various clarifications, minor fixes

author: smitsohu <smitsohu@gmail.com> 2019-09-22 13:18:23 +0200
committer: smitsohu <smitsohu@gmail.com> 2019-09-22 13:18:23 +0200
commit: f82d9344dcef51a7306bbe718369b0015922e4f3 (patch)
tree: 28a8a07990d244c6797673973085fe839d0de2c1
parent: apparmor: permit writing to trace file (diff)
download: firejail-f82d9344dcef51a7306bbe718369b0015922e4f3.tar.gz
firejail-f82d9344dcef51a7306bbe718369b0015922e4f3.tar.zst
firejail-f82d9344dcef51a7306bbe718369b0015922e4f3.zip
7 files changed, 32 insertions, 27 deletions
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index 1da765d8f..e886e81da 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -137,7 +137,7 @@ void appimage_set(const char *appimage) {
                errExit("setenv");
        if (size != 0 && setenv("ARGV0", appimage, 1) < 0)
                errExit("setenv");
-        if (setenv("OWD", cfg.cwd, 1) < 0)
+        if (cfg.cwd && setenv("OWD", cfg.cwd, 1) < 0)
                errExit("setenv");
        // build new command line
diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c
index 42e160dec..162f5dbec 100644
--- a/src/firejail/mountinfo.c
+++ b/src/firejail/mountinfo.c
@@ -225,9 +225,9 @@ char **build_mount_array(const int mount_id, const char *path) {
                exit(1);
        }
        do {
+                parse_line(buf, &mntp);
                // find mount point with mount id
                if (!found) {
-                        parse_line(buf, &mntp);
                        if (mntp.mountid == mount_id) {
                                // give up if mount id has been reassigned,
                                // don't remount blacklisted path
@@ -236,19 +236,17 @@ char **build_mount_array(const int mount_id, const char *path) {
                                    strstr(mntp.fsname, "firejail.ro.file"))
                                            break;
-                                rv[0] = strdup(path);
+                                rv[cnt] = strdup(path);
-                                if (rv[0] == NULL)
+                                if (rv[cnt] == NULL)
                                        errExit("strdup");
                                cnt++;
                                found = 1;
                                continue;
                        }
-                        else
+                        continue;
-                                continue;
                }
                // from here on add all mount points below path,
                // don't remount blacklisted paths
-                parse_line(buf, &mntp);
                if (strncmp(mntp.dir, path, pathlen) == 0 &&
                    mntp.dir[pathlen] == '/' &&
                    strstr(mntp.fsname, "firejail.ro.dir") == NULL &&
diff --git a/src/firejail/network.c b/src/firejail/network.c
index 3e6b9d29d..93249a29b 100644
--- a/src/firejail/network.c
+++ b/src/firejail/network.c
@@ -229,7 +229,7 @@ uint32_t network_get_defaultgw(void) {
                        continue;
                char *ptr = buf;
-                while (*ptr != ' ' && *ptr != '\t')
+                while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0')
                        ptr++;
                while (*ptr == ' ' || *ptr == '\t')
                        ptr++;
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index a41e32569..e5739ecb5 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -154,13 +154,15 @@ int sbox_run(unsigned filtermask, int num, ...) {
                                fprintf(stderr,"Error: cannot open %s\n", SBOX_STDIN_FILE);
                                exit(1);
                        }
-                        dup2(fd,STDIN_FILENO);
+                        if (dup2(fd, STDIN_FILENO) == -1)
+                                errExit("dup2");
                        close(fd);
                }
                else if ((filtermask & SBOX_ALLOW_STDIN) == 0) {
                        int fd = open("/dev/null",O_RDWR, 0);
                        if (fd != -1) {
-                                dup2(fd, STDIN_FILENO);
+                                if (dup2(fd, STDIN_FILENO) == -1)
+                                        errExit("dup2");
                                close(fd);
                        }
                        else // the user could run the sandbox without /dev/null
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 918077235..a737f9d47 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1276,14 +1276,13 @@ int has_handler(pid_t pid, int signal) {
                        char buf[BUFLEN];
                        while (fgets(buf, BUFLEN, fp)) {
                                if (strncmp(buf, "SigCgt:", 7) == 0) {
-                                        char *ptr = buf + 7;
                                        unsigned long long val;
-                                        if (sscanf(ptr, "%llx", &val) != 1) {
+                                        if (sscanf(buf + 7, "%llx", &val) != 1) {
                                                fprintf(stderr, "Error: cannot read /proc file\n");
                                                exit(1);
                                        }
                                        val >>= (signal - 1);
-                                        val &= 1;
+                                        val &= 1ULL;
                                        fclose(fp);
                                        return val;  // 1 if process has a handler for the signal, else 0
                                }
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 49ffc8723..0927593b0 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1321,12 +1321,18 @@ void x11_block(void) {
        }
        // blacklist sockets
-        profile_check_line("blacklist /tmp/.X11-unix", 0, NULL);
+        char *cmd = strdup("blacklist /tmp/.X11-unix");
-        profile_add(strdup("blacklist /tmp/.X11-unix"));
+        if (!cmd)
+                errExit("strdup");
+        profile_check_line(cmd, 0, NULL);
+        profile_add(cmd);
        // blacklist .Xauthority
-        profile_check_line("blacklist ${HOME}/.Xauthority", 0, NULL);
+        cmd = strdup("blacklist ${HOME}/.Xauthority");
-        profile_add(strdup("blacklist ${HOME}/.Xauthority"));
+        if (!cmd)
+                errExit("strdup");
+        profile_check_line(cmd, 0, NULL);
+        profile_add(cmd);
        char *xauthority = getenv("XAUTHORITY");
        if (xauthority) {
                char *line;
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c
index 0c21b9b70..db04ee1ae 100644
--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
@@ -56,7 +56,7 @@ static orig_access_t orig_access = NULL;
 static FILE *ftty = NULL;
 static pid_t mypid = 0;
 #define MAXNAME 16
-static char myname[MAXNAME] = {'\0', };
+static char myname[MAXNAME] = "unknown";
 static void init(void) __attribute__((constructor));
 void init(void) {
@@ -84,13 +84,15 @@ void init(void) {
        // process name
        char *fname;
-        if (asprintf(&fname, "/proc/%u/comm", mypid) == -1)
+        if (asprintf(&fname, "/proc/%u/comm", mypid) != -1) {
-                strncpy(myname, "unknown", MAXNAME-1);
+                FILE *fp = orig_fopen(fname, "r");
+                free(fname);
-        // read file
+                if (fp) {
-        FILE *fp = orig_fopen(fname, "r");
+                        if (fgets(myname, MAXNAME, fp) == NULL)
-        if (!fp || fgets(myname, MAXNAME, fp) == NULL)
+                                strncpy(myname, "unknown", MAXNAME-1);
-                strncpy(myname, "unknown", MAXNAME-1);
+                        fclose(fp);
+                }
+        }
        // clean '\n'
        char *ptr = strchr(myname, '\n');
@@ -98,8 +100,6 @@ void init(void) {
                *ptr = '\0';
        tprintf(ftty, "=== tracelib init() [%d:%s] === \n", mypid, myname);
-        fclose(fp);
-        free(fname);
 }
 static void fini(void) __attribute__((destructor));
author	smitsohu <smitsohu@gmail.com>	2019-09-22 13:18:23 +0200
committer	smitsohu <smitsohu@gmail.com>	2019-09-22 13:18:23 +0200
commit	f82d9344dcef51a7306bbe718369b0015922e4f3 (patch)
tree	28a8a07990d244c6797673973085fe839d0de2c1
parent	apparmor: permit writing to trace file (diff)
download	firejail-f82d9344dcef51a7306bbe718369b0015922e4f3.tar.gz firejail-f82d9344dcef51a7306bbe718369b0015922e4f3.tar.zst firejail-f82d9344dcef51a7306bbe718369b0015922e4f3.zip

diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index 1da765d8f..e886e81da 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c
@@ -137,7 +137,7 @@ void appimage_set(const char *appimage) {
137	errExit("setenv");	137	errExit("setenv");
138	if (size != 0 && setenv("ARGV0", appimage, 1) < 0)	138	if (size != 0 && setenv("ARGV0", appimage, 1) < 0)
139	errExit("setenv");	139	errExit("setenv");
140	if (setenv("OWD", cfg.cwd, 1) < 0)	140	if (cfg.cwd && setenv("OWD", cfg.cwd, 1) < 0)
141	errExit("setenv");	141	errExit("setenv");
142		142
143	// build new command line	143	// build new command line


diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c index 42e160dec..162f5dbec 100644 --- a/src/firejail/mountinfo.c +++ b/src/firejail/mountinfo.c
@@ -225,9 +225,9 @@ char *build_mount_array(const int mount_id, const char path) {
225	exit(1);	225	exit(1);
226	}	226	}
227	do {	227	do {
		228	parse_line(buf, &mntp);
228	// find mount point with mount id	229	// find mount point with mount id
229	if (!found) {	230	if (!found) {
230	parse_line(buf, &mntp);
231	if (mntp.mountid == mount_id) {	231	if (mntp.mountid == mount_id) {
232	// give up if mount id has been reassigned,	232	// give up if mount id has been reassigned,
233	// don't remount blacklisted path	233	// don't remount blacklisted path
@@ -236,19 +236,17 @@ char *build_mount_array(const int mount_id, const char path) {
236	strstr(mntp.fsname, "firejail.ro.file"))	236	strstr(mntp.fsname, "firejail.ro.file"))
237	break;	237	break;
238		238
239	rv[0] = strdup(path);	239	rv[cnt] = strdup(path);
240	if (rv[0] == NULL)	240	if (rv[cnt] == NULL)
241	errExit("strdup");	241	errExit("strdup");
242	cnt++;	242	cnt++;
243	found = 1;	243	found = 1;
244	continue;	244	continue;
245	}	245	}
246	else	246	continue;
247	continue;
248	}	247	}
249	// from here on add all mount points below path,	248	// from here on add all mount points below path,
250	// don't remount blacklisted paths	249	// don't remount blacklisted paths
251	parse_line(buf, &mntp);
252	if (strncmp(mntp.dir, path, pathlen) == 0 &&	250	if (strncmp(mntp.dir, path, pathlen) == 0 &&
253	mntp.dir[pathlen] == '/' &&	251	mntp.dir[pathlen] == '/' &&
254	strstr(mntp.fsname, "firejail.ro.dir") == NULL &&	252	strstr(mntp.fsname, "firejail.ro.dir") == NULL &&


diff --git a/src/firejail/network.c b/src/firejail/network.c index 3e6b9d29d..93249a29b 100644 --- a/src/firejail/network.c +++ b/src/firejail/network.c
@@ -229,7 +229,7 @@ uint32_t network_get_defaultgw(void) {
229	continue;	229	continue;
230		230
231	char *ptr = buf;	231	char *ptr = buf;
232	while (ptr != ' ' && ptr != '\t')	232	while (ptr != ' ' && ptr != '\t' && *ptr != '\0')
233	ptr++;	233	ptr++;
234	while (ptr == ' ' \|\| ptr == '\t')	234	while (ptr == ' ' \|\| ptr == '\t')
235	ptr++;	235	ptr++;


diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index a41e32569..e5739ecb5 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c
@@ -154,13 +154,15 @@ int sbox_run(unsigned filtermask, int num, ...) {
154	fprintf(stderr,"Error: cannot open %s\n", SBOX_STDIN_FILE);	154	fprintf(stderr,"Error: cannot open %s\n", SBOX_STDIN_FILE);
155	exit(1);	155	exit(1);
156	}	156	}
157	dup2(fd,STDIN_FILENO);	157	if (dup2(fd, STDIN_FILENO) == -1)
		158	errExit("dup2");
158	close(fd);	159	close(fd);
159	}	160	}
160	else if ((filtermask & SBOX_ALLOW_STDIN) == 0) {	161	else if ((filtermask & SBOX_ALLOW_STDIN) == 0) {
161	int fd = open("/dev/null",O_RDWR, 0);	162	int fd = open("/dev/null",O_RDWR, 0);
162	if (fd != -1) {	163	if (fd != -1) {
163	dup2(fd, STDIN_FILENO);	164	if (dup2(fd, STDIN_FILENO) == -1)
		165	errExit("dup2");
164	close(fd);	166	close(fd);
165	}	167	}
166	else // the user could run the sandbox without /dev/null	168	else // the user could run the sandbox without /dev/null


diff --git a/src/firejail/util.c b/src/firejail/util.c index 918077235..a737f9d47 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c
@@ -1276,14 +1276,13 @@ int has_handler(pid_t pid, int signal) {
1276	char buf[BUFLEN];	1276	char buf[BUFLEN];
1277	while (fgets(buf, BUFLEN, fp)) {	1277	while (fgets(buf, BUFLEN, fp)) {
1278	if (strncmp(buf, "SigCgt:", 7) == 0) {	1278	if (strncmp(buf, "SigCgt:", 7) == 0) {
1279	char *ptr = buf + 7;
1280	unsigned long long val;	1279	unsigned long long val;
1281	if (sscanf(ptr, "%llx", &val) != 1) {	1280	if (sscanf(buf + 7, "%llx", &val) != 1) {
1282	fprintf(stderr, "Error: cannot read /proc file\n");	1281	fprintf(stderr, "Error: cannot read /proc file\n");
1283	exit(1);	1282	exit(1);
1284	}	1283	}
1285	val >>= (signal - 1);	1284	val >>= (signal - 1);
1286	val &= 1;	1285	val &= 1ULL;
1287	fclose(fp);	1286	fclose(fp);
1288	return val; // 1 if process has a handler for the signal, else 0	1287	return val; // 1 if process has a handler for the signal, else 0
1289	}	1288	}


diff --git a/src/firejail/x11.c b/src/firejail/x11.c index 49ffc8723..0927593b0 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c
@@ -1321,12 +1321,18 @@ void x11_block(void) {
1321	}	1321	}
1322		1322
1323	// blacklist sockets	1323	// blacklist sockets
1324	profile_check_line("blacklist /tmp/.X11-unix", 0, NULL);	1324	char *cmd = strdup("blacklist /tmp/.X11-unix");
1325	profile_add(strdup("blacklist /tmp/.X11-unix"));	1325	if (!cmd)
		1326	errExit("strdup");
		1327	profile_check_line(cmd, 0, NULL);
		1328	profile_add(cmd);
1326		1329
1327	// blacklist .Xauthority	1330	// blacklist .Xauthority
1328	profile_check_line("blacklist ${HOME}/.Xauthority", 0, NULL);	1331	cmd = strdup("blacklist ${HOME}/.Xauthority");
1329	profile_add(strdup("blacklist ${HOME}/.Xauthority"));	1332	if (!cmd)
		1333	errExit("strdup");
		1334	profile_check_line(cmd, 0, NULL);
		1335	profile_add(cmd);
1330	char *xauthority = getenv("XAUTHORITY");	1336	char *xauthority = getenv("XAUTHORITY");
1331	if (xauthority) {	1337	if (xauthority) {
1332	char *line;	1338	char *line;


diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c index 0c21b9b70..db04ee1ae 100644 --- a/src/libtrace/libtrace.c +++ b/src/libtrace/libtrace.c
@@ -56,7 +56,7 @@ static orig_access_t orig_access = NULL;
56	static FILE *ftty = NULL;	56	static FILE *ftty = NULL;
57	static pid_t mypid = 0;	57	static pid_t mypid = 0;
58	#define MAXNAME 16	58	#define MAXNAME 16
59	static char myname[MAXNAME] = {'\0', };	59	static char myname[MAXNAME] = "unknown";
60		60
61	static void init(void) __attribute__((constructor));	61	static void init(void) __attribute__((constructor));
62	void init(void) {	62	void init(void) {
@@ -84,13 +84,15 @@ void init(void) {
84		84
85	// process name	85	// process name
86	char *fname;	86	char *fname;
87	if (asprintf(&fname, "/proc/%u/comm", mypid) == -1)	87	if (asprintf(&fname, "/proc/%u/comm", mypid) != -1) {
88	strncpy(myname, "unknown", MAXNAME-1);	88	FILE *fp = orig_fopen(fname, "r");
89		89	free(fname);
90	// read file	90	if (fp) {
91	FILE *fp = orig_fopen(fname, "r");	91	if (fgets(myname, MAXNAME, fp) == NULL)
92	if (!fp \|\| fgets(myname, MAXNAME, fp) == NULL)	92	strncpy(myname, "unknown", MAXNAME-1);
93	strncpy(myname, "unknown", MAXNAME-1);	93	fclose(fp);
		94	}
		95	}
94		96
95	// clean '\n'	97	// clean '\n'
96	char *ptr = strchr(myname, '\n');	98	char *ptr = strchr(myname, '\n');
@@ -98,8 +100,6 @@ void init(void) {
98	*ptr = '\0';	100	*ptr = '\0';
99		101
100	tprintf(ftty, "=== tracelib init() [%d:%s] === \n", mypid, myname);	102	tprintf(ftty, "=== tracelib init() [%d:%s] === \n", mypid, myname);
101	fclose(fp);
102	free(fname);
103	}	103	}
104		104
105	static void fini(void) __attribute__((destructor));	105	static void fini(void) __attribute__((destructor));