speed up blacklists

netblue30 · Sep 12, 2023 · eb5c971 · eb5c971
1 parent 8caf747
commit eb5c971
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 0 deletions.
diff --git a/etc/inc/disable-devel.inc b/etc/inc/disable-devel.inc
@@ -25,6 +25,7 @@ blacklist ${PATH}/patchview
 # packaging
 blacklist ${PATH}/dh_*
 blacklist ${PATH}/fakeroot*
+blacklist ${PATH}/lintian
 
 # expect
 blacklist ${PATH}/autoexpect

diff --git a/src/firejail/fs.c b/src/firejail/fs.c
@@ -281,6 +281,8 @@ void fs_blacklist(void) {
  if (!entry)
  return;
 
+ timetrace_start();
+
  size_t noblacklist_c = 0;
  size_t noblacklist_m = 32;
  char **noblacklist = calloc(noblacklist_m, sizeof(*noblacklist));
@@ -463,6 +465,8 @@ void fs_blacklist(void) {
  for (i = 0; i < noblacklist_c; i++)
  free(noblacklist[i]);
  free(noblacklist);
+
+ fmessage("Base filesystem installed in %0.2f ms\n", timetrace_end());
 }
 
 //***********************************************

diff --git a/src/firejail/paths.c b/src/firejail/paths.c
@@ -47,6 +47,16 @@ static void init_paths(void) {
  errExit("calloc");
  memset(paths, 0, path_cnt * sizeof(char *)); // get rid of false positive error from GCC static analyzer
 
+ // lots of distros set /bin as a symlink to /usr/bin;
+ // we remove /bin form the path to speed up path-based operations such as blacklist
+ int bin_symlink = 0;
+ p = realpath("/bin", NULL);
+ if (p) {
+ if (strcmp(p, "/usr/bin") == 0)
+ bin_symlink = 1;
+ }
+ free(p);
+
  // fill in 'paths' with pointers to elements of 'path'
  unsigned int i = 0, j;
  unsigned int len;
@@ -62,6 +72,14 @@ static void init_paths(void) {
  if (len == 0)
  goto skip;
 
+ //deal with /bin - /usr/bin symlink
+ if (bin_symlink > 0) {
+ if (strcmp(elt, "/bin") == 0 || strcmp(elt, "/usr/bin") == 0)
+ bin_symlink++;
+ if (bin_symlink == 3)
+ goto skip;
+ }
+
  // filter out duplicate entries
  for (j = 0; j < i; j++)
  if (strcmp(elt, paths[j]) == 0)