From 601068247adcb0f947c8098a1533de749accc02e Mon Sep 17 00:00:00 2001 From: startx2017 Date: Thu, 2 Nov 2017 09:12:08 -0400 Subject: fixing filesystem reporting for firetools --- src/firejail/fs_bin.c | 22 +++++++++++++++++++--- src/firejail/fs_dev.c | 4 ++++ src/firejail/fs_home.c | 5 +++++ src/firejail/fs_lib.c | 16 ++++++++++++++++ src/firejail/pulseaudio.c | 7 +++++++ 5 files changed, 51 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 6bd7ecd17..eaa7362cf 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c @@ -146,6 +146,19 @@ errexit: return 0; } +static void report_duplication(const char *fname) { + // report the file on all bin paths + int i = 0; + while (paths[i]) { + char *p; + if (asprintf(&p, "%s/%s", paths[i], fname) == -1) + errExit("asprintf"); + fs_logger2("clone", p); + free(p); + i++; + } +} + static void duplicate(char *fname, FILE *fplist) { assert(fname); @@ -193,17 +206,20 @@ static void duplicate(char *fname, FILE *fplist) { if (is_link(full_path)) { char *actual_path = realpath(full_path, NULL); if (actual_path) { - if (valid_full_path_file(actual_path)) + if (valid_full_path_file(actual_path)) { sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, actual_path, RUN_BIN_DIR); + char *f = strrchr(actual_path, '/'); + if (f && *(++f) !='\0') + report_duplication(f); + } free(actual_path); } } sbox_run(SBOX_ROOT| SBOX_SECCOMP, 3, PATH_FCOPY, full_path, RUN_BIN_DIR); } - - fs_logger2("clone", fname); free(full_path); + report_duplication(fname); } static void globbing(char *fname, FILE *fplist) { diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index 0dbbb65a0..d839a0786 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c @@ -131,6 +131,7 @@ static void create_char_dev(const char *path, mode_t mode, int major, int minor) if (chmod(path, mode) < 0) goto errexit; ASSERT_PERMS(path, 0, 0, mode); + fs_logger2("create", path); return; 
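Review bot: The new `report_duplication()` in fs_bin.c writes a "clone" entry for `fname` under every element of `paths[]`, and nothing in the hunk says why a file copied once is reported on all of them. If the reason is that the private bin directory ends up mounted over each of those paths, say so above the loop, for example `// the private bin directory replaces every entry of paths[], so the copy is visible under each one`. That reading is inferred from the loop and is not shown in the hunk.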
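Review bot: In `duplicate()` both `report_duplication(f)` in the symlink branch and `report_duplication(fname)` at the end run without looking at the result of the preceding `sbox_run(..., PATH_FCOPY, ...)`, so a failed copy is still logged as cloned. Going by the commit subject, this log is what firetools reports as the sandbox's filesystem, so an entry should be written only once the copy is known to have worked. That could be a check of `sbox_run`'s return value, if it carries the helper's exit status, or a `stat()` on the destination under `RUN_BIN_DIR`. The function starts above the hunk, so earlier exits are not visible here.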
@@ -144,6 +145,7 @@ static void create_link(const char *oldpath, const char *newpath) { goto errexit; if (chown(newpath, 0, 0) < 0) goto errexit; + fs_logger2("create", newpath); return; errexit: @@ -205,6 +207,7 @@ void fs_private_dev(void){ printf("Create /dev/shm directory\n"); mkdir_attr("/dev/shm", 01777, 0, 0); fs_logger("mkdir /dev/shm"); + fs_logger("create /dev/shm"); // create default devices create_char_dev("/dev/zero", 0666, 1, 5); // mknod -m 666 /dev/zero c 1 5 @@ -227,6 +230,7 @@ void fs_private_dev(void){ // pseudo-terminal mkdir_attr("/dev/pts", 0755, 0, 0); fs_logger("mkdir /dev/pts"); + fs_logger("create /dev/pts"); create_char_dev("/dev/pts/ptmx", 0666, 5, 2); //"mknod -m 666 /dev/pts/ptmx c 5 2"); fs_logger("mknod /dev/pts/ptmx"); create_link("/dev/pts/ptmx", "/dev/ptmx"); diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 6d3818ccb..5a39fab48 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c @@ -50,6 +50,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) { if (stat("/etc/skel/.zshrc", &s) == 0) { copy_file_as_user("/etc/skel/.zshrc", fname, u, g, 0644); // regular user fs_logger("clone /etc/skel/.zshrc"); + fs_logger2("clone", fname); } else { touch_file_as_user(fname, u, g, 0644); @@ -74,6 +75,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) { if (stat("/etc/skel/.cshrc", &s) == 0) { copy_file_as_user("/etc/skel/.cshrc", fname, u, g, 0644); // regular user fs_logger("clone /etc/skel/.cshrc"); + fs_logger2("clone", fname); } else { touch_file_as_user(fname, u, g, 0644); @@ -97,6 +99,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) { if (stat("/etc/skel/.bashrc", &s) == 0) { copy_file_as_user("/etc/skel/.bashrc", fname, u, g, 0644); // regular user fs_logger("clone /etc/skel/.bashrc"); + fs_logger2("clone", fname); } free(fname); } 
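Review bot: In `skel()` the three added `fs_logger2("clone", fname)` calls (the .zshrc, .cshrc and .bashrc hunks) sit directly after `fs_logger("clone /etc/skel/...")`, so the same "clone" verb tags the source path in one entry and the destination path in the next. A reader of the log cannot tell which of the two is the file that exists inside the sandbox. Either drop the older source-path entry or, if both are intended, add a comment such as `// the /etc/skel entry names the source, the fname entry the copy in the new home`. The `else` branches with `touch_file_as_user()` run past the hunk ends, so whether they log anything is not visible here.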
@@ -312,6 +315,7 @@ void fs_private(void) { if (chown(homedir, u, g) < 0) errExit("chown"); fs_logger2("mkdir", homedir); + fs_logger2("tmpfs", homedir); } skel(homedir, u, g); @@ -500,6 +504,7 @@ void fs_private_home_list(void) { if (mount(RUN_HOME_DIR, homedir, NULL, MS_BIND|MS_REC, NULL) < 0) errExit("mount bind"); + fs_logger2("tmpfs", homedir); if (uid != 0) { // mask /root diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c index 18739c554..56a66742a 100644 --- a/src/firejail/fs_lib.c +++ b/src/firejail/fs_lib.c @@ -43,6 +43,21 @@ extern void fslib_install_system(void); static int lib_cnt = 0; static int dir_cnt = 0; +static void report_duplication(const char *full_path) { + char *fname = strrchr(full_path, '/'); + if (fname && *(++fname) != '\0') { + // report the file on all bin paths + int i = 0; + while (lib_paths[i]) { + char *p; + if (asprintf(&p, "%s/%s", lib_paths[i], fname) == -1) + errExit("asprintf"); + fs_logger2("clone", p); + free(p); + i++; + } + } +} static char *build_dest_dir(const char *full_path) { assert(full_path); @@ -81,6 +96,7 @@ void fslib_duplicate(const char *full_path) { printf("copying %s to private %s\n", full_path, dest_dir); sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, dest_dir); + report_duplication(full_path); lib_cnt++; } diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index 2f8cd5f7d..6768b525b 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c @@ -147,6 +147,7 @@ void pulseaudio_init(void) { } // wait for the child to finish waitpid(child, NULL, 0); + fs_logger2("create", dir1); } else { // make sure the directory is owned by the user @@ -179,6 +180,7 @@ void pulseaudio_init(void) { } // wait for the child to finish waitpid(child, NULL, 0); + fs_logger2("create", dir1); } else { // make sure the directory is owned by the user 
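Review bot: In `fs_private_home_list()` the added `fs_logger2("tmpfs", homedir)` follows `mount(RUN_HOME_DIR, homedir, NULL, MS_BIND|MS_REC, NULL)`, which is a bind mount, so the log names a filesystem type that this call does not create. The `fs_private()` hunk adds the same label right after `fs_logger2("mkdir", homedir)`, with its mount call outside the hunk. If "tmpfs" is the keyword the log consumer uses for a replaced home directory, state that at the call, e.g. `// logged as "tmpfs" so the log reader treats homedir as replaced; the mount here is a bind of RUN_HOME_DIR`.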
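Review bot: The comment in fs_lib.c's `report_duplication()` still reads `// report the file on all bin paths` although the loop walks `lib_paths`; it should read `// report the file on all lib paths`. The result of `strrchr(full_path, '/')` is stored in a plain `char *` while `full_path` is `const char *`, so `const char *fname = strrchr(full_path, '/');` keeps the qualifier. This static function shares its name with the one added to fs_bin.c but takes a full path instead of a file name, which is easy to misread when moving between the two files.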
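Review bot: In `pulseaudio_init()` the added `fs_logger2("create", dir1)` is written after `waitpid(child, NULL, 0)`, which discards the child's exit status, so the path is logged as created even when the child failed. Capturing the status fixes that: `int status; waitpid(child, &status, 0);` followed by `if (WIFEXITED(status) && WEXITSTATUS(status) == 0) fs_logger2("create", dir1);`. The same applies to the second pulseaudio.c hunk at line 180. Both `if` bodies begin above their hunks, so what the child does is not visible here.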
@@ -199,6 +201,11 @@ void pulseaudio_init(void) { mount(NULL, homeusercfg, NULL, MS_NOEXEC|MS_NODEV|MS_NOSUID|MS_BIND|MS_REMOUNT, NULL) < 0) errExit("mount pulseaudio"); fs_logger2("tmpfs", homeusercfg); + char *p; + if (asprintf(&p, "%s/client.conf", homeusercfg) == -1) + errExit("asprintf"); + fs_logger2("create", p); + free(p); } else { // set environment -- cgit v1.2.3-70-g09d2
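Review bot: The added block logs `client.conf` under `homeusercfg` as created, but the hunk contains no step that writes that file; only the remount of `homeusercfg` is visible. A one-line comment saying where the file comes from would make the entry checkable, e.g. `// client.conf was written into the directory mounted on homeusercfg earlier in this function`, if that is the case. `char *p` would also read better with a name such as `conf_path`.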