0",
+ "/usr/share/glvnd",
+ "/usr/share/gtk-2.0",
+ "/usr/share/gtk-3.0",
+ "/usr/share/gtk-engines",
+ "/usr/share/gtksourceview-3.0",
+ "/usr/share/gtksourceview-4",
+ "/usr/share/hunspell",
+ "/usr/share/hwdata",
+ "/usr/share/icons",
+ "/usr/share/icu",
+ "/usr/share/knotifications5",
+ "/usr/share/kservices5",
+ "/usr/share/Kvantum",
+ "/usr/share/kxmlgui5",
+ "/usr/share/libdrm",
+ "/usr/share/libthai",
+ "/usr/share/locale",
+ "/usr/share/mime",
+ "/usr/share/misc",
+ "/usr/share/Modules",
+ "/usr/share/myspell",
+ "/usr/share/p11-kit",
+ "/usr/share/perl",
+ "/usr/share/perl5",
+ "/usr/share/pixmaps",
+ "/usr/share/pki",
+ "/usr/share/plasma",
+ "/usr/share/publicsuffix",
+ "/usr/share/qt",
+ "/usr/share/qt4",
+ "/usr/share/qt5",
+ "/usr/share/qt5ct",
+ "/usr/share/sounds",
+ "/usr/share/tcl8.6",
+ "/usr/share/tcltk",
+ "/usr/share/terminfo",
+ "/usr/share/texlive",
+ "/usr/share/texmf",
+ "/usr/share/themes",
+ "/usr/share/thumbnail.so",
+ "/usr/share/uim",
+ "/usr/share/vulkan",
+ "/usr/share/X11",
+ "/usr/share/xml",
+ "/usr/share/zenity",
+ "/usr/share/zoneinfo",
+ NULL
+};
+
 static FileDB *share_out = NULL;
 static void share_callback(char *ptr) {
 // extract the directory:
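Review bot: `share_skip` is declared `static char *share_skip[]`, but it is a read-only table of string literals that is only walked, never written, so the stricter form `static const char *const share_skip[] = {` documents that and lets the compiler reject accidental writes through it; the same applies to `dev_skip` in the next hunk of this file. Because the loop added in the following hunk compares only the first `strlen(share_skip[i])` bytes, entries that are prefixes of later ones already swallow them: `/usr/share/enchant` covers `/usr/share/enchant-2`, `/usr/share/fonts` covers `/usr/share/fonts-config`, `/usr/share/perl` covers `/usr/share/perl5`, and `/usr/share/qt` covers `/usr/share/qt4`, `/usr/share/qt5` and `/usr/share/qt5ct`, so those six entries are unreachable and the reader cannot tell whether prefix matching was intended. A one-line comment on the table stating how it is matched, e.g. `// matched as a path prefix by share_callback(); keep entries in sync with whitelist-usr-share-common.inc`, would make the `// todo` actionable and stop the two lists drifting apart silently.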
@@ -195,8 +263,17 @@ static void share_callback(char *ptr) {
 if (p2)
 *p2 = '\0';
- // store the file
- share_out = filedb_add(share_out, ptr);
+ int i = 0;
+ int found = 0;
+ while (share_skip[i]) {
+ if (strncmp(ptr, share_skip[i], strlen(share_skip[i])) == 0) {
+ found = 1;
+ break;
+ }
+ i++;
+ }
+ if (!found)
+ share_out = filedb_add(share_out, ptr);
 }
 void build_share(const char *fname, FILE *fp) {
@@ -252,40 +329,36 @@ void build_tmp(const char *fname, FILE *fp) {
 // dev directory
 //*******************************************
 static char *dev_skip[] = {
+ "/dev/stdin",
+ "/dev/stdout",
+ "/dev/stderr",
 "/dev/zero",
 "/dev/null",
 "/dev/full",
 "/dev/random",
 "/dev/urandom",
+ "/dev/sr0",
+ "/dev/cdrom",
+ "/dev/cdrw",
+ "/dev/dvd",
+ "/dev/dvdrw",
+ "/dev/fd",
+ "/dev/pts",
+ "/dev/ptmx",
+ "/dev/log",
+
+ "/dev/aload", // old ALSA devices, not covered in private-dev
+ "/dev/dsp", // old OSS device, deprecated
+
+ "/dev/tty",
 "/dev/snd",
 "/dev/dri",
- "/dev/pts",
- "/dev/nvidia0",
- "/dev/nvidia1",
- "/dev/nvidia2",
- "/dev/nvidia3",
- "/dev/nvidia4",
- "/dev/nvidia5",
- "/dev/nvidia6",
- "/dev/nvidia7",
- "/dev/nvidia8",
- "/dev/nvidia9",
- "/dev/nvidiactl",
- "/dev/nvidia-modeset",
- "/dev/nvidia-uvm",
- "/dev/video0",
- "/dev/video1",
- "/dev/video2",
- "/dev/video3",
- "/dev/video4",
- "/dev/video5",
- "/dev/video6",
- "/dev/video7",
- "/dev/video8",
- "/dev/video9",
+ "/dev/nvidia",
+ "/dev/video",
 "/dev/dvb",
- "/dev/sr0",
+ "/dev/hidraw",
+ "/dev/usb",
+ "/dev/input",
 NULL
 };
@@ -295,7 +368,7 @@ static void dev_callback(char *ptr) {
 int i = 0;
 int found = 0;
 while (dev_skip[i]) {
- if (strcmp(ptr, dev_skip[i]) == 0) {
+ if (strncmp(ptr, dev_skip[i], strlen(dev_skip[i])) == 0) {
 found = 1;
 break;
 }
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index 0c1b57384..100630eb9 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
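Review bot: The new skip test in share_callback, `strncmp(ptr, share_skip[i], strlen(share_skip[i])) == 0`, is a bare prefix comparison, so an entry also hides every sibling whose name merely starts with it, and the same defect is introduced by the strcmp-to-strncmp change in the dev_callback hunk (`@@ -295,7 +368,7 @@`) of this file. With the dev table from the middle hunk, `/dev/tty` now also matches `/dev/tty0`, `/dev/ttyS0` or `/dev/ttyUSB0` and `/dev/fd` matches `/dev/fd0`; a traced access to such a device is then dropped from `share_out`/the dev list and the generated profile carries no whitelist line for it, although private-dev does not provide it, so the sandboxed program loses the device silently. Requiring a path-component boundary after the prefix avoids that: `size_t len = strlen(share_skip[i]);` followed by `if (strncmp(ptr, share_skip[i], len) == 0 && (ptr[len] == '\0' || ptr[len] == '/')) {`, and likewise for `dev_skip` in dev_callback. The `/dev/nvidia` and `/dev/video` entries appear to rely on the prefix behaviour to cover numbered devices, so if that is intended they would need explicit family handling (e.g. a separate prefix table) rather than the general loop. share_callback begins before this hunk and dev_callback's loop continues past the end of its hunk.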
@@ -160,24 +160,21 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 fprintf(fp, "### home directory whitelisting\n");
 build_home(trace_output, fp);
- fprintf(fp, "\n");
- fprintf(fp, "### filesystem\n");
- fprintf(fp, "### /usr/share:\n");
+ fprintf(fp, "\n### /usr/share:\n");
 build_share(trace_output, fp);
- fprintf(fp, "### /var:\n");
+ fprintf(fp, "\n### /var:\n");
 build_var(trace_output, fp);
- fprintf(fp, "### /bin:\n");
+ fprintf(fp, "\n### /bin:\n");
 build_bin(trace_output, fp);
- fprintf(fp, "### /dev:\n");
+ fprintf(fp, "\n### /dev:\n");
 build_dev(trace_output, fp);
- fprintf(fp, "### /etc:\n");
+ fprintf(fp, "\n### /etc:\n");
 build_etc(trace_output, fp);
- fprintf(fp, "### /tmp:\n");
+ fprintf(fp, "\n### /tmp:\n");
 build_tmp(trace_output, fp);
- fprintf(fp, "\n");
- fprintf(fp, "### security filters\n");
+ fprintf(fp, "\n### security filters\n");
 fprintf(fp, "caps.drop all\n");
 fprintf(fp, "nonewprivs\n");
 fprintf(fp, "seccomp\n");
@@ -189,13 +186,11 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
 fprintf(fp, "# Yama security module prevents creation of a whitelisted seccomp filter\n");
 else
 build_seccomp(strace_output, fp);
- fprintf(fp, "\n");
- fprintf(fp, "### network\n");
+ fprintf(fp, "\n### network\n");
 build_protocol(trace_output, fp);
- fprintf(fp, "\n");
- fprintf(fp, "### environment\n");
+ fprintf(fp, "\n### environment\n");
 fprintf(fp, "shell none\n");
 if (!arg_debug) {
--
cgit v1.2.3-70-g09d2