From a964e3b21e8d69142cc6f3c2275e59961a244a59 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Thu, 29 Jul 2021 18:20:35 -0400 Subject: removed dependency on strace for --build option; added seccomp by default for --build run --- src/fbuilder/build_home.c | 2 ++ src/fbuilder/build_profile.c | 51 ++++---------------------------------------- src/fbuilder/build_seccomp.c | 2 ++ src/firecfg/firecfg.config | 1 + 4 files changed, 9 insertions(+), 47 deletions(-) (limited to 'src') diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c index f283a0cce..c85474779 100644 --- a/src/fbuilder/build_home.c +++ b/src/fbuilder/build_home.c @@ -68,6 +68,8 @@ void process_home(const char *fname, char *home, int home_len) { ptr += 7; else if (strncmp(ptr, "open /home", 10) == 0) ptr += 5; + else if (strncmp(ptr, "opendir /home", 13) == 0) + ptr += 8; else continue; diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index 5df19f511..06a4d8517 100644 --- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c @@ -32,53 +32,25 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { } char trace_output[] = "/tmp/firejail-trace.XXXXXX"; - char strace_output[] = "/tmp/firejail-strace.XXXXXX"; - int tfile = mkstemp(trace_output); - int stfile = mkstemp(strace_output); - if(tfile == -1 || stfile == -1) + if(tfile == -1) errExit("mkstemp"); - - // close the files, firejail/strace will overwrite them! close(tfile); - close(stfile); - char *output; - char *stroutput; if(asprintf(&output,"--trace=%s",trace_output) == -1) errExit("asprintf"); - if(asprintf(&stroutput,"-o%s",strace_output) == -1) - errExit("asprintf"); char *cmdlist[] = { BINDIR "/firejail", "--quiet", "--noprofile", "--caps.drop=all", - "--nonewprivs", + "--seccomp", output, "--shell=none", - "/usr/bin/strace", // also used as a marker in build_profile() - "-c", - "-f", - stroutput, }; - // detect strace and check if Yama LSM allows us to use it - int have_strace = 0; - int have_yama_permission = 1; - if (access("/usr/bin/strace", X_OK) == 0) { - have_strace = 1; - FILE *ps = fopen("/proc/sys/kernel/yama/ptrace_scope", "r"); - if (ps) { - unsigned val; - if (fscanf(ps, "%u", &val) == 1) - have_yama_permission = (val < 2); - fclose(ps); - } - } - // calculate command length unsigned len = (int) sizeof(cmdlist) / sizeof(char*) + argc - index + 1; if (arg_debug) @@ -87,14 +59,9 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { cmd[0] = cmdlist[0]; // explicit assignment to clean scan-build error // build command - // skip strace if not installed, or no permission to use it - int skip_strace = !(have_strace && have_yama_permission); unsigned i = 0; - for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++) { - if (skip_strace && strcmp(cmdlist[i], "/usr/bin/strace") == 0) - break; + for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++) cmd[i] = cmdlist[i]; - } int i2 = index; for (; i < (len - 1); i++, i2++) @@ -180,14 +147,6 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { fprintf(fp, "#novideo\t# disable video capture devices\n"); build_protocol(trace_output, fp); fprintf(fp, "seccomp\n"); - if (!have_strace) { - fprintf(fp, "### If you install strace on your system, Firejail will also create a\n"); - fprintf(fp, "### whitelisted seccomp filter.\n"); - } - else if (!have_yama_permission) - fprintf(fp, "### Yama security module prevents creation of a whitelisted seccomp filter\n"); - else - build_seccomp(strace_output, fp); fprintf(fp, "shell none\n"); fprintf(fp, "tracelog\n"); fprintf(fp, "\n"); @@ -206,10 +165,8 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { fprintf(fp, "\n"); fprintf(fp, "#memory-deny-write-execute\n"); - if (!arg_debug) { + if (!arg_debug) unlink(trace_output); - unlink(strace_output); - } } else { fprintf(stderr, "Error: cannot run the sandbox\n"); diff --git a/src/fbuilder/build_seccomp.c b/src/fbuilder/build_seccomp.c index b3187227e..daf8d63ac 100644 --- a/src/fbuilder/build_seccomp.c +++ b/src/fbuilder/build_seccomp.c @@ -20,6 +20,7 @@ #include "fbuilder.h" +#if 0 void build_seccomp(const char *fname, FILE *fp) { assert(fname); assert(fp); @@ -78,6 +79,7 @@ void build_seccomp(const char *fname, FILE *fp) { fclose(fp2); } +#endif //*************************************** // protocol diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 046cb209a..3d05a86ef 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -94,6 +94,7 @@ bleachbit blender blender-2.8 bless +blobby blobwars bluefish bnox -- cgit v1.2.3-54-g00ecf