authorLibravatar netblue30 <netblue30@yahoo.com>2016-11-27 18:10:50 -0500
committerLibravatar netblue30 <netblue30@yahoo.com>2016-11-27 18:10:50 -0500
commit4ea68a4e03592d1c685f760f66eebe3018536416 (patch)
tree950649bfa28b6f56bb4991c46eed8bd2ca3eae40
parentfixes (diff)
cleanup
-rw-r--r--src/faudit/syscall.c3
-rw-r--r--src/firejail/checkcfg.c9
-rw-r--r--src/firejail/ls.c10
-rw-r--r--src/firejail/netfilter.c8
-rw-r--r--src/firejail/sbox.c4
-rw-r--r--src/firejail/seccomp.c2
-rw-r--r--src/firejail/x11.c4
-rw-r--r--src/fseccomp/seccomp_print.c2
8 files changed, 25 insertions, 17 deletions
diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c
index 3c87305df..4cd2526ba 100644
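--- a/src/faudit/syscall.c
+++ b/src/faudit/syscall.c
@@ -35,7 +35,8 @@ void syscall_helper(int argc, char **argv) {
 (void) argc;
 
 if (strcmp(argv[2], "mount") == 0) {
-mount(NULL, NULL, NULL, 0, NULL);
+int rv = mount(NULL, NULL, NULL, 0, NULL);
+(void) rv;
 printf("\nUGLY: mount syscall permitted.\n");
 }
 else if (strcmp(argv[2], "umount2") == 0) {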
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 974fbb8a3..6565f488a 100644
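--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -33,6 +33,7 @@ int checkcfg(int val) {
 assert(val < CFG_MAX);
 int line = 0;
 FILE *fp = NULL;
+char *ptr;
 
 if (!initialized) {
 // initialize defaults
@@ -76,7 +77,7 @@ int checkcfg(int val) {
 continue;
 
 // parse line
-char *ptr = line_remove_spaces(buf);
+ptr = line_remove_spaces(buf);
 if (!ptr)
 continue;
 
@@ -286,8 +287,10 @@ int checkcfg(int val) {
 return cfg_val[val];
 
 errout:
-if (fp)
-fclose(fp);
+assert(ptr);
+free(ptr);
+assert(fp);
+fclose(fp);
 fprintf(stderr, "Error: invalid line %d in firejail configuration file\n", line );
 exit(1);
 }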
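Review bot: The new `errout:` cleanup in `checkcfg` frees and closes through pointers that are not guaranteed valid. `ptr` is declared at the top without an initializer, so any `goto errout` reached before the first `ptr = line_remove_spaces(buf)` would hand an indeterminate pointer to `free()`; and when `NDEBUG` is defined both `assert()` calls compile out, so `fclose(fp)` can run with `fp == NULL`. Most of the function lies outside the three hunks, so I cannot tell whether such a jump exists today, but the cleanup should not depend on it: declare `char *ptr = NULL;` and write the label body as `free(ptr);` followed by `if (fp) fclose(fp);` (`free(NULL)` is a no-op). It is also worth confirming that the buffer returned by `line_remove_spaces()` is released on the non-error paths of the loop, which the hunks do not show.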
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index 4b4ae1de2..77eb35f97 100644
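--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -259,11 +259,11 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
 drop_privs(0);
 
 // check access
-/* coverity[toctou] */
 if (access(fname1, R_OK) == -1) {
 fprintf(stderr, "Error: Cannot access %s\n", fname1);
 exit(1);
 }
+/* coverity[toctou] */
 char *rp = realpath(fname1, NULL);
 if (!rp) {
 fprintf(stderr, "Error: Cannot access %s\n", fname1);
@@ -316,9 +316,11 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
 // create a user-owned temporary file in /run/firejail directory
 char tmp_fname[] = "/run/firejail/tmpget-XXXXXX";
 int fd = mkstemp(tmp_fname);
-SET_PERMS_FD(fd, getuid(), getgid(), 0600);
-close(fd);
-
+if (fd != -1) {
+SET_PERMS_FD(fd, getuid(), getgid(), 0600);
+close(fd);
+}
+
 // copy the source file into the temporary file - we need to chroot
 pid_t child = fork();
 if (child < 0)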
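Review bot: In the second hunk of `sandboxfs`, a failed `mkstemp()` is now skipped silently and execution continues to the `fork()` below with `tmp_fname` naming a file this process never created. The code that copies into `tmp_fname` lies outside the hunk, but if it opens that path by name it no longer has the exclusive-creation guarantee `mkstemp()` gives for a file under `/run/firejail`. Treat the failure as fatal instead, e.g. `if (fd == -1) { fprintf(stderr, "Error: cannot create temporary file\n"); exit(1); }`, matching the error style used earlier in the function. In the first hunk the `/* coverity[toctou] */` marker only moves from `access()` to `realpath()`; a one-line comment saying why the check-then-use window is acceptable after `drop_privs(0)` would serve readers better than a bare suppression.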
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index 0136ab1f8..43f08e45b 100644
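--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -85,12 +85,14 @@ void netfilter(const char *fname) {
 filter = malloc(size + 1); // + '\0'
 if (filter == NULL)
 goto errexit;
-memset(&filter[0], 0, sizeof(filter));
+memset(filter, 0, size + 1);
 int rd = 0;
 while (rd < size) {
 int rv = read(fd, (unsigned char *) filter + rd, size - rd);
-if (rv == -1)
+if (rv == -1) {
+close(fd);
 goto errexit;
+}
 rd += rv;
 }
 
@@ -207,7 +209,7 @@ void netfilter6(const char *fname) {
 filter = malloc(size + 1); // + '\0'
 if (filter == NULL)
 goto errexit;
-memset(&filter[0], 0, sizeof(filter));
+memset(filter, 0, size + 1);
 int rd = 0;
 while (rd < size) {
 int rv = read(fd, (unsigned char *) filter + rd, size - rd);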
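Review bot: The read loop in `netfilter()` still treats only `rv == -1` as failure, so a `read()` that returns 0 leaves `rd` unchanged and `while (rd < size)` never terminates; that happens if the file ends before `size` bytes, where `size` is computed outside the hunk. Change the test to `if (rv <= 0) { close(fd); goto errexit; }`. The same loop is visible in the `netfilter6()` hunk and in the `seccomp_load()` and `load_seccomp()` hunks of this commit. The `close(fd)` on the error path is added only in `netfilter()`; the matching branch of `netfilter6()` lies outside its hunk, so whether the descriptor leaks there needs checking. `calloc(1, size + 1)` would also replace the `malloc` plus `memset` pair.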
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index dbfdd445a..65c4e35e9 100644
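--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -145,12 +145,10 @@ int sbox_run(unsigned filter, int num, ...) {
 int fd = open("/dev/null",O_RDWR, 0);
 if (fd != -1) {
 dup2 (fd, STDIN_FILENO);
-if (fd > 2)
-close (fd);
+close(fd);
 }
 else // the user could run the sandbox without /dev/null
 close(STDIN_FILENO);
-close(fd);
 }
 umask(027);
 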
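Review bot: Dropping the `if (fd > 2)` guard means `close(fd)` now also runs when `open("/dev/null", ...)` returned descriptor 0, 1 or 2, which happens if this code is entered with one of the standard streams already closed. With `fd == 0`, `dup2(fd, STDIN_FILENO)` is a no-op and the following `close(fd)` closes stdin again, so the next file the child opens becomes its standard input. Keep the guard, written as `if (fd > STDERR_FILENO) close(fd);`, and consider checking the `dup2()` return value. Removing the unconditional trailing `close(fd)` is right, since it ran after both branches on either -1 or an already closed descriptor. The enclosing block of `sbox_run` starts above the hunk.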
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index dd133b2ba..cdbbe4fdd 100644
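--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -72,7 +72,7 @@ int seccomp_load(const char *fname) {
 struct sock_filter *filter = malloc(size);
 if (filter == NULL)
 goto errexit;
-memset(&filter[0], 0, sizeof(filter));
+memset(filter, 0, size);
 int rd = 0;
 while (rd < size) {
 int rv = read(fd, (unsigned char *) filter + rd, size - rd);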
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 807f2d5f0..d9b3b23d1 100644
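--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -252,7 +252,8 @@ void x11_start_xephyr(int argc, char **argv) {
 }
 
 for (i = 0; i < (int) strlen(xephyr_extra_params)-1; i++) {
-if (pos >= (sizeof(server_argv)/sizeof(*server_argv))) {
+//todo: if working , add a -2 also in 0.9.44-bugfix
+if (pos >= (sizeof(server_argv)/sizeof(*server_argv)) - 2) {
 fprintf(stderr, "Error: arg count limit exceeded while parsing xephyr_extra_params\n");
 exit(1);
 }
@@ -716,6 +717,7 @@ void x11_xorg(void) {
 }
 if (set_perms(RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600))
 errExit("set_perms");
+/* coverity[toctou] */
 unlink(tmpfname);
 
 // mount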
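Review bot: The new bound `(sizeof(server_argv)/sizeof(*server_argv)) - 2` in `x11_start_xephyr` is explained only by a `//todo` that marks it as unverified ("if working"), so a reader cannot tell which two slots of `server_argv` are being reserved. Replace the todo with a comment stating the invariant, along the lines of `// keep room for the entries appended after this loop and the NULL terminator`, once that is confirmed against the code below the hunk, which is not shown here. If `pos` is a signed `int`, the comparison converts it to `size_t`, so naming the limit once as a constant would make both the arithmetic and the intent explicit. In the second hunk the `/* coverity[toctou] */` marker on `unlink(tmpfname)` would likewise benefit from a short reason, and the `unlink()` result is ignored.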
diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c
index af240307c..e22c682dc 100644
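--- a/src/fseccomp/seccomp_print.c
+++ b/src/fseccomp/seccomp_print.c
@@ -45,7 +45,7 @@ static void load_seccomp(const char *fname) {
 filter = malloc(size);
 if (filter == NULL)
 goto errexit;
-memset(&filter[0], 0, sizeof(filter));
+memset(filter, 0, size);
 int rd = 0;
 while (rd < size) {
 int rv = read(fd, (unsigned char *) filter + rd, size - rd);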