author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-02-19 14:26:15 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-02-20 17:39:31 -0300 |
commit | 490051f71494e828f2020257c012c3b28398d852 (patch) | |
tree | e565f37c36d9573dd9d95c2028361012f1132989 | |
parent | .gitattributes: mark some binary files as such (diff) | |
Fix space before/after tab in indent
This fixes all of the "space before tab in indent" errors raised by git:
$ git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904..HEAD |
grep '^[^+]' | cut -f 3 -d : | LC_ALL=C sort | uniq -c
72 space before tab in indent.
Commands used to find the errors:
$ git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904..HEAD
$ git grep -In "$(printf '\t') "
Note: Unlike "space before tab in indent", the reverse ("space after tab
in indent") is not reported by git. That is because spaces could be
intentionally used for alignment or line continuation, but in some cases
they are being used for indentation together with tabs and in others the
formatting is misaligned. The second command was used to help find and
fix these other issues.
-rw-r--r-- | README | 2 | ||||
-rw-r--r-- | src/etc-cleanup/main.c | 4 | ||||
-rw-r--r-- | src/fbuilder/build_home.c | 2 | ||||
-rw-r--r-- | src/fbuilder/filedb.c | 4 | ||||
-rw-r--r-- | src/fcopy/main.c | 2 | ||||
-rw-r--r-- | src/firecfg/util.c | 8 | ||||
-rw-r--r-- | src/firejail/appimage_size.c | 2 | ||||
-rw-r--r-- | src/firejail/chroot.c | 2 | ||||
-rw-r--r-- | src/firejail/cpu.c | 12 | ||||
-rw-r--r-- | src/firejail/fs.c | 4 | ||||
-rw-r--r-- | src/firejail/ls.c | 2 | ||||
-rw-r--r-- | src/firejail/macros.c | 6 | ||||
-rw-r--r-- | src/firejail/main.c | 70 | ||||
-rw-r--r-- | src/firejail/network.c | 2 | ||||
-rw-r--r-- | src/firejail/no_sandbox.c | 8 | ||||
-rw-r--r-- | src/firejail/restricted_shell.c | 50 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 24 | ||||
-rw-r--r-- | src/firejail/util.c | 2 | ||||
-rw-r--r-- | src/firemon/procevent.c | 2 | ||||
-rw-r--r-- | src/firemon/top.c | 3 | ||||
-rw-r--r-- | src/fnet/interface.c | 6 | ||||
-rw-r--r-- | src/fnettrace-dns/main.c | 2 | ||||
-rw-r--r-- | src/fseccomp/namespaces.c | 4 | ||||
-rw-r--r-- | src/jailcheck/noexec.c | 2 | ||||
-rw-r--r-- | src/libtrace/libtrace.c | 2 | ||||
-rw-r--r-- | src/profstats/main.c | 10 |
26 files changed, 119 insertions, 118 deletions
@@ -1079,7 +1079,7 @@ SYN-cook (https://github.com/SYN-cook) | |||
1079 | startx2017 (https://github.com/startx2017) | 1079 | startx2017 (https://github.com/startx2017) |
1080 | - syscall list update | 1080 | - syscall list update |
1081 | - updated default seccomp filters - added bpf, clock_settime, personality, process_vm_writev, query_module, | 1081 | - updated default seccomp filters - added bpf, clock_settime, personality, process_vm_writev, query_module, |
1082 | settimeofday, stime, umount, userfaultfd, ustat, vm86, and vm86old | 1082 | settimeofday, stime, umount, userfaultfd, ustat, vm86, and vm86old |
1083 | - enable/disable join support in /etc/firejail/firejail.config | 1083 | - enable/disable join support in /etc/firejail/firejail.config |
1084 | - firecfg fix: create ~/.local/share/applications directory if it doesn't exist | 1084 | - firecfg fix: create ~/.local/share/applications directory if it doesn't exist |
1085 | - firejail.config cleanup | 1085 | - firejail.config cleanup |
diff --git a/src/etc-cleanup/main.c b/src/etc-cleanup/main.c index 1f1a61f88..6c7bea6d6 100644 --- a/src/etc-cleanup/main.c +++ b/src/etc-cleanup/main.c | |||
@@ -231,8 +231,8 @@ int main(int argc, char **argv) { | |||
231 | int i; | 231 | int i; |
232 | for (i = 1; i < argc; i++) { | 232 | for (i = 1; i < argc; i++) { |
233 | if (strcmp(argv[i], "-h") == 0 || | 233 | if (strcmp(argv[i], "-h") == 0 || |
234 | strcmp(argv[i], "-?") == 0 || | 234 | strcmp(argv[i], "-?") == 0 || |
235 | strcmp(argv[i], "--help") == 0) { | 235 | strcmp(argv[i], "--help") == 0) { |
236 | usage(); | 236 | usage(); |
237 | return 0; | 237 | return 0; |
238 | } | 238 | } |
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c index 6d96b69cc..15c54911b 100644 --- a/src/fbuilder/build_home.c +++ b/src/fbuilder/build_home.c | |||
@@ -110,7 +110,7 @@ void process_home(const char *fname, char *home, int home_len) { | |||
110 | strcmp(toadd, ".cache") == 0) { | 110 | strcmp(toadd, ".cache") == 0) { |
111 | if (dir) | 111 | if (dir) |
112 | free(dir); | 112 | free(dir); |
113 | continue; | 113 | continue; |
114 | } | 114 | } |
115 | 115 | ||
116 | // clean .cache entries | 116 | // clean .cache entries |
diff --git a/src/fbuilder/filedb.c b/src/fbuilder/filedb.c index 4089f3806..5a3b389ae 100644 --- a/src/fbuilder/filedb.c +++ b/src/fbuilder/filedb.c | |||
@@ -38,8 +38,8 @@ FileDB *filedb_find(FileDB *head, const char *fname) { | |||
38 | if (strlen(fname) > ptr->len && | 38 | if (strlen(fname) > ptr->len && |
39 | fname[ptr->len] == '/' && | 39 | fname[ptr->len] == '/' && |
40 | strncmp(ptr->fname, fname, ptr->len) == 0) { | 40 | strncmp(ptr->fname, fname, ptr->len) == 0) { |
41 | found = 1; | 41 | found = 1; |
42 | break; | 42 | break; |
43 | } | 43 | } |
44 | 44 | ||
45 | ptr = ptr->next; | 45 | ptr = ptr->next; |
diff --git a/src/fcopy/main.c b/src/fcopy/main.c index f1deabf2e..da24fb3f7 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c | |||
@@ -236,7 +236,7 @@ void copy_link(const char *target, const char *linkpath, mode_t mode, uid_t uid, | |||
236 | // if the link is already there, don't create it | 236 | // if the link is already there, don't create it |
237 | struct stat s; | 237 | struct stat s; |
238 | if (lstat(linkpath, &s) == 0) | 238 | if (lstat(linkpath, &s) == 0) |
239 | return; | 239 | return; |
240 | 240 | ||
241 | char *rp = proc_pid_to_self(target); | 241 | char *rp = proc_pid_to_self(target); |
242 | if (rp) { | 242 | if (rp) { |
diff --git a/src/firecfg/util.c b/src/firecfg/util.c index dc24d4e68..4185b52dd 100644 --- a/src/firecfg/util.c +++ b/src/firecfg/util.c | |||
@@ -30,8 +30,8 @@ static int find(const char *program, const char *directory) { | |||
30 | 30 | ||
31 | struct stat s; | 31 | struct stat s; |
32 | if (stat(fname, &s) == 0) { | 32 | if (stat(fname, &s) == 0) { |
33 | if (arg_debug) | 33 | if (arg_debug) |
34 | printf("found %s in directory %s\n", program, directory); | 34 | printf("found %s in directory %s\n", program, directory); |
35 | retval = 1; | 35 | retval = 1; |
36 | } | 36 | } |
37 | 37 | ||
@@ -44,8 +44,8 @@ static int find(const char *program, const char *directory) { | |||
44 | int which(const char *program) { | 44 | int which(const char *program) { |
45 | // check some well-known paths | 45 | // check some well-known paths |
46 | if (find(program, "/bin") || find(program, "/usr/bin") || | 46 | if (find(program, "/bin") || find(program, "/usr/bin") || |
47 | find(program, "/sbin") || find(program, "/usr/sbin") || | 47 | find(program, "/sbin") || find(program, "/usr/sbin") || |
48 | find(program, "/usr/games")) | 48 | find(program, "/usr/games")) |
49 | return 1; | 49 | return 1; |
50 | 50 | ||
51 | // check environment | 51 | // check environment |
diff --git a/src/firejail/appimage_size.c b/src/firejail/appimage_size.c index 6bb530d12..c3f1620bc 100644 --- a/src/firejail/appimage_size.c +++ b/src/firejail/appimage_size.c | |||
@@ -144,7 +144,7 @@ long unsigned int appimage2_size(int fd) { | |||
144 | return 0; | 144 | return 0; |
145 | 145 | ||
146 | if ((ehdr.e_ident[EI_DATA] != ELFDATA2LSB) && | 146 | if ((ehdr.e_ident[EI_DATA] != ELFDATA2LSB) && |
147 | (ehdr.e_ident[EI_DATA] != ELFDATA2MSB)) | 147 | (ehdr.e_ident[EI_DATA] != ELFDATA2MSB)) |
148 | return 0; | 148 | return 0; |
149 | 149 | ||
150 | if(ehdr.e_ident[EI_CLASS] == ELFCLASS32) { | 150 | if(ehdr.e_ident[EI_CLASS] == ELFCLASS32) { |
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c index fef7eb724..132ac94ba 100644 --- a/src/firejail/chroot.c +++ b/src/firejail/chroot.c | |||
@@ -280,7 +280,7 @@ void fs_chroot(const char *rootdir) { | |||
280 | // fs_dev_shm(); | 280 | // fs_dev_shm(); |
281 | fs_var_lock(); | 281 | fs_var_lock(); |
282 | if (!arg_keep_var_tmp) | 282 | if (!arg_keep_var_tmp) |
283 | fs_var_tmp(); | 283 | fs_var_tmp(); |
284 | if (!arg_writable_var_log) | 284 | if (!arg_writable_var_log) |
285 | fs_var_log(); | 285 | fs_var_log(); |
286 | 286 | ||
diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c index ada76bc76..804d51caa 100644 --- a/src/firejail/cpu.c +++ b/src/firejail/cpu.c | |||
@@ -103,17 +103,17 @@ void set_cpu_affinity(void) { | |||
103 | if (sched_setaffinity(0, sizeof(mask), &mask) == -1) | 103 | if (sched_setaffinity(0, sizeof(mask), &mask) == -1) |
104 | fwarning("cannot set cpu affinity\n"); | 104 | fwarning("cannot set cpu affinity\n"); |
105 | 105 | ||
106 | // verify cpu affinity | 106 | // verify cpu affinity |
107 | cpu_set_t mask2; | 107 | cpu_set_t mask2; |
108 | CPU_ZERO(&mask2); | 108 | CPU_ZERO(&mask2); |
109 | if (sched_getaffinity(0, sizeof(mask2), &mask2) == -1) | 109 | if (sched_getaffinity(0, sizeof(mask2), &mask2) == -1) |
110 | fwarning("cannot verify cpu affinity\n"); | 110 | fwarning("cannot verify cpu affinity\n"); |
111 | else if (arg_debug) { | 111 | else if (arg_debug) { |
112 | if (CPU_EQUAL(&mask, &mask2)) | 112 | if (CPU_EQUAL(&mask, &mask2)) |
113 | printf("CPU affinity set\n"); | 113 | printf("CPU affinity set\n"); |
114 | else | 114 | else |
115 | printf("CPU affinity not set\n"); | 115 | printf("CPU affinity not set\n"); |
116 | } | 116 | } |
117 | } | 117 | } |
118 | 118 | ||
119 | static void print_cpu(ProcessHandle process) { | 119 | static void print_cpu(ProcessHandle process) { |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index d7a2edc3b..182f26e53 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -123,8 +123,8 @@ static void disable_file(OPERATION op, const char *filename) { | |||
123 | if (op == BLACKLIST_FILE || op == BLACKLIST_NOLOG) { | 123 | if (op == BLACKLIST_FILE || op == BLACKLIST_NOLOG) { |
124 | // some distros put all executables under /usr/bin and make /bin a symbolic link | 124 | // some distros put all executables under /usr/bin and make /bin a symbolic link |
125 | if ((strcmp(fname, "/bin") == 0 || strcmp(fname, "/usr/bin") == 0) && | 125 | if ((strcmp(fname, "/bin") == 0 || strcmp(fname, "/usr/bin") == 0) && |
126 | is_link(filename) && | 126 | is_link(filename) && |
127 | S_ISDIR(s.st_mode)) { | 127 | S_ISDIR(s.st_mode)) { |
128 | fwarning("%s directory link was not blacklisted\n", filename); | 128 | fwarning("%s directory link was not blacklisted\n", filename); |
129 | } | 129 | } |
130 | else { | 130 | else { |
diff --git a/src/firejail/ls.c b/src/firejail/ls.c index f2782de35..ea85fabfd 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c | |||
@@ -178,7 +178,7 @@ static void print_directory(const char *path) { | |||
178 | 178 | ||
179 | n = scandir(path, &namelist, 0, alphasort); | 179 | n = scandir(path, &namelist, 0, alphasort); |
180 | if (n < 0) | 180 | if (n < 0) |
181 | errExit("scandir"); | 181 | errExit("scandir"); |
182 | else { | 182 | else { |
183 | for (i = 0; i < n; i++) | 183 | for (i = 0; i < n; i++) |
184 | print_file_or_dir(path, namelist[i]->d_name); | 184 | print_file_or_dir(path, namelist[i]->d_name); |
diff --git a/src/firejail/macros.c b/src/firejail/macros.c index 27bb4227a..af7d02c2a 100644 --- a/src/firejail/macros.c +++ b/src/firejail/macros.c | |||
@@ -38,19 +38,19 @@ Macro macro[] = { | |||
38 | }, | 38 | }, |
39 | 39 | ||
40 | { | 40 | { |
41 | "${MUSIC}", | 41 | "${MUSIC}", |
42 | "XDG_MUSIC_DIR=\"$HOME/", | 42 | "XDG_MUSIC_DIR=\"$HOME/", |
43 | {"Music", "Музыка", "Musique", "Musica", "Música", "Musik"} | 43 | {"Music", "Музыка", "Musique", "Musica", "Música", "Musik"} |
44 | }, | 44 | }, |
45 | 45 | ||
46 | { | 46 | { |
47 | "${VIDEOS}", | 47 | "${VIDEOS}", |
48 | "XDG_VIDEOS_DIR=\"$HOME/", | 48 | "XDG_VIDEOS_DIR=\"$HOME/", |
49 | {"Videos", "Видео", "Vidéos", "Video", "Vídeos"} | 49 | {"Videos", "Видео", "Vidéos", "Video", "Vídeos"} |
50 | }, | 50 | }, |
51 | 51 | ||
52 | { | 52 | { |
53 | "${PICTURES}", | 53 | "${PICTURES}", |
54 | "XDG_PICTURES_DIR=\"$HOME/", | 54 | "XDG_PICTURES_DIR=\"$HOME/", |
55 | {"Pictures", "Изображения", "Photos", "Immagini", "Imágenes", "Imagens", "Bilder"} | 55 | {"Pictures", "Изображения", "Photos", "Immagini", "Imágenes", "Imagens", "Bilder"} |
56 | }, | 56 | }, |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 7a9d3d00d..fac357303 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -52,7 +52,7 @@ | |||
52 | int __clone2(int (*fn)(void *), | 52 | int __clone2(int (*fn)(void *), |
53 | void *child_stack_base, size_t stack_size, | 53 | void *child_stack_base, size_t stack_size, |
54 | int flags, void *arg, ... | 54 | int flags, void *arg, ... |
55 | /* pid_t *ptid, struct user_desc *tls, pid_t *ctid */ ); | 55 | /* pid_t *ptid, struct user_desc *tls, pid_t *ctid */ ); |
56 | #endif | 56 | #endif |
57 | 57 | ||
58 | uid_t firejail_uid = 0; | 58 | uid_t firejail_uid = 0; |
@@ -106,7 +106,7 @@ char *arg_netfilter6_file = NULL; // netfilter6 file | |||
106 | char *arg_netns = NULL; // "ip netns"-created network namespace to use | 106 | char *arg_netns = NULL; // "ip netns"-created network namespace to use |
107 | int arg_doubledash = 0; // double dash | 107 | int arg_doubledash = 0; // double dash |
108 | int arg_private_dev = 0; // private dev directory | 108 | int arg_private_dev = 0; // private dev directory |
109 | int arg_keep_dev_shm = 0; // preserve /dev/shm | 109 | int arg_keep_dev_shm = 0; // preserve /dev/shm |
110 | int arg_private_etc = 0; // private etc directory | 110 | int arg_private_etc = 0; // private etc directory |
111 | int arg_private_opt = 0; // private opt directory | 111 | int arg_private_opt = 0; // private opt directory |
112 | int arg_private_srv = 0; // private srv directory | 112 | int arg_private_srv = 0; // private srv directory |
@@ -129,7 +129,7 @@ int arg_writable_etc = 0; // writable etc | |||
129 | int arg_keep_config_pulse = 0; // disable automatic ~/.config/pulse init | 129 | int arg_keep_config_pulse = 0; // disable automatic ~/.config/pulse init |
130 | int arg_keep_shell_rc = 0; // do not copy shell configuration from /etc/skel | 130 | int arg_keep_shell_rc = 0; // do not copy shell configuration from /etc/skel |
131 | int arg_writable_var = 0; // writable var | 131 | int arg_writable_var = 0; // writable var |
132 | int arg_keep_var_tmp = 0; // don't overwrite /var/tmp | 132 | int arg_keep_var_tmp = 0; // don't overwrite /var/tmp |
133 | int arg_writable_run_user = 0; // writable /run/user | 133 | int arg_writable_run_user = 0; // writable /run/user |
134 | int arg_writable_var_log = 0; // writable /var/log | 134 | int arg_writable_var_log = 0; // writable /var/log |
135 | int arg_appimage = 0; // appimage | 135 | int arg_appimage = 0; // appimage |
@@ -141,7 +141,7 @@ int arg_x11_block = 0; // block X11 | |||
141 | int arg_x11_xorg = 0; // use X11 security extension | 141 | int arg_x11_xorg = 0; // use X11 security extension |
142 | int arg_allusers = 0; // all user home directories visible | 142 | int arg_allusers = 0; // all user home directories visible |
143 | int arg_machineid = 0; // spoof /etc/machine-id | 143 | int arg_machineid = 0; // spoof /etc/machine-id |
144 | int arg_allow_private_blacklist = 0; // blacklist things in private directories | 144 | int arg_allow_private_blacklist = 0; // blacklist things in private directories |
145 | int arg_disable_mnt = 0; // disable /mnt and /media | 145 | int arg_disable_mnt = 0; // disable /mnt and /media |
146 | int arg_noprofile = 0; // use default.profile if none other found/specified | 146 | int arg_noprofile = 0; // use default.profile if none other found/specified |
147 | int arg_memory_deny_write_execute = 0; // block writable and executable memory | 147 | int arg_memory_deny_write_execute = 0; // block writable and executable memory |
@@ -150,7 +150,7 @@ int arg_nodvd = 0; // --nodvd | |||
150 | int arg_nou2f = 0; // --nou2f | 150 | int arg_nou2f = 0; // --nou2f |
151 | int arg_noinput = 0; // --noinput | 151 | int arg_noinput = 0; // --noinput |
152 | int arg_deterministic_exit_code = 0; // always exit with first child's exit status | 152 | int arg_deterministic_exit_code = 0; // always exit with first child's exit status |
153 | int arg_deterministic_shutdown = 0; // shut down the sandbox if first child dies | 153 | int arg_deterministic_shutdown = 0; // shut down the sandbox if first child dies |
154 | int arg_keep_fd_all = 0; // inherit all file descriptors to sandbox | 154 | int arg_keep_fd_all = 0; // inherit all file descriptors to sandbox |
155 | DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW; // --dbus-user | 155 | DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW; // --dbus-user |
156 | DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system | 156 | DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system |
@@ -768,11 +768,11 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
768 | exit(1); | 768 | exit(1); |
769 | } | 769 | } |
770 | char *path = argv[i + 1]; | 770 | char *path = argv[i + 1]; |
771 | invalid_filename(path, 0); // no globbing | 771 | invalid_filename(path, 0); // no globbing |
772 | if (strstr(path, "..")) { | 772 | if (strstr(path, "..")) { |
773 | fprintf(stderr, "Error: invalid file name %s\n", path); | 773 | fprintf(stderr, "Error: invalid file name %s\n", path); |
774 | exit(1); | 774 | exit(1); |
775 | } | 775 | } |
776 | 776 | ||
777 | // get file | 777 | // get file |
778 | pid_t pid = require_pid(argv[i] + 6); | 778 | pid_t pid = require_pid(argv[i] + 6); |
@@ -796,17 +796,17 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
796 | exit(1); | 796 | exit(1); |
797 | } | 797 | } |
798 | char *path1 = argv[i + 1]; | 798 | char *path1 = argv[i + 1]; |
799 | invalid_filename(path1, 0); // no globbing | 799 | invalid_filename(path1, 0); // no globbing |
800 | if (strstr(path1, "..")) { | 800 | if (strstr(path1, "..")) { |
801 | fprintf(stderr, "Error: invalid file name %s\n", path1); | 801 | fprintf(stderr, "Error: invalid file name %s\n", path1); |
802 | exit(1); | 802 | exit(1); |
803 | } | 803 | } |
804 | char *path2 = argv[i + 2]; | 804 | char *path2 = argv[i + 2]; |
805 | invalid_filename(path2, 0); // no globbing | 805 | invalid_filename(path2, 0); // no globbing |
806 | if (strstr(path2, "..")) { | 806 | if (strstr(path2, "..")) { |
807 | fprintf(stderr, "Error: invalid file name %s\n", path2); | 807 | fprintf(stderr, "Error: invalid file name %s\n", path2); |
808 | exit(1); | 808 | exit(1); |
809 | } | 809 | } |
810 | 810 | ||
811 | // get file | 811 | // get file |
812 | pid_t pid = require_pid(argv[i] + 6); | 812 | pid_t pid = require_pid(argv[i] + 6); |
@@ -830,15 +830,15 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
830 | exit(1); | 830 | exit(1); |
831 | } | 831 | } |
832 | char *path = argv[i + 1]; | 832 | char *path = argv[i + 1]; |
833 | invalid_filename(path, 0); // no globbing | 833 | invalid_filename(path, 0); // no globbing |
834 | if (strstr(path, "..")) { | 834 | if (strstr(path, "..")) { |
835 | fprintf(stderr, "Error: invalid file name %s\n", path); | 835 | fprintf(stderr, "Error: invalid file name %s\n", path); |
836 | exit(1); | 836 | exit(1); |
837 | } | 837 | } |
838 | 838 | ||
839 | // list directory contents | 839 | // list directory contents |
840 | if (!arg_debug) | 840 | if (!arg_debug) |
841 | arg_quiet = 1; | 841 | arg_quiet = 1; |
842 | pid_t pid = require_pid(argv[i] + 5); | 842 | pid_t pid = require_pid(argv[i] + 5); |
843 | sandboxfs(SANDBOX_FS_LS, pid, path, NULL); | 843 | sandboxfs(SANDBOX_FS_LS, pid, path, NULL); |
844 | exit(0); | 844 | exit(0); |
@@ -867,7 +867,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
867 | 867 | ||
868 | // write file contents to stdout | 868 | // write file contents to stdout |
869 | if (!arg_debug) | 869 | if (!arg_debug) |
870 | arg_quiet = 1; | 870 | arg_quiet = 1; |
871 | pid_t pid = require_pid(argv[i] + 6); | 871 | pid_t pid = require_pid(argv[i] + 6); |
872 | sandboxfs(SANDBOX_FS_CAT, pid, path, NULL); | 872 | sandboxfs(SANDBOX_FS_CAT, pid, path, NULL); |
873 | exit(0); | 873 | exit(0); |
@@ -894,8 +894,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
894 | 894 | ||
895 | } | 895 | } |
896 | else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { | 896 | else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { |
897 | // NOTE: this is first part of option handler, | 897 | // NOTE: this is first part of option handler, sandbox name is |
898 | // sandbox name is set in other part | 898 | // set in other part |
899 | if (checkcfg(CFG_JOIN) || getuid() == 0) { | 899 | if (checkcfg(CFG_JOIN) || getuid() == 0) { |
900 | logargs(argc, argv); | 900 | logargs(argc, argv); |
901 | 901 | ||
@@ -1050,11 +1050,11 @@ static int check_postexec(const char *list) { | |||
1050 | //******************************************* | 1050 | //******************************************* |
1051 | int main(int argc, char **argv, char **envp) { | 1051 | int main(int argc, char **argv, char **envp) { |
1052 | int i; | 1052 | int i; |
1053 | int prog_index = -1; // index in argv where the program command starts | 1053 | int prog_index = -1; // index in argv where the program command starts |
1054 | int lockfd_network = -1; | 1054 | int lockfd_network = -1; |
1055 | int lockfd_directory = -1; | 1055 | int lockfd_directory = -1; |
1056 | int custom_profile = 0; // custom profile loaded | 1056 | int custom_profile = 0; // custom profile loaded |
1057 | int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot) | 1057 | int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot) |
1058 | char **ptr; | 1058 | char **ptr; |
1059 | 1059 | ||
1060 | 1060 | ||
@@ -1983,7 +1983,7 @@ int main(int argc, char **argv, char **envp) { | |||
1983 | arg_writable_var = 1; | 1983 | arg_writable_var = 1; |
1984 | } | 1984 | } |
1985 | else if (strcmp(argv[i], "--keep-var-tmp") == 0) { | 1985 | else if (strcmp(argv[i], "--keep-var-tmp") == 0) { |
1986 | arg_keep_var_tmp = 1; | 1986 | arg_keep_var_tmp = 1; |
1987 | } | 1987 | } |
1988 | else if (strcmp(argv[i], "--writable-run-user") == 0) { | 1988 | else if (strcmp(argv[i], "--writable-run-user") == 0) { |
1989 | arg_writable_run_user = 1; | 1989 | arg_writable_run_user = 1; |
@@ -2818,8 +2818,8 @@ int main(int argc, char **argv, char **envp) { | |||
2818 | } | 2818 | } |
2819 | #endif | 2819 | #endif |
2820 | else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { | 2820 | else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { |
2821 | // NOTE: this is second part of option handler, | 2821 | // NOTE: this is second part of option handler, atempt |
2822 | // atempt to find and join sandbox is done in other one | 2822 | // to find and join sandbox is done in other one |
2823 | 2823 | ||
2824 | // set sandbox name and start normally | 2824 | // set sandbox name and start normally |
2825 | cfg.name = argv[i] + 16; | 2825 | cfg.name = argv[i] + 16; |
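Review bot: The rewrapped comment in the second `--join-or-start=` handler (new lines 2821-2822) still carries the misspelling `atempt`. Both lines are rewritten by this change anyway, so the first could read `// NOTE: this is second part of option handler, attempt`. The enclosing `main()` starts and ends outside the hunks shown here.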
diff --git a/src/firejail/network.c b/src/firejail/network.c index 5163035fa..c1adf87cc 100644 --- a/src/firejail/network.c +++ b/src/firejail/network.c | |||
@@ -265,7 +265,7 @@ int net_get_mac(const char *ifname, unsigned char mac[6]) { | |||
265 | int sock; | 265 | int sock; |
266 | 266 | ||
267 | if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) | 267 | if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) |
268 | errExit("socket"); | 268 | errExit("socket"); |
269 | 269 | ||
270 | memset(&ifr, 0, sizeof(ifr)); | 270 | memset(&ifr, 0, sizeof(ifr)); |
271 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); | 271 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); |
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 3997d8f86..22ee9dc3c 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c | |||
@@ -29,10 +29,10 @@ | |||
29 | int is_container(const char *str) { | 29 | int is_container(const char *str) { |
30 | assert(str); | 30 | assert(str); |
31 | if (strcmp(str, "lxc") == 0 || | 31 | if (strcmp(str, "lxc") == 0 || |
32 | strcmp(str, "docker") == 0 || | 32 | strcmp(str, "docker") == 0 || |
33 | strcmp(str, "lxc-libvirt") == 0 || | 33 | strcmp(str, "lxc-libvirt") == 0 || |
34 | strcmp(str, "systemd-nspawn") == 0 || | 34 | strcmp(str, "systemd-nspawn") == 0 || |
35 | strcmp(str, "rkt") == 0) | 35 | strcmp(str, "rkt") == 0) |
36 | return 1; | 36 | return 1; |
37 | return 0; | 37 | return 0; |
38 | } | 38 | } |
diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c index a22e63ab3..79e0bd9df 100644 --- a/src/firejail/restricted_shell.c +++ b/src/firejail/restricted_shell.c | |||
@@ -84,16 +84,16 @@ int restricted_shell(const char *user) { | |||
84 | 84 | ||
85 | // user name globbing | 85 | // user name globbing |
86 | if (fnmatch(usr, user, 0) == 0) { | 86 | if (fnmatch(usr, user, 0) == 0) { |
87 | // process program arguments | 87 | // process program arguments |
88 | 88 | ||
89 | fullargv[0] = "firejail"; | 89 | fullargv[0] = "firejail"; |
90 | int i; | 90 | int i; |
91 | ptr = args; | 91 | ptr = args; |
92 | for (i = 1; i < MAX_ARGS; i++) { | 92 | for (i = 1; i < MAX_ARGS; i++) { |
93 | // skip blanks | 93 | // skip blanks |
94 | while (*ptr == ' ' || *ptr == '\t') | 94 | while (*ptr == ' ' || *ptr == '\t') |
95 | ptr++; | 95 | ptr++; |
96 | fullargv[i] = ptr; | 96 | fullargv[i] = ptr; |
97 | #ifdef DEBUG_RESTRICTED_SHELL | 97 | #ifdef DEBUG_RESTRICTED_SHELL |
98 | {EUID_ROOT(); | 98 | {EUID_ROOT(); |
99 | FILE *fp = fopen("/firelog", "ae"); | 99 | FILE *fp = fopen("/firelog", "ae"); |
@@ -104,23 +104,23 @@ int restricted_shell(const char *user) { | |||
104 | EUID_USER();} | 104 | EUID_USER();} |
105 | #endif | 105 | #endif |
106 | 106 | ||
107 | if (*ptr != '\0') { | 107 | if (*ptr != '\0') { |
108 | // go to the end of the word | 108 | // go to the end of the word |
109 | while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0') | 109 | while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0') |
110 | ptr++; | 110 | ptr++; |
111 | *ptr ='\0'; | 111 | *ptr ='\0'; |
112 | fullargv[i] = strdup(fullargv[i]); | 112 | fullargv[i] = strdup(fullargv[i]); |
113 | if (fullargv[i] == NULL) | 113 | if (fullargv[i] == NULL) |
114 | errExit("strdup"); | 114 | errExit("strdup"); |
115 | ptr++; | 115 | ptr++; |
116 | while (*ptr == ' ' || *ptr == '\t') | 116 | while (*ptr == ' ' || *ptr == '\t') |
117 | ptr++; | 117 | ptr++; |
118 | if (*ptr != '\0') | 118 | if (*ptr != '\0') |
119 | continue; | 119 | continue; |
120 | } | 120 | } |
121 | fullargv[i] = strdup(fullargv[i]); | 121 | fullargv[i] = strdup(fullargv[i]); |
122 | fclose(fp); | 122 | fclose(fp); |
123 | return i + 1; | 123 | return i + 1; |
124 | } | 124 | } |
125 | fprintf(stderr, "Error: too many program arguments in users.conf line %d\n", lineno); | 125 | fprintf(stderr, "Error: too many program arguments in users.conf line %d\n", lineno); |
126 | exit(1); | 126 | exit(1); |
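Review bot: The second `fullargv[i] = strdup(fullargv[i]);` (new line 121) is not checked for NULL, unlike the call at line 112, which is followed by `errExit("strdup")`. On allocation failure a NULL entry would be left in `fullargv` for an argument taken from users.conf, so the same guard belongs after it: `if (fullargv[i] == NULL) errExit("strdup");`. When the `if (*ptr != '\0')` branch falls through, this call also appears to duplicate an already duplicated string, which leaks the first copy. `restricted_shell()` starts and ends outside the hunks shown here.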
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index c4dc0ca78..a4109cc17 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -274,7 +274,7 @@ static void sandbox_if_up(Bridge *br) { | |||
274 | } | 274 | } |
275 | 275 | ||
276 | if (br->ip6sandbox) | 276 | if (br->ip6sandbox) |
277 | net_if_ip6(dev, br->ip6sandbox); | 277 | net_if_ip6(dev, br->ip6sandbox); |
278 | } | 278 | } |
279 | 279 | ||
280 | static void chk_chroot(void) { | 280 | static void chk_chroot(void) { |
@@ -650,12 +650,12 @@ int sandbox(void* sandbox_arg) { | |||
650 | if (arg_debug) | 650 | if (arg_debug) |
651 | printf("Initializing child process\n"); | 651 | printf("Initializing child process\n"); |
652 | 652 | ||
653 | // close each end of the unused pipes | 653 | // close each end of the unused pipes |
654 | close(parent_to_child_fds[1]); | 654 | close(parent_to_child_fds[1]); |
655 | close(child_to_parent_fds[0]); | 655 | close(child_to_parent_fds[0]); |
656 | 656 | ||
657 | // wait for parent to do base setup | 657 | // wait for parent to do base setup |
658 | wait_for_other(parent_to_child_fds[0]); | 658 | wait_for_other(parent_to_child_fds[0]); |
659 | 659 | ||
660 | if (arg_debug && child_pid == 1) | 660 | if (arg_debug && child_pid == 1) |
661 | printf("PID namespace installed\n"); | 661 | printf("PID namespace installed\n"); |
@@ -1259,13 +1259,13 @@ int sandbox(void* sandbox_arg) { | |||
1259 | } | 1259 | } |
1260 | 1260 | ||
1261 | // notify parent that new user namespace has been created so a proper | 1261 | // notify parent that new user namespace has been created so a proper |
1262 | // UID/GID map can be setup | 1262 | // UID/GID map can be setup |
1263 | notify_other(child_to_parent_fds[1]); | 1263 | notify_other(child_to_parent_fds[1]); |
1264 | close(child_to_parent_fds[1]); | 1264 | close(child_to_parent_fds[1]); |
1265 | 1265 | ||
1266 | // wait for parent to finish setting up a proper UID/GID map | 1266 | // wait for parent to finish setting up a proper UID/GID map |
1267 | wait_for_other(parent_to_child_fds[0]); | 1267 | wait_for_other(parent_to_child_fds[0]); |
1268 | close(parent_to_child_fds[0]); | 1268 | close(parent_to_child_fds[0]); |
1269 | 1269 | ||
1270 | // somehow, the new user namespace resets capabilities; | 1270 | // somehow, the new user namespace resets capabilities; |
1271 | // we need to do them again | 1271 | // we need to do them again |
diff --git a/src/firejail/util.c b/src/firejail/util.c index 846c27321..bafcd69ec 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -1101,7 +1101,7 @@ void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) { | |||
1101 | if (mkdir(fname, mode) == -1 || | 1101 | if (mkdir(fname, mode) == -1 || |
1102 | chmod(fname, mode) == -1 || | 1102 | chmod(fname, mode) == -1 || |
1103 | chown(fname, uid, gid)) { | 1103 | chown(fname, uid, gid)) { |
1104 | fprintf(stderr, "Error: failed to create %s directory\n", fname); | 1104 | fprintf(stderr, "Error: failed to create %s directory\n", fname); |
1105 | errExit("mkdir/chmod"); | 1105 | errExit("mkdir/chmod"); |
1106 | } | 1106 | } |
1107 | 1107 | ||
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c index ff4fdda56..77739c1f3 100644 --- a/src/firemon/procevent.c +++ b/src/firemon/procevent.c | |||
@@ -309,7 +309,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my | |||
309 | #endif | 309 | #endif |
310 | if (proc_ev->event_data.fork.child_pid != | 310 | if (proc_ev->event_data.fork.child_pid != |
311 | proc_ev->event_data.fork.child_tgid) | 311 | proc_ev->event_data.fork.child_tgid) |
312 | continue; // this is a thread, not a process | 312 | continue; // this is a thread, not a process |
313 | pid = proc_ev->event_data.fork.parent_tgid; | 313 | pid = proc_ev->event_data.fork.parent_tgid; |
314 | #ifdef DEBUG_PRCTL | 314 | #ifdef DEBUG_PRCTL |
315 | printf("%s: %d, event fork, pid %d\n", __FUNCTION__, __LINE__, pid); | 315 | printf("%s: %d, event fork, pid %d\n", __FUNCTION__, __LINE__, pid); |
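--- a/src/firemon/top.c
+++ b/src/firemon/top.c
@@ -166,7 +166,8 @@ static char *print_top(unsigned index, unsigned parent, unsigned *utime, unsigne
 snprintf(prcs_str, 10, "%d", *cnt);
 
 if (asprintf(&rv, "%-7.7s %-9.9s %-8.8s %-8.8s %-5.5s %-4.4s %-9.9s %s",
-pidstr, ptruser, rss, shared, cpu_str, prcs_str, uptime_str, ptrcmd) == -1)
+pidstr, ptruser, rss, shared, cpu_str, prcs_str,
+uptime_str, ptrcmd) == -1)
 errExit("asprintf");
 
 if (cmd)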
diff --git a/src/fnet/interface.c b/src/fnet/interface.c index aa0981269..873252d40 100644 --- a/src/fnet/interface.c +++ b/src/fnet/interface.c | |||
@@ -57,7 +57,7 @@ void net_bridge_add_interface(const char *bridge, const char *dev) { | |||
57 | 57 | ||
58 | int sock; | 58 | int sock; |
59 | if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) | 59 | if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) |
60 | errExit("socket"); | 60 | errExit("socket"); |
61 | 61 | ||
62 | memset(&ifr, 0, sizeof(ifr)); | 62 | memset(&ifr, 0, sizeof(ifr)); |
63 | strncpy(ifr.ifr_name, bridge, IFNAMSIZ - 1); | 63 | strncpy(ifr.ifr_name, bridge, IFNAMSIZ - 1); |
@@ -237,7 +237,7 @@ int net_get_mac(const char *ifname, unsigned char mac[6]) { | |||
237 | int sock; | 237 | int sock; |
238 | 238 | ||
239 | if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) | 239 | if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) |
240 | errExit("socket"); | 240 | errExit("socket"); |
241 | 241 | ||
242 | memset(&ifr, 0, sizeof(ifr)); | 242 | memset(&ifr, 0, sizeof(ifr)); |
243 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); | 243 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); |
@@ -291,7 +291,7 @@ int net_if_mac(const char *ifname, const unsigned char mac[6]) { | |||
291 | int sock; | 291 | int sock; |
292 | 292 | ||
293 | if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) | 293 | if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) |
294 | errExit("socket"); | 294 | errExit("socket"); |
295 | 295 | ||
296 | memset(&ifr, 0, sizeof(ifr)); | 296 | memset(&ifr, 0, sizeof(ifr)); |
297 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); | 297 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); |
diff --git a/src/fnettrace-dns/main.c b/src/fnettrace-dns/main.c index 60738147d..64feec5fe 100644 --- a/src/fnettrace-dns/main.c +++ b/src/fnettrace-dns/main.c | |||
@@ -124,7 +124,7 @@ static void print_date(void) { | |||
124 | 124 | ||
125 | static void run_trace(void) { | 125 | static void run_trace(void) { |
126 | // grab all Ethernet packets and use a custom BPF filter to get only UDP from source port 53 | 126 | // grab all Ethernet packets and use a custom BPF filter to get only UDP from source port 53 |
127 | int s = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); | 127 | int s = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); |
128 | if (s < 0) | 128 | if (s < 0) |
129 | errExit("socket"); | 129 | errExit("socket"); |
130 | custom_bpf(s); | 130 | custom_bpf(s); |
diff --git a/src/fseccomp/namespaces.c b/src/fseccomp/namespaces.c index ffc1dfe4c..e6c63219f 100644 --- a/src/fseccomp/namespaces.c +++ b/src/fseccomp/namespaces.c | |||
@@ -202,8 +202,8 @@ void deny_ns_32(const char *fname, const char *list) { | |||
202 | // 0003: 20 00 00 00000000 ld data.syscall-number | 202 | // 0003: 20 00 00 00000000 ld data.syscall-number |
203 | // 0004: 06 00 00 7fff0000 ret ALLOW | 203 | // 0004: 06 00 00 7fff0000 ret ALLOW |
204 | // | 204 | // |
205 | if (sizeof(filter)) | 205 | if (sizeof(filter)) |
206 | write_to_file(fd, filter, sizeof(filter)); | 206 | write_to_file(fd, filter, sizeof(filter)); |
207 | 207 | ||
208 | filter_end_blacklist(fd); | 208 | filter_end_blacklist(fd); |
209 | 209 | ||
diff --git a/src/jailcheck/noexec.c b/src/jailcheck/noexec.c index a78272591..bfeff9c7f 100644 --- a/src/jailcheck/noexec.c +++ b/src/jailcheck/noexec.c | |||
@@ -76,7 +76,7 @@ void noexec_test(const char *path) { | |||
76 | 76 | ||
77 | if (child == 0) { // child | 77 | if (child == 0) { // child |
78 | // drop privileges | 78 | // drop privileges |
79 | if (setgid(user_gid) != 0) | 79 | if (setgid(user_gid) != 0) |
80 | errExit("setgid"); | 80 | errExit("setgid"); |
81 | if (setuid(user_uid) != 0) | 81 | if (setuid(user_uid) != 0) |
82 | errExit("setuid"); | 82 | errExit("setuid"); |
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c index 97e36e5c9..231e09882 100644 --- a/src/libtrace/libtrace.c +++ b/src/libtrace/libtrace.c | |||
@@ -515,7 +515,7 @@ int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) { | |||
515 | if (!orig_connect) | 515 | if (!orig_connect) |
516 | orig_connect = (orig_connect_t)dlsym(RTLD_NEXT, "connect"); | 516 | orig_connect = (orig_connect_t)dlsym(RTLD_NEXT, "connect"); |
517 | 517 | ||
518 | int rv = orig_connect(sockfd, addr, addrlen); | 518 | int rv = orig_connect(sockfd, addr, addrlen); |
519 | print_sockaddr(sockfd, "connect", addr, rv); | 519 | print_sockaddr(sockfd, "connect", addr, rv); |
520 | 520 | ||
521 | return rv; | 521 | return rv; |
diff --git a/src/profstats/main.c b/src/profstats/main.c index 90a5f405d..491cec736 100644 --- a/src/profstats/main.c +++ b/src/profstats/main.c | |||
@@ -166,7 +166,7 @@ static void process_file(char *fname) { | |||
166 | else if (strncmp(ptr, "include whitelist-var-common.inc", 32) == 0) | 166 | else if (strncmp(ptr, "include whitelist-var-common.inc", 32) == 0) |
167 | cnt_whitelistvar++; | 167 | cnt_whitelistvar++; |
168 | else if (strncmp(ptr, "include whitelist-runuser-common.inc", 36) == 0 || | 168 | else if (strncmp(ptr, "include whitelist-runuser-common.inc", 36) == 0 || |
169 | strncmp(ptr, "blacklist ${RUNUSER}", 20) == 0) | 169 | strncmp(ptr, "blacklist ${RUNUSER}", 20) == 0) |
170 | cnt_whitelistrunuser++; | 170 | cnt_whitelistrunuser++; |
171 | else if (strncmp(ptr, "include whitelist-common.inc", 28) == 0) | 171 | else if (strncmp(ptr, "include whitelist-common.inc", 28) == 0) |
172 | cnt_whitelisthome++; | 172 | cnt_whitelisthome++; |
@@ -283,10 +283,10 @@ int main(int argc, char **argv) { | |||
283 | arg_dbus_user_none = 1; | 283 | arg_dbus_user_none = 1; |
284 | else if (*argv[i] == '-') { | 284 | else if (*argv[i] == '-') { |
285 | fprintf(stderr, "Error: invalid option %s\n", argv[i]); | 285 | fprintf(stderr, "Error: invalid option %s\n", argv[i]); |
286 | return 1; | 286 | return 1; |
287 | } | 287 | } |
288 | else | 288 | else |
289 | break; | 289 | break; |
290 | } | 290 | } |
291 | 291 | ||
292 | start = i; | 292 | start = i; |