author | netblue30 <netblue30@protonmail.com> | 2023-02-24 20:50:25 -0500 |
committer | netblue30 <netblue30@protonmail.com> | 2023-02-24 20:50:25 -0500 |
commit | 71b98ed838910173ec56c977f4892fd9c53da339 (patch) | |
tree | 16b90ac1333137ffc4df4f50e152ade351c458c8 | |
parent | merges (diff) | |
parent | Merge pull request #5646 from NetSysFire/parsecd (diff) | |
Merge branch 'master' of ssh://github.com/netblue30/firejail
87 files changed, 415 insertions, 316 deletions
diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 000000000..7d98c1b14 --- /dev/null +++ b/.editorconfig | |||
@@ -0,0 +1,34 @@ | |||
1 | root = true | ||
2 | |||
3 | [*] | ||
4 | charset = utf-8 | ||
5 | end_of_line = lf | ||
6 | insert_final_newline = true | ||
7 | trim_trailing_whitespace = true | ||
8 | |||
9 | # Build | ||
10 | [configure.ac] | ||
11 | indent_size = 8 | ||
12 | indent_style = tab | ||
13 | |||
14 | [*{.mk,Makefile}{,.in}] | ||
15 | indent_size = 8 | ||
16 | indent_style = tab | ||
17 | |||
18 | # Source code and scripts | ||
19 | [*.{c,h}{,.in}] | ||
20 | indent_size = 8 | ||
21 | indent_style = tab | ||
22 | |||
23 | [*.{awk,exp,sh}{,.in}] | ||
24 | indent_size = 8 | ||
25 | indent_style = tab | ||
26 | |||
27 | [*.py{,.in}] | ||
28 | indent_size = 4 | ||
29 | indent_style = space | ||
30 | |||
31 | # Misc | ||
32 | [.gitlab-ci.yml] | ||
33 | indent_size = 4 | ||
34 | indent_style = space | ||
diff --git a/.gitattributes b/.gitattributes index 6b329f917..61bf3bfb7 100644 --- a/.gitattributes +++ b/.gitattributes | |||
@@ -1 +1,6 @@ | |||
1 | * text=auto eol=lf | ||
2 | |||
3 | *.AppImage -text | ||
4 | *.zip -text | ||
5 | |||
1 | /etc/inc/*.inc linguist-language=text | 6 | /etc/inc/*.inc linguist-language=text |
diff --git a/.github/.editorconfig b/.github/.editorconfig new file mode 100644 index 000000000..eb5c699c5 --- /dev/null +++ b/.github/.editorconfig | |||
@@ -0,0 +1,3 @@ | |||
1 | [*.yml] | ||
2 | indent_size = 2 | ||
3 | indent_style = space | ||
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index c8c6f40bd..53066013d 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md | |||
@@ -81,7 +81,7 @@ output goes here | |||
81 | <details> | 81 | <details> |
82 | <summary>Output of <code>LC_ALL=C firejail --debug /path/to/program</code></summary> | 82 | <summary>Output of <code>LC_ALL=C firejail --debug /path/to/program</code></summary> |
83 | <p> | 83 | <p> |
84 | 84 | ||
85 | <!-- If the output is too long to embed it into the comment, | 85 | <!-- If the output is too long to embed it into the comment, |
86 | create a secret gist at https://gist.github.com/ and link it here. --> | 86 | create a secret gist at https://gist.github.com/ and link it here. --> |
87 | 87 | ||
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 7cb92a938..80945c8ba 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md | |||
@@ -1,17 +1,17 @@ | |||
1 | If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR. | 1 | If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR. |
2 | 2 | ||
3 | If you submit a PR for new profiles or changing profiles, please do the following: | 3 | If you submit a PR for new profiles or changing profiles, please do the following: |
4 | - The ordering of options follow the rules described in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template). | 4 | - The ordering of options follow the rules described in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template). |
5 | > Hint: The profile-template is very new. If you install firejail with your package manager, it may be missing. In order to follow the latest rules, it is recommended to use the template from the repository. | 5 | > Hint: The profile-template is very new. If you install firejail with your package manager, it may be missing. In order to follow the latest rules, it is recommended to use the template from the repository. |
6 | - Order the arguments of options alphabetically. You can easily do this with [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py). | 6 | - Order the arguments of options alphabetically. You can easily do this with [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py). |
7 | The path to it depends on your distro: | 7 | The path to it depends on your distro: |
8 | 8 | ||
9 | | Distro | Path | | 9 | | Distro | Path | |
10 | | ------ | ---- | | 10 | | ------ | ---- | |
11 | | Arch/Fedora | `/usr/lib64/firejail/sort.py` | | 11 | | Arch/Fedora | `/usr/lib64/firejail/sort.py` | |
12 | | Debian/Ubuntu/Mint | `/usr/lib/x86_64-linux-gnu/firejail/sort.py` | | 12 | | Debian/Ubuntu/Mint | `/usr/lib/x86_64-linux-gnu/firejail/sort.py` | |
13 | | local git clone | `contrib/sort.py` | | 13 | | local git clone | `contrib/sort.py` | |
14 | 14 | ||
15 | Note also that the sort.py script exists only since firejail `0.9.61`. | 15 | Note also that the sort.py script exists only since firejail `0.9.61`. |
16 | 16 | ||
17 | See also [CONTRIBUTING.md](/CONTRIBUTING.md). | 17 | See also [CONTRIBUTING.md](/CONTRIBUTING.md). |
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 97730e533..76d3e709b 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md | |||
@@ -9,14 +9,14 @@ our [dedicated issue](https://github.com/netblue30/firejail/issues/1139). | |||
9 | 9 | ||
10 | When submitting a bug report, please provide the following information so that | 10 | When submitting a bug report, please provide the following information so that |
11 | we can handle the report more easily: | 11 | we can handle the report more easily: |
12 | - firejail version. If you're not sure, open a terminal and type `firejail --version`. | 12 | - firejail version. If you're not sure, open a terminal and type `firejail --version`. |
13 | - Linux distribution (so that we can try to reproduce it, if necessary). | 13 | - Linux distribution (so that we can try to reproduce it, if necessary). |
14 | - If you know that the problem did not exist in an earlier version of firejail, please mention it. | 14 | - If you know that the problem did not exist in an earlier version of firejail, please mention it. |
15 | - If you are reporting that a program does not work with firejail, please also run firejail with | 15 | - If you are reporting that a program does not work with firejail, please also run firejail with |
16 | the `--noprofile` argument. | 16 | the `--noprofile` argument. |
17 | For example, if `firejail firefox` does not work, please also run `firejail --noprofile firefox` and | 17 | For example, if `firejail firefox` does not work, please also run `firejail --noprofile firefox` and |
18 | let us know if it runs correctly or not. | 18 | let us know if it runs correctly or not. |
19 | - You may also try disabling various options provided in `/etc/firejail/<ProgramName.profile>` until you find out which one causes problems. It will significantly help to find solution for your issue. | 19 | - You may also try disabling various options provided in `/etc/firejail/<ProgramName.profile>` until you find out which one causes problems. It will significantly help to find solution for your issue. |
20 | 20 | ||
21 | Please note: if you are running Debian, Ubuntu, Linux Mint, or another related | 21 | Please note: if you are running Debian, Ubuntu, Linux Mint, or another related |
22 | distribution and you installed firejail from your distro's repositories, please | 22 | distribution and you installed firejail from your distro's repositories, please |
@@ -36,10 +36,10 @@ If you have already written a profile, please make sure it follows the rules des | |||
36 | 36 | ||
37 | If you add a new command, here's the checklist: | 37 | If you add a new command, here's the checklist: |
38 | 38 | ||
39 | - [ ] Update manpages: firejail(1) and firejail-profile(5) | 39 | - [ ] Update manpages: firejail(1) and firejail-profile(5) |
40 | - [ ] Update shell completions | 40 | - [ ] Update shell completions |
41 | - [ ] Update syntax files (run `make syntax` or just `make`) | 41 | - [ ] Update syntax files (run `make syntax` or just `make`) |
42 | - [ ] Update --help | 42 | - [ ] Update --help |
43 | 43 | ||
44 | # Editing the wiki | 44 | # Editing the wiki |
45 | 45 | ||
@@ -1080,7 +1080,7 @@ SYN-cook (https://github.com/SYN-cook) | |||
1080 | startx2017 (https://github.com/startx2017) | 1080 | startx2017 (https://github.com/startx2017) |
1081 | - syscall list update | 1081 | - syscall list update |
1082 | - updated default seccomp filters - added bpf, clock_settime, personality, process_vm_writev, query_module, | 1082 | - updated default seccomp filters - added bpf, clock_settime, personality, process_vm_writev, query_module, |
1083 | settimeofday, stime, umount, userfaultfd, ustat, vm86, and vm86old | 1083 | settimeofday, stime, umount, userfaultfd, ustat, vm86, and vm86old |
1084 | - enable/disable join support in /etc/firejail/firejail.config | 1084 | - enable/disable join support in /etc/firejail/firejail.config |
1085 | - firecfg fix: create ~/.local/share/applications directory if it doesn't exist | 1085 | - firecfg fix: create ~/.local/share/applications directory if it doesn't exist |
1086 | - firejail.config cleanup | 1086 | - firejail.config cleanup |
@@ -268,5 +268,3 @@ Stats: | |||
268 | dbus-system filter 12 | 268 | dbus-system filter 12 |
269 | 269 | ||
270 | ``` | 270 | ``` |
271 | |||
272 | |||
diff --git a/contrib/gdb-firejail.sh b/contrib/gdb-firejail.sh index b00cc65bc..032b031f0 100755 --- a/contrib/gdb-firejail.sh +++ b/contrib/gdb-firejail.sh | |||
@@ -13,11 +13,11 @@ set -x | |||
13 | # setuid firejail process from the absolute beginning. | 13 | # setuid firejail process from the absolute beginning. |
14 | 14 | ||
15 | if [ -z "${1##*/firejail}" ]; then | 15 | if [ -z "${1##*/firejail}" ]; then |
16 | FIREJAIL=$1 | 16 | FIREJAIL=$1 |
17 | else | 17 | else |
18 | # First argument is not named firejail, then add default unless environment | 18 | # First argument is not named firejail, then add default unless environment |
19 | # variable already set. | 19 | # variable already set. |
20 | set -- ${FIREJAIL:=$(command -v firejail)} "$@" | 20 | set -- ${FIREJAIL:=$(command -v firejail)} "$@" |
21 | fi | 21 | fi |
22 | 22 | ||
23 | bash -c "kill -STOP \$\$; exec \"\$0\" \"\$@\"" "$@" & | 23 | bash -c "kill -STOP \$\$; exec \"\$0\" \"\$@\"" "$@" & |
diff --git a/contrib/syntax/.editorconfig b/contrib/syntax/.editorconfig new file mode 100644 index 000000000..385bf17d5 --- /dev/null +++ b/contrib/syntax/.editorconfig | |||
@@ -0,0 +1,7 @@ | |||
1 | [*.lang{,.in}] | ||
2 | indent_size = 2 | ||
3 | indent_style = space | ||
4 | |||
5 | [*.vim{,.in}] | ||
6 | indent_size = 2 | ||
7 | indent_style = space | ||
diff --git a/contrib/syscalls.sh b/contrib/syscalls.sh index 2c5bdf5ec..aece84e72 100755 --- a/contrib/syscalls.sh +++ b/contrib/syscalls.sh | |||
@@ -8,22 +8,22 @@ SYSCALLS_OUTPUT_FILE="$(pwd)/syscalls.txt" | |||
8 | 8 | ||
9 | if [ $# -eq 0 ] | 9 | if [ $# -eq 0 ] |
10 | then | 10 | then |
11 | echo | 11 | echo |
12 | echo " *** No program specified!!! ***" | 12 | echo " *** No program specified!!! ***" |
13 | echo | 13 | echo |
14 | echo -e "Make this file executable and execute it as:\\n" | 14 | echo -e "Make this file executable and execute it as:\\n" |
15 | echo -e "\\e[96m syscalls.sh /full/path/to/program\\n" | 15 | echo -e "\\e[96m syscalls.sh /full/path/to/program\\n" |
16 | echo -e "\\e[39mif you saved this script in a directory in your PATH (e.g., in ${HOME}/bin), otherwise as:\\n" | 16 | echo -e "\\e[39mif you saved this script in a directory in your PATH (e.g., in ${HOME}/bin), otherwise as:\\n" |
17 | echo -e "\\e[96m ./syscalls.sh /full/path/to/program\\n" | 17 | echo -e "\\e[96m ./syscalls.sh /full/path/to/program\\n" |
18 | echo -e "\\e[39mUse the full path to the respective program to avoid executing it sandboxed with Firejail\\n(if a Firejail profile for it already exits and 'sudo firecfg' was executed earlier)\\nin order to determine the necessary system calls." | 18 | echo -e "\\e[39mUse the full path to the respective program to avoid executing it sandboxed with Firejail\\n(if a Firejail profile for it already exits and 'sudo firecfg' was executed earlier)\\nin order to determine the necessary system calls." |
19 | echo | 19 | echo |
20 | exit 0 | 20 | exit 0 |
21 | else | 21 | else |
22 | strace -cfo "$STRACE_OUTPUT_FILE" "$@" && awk '{print $NF}' "$STRACE_OUTPUT_FILE" | sed '/syscall\|-\|total/d' | sort -u | awk -vORS=, '{ print $1 }' | sed 's/,$/\n/' > "$SYSCALLS_OUTPUT_FILE" | 22 | strace -cfo "$STRACE_OUTPUT_FILE" "$@" && awk '{print $NF}' "$STRACE_OUTPUT_FILE" | sed '/syscall\|-\|total/d' | sort -u | awk -vORS=, '{ print $1 }' | sed 's/,$/\n/' > "$SYSCALLS_OUTPUT_FILE" |
23 | echo | 23 | echo |
24 | echo -e "\e[39mThese are the sorted syscalls:\n\e[93m" | 24 | echo -e "\e[39mThese are the sorted syscalls:\n\e[93m" |
25 | cat "$SYSCALLS_OUTPUT_FILE" | 25 | cat "$SYSCALLS_OUTPUT_FILE" |
26 | echo | 26 | echo |
27 | echo -e "\e[39mThe sorted syscalls were saved to:\n\e[96m$SYSCALLS_OUTPUT_FILE\n\e[39m" | 27 | echo -e "\e[39mThe sorted syscalls were saved to:\n\e[96m$SYSCALLS_OUTPUT_FILE\n\e[39m" |
28 | exit 0 | 28 | exit 0 |
29 | fi | 29 | fi |
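--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -1078,6 +1078,7 @@ blacklist ${HOME}/.ostrichriders
 blacklist ${HOME}/.paradoxinteractive
 blacklist ${HOME}/.paradoxlauncher
 blacklist ${HOME}/.parallelrealities/blobwars
+blacklist ${HOME}/.parsec
 blacklist ${HOME}/.pcsxr
 blacklist ${HOME}/.penguin-command
 blacklist ${HOME}/.pine-crash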
diff --git a/etc/profile-a-l/bibtex.profile b/etc/profile-a-l/bibtex.profile index e868dcbab..5f12d61f1 100644 --- a/etc/profile-a-l/bibtex.profile +++ b/etc/profile-a-l/bibtex.profile | |||
@@ -9,4 +9,3 @@ private-bin bibtex | |||
9 | 9 | ||
10 | # Redirect | 10 | # Redirect |
11 | include latex-common.profile | 11 | include latex-common.profile |
12 | |||
diff --git a/etc/profile-a-l/latex.profile b/etc/profile-a-l/latex.profile index 2230dd570..f6e625d35 100644 --- a/etc/profile-a-l/latex.profile +++ b/etc/profile-a-l/latex.profile | |||
@@ -9,4 +9,3 @@ private-bin latex | |||
9 | 9 | ||
10 | # Redirect | 10 | # Redirect |
11 | include latex-common.profile | 11 | include latex-common.profile |
12 | |||
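--- /dev/null
+++ b/etc/profile-m-z/parsecd.profile
@@ -0,0 +1,57 @@
+# Firejail profile for Parsec
+# Description: Remote desktop application focused on gaming and other 3D applications
+# This file is overwritten after every install/update
+# Persistent local customizations
+include parsecd.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.parsec
+ignore noexec ${HOME}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.parsec
+whitelist ${HOME}/.parsec
+whitelist /usr/share/parsec
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+# Due to the nature of parsec, the following directives will not work:
+# - no3d
+# - novideo
+# - nosound
+# - noinput (it does remote passthrough stuff for gamepads)
+# - private-dev (because of the above)
+apparmor
+caps.drop all
+nodvd
+nogroups
+nonewprivs
+notv
+nou2f
+noroot
+# Will fail to start with mty_evdev_create: 'udev_monitor_new_from_netlink' failed without netlink
+protocol unix,inet,inet6,netlink
+seccomp !tgkill
+seccomp.block-secondary
+
+# Will not start with zenity missing
+private-bin parsecd,zenity
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+restrict-namespaces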
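Review bot: `ignore noexec ${HOME}` on line 10 is the one hardening opt-out in this new profile that carries no explanation, and because `include disable-exec.inc` is still pulled in on line 14 a reader cannot tell whether the intent is to drop the `noexec ${HOME}` mount option entirely or only to let `${HOME}/.parsec` (the only writable home path left after the whitelist on line 22) hold executable content. The other relaxations on lines 30-35, 44 and 49 each state their reason, so a matching one-liner above line 10 would fit the profile's own style, e.g. `# parsecd presumably needs executable files under ${HOME}/.parsec, so noexec on ${HOME} is dropped - confirm`. `seccomp !tgkill` on line 46 likewise lacks a why-comment; a short note naming the observed failure (as line 44 does for netlink) would let a later maintainer re-test whether the exception is still required when the default filter changes.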
diff --git a/etc/profile-m-z/pdflatex.profile b/etc/profile-m-z/pdflatex.profile index caf980d4d..ddf6d0990 100644 --- a/etc/profile-m-z/pdflatex.profile +++ b/etc/profile-m-z/pdflatex.profile | |||
@@ -9,4 +9,3 @@ private-bin pdflatex | |||
9 | 9 | ||
10 | # Redirect | 10 | # Redirect |
11 | include latex-common.profile | 11 | include latex-common.profile |
12 | |||
diff --git a/etc/profile-m-z/presentations18.profile b/etc/profile-m-z/presentations18.profile index 65d684c40..ac844d1af 100644 --- a/etc/profile-m-z/presentations18.profile +++ b/etc/profile-m-z/presentations18.profile | |||
@@ -8,4 +8,3 @@ include globals.local | |||
8 | 8 | ||
9 | # Redirect | 9 | # Redirect |
10 | include softmaker-common.profile | 10 | include softmaker-common.profile |
11 | |||
diff --git a/etc/profile-m-z/rpcs3.profile b/etc/profile-m-z/rpcs3.profile index 186e31b46..405ab818d 100644 --- a/etc/profile-m-z/rpcs3.profile +++ b/etc/profile-m-z/rpcs3.profile | |||
@@ -2,7 +2,7 @@ | |||
2 | # Description: RPCS3 emulator | 2 | # Description: RPCS3 emulator |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include rpcs3.local | 5 | include rpcs3.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
diff --git a/etc/profile-m-z/tex.profile b/etc/profile-m-z/tex.profile index f56c3038e..c850cf5c3 100644 --- a/etc/profile-m-z/tex.profile +++ b/etc/profile-m-z/tex.profile | |||
@@ -9,4 +9,3 @@ private-bin tex | |||
9 | 9 | ||
10 | # Redirect | 10 | # Redirect |
11 | include latex-common.profile | 11 | include latex-common.profile |
12 | |||
diff --git a/etc/profile-m-z/textmaker18.profile b/etc/profile-m-z/textmaker18.profile index e5a4b6454..8284df791 100644 --- a/etc/profile-m-z/textmaker18.profile +++ b/etc/profile-m-z/textmaker18.profile | |||
@@ -8,4 +8,3 @@ include globals.local | |||
8 | 8 | ||
9 | # Redirect | 9 | # Redirect |
10 | include softmaker-common.profile | 10 | include softmaker-common.profile |
11 | |||
diff --git a/etc/profile-m-z/textmaker18free.profile b/etc/profile-m-z/textmaker18free.profile index 0e918bf0a..ad945ca55 100644 --- a/etc/profile-m-z/textmaker18free.profile +++ b/etc/profile-m-z/textmaker18free.profile | |||
@@ -8,4 +8,3 @@ include globals.local | |||
8 | 8 | ||
9 | # Redirect | 9 | # Redirect |
10 | include softmaker-common.profile | 10 | include softmaker-common.profile |
11 | |||
diff --git a/platform/rpm/.editorconfig b/platform/rpm/.editorconfig new file mode 100644 index 000000000..964dd36dd --- /dev/null +++ b/platform/rpm/.editorconfig | |||
@@ -0,0 +1,3 @@ | |||
1 | [*.sh{,.in}] | ||
2 | indent_size = 4 | ||
3 | indent_style = space | ||
diff --git a/platform/rpm/mkrpm.sh b/platform/rpm/mkrpm.sh index 34104c7b2..d32ccd360 100755 --- a/platform/rpm/mkrpm.sh +++ b/platform/rpm/mkrpm.sh | |||
@@ -31,7 +31,7 @@ fi | |||
31 | tmpdir=$(mktemp -d) | 31 | tmpdir=$(mktemp -d) |
32 | mkdir -p ${tmpdir}/{BUILD,RPMS,SOURCES,SPECS,SRPMS} | 32 | mkdir -p ${tmpdir}/{BUILD,RPMS,SOURCES,SPECS,SRPMS} |
33 | function cleanup { | 33 | function cleanup { |
34 | rm -rf ${tmpdir} | 34 | rm -rf ${tmpdir} |
35 | } | 35 | } |
36 | trap cleanup EXIT | 36 | trap cleanup EXIT |
37 | 37 | ||
diff --git a/src/bash_completion/.editorconfig b/src/bash_completion/.editorconfig new file mode 100644 index 000000000..298a13b5e --- /dev/null +++ b/src/bash_completion/.editorconfig | |||
@@ -0,0 +1,3 @@ | |||
1 | [*.bash_completion{,.in}] | ||
2 | indent_size = 4 | ||
3 | indent_style = space | ||
diff --git a/src/etc-cleanup/main.c b/src/etc-cleanup/main.c index a51043e66..6c7bea6d6 100644 --- a/src/etc-cleanup/main.c +++ b/src/etc-cleanup/main.c | |||
@@ -231,8 +231,8 @@ int main(int argc, char **argv) { | |||
231 | int i; | 231 | int i; |
232 | for (i = 1; i < argc; i++) { | 232 | for (i = 1; i < argc; i++) { |
233 | if (strcmp(argv[i], "-h") == 0 || | 233 | if (strcmp(argv[i], "-h") == 0 || |
234 | strcmp(argv[i], "-?") == 0 || | 234 | strcmp(argv[i], "-?") == 0 || |
235 | strcmp(argv[i], "--help") == 0) { | 235 | strcmp(argv[i], "--help") == 0) { |
236 | usage(); | 236 | usage(); |
237 | return 0; | 237 | return 0; |
238 | } | 238 | } |
@@ -252,4 +252,4 @@ int main(int argc, char **argv) { | |||
252 | process_file(argv[i]); | 252 | process_file(argv[i]); |
253 | 253 | ||
254 | return 0; | 254 | return 0; |
255 | } \ No newline at end of file | 255 | } |
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c index 6d96b69cc..15c54911b 100644 --- a/src/fbuilder/build_home.c +++ b/src/fbuilder/build_home.c | |||
@@ -110,7 +110,7 @@ void process_home(const char *fname, char *home, int home_len) { | |||
110 | strcmp(toadd, ".cache") == 0) { | 110 | strcmp(toadd, ".cache") == 0) { |
111 | if (dir) | 111 | if (dir) |
112 | free(dir); | 112 | free(dir); |
113 | continue; | 113 | continue; |
114 | } | 114 | } |
115 | 115 | ||
116 | // clean .cache entries | 116 | // clean .cache entries |
diff --git a/src/fbuilder/filedb.c b/src/fbuilder/filedb.c index 4089f3806..5a3b389ae 100644 --- a/src/fbuilder/filedb.c +++ b/src/fbuilder/filedb.c | |||
@@ -38,8 +38,8 @@ FileDB *filedb_find(FileDB *head, const char *fname) { | |||
38 | if (strlen(fname) > ptr->len && | 38 | if (strlen(fname) > ptr->len && |
39 | fname[ptr->len] == '/' && | 39 | fname[ptr->len] == '/' && |
40 | strncmp(ptr->fname, fname, ptr->len) == 0) { | 40 | strncmp(ptr->fname, fname, ptr->len) == 0) { |
41 | found = 1; | 41 | found = 1; |
42 | break; | 42 | break; |
43 | } | 43 | } |
44 | 44 | ||
45 | ptr = ptr->next; | 45 | ptr = ptr->next; |
diff --git a/src/fbuilder/main.c b/src/fbuilder/main.c index ebb273f12..7fdf9af68 100644 --- a/src/fbuilder/main.c +++ b/src/fbuilder/main.c | |||
@@ -32,7 +32,7 @@ int main(int argc, char **argv) { | |||
32 | system("cat /proc/self/status"); | 32 | system("cat /proc/self/status"); |
33 | int i; | 33 | int i; |
34 | for (i = 0; i < argc; i++) | 34 | for (i = 0; i < argc; i++) |
35 | printf("*%s* ", argv[i]); | 35 | printf("*%s* ", argv[i]); |
36 | printf("\n"); | 36 | printf("\n"); |
37 | } | 37 | } |
38 | #endif | 38 | #endif |
diff --git a/src/fcopy/main.c b/src/fcopy/main.c index f1deabf2e..ce2efb295 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c | |||
@@ -92,7 +92,7 @@ static void selinux_relabel_path(const char *path, const char *inside_path) { | |||
92 | printf("Cannot relabel %s: %s\n", path, strerror(errno)); | 92 | printf("Cannot relabel %s: %s\n", path, strerror(errno)); |
93 | } | 93 | } |
94 | freecon(fcon); | 94 | freecon(fcon); |
95 | close: | 95 | close: |
96 | close(fd); | 96 | close(fd); |
97 | #else | 97 | #else |
98 | (void) path; | 98 | (void) path; |
@@ -236,7 +236,7 @@ void copy_link(const char *target, const char *linkpath, mode_t mode, uid_t uid, | |||
236 | // if the link is already there, don't create it | 236 | // if the link is already there, don't create it |
237 | struct stat s; | 237 | struct stat s; |
238 | if (lstat(linkpath, &s) == 0) | 238 | if (lstat(linkpath, &s) == 0) |
239 | return; | 239 | return; |
240 | 240 | ||
241 | char *rp = proc_pid_to_self(target); | 241 | char *rp = proc_pid_to_self(target); |
242 | if (rp) { | 242 | if (rp) { |
diff --git a/src/fids/config b/src/fids/config index c18c97260..7828622e8 100644 --- a/src/fids/config +++ b/src/fids/config | |||
@@ -13,4 +13,3 @@ | |||
13 | /home/netblue/Desktop/*.desktop | 13 | /home/netblue/Desktop/*.desktop |
14 | /home/netblue/.ssh | 14 | /home/netblue/.ssh |
15 | /home/netblue/.gnupg | 15 | /home/netblue/.gnupg |
16 | |||
diff --git a/src/fids/db.c b/src/fids/db.c index 6a21a4e14..7cad11cca 100644 --- a/src/fids/db.c +++ b/src/fids/db.c | |||
@@ -155,4 +155,3 @@ errexit: | |||
155 | fprintf(stderr, "Error fids: database corrupted\n"); | 155 | fprintf(stderr, "Error fids: database corrupted\n"); |
156 | exit(1); | 156 | exit(1); |
157 | } | 157 | } |
158 | |||
diff --git a/src/fids/db_exclude.c b/src/fids/db_exclude.c index 18a05209a..aedb95e4f 100644 --- a/src/fids/db_exclude.c +++ b/src/fids/db_exclude.c | |||
@@ -53,4 +53,3 @@ int db_exclude_check(const char *fname) { | |||
53 | 53 | ||
54 | return 0; | 54 | return 0; |
55 | } | 55 | } |
56 | |||
diff --git a/src/firecfg/util.c b/src/firecfg/util.c index dc24d4e68..4185b52dd 100644 --- a/src/firecfg/util.c +++ b/src/firecfg/util.c | |||
@@ -30,8 +30,8 @@ static int find(const char *program, const char *directory) { | |||
30 | 30 | ||
31 | struct stat s; | 31 | struct stat s; |
32 | if (stat(fname, &s) == 0) { | 32 | if (stat(fname, &s) == 0) { |
33 | if (arg_debug) | 33 | if (arg_debug) |
34 | printf("found %s in directory %s\n", program, directory); | 34 | printf("found %s in directory %s\n", program, directory); |
35 | retval = 1; | 35 | retval = 1; |
36 | } | 36 | } |
37 | 37 | ||
@@ -44,8 +44,8 @@ static int find(const char *program, const char *directory) { | |||
44 | int which(const char *program) { | 44 | int which(const char *program) { |
45 | // check some well-known paths | 45 | // check some well-known paths |
46 | if (find(program, "/bin") || find(program, "/usr/bin") || | 46 | if (find(program, "/bin") || find(program, "/usr/bin") || |
47 | find(program, "/sbin") || find(program, "/usr/sbin") || | 47 | find(program, "/sbin") || find(program, "/usr/sbin") || |
48 | find(program, "/usr/games")) | 48 | find(program, "/usr/games")) |
49 | return 1; | 49 | return 1; |
50 | 50 | ||
51 | // check environment | 51 | // check environment |
diff --git a/src/firejail/appimage_size.c b/src/firejail/appimage_size.c index 6bb530d12..60c4c0364 100644 --- a/src/firejail/appimage_size.c +++ b/src/firejail/appimage_size.c | |||
@@ -17,8 +17,9 @@ | |||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | 17 | * with this program; if not, write to the Free Software Foundation, Inc., |
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | |||
20 | /* | 21 | /* |
21 | This code borrows heavily from src/libappimage_shared/elf.c in libappimage | 22 | * This code borrows heavily from src/libappimage_shared/elf.c in libappimage |
22 | */ | 23 | */ |
23 | /* | 24 | /* |
24 | Compile with: | 25 | Compile with: |
@@ -144,7 +145,7 @@ long unsigned int appimage2_size(int fd) { | |||
144 | return 0; | 145 | return 0; |
145 | 146 | ||
146 | if ((ehdr.e_ident[EI_DATA] != ELFDATA2LSB) && | 147 | if ((ehdr.e_ident[EI_DATA] != ELFDATA2LSB) && |
147 | (ehdr.e_ident[EI_DATA] != ELFDATA2MSB)) | 148 | (ehdr.e_ident[EI_DATA] != ELFDATA2MSB)) |
148 | return 0; | 149 | return 0; |
149 | 150 | ||
150 | if(ehdr.e_ident[EI_CLASS] == ELFCLASS32) { | 151 | if(ehdr.e_ident[EI_CLASS] == ELFCLASS32) { |
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c index fef7eb724..132ac94ba 100644 --- a/src/firejail/chroot.c +++ b/src/firejail/chroot.c | |||
@@ -280,7 +280,7 @@ void fs_chroot(const char *rootdir) { | |||
280 | // fs_dev_shm(); | 280 | // fs_dev_shm(); |
281 | fs_var_lock(); | 281 | fs_var_lock(); |
282 | if (!arg_keep_var_tmp) | 282 | if (!arg_keep_var_tmp) |
283 | fs_var_tmp(); | 283 | fs_var_tmp(); |
284 | if (!arg_writable_var_log) | 284 | if (!arg_writable_var_log) |
285 | fs_var_log(); | 285 | fs_var_log(); |
286 | 286 | ||
diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c index ada76bc76..804d51caa 100644 --- a/src/firejail/cpu.c +++ b/src/firejail/cpu.c | |||
@@ -103,17 +103,17 @@ void set_cpu_affinity(void) { | |||
103 | if (sched_setaffinity(0, sizeof(mask), &mask) == -1) | 103 | if (sched_setaffinity(0, sizeof(mask), &mask) == -1) |
104 | fwarning("cannot set cpu affinity\n"); | 104 | fwarning("cannot set cpu affinity\n"); |
105 | 105 | ||
106 | // verify cpu affinity | 106 | // verify cpu affinity |
107 | cpu_set_t mask2; | 107 | cpu_set_t mask2; |
108 | CPU_ZERO(&mask2); | 108 | CPU_ZERO(&mask2); |
109 | if (sched_getaffinity(0, sizeof(mask2), &mask2) == -1) | 109 | if (sched_getaffinity(0, sizeof(mask2), &mask2) == -1) |
110 | fwarning("cannot verify cpu affinity\n"); | 110 | fwarning("cannot verify cpu affinity\n"); |
111 | else if (arg_debug) { | 111 | else if (arg_debug) { |
112 | if (CPU_EQUAL(&mask, &mask2)) | 112 | if (CPU_EQUAL(&mask, &mask2)) |
113 | printf("CPU affinity set\n"); | 113 | printf("CPU affinity set\n"); |
114 | else | 114 | else |
115 | printf("CPU affinity not set\n"); | 115 | printf("CPU affinity not set\n"); |
116 | } | 116 | } |
117 | } | 117 | } |
118 | 118 | ||
119 | static void print_cpu(ProcessHandle process) { | 119 | static void print_cpu(ProcessHandle process) { |
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c index a41071305..b2f9fe2d2 100644 --- a/src/firejail/dbus.c +++ b/src/firejail/dbus.c | |||
@@ -263,7 +263,7 @@ static char *find_user_socket_by_format(char *format) { | |||
263 | if (!S_ISSOCK(s.st_mode)) | 263 | if (!S_ISSOCK(s.st_mode)) |
264 | goto fail; | 264 | goto fail; |
265 | return dbus_user_socket; | 265 | return dbus_user_socket; |
266 | fail: | 266 | fail: |
267 | free(dbus_user_socket); | 267 | free(dbus_user_socket); |
268 | return NULL; | 268 | return NULL; |
269 | } | 269 | } |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 30c1b441c..824164c8a 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -266,7 +266,7 @@ static inline int any_ip6_dhcp(void) { | |||
266 | } | 266 | } |
267 | 267 | ||
268 | static inline int any_dhcp(void) { | 268 | static inline int any_dhcp(void) { |
269 | return any_ip_dhcp() || any_ip6_dhcp(); | 269 | return any_ip_dhcp() || any_ip6_dhcp(); |
270 | } | 270 | } |
271 | 271 | ||
272 | extern int arg_private; // mount private /home | 272 | extern int arg_private; // mount private /home |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index d7a2edc3b..182f26e53 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -123,8 +123,8 @@ static void disable_file(OPERATION op, const char *filename) { | |||
123 | if (op == BLACKLIST_FILE || op == BLACKLIST_NOLOG) { | 123 | if (op == BLACKLIST_FILE || op == BLACKLIST_NOLOG) { |
124 | // some distros put all executables under /usr/bin and make /bin a symbolic link | 124 | // some distros put all executables under /usr/bin and make /bin a symbolic link |
125 | if ((strcmp(fname, "/bin") == 0 || strcmp(fname, "/usr/bin") == 0) && | 125 | if ((strcmp(fname, "/bin") == 0 || strcmp(fname, "/usr/bin") == 0) && |
126 | is_link(filename) && | 126 | is_link(filename) && |
127 | S_ISDIR(s.st_mode)) { | 127 | S_ISDIR(s.st_mode)) { |
128 | fwarning("%s directory link was not blacklisted\n", filename); | 128 | fwarning("%s directory link was not blacklisted\n", filename); |
129 | } | 129 | } |
130 | else { | 130 | else { |
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index 6c4d4c0c6..3b7369ea8 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c | |||
@@ -402,4 +402,3 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c | |||
402 | fs_private_dir_mount(private_dir, private_run_dir); | 402 | fs_private_dir_mount(private_dir, private_run_dir); |
403 | fmessage("Private %s installed in %0.2f ms\n", private_dir, timetrace_end()); | 403 | fmessage("Private %s installed in %0.2f ms\n", private_dir, timetrace_end()); |
404 | } | 404 | } |
405 | |||
diff --git a/src/firejail/ls.c b/src/firejail/ls.c index f2782de35..ea85fabfd 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c | |||
@@ -178,7 +178,7 @@ static void print_directory(const char *path) { | |||
178 | 178 | ||
179 | n = scandir(path, &namelist, 0, alphasort); | 179 | n = scandir(path, &namelist, 0, alphasort); |
180 | if (n < 0) | 180 | if (n < 0) |
181 | errExit("scandir"); | 181 | errExit("scandir"); |
182 | else { | 182 | else { |
183 | for (i = 0; i < n; i++) | 183 | for (i = 0; i < n; i++) |
184 | print_file_or_dir(path, namelist[i]->d_name); | 184 | print_file_or_dir(path, namelist[i]->d_name); |
diff --git a/src/firejail/macros.c b/src/firejail/macros.c index 27bb4227a..af7d02c2a 100644 --- a/src/firejail/macros.c +++ b/src/firejail/macros.c | |||
@@ -38,19 +38,19 @@ Macro macro[] = { | |||
38 | }, | 38 | }, |
39 | 39 | ||
40 | { | 40 | { |
41 | "${MUSIC}", | 41 | "${MUSIC}", |
42 | "XDG_MUSIC_DIR=\"$HOME/", | 42 | "XDG_MUSIC_DIR=\"$HOME/", |
43 | {"Music", "Музыка", "Musique", "Musica", "Música", "Musik"} | 43 | {"Music", "Музыка", "Musique", "Musica", "Música", "Musik"} |
44 | }, | 44 | }, |
45 | 45 | ||
46 | { | 46 | { |
47 | "${VIDEOS}", | 47 | "${VIDEOS}", |
48 | "XDG_VIDEOS_DIR=\"$HOME/", | 48 | "XDG_VIDEOS_DIR=\"$HOME/", |
49 | {"Videos", "Видео", "Vidéos", "Video", "Vídeos"} | 49 | {"Videos", "Видео", "Vidéos", "Video", "Vídeos"} |
50 | }, | 50 | }, |
51 | 51 | ||
52 | { | 52 | { |
53 | "${PICTURES}", | 53 | "${PICTURES}", |
54 | "XDG_PICTURES_DIR=\"$HOME/", | 54 | "XDG_PICTURES_DIR=\"$HOME/", |
55 | {"Pictures", "Изображения", "Photos", "Immagini", "Imágenes", "Imagens", "Bilder"} | 55 | {"Pictures", "Изображения", "Photos", "Immagini", "Imágenes", "Imagens", "Bilder"} |
56 | }, | 56 | }, |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 7a9d3d00d..ac84f00c9 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -47,12 +47,12 @@ | |||
47 | #endif | 47 | #endif |
48 | 48 | ||
49 | #ifdef __ia64__ | 49 | #ifdef __ia64__ |
50 | /* clone(2) has a different interface on ia64, as it needs to know | 50 | /* clone(2) has a different interface on ia64, as it needs to know the size of |
51 | the size of the stack */ | 51 | * the stack */ |
52 | int __clone2(int (*fn)(void *), | 52 | int __clone2(int (*fn)(void *), |
53 | void *child_stack_base, size_t stack_size, | 53 | void *child_stack_base, size_t stack_size, |
54 | int flags, void *arg, ... | 54 | int flags, void *arg, ... |
55 | /* pid_t *ptid, struct user_desc *tls, pid_t *ctid */ ); | 55 | /* pid_t *ptid, struct user_desc *tls, pid_t *ctid */ ); |
56 | #endif | 56 | #endif |
57 | 57 | ||
58 | uid_t firejail_uid = 0; | 58 | uid_t firejail_uid = 0; |
@@ -106,7 +106,7 @@ char *arg_netfilter6_file = NULL; // netfilter6 file | |||
106 | char *arg_netns = NULL; // "ip netns"-created network namespace to use | 106 | char *arg_netns = NULL; // "ip netns"-created network namespace to use |
107 | int arg_doubledash = 0; // double dash | 107 | int arg_doubledash = 0; // double dash |
108 | int arg_private_dev = 0; // private dev directory | 108 | int arg_private_dev = 0; // private dev directory |
109 | int arg_keep_dev_shm = 0; // preserve /dev/shm | 109 | int arg_keep_dev_shm = 0; // preserve /dev/shm |
110 | int arg_private_etc = 0; // private etc directory | 110 | int arg_private_etc = 0; // private etc directory |
111 | int arg_private_opt = 0; // private opt directory | 111 | int arg_private_opt = 0; // private opt directory |
112 | int arg_private_srv = 0; // private srv directory | 112 | int arg_private_srv = 0; // private srv directory |
@@ -129,7 +129,7 @@ int arg_writable_etc = 0; // writable etc | |||
129 | int arg_keep_config_pulse = 0; // disable automatic ~/.config/pulse init | 129 | int arg_keep_config_pulse = 0; // disable automatic ~/.config/pulse init |
130 | int arg_keep_shell_rc = 0; // do not copy shell configuration from /etc/skel | 130 | int arg_keep_shell_rc = 0; // do not copy shell configuration from /etc/skel |
131 | int arg_writable_var = 0; // writable var | 131 | int arg_writable_var = 0; // writable var |
132 | int arg_keep_var_tmp = 0; // don't overwrite /var/tmp | 132 | int arg_keep_var_tmp = 0; // don't overwrite /var/tmp |
133 | int arg_writable_run_user = 0; // writable /run/user | 133 | int arg_writable_run_user = 0; // writable /run/user |
134 | int arg_writable_var_log = 0; // writable /var/log | 134 | int arg_writable_var_log = 0; // writable /var/log |
135 | int arg_appimage = 0; // appimage | 135 | int arg_appimage = 0; // appimage |
@@ -141,7 +141,7 @@ int arg_x11_block = 0; // block X11 | |||
141 | int arg_x11_xorg = 0; // use X11 security extension | 141 | int arg_x11_xorg = 0; // use X11 security extension |
142 | int arg_allusers = 0; // all user home directories visible | 142 | int arg_allusers = 0; // all user home directories visible |
143 | int arg_machineid = 0; // spoof /etc/machine-id | 143 | int arg_machineid = 0; // spoof /etc/machine-id |
144 | int arg_allow_private_blacklist = 0; // blacklist things in private directories | 144 | int arg_allow_private_blacklist = 0; // blacklist things in private directories |
145 | int arg_disable_mnt = 0; // disable /mnt and /media | 145 | int arg_disable_mnt = 0; // disable /mnt and /media |
146 | int arg_noprofile = 0; // use default.profile if none other found/specified | 146 | int arg_noprofile = 0; // use default.profile if none other found/specified |
147 | int arg_memory_deny_write_execute = 0; // block writable and executable memory | 147 | int arg_memory_deny_write_execute = 0; // block writable and executable memory |
@@ -150,7 +150,7 @@ int arg_nodvd = 0; // --nodvd | |||
150 | int arg_nou2f = 0; // --nou2f | 150 | int arg_nou2f = 0; // --nou2f |
151 | int arg_noinput = 0; // --noinput | 151 | int arg_noinput = 0; // --noinput |
152 | int arg_deterministic_exit_code = 0; // always exit with first child's exit status | 152 | int arg_deterministic_exit_code = 0; // always exit with first child's exit status |
153 | int arg_deterministic_shutdown = 0; // shut down the sandbox if first child dies | 153 | int arg_deterministic_shutdown = 0; // shut down the sandbox if first child dies |
154 | int arg_keep_fd_all = 0; // inherit all file descriptors to sandbox | 154 | int arg_keep_fd_all = 0; // inherit all file descriptors to sandbox |
155 | DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW; // --dbus-user | 155 | DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW; // --dbus-user |
156 | DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system | 156 | DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system |
@@ -768,11 +768,11 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
768 | exit(1); | 768 | exit(1); |
769 | } | 769 | } |
770 | char *path = argv[i + 1]; | 770 | char *path = argv[i + 1]; |
771 | invalid_filename(path, 0); // no globbing | 771 | invalid_filename(path, 0); // no globbing |
772 | if (strstr(path, "..")) { | 772 | if (strstr(path, "..")) { |
773 | fprintf(stderr, "Error: invalid file name %s\n", path); | 773 | fprintf(stderr, "Error: invalid file name %s\n", path); |
774 | exit(1); | 774 | exit(1); |
775 | } | 775 | } |
776 | 776 | ||
777 | // get file | 777 | // get file |
778 | pid_t pid = require_pid(argv[i] + 6); | 778 | pid_t pid = require_pid(argv[i] + 6); |
@@ -796,17 +796,17 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
796 | exit(1); | 796 | exit(1); |
797 | } | 797 | } |
798 | char *path1 = argv[i + 1]; | 798 | char *path1 = argv[i + 1]; |
799 | invalid_filename(path1, 0); // no globbing | 799 | invalid_filename(path1, 0); // no globbing |
800 | if (strstr(path1, "..")) { | 800 | if (strstr(path1, "..")) { |
801 | fprintf(stderr, "Error: invalid file name %s\n", path1); | 801 | fprintf(stderr, "Error: invalid file name %s\n", path1); |
802 | exit(1); | 802 | exit(1); |
803 | } | 803 | } |
804 | char *path2 = argv[i + 2]; | 804 | char *path2 = argv[i + 2]; |
805 | invalid_filename(path2, 0); // no globbing | 805 | invalid_filename(path2, 0); // no globbing |
806 | if (strstr(path2, "..")) { | 806 | if (strstr(path2, "..")) { |
807 | fprintf(stderr, "Error: invalid file name %s\n", path2); | 807 | fprintf(stderr, "Error: invalid file name %s\n", path2); |
808 | exit(1); | 808 | exit(1); |
809 | } | 809 | } |
810 | 810 | ||
811 | // get file | 811 | // get file |
812 | pid_t pid = require_pid(argv[i] + 6); | 812 | pid_t pid = require_pid(argv[i] + 6); |
@@ -830,15 +830,15 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
830 | exit(1); | 830 | exit(1); |
831 | } | 831 | } |
832 | char *path = argv[i + 1]; | 832 | char *path = argv[i + 1]; |
833 | invalid_filename(path, 0); // no globbing | 833 | invalid_filename(path, 0); // no globbing |
834 | if (strstr(path, "..")) { | 834 | if (strstr(path, "..")) { |
835 | fprintf(stderr, "Error: invalid file name %s\n", path); | 835 | fprintf(stderr, "Error: invalid file name %s\n", path); |
836 | exit(1); | 836 | exit(1); |
837 | } | 837 | } |
838 | 838 | ||
839 | // list directory contents | 839 | // list directory contents |
840 | if (!arg_debug) | 840 | if (!arg_debug) |
841 | arg_quiet = 1; | 841 | arg_quiet = 1; |
842 | pid_t pid = require_pid(argv[i] + 5); | 842 | pid_t pid = require_pid(argv[i] + 5); |
843 | sandboxfs(SANDBOX_FS_LS, pid, path, NULL); | 843 | sandboxfs(SANDBOX_FS_LS, pid, path, NULL); |
844 | exit(0); | 844 | exit(0); |
@@ -867,7 +867,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
867 | 867 | ||
868 | // write file contents to stdout | 868 | // write file contents to stdout |
869 | if (!arg_debug) | 869 | if (!arg_debug) |
870 | arg_quiet = 1; | 870 | arg_quiet = 1; |
871 | pid_t pid = require_pid(argv[i] + 6); | 871 | pid_t pid = require_pid(argv[i] + 6); |
872 | sandboxfs(SANDBOX_FS_CAT, pid, path, NULL); | 872 | sandboxfs(SANDBOX_FS_CAT, pid, path, NULL); |
873 | exit(0); | 873 | exit(0); |
@@ -894,8 +894,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
894 | 894 | ||
895 | } | 895 | } |
896 | else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { | 896 | else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { |
897 | // NOTE: this is first part of option handler, | 897 | // Note: This is the first part of the option handler; the |
898 | // sandbox name is set in other part | 898 | // sandbox name is set in the other part |
899 | if (checkcfg(CFG_JOIN) || getuid() == 0) { | 899 | if (checkcfg(CFG_JOIN) || getuid() == 0) { |
900 | logargs(argc, argv); | 900 | logargs(argc, argv); |
901 | 901 | ||
@@ -1050,11 +1050,11 @@ static int check_postexec(const char *list) { | |||
1050 | //******************************************* | 1050 | //******************************************* |
1051 | int main(int argc, char **argv, char **envp) { | 1051 | int main(int argc, char **argv, char **envp) { |
1052 | int i; | 1052 | int i; |
1053 | int prog_index = -1; // index in argv where the program command starts | 1053 | int prog_index = -1; // index in argv where the program command starts |
1054 | int lockfd_network = -1; | 1054 | int lockfd_network = -1; |
1055 | int lockfd_directory = -1; | 1055 | int lockfd_directory = -1; |
1056 | int custom_profile = 0; // custom profile loaded | 1056 | int custom_profile = 0; // custom profile loaded |
1057 | int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot) | 1057 | int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot) |
1058 | char **ptr; | 1058 | char **ptr; |
1059 | 1059 | ||
1060 | 1060 | ||
@@ -1080,7 +1080,8 @@ int main(int argc, char **argv, char **envp) { | |||
1080 | // sanity check for arguments | 1080 | // sanity check for arguments |
1081 | for (i = 0; i < argc; i++) { | 1081 | for (i = 0; i < argc; i++) { |
1082 | if (strlen(argv[i]) >= MAX_ARG_LEN) { | 1082 | if (strlen(argv[i]) >= MAX_ARG_LEN) { |
1083 | fprintf(stderr, "Error: too long arguments: argv[%d] len (%zu) >= MAX_ARG_LEN (%d)\n", i, strlen(argv[i]), MAX_ARG_LEN); | 1083 | fprintf(stderr, "Error: too long argument: argv[%d] len (%zu) >= MAX_ARG_LEN (%d): %s\n", |
1084 | i, strlen(argv[i]), MAX_ARG_LEN, argv[i]); | ||
1084 | exit(1); | 1085 | exit(1); |
1085 | } | 1086 | } |
1086 | } | 1087 | } |
@@ -1983,7 +1984,7 @@ int main(int argc, char **argv, char **envp) { | |||
1983 | arg_writable_var = 1; | 1984 | arg_writable_var = 1; |
1984 | } | 1985 | } |
1985 | else if (strcmp(argv[i], "--keep-var-tmp") == 0) { | 1986 | else if (strcmp(argv[i], "--keep-var-tmp") == 0) { |
1986 | arg_keep_var_tmp = 1; | 1987 | arg_keep_var_tmp = 1; |
1987 | } | 1988 | } |
1988 | else if (strcmp(argv[i], "--writable-run-user") == 0) { | 1989 | else if (strcmp(argv[i], "--writable-run-user") == 0) { |
1989 | arg_writable_run_user = 1; | 1990 | arg_writable_run_user = 1; |
@@ -2818,8 +2819,9 @@ int main(int argc, char **argv, char **envp) { | |||
2818 | } | 2819 | } |
2819 | #endif | 2820 | #endif |
2820 | else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { | 2821 | else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { |
2821 | // NOTE: this is second part of option handler, | 2822 | // Note: This is the second part of the option handler; |
2822 | // atempt to find and join sandbox is done in other one | 2823 | // the attempt to find and join the sandbox is done in |
2824 | // the other one | ||
2823 | 2825 | ||
2824 | // set sandbox name and start normally | 2826 | // set sandbox name and start normally |
2825 | cfg.name = argv[i] + 16; | 2827 | cfg.name = argv[i] + 16; |
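Review bot: In the `@@ -1080,7 +1080,8 @@` hunk the rejected argument is now echoed verbatim into the error message, so the line written to stderr is guaranteed to be at least MAX_ARG_LEN bytes long and carries whatever bytes the invoking user placed in argv[i], including control or terminal escape sequences, into the error output and any log that captures it. Since the point of the message is to identify which argument failed, a bounded prefix is enough: `"Error: too long argument: argv[%d] len (%zu) >= MAX_ARG_LEN (%d): %.64s...\n"` keeps the diagnostic useful without reproducing the oversized input, and hoisting `strlen(argv[i])` into a local avoids computing it twice in the same branch. The enclosing main() starts and ends outside this hunk.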
diff --git a/src/firejail/network.c b/src/firejail/network.c index 5163035fa..c1adf87cc 100644 --- a/src/firejail/network.c +++ b/src/firejail/network.c | |||
@@ -265,7 +265,7 @@ int net_get_mac(const char *ifname, unsigned char mac[6]) { | |||
265 | int sock; | 265 | int sock; |
266 | 266 | ||
267 | if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) | 267 | if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) |
268 | errExit("socket"); | 268 | errExit("socket"); |
269 | 269 | ||
270 | memset(&ifr, 0, sizeof(ifr)); | 270 | memset(&ifr, 0, sizeof(ifr)); |
271 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); | 271 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); |
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 3997d8f86..22ee9dc3c 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c | |||
@@ -29,10 +29,10 @@ | |||
29 | int is_container(const char *str) { | 29 | int is_container(const char *str) { |
30 | assert(str); | 30 | assert(str); |
31 | if (strcmp(str, "lxc") == 0 || | 31 | if (strcmp(str, "lxc") == 0 || |
32 | strcmp(str, "docker") == 0 || | 32 | strcmp(str, "docker") == 0 || |
33 | strcmp(str, "lxc-libvirt") == 0 || | 33 | strcmp(str, "lxc-libvirt") == 0 || |
34 | strcmp(str, "systemd-nspawn") == 0 || | 34 | strcmp(str, "systemd-nspawn") == 0 || |
35 | strcmp(str, "rkt") == 0) | 35 | strcmp(str, "rkt") == 0) |
36 | return 1; | 36 | return 1; |
37 | return 0; | 37 | return 0; |
38 | } | 38 | } |
diff --git a/src/firejail/oom.c b/src/firejail/oom.c index f4df3538c..482fc0ad0 100644 --- a/src/firejail/oom.c +++ b/src/firejail/oom.c | |||
@@ -84,4 +84,3 @@ void oom_set(const char *oom_string) { | |||
84 | if (waitpid(child, &status, 0) == -1 ) | 84 | if (waitpid(child, &status, 0) == -1 ) |
85 | errExit("waitpid"); | 85 | errExit("waitpid"); |
86 | } | 86 | } |
87 | |||
diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c index a22e63ab3..79e0bd9df 100644 --- a/src/firejail/restricted_shell.c +++ b/src/firejail/restricted_shell.c | |||
@@ -84,16 +84,16 @@ int restricted_shell(const char *user) { | |||
84 | 84 | ||
85 | // user name globbing | 85 | // user name globbing |
86 | if (fnmatch(usr, user, 0) == 0) { | 86 | if (fnmatch(usr, user, 0) == 0) { |
87 | // process program arguments | 87 | // process program arguments |
88 | 88 | ||
89 | fullargv[0] = "firejail"; | 89 | fullargv[0] = "firejail"; |
90 | int i; | 90 | int i; |
91 | ptr = args; | 91 | ptr = args; |
92 | for (i = 1; i < MAX_ARGS; i++) { | 92 | for (i = 1; i < MAX_ARGS; i++) { |
93 | // skip blanks | 93 | // skip blanks |
94 | while (*ptr == ' ' || *ptr == '\t') | 94 | while (*ptr == ' ' || *ptr == '\t') |
95 | ptr++; | 95 | ptr++; |
96 | fullargv[i] = ptr; | 96 | fullargv[i] = ptr; |
97 | #ifdef DEBUG_RESTRICTED_SHELL | 97 | #ifdef DEBUG_RESTRICTED_SHELL |
98 | {EUID_ROOT(); | 98 | {EUID_ROOT(); |
99 | FILE *fp = fopen("/firelog", "ae"); | 99 | FILE *fp = fopen("/firelog", "ae"); |
@@ -104,23 +104,23 @@ int restricted_shell(const char *user) { | |||
104 | EUID_USER();} | 104 | EUID_USER();} |
105 | #endif | 105 | #endif |
106 | 106 | ||
107 | if (*ptr != '\0') { | 107 | if (*ptr != '\0') { |
108 | // go to the end of the word | 108 | // go to the end of the word |
109 | while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0') | 109 | while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0') |
110 | ptr++; | 110 | ptr++; |
111 | *ptr ='\0'; | 111 | *ptr ='\0'; |
112 | fullargv[i] = strdup(fullargv[i]); | 112 | fullargv[i] = strdup(fullargv[i]); |
113 | if (fullargv[i] == NULL) | 113 | if (fullargv[i] == NULL) |
114 | errExit("strdup"); | 114 | errExit("strdup"); |
115 | ptr++; | 115 | ptr++; |
116 | while (*ptr == ' ' || *ptr == '\t') | 116 | while (*ptr == ' ' || *ptr == '\t') |
117 | ptr++; | 117 | ptr++; |
118 | if (*ptr != '\0') | 118 | if (*ptr != '\0') |
119 | continue; | 119 | continue; |
120 | } | 120 | } |
121 | fullargv[i] = strdup(fullargv[i]); | 121 | fullargv[i] = strdup(fullargv[i]); |
122 | fclose(fp); | 122 | fclose(fp); |
123 | return i + 1; | 123 | return i + 1; |
124 | } | 124 | } |
125 | fprintf(stderr, "Error: too many program arguments in users.conf line %d\n", lineno); | 125 | fprintf(stderr, "Error: too many program arguments in users.conf line %d\n", lineno); |
126 | exit(1); | 126 | exit(1); |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index c4dc0ca78..a4109cc17 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -274,7 +274,7 @@ static void sandbox_if_up(Bridge *br) { | |||
274 | } | 274 | } |
275 | 275 | ||
276 | if (br->ip6sandbox) | 276 | if (br->ip6sandbox) |
277 | net_if_ip6(dev, br->ip6sandbox); | 277 | net_if_ip6(dev, br->ip6sandbox); |
278 | } | 278 | } |
279 | 279 | ||
280 | static void chk_chroot(void) { | 280 | static void chk_chroot(void) { |
@@ -650,12 +650,12 @@ int sandbox(void* sandbox_arg) { | |||
650 | if (arg_debug) | 650 | if (arg_debug) |
651 | printf("Initializing child process\n"); | 651 | printf("Initializing child process\n"); |
652 | 652 | ||
653 | // close each end of the unused pipes | 653 | // close each end of the unused pipes |
654 | close(parent_to_child_fds[1]); | 654 | close(parent_to_child_fds[1]); |
655 | close(child_to_parent_fds[0]); | 655 | close(child_to_parent_fds[0]); |
656 | 656 | ||
657 | // wait for parent to do base setup | 657 | // wait for parent to do base setup |
658 | wait_for_other(parent_to_child_fds[0]); | 658 | wait_for_other(parent_to_child_fds[0]); |
659 | 659 | ||
660 | if (arg_debug && child_pid == 1) | 660 | if (arg_debug && child_pid == 1) |
661 | printf("PID namespace installed\n"); | 661 | printf("PID namespace installed\n"); |
@@ -1259,13 +1259,13 @@ int sandbox(void* sandbox_arg) { | |||
1259 | } | 1259 | } |
1260 | 1260 | ||
1261 | // notify parent that new user namespace has been created so a proper | 1261 | // notify parent that new user namespace has been created so a proper |
1262 | // UID/GID map can be setup | 1262 | // UID/GID map can be setup |
1263 | notify_other(child_to_parent_fds[1]); | 1263 | notify_other(child_to_parent_fds[1]); |
1264 | close(child_to_parent_fds[1]); | 1264 | close(child_to_parent_fds[1]); |
1265 | 1265 | ||
1266 | // wait for parent to finish setting up a proper UID/GID map | 1266 | // wait for parent to finish setting up a proper UID/GID map |
1267 | wait_for_other(parent_to_child_fds[0]); | 1267 | wait_for_other(parent_to_child_fds[0]); |
1268 | close(parent_to_child_fds[0]); | 1268 | close(parent_to_child_fds[0]); |
1269 | 1269 | ||
1270 | // somehow, the new user namespace resets capabilities; | 1270 | // somehow, the new user namespace resets capabilities; |
1271 | // we need to do them again | 1271 | // we need to do them again |
diff --git a/src/firejail/selinux.c b/src/firejail/selinux.c index 5beda294d..08f3b3122 100644 --- a/src/firejail/selinux.c +++ b/src/firejail/selinux.c | |||
@@ -78,7 +78,7 @@ void selinux_relabel_path(const char *path, const char *inside_path) | |||
78 | } | 78 | } |
79 | 79 | ||
80 | freecon(fcon); | 80 | freecon(fcon); |
81 | close: | 81 | close: |
82 | close(fd); | 82 | close(fd); |
83 | #else | 83 | #else |
84 | (void) path; | 84 | (void) path; |
diff --git a/src/firejail/util.c b/src/firejail/util.c index 846c27321..bafcd69ec 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -1101,7 +1101,7 @@ void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) { | |||
1101 | if (mkdir(fname, mode) == -1 || | 1101 | if (mkdir(fname, mode) == -1 || |
1102 | chmod(fname, mode) == -1 || | 1102 | chmod(fname, mode) == -1 || |
1103 | chown(fname, uid, gid)) { | 1103 | chown(fname, uid, gid)) { |
1104 | fprintf(stderr, "Error: failed to create %s directory\n", fname); | 1104 | fprintf(stderr, "Error: failed to create %s directory\n", fname); |
1105 | errExit("mkdir/chmod"); | 1105 | errExit("mkdir/chmod"); |
1106 | } | 1106 | } |
1107 | 1107 | ||
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c index ff4fdda56..77739c1f3 100644 --- a/src/firemon/procevent.c +++ b/src/firemon/procevent.c | |||
@@ -309,7 +309,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my | |||
309 | #endif | 309 | #endif |
310 | if (proc_ev->event_data.fork.child_pid != | 310 | if (proc_ev->event_data.fork.child_pid != |
311 | proc_ev->event_data.fork.child_tgid) | 311 | proc_ev->event_data.fork.child_tgid) |
312 | continue; // this is a thread, not a process | 312 | continue; // this is a thread, not a process |
313 | pid = proc_ev->event_data.fork.parent_tgid; | 313 | pid = proc_ev->event_data.fork.parent_tgid; |
314 | #ifdef DEBUG_PRCTL | 314 | #ifdef DEBUG_PRCTL |
315 | printf("%s: %d, event fork, pid %d\n", __FUNCTION__, __LINE__, pid); | 315 | printf("%s: %d, event fork, pid %d\n", __FUNCTION__, __LINE__, pid); |
diff --git a/src/firemon/top.c b/src/firemon/top.c index c127e2f56..c70bc9424 100644 --- a/src/firemon/top.c +++ b/src/firemon/top.c | |||
@@ -166,7 +166,8 @@ static char *print_top(unsigned index, unsigned parent, unsigned *utime, unsigne | |||
166 | snprintf(prcs_str, 10, "%d", *cnt); | 166 | snprintf(prcs_str, 10, "%d", *cnt); |
167 | 167 | ||
168 | if (asprintf(&rv, "%-7.7s %-9.9s %-8.8s %-8.8s %-5.5s %-4.4s %-9.9s %s", | 168 | if (asprintf(&rv, "%-7.7s %-9.9s %-8.8s %-8.8s %-5.5s %-4.4s %-9.9s %s", |
169 | pidstr, ptruser, rss, shared, cpu_str, prcs_str, uptime_str, ptrcmd) == -1) | 169 | pidstr, ptruser, rss, shared, cpu_str, prcs_str, |
170 | uptime_str, ptrcmd) == -1) | ||
170 | errExit("asprintf"); | 171 | errExit("asprintf"); |
171 | 172 | ||
172 | if (cmd) | 173 | if (cmd) |
diff --git a/src/fldd/main.c b/src/fldd/main.c index 390f7a1bc..4b645b1b3 100644 --- a/src/fldd/main.c +++ b/src/fldd/main.c | |||
@@ -193,9 +193,9 @@ static void parse_elf(const char *exe) { | |||
193 | } | 193 | } |
194 | goto close; | 194 | goto close; |
195 | 195 | ||
196 | error_close: | 196 | error_close: |
197 | perror("copy libs"); | 197 | perror("copy libs"); |
198 | close: | 198 | close: |
199 | if (base) | 199 | if (base) |
200 | munmap(base, s.st_size); | 200 | munmap(base, s.st_size); |
201 | 201 | ||
@@ -295,7 +295,7 @@ int main(int argc, char **argv) { | |||
295 | //system("cat /proc/self/status"); | 295 | //system("cat /proc/self/status"); |
296 | int i; | 296 | int i; |
297 | for (i = 0; i < argc; i++) | 297 | for (i = 0; i < argc; i++) |
298 | printf("*%s* ", argv[i]); | 298 | printf("*%s* ", argv[i]); |
299 | printf("\n"); | 299 | printf("\n"); |
300 | } | 300 | } |
301 | #endif | 301 | #endif |
diff --git a/src/fnet/fnet.h b/src/fnet/fnet.h index c9d40ec1d..f9b09d7ea 100644 --- a/src/fnet/fnet.h +++ b/src/fnet/fnet.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2023 Firejail Authors | 2 | * Copyright (C) 2014-2023 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
diff --git a/src/fnet/interface.c b/src/fnet/interface.c index aa0981269..ca7c744ed 100644 --- a/src/fnet/interface.c +++ b/src/fnet/interface.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2023 Firejail Authors | 2 | * Copyright (C) 2014-2023 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
@@ -57,7 +57,7 @@ void net_bridge_add_interface(const char *bridge, const char *dev) { | |||
57 | 57 | ||
58 | int sock; | 58 | int sock; |
59 | if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) | 59 | if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) |
60 | errExit("socket"); | 60 | errExit("socket"); |
61 | 61 | ||
62 | memset(&ifr, 0, sizeof(ifr)); | 62 | memset(&ifr, 0, sizeof(ifr)); |
63 | strncpy(ifr.ifr_name, bridge, IFNAMSIZ - 1); | 63 | strncpy(ifr.ifr_name, bridge, IFNAMSIZ - 1); |
@@ -237,7 +237,7 @@ int net_get_mac(const char *ifname, unsigned char mac[6]) { | |||
237 | int sock; | 237 | int sock; |
238 | 238 | ||
239 | if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) | 239 | if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) |
240 | errExit("socket"); | 240 | errExit("socket"); |
241 | 241 | ||
242 | memset(&ifr, 0, sizeof(ifr)); | 242 | memset(&ifr, 0, sizeof(ifr)); |
243 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); | 243 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); |
@@ -291,7 +291,7 @@ int net_if_mac(const char *ifname, const unsigned char mac[6]) { | |||
291 | int sock; | 291 | int sock; |
292 | 292 | ||
293 | if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) | 293 | if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) |
294 | errExit("socket"); | 294 | errExit("socket"); |
295 | 295 | ||
296 | memset(&ifr, 0, sizeof(ifr)); | 296 | memset(&ifr, 0, sizeof(ifr)); |
297 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); | 297 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); |
diff --git a/src/fnet/main.c b/src/fnet/main.c index 1c48622a0..96c4f1478 100644 --- a/src/fnet/main.c +++ b/src/fnet/main.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2023 Firejail Authors | 2 | * Copyright (C) 2014-2023 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
@@ -47,7 +47,7 @@ static void usage(void) { | |||
47 | printf("\tfnet config mac addr\n"); | 47 | printf("\tfnet config mac addr\n"); |
48 | printf("\tfnet config ipv6 dev ip\n"); | 48 | printf("\tfnet config ipv6 dev ip\n"); |
49 | printf("\tfnet ifup dev\n"); | 49 | printf("\tfnet ifup dev\n"); |
50 | printf("\tfnet waitll dev\n"); | 50 | printf("\tfnet waitll dev\n"); |
51 | } | 51 | } |
52 | 52 | ||
53 | int main(int argc, char **argv) { | 53 | int main(int argc, char **argv) { |
@@ -144,9 +144,9 @@ printf("\n"); | |||
144 | else if (argc == 5 && strcmp(argv[1], "config") == 0 && strcmp(argv[2], "ipv6") == 0) { | 144 | else if (argc == 5 && strcmp(argv[1], "config") == 0 && strcmp(argv[2], "ipv6") == 0) { |
145 | net_if_ip6(argv[3], argv[4]); | 145 | net_if_ip6(argv[3], argv[4]); |
146 | } | 146 | } |
147 | else if (argc == 3 && strcmp(argv[1], "waitll") == 0) { | 147 | else if (argc == 3 && strcmp(argv[1], "waitll") == 0) { |
148 | net_if_waitll(argv[2]); | 148 | net_if_waitll(argv[2]); |
149 | } | 149 | } |
150 | else { | 150 | else { |
151 | fprintf(stderr, "Error fnet: invalid arguments\n"); | 151 | fprintf(stderr, "Error fnet: invalid arguments\n"); |
152 | return 1; | 152 | return 1; |
diff --git a/src/fnet/veth.c b/src/fnet/veth.c index 2a23c6bd4..2111cfa56 100644 --- a/src/fnet/veth.c +++ b/src/fnet/veth.c | |||
@@ -24,8 +24,8 @@ | |||
24 | * | 24 | * |
25 | * Authors: Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru> | 25 | * Authors: Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru> |
26 | * | 26 | * |
27 | */ | 27 | */ |
28 | /* | 28 | /* |
29 | * Copyright (C) 2014-2023 Firejail Authors | 29 | * Copyright (C) 2014-2023 Firejail Authors |
30 | * | 30 | * |
31 | * This file is part of firejail project | 31 | * This file is part of firejail project |
diff --git a/src/fnetfilter/main.c b/src/fnetfilter/main.c index 978d145b3..8c0f6c297 100644 --- a/src/fnetfilter/main.c +++ b/src/fnetfilter/main.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2023 Firejail Authors | 2 | * Copyright (C) 2014-2023 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
diff --git a/src/fnettrace-dns/fnettrace_dns.h b/src/fnettrace-dns/fnettrace_dns.h index 6d8a3c211..b8f69e9d7 100644 --- a/src/fnettrace-dns/fnettrace_dns.h +++ b/src/fnettrace-dns/fnettrace_dns.h | |||
@@ -31,4 +31,4 @@ | |||
31 | #include <fcntl.h> | 31 | #include <fcntl.h> |
32 | #include <sys/mman.h> | 32 | #include <sys/mman.h> |
33 | 33 | ||
34 | #endif \ No newline at end of file | 34 | #endif |
diff --git a/src/fnettrace-dns/main.c b/src/fnettrace-dns/main.c index 60738147d..64feec5fe 100644 --- a/src/fnettrace-dns/main.c +++ b/src/fnettrace-dns/main.c | |||
@@ -124,7 +124,7 @@ static void print_date(void) { | |||
124 | 124 | ||
125 | static void run_trace(void) { | 125 | static void run_trace(void) { |
126 | // grab all Ethernet packets and use a custom BPF filter to get only UDP from source port 53 | 126 | // grab all Ethernet packets and use a custom BPF filter to get only UDP from source port 53 |
127 | int s = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); | 127 | int s = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); |
128 | if (s < 0) | 128 | if (s < 0) |
129 | errExit("socket"); | 129 | errExit("socket"); |
130 | custom_bpf(s); | 130 | custom_bpf(s); |
diff --git a/src/fnettrace-icmp/fnettrace_icmp.h b/src/fnettrace-icmp/fnettrace_icmp.h index f535106e1..04c449ff2 100644 --- a/src/fnettrace-icmp/fnettrace_icmp.h +++ b/src/fnettrace-icmp/fnettrace_icmp.h | |||
@@ -31,4 +31,4 @@ | |||
31 | #include <fcntl.h> | 31 | #include <fcntl.h> |
32 | #include <sys/mman.h> | 32 | #include <sys/mman.h> |
33 | 33 | ||
34 | #endif \ No newline at end of file | 34 | #endif |
diff --git a/src/fnettrace-sni/fnettrace_sni.h b/src/fnettrace-sni/fnettrace_sni.h index f535106e1..04c449ff2 100644 --- a/src/fnettrace-sni/fnettrace_sni.h +++ b/src/fnettrace-sni/fnettrace_sni.h | |||
@@ -31,4 +31,4 @@ | |||
31 | #include <fcntl.h> | 31 | #include <fcntl.h> |
32 | #include <sys/mman.h> | 32 | #include <sys/mman.h> |
33 | 33 | ||
34 | #endif \ No newline at end of file | 34 | #endif |
diff --git a/src/fnettrace/fnettrace.h b/src/fnettrace/fnettrace.h index d3bc6439e..629b8ce5b 100644 --- a/src/fnettrace/fnettrace.h +++ b/src/fnettrace/fnettrace.h | |||
@@ -70,4 +70,4 @@ char* retrieve_hostname(uint32_t ip); | |||
70 | // tail.c | 70 | // tail.c |
71 | void tail(const char *logfile); | 71 | void tail(const char *logfile); |
72 | 72 | ||
73 | #endif \ No newline at end of file | 73 | #endif |
diff --git a/src/fnettrace/hostnames.c b/src/fnettrace/hostnames.c index 4f5641dfb..878a67123 100644 --- a/src/fnettrace/hostnames.c +++ b/src/fnettrace/hostnames.c | |||
@@ -121,4 +121,3 @@ errexit: | |||
121 | fprintf(stderr, "Error: invalid line %d in file %s\n", line, fname); | 121 | fprintf(stderr, "Error: invalid line %d in file %s\n", line, fname); |
122 | exit(1); | 122 | exit(1); |
123 | } | 123 | } |
124 | |||
diff --git a/src/fnettrace/radix.c b/src/fnettrace/radix.c index 97e890bec..a1d510a61 100644 --- a/src/fnettrace/radix.c +++ b/src/fnettrace/radix.c | |||
@@ -152,4 +152,3 @@ char *radix_longest_prefix_match(uint32_t ip) { | |||
152 | 152 | ||
153 | return (rv)? rv->name: NULL; | 153 | return (rv)? rv->name: NULL; |
154 | } | 154 | } |
155 | |||
diff --git a/src/fnettrace/radix.h b/src/fnettrace/radix.h index 85a75d0d7..d75fe3999 100644 --- a/src/fnettrace/radix.h +++ b/src/fnettrace/radix.h | |||
@@ -24,4 +24,4 @@ extern int radix_nodes; | |||
24 | char *radix_longest_prefix_match(uint32_t ip); | 24 | char *radix_longest_prefix_match(uint32_t ip); |
25 | char *radix_add(uint32_t ip, uint32_t mask, char *name); | 25 | char *radix_add(uint32_t ip, uint32_t mask, char *name); |
26 | 26 | ||
27 | #endif \ No newline at end of file | 27 | #endif |
diff --git a/src/fsec-optimize/main.c b/src/fsec-optimize/main.c index 0a9b7c9b9..0bc521c0d 100644 --- a/src/fsec-optimize/main.c +++ b/src/fsec-optimize/main.c | |||
@@ -33,7 +33,7 @@ int main(int argc, char **argv) { | |||
33 | //system("cat /proc/self/status"); | 33 | //system("cat /proc/self/status"); |
34 | int i; | 34 | int i; |
35 | for (i = 0; i < argc; i++) | 35 | for (i = 0; i < argc; i++) |
36 | printf("*%s* ", argv[i]); | 36 | printf("*%s* ", argv[i]); |
37 | printf("\n"); | 37 | printf("\n"); |
38 | } | 38 | } |
39 | #endif | 39 | #endif |
diff --git a/src/fsec-print/main.c b/src/fsec-print/main.c index de93f260e..696c6bc0c 100644 --- a/src/fsec-print/main.c +++ b/src/fsec-print/main.c | |||
@@ -47,7 +47,7 @@ int main(int argc, char **argv) { | |||
47 | //system("cat /proc/self/status"); | 47 | //system("cat /proc/self/status"); |
48 | int i; | 48 | int i; |
49 | for (i = 0; i < argc; i++) | 49 | for (i = 0; i < argc; i++) |
50 | printf("*%s* ", argv[i]); | 50 | printf("*%s* ", argv[i]); |
51 | printf("\n"); | 51 | printf("\n"); |
52 | } | 52 | } |
53 | #endif | 53 | #endif |
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index 1edbad764..57a5a6d67 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c | |||
@@ -58,7 +58,7 @@ int main(int argc, char **argv) { | |||
58 | //system("cat /proc/self/status"); | 58 | //system("cat /proc/self/status"); |
59 | int i; | 59 | int i; |
60 | for (i = 0; i < argc; i++) | 60 | for (i = 0; i < argc; i++) |
61 | printf("*%s* ", argv[i]); | 61 | printf("*%s* ", argv[i]); |
62 | printf("\n"); | 62 | printf("\n"); |
63 | } | 63 | } |
64 | #endif | 64 | #endif |
diff --git a/src/fseccomp/namespaces.c b/src/fseccomp/namespaces.c index ffc1dfe4c..e6c63219f 100644 --- a/src/fseccomp/namespaces.c +++ b/src/fseccomp/namespaces.c | |||
@@ -202,8 +202,8 @@ void deny_ns_32(const char *fname, const char *list) { | |||
202 | // 0003: 20 00 00 00000000 ld data.syscall-number | 202 | // 0003: 20 00 00 00000000 ld data.syscall-number |
203 | // 0004: 06 00 00 7fff0000 ret ALLOW | 203 | // 0004: 06 00 00 7fff0000 ret ALLOW |
204 | // | 204 | // |
205 | if (sizeof(filter)) | 205 | if (sizeof(filter)) |
206 | write_to_file(fd, filter, sizeof(filter)); | 206 | write_to_file(fd, filter, sizeof(filter)); |
207 | 207 | ||
208 | filter_end_blacklist(fd); | 208 | filter_end_blacklist(fd); |
209 | 209 | ||
diff --git a/src/include/gcov_wrapper.h b/src/include/gcov_wrapper.h index b56b4e736..7c8f89d59 100644 --- a/src/include/gcov_wrapper.h +++ b/src/include/gcov_wrapper.h | |||
@@ -33,8 +33,8 @@ | |||
33 | */ | 33 | */ |
34 | #if __GNUC__ > 11 || (__GNUC__ == 11 && __GNUC_MINOR__ >= 1) | 34 | #if __GNUC__ > 11 || (__GNUC__ == 11 && __GNUC_MINOR__ >= 1) |
35 | static void __gcov_flush(void) { | 35 | static void __gcov_flush(void) { |
36 | __gcov_dump(); | 36 | __gcov_dump(); |
37 | __gcov_reset(); | 37 | __gcov_reset(); |
38 | } | 38 | } |
39 | #endif | 39 | #endif |
40 | #else | 40 | #else |
diff --git a/src/include/seccomp.h b/src/include/seccomp.h index ef3fe6c3a..fc07b75ce 100644 --- a/src/include/seccomp.h +++ b/src/include/seccomp.h | |||
@@ -194,24 +194,24 @@ | |||
194 | #endif | 194 | #endif |
195 | 195 | ||
196 | #define VALIDATE_ARCHITECTURE \ | 196 | #define VALIDATE_ARCHITECTURE \ |
197 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ | 197 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ |
198 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \ | 198 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \ |
199 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) | 199 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) |
200 | 200 | ||
201 | #define VALIDATE_ARCHITECTURE_KILL \ | 201 | #define VALIDATE_ARCHITECTURE_KILL \ |
202 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ | 202 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ |
203 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \ | 203 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \ |
204 | KILL_OR_RETURN_ERRNO | 204 | KILL_OR_RETURN_ERRNO |
205 | 205 | ||
206 | #define VALIDATE_ARCHITECTURE_64 \ | 206 | #define VALIDATE_ARCHITECTURE_64 \ |
207 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ | 207 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ |
208 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_64, 1, 0), \ | 208 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_64, 1, 0), \ |
209 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) | 209 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) |
210 | 210 | ||
211 | #define VALIDATE_ARCHITECTURE_32 \ | 211 | #define VALIDATE_ARCHITECTURE_32 \ |
212 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ | 212 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ |
213 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_32, 1, 0), \ | 213 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_32, 1, 0), \ |
214 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) | 214 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) |
215 | 215 | ||
216 | #ifndef X32_SYSCALL_BIT | 216 | #ifndef X32_SYSCALL_BIT |
217 | #define X32_SYSCALL_BIT 0x40000000 | 217 | #define X32_SYSCALL_BIT 0x40000000 |
diff --git a/src/jailcheck/apparmor.c b/src/jailcheck/apparmor.c index 9b6b72fb7..658928ed5 100644 --- a/src/jailcheck/apparmor.c +++ b/src/jailcheck/apparmor.c | |||
@@ -37,4 +37,3 @@ void apparmor_test(pid_t pid) { | |||
37 | return; | 37 | return; |
38 | } | 38 | } |
39 | #endif | 39 | #endif |
40 | |||
diff --git a/src/jailcheck/network.c b/src/jailcheck/network.c index 961a66105..a4d5eeec1 100644 --- a/src/jailcheck/network.c +++ b/src/jailcheck/network.c | |||
@@ -52,6 +52,3 @@ void network_test(void) { | |||
52 | else | 52 | else |
53 | printf(" Networking: disabled\n"); | 53 | printf(" Networking: disabled\n"); |
54 | } | 54 | } |
55 | |||
56 | |||
57 | |||
diff --git a/src/jailcheck/noexec.c b/src/jailcheck/noexec.c index a78272591..bfeff9c7f 100644 --- a/src/jailcheck/noexec.c +++ b/src/jailcheck/noexec.c | |||
@@ -76,7 +76,7 @@ void noexec_test(const char *path) { | |||
76 | 76 | ||
77 | if (child == 0) { // child | 77 | if (child == 0) { // child |
78 | // drop privileges | 78 | // drop privileges |
79 | if (setgid(user_gid) != 0) | 79 | if (setgid(user_gid) != 0) |
80 | errExit("setgid"); | 80 | errExit("setgid"); |
81 | if (setuid(user_uid) != 0) | 81 | if (setuid(user_uid) != 0) |
82 | errExit("setuid"); | 82 | errExit("setuid"); |
diff --git a/src/jailcheck/utils.c b/src/jailcheck/utils.c index 8460c1bf7..97fe8833b 100644 --- a/src/jailcheck/utils.c +++ b/src/jailcheck/utils.c | |||
@@ -99,4 +99,3 @@ int find_child(int id) { | |||
99 | // this happens for processes sandboxed with --join | 99 | // this happens for processes sandboxed with --join |
100 | return first_child; | 100 | return first_child; |
101 | } | 101 | } |
102 | |||
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c index 97e36e5c9..25f0cc12e 100644 --- a/src/libtrace/libtrace.c +++ b/src/libtrace/libtrace.c | |||
@@ -35,11 +35,11 @@ | |||
35 | #include "../include/rundefs.h" | 35 | #include "../include/rundefs.h" |
36 | 36 | ||
37 | #define tprintf(fp, args...) \ | 37 | #define tprintf(fp, args...) \ |
38 | do { \ | 38 | do { \ |
39 | if (!fp)\ | 39 | if (!fp)\ |
40 | init(); \ | 40 | init(); \ |
41 | fprintf(fp, args); \ | 41 | fprintf(fp, args); \ |
42 | } while(0) | 42 | } while(0) |
43 | 43 | ||
44 | // break recursivity on fopen call | 44 | // break recursivity on fopen call |
45 | typedef FILE *(*orig_fopen_t)(const char *pathname, const char *mode); | 45 | typedef FILE *(*orig_fopen_t)(const char *pathname, const char *mode); |
@@ -515,7 +515,7 @@ int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) { | |||
515 | if (!orig_connect) | 515 | if (!orig_connect) |
516 | orig_connect = (orig_connect_t)dlsym(RTLD_NEXT, "connect"); | 516 | orig_connect = (orig_connect_t)dlsym(RTLD_NEXT, "connect"); |
517 | 517 | ||
518 | int rv = orig_connect(sockfd, addr, addrlen); | 518 | int rv = orig_connect(sockfd, addr, addrlen); |
519 | print_sockaddr(sockfd, "connect", addr, rv); | 519 | print_sockaddr(sockfd, "connect", addr, rv); |
520 | 520 | ||
521 | return rv; | 521 | return rv; |
diff --git a/src/profstats/main.c b/src/profstats/main.c index 90a5f405d..d5e57e7cc 100644 --- a/src/profstats/main.c +++ b/src/profstats/main.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2014-2023 Firejail Authors | 2 | * Copyright (C) 2014-2023 Firejail Authors |
3 | * | 3 | * |
4 | * This file is part of firejail project | 4 | * This file is part of firejail project |
@@ -166,7 +166,7 @@ static void process_file(char *fname) { | |||
166 | else if (strncmp(ptr, "include whitelist-var-common.inc", 32) == 0) | 166 | else if (strncmp(ptr, "include whitelist-var-common.inc", 32) == 0) |
167 | cnt_whitelistvar++; | 167 | cnt_whitelistvar++; |
168 | else if (strncmp(ptr, "include whitelist-runuser-common.inc", 36) == 0 || | 168 | else if (strncmp(ptr, "include whitelist-runuser-common.inc", 36) == 0 || |
169 | strncmp(ptr, "blacklist ${RUNUSER}", 20) == 0) | 169 | strncmp(ptr, "blacklist ${RUNUSER}", 20) == 0) |
170 | cnt_whitelistrunuser++; | 170 | cnt_whitelistrunuser++; |
171 | else if (strncmp(ptr, "include whitelist-common.inc", 28) == 0) | 171 | else if (strncmp(ptr, "include whitelist-common.inc", 28) == 0) |
172 | cnt_whitelisthome++; | 172 | cnt_whitelisthome++; |
@@ -283,10 +283,10 @@ int main(int argc, char **argv) { | |||
283 | arg_dbus_user_none = 1; | 283 | arg_dbus_user_none = 1; |
284 | else if (*argv[i] == '-') { | 284 | else if (*argv[i] == '-') { |
285 | fprintf(stderr, "Error: invalid option %s\n", argv[i]); | 285 | fprintf(stderr, "Error: invalid option %s\n", argv[i]); |
286 | return 1; | 286 | return 1; |
287 | } | 287 | } |
288 | else | 288 | else |
289 | break; | 289 | break; |
290 | } | 290 | } |
291 | 291 | ||
292 | start = i; | 292 | start = i; |
diff --git a/src/tools/extract_seccomp.c b/src/tools/extract_seccomp.c index 0482dfd88..69e20317a 100644 --- a/src/tools/extract_seccomp.c +++ b/src/tools/extract_seccomp.c | |||
@@ -31,10 +31,13 @@ | |||
31 | #include <linux/filter.h> | 31 | #include <linux/filter.h> |
32 | 32 | ||
33 | #define MAXBUF 1024 | 33 | #define MAXBUF 1024 |
34 | #define errExit(msg) { char msgout[256]; \ | 34 | #define errExit(msg) \ |
35 | snprintf(msgout, 256, "Error %d: %s", __LINE__, (msg)); \ | 35 | do { \ |
36 | perror(msgout); \ | 36 | char msgout[256]; \ |
37 | exit(1); } | 37 | snprintf(msgout, 256, "Error %d: %s", __LINE__, (msg)); \ |
38 | perror(msgout); \ | ||
39 | exit(1); \ | ||
40 | } while (0); | ||
38 | 41 | ||
39 | // dump all seccomp filters of a process | 42 | // dump all seccomp filters of a process |
40 | // for further analysis with fsec-print | 43 | // for further analysis with fsec-print |
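Review bot: The new `errExit` macro ends with `} while (0);`, and the trailing semicolon undoes the point of the do/while wrapper: a call site written `errExit("x");` now expands to two statements, so a form such as `if (fd < 0) errExit("open"); else ...` fails to compile, and the macro cannot be used as a single statement in an unbraced `if`/`else`. The conventional form leaves the semicolon to the caller: `} while (0)`. The remaining body of the macro (buffer, snprintf, perror, exit) is unchanged in behaviour from the old version and looks fine.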
diff --git a/src/zsh_completion/.editorconfig b/src/zsh_completion/.editorconfig new file mode 100644 index 000000000..15ca952a4 --- /dev/null +++ b/src/zsh_completion/.editorconfig | |||
@@ -0,0 +1,3 @@ | |||
1 | [_*{,.in}] | ||
2 | indent_size = 4 | ||
3 | indent_style = space | ||
diff --git a/test/filters/namespaces.c b/test/filters/namespaces.c index 06dfa4edf..ecf0fdcd1 100644 --- a/test/filters/namespaces.c +++ b/test/filters/namespaces.c | |||
@@ -15,82 +15,82 @@ | |||
15 | #define STACK_SIZE 1024 * 1024 | 15 | #define STACK_SIZE 1024 * 1024 |
16 | 16 | ||
17 | static int usage() { | 17 | static int usage() { |
18 | fprintf(stderr, "Usage: namespaces <system call>[clone,unshare] <list of namespaces>[cgroup,ipc,mnt,net,pid,time,user,uts]\n"); | 18 | fprintf(stderr, "Usage: namespaces <system call>[clone,unshare] <list of namespaces>[cgroup,ipc,mnt,net,pid,time,user,uts]\n"); |
19 | exit(1); | 19 | exit(1); |
20 | } | 20 | } |
21 | 21 | ||
22 | static void die(const char *msg) { | 22 | static void die(const char *msg) { |
23 | fprintf(stderr, "Error: %s: %s\n", msg, strerror(errno)); | 23 | fprintf(stderr, "Error: %s: %s\n", msg, strerror(errno)); |
24 | exit(1); | 24 | exit(1); |
25 | } | 25 | } |
26 | 26 | ||
27 | static int ns_flags(const char *list) { | 27 | static int ns_flags(const char *list) { |
28 | int flags = 0; | 28 | int flags = 0; |
29 | 29 | ||
30 | char *dup = strdup(list); | 30 | char *dup = strdup(list); |
31 | if (!dup) | 31 | if (!dup) |
32 | die("cannot allocate memory"); | 32 | die("cannot allocate memory"); |
33 | 33 | ||
34 | char *token = strtok(dup, ","); | 34 | char *token = strtok(dup, ","); |
35 | while (token) { | 35 | while (token) { |
36 | if (strcmp(token, "cgroup") == 0) | 36 | if (strcmp(token, "cgroup") == 0) |
37 | flags |= CLONE_NEWCGROUP; | 37 | flags |= CLONE_NEWCGROUP; |
38 | else if (strcmp(token, "ipc") == 0) | 38 | else if (strcmp(token, "ipc") == 0) |
39 | flags |= CLONE_NEWIPC; | 39 | flags |= CLONE_NEWIPC; |
40 | else if (strcmp(token, "net") == 0) | 40 | else if (strcmp(token, "net") == 0) |
41 | flags |= CLONE_NEWNET; | 41 | flags |= CLONE_NEWNET; |
42 | else if (strcmp(token, "mnt") == 0) | 42 | else if (strcmp(token, "mnt") == 0) |
43 | flags |= CLONE_NEWNS; | 43 | flags |= CLONE_NEWNS; |
44 | else if (strcmp(token, "pid") == 0) | 44 | else if (strcmp(token, "pid") == 0) |
45 | flags |= CLONE_NEWPID; | 45 | flags |= CLONE_NEWPID; |
46 | else if (strcmp(token, "time") == 0) | 46 | else if (strcmp(token, "time") == 0) |
47 | flags |= CLONE_NEWTIME; | 47 | flags |= CLONE_NEWTIME; |
48 | else if (strcmp(token, "user") == 0) | 48 | else if (strcmp(token, "user") == 0) |
49 | flags |= CLONE_NEWUSER; | 49 | flags |= CLONE_NEWUSER; |
50 | else if (strcmp(token, "uts") == 0) | 50 | else if (strcmp(token, "uts") == 0) |
51 | flags |= CLONE_NEWUTS; | 51 | flags |= CLONE_NEWUTS; |
52 | else | 52 | else |
53 | usage(); | 53 | usage(); |
54 | 54 | ||
55 | token = strtok(NULL, ","); | 55 | token = strtok(NULL, ","); |
56 | } | 56 | } |
57 | 57 | ||
58 | free(dup); | 58 | free(dup); |
59 | return flags; | 59 | return flags; |
60 | } | 60 | } |
61 | 61 | ||
62 | static int child(void *arg) { | 62 | static int child(void *arg) { |
63 | (void) arg; | 63 | (void) arg; |
64 | 64 | ||
65 | fprintf(stderr, "clone successful\n"); | 65 | fprintf(stderr, "clone successful\n"); |
66 | return 0; | 66 | return 0; |
67 | } | 67 | } |
68 | 68 | ||
69 | int main (int argc, char **argv) { | 69 | int main (int argc, char **argv) { |
70 | if (argc != 3) | 70 | if (argc != 3) |
71 | usage(); | 71 | usage(); |
72 | 72 | ||
73 | int flags = ns_flags(argv[2]); | 73 | int flags = ns_flags(argv[2]); |
74 | if (getuid() != 0) | 74 | if (getuid() != 0) |
75 | flags |= CLONE_NEWUSER; | 75 | flags |= CLONE_NEWUSER; |
76 | 76 | ||
77 | if (strcmp(argv[1], "clone") == 0) { | 77 | if (strcmp(argv[1], "clone") == 0) { |
78 | void *stack = mmap(NULL, STACK_SIZE, PROT_READ | PROT_WRITE, | 78 | void *stack = mmap(NULL, STACK_SIZE, PROT_READ | PROT_WRITE, |
79 | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); | 79 | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); |
80 | if (stack == MAP_FAILED) | 80 | if (stack == MAP_FAILED) |
81 | die("mmap"); | 81 | die("mmap"); |
82 | 82 | ||
83 | if (clone(child, stack + STACK_SIZE, flags | SIGCHLD, NULL) < 0) | 83 | if (clone(child, stack + STACK_SIZE, flags | SIGCHLD, NULL) < 0) |
84 | die("clone"); | 84 | die("clone"); |
85 | } | 85 | } |
86 | else if (strcmp(argv[1], "unshare") == 0) { | 86 | else if (strcmp(argv[1], "unshare") == 0) { |
87 | if (unshare(flags)) | 87 | if (unshare(flags)) |
88 | die("unshare"); | 88 | die("unshare"); |
89 | 89 | ||
90 | fprintf(stderr, "unshare successful\n"); | 90 | fprintf(stderr, "unshare successful\n"); |
91 | } | 91 | } |
92 | else | 92 | else |
93 | usage(); | 93 | usage(); |
94 | 94 | ||
95 | return 0; | 95 | return 0; |
96 | } | 96 | } |
diff --git a/test/fs/private-whitelist.exp b/test/fs/private-whitelist.exp index eaad5700d..bf95e40dd 100755 --- a/test/fs/private-whitelist.exp +++ b/test/fs/private-whitelist.exp | |||
@@ -32,9 +32,9 @@ send -- "ls -a ~ | wc -l\r" | |||
32 | expect { | 32 | expect { |
33 | timeout {puts "TESTING ERROR 4\n";exit} | 33 | timeout {puts "TESTING ERROR 4\n";exit} |
34 | "3" {puts "3\n"} | 34 | "3" {puts "3\n"} |
35 | "4" {puts "4\n"} | 35 | "4" {puts "4\n"} |
36 | "5" {puts "5\n"} | 36 | "5" {puts "5\n"} |
37 | "6" {puts "6\n"} | 37 | "6" {puts "6\n"} |
38 | } | 38 | } |
39 | 39 | ||
40 | sleep 1 | 40 | sleep 1 |
diff --git a/test/network/firemon-route.exp b/test/network/firemon-route.exp index 707217eea..69cccfeae 100755 --- a/test/network/firemon-route.exp +++ b/test/network/firemon-route.exp | |||
@@ -33,7 +33,7 @@ expect { | |||
33 | "0.0.0.0/0 via 192.168.1.1, dev eth0, metric 0" {puts "Debian testing\n";} | 33 | "0.0.0.0/0 via 192.168.1.1, dev eth0, metric 0" {puts "Debian testing\n";} |
34 | "0.0.0.0/0 via 192.168.1.1, dev enp0s3, metric 1024" {puts "Centos 7 testing\n";} | 34 | "0.0.0.0/0 via 192.168.1.1, dev enp0s3, metric 1024" {puts "Centos 7 testing\n";} |
35 | "0.0.0.0/0 via 192.168.1.1, dev enp0s3, metric 0" {puts "OpenSUSE testing\n";} | 35 | "0.0.0.0/0 via 192.168.1.1, dev enp0s3, metric 0" {puts "OpenSUSE testing\n";} |
36 | "0.0.0.0/0 via 192.168.1.1, dev enp0s3, metric 100" {puts "Arch testing\n";} | 36 | "0.0.0.0/0 via 192.168.1.1, dev enp0s3, metric 100" {puts "Arch testing\n";} |
37 | } | 37 | } |
38 | expect { | 38 | expect { |
39 | timeout {puts "TESTING ERROR 4\n";exit} | 39 | timeout {puts "TESTING ERROR 4\n";exit} |
diff --git a/test/private-etc/private-etc.sh b/test/private-etc/private-etc.sh index 8488611b9..c46b684af 100755 --- a/test/private-etc/private-etc.sh +++ b/test/private-etc/private-etc.sh | |||
@@ -18,4 +18,3 @@ echo "TESTING: groups (test/private-etc/groups.exp)" | |||
18 | 18 | ||
19 | echo "TESTING: etc-cleanup (test/private-etc/etc-cleanup.exp)" | 19 | echo "TESTING: etc-cleanup (test/private-etc/etc-cleanup.exp)" |
20 | ./etc-cleanup.exp | 20 | ./etc-cleanup.exp |
21 | |||
diff --git a/test/private-lib/private-lib.sh b/test/private-lib/private-lib.sh index 0ef18b79d..5c67b16c5 100755 --- a/test/private-lib/private-lib.sh +++ b/test/private-lib/private-lib.sh | |||
@@ -29,4 +29,3 @@ if [[ $(uname -m) == "x86_64" ]]; then | |||
29 | else | 29 | else |
30 | echo "TESTING SKIP: private-lib test implemented only for x86_64." | 30 | echo "TESTING SKIP: private-lib test implemented only for x86_64." |
31 | fi | 31 | fi |
32 | |||
diff --git a/test/profiles/test2.profile b/test/profiles/test2.profile index 9fbd5219a..9504f5085 100644 --- a/test/profiles/test2.profile +++ b/test/profiles/test2.profile | |||
@@ -1,6 +1,6 @@ | |||
1 | caps | 1 | caps |
2 | seccomp | 2 | seccomp |
3 | private | 3 | private |
4 | include test.profile | 4 | include test.profile |
5 | include test.local | 5 | include test.local |
6 | include test25.profile | 6 | include test25.profile |
diff --git a/test/sysutils/sysutils.sh b/test/sysutils/sysutils.sh index 231f5afa8..f5567ff02 100755 --- a/test/sysutils/sysutils.sh +++ b/test/sysutils/sysutils.sh | |||
@@ -150,4 +150,3 @@ then | |||
150 | else | 150 | else |
151 | echo "TESTING SKIP: whois not found" | 151 | echo "TESTING SKIP: whois not found" |
152 | fi | 152 | fi |
153 | |||