diff options
| author |  smitsohu <smitsohu@gmail.com> | 2019-02-06 16:13:28 +0100 |
|---|---|---|
| committer | smitsohu <smitsohu@gmail.com> | 2019-02-06 16:13:28 +0100 |
| commit | f77127f5b10f3b19c4c152b49018b24ff4d3590a (patch) | |
| tree | e43681df9f06fdaac233265034cd30a70a375f40 | |
| parent | strncmp byte count fixes (diff) | |
| parent | fix small memleak (diff) | |
| download | firejail-f77127f5b10f3b19c4c152b49018b24ff4d3590a.tar.gz firejail-f77127f5b10f3b19c4c152b49018b24ff4d3590a.tar.zst firejail-f77127f5b10f3b19c4c152b49018b24ff4d3590a.zip | |
Merge branch 'master' of https://github.com/netblue30/firejail
| -rw-r--r-- | Makefile.in | 3 | ||||
| -rw-r--r-- | etc/firejail-local | 3 | ||||
| -rw-r--r-- | etc/zoom.profile | 2 | ||||
| -rw-r--r-- | src/firejail/checkcfg.c | 268 | ||||
| -rw-r--r-- | src/firejail/profile.c | 2 | ||||
| -rw-r--r-- | src/fldd/main.c | 7 | ||||
| -rw-r--r-- | src/fsec-print/print.c | 2 | ||||
| -rw-r--r-- | src/fseccomp/syscall.c | 3 | ||||
| -rw-r--r-- | src/libtracelog/libtracelog.c | 4 | ||||
| -rw-r--r-- | src/man/firejail.txt | 2 |
10 files changed, 55 insertions, 241 deletions
diff --git a/Makefile.in b/Makefile.in index 4e87d4ae0..0cbbb374c 100644 --- a/Makefile.in +++ b/Makefile.in | |||
| @@ -134,7 +134,8 @@ ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR) | |||
| 134 | sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;" | 134 | sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;" |
| 135 | install -c -m 0644 etc/firejail-default $(DESTDIR)/$(sysconfdir)/apparmor.d/. | 135 | install -c -m 0644 etc/firejail-default $(DESTDIR)/$(sysconfdir)/apparmor.d/. |
| 136 | sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;" | 136 | sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;" |
| 137 | install -c -m 0644 etc/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/. | 137 | # install apparmor profile customization file |
| 138 | sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-local ]; then install -c -m 0644 etc/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/.; fi;" | ||
| 138 | endif | 139 | endif |
| 139 | # man pages | 140 | # man pages |
| 140 | install -m 0755 -d $(DESTDIR)/$(mandir)/man1 | 141 | install -m 0755 -d $(DESTDIR)/$(mandir)/man1 |
diff --git a/etc/firejail-local b/etc/firejail-local index cddf44f13..f086653f8 100644 --- a/etc/firejail-local +++ b/etc/firejail-local | |||
| @@ -1 +1,2 @@ | |||
| 1 | # Site-specific additions and overrides for 'firejail-default' | 1 | # Site-specific additions and overrides for 'firejail-default'. |
| 2 | # For more details, please see /etc/apparmor.d/local/README. | ||
diff --git a/etc/zoom.profile b/etc/zoom.profile index 4fbf7ca01..456b197f3 100644 --- a/etc/zoom.profile +++ b/etc/zoom.profile | |||
| @@ -6,6 +6,7 @@ include zoom.local | |||
| 6 | include globals.local | 6 | include globals.local |
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.config/zoomus.conf | 8 | noblacklist ${HOME}/.config/zoomus.conf |
| 9 | noblacklist ${HOME}/.zoom | ||
| 9 | 10 | ||
| 10 | include disable-common.inc | 11 | include disable-common.inc |
| 11 | include disable-devel.inc | 12 | include disable-devel.inc |
| @@ -14,6 +15,7 @@ include disable-programs.inc | |||
| 14 | 15 | ||
| 15 | mkdir ${HOME}/.zoom | 16 | mkdir ${HOME}/.zoom |
| 16 | whitelist ${HOME}/.cache/zoom | 17 | whitelist ${HOME}/.cache/zoom |
| 18 | whitelist ${HOME}/.config/zoomus.conf | ||
| 17 | whitelist ${HOME}/.zoom | 19 | whitelist ${HOME}/.zoom |
| 18 | include whitelist-common.inc | 20 | include whitelist-common.inc |
| 19 | 21 | ||
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 0a3c5dd08..167bd591d 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
| @@ -71,164 +71,48 @@ int checkcfg(int val) { | |||
| 71 | if (*buf == '#' || *buf == '\n') | 71 | if (*buf == '#' || *buf == '\n') |
| 72 | continue; | 72 | continue; |
| 73 | 73 | ||
| 74 | #define PARSE_YESNO(key, string) \ | ||
| 75 | else if (strncmp(ptr, string " ", strlen(string)+1) == 0) { \ | ||
| 76 | if (strcmp(ptr + strlen(string) + 1, "yes") == 0) \ | ||
| 77 | cfg_val[key] = 1; \ | ||
| 78 | else if (strcmp(ptr + strlen(string) + 1, "no") == 0) \ | ||
| 79 | cfg_val[key] = 0; \ | ||
| 80 | else \ | ||
| 81 | goto errout; \ | ||
| 82 | } | ||
| 83 | |||
| 74 | // parse line | 84 | // parse line |
| 75 | ptr = line_remove_spaces(buf); | 85 | ptr = line_remove_spaces(buf); |
| 76 | if (!ptr) | 86 | if (!ptr) |
| 77 | continue; | 87 | continue; |
| 88 | PARSE_YESNO(CFG_FILE_TRANSFER, "file-transfer") | ||
| 89 | PARSE_YESNO(CFG_DBUS, "dbus") | ||
| 90 | PARSE_YESNO(CFG_JOIN, "join") | ||
| 91 | PARSE_YESNO(CFG_X11, "x11") | ||
| 92 | PARSE_YESNO(CFG_APPARMOR, "apparmor") | ||
| 93 | PARSE_YESNO(CFG_BIND, "bind") | ||
| 94 | PARSE_YESNO(CFG_CGROUP, "cgroup") | ||
| 95 | PARSE_YESNO(CFG_NAME_CHANGE, "name-change") | ||
| 96 | PARSE_YESNO(CFG_USERNS, "userns") | ||
| 97 | PARSE_YESNO(CFG_CHROOT, "chroot") | ||
| 98 | PARSE_YESNO(CFG_FIREJAIL_PROMPT, "firejail-prompt") | ||
| 99 | PARSE_YESNO(CFG_FOLLOW_SYMLINK_AS_USER, "follow-symlink-as-user") | ||
| 100 | PARSE_YESNO(CFG_FORCE_NONEWPRIVS, "force-nonewprivs") | ||
| 101 | PARSE_YESNO(CFG_SECCOMP, "seccomp") | ||
| 102 | PARSE_YESNO(CFG_WHITELIST, "whitelist") | ||
| 103 | PARSE_YESNO(CFG_NETWORK, "network") | ||
| 104 | PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network") | ||
| 105 | PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title") | ||
| 106 | PARSE_YESNO(CFG_OVERLAYFS, "overlayfs") | ||
| 107 | PARSE_YESNO(CFG_PRIVATE_HOME, "private-home") | ||
| 108 | PARSE_YESNO(CFG_PRIVATE_CACHE, "private-cache") | ||
| 109 | PARSE_YESNO(CFG_PRIVATE_LIB, "private-lib") | ||
| 110 | PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local") | ||
| 111 | PARSE_YESNO(CFG_DISABLE_MNT, "disable-mnt") | ||
| 112 | PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach") | ||
| 113 | PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f") | ||
| 114 | #undef PARSE_YESNO | ||
| 78 | 115 | ||
| 79 | // file transfer | ||
| 80 | else if (strncmp(ptr, "file-transfer ", 14) == 0) { | ||
| 81 | if (strcmp(ptr + 14, "yes") == 0) | ||
| 82 | cfg_val[CFG_FILE_TRANSFER] = 1; | ||
| 83 | else if (strcmp(ptr + 14, "no") == 0) | ||
| 84 | cfg_val[CFG_FILE_TRANSFER] = 0; | ||
| 85 | else | ||
| 86 | goto errout; | ||
| 87 | } | ||
| 88 | // dbus | ||
| 89 | else if (strncmp(ptr, "dbus ", 5) == 0) { | ||
| 90 | if (strcmp(ptr + 5, "yes") == 0) | ||
| 91 | cfg_val[CFG_DBUS] = 1; | ||
| 92 | else if (strcmp(ptr + 5, "no") == 0) | ||
| 93 | cfg_val[CFG_DBUS] = 0; | ||
| 94 | else | ||
| 95 | goto errout; | ||
| 96 | } | ||
| 97 | // join | ||
| 98 | else if (strncmp(ptr, "join ", 5) == 0) { | ||
| 99 | if (strcmp(ptr + 5, "yes") == 0) | ||
| 100 | cfg_val[CFG_JOIN] = 1; | ||
| 101 | else if (strcmp(ptr + 5, "no") == 0) | ||
| 102 | cfg_val[CFG_JOIN] = 0; | ||
| 103 | else | ||
| 104 | goto errout; | ||
| 105 | } | ||
| 106 | // x11 | ||
| 107 | else if (strncmp(ptr, "x11 ", 4) == 0) { | ||
| 108 | if (strcmp(ptr + 4, "yes") == 0) | ||
| 109 | cfg_val[CFG_X11] = 1; | ||
| 110 | else if (strcmp(ptr + 4, "no") == 0) | ||
| 111 | cfg_val[CFG_X11] = 0; | ||
| 112 | else | ||
| 113 | goto errout; | ||
| 114 | } | ||
| 115 | // apparmor | ||
| 116 | else if (strncmp(ptr, "apparmor ", 9) == 0) { | ||
| 117 | if (strcmp(ptr + 9, "yes") == 0) | ||
| 118 | cfg_val[CFG_APPARMOR] = 1; | ||
| 119 | else if (strcmp(ptr + 9, "no") == 0) | ||
| 120 | cfg_val[CFG_APPARMOR] = 0; | ||
| 121 | else | ||
| 122 | goto errout; | ||
| 123 | } | ||
| 124 | // bind | ||
| 125 | else if (strncmp(ptr, "bind ", 5) == 0) { | ||
| 126 | if (strcmp(ptr + 5, "yes") == 0) | ||
| 127 | cfg_val[CFG_BIND] = 1; | ||
| 128 | else if (strcmp(ptr + 5, "no") == 0) | ||
| 129 | cfg_val[CFG_BIND] = 0; | ||
| 130 | else | ||
| 131 | goto errout; | ||
| 132 | } | ||
| 133 | // cgroup | ||
| 134 | else if (strncmp(ptr, "cgroup ", 7) == 0) { | ||
| 135 | if (strcmp(ptr + 7, "yes") == 0) | ||
| 136 | cfg_val[CFG_CGROUP] = 1; | ||
| 137 | else if (strcmp(ptr + 7, "no") == 0) | ||
| 138 | cfg_val[CFG_CGROUP] = 0; | ||
| 139 | else | ||
| 140 | goto errout; | ||
| 141 | } | ||
| 142 | // name change | ||
| 143 | else if (strncmp(ptr, "name-change ", 12) == 0) { | ||
| 144 | if (strcmp(ptr + 12, "yes") == 0) | ||
| 145 | cfg_val[CFG_NAME_CHANGE] = 1; | ||
| 146 | else if (strcmp(ptr + 12, "no") == 0) | ||
| 147 | cfg_val[CFG_NAME_CHANGE] = 0; | ||
| 148 | else | ||
| 149 | goto errout; | ||
| 150 | } | ||
| 151 | // user namespace | ||
| 152 | else if (strncmp(ptr, "userns ", 7) == 0) { | ||
| 153 | if (strcmp(ptr + 7, "yes") == 0) | ||
| 154 | cfg_val[CFG_USERNS] = 1; | ||
| 155 | else if (strcmp(ptr + 7, "no") == 0) | ||
| 156 | cfg_val[CFG_USERNS] = 0; | ||
| 157 | else | ||
| 158 | goto errout; | ||
| 159 | } | ||
| 160 | // chroot | ||
| 161 | else if (strncmp(ptr, "chroot ", 7) == 0) { | ||
| 162 | if (strcmp(ptr + 7, "yes") == 0) | ||
| 163 | cfg_val[CFG_CHROOT] = 1; | ||
| 164 | else if (strcmp(ptr + 7, "no") == 0) | ||
| 165 | cfg_val[CFG_CHROOT] = 0; | ||
| 166 | else | ||
| 167 | goto errout; | ||
| 168 | } | ||
| 169 | // prompt | ||
| 170 | else if (strncmp(ptr, "firejail-prompt ", 16) == 0) { | ||
| 171 | if (strcmp(ptr + 16, "yes") == 0) | ||
| 172 | cfg_val[CFG_FIREJAIL_PROMPT] = 1; | ||
| 173 | else if (strcmp(ptr + 16, "no") == 0) | ||
| 174 | cfg_val[CFG_FIREJAIL_PROMPT] = 0; | ||
| 175 | else | ||
| 176 | goto errout; | ||
| 177 | } | ||
| 178 | // follow symlink as user | ||
| 179 | else if (strncmp(ptr, "follow-symlink-as-user ", 23) == 0) { | ||
| 180 | if (strcmp(ptr + 23, "yes") == 0) | ||
| 181 | cfg_val[CFG_FOLLOW_SYMLINK_AS_USER] = 1; | ||
| 182 | else if (strcmp(ptr + 23, "no") == 0) | ||
| 183 | cfg_val[CFG_FOLLOW_SYMLINK_AS_USER] = 0; | ||
| 184 | else | ||
| 185 | goto errout; | ||
| 186 | } | ||
| 187 | // nonewprivs | ||
| 188 | else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) { | ||
| 189 | if (strcmp(ptr + 17, "yes") == 0) | ||
| 190 | cfg_val[CFG_FORCE_NONEWPRIVS] = 1; | ||
| 191 | else if (strcmp(ptr + 17, "no") == 0) | ||
| 192 | cfg_val[CFG_FORCE_NONEWPRIVS] = 0; | ||
| 193 | else | ||
| 194 | goto errout; | ||
| 195 | } | ||
| 196 | // seccomp | ||
| 197 | else if (strncmp(ptr, "seccomp ", 8) == 0) { | ||
| 198 | if (strcmp(ptr + 8, "yes") == 0) | ||
| 199 | cfg_val[CFG_SECCOMP] = 1; | ||
| 200 | else if (strcmp(ptr + 8, "no") == 0) | ||
| 201 | cfg_val[CFG_SECCOMP] = 0; | ||
| 202 | else | ||
| 203 | goto errout; | ||
| 204 | } | ||
| 205 | // whitelist | ||
| 206 | else if (strncmp(ptr, "whitelist ", 10) == 0) { | ||
| 207 | if (strcmp(ptr + 10, "yes") == 0) | ||
| 208 | cfg_val[CFG_WHITELIST] = 1; | ||
| 209 | else if (strcmp(ptr + 10, "no") == 0) | ||
| 210 | cfg_val[CFG_WHITELIST] = 0; | ||
| 211 | else | ||
| 212 | goto errout; | ||
| 213 | } | ||
| 214 | // network | ||
| 215 | else if (strncmp(ptr, "network ", 8) == 0) { | ||
| 216 | if (strcmp(ptr + 8, "yes") == 0) | ||
| 217 | cfg_val[CFG_NETWORK] = 1; | ||
| 218 | else if (strcmp(ptr + 8, "no") == 0) | ||
| 219 | cfg_val[CFG_NETWORK] = 0; | ||
| 220 | else | ||
| 221 | goto errout; | ||
| 222 | } | ||
| 223 | // network | ||
| 224 | else if (strncmp(ptr, "restricted-network ", 19) == 0) { | ||
| 225 | if (strcmp(ptr + 19, "yes") == 0) | ||
| 226 | cfg_val[CFG_RESTRICTED_NETWORK] = 1; | ||
| 227 | else if (strcmp(ptr + 19, "no") == 0) | ||
| 228 | cfg_val[CFG_RESTRICTED_NETWORK] = 0; | ||
| 229 | else | ||
| 230 | goto errout; | ||
| 231 | } | ||
| 232 | // netfilter | 116 | // netfilter |
| 233 | else if (strncmp(ptr, "netfilter-default ", 18) == 0) { | 117 | else if (strncmp(ptr, "netfilter-default ", 18) == 0) { |
| 234 | char *fname = ptr + 18; | 118 | char *fname = ptr + 18; |
| @@ -266,16 +150,6 @@ int checkcfg(int val) { | |||
| 266 | errExit("asprintf"); | 150 | errExit("asprintf"); |
| 267 | } | 151 | } |
| 268 | 152 | ||
| 269 | // xephyr window title | ||
| 270 | else if (strncmp(ptr, "xephyr-window-title ", 20) == 0) { | ||
| 271 | if (strcmp(ptr + 20, "yes") == 0) | ||
| 272 | cfg_val[CFG_XEPHYR_WINDOW_TITLE] = 1; | ||
| 273 | else if (strcmp(ptr + 20, "no") == 0) | ||
| 274 | cfg_val[CFG_XEPHYR_WINDOW_TITLE] = 0; | ||
| 275 | else | ||
| 276 | goto errout; | ||
| 277 | } | ||
| 278 | |||
| 279 | // Xephyr command extra parameters | 153 | // Xephyr command extra parameters |
| 280 | else if (strncmp(ptr, "xephyr-extra-params ", 20) == 0) { | 154 | else if (strncmp(ptr, "xephyr-extra-params ", 20) == 0) { |
| 281 | if (*xephyr_extra_params != '\0') | 155 | if (*xephyr_extra_params != '\0') |
| @@ -295,7 +169,7 @@ int checkcfg(int val) { | |||
| 295 | } | 169 | } |
| 296 | 170 | ||
| 297 | // Xvfb screen size | 171 | // Xvfb screen size |
| 298 | else if (strncmp(ptr, "xvfb-screen ", 12) == 0) { | 172 | else if (strncmp(ptr, "xvfb-screen ", 12) == 0) { |
| 299 | // expecting three numbers separated by x's | 173 | // expecting three numbers separated by x's |
| 300 | unsigned int n1; | 174 | unsigned int n1; |
| 301 | unsigned int n2; | 175 | unsigned int n2; |
| @@ -325,54 +199,6 @@ int checkcfg(int val) { | |||
| 325 | else | 199 | else |
| 326 | goto errout; | 200 | goto errout; |
| 327 | } | 201 | } |
| 328 | else if (strncmp(ptr, "overlayfs ", 10) == 0) { | ||
| 329 | if (strcmp(ptr + 10, "yes") == 0) | ||
| 330 | cfg_val[CFG_OVERLAYFS] = 1; | ||
| 331 | else if (strcmp(ptr + 10, "no") == 0) | ||
| 332 | cfg_val[CFG_OVERLAYFS] = 0; | ||
| 333 | else | ||
| 334 | goto errout; | ||
| 335 | } | ||
| 336 | else if (strncmp(ptr, "private-home ", 13) == 0) { | ||
| 337 | if (strcmp(ptr + 13, "yes") == 0) | ||
| 338 | cfg_val[CFG_PRIVATE_HOME] = 1; | ||
| 339 | else if (strcmp(ptr + 13, "no") == 0) | ||
| 340 | cfg_val[CFG_PRIVATE_HOME] = 0; | ||
| 341 | else | ||
| 342 | goto errout; | ||
| 343 | } | ||
| 344 | else if (strncmp(ptr, "private-cache ", 14) == 0) { | ||
| 345 | if (strcmp(ptr + 14, "yes") == 0) | ||
| 346 | cfg_val[CFG_PRIVATE_CACHE] = 1; | ||
| 347 | else if (strcmp(ptr + 14, "no") == 0) | ||
| 348 | cfg_val[CFG_PRIVATE_CACHE] = 0; | ||
| 349 | else | ||
| 350 | goto errout; | ||
| 351 | } | ||
| 352 | else if (strncmp(ptr, "private-lib ", 12) == 0) { | ||
| 353 | if (strcmp(ptr + 12, "yes") == 0) | ||
| 354 | cfg_val[CFG_PRIVATE_LIB] = 1; | ||
| 355 | else if (strcmp(ptr + 12, "no") == 0) | ||
| 356 | cfg_val[CFG_PRIVATE_LIB] = 0; | ||
| 357 | else | ||
| 358 | goto errout; | ||
| 359 | } | ||
| 360 | else if (strncmp(ptr, "private-bin-no-local ", 21) == 0) { | ||
| 361 | if (strcmp(ptr + 21, "yes") == 0) | ||
| 362 | cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 1; | ||
| 363 | else if (strcmp(ptr + 21, "no") == 0) | ||
| 364 | cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0; | ||
| 365 | else | ||
| 366 | goto errout; | ||
| 367 | } | ||
| 368 | else if (strncmp(ptr, "disable-mnt ", 12) == 0) { | ||
| 369 | if (strcmp(ptr + 12, "yes") == 0) | ||
| 370 | cfg_val[CFG_DISABLE_MNT] = 1; | ||
| 371 | else if (strcmp(ptr + 12, "no") == 0) | ||
| 372 | cfg_val[CFG_DISABLE_MNT] = 0; | ||
| 373 | else | ||
| 374 | goto errout; | ||
| 375 | } | ||
| 376 | // arp probes | 202 | // arp probes |
| 377 | else if (strncmp(ptr, "arp-probes ", 11) == 0) { | 203 | else if (strncmp(ptr, "arp-probes ", 11) == 0) { |
| 378 | int arp_probes = atoi(ptr + 11); | 204 | int arp_probes = atoi(ptr + 11); |
| @@ -380,24 +206,6 @@ int checkcfg(int val) { | |||
| 380 | goto errout; | 206 | goto errout; |
| 381 | cfg_val[CFG_ARP_PROBES] = arp_probes; | 207 | cfg_val[CFG_ARP_PROBES] = arp_probes; |
| 382 | } | 208 | } |
| 383 | // xpra-attach | ||
| 384 | else if (strncmp(ptr, "xpra-attach ", 12) == 0) { | ||
| 385 | if (strcmp(ptr + 12, "yes") == 0) | ||
| 386 | cfg_val[CFG_XPRA_ATTACH] = 1; | ||
| 387 | else if (strcmp(ptr + 12, "no") == 0) | ||
| 388 | cfg_val[CFG_XPRA_ATTACH] = 0; | ||
| 389 | else | ||
| 390 | goto errout; | ||
| 391 | } | ||
| 392 | // browser-disable-u2f | ||
| 393 | else if (strncmp(ptr, "browser-disable-u2f ", 20) == 0) { | ||
| 394 | if (strcmp(ptr + 20, "yes") == 0) | ||
| 395 | cfg_val[CFG_BROWSER_DISABLE_U2F] = 1; | ||
| 396 | else if (strcmp(ptr + 20, "no") == 0) | ||
| 397 | cfg_val[CFG_BROWSER_DISABLE_U2F] = 0; | ||
| 398 | else | ||
| 399 | goto errout; | ||
| 400 | } | ||
| 401 | else | 209 | else |
| 402 | goto errout; | 210 | goto errout; |
| 403 | 211 | ||
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index af7b54596..214275c7d 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
| @@ -241,7 +241,9 @@ error: | |||
| 241 | // return 1 if the command is to be added to the linked list of profile commands | 241 | // return 1 if the command is to be added to the linked list of profile commands |
| 242 | // return 0 if the command was already executed inside the function | 242 | // return 0 if the command was already executed inside the function |
| 243 | int profile_check_line(char *ptr, int lineno, const char *fname) { | 243 | int profile_check_line(char *ptr, int lineno, const char *fname) { |
| 244 | #ifdef HAVE_WHITELIST | ||
| 244 | static int whitelist_warning_printed = 0; | 245 | static int whitelist_warning_printed = 0; |
| 246 | #endif | ||
| 245 | EUID_ASSERT(); | 247 | EUID_ASSERT(); |
| 246 | 248 | ||
| 247 | // check and process conditional profile lines | 249 | // check and process conditional profile lines |
diff --git a/src/fldd/main.c b/src/fldd/main.c index d9adcdcf6..566763ff4 100644 --- a/src/fldd/main.c +++ b/src/fldd/main.c | |||
| @@ -297,7 +297,7 @@ printf("\n"); | |||
| 297 | } | 297 | } |
| 298 | 298 | ||
| 299 | 299 | ||
| 300 | if (strcmp(argv[1], "--help") == 0) { | 300 | if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") == 0) { |
| 301 | usage(); | 301 | usage(); |
| 302 | return 0; | 302 | return 0; |
| 303 | } | 303 | } |
| @@ -312,11 +312,6 @@ printf("\n"); | |||
| 312 | if (quiet && strcmp(quiet, "yes") == 0) | 312 | if (quiet && strcmp(quiet, "yes") == 0) |
| 313 | arg_quiet = 1; | 313 | arg_quiet = 1; |
| 314 | 314 | ||
| 315 | if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) { | ||
| 316 | usage(); | ||
| 317 | return 0; | ||
| 318 | } | ||
| 319 | |||
| 320 | int fd = STDOUT_FILENO; | 315 | int fd = STDOUT_FILENO; |
| 321 | // attempt to open the file | 316 | // attempt to open the file |
| 322 | if (argc == 3) { | 317 | if (argc == 3) { |
diff --git a/src/fsec-print/print.c b/src/fsec-print/print.c index 1042f0c3e..1756d60dc 100644 --- a/src/fsec-print/print.c +++ b/src/fsec-print/print.c | |||
| @@ -206,7 +206,7 @@ static void bpf_decode_args(const struct sock_filter *bpf, unsigned int line) { | |||
| 206 | printf("data.syscall-number"); | 206 | printf("data.syscall-number"); |
| 207 | syscall_loaded = 1; | 207 | syscall_loaded = 1; |
| 208 | } | 208 | } |
| 209 | else if (bpf->k == offsetof(struct seccomp_data, nr)) | 209 | else if (bpf->k == offsetof(struct seccomp_data, instruction_pointer)) |
| 210 | printf("data.instruction_pointer"); | 210 | printf("data.instruction_pointer"); |
| 211 | else { | 211 | else { |
| 212 | int index = bpf->k - offsetof(struct seccomp_data, args); | 212 | int index = bpf->k - offsetof(struct seccomp_data, args); |
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c index 3f5fbbbfa..7ea1e749d 100644 --- a/src/fseccomp/syscall.c +++ b/src/fseccomp/syscall.c | |||
| @@ -546,7 +546,7 @@ static void syscall_in_list(int fd, int syscall, int arg, void *ptrarg) { | |||
| 546 | } | 546 | } |
| 547 | else { // no problem, add to pre-exec list | 547 | else { // no problem, add to pre-exec list |
| 548 | // build syscall:error_no | 548 | // build syscall:error_no |
| 549 | char *newcall; | 549 | char *newcall = NULL; |
| 550 | if (arg != 0) { | 550 | if (arg != 0) { |
| 551 | if (asprintf(&newcall, "%s:%s", syscall_find_nr(syscall), errno_find_nr(arg)) == -1) | 551 | if (asprintf(&newcall, "%s:%s", syscall_find_nr(syscall), errno_find_nr(arg)) == -1) |
| 552 | errExit("asprintf"); | 552 | errExit("asprintf"); |
| @@ -560,6 +560,7 @@ static void syscall_in_list(int fd, int syscall, int arg, void *ptrarg) { | |||
| 560 | if (ptr->prelist) { | 560 | if (ptr->prelist) { |
| 561 | if (asprintf(&ptr->prelist, "%s,%s", ptr->prelist, newcall) == -1) | 561 | if (asprintf(&ptr->prelist, "%s,%s", ptr->prelist, newcall) == -1) |
| 562 | errExit("asprintf"); | 562 | errExit("asprintf"); |
| 563 | free(newcall); | ||
| 563 | } | 564 | } |
| 564 | else | 565 | else |
| 565 | ptr->prelist = newcall; | 566 | ptr->prelist = newcall; |
diff --git a/src/libtracelog/libtracelog.c b/src/libtracelog/libtracelog.c index 0f8d5a00d..3e74051f8 100644 --- a/src/libtracelog/libtracelog.c +++ b/src/libtracelog/libtracelog.c | |||
| @@ -181,7 +181,9 @@ static void load_blacklist(void) { | |||
| 181 | 181 | ||
| 182 | // extract blacklists | 182 | // extract blacklists |
| 183 | char buf[MAXBUF]; | 183 | char buf[MAXBUF]; |
| 184 | #ifdef DEBUG | ||
| 184 | int cnt = 0; | 185 | int cnt = 0; |
| 186 | #endif | ||
| 185 | while (fgets(buf, MAXBUF, fp)) { | 187 | while (fgets(buf, MAXBUF, fp)) { |
| 186 | if (strncmp(buf, "sandbox pid: ", 13) == 0) { | 188 | if (strncmp(buf, "sandbox pid: ", 13) == 0) { |
| 187 | char *ptr = strchr(buf, '\n'); | 189 | char *ptr = strchr(buf, '\n'); |
| @@ -202,7 +204,9 @@ static void load_blacklist(void) { | |||
| 202 | if (ptr) | 204 | if (ptr) |
| 203 | *ptr = '\0'; | 205 | *ptr = '\0'; |
| 204 | storage_add(buf + 10); | 206 | storage_add(buf + 10); |
| 207 | #ifdef DEBUG | ||
| 205 | cnt++; | 208 | cnt++; |
| 209 | #endif | ||
| 206 | } | 210 | } |
| 207 | } | 211 | } |
| 208 | fclose(fp); | 212 | fclose(fp); |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 16004193d..052aeb56b 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
| @@ -2527,7 +2527,7 @@ AppArmor support is disabled by default at compile time. Use --enable-apparmor c | |||
| 2527 | .br | 2527 | .br |
| 2528 | $ ./configure --prefix=/usr --enable-apparmor | 2528 | $ ./configure --prefix=/usr --enable-apparmor |
| 2529 | .TP | 2529 | .TP |
| 2530 | During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The local customizations can be placed in /etc/apparmor.d/local/firejail-local. The profile needs to be loaded into the kernel by reloading apparmor.service, rebooting the system or running the following command as root: | 2530 | During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The local customizations must be placed in /etc/apparmor.d/local/firejail-local. The profile needs to be loaded into the kernel by reloading apparmor.service, rebooting the system or running the following command as root: |
| 2531 | .br | 2531 | .br |
| 2532 | 2532 | ||
| 2533 | .br | 2533 | .br |