From 8ce3b7ab971d6ab02463fd6c7591a73465526cb1 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 28 Aug 2018 13:04:13 -0400 Subject: fbuider cleanup --- src/fbuilder/build_bin.c | 37 ++++++---------- src/fbuilder/build_fs.c | 101 ++++++++++++++++++------------------------- src/fbuilder/build_home.c | 38 +++++++--------- src/fbuilder/build_profile.c | 36 +++++++-------- src/fbuilder/build_seccomp.c | 23 ++++------ src/fbuilder/fbuilder.h | 20 ++++----- 6 files changed, 104 insertions(+), 151 deletions(-) (limited to 'src') diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c index 1b9343216..1230fb780 100644 --- a/src/fbuilder/build_bin.c +++ b/src/fbuilder/build_bin.c @@ -21,16 +21,15 @@ static FileDB *bin_out = NULL; -static void process_bin(char *fname, FILE *fp) { +static void process_bin(const char *fname) { assert(fname); - assert(fp); // process trace file - /* FILE *fp = fdopen(fd, "r"); */ - /* if (!fp) { */ - /* fprintf(stderr, "Error: cannot open %s\n", fname); */ - /* exit(1); */ - /* } */ + FILE *fp = fopen(fname, "r"); + if (!fp) { + fprintf(stderr, "Error: cannot open %s\n", fname); + exit(1); + } char buf[MAX_BUF]; while (fgets(buf, MAX_BUF, fp)) { @@ -91,18 +90,16 @@ static void process_bin(char *fname, FILE *fp) { bin_out = filedb_add(bin_out, ptr); } - /* fclose(fp); */ + fclose(fp); } // process fname, fname.1, fname.2, fname.3, fname.4, fname.5 -void build_bin(char *fname, FILE *fp, FILE *fpo) { +void build_bin(const char *fname, FILE *fp) { assert(fname); - assert(fp); - assert(fpo); // run fname - process_bin(fname, fp); + process_bin(fname); // run all the rest struct stat s; 
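Review bot: `assert(fp);` is dropped from build_bin along with the removed `fpo` parameter, but `fp` is still the stream the function writes the profile to (`fprintf(fp, "private-bin ")` in the next hunk), so the precondition is not obsolete; keep `assert(fp);` right after `assert(fname);`. build_seccomp in build_seccomp.c keeps its `assert(fp);`, so the builders end up inconsistent: the same drop is made in build_etc, build_var, build_share, build_tmp and build_dev (build_fs.c), build_home (build_home.c) and build_protocol (build_seccomp.c). build_bin's body continues past this hunk.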
@@ -112,24 +109,18 @@ void build_bin(char *fname, FILE *fp, FILE *fpo) { if (asprintf(&newname, "%s.%d", fname, i) == -1) errExit("asprintf"); if (stat(newname, &s) == 0) - { - int nfd = open(newname, O_RDONLY); - FILE *nfp = fdopen(nfd, "r"); - process_bin(newname, nfp); - fclose(nfp); - unlink(newname); - } + process_bin(newname); free(newname); } if (bin_out) { - fprintf(fpo, "private-bin "); + fprintf(fp, "private-bin "); FileDB *ptr = bin_out; while (ptr) { - fprintf(fpo, "%s,", ptr->fname); + fprintf(fp, "%s,", ptr->fname); ptr = ptr->next; } - fprintf(fpo, "\n"); - fprintf(fpo, "# private-lib\n"); + fprintf(fp, "\n"); + fprintf(fp, "# private-lib\n"); } } diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c index 2d63c6fb9..771dc94cb 100644 --- a/src/fbuilder/build_fs.c +++ b/src/fbuilder/build_fs.c @@ -21,20 +21,19 @@ #include "fbuilder.h" // common file processing function, using the callback for each line in the file -static void process_file(char *fname, FILE *fp, const char *dir, void (*callback)(char *)) { +static void process_file(const char *fname, const char *dir, void (*callback)(char *)) { assert(fname); - assert(fp); assert(dir); assert(callback); int dir_len = strlen(dir); // process trace file - /* FILE *fp = fdopen(fd, "r"); */ - /* if (!fp) { */ - /* fprintf(stderr, "Error: cannot open %s\n", fname); */ - /* exit(1); */ - /* } */ + FILE *fp = fopen(fname, "r"); + if (!fp) { + fprintf(stderr, "Error: cannot open %s\n", fname); + exit(1); + } char buf[MAX_BUF]; while (fgets(buf, MAX_BUF, fp)) { 
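Review bot: The rotated trace files are no longer removed: the replaced block used to `unlink(newname)` after processing `fname.1`…`fname.5`, the new `process_bin(newname);` line only reads them, and build_profile.c (its last hunk) still unlinks just `trace_output` and `strace_output`, so the `.1`–`.5` files stay behind in the temp directory after every run. The same removal is in process_files (build_fs.c @@ -103), build_home (build_home.c @@ -186) and build_protocol (build_seccomp.c @@ -159). Taking the unlink out of the individual builders is right in itself — build_home runs first and used to delete the rotations before build_tmp and the others could read them — but the cleanup then has to move into build_profile next to `unlink(trace_output);`, for example:
```c
	unlink(trace_output);
	unlink(strace_output);
	// the builders also read trace_output.1 .. trace_output.5; remove those too
	for (int i = 1; i <= 5; i++) {
		char *rotated;
		if (asprintf(&rotated, "%s.%d", trace_output, i) == -1)
			errExit("asprintf");
		unlink(rotated);
		free(rotated);
	}
```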
@@ -83,18 +82,17 @@ static void process_file(char *fname, FILE *fp, const char *dir, void (*callback callback(ptr); } - /* fclose(fp); */ + fclose(fp); } // process fname, fname.1, fname.2, fname.3, fname.4, fname.5 -static void process_files(char *fname, FILE *fp, const char *dir, void (*callback)(char *)) { +static void process_files(const char *fname, const char *dir, void (*callback)(char *)) { assert(fname); - assert(fp); assert(dir); assert(callback); // run fname - process_file(fname, fp, dir, callback); + process_file(fname, dir, callback); // run all the rest struct stat s; @@ -103,13 +101,8 @@ static void process_files(char *fname, FILE *fp, const char *dir, void (*callbac char *newname; if (asprintf(&newname, "%s.%d", fname, i) == -1) errExit("asprintf"); - if (stat(newname, &s) == 0) { - int nfd = open(newname, O_RDONLY); - FILE *nfp = fdopen(nfd, "r"); - process_file(newname, nfp, dir, callback); - fclose(nfp); - unlink(newname); - } + if (stat(newname, &s) == 0) + process_file(newname, dir, callback); free(newname); } } @@ -132,23 +125,21 @@ static void etc_callback(char *ptr) { etc_out = filedb_add(etc_out, ptr); } -void build_etc(char *fname, FILE *fp, FILE *fpo) { +void build_etc(const char *fname, FILE *fp) { assert(fname); - assert(fp); - assert(fpo); - process_files(fname, fp, "/etc", etc_callback); + process_files(fname, "/etc", etc_callback); - fprintf(fpo, "private-etc "); + fprintf(fp, "private-etc "); if (etc_out == NULL) - fprintf(fpo, "none\n"); + fprintf(fp, "none\n"); else { FileDB *ptr = etc_out; while (ptr) { - fprintf(fpo, "%s,", ptr->fname); + fprintf(fp, "%s,", ptr->fname); ptr = ptr->next; } - fprintf(fpo, "\n"); + fprintf(fp, "\n"); } } 
@@ -169,17 +160,15 @@ static void var_callback(char *ptr) { var_out = filedb_add(var_out, ptr); } -void build_var(char *fname, FILE *fp, FILE *fpo) { +void build_var(const char *fname, FILE *fp) { assert(fname); - assert(fp); - assert(fpo); - process_files(fname, fp, "/var", var_callback); + process_files(fname, "/var", var_callback); if (var_out == NULL) - fprintf(fpo, "blacklist /var\n"); + fprintf(fp, "blacklist /var\n"); else - filedb_print(var_out, "whitelist ", fpo); + filedb_print(var_out, "whitelist ", fp); } @@ -208,17 +197,15 @@ static void share_callback(char *ptr) { share_out = filedb_add(share_out, ptr); } -void build_share(char *fname, FILE *fp, FILE *fpo) { +void build_share(const char *fname, FILE *fp) { assert(fname); - assert(fp); - assert(fpo); - process_files(fname, fp, "/usr/share", share_callback); + process_files(fname, "/usr/share", share_callback); if (share_out == NULL) - fprintf(fpo, "blacklist /usr/share\n"); + fprintf(fp, "blacklist /usr/share\n"); else - filedb_print(share_out, "whitelist ", fpo); + filedb_print(share_out, "whitelist ", fp); } //******************************************* @@ -229,23 +216,21 @@ static void tmp_callback(char *ptr) { filedb_add(tmp_out, ptr); } -void build_tmp(char *fname, FILE *fp, FILE *fpo) { +void build_tmp(const char *fname, FILE *fp) { assert(fname); - assert(fp); - assert(fpo); - process_files(fname, fp, "/tmp", tmp_callback); + process_files(fname, "/tmp", tmp_callback); if (tmp_out == NULL) - fprintf(fpo, "private-tmp\n"); + fprintf(fp, "private-tmp\n"); else { - fprintf(fpo, "\n"); - fprintf(fpo, "# private-tmp\n"); - fprintf(fpo, "# File accessed in /tmp directory:\n"); - fprintf(fpo, "# "); + fprintf(fp, "\n"); + fprintf(fp, "# private-tmp\n"); + fprintf(fp, "# File accessed in /tmp directory:\n"); + fprintf(fp, "# "); FileDB *ptr = tmp_out; while (ptr) { - fprintf(fpo, "%s,", ptr->fname); + fprintf(fp, "%s,", ptr->fname); ptr = ptr->next; } printf("\n"); 
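Review bot: In build_tmp the list of /tmp files is terminated with `printf("\n");` (the context line after the `while` loop), which goes to stdout while every other line of that block is written to `fp`; build_dev in the next hunk ends the same kind of list with `fprintf(fp, "\n");`, so this one should read `fprintf(fp, "\n");` as well. Separately, the hunk's first context line shows tmp_callback calling `filedb_add(tmp_out, ptr);` and discarding the return value, unlike `etc_out = filedb_add(etc_out, ptr);` in etc_callback and `var_out = filedb_add(var_out, ptr);` in var_callback; unless filedb_add records the head somewhere not visible here, `tmp_out` stays NULL and the `private-tmp` branch is emitted no matter what the trace recorded. dev_callback in the following hunk (@@ -309) has the same `filedb_add(dev_out, ptr);` shape and would need the same `dev_out = ` assignment.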
@@ -309,26 +294,24 @@ static void dev_callback(char *ptr) { filedb_add(dev_out, ptr); } -void build_dev(char *fname, FILE *fp, FILE *fpo) { +void build_dev(const char *fname, FILE *fp) { assert(fname); - assert(fp); - assert(fpo); - process_files(fname, fp, "/dev", dev_callback); + process_files(fname, "/dev", dev_callback); if (dev_out == NULL) - fprintf(fpo, "private-dev\n"); + fprintf(fp, "private-dev\n"); else { - fprintf(fpo, "\n"); - fprintf(fpo, "# private-dev\n"); - fprintf(fpo, "# This is the list of devices accessed (on top of regular private-dev devices:\n"); - fprintf(fpo, "# "); + fprintf(fp, "\n"); + fprintf(fp, "# private-dev\n"); + fprintf(fp, "# This is the list of devices accessed (on top of regular private-dev devices:\n"); + fprintf(fp, "# "); FileDB *ptr = dev_out; while (ptr) { - fprintf(fpo, "%s,", ptr->fname); + fprintf(fp, "%s,", ptr->fname); ptr = ptr->next; } - fprintf(fpo, "\n"); + fprintf(fp, "\n"); } } diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c index b582b89bf..7470a8d10 100644 --- a/src/fbuilder/build_home.c +++ b/src/fbuilder/build_home.c @@ -47,18 +47,17 @@ static void load_whitelist_common(void) { fclose(fp); } -void process_home(char *fname, FILE *fp, char *home, int home_len) { +void process_home(const char *fname, char *home, int home_len) { assert(fname); - assert(fp); assert(home); assert(home_len); // process trace file - /* FILE *fp = fdopen(fd, "r"); */ - /* if (!fp) { */ - /* fprintf(stderr, "Error: cannot open %s\n", fname); */ - /* exit(1); */ - /* } */ + FILE *fp = fopen(fname, "r"); + if (!fp) { + fprintf(stderr, "Error: cannot open %s\n", fname); + exit(1); + } char buf[MAX_BUF]; while (fgets(buf, MAX_BUF, fp)) { 
@@ -154,15 +153,13 @@ void process_home(char *fname, FILE *fp, char *home, int home_len) { free(dir); } - /* fclose(fp); */ + fclose(fp); } // process fname, fname.1, fname.2, fname.3, fname.4, fname.5 -void build_home(char *fname, FILE *fp, FILE *fpo) { +void build_home(const char *fname, FILE *fp) { assert(fname); - assert(fp); - assert(fpo); // load whitelist common load_whitelist_common(); @@ -177,7 +174,7 @@ void build_home(char *fname, FILE *fp, FILE *fpo) { int home_len = strlen(home); // run fname - process_home(fname, fp, home, home_len); + process_home(fname, home, home_len); // run all the rest struct stat s; @@ -186,22 +183,17 @@ void build_home(char *fname, FILE *fp, FILE *fpo) { char *newname; if (asprintf(&newname, "%s.%d", fname, i) == -1) errExit("asprintf"); - if (stat(newname, &s) == 0) { - int nfd = open(newname, O_RDONLY); - FILE *nfp = fdopen(nfd, "r"); - process_home(newname, nfp, home, home_len); - fclose(nfp); - unlink(newname); - } + if (stat(newname, &s) == 0) + process_home(newname, home, home_len); free(newname); } // print the out list if any if (db_out) { - filedb_print(db_out, "whitelist ~/", fpo); - fprintf(fpo, "include /etc/firejail/whitelist-common.inc\n"); + filedb_print(db_out, "whitelist ~/", fp); + fprintf(fp, "include /etc/firejail/whitelist-common.inc\n"); } else - fprintf(fpo, "private\n"); + fprintf(fp, "private\n"); -} +} \ No newline at end of file diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index 79de7063f..74f0da226 100644 --- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c 
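Review bot: The closing `}` of build_home is now followed by `\ No newline at end of file`, so the commit drops the trailing newline from build_home.c; fbuilder.h's `#endif` loses it in the same way in the last hunk. Restore the final newline in both files, otherwise the next edit to either one will show a spurious `-}`/`+}` pair.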
@@ -51,25 +51,20 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { int tfile = mkstemp(trace_output); int stfile = mkstemp(strace_output); - if(tfile == -1 || stfile == -1) - errExit("mkstemp"); + errExit("mkstemp"); - FILE *tp = fdopen(tfile, "r"); + // close the files, firejail/strace will overwrite them! + close(tfile); + close(stfile); - if (!tp) { - fprintf(stderr, "Error: cannot open %s\n", trace_output); - exit(1); - } char *output; char *stroutput; - if(asprintf(&output,"--output=%s",trace_output) == -1) - errExit("asprintf"); - + errExit("asprintf"); if(asprintf(&stroutput,"-o %s",strace_output) == -1) - errExit("asprintf"); + errExit("asprintf"); char *cmdlist[] = { "/usr/bin/firejail", @@ -151,16 +146,16 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { fprintf(fp, "\n"); fprintf(fp, "### home directory whitelisting\n"); - build_home(trace_output, tp, fp); + build_home(trace_output, fp); fprintf(fp, "\n"); fprintf(fp, "### filesystem\n"); - build_tmp(trace_output, tp, fp); - build_dev(trace_output, tp, fp); - build_etc(trace_output, tp, fp); - build_var(trace_output, tp, fp); - build_bin(trace_output, tp, fp); - build_share(trace_output, tp, fp); + build_tmp(trace_output, fp); + build_dev(trace_output, fp); + build_etc(trace_output, fp); + build_var(trace_output, fp); + build_bin(trace_output, fp); + build_share(trace_output, fp); fprintf(fp, "\n"); fprintf(fp, "### security filters\n"); @@ -168,7 +163,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { fprintf(fp, "nonewprivs\n"); fprintf(fp, "seccomp\n"); if (have_strace) - build_seccomp(strace_output, stfile, fp); + build_seccomp(strace_output, fp); else { fprintf(fp, "# If you install strace on your system, Firejail will also create a\n"); fprintf(fp, "# whitelisted seccomp filter.\n"); 
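Review bot: Closing the mkstemp descriptors immediately (`close(tfile); close(stfile);`) gives up the one property mkstemp provided — that the file fbuilder later parses is the file it created: from here on the trace and strace outputs are reached by name only, first by the firejail/strace run that writes them (`--output=%s`, `-o %s`) and then by the `fopen(fname, "r")` calls in the builders. Since the paths sit in a shared temp directory and are written from inside the traced run, the builders should at least confirm before parsing that what they opened is still a regular file (`fstat` on `fileno(fp)` and `S_ISREG`), or open with `O_NOFOLLOW` and `fdopen` the descriptor. The two `close()` results are unchecked, which is harmless for read-only descriptors. As rendered here the `if(tfile == -1 || stfile == -1)` line appears removed with `errExit("mkstemp")` re-added unconditionally; presumably that is a display artifact of a whitespace-only change, but it is worth confirming against the file.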
@@ -176,13 +171,12 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { fprintf(fp, "\n"); fprintf(fp, "### network\n"); - build_protocol(trace_output, tfile, fp); + build_protocol(trace_output, fp); fprintf(fp, "\n"); fprintf(fp, "### environment\n"); fprintf(fp, "shell none\n"); - fclose(tp); unlink(trace_output); unlink(strace_output); diff --git a/src/fbuilder/build_seccomp.c b/src/fbuilder/build_seccomp.c index 64bcac586..fbc0e06f4 100644 --- a/src/fbuilder/build_seccomp.c +++ b/src/fbuilder/build_seccomp.c @@ -20,12 +20,11 @@ #include "fbuilder.h" -void build_seccomp(char *fname, int fd, FILE *fp) { +void build_seccomp(const char *fname, FILE *fp) { assert(fname); - assert(fd); assert(fp); - FILE *fp2 = fdopen(fd, "r"); + FILE *fp2 = fopen(fname, "r"); if (!fp2) { fprintf(stderr, "Error: cannot open %s\n", fname); exit(1); @@ -88,12 +87,11 @@ int inet = 0; int inet6 = 0; int netlink = 0; int packet = 0; -static void process_protocol(char *fname, int fd) { +static void process_protocol(const char *fname) { assert(fname); - assert(fd); // process trace file - FILE *fp = fdopen(fd, "r"); + FILE *fp = fopen(fname, "r"); if (!fp) { fprintf(stderr, "Error: cannot open %s\n", fname); exit(1); @@ -144,13 +142,11 @@ static void process_protocol(char *fname, int fd) { // process fname, fname.1, fname.2, fname.3, fname.4, fname.5 -void build_protocol(char *fname, int fd, FILE *fp) { +void build_protocol(const char *fname, FILE *fp) { assert(fname); - assert(fd); - assert(fp); // run fname - process_protocol(fname, fd); + process_protocol(fname); // run all the rest struct stat s; @@ -159,11 +155,8 @@ void build_protocol(char *fname, int fd, FILE *fp) { char *newname; if (asprintf(&newname, "%s.%d", fname, i) == -1) errExit("asprintf"); - if (stat(newname, &s) == 0) { - int nfd = open(newname, O_RDONLY); - process_protocol(newname, nfd); - unlink(newname); - } + if (stat(newname, &s) == 0) + process_protocol(newname); free(newname); } 
diff --git a/src/fbuilder/fbuilder.h b/src/fbuilder/fbuilder.h index 480569027..f0d16eb26 100644 --- a/src/fbuilder/fbuilder.h +++ b/src/fbuilder/fbuilder.h @@ -36,21 +36,21 @@ extern int arg_debug; void build_profile(int argc, char **argv, int index, FILE *fp); // build_seccomp.c -void build_seccomp(char *fname, int fd, FILE *fp); -void build_protocol(char *fname, int fd, FILE *fp); +void build_seccomp(const char *fname, FILE *fp); +void build_protocol(const char *fname, FILE *fp); // build_fs.c -void build_etc(char *fname, FILE *fp, FILE *fpo); -void build_var(char *fname, FILE *fp, FILE *fpo); -void build_tmp(char *fname, FILE *fp, FILE *fpo); -void build_dev(char *fname, FILE *fp, FILE *fpo); -void build_share(char *fname, FILE *fp, FILE *fpo); +void build_etc(const char *fname, FILE *fp); +void build_var(const char *fname, FILE *fp); +void build_tmp(const char *fname, FILE *fp); +void build_dev(const char *fname, FILE *fp); +void build_share(const char *fname, FILE *fp); // build_bin.c -void build_bin(char *fname, FILE *fp, FILE *fpo); +void build_bin(const char *fname, FILE *fp); // build_home.c -void build_home(char *fname, FILE *fp, FILE *fpo); +void build_home(const char *fname, FILE *fp); // utils.c int is_dir(const char *fname); @@ -67,4 +67,4 @@ FileDB *filedb_add(FileDB *head, const char *fname); FileDB *filedb_find(FileDB *head, const char *fname); void filedb_print(FileDB *head, const char *prefix, FILE *fp); -#endif +#endif \ No newline at end of file -- cgit v1.2.3-70-g09d2
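Review bot: The new prototypes move the opening of the trace file into the callee, but the header says nothing about it: from `const char *fname, FILE *fp` a caller cannot tell that `fname` is opened and closed by the builder (together with `fname.1`…`fname.5`, per the comments in the .c files) and that `fp` is the profile being written, not the trace. A one-line comment above the build_* group, `// fname: trace file opened by the callee (plus rotations fname.1..fname.5); fp: profile output stream`, would make that contract visible at the declaration. build_seccomp appears to read `fname` once without a rotation loop in its hunk, which the comment could note as the exception.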