diff options
| author |  netblue30 <netblue30@yahoo.com> | 2018-08-29 07:35:28 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2018-08-29 07:35:28 -0400 |
| commit | ec9ac7df45acdde1eaaec75b2e85c6ad22f6c1a6 (patch) | |
| tree | 44309790dc138e59143d147dda63ea7afac4094d | |
| parent | silence warning about failed unmounting of /sys (overlay options) (diff) | |
| download | firejail-ec9ac7df45acdde1eaaec75b2e85c6ad22f6c1a6.tar.gz firejail-ec9ac7df45acdde1eaaec75b2e85c6ad22f6c1a6.tar.zst firejail-ec9ac7df45acdde1eaaec75b2e85c6ad22f6c1a6.zip | |
cleanup
| -rw-r--r-- | src/firecfg/main.c | 5 | ||||
| -rw-r--r-- | src/firejail/arp.c | 4 | ||||
| -rw-r--r-- | src/firejail/fs_whitelist.c | 8 | ||||
| -rw-r--r-- | src/firejail/network.c | 6 | ||||
| -rw-r--r-- | src/firejail/preproc.c | 2 | ||||
| -rw-r--r-- | src/firemon/interface.c | 2 | ||||
| -rw-r--r-- | src/fldd/main.c | 2 | ||||
| -rw-r--r-- | src/fnet/arp.c | 2 | ||||
| -rw-r--r-- | src/fnet/interface.c | 16 |
9 files changed, 27 insertions, 20 deletions
diff --git a/src/firecfg/main.c b/src/firecfg/main.c index 298314d4f..810af6ff2 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c | |||
| @@ -318,13 +318,14 @@ int main(int argc, char **argv) { | |||
| 318 | 318 | ||
| 319 | // user setup | 319 | // user setup |
| 320 | char *user = get_user(); | 320 | char *user = get_user(); |
| 321 | assert(user); | ||
| 321 | uid_t uid; | 322 | uid_t uid; |
| 322 | gid_t gid; | 323 | gid_t gid; |
| 323 | char *home = get_homedir(user, &uid, &gid); | 324 | char *home = get_homedir(user, &uid, &gid); |
| 324 | 325 | ||
| 325 | 326 | ||
| 326 | // check for --bindir | 327 | // check for --bindir |
| 327 | for (i = i; i < argc; i++) { | 328 | for (i = 1; i < argc; i++) { |
| 328 | if (strncmp(argv[i], "--bindir=", 9) == 0) { | 329 | if (strncmp(argv[i], "--bindir=", 9) == 0) { |
| 329 | if (strncmp(argv[i] + 9, "~/", 2) == 0) { | 330 | if (strncmp(argv[i] + 9, "~/", 2) == 0) { |
| 330 | if (asprintf(&arg_bindir, "%s/%s", home, argv[i] + 11) == -1) | 331 | if (asprintf(&arg_bindir, "%s/%s", home, argv[i] + 11) == -1) |
| @@ -430,7 +431,7 @@ int main(int argc, char **argv) { | |||
| 430 | set_links_firecfg(); | 431 | set_links_firecfg(); |
| 431 | 432 | ||
| 432 | // add user to firejail access database - only for root | 433 | // add user to firejail access database - only for root |
| 433 | if (user && getuid() == 0) { | 434 | if (getuid() == 0) { |
| 434 | printf("\nAdding user %s to Firejail access database in %s/firejail.users\n", user, SYSCONFDIR); | 435 | printf("\nAdding user %s to Firejail access database in %s/firejail.users\n", user, SYSCONFDIR); |
| 435 | firejail_user_add(user); | 436 | firejail_user_add(user); |
| 436 | } | 437 | } |
diff --git a/src/firejail/arp.c b/src/firejail/arp.c index c19cb0a47..288e5ded3 100644 --- a/src/firejail/arp.c +++ b/src/firejail/arp.c | |||
| @@ -66,7 +66,7 @@ void arp_announce(const char *dev, Bridge *br) { | |||
| 66 | // Find interface MAC address | 66 | // Find interface MAC address |
| 67 | struct ifreq ifr; | 67 | struct ifreq ifr; |
| 68 | memset(&ifr, 0, sizeof (ifr)); | 68 | memset(&ifr, 0, sizeof (ifr)); |
| 69 | strncpy(ifr.ifr_name, dev, IFNAMSIZ); | 69 | strncpy(ifr.ifr_name, dev, IFNAMSIZ - 1); |
| 70 | if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0) | 70 | if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0) |
| 71 | errExit("ioctl"); | 71 | errExit("ioctl"); |
| 72 | close(sock); | 72 | close(sock); |
| @@ -138,7 +138,7 @@ int arp_check(const char *dev, uint32_t destaddr) { | |||
| 138 | // Find interface MAC address | 138 | // Find interface MAC address |
| 139 | struct ifreq ifr; | 139 | struct ifreq ifr; |
| 140 | memset(&ifr, 0, sizeof (ifr)); | 140 | memset(&ifr, 0, sizeof (ifr)); |
| 141 | strncpy(ifr.ifr_name, dev, IFNAMSIZ); | 141 | strncpy(ifr.ifr_name, dev, IFNAMSIZ - 1); |
| 142 | if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0) | 142 | if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0) |
| 143 | errExit("ioctl"); | 143 | errExit("ioctl"); |
| 144 | close(sock); | 144 | close(sock); |
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index e983a071d..8a402f692 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
| @@ -506,14 +506,18 @@ void fs_whitelist(void) { | |||
| 506 | // both path and absolute path are under /home | 506 | // both path and absolute path are under /home |
| 507 | if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) == 0) { | 507 | if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) == 0) { |
| 508 | // entire home directory is not allowed | 508 | // entire home directory is not allowed |
| 509 | if (*(fname + strlen(cfg.homedir)) != '/') | 509 | if (*(fname + strlen(cfg.homedir)) != '/') { |
| 510 | free(fname); | ||
| 510 | goto errexit; | 511 | goto errexit; |
| 512 | } | ||
| 511 | } | 513 | } |
| 512 | else { | 514 | else { |
| 513 | if (checkcfg(CFG_FOLLOW_SYMLINK_AS_USER)) { | 515 | if (checkcfg(CFG_FOLLOW_SYMLINK_AS_USER)) { |
| 514 | // check if the file is owned by the user | 516 | // check if the file is owned by the user |
| 515 | if (stat(fname, &s) == 0 && s.st_uid != getuid()) | 517 | if (stat(fname, &s) == 0 && s.st_uid != getuid()) { |
| 518 | free(fname); | ||
| 516 | goto errexit; | 519 | goto errexit; |
| 520 | } | ||
| 517 | } | 521 | } |
| 518 | } | 522 | } |
| 519 | } | 523 | } |
diff --git a/src/firejail/network.c b/src/firejail/network.c index 7b84854d3..fed7539ca 100644 --- a/src/firejail/network.c +++ b/src/firejail/network.c | |||
| @@ -78,7 +78,7 @@ int net_get_mtu(const char *ifname) { | |||
| 78 | 78 | ||
| 79 | memset(&ifr, 0, sizeof(ifr)); | 79 | memset(&ifr, 0, sizeof(ifr)); |
| 80 | ifr.ifr_addr.sa_family = AF_INET; | 80 | ifr.ifr_addr.sa_family = AF_INET; |
| 81 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ); | 81 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); |
| 82 | if (ioctl(s, SIOCGIFMTU, (caddr_t)&ifr) == 0) | 82 | if (ioctl(s, SIOCGIFMTU, (caddr_t)&ifr) == 0) |
| 83 | mtu = ifr.ifr_mtu; | 83 | mtu = ifr.ifr_mtu; |
| 84 | if (arg_debug) | 84 | if (arg_debug) |
| @@ -106,7 +106,7 @@ void net_set_mtu(const char *ifname, int mtu) { | |||
| 106 | 106 | ||
| 107 | memset(&ifr, 0, sizeof(ifr)); | 107 | memset(&ifr, 0, sizeof(ifr)); |
| 108 | ifr.ifr_addr.sa_family = AF_INET; | 108 | ifr.ifr_addr.sa_family = AF_INET; |
| 109 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ); | 109 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); |
| 110 | ifr.ifr_mtu = mtu; | 110 | ifr.ifr_mtu = mtu; |
| 111 | if (ioctl(s, SIOCSIFMTU, (caddr_t)&ifr) != 0) | 111 | if (ioctl(s, SIOCSIFMTU, (caddr_t)&ifr) != 0) |
| 112 | fwarning("cannot set mtu for interface %s\n", ifname); | 112 | fwarning("cannot set mtu for interface %s\n", ifname); |
| @@ -269,7 +269,7 @@ int net_get_mac(const char *ifname, unsigned char mac[6]) { | |||
| 269 | errExit("socket"); | 269 | errExit("socket"); |
| 270 | 270 | ||
| 271 | memset(&ifr, 0, sizeof(ifr)); | 271 | memset(&ifr, 0, sizeof(ifr)); |
| 272 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ); | 272 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); |
| 273 | ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER; | 273 | ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER; |
| 274 | 274 | ||
| 275 | if (ioctl(sock, SIOCGIFHWADDR, &ifr) == -1) | 275 | if (ioctl(sock, SIOCGIFHWADDR, &ifr) == -1) |
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index 9fb4840c6..f519ed85f 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c | |||
| @@ -140,6 +140,8 @@ void preproc_clean_run(void) { | |||
| 140 | if (fp) { | 140 | if (fp) { |
| 141 | int val; | 141 | int val; |
| 142 | if (fscanf(fp, "%d", &val) == 1) { | 142 | if (fscanf(fp, "%d", &val) == 1) { |
| 143 | if (val > 4194304) // this is the max value supported on 64 bit Linux kernels | ||
| 144 | val = 4194304; | ||
| 143 | if (val >= max_pids) | 145 | if (val >= max_pids) |
| 144 | max_pids = val + 1; | 146 | max_pids = val + 1; |
| 145 | } | 147 | } |
diff --git a/src/firemon/interface.c b/src/firemon/interface.c index 71026c7b7..3e0f10d0b 100644 --- a/src/firemon/interface.c +++ b/src/firemon/interface.c | |||
| @@ -62,7 +62,7 @@ static void net_ifprint(void) { | |||
| 62 | // extract mac address | 62 | // extract mac address |
| 63 | struct ifreq ifr; | 63 | struct ifreq ifr; |
| 64 | memset(&ifr, 0, sizeof(ifr)); | 64 | memset(&ifr, 0, sizeof(ifr)); |
| 65 | strncpy(ifr.ifr_name, ifa->ifa_name, IFNAMSIZ); | 65 | strncpy(ifr.ifr_name, ifa->ifa_name, IFNAMSIZ - 1); |
| 66 | int rv = ioctl (fd, SIOCGIFHWADDR, &ifr); | 66 | int rv = ioctl (fd, SIOCGIFHWADDR, &ifr); |
| 67 | 67 | ||
| 68 | if (rv == 0) | 68 | if (rv == 0) |
diff --git a/src/fldd/main.c b/src/fldd/main.c index 4658e82fb..d9adcdcf6 100644 --- a/src/fldd/main.c +++ b/src/fldd/main.c | |||
| @@ -321,7 +321,7 @@ printf("\n"); | |||
| 321 | // attempt to open the file | 321 | // attempt to open the file |
| 322 | if (argc == 3) { | 322 | if (argc == 3) { |
| 323 | fd = open(argv[2], O_CREAT | O_TRUNC | O_WRONLY, 0644); | 323 | fd = open(argv[2], O_CREAT | O_TRUNC | O_WRONLY, 0644); |
| 324 | if (!fd) { | 324 | if (fd == -1) { |
| 325 | fprintf(stderr, "Error fldd: invalid arguments\n"); | 325 | fprintf(stderr, "Error fldd: invalid arguments\n"); |
| 326 | usage(); | 326 | usage(); |
| 327 | exit(1); | 327 | exit(1); |
diff --git a/src/fnet/arp.c b/src/fnet/arp.c index 2b6df6945..794f6c8c8 100644 --- a/src/fnet/arp.c +++ b/src/fnet/arp.c | |||
| @@ -60,7 +60,7 @@ void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) { | |||
| 60 | errExit("socket"); | 60 | errExit("socket"); |
| 61 | struct ifreq ifr; | 61 | struct ifreq ifr; |
| 62 | memset(&ifr, 0, sizeof (ifr)); | 62 | memset(&ifr, 0, sizeof (ifr)); |
| 63 | strncpy(ifr.ifr_name, dev, IFNAMSIZ); | 63 | strncpy(ifr.ifr_name, dev, IFNAMSIZ - 1); |
| 64 | if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0) | 64 | if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0) |
| 65 | errExit("ioctl"); | 65 | errExit("ioctl"); |
| 66 | close(sock); | 66 | close(sock); |
diff --git a/src/fnet/interface.c b/src/fnet/interface.c index f3e9a8993..283c6d312 100644 --- a/src/fnet/interface.c +++ b/src/fnet/interface.c | |||
| @@ -58,7 +58,7 @@ void net_bridge_add_interface(const char *bridge, const char *dev) { | |||
| 58 | errExit("socket"); | 58 | errExit("socket"); |
| 59 | 59 | ||
| 60 | memset(&ifr, 0, sizeof(ifr)); | 60 | memset(&ifr, 0, sizeof(ifr)); |
| 61 | strncpy(ifr.ifr_name, bridge, IFNAMSIZ); | 61 | strncpy(ifr.ifr_name, bridge, IFNAMSIZ - 1); |
| 62 | #ifdef SIOCBRADDIF | 62 | #ifdef SIOCBRADDIF |
| 63 | ifr.ifr_ifindex = ifindex; | 63 | ifr.ifr_ifindex = ifindex; |
| 64 | err = ioctl(sock, SIOCBRADDIF, &ifr); | 64 | err = ioctl(sock, SIOCBRADDIF, &ifr); |
| @@ -90,7 +90,7 @@ void net_if_up(const char *ifname) { | |||
| 90 | // get the existing interface flags | 90 | // get the existing interface flags |
| 91 | struct ifreq ifr; | 91 | struct ifreq ifr; |
| 92 | memset(&ifr, 0, sizeof(ifr)); | 92 | memset(&ifr, 0, sizeof(ifr)); |
| 93 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ); | 93 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); |
| 94 | ifr.ifr_addr.sa_family = AF_INET; | 94 | ifr.ifr_addr.sa_family = AF_INET; |
| 95 | 95 | ||
| 96 | // read the existing flags | 96 | // read the existing flags |
| @@ -135,7 +135,7 @@ int net_get_mtu(const char *ifname) { | |||
| 135 | 135 | ||
| 136 | memset(&ifr, 0, sizeof(ifr)); | 136 | memset(&ifr, 0, sizeof(ifr)); |
| 137 | ifr.ifr_addr.sa_family = AF_INET; | 137 | ifr.ifr_addr.sa_family = AF_INET; |
| 138 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ); | 138 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); |
| 139 | if (ioctl(s, SIOCGIFMTU, (caddr_t)&ifr) == 0) | 139 | if (ioctl(s, SIOCGIFMTU, (caddr_t)&ifr) == 0) |
| 140 | mtu = ifr.ifr_mtu; | 140 | mtu = ifr.ifr_mtu; |
| 141 | close(s); | 141 | close(s); |
| @@ -154,7 +154,7 @@ void net_set_mtu(const char *ifname, int mtu) { | |||
| 154 | 154 | ||
| 155 | memset(&ifr, 0, sizeof(ifr)); | 155 | memset(&ifr, 0, sizeof(ifr)); |
| 156 | ifr.ifr_addr.sa_family = AF_INET; | 156 | ifr.ifr_addr.sa_family = AF_INET; |
| 157 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ); | 157 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); |
| 158 | ifr.ifr_mtu = mtu; | 158 | ifr.ifr_mtu = mtu; |
| 159 | if (ioctl(s, SIOCSIFMTU, (caddr_t)&ifr) != 0) { | 159 | if (ioctl(s, SIOCSIFMTU, (caddr_t)&ifr) != 0) { |
| 160 | if (!arg_quiet) | 160 | if (!arg_quiet) |
| @@ -238,7 +238,7 @@ int net_get_mac(const char *ifname, unsigned char mac[6]) { | |||
| 238 | errExit("socket"); | 238 | errExit("socket"); |
| 239 | 239 | ||
| 240 | memset(&ifr, 0, sizeof(ifr)); | 240 | memset(&ifr, 0, sizeof(ifr)); |
| 241 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ); | 241 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); |
| 242 | ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER; | 242 | ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER; |
| 243 | 243 | ||
| 244 | if (ioctl(sock, SIOCGIFHWADDR, &ifr) == -1) | 244 | if (ioctl(sock, SIOCGIFHWADDR, &ifr) == -1) |
| @@ -258,7 +258,7 @@ void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) { | |||
| 258 | 258 | ||
| 259 | struct ifreq ifr; | 259 | struct ifreq ifr; |
| 260 | memset(&ifr, 0, sizeof(ifr)); | 260 | memset(&ifr, 0, sizeof(ifr)); |
| 261 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ); | 261 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); |
| 262 | ifr.ifr_addr.sa_family = AF_INET; | 262 | ifr.ifr_addr.sa_family = AF_INET; |
| 263 | 263 | ||
| 264 | ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr = htonl(ip); | 264 | ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr = htonl(ip); |
| @@ -292,7 +292,7 @@ int net_if_mac(const char *ifname, const unsigned char mac[6]) { | |||
| 292 | errExit("socket"); | 292 | errExit("socket"); |
| 293 | 293 | ||
| 294 | memset(&ifr, 0, sizeof(ifr)); | 294 | memset(&ifr, 0, sizeof(ifr)); |
| 295 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ); | 295 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); |
| 296 | ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER; | 296 | ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER; |
| 297 | memcpy(ifr.ifr_hwaddr.sa_data, mac, 6); | 297 | memcpy(ifr.ifr_hwaddr.sa_data, mac, 6); |
| 298 | 298 | ||
| @@ -350,7 +350,7 @@ void net_if_ip6(const char *ifname, const char *addr6) { | |||
| 350 | // find interface index | 350 | // find interface index |
| 351 | struct ifreq ifr; | 351 | struct ifreq ifr; |
| 352 | memset(&ifr, 0, sizeof(ifr)); | 352 | memset(&ifr, 0, sizeof(ifr)); |
| 353 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ); | 353 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); |
| 354 | ifr.ifr_addr.sa_family = AF_INET; | 354 | ifr.ifr_addr.sa_family = AF_INET; |
| 355 | if (ioctl(sock, SIOGIFINDEX, &ifr) < 0) { | 355 | if (ioctl(sock, SIOGIFINDEX, &ifr) < 0) { |
| 356 | perror("ioctl SIOGIFINDEX"); | 356 | perror("ioctl SIOGIFINDEX"); |