From cbbc90381b41156c16bcb30934a10c843c8298c0 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Tue, 19 Sep 2017 09:47:26 -0400
Subject: add private-bin support to profile builder
---
 src/fbuilder/build_bin.c | 121 +++++++++++++++++++++++++++++++++++++++++++
 src/fbuilder/build_profile.c | 4 +-
 src/fbuilder/fbuilder.h | 3 ++
 3 files changed, 126 insertions(+), 2 deletions(-)
 create mode 100644 src/fbuilder/build_bin.c
(limited to 'src/fbuilder')
diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c
new file mode 100644
index 000000000..7d0e2cb7c
--- /dev/null
+++ b/src/fbuilder/build_bin.c
@@ -0,0 +1,121 @@
+/*
+ * Copyright (C) 2014-2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "fbuilder.h"
+
+static FileDB *bin_out = NULL;
+
+static void process_bin(const char *fname) {
+ assert(fname);
+
+ // process trace file
+ FILE *fp = fopen(fname, "r");
+ if (!fp) {
+ fprintf(stderr, "Error: cannot open %s\n", fname);
+ exit(1);
+ }
+
+ char buf[MAX_BUF];
+ while (fgets(buf, MAX_BUF, fp)) {
+ // remove \n
+ char *ptr = strchr(buf, '\n');
+ if (ptr)
+ *ptr = '\0';
+
+ // parse line: 4:galculator:access /etc/fonts/conf.d:0
+ // number followed by :
+ ptr = buf;
+ if (!isdigit(*ptr))
+ continue;
+ while (isdigit(*ptr))
+ ptr++;
+ if (*ptr != ':')
+ continue;
+ ptr++;
+
+ // next :
+ ptr = strchr(ptr, ':');
+ if (!ptr)
+ continue;
+ ptr++;
+ if (strncmp(ptr, "exec ", 5) == 0)
+ ptr += 5;
+ else
+ continue;
+ if (strncmp(ptr, "/bin/", 5) == 0)
+ ptr += 5;
+ else if (strncmp(ptr, "/sbin/", 6) == 0)
+ ptr += 6;
+ else if (strncmp(ptr, "/usr/bin/", 9) == 0)
+ ptr += 9;
+ else if (strncmp(ptr, "/usr/sbin/", 10) == 0)
+ ptr += 10;
+ else if (strncmp(ptr, "/usr/local/bin/", 15) == 0)
+ ptr += 15;
+ else if (strncmp(ptr, "/usr/local/sbin/", 16) == 0)
+ ptr += 16;
+ else if (strncmp(ptr, "/usr/games/", 11) == 0)
+ ptr += 12;
+ else if (strncmp(ptr, "/usr/local/games/", 17) == 0)
+ ptr += 17;
+ else
+ continue;
+
+ // end of filename
+ char *ptr2 = strchr(ptr, ':');
+ if (!ptr2)
+ continue;
+ *ptr2 = '\0';
+
+ bin_out = filedb_add(bin_out, ptr);
+ }
+
+ fclose(fp);
+}
+
+
+// process fname, fname.1, fname.2, fname.3, fname.4, fname.5
+void build_bin(const char *fname) {
+ assert(fname);
+
+ // run fname
+ process_bin(fname);
+
+ // run all the rest
+ struct stat s;
+ int i;
+ for (i = 1; i <= 5; i++) {
+ char *newname;
+ if (asprintf(&newname, "%s.%d", fname, i) == -1)
+ errExit("asprintf");
+ if (stat(newname, &s) == 0)
+ process_bin(newname);
+ free(newname);
+ }
+
+ if (bin_out) {
+ printf("# private-bin ");
+ FileDB *ptr = bin_out;
+ while (ptr) {
+ printf("%s,", ptr->fname);
+ ptr = ptr->next;
+ }
+ printf("\n");
+ }
+}
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index 5fca22648..3f5fe48ca 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -33,6 +33,7 @@ static char *cmdlist[] = {
 "--caps.drop=all",
 "--nonewprivs",
 "--trace",
+ "--shell=none",
 "/usr/bin/strace", // also used as a marker in build_profile()
 "-c",
 "-f",
@@ -56,8 +57,6 @@ static void clear_tmp_files(void) {
 }
 void build_profile(int argc, char **argv, int index) {
- unlink("/tmp/strace-output");
-
 // next index is the application name
 if (index >= argc) {
 fprintf(stderr, "Error: application name missing\n");
@@ -136,6 +135,7 @@ void build_profile(int argc, char **argv, int index) {
 build_dev(TRACE_OUTPUT);
 build_etc(TRACE_OUTPUT);
 build_var(TRACE_OUTPUT);
+ build_bin(TRACE_OUTPUT);
 printf("\n");
 printf("### security filters\n");
diff --git a/src/fbuilder/fbuilder.h b/src/fbuilder/fbuilder.h
index a9049ea2d..c448f3e06 100644
--- a/src/fbuilder/fbuilder.h
+++ b/src/fbuilder/fbuilder.h
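Review bot: The `/usr/games/` branch in process_bin() matches an 11-character prefix but then advances by 12, so the first character of every program name under /usr/games/ is dropped from the generated private-bin list; change `ptr += 12;` to `ptr += 11;` so it matches the prefix length like every other branch. Two smaller points in the same hunk: `isdigit(*ptr)` is called on a plain `char`, which is undefined for negative values where `char` is signed, so write `isdigit((unsigned char)*ptr)` in both places; and the `printf("%s,", ptr->fname)` loop in build_bin() always leaves a trailing comma on the emitted `# private-bin` line, which I cannot confirm from here is accepted once a user uncomments it, so it is worth either documenting in the header comment or dropping on the last element. The trace file this parses is the output of an earlier strace run, so a defensive note at the top of process_bin(), `// trace lines are parsed leniently: anything not matching N:name:exec /dir/prog: is skipped`, would help the next reader.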
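Review bot: With `unlink("/tmp/strace-output")` removed from the start of build_profile(), nothing in this hunk shows that the trace file is cleared before the traced run starts, so a stale or pre-existing file at that path in the shared /tmp would be read by build_bin() and the other build_* passes and could seed the generated profile; presumably clear_tmp_files(), whose closing brace is the first context line here, now owns that unlink, but the hunk does not show where it is called. A one-line comment at the removal site, `// trace output is reset by clear_tmp_files() before strace runs`, or an explicit call to it before the command is launched, would make the intent verifiable. The body of build_profile() continues outside the hunk.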
@@ -44,6 +44,9 @@ void build_var(const char *fname);
 void build_tmp(const char *fname);
 void build_dev(const char *fname);
+// build_bin.c
+void build_bin(const char *fname);
+
 // build_home.c
 void build_home(const char *fname);
--
cgit v1.2.3-54-g00ecf