Merge branch 'master' of https://github.com/netblue30/firejail

author: smitsohu <smitsohu@gmail.com> 2018-08-28 17:01:59 +0200
committer: smitsohu <smitsohu@gmail.com> 2018-08-28 17:01:59 +0200
commit: 2d08ecaf45fcf11fd0409995c73cdab37b2b0f56 (patch)
tree: f02293aa5735709cf69b7fe781792af546d6f389
parent: fix and harden overlay options (diff)
parent: memory leaks (diff)
download: firejail-2d08ecaf45fcf11fd0409995c73cdab37b2b0f56.tar.gz
firejail-2d08ecaf45fcf11fd0409995c73cdab37b2b0f56.tar.zst
firejail-2d08ecaf45fcf11fd0409995c73cdab37b2b0f56.zip
6 files changed, 56 insertions, 72 deletions
diff --git a/etc/firejail-default b/etc/firejail-default
index 09dc896e6..e05d09468 100644
--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -22,42 +22,30 @@ dbus,
 ##########
 # With ptrace it is possible to inspect and hijack running programs. Usually this
-# is needed only for debugging. To allow ptrace, uncomment the following line
+# is needed only for debugging. To allow ptrace, uncomment the following line.
 ##########
 #ptrace,
 ##########
-# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes
+# Allow read access to whole filesystem and control it from firejail.
 ##########
-/ r,
+/{,**} rklm,
-/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
-/run/firejail/mnt/oroot/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
-/{,var/}run/ r,
+##########
-/{,var/}run/** r,
+# Allow write access to paths writable in firejail which aren't used for
-/run/firejail/mnt/oroot/{,var/}run/ r,
+# executing programs. /run, /proc and /sys are handled separately.
-/run/firejail/mnt/oroot/{,var/}run/** r,
+# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes.
+##########
-owner /{,var/}run/user/[0-9]*/** rw,
+/{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w,
-owner /{,var/}run/user/[0-9]*/*.slave-socket rwl,
-owner /{,var/}run/user/[0-9]*/orcexec.* rwkm,
-owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]*/** rw,
-owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]*/*.slave-socket rwl,
-owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]*/orcexec.* rwkm,
-/{,var/}run/firejail/mnt/fslogger r,
+##########
-/{,var/}run/firejail/appimage r,
+# Whitelist writable paths under /run, /proc and /sys.
-/{,var/}run/firejail/appimage/** r,
+##########
-/{,var/}run/firejail/appimage/** ix,
+owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w,
-/run/firejail/mnt/oroot/{,var/}run/firejail/mnt/fslogger r,
+owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/*.slave-socket w,
-/run/firejail/mnt/oroot/{,var/}run/firejail/appimage r,
+owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/orcexec.* w,
-/run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** r,
-/run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** ix,
-/{run,dev}/shm/ r,
+owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
-owner /{run,dev}/shm/** rmwk,
-/run/firejail/mnt/oroot/{run,dev}/shm/ r,
-owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 # Allow logging Firejail blacklist violations to journal
 /{,var/}run/systemd/journal/socket w,
@@ -66,58 +54,41 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
 # Needed for wine
 /{,var/}run/firejail/profile/@{PID} w,
-##########
+# Allow access to cups printing socket.
-# Allow /proc and /sys read-only access.
+/{,var/}run/cups/cups.sock w,
-# Blacklisting is controlled from userspace Firejail.
-##########
+# Needed for firefox sandbox
-/proc/ r,
-/proc/** r,
 /proc/[0-9]*/{uid_map,gid_map,setgroups} w,
-# Uncomment to silence all denied write warnings
-#deny /proc/** w,
+# Silence noise
 deny /proc/@{PID}/oom_adj w,
 deny /proc/@{PID}/oom_score_adj w,
-/sys/ r,
-/sys/** r,
 # Uncomment to silence all denied write warnings
-#deny /sys/** w,
+#deny /proc/** w,
-# Blacklist snapshots
+# Uncomment to silence all denied write warnings
-deny /**/.snapshots/ rwx,
+#deny /sys/** w,
 ##########
 # Allow running programs only from well-known system directories. If you need
 # to run programs from your home directory, uncomment /home line.
 ##########
-/lib/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,
-/lib64/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,
-/bin/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,
-/sbin/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64}/** ix,
-/usr/bin/** ix,
+/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,
-/usr/sbin/** ix,
+#/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}home/** ix,
-/usr/local/** ix,
-/usr/lib/** ix,
+# Appimage support
-/usr/lib64/** ix,
+/{,run/firejail/mnt/oroot/}{,var/}run/firejail/appimage/** ix,
-/usr/games/** ix,
-/opt/** ix,
-#/home/** ix,
-/run/firejail/mnt/oroot/lib/** ix,
-/run/firejail/mnt/oroot/lib64/** ix,
-/run/firejail/mnt/oroot/bin/** ix,
-/run/firejail/mnt/oroot/sbin/** ix,
-/run/firejail/mnt/oroot/usr/bin/** ix,
-/run/firejail/mnt/oroot/usr/sbin/** ix,
-/run/firejail/mnt/oroot/usr/local/** ix,
-/run/firejail/mnt/oroot/usr/lib/** ix,
-/run/firejail/mnt/oroot/usr/lib64/** ix,
-/run/firejail/mnt/oroot/usr/games/** ix,
-/run/firejail/mnt/oroot/opt/** ix,
 ##########
-# Allow access to cups printing socket.
+# Blacklist specific sensitive paths.
 ##########
-/run/cups/cups.sock w,
+# Common backup directory
+deny /**/.snapshots/ rwx,
 ##########
 # Allow all networking functionality, and control it from Firejail.
diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c
index 71b39390e..de2b8cfa2 100644
--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@@ -144,6 +144,8 @@ void fix_desktop_files(char *homedir) {
                perror("opendir");
                fprintf(stderr, "Warning: cannot access /usr/share/applications directory, desktop files fixing skipped...\n");
                free(user_apps_dir);
+                if (dir)
+                        closedir(dir);
                return;
        }
@@ -266,12 +268,16 @@ void fix_desktop_files(char *homedir) {
                if (stat(outname, &sb) == 0) {
                        printf("   %s skipped: file exists\n", filename);
+                        if (change_exec)
+                                free(change_exec);
                        continue;
                }
                FILE *fpin = fopen(filename, "r");
                if (!fpin) {
                        fprintf(stderr, "Warning: cannot open /usr/share/applications/%s\n", filename);
+                        if (change_exec)
+                                free(change_exec);
                        continue;
                }
@@ -279,6 +285,8 @@ void fix_desktop_files(char *homedir) {
                if (!fpout) {
                        fprintf(stderr, "Warning: cannot open ~/.local/share/applications/%s\n", outname);
                        fclose(fpin);
+                        if (change_exec)
+                                free(change_exec);
                        continue;
                }
                fprintf(fpout, "# converted by firecfg\n");
diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c
index ce1e281a5..1fe5a2398 100644
--- a/src/firejail/cmdline.c
+++ b/src/firejail/cmdline.c
@@ -208,4 +208,5 @@ void build_appimage_cmdline(char **command_line, char **window_title, int argc,
        // free strdup
        free(tmp1);
+        free(command_line_tmp);
 }
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 602985b4e..9b68b6753 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -371,10 +371,13 @@ void fs_whitelist(void) {
                // resolve macros
                if (is_macro(dataptr)) {
-                        char *tmp = resolve_macro(dataptr);
+                        char *tmp = resolve_macro(dataptr); // returns allocated mem
-                        if (tmp != NULL)
+                        if (tmp != NULL) {
-                                tmp = parse_nowhitelist(nowhitelist_flag, tmp);
+                                char *tmp1 = parse_nowhitelist(nowhitelist_flag, tmp);
+                                assert(tmp1);
+                                free(tmp);
+                                tmp = tmp1;
+                        }
                        if (tmp) {
                                entry->data = tmp;
                                dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10;
diff --git a/src/fsec-print/main.c b/src/fsec-print/main.c
index 94c60687f..5a1e34080 100644
--- a/src/fsec-print/main.c
+++ b/src/fsec-print/main.c
@@ -74,7 +74,8 @@ printf("\n");
        close(fd);
        return 0;
 errexit:
-        close(fd);
+        if (fd != -1)
+                close(fd);
        fprintf(stderr, "Error: cannot read %s\n", fname);
        exit(1);
diff --git a/src/libpostexecseccomp/libpostexecseccomp.c b/src/libpostexecseccomp/libpostexecseccomp.c
index 0ccb74b10..6d2c8c695 100644
--- a/src/libpostexecseccomp/libpostexecseccomp.c
+++ b/src/libpostexecseccomp/libpostexecseccomp.c
@@ -31,7 +31,7 @@ static void load_seccomp(void) {
        if (fd == -1)
                return;
-        int size = lseek(fd, 0, SEEK_END);
+        off_t size = lseek(fd, 0, SEEK_END);
        unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter);
        struct sock_filter *filter = MAP_FAILED;
        if (size != 0)
author	smitsohu <smitsohu@gmail.com>	2018-08-28 17:01:59 +0200
committer	smitsohu <smitsohu@gmail.com>	2018-08-28 17:01:59 +0200
commit	2d08ecaf45fcf11fd0409995c73cdab37b2b0f56 (patch)
tree	f02293aa5735709cf69b7fe781792af546d6f389
parent	fix and harden overlay options (diff)
parent	memory leaks (diff)
download	firejail-2d08ecaf45fcf11fd0409995c73cdab37b2b0f56.tar.gz firejail-2d08ecaf45fcf11fd0409995c73cdab37b2b0f56.tar.zst firejail-2d08ecaf45fcf11fd0409995c73cdab37b2b0f56.zip

diff --git a/etc/firejail-default b/etc/firejail-default index 09dc896e6..e05d09468 100644 --- a/etc/firejail-default +++ b/etc/firejail-default
@@ -22,42 +22,30 @@ dbus,
22		22
23	##########	23	##########
24	# With ptrace it is possible to inspect and hijack running programs. Usually this	24	# With ptrace it is possible to inspect and hijack running programs. Usually this
25	# is needed only for debugging. To allow ptrace, uncomment the following line	25	# is needed only for debugging. To allow ptrace, uncomment the following line.
26	##########	26	##########
27	#ptrace,	27	#ptrace,
28		28
29	##########	29	##########
30	# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes	30	# Allow read access to whole filesystem and control it from firejail.
31	##########	31	##########
32	/ r,	32	/{,**} rklm,
33	/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
34	/run/firejail/mnt/oroot/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
35		33
36	/{,var/}run/ r,	34	##########
37	/{,var/}run/** r,	35	# Allow write access to paths writable in firejail which aren't used for
38	/run/firejail/mnt/oroot/{,var/}run/ r,	36	# executing programs. /run, /proc and /sys are handled separately.
39	/run/firejail/mnt/oroot/{,var/}run/** r,	37	# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes.
40		38	##########
41	owner /{,var/}run/user/[0-9]/* rw,	39	/{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w,
42	owner /{,var/}run/user/[0-9]/.slave-socket rwl,
43	owner /{,var/}run/user/[0-9]/orcexec. rwkm,
44	owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]/* rw,
45	owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]/.slave-socket rwl,
46	owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]/orcexec. rwkm,
47		40
48	/{,var/}run/firejail/mnt/fslogger r,	41	##########
49	/{,var/}run/firejail/appimage r,	42	# Whitelist writable paths under /run, /proc and /sys.
50	/{,var/}run/firejail/appimage/** r,	43	##########
51	/{,var/}run/firejail/appimage/** ix,	44	owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]/* w,
52	/run/firejail/mnt/oroot/{,var/}run/firejail/mnt/fslogger r,	45	owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]/.slave-socket w,
53	/run/firejail/mnt/oroot/{,var/}run/firejail/appimage r,	46	owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]/orcexec. w,
54	/run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** r,
55	/run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** ix,
56		47
57	/{run,dev}/shm/ r,	48	owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,
58	owner /{run,dev}/shm/** rmwk,
59	/run/firejail/mnt/oroot/{run,dev}/shm/ r,
60	owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
61		49
62	# Allow logging Firejail blacklist violations to journal	50	# Allow logging Firejail blacklist violations to journal
63	/{,var/}run/systemd/journal/socket w,	51	/{,var/}run/systemd/journal/socket w,
@@ -66,58 +54,41 @@ owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,
66	# Needed for wine	54	# Needed for wine
67	/{,var/}run/firejail/profile/@{PID} w,	55	/{,var/}run/firejail/profile/@{PID} w,
68		56
69	##########	57	# Allow access to cups printing socket.
70	# Allow /proc and /sys read-only access.	58	/{,var/}run/cups/cups.sock w,
71	# Blacklisting is controlled from userspace Firejail.	59
72	##########	60	# Needed for firefox sandbox
73	/proc/ r,
74	/proc/** r,
75	/proc/[0-9]*/{uid_map,gid_map,setgroups} w,	61	/proc/[0-9]*/{uid_map,gid_map,setgroups} w,
76	# Uncomment to silence all denied write warnings	62
77	#deny /proc/** w,	63	# Silence noise
78	deny /proc/@{PID}/oom_adj w,	64	deny /proc/@{PID}/oom_adj w,
79	deny /proc/@{PID}/oom_score_adj w,	65	deny /proc/@{PID}/oom_score_adj w,
80		66
81	/sys/ r,
82	/sys/** r,
83	# Uncomment to silence all denied write warnings	67	# Uncomment to silence all denied write warnings
84	#deny /sys/** w,	68	#deny /proc/** w,
85		69
86	# Blacklist snapshots	70	# Uncomment to silence all denied write warnings
87	deny /**/.snapshots/ rwx,	71	#deny /sys/** w,
88		72
89	##########	73	##########
90	# Allow running programs only from well-known system directories. If you need	74	# Allow running programs only from well-known system directories. If you need
91	# to run programs from your home directory, uncomment /home line.	75	# to run programs from your home directory, uncomment /home line.
92	##########	76	##########
93	/lib/** ix,	77	/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,
94	/lib64/** ix,	78	/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,
95	/bin/** ix,	79	/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,
96	/sbin/** ix,	80	/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64}/** ix,
97	/usr/bin/** ix,	81	/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,
98	/usr/sbin/** ix,	82	#/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}home/** ix,
99	/usr/local/** ix,	83
100	/usr/lib/** ix,	84	# Appimage support
101	/usr/lib64/** ix,	85	/{,run/firejail/mnt/oroot/}{,var/}run/firejail/appimage/** ix,
102	/usr/games/** ix,
103	/opt/** ix,
104	#/home/** ix,
105	/run/firejail/mnt/oroot/lib/** ix,
106	/run/firejail/mnt/oroot/lib64/** ix,
107	/run/firejail/mnt/oroot/bin/** ix,
108	/run/firejail/mnt/oroot/sbin/** ix,
109	/run/firejail/mnt/oroot/usr/bin/** ix,
110	/run/firejail/mnt/oroot/usr/sbin/** ix,
111	/run/firejail/mnt/oroot/usr/local/** ix,
112	/run/firejail/mnt/oroot/usr/lib/** ix,
113	/run/firejail/mnt/oroot/usr/lib64/** ix,
114	/run/firejail/mnt/oroot/usr/games/** ix,
115	/run/firejail/mnt/oroot/opt/** ix,
116		86
117	##########	87	##########
118	# Allow access to cups printing socket.	88	# Blacklist specific sensitive paths.
119	##########	89	##########
120	/run/cups/cups.sock w,	90	# Common backup directory
		91	deny /**/.snapshots/ rwx,
121		92
122	##########	93	##########
123	# Allow all networking functionality, and control it from Firejail.	94	# Allow all networking functionality, and control it from Firejail.


diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c index 71b39390e..de2b8cfa2 100644 --- a/src/firecfg/desktop_files.c +++ b/src/firecfg/desktop_files.c
@@ -144,6 +144,8 @@ void fix_desktop_files(char *homedir) {
144	perror("opendir");	144	perror("opendir");
145	fprintf(stderr, "Warning: cannot access /usr/share/applications directory, desktop files fixing skipped...\n");	145	fprintf(stderr, "Warning: cannot access /usr/share/applications directory, desktop files fixing skipped...\n");
146	free(user_apps_dir);	146	free(user_apps_dir);
		147	if (dir)
		148	closedir(dir);
147	return;	149	return;
148	}	150	}
149		151
@@ -266,12 +268,16 @@ void fix_desktop_files(char *homedir) {
266		268
267	if (stat(outname, &sb) == 0) {	269	if (stat(outname, &sb) == 0) {
268	printf(" %s skipped: file exists\n", filename);	270	printf(" %s skipped: file exists\n", filename);
		271	if (change_exec)
		272	free(change_exec);
269	continue;	273	continue;
270	}	274	}
271		275
272	FILE *fpin = fopen(filename, "r");	276	FILE *fpin = fopen(filename, "r");
273	if (!fpin) {	277	if (!fpin) {
274	fprintf(stderr, "Warning: cannot open /usr/share/applications/%s\n", filename);	278	fprintf(stderr, "Warning: cannot open /usr/share/applications/%s\n", filename);
		279	if (change_exec)
		280	free(change_exec);
275	continue;	281	continue;
276	}	282	}
277		283
@@ -279,6 +285,8 @@ void fix_desktop_files(char *homedir) {
279	if (!fpout) {	285	if (!fpout) {
280	fprintf(stderr, "Warning: cannot open ~/.local/share/applications/%s\n", outname);	286	fprintf(stderr, "Warning: cannot open ~/.local/share/applications/%s\n", outname);
281	fclose(fpin);	287	fclose(fpin);
		288	if (change_exec)
		289	free(change_exec);
282	continue;	290	continue;
283	}	291	}
284	fprintf(fpout, "# converted by firecfg\n");	292	fprintf(fpout, "# converted by firecfg\n");


diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c index ce1e281a5..1fe5a2398 100644 --- a/src/firejail/cmdline.c +++ b/src/firejail/cmdline.c
@@ -208,4 +208,5 @@ void build_appimage_cmdline(char command_line, char window_title, int argc,
208		208
209	// free strdup	209	// free strdup
210	free(tmp1);	210	free(tmp1);
		211	free(command_line_tmp);
211	}	212	}


diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 602985b4e..9b68b6753 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c
@@ -371,10 +371,13 @@ void fs_whitelist(void) {
371		371
372	// resolve macros	372	// resolve macros
373	if (is_macro(dataptr)) {	373	if (is_macro(dataptr)) {
374	char *tmp = resolve_macro(dataptr);	374	char *tmp = resolve_macro(dataptr); // returns allocated mem
375	if (tmp != NULL)	375	if (tmp != NULL) {
376	tmp = parse_nowhitelist(nowhitelist_flag, tmp);	376	char *tmp1 = parse_nowhitelist(nowhitelist_flag, tmp);
377		377	assert(tmp1);
		378	free(tmp);
		379	tmp = tmp1;
		380	}
378	if (tmp) {	381	if (tmp) {
379	entry->data = tmp;	382	entry->data = tmp;
380	dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10;	383	dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10;


diff --git a/src/fsec-print/main.c b/src/fsec-print/main.c index 94c60687f..5a1e34080 100644 --- a/src/fsec-print/main.c +++ b/src/fsec-print/main.c
@@ -74,7 +74,8 @@ printf("\n");
74	close(fd);	74	close(fd);
75	return 0;	75	return 0;
76	errexit:	76	errexit:
77	close(fd);	77	if (fd != -1)
		78	close(fd);
78	fprintf(stderr, "Error: cannot read %s\n", fname);	79	fprintf(stderr, "Error: cannot read %s\n", fname);
79	exit(1);	80	exit(1);
80		81


diff --git a/src/libpostexecseccomp/libpostexecseccomp.c b/src/libpostexecseccomp/libpostexecseccomp.c index 0ccb74b10..6d2c8c695 100644 --- a/src/libpostexecseccomp/libpostexecseccomp.c +++ b/src/libpostexecseccomp/libpostexecseccomp.c
@@ -31,7 +31,7 @@ static void load_seccomp(void) {
31	if (fd == -1)	31	if (fd == -1)
32	return;	32	return;
33		33
34	int size = lseek(fd, 0, SEEK_END);	34	off_t size = lseek(fd, 0, SEEK_END);
35	unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter);	35	unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter);
36	struct sock_filter *filter = MAP_FAILED;	36	struct sock_filter *filter = MAP_FAILED;
37	if (size != 0)	37	if (size != 0)