authorLibravatar Fred Barclay <Fred-Barclay@users.noreply.github.com>2017-05-24 14:13:52 -0500
committerLibravatar Fred Barclay <Fred-Barclay@users.noreply.github.com>2017-05-24 14:13:52 -0500
commit96c920e166b40bbe50f216e294f2efac154a1cb2 (patch)
treefa80a34e81863ab897f2f2b8ec4124b10d023516
parentremove trailing whitespace from etc/ (diff)
Remove trailing whitespace from src/
-rw-r--r--src/bash_completion/firecfg.bash_completion3
-rw-r--r--src/bash_completion/firejail.bash_completion3
-rw-r--r--src/bash_completion/firemon.bash_completion3
-rw-r--r--src/faudit/Makefile.in1
-rw-r--r--src/faudit/caps.c13
-rw-r--r--src/faudit/dbus.c13
-rw-r--r--src/faudit/dev.c6
-rw-r--r--src/faudit/files.c12
-rw-r--r--src/faudit/main.c18
-rw-r--r--src/faudit/network.c16
-rw-r--r--src/faudit/pid.c12
-rw-r--r--src/faudit/seccomp.c20
-rw-r--r--src/faudit/syscall.c6
-rw-r--r--src/faudit/x11.c4
-rw-r--r--src/fcopy/Makefile.in1
-rw-r--r--src/firecfg/Makefile.in1
-rw-r--r--src/firecfg/main.c57
-rw-r--r--src/firejail/Makefile.in1
-rw-r--r--src/firejail/appimage.c22
-rw-r--r--src/firejail/appimage_size.c2
-rw-r--r--src/firejail/arg-checking.txt9
-rw-r--r--src/firejail/arp.c28
-rw-r--r--src/firejail/bandwidth.c56
-rw-r--r--src/firejail/caps.c28
-rw-r--r--src/firejail/cgroup.c24
-rw-r--r--src/firejail/checkcfg.c36
-rw-r--r--src/firejail/cmdline.c8
-rw-r--r--src/firejail/cpu.c21
-rw-r--r--src/firejail/env.c22
-rw-r--r--src/firejail/fs.c150
-rw-r--r--src/firejail/fs_bin.c29
-rw-r--r--src/firejail/fs_etc.c27
-rw-r--r--src/firejail/fs_home.c40
-rw-r--r--src/firejail/fs_hostname.c19
-rw-r--r--src/firejail/fs_logger.c12
-rw-r--r--src/firejail/fs_mkdir.c8
-rw-r--r--src/firejail/fs_trace.c5
-rw-r--r--src/firejail/fs_var.c44
-rw-r--r--src/firejail/fs_whitelist.c98
-rw-r--r--src/firejail/git.c16
-rw-r--r--src/firejail/join.c37
-rw-r--r--src/firejail/ls.c58
-rw-r--r--src/firejail/netfilter.c10
-rw-r--r--src/firejail/network.c37
-rw-r--r--src/firejail/network.txt16
-rw-r--r--src/firejail/network_main.c16
-rw-r--r--src/firejail/no_sandbox.c20
-rw-r--r--src/firejail/output.c12
-rw-r--r--src/firejail/preproc.c16
-rw-r--r--src/firejail/protocol.c8
-rw-r--r--src/firejail/pulseaudio.c24
-rw-r--r--src/firejail/restrict_users.c42
-rw-r--r--src/firejail/restricted_shell.c17
-rw-r--r--src/firejail/rlimit.c4
-rw-r--r--src/firejail/run_symlink.c8
-rw-r--r--src/firejail/sbox.c52
-rw-r--r--src/firejail/seccomp.c27
-rw-r--r--src/firejail/shutdown.c10
-rw-r--r--src/firejail/util.c18
-rw-r--r--src/firejail/x11.c6
-rw-r--r--src/firemon/Makefile.in3
-rw-r--r--src/firemon/arp.c10
-rw-r--r--src/firemon/caps.c7
-rw-r--r--src/firemon/cgroup.c7
-rw-r--r--src/firemon/cpu.c7
-rw-r--r--src/firemon/firemon.c30
-rw-r--r--src/firemon/interface.c13
-rw-r--r--src/firemon/list.c3
-rw-r--r--src/firemon/netstats.c35
-rw-r--r--src/firemon/procevent.c60
-rw-r--r--src/firemon/route.c26
-rw-r--r--src/firemon/seccomp.c7
-rw-r--r--src/firemon/top.c55
-rw-r--r--src/firemon/tree.c3
-rw-r--r--src/firemon/x11.c7
-rw-r--r--src/floader/README.md2
-rw-r--r--src/floader/loader.c34
-rw-r--r--src/floader/makefile2
-rw-r--r--src/fnet/Makefile.in1
-rw-r--r--src/fnet/arp.c39
-rw-r--r--src/fnet/interface.c24
-rw-r--r--src/fnet/main.c4
-rw-r--r--src/fnet/veth.c26
-rw-r--r--src/fseccomp/Makefile.in1
-rw-r--r--src/fseccomp/errno.c2
-rw-r--r--src/fseccomp/main.c8
-rw-r--r--src/fseccomp/protocol.c14
-rw-r--r--src/fseccomp/seccomp.c13
-rw-r--r--src/fseccomp/seccomp_file.c7
-rw-r--r--src/fseccomp/seccomp_print.c10
-rw-r--r--src/fseccomp/seccomp_secondary.c13
-rw-r--r--src/fseccomp/syscall.c10
-rwxr-xr-xsrc/fshaper/fshaper.sh16
-rw-r--r--src/ftee/Makefile.in1
-rw-r--r--src/ftee/ftee.h2
-rw-r--r--src/ftee/main.c32
-rw-r--r--src/include/common.h12
-rw-r--r--src/include/libnetlink.h9
-rw-r--r--src/include/syscall.h1
-rw-r--r--src/lib/Makefile.in2
-rw-r--r--src/lib/common.c21
-rw-r--r--src/lib/libnetlink.c16
-rw-r--r--src/lib/pid.c32
-rw-r--r--src/libtrace/Makefile.in2
-rw-r--r--src/libtrace/libtrace.c92
-rw-r--r--src/libtracelog/Makefile.in2
-rw-r--r--src/libtracelog/libtracelog.c72
-rw-r--r--src/man/firecfg.txt4
-rw-r--r--src/man/firejail-login.txt2
-rw-r--r--src/man/firemon.txt2
-rw-r--r--src/tools/extract_caps.c18
-rw-r--r--src/tools/extract_syscalls.c16
-rwxr-xr-xsrc/tools/mkcoverit.sh2
-rw-r--r--src/tools/rvtest.c20
-rw-r--r--src/tools/unixsocket.c4
115 files changed, 1061 insertions, 1134 deletions
diff --git a/src/bash_completion/firecfg.bash_completion b/src/bash_completion/firecfg.bash_completion
index 79b74e49d..36f066f0a 100644
--- a/src/bash_completion/firecfg.bash_completion
+++ b/src/bash_completion/firecfg.bash_completion
@@ -34,6 +34,3 @@ _firecfg()
34 fi 34 fi
35} && 35} &&
36complete -F _firecfg firecfg 36complete -F _firecfg firecfg
37
38
39
diff --git a/src/bash_completion/firejail.bash_completion b/src/bash_completion/firejail.bash_completion
index 0b2caed61..09798f505 100644
--- a/src/bash_completion/firejail.bash_completion
+++ b/src/bash_completion/firejail.bash_completion
@@ -109,6 +109,3 @@ _firejail()
109 109
110} && 110} &&
111complete -F _firejail firejail 111complete -F _firejail firejail
112
113
114
diff --git a/src/bash_completion/firemon.bash_completion b/src/bash_completion/firemon.bash_completion
index befbf2388..a33935602 100644
--- a/src/bash_completion/firemon.bash_completion
+++ b/src/bash_completion/firemon.bash_completion
@@ -34,6 +34,3 @@ _firemon()
34 fi 34 fi
35} && 35} &&
36complete -F _firemon firemon 36complete -F _firemon firemon
37
38
39
diff --git a/src/faudit/Makefile.in b/src/faudit/Makefile.in
index 995a0bf49..ec36ca80c 100644
--- a/src/faudit/Makefile.in
+++ b/src/faudit/Makefile.in
@@ -22,4 +22,3 @@ clean:; rm -f *.o faudit
22 22
23distclean: clean 23distclean: clean
24 rm -fr Makefile 24 rm -fr Makefile
25
diff --git a/src/faudit/caps.c b/src/faudit/caps.c
index b200c6792..d4a98676c 100644
--- a/src/faudit/caps.c
+++ b/src/faudit/caps.c
@@ -26,7 +26,7 @@ static int extract_caps(uint64_t *val) {
26 FILE *fp = fopen("/proc/self/status", "r"); 26 FILE *fp = fopen("/proc/self/status", "r");
27 if (!fp) 27 if (!fp)
28 return 1; 28 return 1;
29 29
30 char buf[MAXBUF]; 30 char buf[MAXBUF];
31 while (fgets(buf, MAXBUF, fp)) { 31 while (fgets(buf, MAXBUF, fp)) {
32 if (strncmp(buf, "CapBnd:\t", 8) == 0) { 32 if (strncmp(buf, "CapBnd:\t", 8) == 0) {
@@ -47,7 +47,7 @@ static int extract_caps(uint64_t *val) {
47static int check_capability(uint64_t map, int cap) { 47static int check_capability(uint64_t map, int cap) {
48 int i; 48 int i;
49 uint64_t mask = 1ULL; 49 uint64_t mask = 1ULL;
50 50
51 for (i = 0; i < 64; i++, mask <<= 1) { 51 for (i = 0; i < 64; i++, mask <<= 1) {
52 if ((i == cap) && (mask & map)) 52 if ((i == cap) && (mask & map))
53 return 1; 53 return 1;
@@ -58,22 +58,21 @@ static int check_capability(uint64_t map, int cap) {
58 58
59void caps_test(void) { 59void caps_test(void) {
60 uint64_t caps_val; 60 uint64_t caps_val;
61 61
62 if (extract_caps(&caps_val)) { 62 if (extract_caps(&caps_val)) {
63 printf("SKIP: cannot extract capabilities on this platform.\n"); 63 printf("SKIP: cannot extract capabilities on this platform.\n");
64 return; 64 return;
65 } 65 }
66 66
67 if (caps_val) { 67 if (caps_val) {
68 printf("BAD: the capability map is %llx, it should be all zero. ", (unsigned long long) caps_val); 68 printf("BAD: the capability map is %llx, it should be all zero. ", (unsigned long long) caps_val);
69 printf("Use \"firejail --caps.drop=all\" to fix it.\n"); 69 printf("Use \"firejail --caps.drop=all\" to fix it.\n");
70 70
71 if (check_capability(caps_val, CAP_SYS_ADMIN)) 71 if (check_capability(caps_val, CAP_SYS_ADMIN))
72 printf("UGLY: CAP_SYS_ADMIN is enabled.\n"); 72 printf("UGLY: CAP_SYS_ADMIN is enabled.\n");
73 if (check_capability(caps_val, CAP_SYS_BOOT)) 73 if (check_capability(caps_val, CAP_SYS_BOOT))
74 printf("UGLY: CAP_SYS_BOOT is enabled.\n"); 74 printf("UGLY: CAP_SYS_BOOT is enabled.\n");
75 } 75 }
76 else 76 else
77 printf("GOOD: all capabilities are disabled.\n"); 77 printf("GOOD: all capabilities are disabled.\n");
78} 78}
79
diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c
index 1b1fbb817..54300c9b8 100644
--- a/src/faudit/dbus.c
+++ b/src/faudit/dbus.c
@@ -28,7 +28,7 @@ int check_unix(const char *sockfile) {
28 28
29 // open socket 29 // open socket
30 int sock = socket(AF_UNIX, SOCK_STREAM, 0); 30 int sock = socket(AF_UNIX, SOCK_STREAM, 0);
31 if (sock == -1) 31 if (sock == -1)
32 return rv; 32 return rv;
33 33
34 // connect 34 // connect
@@ -41,7 +41,7 @@ int check_unix(const char *sockfile) {
41 remote.sun_path[0] = '\0'; 41 remote.sun_path[0] = '\0';
42 if (connect(sock, (struct sockaddr *)&remote, len) == 0) 42 if (connect(sock, (struct sockaddr *)&remote, len) == 0)
43 rv = 0; 43 rv = 0;
44 44
45 close(sock); 45 close(sock);
46 return rv; 46 return rv;
47} 47}
@@ -60,7 +60,7 @@ void dbus_test(void) {
60 *sockfile = '@'; 60 *sockfile = '@';
61 char *ptr = strchr(sockfile, ','); 61 char *ptr = strchr(sockfile, ',');
62 if (ptr) 62 if (ptr)
63 *ptr = '\0'; 63 *ptr = '\0';
64 rv = check_unix(sockfile); 64 rv = check_unix(sockfile);
65 *sockfile = '@'; 65 *sockfile = '@';
66 if (rv == 0) 66 if (rv == 0)
@@ -83,13 +83,10 @@ void dbus_test(void) {
83 printf("UGLY: session bus configured for TCP communication.\n"); 83 printf("UGLY: session bus configured for TCP communication.\n");
84 else 84 else
85 printf("GOOD: cannot find a D-Bus socket\n"); 85 printf("GOOD: cannot find a D-Bus socket\n");
86 86
87 87
88 free(bus); 88 free(bus);
89 } 89 }
90 else 90 else
91 printf("GOOD: DBUS_SESSION_BUS_ADDRESS environment variable not configured."); 91 printf("GOOD: DBUS_SESSION_BUS_ADDRESS environment variable not configured.");
92} 92}
93
94
95
diff --git a/src/faudit/dev.c b/src/faudit/dev.c
index 74adbca9c..6bafaf93e 100644
--- a/src/faudit/dev.c
+++ b/src/faudit/dev.c
@@ -26,19 +26,19 @@ void dev_test(void) {
26 fprintf(stderr, "Error: cannot open /dev directory\n"); 26 fprintf(stderr, "Error: cannot open /dev directory\n");
27 return; 27 return;
28 } 28 }
29 29
30 struct dirent *entry; 30 struct dirent *entry;
31 printf("INFO: files visible in /dev directory: "); 31 printf("INFO: files visible in /dev directory: ");
32 int cnt = 0; 32 int cnt = 0;
33 while ((entry = readdir(dir)) != NULL) { 33 while ((entry = readdir(dir)) != NULL) {
34 if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) 34 if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
35 continue; 35 continue;
36 36
37 printf("%s, ", entry->d_name); 37 printf("%s, ", entry->d_name);
38 cnt++; 38 cnt++;
39 } 39 }
40 printf("\n"); 40 printf("\n");
41 41
42 if (cnt > 20) 42 if (cnt > 20)
43 printf("MAYBE: /dev directory seems to be fully populated. Use --private-dev or --whitelist to restrict the access.\n"); 43 printf("MAYBE: /dev directory seems to be fully populated. Use --private-dev or --whitelist to restrict the access.\n");
44 else 44 else
diff --git a/src/faudit/files.c b/src/faudit/files.c
index 46256f5f0..aa5b3aafb 100644
--- a/src/faudit/files.c
+++ b/src/faudit/files.c
@@ -26,7 +26,7 @@ static char *homedir = NULL;
26 26
27static void check_home_file(const char *name) { 27static void check_home_file(const char *name) {
28 assert(homedir); 28 assert(homedir);
29 29
30 char *fname; 30 char *fname;
31 if (asprintf(&fname, "%s/%s", homedir, name) == -1) 31 if (asprintf(&fname, "%s/%s", homedir, name) == -1)
32 errExit("asprintf"); 32 errExit("asprintf");
@@ -37,7 +37,7 @@ static void check_home_file(const char *name) {
37 } 37 }
38 else 38 else
39 printf("GOOD: I cannot access files in %s directory.\n", fname); 39 printf("GOOD: I cannot access files in %s directory.\n", fname);
40 40
41 free(fname); 41 free(fname);
42} 42}
43 43
@@ -47,14 +47,14 @@ void files_test(void) {
47 fprintf(stderr, "Error: cannot retrieve user account information\n"); 47 fprintf(stderr, "Error: cannot retrieve user account information\n");
48 return; 48 return;
49 } 49 }
50 50
51 username = strdup(pw->pw_name); 51 username = strdup(pw->pw_name);
52 if (!username) 52 if (!username)
53 errExit("strdup"); 53 errExit("strdup");
54 homedir = strdup(pw->pw_dir); 54 homedir = strdup(pw->pw_dir);
55 if (!homedir) 55 if (!homedir)
56 errExit("strdup"); 56 errExit("strdup");
57 57
58 // check access to .ssh directory 58 // check access to .ssh directory
59 check_home_file(".ssh"); 59 check_home_file(".ssh");
60 60
@@ -66,10 +66,10 @@ void files_test(void) {
66 66
67 // check access to Chromium browser directory 67 // check access to Chromium browser directory
68 check_home_file(".config/chromium"); 68 check_home_file(".config/chromium");
69 69
70 // check access to Debian Icedove directory 70 // check access to Debian Icedove directory
71 check_home_file(".icedove"); 71 check_home_file(".icedove");
72 72
73 // check access to Thunderbird directory 73 // check access to Thunderbird directory
74 check_home_file(".thunderbird"); 74 check_home_file(".thunderbird");
75} 75}
diff --git a/src/faudit/main.c b/src/faudit/main.c
index 2572bf332..8ab0de5a6 100644
--- a/src/faudit/main.c
+++ b/src/faudit/main.c
@@ -24,19 +24,19 @@ int main(int argc, char **argv) {
24 // make test-arguments helper 24 // make test-arguments helper
25 if (getenv("FIREJAIL_TEST_ARGUMENTS")) { 25 if (getenv("FIREJAIL_TEST_ARGUMENTS")) {
26 printf("Arguments:\n"); 26 printf("Arguments:\n");
27 27
28 int i; 28 int i;
29 for (i = 0; i < argc; i++) { 29 for (i = 0; i < argc; i++) {
30 printf("#%s#\n", argv[i]); 30 printf("#%s#\n", argv[i]);
31 } 31 }
32 32
33 return 0; 33 return 0;
34 } 34 }
35 35
36 36
37 if (argc != 1) { 37 if (argc != 1) {
38 int i; 38 int i;
39 39
40 for (i = 1; i < argc; i++) { 40 for (i = 1; i < argc; i++) {
41 if (strcmp(argv[i], "syscall")) { 41 if (strcmp(argv[i], "syscall")) {
42 syscall_helper(argc, argv); 42 syscall_helper(argc, argv);
@@ -56,16 +56,16 @@ int main(int argc, char **argv) {
56 errExit("strdup"); 56 errExit("strdup");
57 } 57 }
58 printf("INFO: starting %s.\n", prog); 58 printf("INFO: starting %s.\n", prog);
59 59
60 60
61 // check pid namespace 61 // check pid namespace
62 pid_test(); 62 pid_test();
63 printf("\n"); 63 printf("\n");
64 64
65 // check seccomp 65 // check seccomp
66 seccomp_test(); 66 seccomp_test();
67 printf("\n"); 67 printf("\n");
68 68
69 // check capabilities 69 // check capabilities
70 caps_test(); 70 caps_test();
71 printf("\n"); 71 printf("\n");
@@ -73,11 +73,11 @@ int main(int argc, char **argv) {
73 // check some well-known problematic files and directories 73 // check some well-known problematic files and directories
74 files_test(); 74 files_test();
75 printf("\n"); 75 printf("\n");
76 76
77 // network 77 // network
78 network_test(); 78 network_test();
79 printf("\n"); 79 printf("\n");
80 80
81 // dbus 81 // dbus
82 dbus_test(); 82 dbus_test();
83 printf("\n"); 83 printf("\n");
diff --git a/src/faudit/network.c b/src/faudit/network.c
index 67c11e835..797c15ba8 100644
--- a/src/faudit/network.c
+++ b/src/faudit/network.c
@@ -35,15 +35,15 @@ static void check_ssh(void) {
35 struct sockaddr_in server; 35 struct sockaddr_in server;
36 server.sin_addr.s_addr = inet_addr("127.0.0.1"); 36 server.sin_addr.s_addr = inet_addr("127.0.0.1");
37 server.sin_family = AF_INET; 37 server.sin_family = AF_INET;
38 server.sin_port = htons(22); 38 server.sin_port = htons(22);
39 39
40 if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0) 40 if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0)
41 printf("GOOD: SSH server not available on localhost.\n"); 41 printf("GOOD: SSH server not available on localhost.\n");
42 else { 42 else {
43 printf("MAYBE: an SSH server is accessible on localhost. "); 43 printf("MAYBE: an SSH server is accessible on localhost. ");
44 printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n"); 44 printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
45 } 45 }
46 46
47 close(sock); 47 close(sock);
48} 48}
49 49
@@ -59,15 +59,15 @@ static void check_http(void) {
59 struct sockaddr_in server; 59 struct sockaddr_in server;
60 server.sin_addr.s_addr = inet_addr("127.0.0.1"); 60 server.sin_addr.s_addr = inet_addr("127.0.0.1");
61 server.sin_family = AF_INET; 61 server.sin_family = AF_INET;
62 server.sin_port = htons(80); 62 server.sin_port = htons(80);
63 63
64 if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0) 64 if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0)
65 printf("GOOD: HTTP server not available on localhost.\n"); 65 printf("GOOD: HTTP server not available on localhost.\n");
66 else { 66 else {
67 printf("MAYBE: an HTTP server is accessible on localhost. "); 67 printf("MAYBE: an HTTP server is accessible on localhost. ");
68 printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n"); 68 printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
69 } 69 }
70 70
71 close(sock); 71 close(sock);
72} 72}
73 73
@@ -88,12 +88,12 @@ void check_netlink(void) {
88 close(sock); 88 close(sock);
89 return; 89 return;
90 } 90 }
91 91
92 close(sock); 92 close(sock);
93 printf("MAYBE: I can connect to netlink socket. Network utilities such as iproute2 will work fine in the sandbox. "); 93 printf("MAYBE: I can connect to netlink socket. Network utilities such as iproute2 will work fine in the sandbox. ");
94 printf("You can use \"--protocol\" to disable the socket.\n"); 94 printf("You can use \"--protocol\" to disable the socket.\n");
95} 95}
96 96
97void network_test(void) { 97void network_test(void) {
98 check_ssh(); 98 check_ssh();
99 check_http(); 99 check_http();
diff --git a/src/faudit/pid.c b/src/faudit/pid.c
index 34f6d1691..0aa2ddd44 100644
--- a/src/faudit/pid.c
+++ b/src/faudit/pid.c
@@ -32,7 +32,7 @@ void pid_test(void) {
32 32
33 // look at the first 10 processes 33 // look at the first 10 processes
34 int not_visible = 1; 34 int not_visible = 1;
35 for (i = 1; i <= 10; i++) { 35 for (i = 1; i <= 10; i++) {
36 struct stat s; 36 struct stat s;
37 char *fname; 37 char *fname;
38 if (asprintf(&fname, "/proc/%d/comm", i) == -1) 38 if (asprintf(&fname, "/proc/%d/comm", i) == -1)
@@ -41,7 +41,7 @@ void pid_test(void) {
41 free(fname); 41 free(fname);
42 continue; 42 continue;
43 } 43 }
44 44
45 // open file 45 // open file
46 /* coverity[toctou] */ 46 /* coverity[toctou] */
47 FILE *fp = fopen(fname, "r"); 47 FILE *fp = fopen(fname, "r");
@@ -49,7 +49,7 @@ void pid_test(void) {
49 free(fname); 49 free(fname);
50 continue; 50 continue;
51 } 51 }
52 52
53 // read file 53 // read file
54 char buf[100]; 54 char buf[100];
55 if (fgets(buf, 10, fp) == NULL) { 55 if (fgets(buf, 10, fp) == NULL) {
@@ -63,7 +63,7 @@ void pid_test(void) {
63 char *ptr; 63 char *ptr;
64 if ((ptr = strchr(buf, '\n')) != NULL) 64 if ((ptr = strchr(buf, '\n')) != NULL)
65 *ptr = '\0'; 65 *ptr = '\0';
66 66
67 // check process name against the kernel list 67 // check process name against the kernel list
68 int j = 0; 68 int j = 0;
69 while (kern_proc[j] != NULL) { 69 while (kern_proc[j] != NULL) {
@@ -76,7 +76,7 @@ void pid_test(void) {
76 } 76 }
77 j++; 77 j++;
78 } 78 }
79 79
80 fclose(fp); 80 fclose(fp);
81 free(fname); 81 free(fname);
82 } 82 }
@@ -86,7 +86,7 @@ void pid_test(void) {
86 printf("BAD: Process %d is not running in a PID namespace.\n", pid); 86 printf("BAD: Process %d is not running in a PID namespace.\n", pid);
87 else 87 else
88 printf("GOOD: process %d is running in a PID namespace.\n", pid); 88 printf("GOOD: process %d is running in a PID namespace.\n", pid);
89 89
90 // try to guess the type of container/sandbox 90 // try to guess the type of container/sandbox
91 char *str = getenv("container"); 91 char *str = getenv("container");
92 if (str) 92 if (str)
diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c
index 1c188aa45..2e9665fd9 100644
--- a/src/faudit/seccomp.c
+++ b/src/faudit/seccomp.c
@@ -24,7 +24,7 @@ static int extract_seccomp(int *val) {
24 FILE *fp = fopen("/proc/self/status", "r"); 24 FILE *fp = fopen("/proc/self/status", "r");
25 if (!fp) 25 if (!fp)
26 return 1; 26 return 1;
27 27
28 char buf[MAXBUF]; 28 char buf[MAXBUF];
29 while (fgets(buf, MAXBUF, fp)) { 29 while (fgets(buf, MAXBUF, fp)) {
30 if (strncmp(buf, "Seccomp:\t", 8) == 0) { 30 if (strncmp(buf, "Seccomp:\t", 8) == 0) {
@@ -44,12 +44,12 @@ static int extract_seccomp(int *val) {
44void seccomp_test(void) { 44void seccomp_test(void) {
45 int seccomp_status; 45 int seccomp_status;
46 int rv = extract_seccomp(&seccomp_status); 46 int rv = extract_seccomp(&seccomp_status);
47 47
48 if (rv) { 48 if (rv) {
49 printf("INFO: cannot extract seccomp configuration on this platform.\n"); 49 printf("INFO: cannot extract seccomp configuration on this platform.\n");
50 return; 50 return;
51 } 51 }
52 52
53 if (seccomp_status == 0) { 53 if (seccomp_status == 0) {
54 printf("BAD: seccomp disabled. Use \"firejail --seccomp\" to enable it.\n"); 54 printf("BAD: seccomp disabled. Use \"firejail --seccomp\" to enable it.\n");
55 } 55 }
@@ -67,10 +67,10 @@ void seccomp_test(void) {
67 67
68 printf("ptrace... "); fflush(0); 68 printf("ptrace... "); fflush(0);
69 syscall_run("ptrace"); 69 syscall_run("ptrace");
70 70
71 printf("swapon... "); fflush(0); 71 printf("swapon... "); fflush(0);
72 syscall_run("swapon"); 72 syscall_run("swapon");
73 73
74 printf("swapoff... "); fflush(0); 74 printf("swapoff... "); fflush(0);
75 syscall_run("swapoff"); 75 syscall_run("swapoff");
76 76
@@ -79,20 +79,20 @@ void seccomp_test(void) {
79 79
80 printf("delete_module... "); fflush(0); 80 printf("delete_module... "); fflush(0);
81 syscall_run("delete_module"); 81 syscall_run("delete_module");
82 82
83 printf("chroot... "); fflush(0); 83 printf("chroot... "); fflush(0);
84 syscall_run("chroot"); 84 syscall_run("chroot");
85 85
86 printf("pivot_root... "); fflush(0); 86 printf("pivot_root... "); fflush(0);
87 syscall_run("pivot_root"); 87 syscall_run("pivot_root");
88 88
89#if defined(__i386__) || defined(__x86_64__) 89#if defined(__i386__) || defined(__x86_64__)
90 printf("iopl... "); fflush(0); 90 printf("iopl... "); fflush(0);
91 syscall_run("iopl"); 91 syscall_run("iopl");
92 92
93 printf("ioperm... "); fflush(0); 93 printf("ioperm... "); fflush(0);
94 syscall_run("ioperm"); 94 syscall_run("ioperm");
95#endif 95#endif
96 printf("\n"); 96 printf("\n");
97 } 97 }
98 else 98 else
diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c
index 40b1ecc84..2925a6c30 100644
--- a/src/faudit/syscall.c
+++ b/src/faudit/syscall.c
@@ -33,7 +33,7 @@ extern int pivot_root(const char *new_root, const char *put_old);
33 33
34void syscall_helper(int argc, char **argv) { 34void syscall_helper(int argc, char **argv) {
35 (void) argc; 35 (void) argc;
36 36
37 if (strcmp(argv[2], "mount") == 0) { 37 if (strcmp(argv[2], "mount") == 0) {
38 int rv = mount(NULL, NULL, NULL, 0, NULL); 38 int rv = mount(NULL, NULL, NULL, 0, NULL);
39 (void) rv; 39 (void) rv;
@@ -87,7 +87,7 @@ void syscall_helper(int argc, char **argv) {
87 87
88void syscall_run(const char *name) { 88void syscall_run(const char *name) {
89 assert(prog); 89 assert(prog);
90 90
91 pid_t child = fork(); 91 pid_t child = fork();
92 if (child < 0) 92 if (child < 0)
93 errExit("fork"); 93 errExit("fork");
@@ -96,7 +96,7 @@ void syscall_run(const char *name) {
96 perror("execl"); 96 perror("execl");
97 _exit(1); 97 _exit(1);
98 } 98 }
99 99
100 // wait for the child to finish 100 // wait for the child to finish
101 waitpid(child, NULL, 0); 101 waitpid(child, NULL, 0);
102} 102}
diff --git a/src/faudit/x11.c b/src/faudit/x11.c
index 4cf1511a5..f0cc0eed4 100644
--- a/src/faudit/x11.c
+++ b/src/faudit/x11.c
@@ -29,7 +29,7 @@ void x11_test(void) {
29 29
30 if (check_unix("@/tmp/.X11-unix/X0") == 0) 30 if (check_unix("@/tmp/.X11-unix/X0") == 0)
31 printf("MAYBE: X11 socket @/tmp/.X11-unix/X0 is available\n"); 31 printf("MAYBE: X11 socket @/tmp/.X11-unix/X0 is available\n");
32 32
33 // check all unix sockets in /tmp/.X11-unix directory 33 // check all unix sockets in /tmp/.X11-unix directory
34 DIR *dir; 34 DIR *dir;
35 if (!(dir = opendir("/tmp/.X11-unix"))) { 35 if (!(dir = opendir("/tmp/.X11-unix"))) {
@@ -39,7 +39,7 @@ void x11_test(void) {
39 ; 39 ;
40 } 40 }
41 } 41 }
42 42
43 if (dir == NULL) 43 if (dir == NULL)
44 printf("GOOD: cannot open /tmp/.X11-unix directory\n"); 44 printf("GOOD: cannot open /tmp/.X11-unix directory\n");
45 else { 45 else {
diff --git a/src/fcopy/Makefile.in b/src/fcopy/Makefile.in
index 278957a4f..a5dc7a0f4 100644
--- a/src/fcopy/Makefile.in
+++ b/src/fcopy/Makefile.in
@@ -42,4 +42,3 @@ clean:; rm -f *.o fcopy *.gcov *.gcda *.gcno
42 42
43distclean: clean 43distclean: clean
44 rm -fr Makefile 44 rm -fr Makefile
45
diff --git a/src/firecfg/Makefile.in b/src/firecfg/Makefile.in
index f9fe08768..b7412b7f0 100644
--- a/src/firecfg/Makefile.in
+++ b/src/firecfg/Makefile.in
@@ -37,4 +37,3 @@ clean:; rm -f *.o firecfg firecfg.1 firecfg.1.gz *.gcov *.gcda *.gcno
37 37
38distclean: clean 38distclean: clean
39 rm -fr Makefile 39 rm -fr Makefile
40
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index 4f957b4ae..ea439cf0e 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -79,7 +79,7 @@ static void sound(void) {
79 if (!home) { 79 if (!home) {
80 goto errexit; 80 goto errexit;
81 } 81 }
82 82
83 // the input file is /etc/pulse/client.conf 83 // the input file is /etc/pulse/client.conf
84 FILE *fpin = fopen("/etc/pulse/client.conf", "r"); 84 FILE *fpin = fopen("/etc/pulse/client.conf", "r");
85 if (!fpin) { 85 if (!fpin) {
@@ -95,18 +95,18 @@ static void sound(void) {
95 free(fname); 95 free(fname);
96 if (!fpout) 96 if (!fpout)
97 goto errexit; 97 goto errexit;
98 98
99 // copy default config 99 // copy default config
100 char buf[MAX_BUF]; 100 char buf[MAX_BUF];
101 while (fgets(buf, MAX_BUF, fpin)) 101 while (fgets(buf, MAX_BUF, fpin))
102 fputs(buf, fpout); 102 fputs(buf, fpout);
103 103
104 // disable shm 104 // disable shm
105 fprintf(fpout, "\nenable-shm = no\n"); 105 fprintf(fpout, "\nenable-shm = no\n");
106 fclose(fpin); 106 fclose(fpin);
107 fclose(fpout); 107 fclose(fpout);
108 printf("PulseAudio configured, please logout and login back again\n"); 108 printf("PulseAudio configured, please logout and login back again\n");
109 return; 109 return;
110 110
111errexit: 111errexit:
112 fprintf(stderr, "Error: cannot configure sound file\n"); 112 fprintf(stderr, "Error: cannot configure sound file\n");
@@ -116,18 +116,18 @@ errexit:
116// return 1 if the program is found 116// return 1 if the program is found
117static int find(const char *program, const char *directory) { 117static int find(const char *program, const char *directory) {
118 int retval = 0; 118 int retval = 0;
119 119
120 char *fname; 120 char *fname;
121 if (asprintf(&fname, "/%s/%s", directory, program) == -1) 121 if (asprintf(&fname, "/%s/%s", directory, program) == -1)
122 errExit("asprintf"); 122 errExit("asprintf");
123 123
124 struct stat s; 124 struct stat s;
125 if (stat(fname, &s) == 0) { 125 if (stat(fname, &s) == 0) {
126 if (arg_debug) 126 if (arg_debug)
127 printf("found %s in directory %s\n", program, directory); 127 printf("found %s in directory %s\n", program, directory);
128 retval = 1; 128 retval = 1;
129 } 129 }
130 130
131 free(fname); 131 free(fname);
132 return retval; 132 return retval;
133} 133}
@@ -140,14 +140,14 @@ static int which(const char *program) {
140 find(program, "/sbin") || find(program, "/usr/sbin") || 140 find(program, "/sbin") || find(program, "/usr/sbin") ||
141 find(program, "/usr/games")) 141 find(program, "/usr/games"))
142 return 1; 142 return 1;
143 143
144 // check environment 144 // check environment
145 char *path1 = getenv("PATH"); 145 char *path1 = getenv("PATH");
146 if (path1) { 146 if (path1) {
147 char *path2 = strdup(path1); 147 char *path2 = strdup(path1);
148 if (!path2) 148 if (!path2)
149 errExit("strdup"); 149 errExit("strdup");
150 150
151 // use path2 to count the entries 151 // use path2 to count the entries
152 char *ptr = strtok(path2, ":"); 152 char *ptr = strtok(path2, ":");
153 while (ptr) { 153 while (ptr) {
@@ -159,7 +159,7 @@ static int which(const char *program) {
159 } 159 }
160 free(path2); 160 free(path2);
161 } 161 }
162 162
163 return 0; 163 return 0;
164} 164}
165 165
@@ -193,11 +193,11 @@ static void list(void) {
193 while ((entry = readdir(dir)) != NULL) { 193 while ((entry = readdir(dir)) != NULL) {
194 if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) 194 if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
195 continue; 195 continue;
196 196
197 char *fullname; 197 char *fullname;
198 if (asprintf(&fullname, "/usr/local/bin/%s", entry->d_name) == -1) 198 if (asprintf(&fullname, "/usr/local/bin/%s", entry->d_name) == -1)
199 errExit("asprintf"); 199 errExit("asprintf");
200 200
201 if (is_link(fullname)) { 201 if (is_link(fullname)) {
202 char* fname = realpath(fullname, NULL); 202 char* fname = realpath(fullname, NULL);
203 if (fname) { 203 if (fname) {
@@ -208,7 +208,7 @@ static void list(void) {
208 } 208 }
209 free(fullname); 209 free(fullname);
210 } 210 }
211 211
212 closedir(dir); 212 closedir(dir);
213 free(firejail_exec); 213 free(firejail_exec);
214} 214}
@@ -233,11 +233,11 @@ static void clear(void) {
233 while ((entry = readdir(dir)) != NULL) { 233 while ((entry = readdir(dir)) != NULL) {
234 if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) 234 if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
235 continue; 235 continue;
236 236
237 char *fullname; 237 char *fullname;
238 if (asprintf(&fullname, "/usr/local/bin/%s", entry->d_name) == -1) 238 if (asprintf(&fullname, "/usr/local/bin/%s", entry->d_name) == -1)
239 errExit("asprintf"); 239 errExit("asprintf");
240 240
241 if (is_link(fullname)) { 241 if (is_link(fullname)) {
242 char* fname = realpath(fullname, NULL); 242 char* fname = realpath(fullname, NULL);
243 if (fname) { 243 if (fname) {
@@ -250,7 +250,7 @@ static void clear(void) {
250 } 250 }
251 free(fullname); 251 free(fullname);
252 } 252 }
253 253
254 closedir(dir); 254 closedir(dir);
255 free(firejail_exec); 255 free(firejail_exec);
256} 256}
@@ -262,7 +262,7 @@ static void set_file(const char *name, const char *firejail_exec) {
262 char *fname; 262 char *fname;
263 if (asprintf(&fname, "/usr/local/bin/%s", name) == -1) 263 if (asprintf(&fname, "/usr/local/bin/%s", name) == -1)
264 errExit("asprintf"); 264 errExit("asprintf");
265 265
266 struct stat s; 266 struct stat s;
267 if (stat(fname, &s) != 0) { 267 if (stat(fname, &s) != 0) {
268 int rv = symlink(firejail_exec, fname); 268 int rv = symlink(firejail_exec, fname);
@@ -273,7 +273,7 @@ static void set_file(const char *name, const char *firejail_exec) {
273 else 273 else
274 printf(" %s created\n", name); 274 printf(" %s created\n", name);
275 } 275 }
276 276
277 free(fname); 277 free(fname);
278} 278}
279 279
@@ -292,7 +292,7 @@ static void set_links(void) {
292 exit(1); 292 exit(1);
293 } 293 }
294 printf("Configuring symlinks in /usr/local/bin\n"); 294 printf("Configuring symlinks in /usr/local/bin\n");
295 295
296 char buf[MAX_BUF]; 296 char buf[MAX_BUF];
297 int lineno = 0; 297 int lineno = 0;
298 while (fgets(buf, MAX_BUF,fp)) { 298 while (fgets(buf, MAX_BUF,fp)) {
@@ -305,18 +305,18 @@ static void set_links(void) {
305 fprintf(stderr, "Error: invalid line %d in %s\n", lineno, cfgfile); 305 fprintf(stderr, "Error: invalid line %d in %s\n", lineno, cfgfile);
306 exit(1); 306 exit(1);
307 } 307 }
308 308
309 // remove \n 309 // remove \n
310 char *ptr = strchr(buf, '\n'); 310 char *ptr = strchr(buf, '\n');
311 if (ptr) 311 if (ptr)
312 *ptr = '\0'; 312 *ptr = '\0';
313 313
314 // trim spaces 314 // trim spaces
315 ptr = buf; 315 ptr = buf;
316 while (*ptr == ' ' || *ptr == '\t') 316 while (*ptr == ' ' || *ptr == '\t')
317 ptr++; 317 ptr++;
318 char *start = ptr; 318 char *start = ptr;
319 319
320 // empty line 320 // empty line
321 if (*start == '\0') 321 if (*start == '\0')
322 continue; 322 continue;
@@ -334,7 +334,7 @@ int have_profile(const char *filename) {
334 // remove .desktop extension 334 // remove .desktop extension
335 char *f1 = strdup(filename); 335 char *f1 = strdup(filename);
336 if (!f1) 336 if (!f1)
337 errExit("strdup"); 337 errExit("strdup");
338 f1[strlen(filename) - 8] = '\0'; 338 f1[strlen(filename) - 8] = '\0';
339 339
340 // build profile name 340 // build profile name
@@ -358,7 +358,7 @@ static void fix_desktop_files(char *homedir) {
358 fprintf(stderr, "Error: this option is not supported for root user; please run as a regular user.\n"); 358 fprintf(stderr, "Error: this option is not supported for root user; please run as a regular user.\n");
359 exit(1); 359 exit(1);
360 } 360 }
361 361
362 // destination 362 // destination
363 // create ~/.local/share/applications directory if necessary 363 // create ~/.local/share/applications directory if necessary
364 char *user_apps_dir; 364 char *user_apps_dir;
@@ -373,7 +373,7 @@ static void fix_desktop_files(char *homedir) {
373 } 373 }
374 rv = chmod(user_apps_dir, 0700); 374 rv = chmod(user_apps_dir, 0700);
375 (void) rv; 375 (void) rv;
376 } 376 }
377 377
378 // source 378 // source
379 DIR *dir = opendir("/usr/share/applications"); 379 DIR *dir = opendir("/usr/share/applications");
@@ -527,7 +527,7 @@ static void fix_desktop_files(char *homedir) {
527 527
528int main(int argc, char **argv) { 528int main(int argc, char **argv) {
529 int i; 529 int i;
530 530
531 for (i = 1; i < argc; i++) { 531 for (i = 1; i < argc; i++) {
532 // default options 532 // default options
533 if (strcmp(argv[i], "--help") == 0 || 533 if (strcmp(argv[i], "--help") == 0 ||
@@ -572,7 +572,7 @@ int main(int argc, char **argv) {
572 return 1; 572 return 1;
573 } 573 }
574 } 574 }
575 575
576 // set symlinks in /usr/local/bin 576 // set symlinks in /usr/local/bin
577 if (getuid() != 0) { 577 if (getuid() != 0) {
578 fprintf(stderr, "Error: cannot set the symbolic links in /usr/local/bin\n"); 578 fprintf(stderr, "Error: cannot set the symbolic links in /usr/local/bin\n");
@@ -615,11 +615,10 @@ int main(int argc, char **argv) {
615 printf("%s %d %d %d %d\n", user, getuid(), getgid(), geteuid(), getegid()); 615 printf("%s %d %d %d %d\n", user, getuid(), getgid(), geteuid(), getegid());
616 fix_desktop_files(home); 616 fix_desktop_files(home);
617 } 617 }
618 618
619 return 0; 619 return 0;
620 620
621errexit: 621errexit:
622 fprintf(stderr, "Error: cannot detect login user in order to set desktop files in ~/.local/share/applications\n"); 622 fprintf(stderr, "Error: cannot detect login user in order to set desktop files in ~/.local/share/applications\n");
623 return 1; 623 return 1;
624} 624}
625
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 80f35ff4d..2059713ac 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -42,4 +42,3 @@ clean:; rm -f *.o firejail firejail.1 firejail.1.gz *.gcov *.gcda *.gcno
42 42
43distclean: clean 43distclean: clean
44 rm -fr Makefile 44 rm -fr Makefile
45
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index e14de3c27..976750f8f 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -28,7 +28,7 @@
28#include <linux/loop.h> 28#include <linux/loop.h>
29#include <errno.h> 29#include <errno.h>
30 30
31static char *devloop = NULL; // device file 31static char *devloop = NULL; // device file
32static char *mntdir = NULL; // mount point in /tmp directory 32static char *mntdir = NULL; // mount point in /tmp directory
33 33
34static void err_loop(void) { 34static void err_loop(void) {
@@ -40,7 +40,7 @@ void appimage_set(const char *appimage) {
40 assert(appimage); 40 assert(appimage);
41 assert(devloop == NULL); // don't call this twice! 41 assert(devloop == NULL); // don't call this twice!
42 EUID_ASSERT(); 42 EUID_ASSERT();
43 43
44#ifdef LOOP_CTL_GET_FREE // test for older kernels; this definition is found in /usr/include/linux/loop.h 44#ifdef LOOP_CTL_GET_FREE // test for older kernels; this definition is found in /usr/include/linux/loop.h
45 // check appimage file 45 // check appimage file
46 invalid_filename(appimage); 46 invalid_filename(appimage);
@@ -74,13 +74,13 @@ void appimage_set(const char *appimage) {
74 close(cfd); 74 close(cfd);
75 if (asprintf(&devloop, "/dev/loop%d", devnr) == -1) 75 if (asprintf(&devloop, "/dev/loop%d", devnr) == -1)
76 errExit("asprintf"); 76 errExit("asprintf");
77 77
78 int lfd = open(devloop, O_RDONLY); 78 int lfd = open(devloop, O_RDONLY);
79 if (lfd == -1) 79 if (lfd == -1)
80 err_loop(); 80 err_loop();
81 if (ioctl(lfd, LOOP_SET_FD, ffd) == -1) 81 if (ioctl(lfd, LOOP_SET_FD, ffd) == -1)
82 err_loop(); 82 err_loop();
83 83
84 if (size) { 84 if (size) {
85 struct loop_info64 info; 85 struct loop_info64 info;
86 memset(&info, 0, sizeof(struct loop_info64)); 86 memset(&info, 0, sizeof(struct loop_info64));
@@ -88,7 +88,7 @@ void appimage_set(const char *appimage) {
88 if (ioctl(lfd, LOOP_SET_STATUS64, &info) == -1) 88 if (ioctl(lfd, LOOP_SET_STATUS64, &info) == -1)
89 err_loop(); 89 err_loop();
90 } 90 }
91 91
92 close(lfd); 92 close(lfd);
93 close(ffd); 93 close(ffd);
94 EUID_USER(); 94 EUID_USER();
@@ -99,13 +99,13 @@ void appimage_set(const char *appimage) {
99 EUID_ROOT(); 99 EUID_ROOT();
100 mkdir_attr(mntdir, 0700, getuid(), getgid()); 100 mkdir_attr(mntdir, 0700, getuid(), getgid());
101 EUID_USER(); 101 EUID_USER();
102 102
103 // mount 103 // mount
104 char *mode; 104 char *mode;
105 if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1) 105 if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1)
106 errExit("asprintf"); 106 errExit("asprintf");
107 EUID_ROOT(); 107 EUID_ROOT();
108 108
109 if (size == 0) { 109 if (size == 0) {
110 if (mount(devloop, mntdir, "iso9660",MS_MGC_VAL|MS_RDONLY, mode) < 0) 110 if (mount(devloop, mntdir, "iso9660",MS_MGC_VAL|MS_RDONLY, mode) < 0)
111 errExit("mounting appimage"); 111 errExit("mounting appimage");
@@ -128,7 +128,7 @@ void appimage_set(const char *appimage) {
128 // build new command line 128 // build new command line
129 if (asprintf(&cfg.command_line, "%s/AppRun", mntdir) == -1) 129 if (asprintf(&cfg.command_line, "%s/AppRun", mntdir) == -1)
130 errExit("asprintf"); 130 errExit("asprintf");
131 131
132 free(mode); 132 free(mode);
133#ifdef HAVE_GCOV 133#ifdef HAVE_GCOV
134 __gcov_flush(); 134 __gcov_flush();
@@ -151,7 +151,7 @@ void appimage_clear(void) {
151 if (rv == 0) { 151 if (rv == 0) {
152 if (!arg_quiet) 152 if (!arg_quiet)
153 printf("AppImage unmounted\n"); 153 printf("AppImage unmounted\n");
154 154
155 break; 155 break;
156 } 156 }
157 if (rv == -1 && errno == EBUSY) { 157 if (rv == -1 && errno == EBUSY) {
@@ -159,14 +159,14 @@ void appimage_clear(void) {
159 sleep(2); 159 sleep(2);
160 continue; 160 continue;
161 } 161 }
162 162
163 // rv = -1 163 // rv = -1
164 if (!arg_quiet) { 164 if (!arg_quiet) {
165 fwarning("error trying to unmount %s\n", mntdir); 165 fwarning("error trying to unmount %s\n", mntdir);
166 perror("umount"); 166 perror("umount");
167 } 167 }
168 } 168 }
169 169
170 if (rv == 0) { 170 if (rv == 0) {
171 rmdir(mntdir); 171 rmdir(mntdir);
172 free(mntdir); 172 free(mntdir);
diff --git a/src/firejail/appimage_size.c b/src/firejail/appimage_size.c
index 1632440ed..c750f9028 100644
--- a/src/firejail/appimage_size.c
+++ b/src/firejail/appimage_size.c
@@ -156,5 +156,3 @@ getout:
156 close(fd); 156 close(fd);
157 return size; 157 return size;
158} 158}
159
160
diff --git a/src/firejail/arg-checking.txt b/src/firejail/arg-checking.txt
index 07e61df93..cfed454f8 100644
--- a/src/firejail/arg-checking.txt
+++ b/src/firejail/arg-checking.txt
@@ -49,7 +49,7 @@ arg checking:
49 - checking no link 49 - checking no link
50 - checking no ".." 50 - checking no ".."
51 - unit test 51 - unit test
52 52
538. --private=dirname 538. --private=dirname
54 - supported in profiles 54 - supported in profiles
55 - expand "~" 55 - expand "~"
@@ -58,7 +58,7 @@ arg checking:
58 - checking no ".." 58 - checking no ".."
59 - check same owner 59 - check same owner
60 - unit test 60 - unit test
61 61
629. --private-home=filelist 629. --private-home=filelist
63 - supported in profiles 63 - supported in profiles
64 - checking no ".." 64 - checking no ".."
@@ -66,7 +66,7 @@ arg checking:
66 - checking same owner 66 - checking same owner
67 - checking no link 67 - checking no link
68 - unit test 68 - unit test
69 69
7010. --netfilter=filename 7010. --netfilter=filename
71 - supported in profiles 71 - supported in profiles
72 - check access as real GID/UID 72 - check access as real GID/UID
@@ -74,7 +74,7 @@ arg checking:
74 - checking no link 74 - checking no link
75 - checking no ".." 75 - checking no ".."
76 - unit test 76 - unit test
77 77
7811. --shell=filename 7811. --shell=filename
79 - not supported in profiles 79 - not supported in profiles
80 - check access as real GID/UID 80 - check access as real GID/UID
@@ -82,4 +82,3 @@ arg checking:
82 - checking no link 82 - checking no link
83 - checking no ".." 83 - checking no ".."
84 - unit test 84 - unit test
85
diff --git a/src/firejail/arp.c b/src/firejail/arp.c
index 55ffbb301..10cfe507f 100644
--- a/src/firejail/arp.c
+++ b/src/firejail/arp.c
@@ -47,7 +47,7 @@ int arp_check(const char *dev, uint32_t destaddr, uint32_t srcaddr) {
47 fprintf(stderr, "Error: invalid network device name %s\n", dev); 47 fprintf(stderr, "Error: invalid network device name %s\n", dev);
48 exit(1); 48 exit(1);
49 } 49 }
50 50
51 if (arg_debug) 51 if (arg_debug)
52 printf("Trying %d.%d.%d.%d ...\n", PRINT_IP(destaddr)); 52 printf("Trying %d.%d.%d.%d ...\n", PRINT_IP(destaddr));
53 53
@@ -66,7 +66,7 @@ int arp_check(const char *dev, uint32_t destaddr, uint32_t srcaddr) {
66 if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0) 66 if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0)
67 errExit("ioctl"); 67 errExit("ioctl");
68 close(sock); 68 close(sock);
69 69
70 // configure layer2 socket address information 70 // configure layer2 socket address information
71 struct sockaddr_ll addr; 71 struct sockaddr_ll addr;
72 memset(&addr, 0, sizeof(addr)); 72 memset(&addr, 0, sizeof(addr));
@@ -105,7 +105,7 @@ int arp_check(const char *dev, uint32_t destaddr, uint32_t srcaddr) {
105 if ((len = sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr))) <= 0) 105 if ((len = sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr))) <= 0)
106 errExit("send"); 106 errExit("send");
107 fflush(0); 107 fflush(0);
108 108
109 // wait not more than one second for an answer 109 // wait not more than one second for an answer
110 fd_set fds; 110 fd_set fds;
111 FD_ZERO(&fds); 111 FD_ZERO(&fds);
@@ -130,7 +130,7 @@ int arp_check(const char *dev, uint32_t destaddr, uint32_t srcaddr) {
130 close(sock); 130 close(sock);
131 return -1; 131 return -1;
132 } 132 }
133 133
134 // parse the incoming packet 134 // parse the incoming packet
135 if ((unsigned int) len < 14 + sizeof(ArpHdr)) 135 if ((unsigned int) len < 14 + sizeof(ArpHdr))
136 continue; 136 continue;
@@ -147,7 +147,7 @@ int arp_check(const char *dev, uint32_t destaddr, uint32_t srcaddr) {
147 memcpy(&ip, hdr.target_ip, 4); 147 memcpy(&ip, hdr.target_ip, 4);
148 if (ip != srcaddr) { 148 if (ip != srcaddr) {
149 continue; 149 continue;
150 } 150 }
151 close(sock); 151 close(sock);
152 return -1; 152 return -1;
153 } 153 }
@@ -180,13 +180,13 @@ static uint32_t arp_random(const char *dev, Bridge *br) {
180 return 0; // the user will have to set the IP address manually 180 return 0; // the user will have to set the IP address manually
181 range -= 2; // subtract the network address and the broadcast address 181 range -= 2; // subtract the network address and the broadcast address
182 uint32_t start = (ifip & ifmask) + 1; 182 uint32_t start = (ifip & ifmask) + 1;
183 183
184 // adjust range based on --iprange params 184 // adjust range based on --iprange params
185 if (br->iprange_start && br->iprange_end) { 185 if (br->iprange_start && br->iprange_end) {
186 start = br->iprange_start; 186 start = br->iprange_start;
187 range = br->iprange_end - br->iprange_start; 187 range = br->iprange_end - br->iprange_start;
188 } 188 }
189 189
190 if (arg_debug) 190 if (arg_debug)
191 printf("IP address range from %d.%d.%d.%d to %d.%d.%d.%d\n", 191 printf("IP address range from %d.%d.%d.%d to %d.%d.%d.%d\n",
192 PRINT_IP(start), PRINT_IP(start + range)); 192 PRINT_IP(start), PRINT_IP(start + range));
@@ -198,13 +198,13 @@ static uint32_t arp_random(const char *dev, Bridge *br) {
198 dest = start + ((uint32_t) rand()) % range; 198 dest = start + ((uint32_t) rand()) % range;
199 if (dest == ifip) // do not allow the interface address 199 if (dest == ifip) // do not allow the interface address
200 continue; // try again 200 continue; // try again
201 201
202 // if we've made it up to here, we have a valid address 202 // if we've made it up to here, we have a valid address
203 break; 203 break;
204 } 204 }
205 if (i == 10) // we failed 10 times 205 if (i == 10) // we failed 10 times
206 return 0; 206 return 0;
207 207
208 // check address 208 // check address
209 uint32_t rv = arp_check(dev, dest, ifip); 209 uint32_t rv = arp_check(dev, dest, ifip);
210 if (!rv) 210 if (!rv)
@@ -237,7 +237,7 @@ static uint32_t arp_sequential(const char *dev, Bridge *br) {
237 uint32_t last = dest + range - 1; 237 uint32_t last = dest + range - 1;
238 if (br->iprange_end) 238 if (br->iprange_end)
239 last = br->iprange_end; 239 last = br->iprange_end;
240 240
241 if (arg_debug) 241 if (arg_debug)
242 printf("Trying IP address range from %d.%d.%d.%d to %d.%d.%d.%d\n", 242 printf("Trying IP address range from %d.%d.%d.%d to %d.%d.%d.%d\n",
243 PRINT_IP(dest), PRINT_IP(last)); 243 PRINT_IP(dest), PRINT_IP(last));
@@ -272,19 +272,17 @@ uint32_t arp_assign(const char *dev, Bridge *br) {
272 ip = arp_random(dev, br); 272 ip = arp_random(dev, br);
273 if (!ip) 273 if (!ip)
274 ip = arp_random(dev, br); 274 ip = arp_random(dev, br);
275 275
276 // try all possible IP addresses one by one 276 // try all possible IP addresses one by one
277 if (!ip) 277 if (!ip)
278 ip = arp_sequential(dev, br); 278 ip = arp_sequential(dev, br);
279 279
280 // print result 280 // print result
281 if (!ip) { 281 if (!ip) {
282 fprintf(stderr, "Error: cannot assign an IP address; it looks like all of them are in use.\n"); 282 fprintf(stderr, "Error: cannot assign an IP address; it looks like all of them are in use.\n");
283 logerr("Cannot assign an IP address; it looks like all of them are in use."); 283 logerr("Cannot assign an IP address; it looks like all of them are in use.");
284 exit(1); 284 exit(1);
285 } 285 }
286 286
287 return ip; 287 return ip;
288} 288}
289
290
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c
index 998fe5ffe..24d027d54 100644
--- a/src/firejail/bandwidth.c
+++ b/src/firejail/bandwidth.c
@@ -58,30 +58,30 @@ IFBW *ifbw_find(const char *dev) {
58 assert(dev); 58 assert(dev);
59 int len = strlen(dev); 59 int len = strlen(dev);
60 assert(len); 60 assert(len);
61 61
62 if (ifbw == NULL) 62 if (ifbw == NULL)
63 return NULL; 63 return NULL;
64 64
65 IFBW *ptr = ifbw; 65 IFBW *ptr = ifbw;
66 while (ptr) { 66 while (ptr) {
67 if (strncmp(ptr->txt, dev, len) == 0 && ptr->txt[len] == ':') 67 if (strncmp(ptr->txt, dev, len) == 0 && ptr->txt[len] == ':')
68 return ptr; 68 return ptr;
69 ptr = ptr->next; 69 ptr = ptr->next;
70 } 70 }
71 71
72 return NULL; 72 return NULL;
73} 73}
74 74
75void ifbw_remove(IFBW *r) { 75void ifbw_remove(IFBW *r) {
76 if (ifbw == NULL) 76 if (ifbw == NULL)
77 return; 77 return;
78 78
79 // remove the first element 79 // remove the first element
80 if (ifbw == r) { 80 if (ifbw == r) {
81 ifbw = ifbw->next; 81 ifbw = ifbw->next;
82 return; 82 return;
83 } 83 }
84 84
85 // walk the list 85 // walk the list
86 IFBW *ptr = ifbw->next; 86 IFBW *ptr = ifbw->next;
87 IFBW *prev = ifbw; 87 IFBW *prev = ifbw;
@@ -90,11 +90,11 @@ void ifbw_remove(IFBW *r) {
90 prev->next = ptr->next; 90 prev->next = ptr->next;
91 return; 91 return;
92 } 92 }
93 93
94 prev = ptr; 94 prev = ptr;
95 ptr = ptr->next; 95 ptr = ptr->next;
96 } 96 }
97 97
98 return; 98 return;
99} 99}
100 100
@@ -106,10 +106,10 @@ int fibw_count(void) {
106 rv++; 106 rv++;
107 ptr = ptr->next; 107 ptr = ptr->next;
108 } 108 }
109 109
110 return rv; 110 return rv;
111} 111}
112 112
113 113
114//*********************************** 114//***********************************
115// run file handling 115// run file handling
@@ -118,7 +118,7 @@ static void bandwidth_create_run_file(pid_t pid) {
118 char *fname; 118 char *fname;
119 if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1) 119 if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1)
120 errExit("asprintf"); 120 errExit("asprintf");
121 121
122 // if the file already exists, do nothing 122 // if the file already exists, do nothing
123 struct stat s; 123 struct stat s;
124 if (stat(fname, &s) == 0) { 124 if (stat(fname, &s) == 0) {
@@ -137,7 +137,7 @@ static void bandwidth_create_run_file(pid_t pid) {
137 fprintf(stderr, "Error: cannot create bandwidth file\n"); 137 fprintf(stderr, "Error: cannot create bandwidth file\n");
138 exit(1); 138 exit(1);
139 } 139 }
140 140
141 free(fname); 141 free(fname);
142} 142}
143 143
@@ -162,7 +162,7 @@ void network_set_run_file(pid_t pid) {
162 char *fname; 162 char *fname;
163 if (asprintf(&fname, "%s/%d-netmap", RUN_FIREJAIL_NETWORK_DIR, (int) pid) == -1) 163 if (asprintf(&fname, "%s/%d-netmap", RUN_FIREJAIL_NETWORK_DIR, (int) pid) == -1)
164 errExit("asprintf"); 164 errExit("asprintf");
165 165
166 // create an empty file and set mod and ownership 166 // create an empty file and set mod and ownership
167 FILE *fp = fopen(fname, "w"); 167 FILE *fp = fopen(fname, "w");
168 if (fp) { 168 if (fp) {
@@ -182,7 +182,7 @@ void network_set_run_file(pid_t pid) {
182 fprintf(stderr, "Error: cannot create network map file\n"); 182 fprintf(stderr, "Error: cannot create network map file\n");
183 exit(1); 183 exit(1);
184 } 184 }
185 185
186 free(fname); 186 free(fname);
187} 187}
188 188
@@ -204,7 +204,7 @@ static void read_bandwidth_file(pid_t pid) {
204 *ptr = '\0'; 204 *ptr = '\0';
205 if (strlen(buf) == 0) 205 if (strlen(buf) == 0)
206 continue; 206 continue;
207 207
208 // create a new IFBW entry 208 // create a new IFBW entry
209 IFBW *ifbw_new = malloc(sizeof(IFBW)); 209 IFBW *ifbw_new = malloc(sizeof(IFBW));
210 if (!ifbw_new) 210 if (!ifbw_new)
@@ -213,12 +213,12 @@ static void read_bandwidth_file(pid_t pid) {
213 ifbw_new->txt = strdup(buf); 213 ifbw_new->txt = strdup(buf);
214 if (!ifbw_new->txt) 214 if (!ifbw_new->txt)
215 errExit("strdup"); 215 errExit("strdup");
216 216
217 // add it to the linked list 217 // add it to the linked list
218 ifbw_add(ifbw_new); 218 ifbw_add(ifbw_new);
219 } 219 }
220 220
221 fclose(fp); 221 fclose(fp);
222 } 222 }
223} 223}
224 224
@@ -256,17 +256,17 @@ errout:
256// remove interface from run file 256// remove interface from run file
257void bandwidth_remove(pid_t pid, const char *dev) { 257void bandwidth_remove(pid_t pid, const char *dev) {
258 bandwidth_create_run_file(pid); 258 bandwidth_create_run_file(pid);
259 259
260 // read bandwidth file 260 // read bandwidth file
261 read_bandwidth_file(pid); 261 read_bandwidth_file(pid);
262 262
263 // find the element and remove it 263 // find the element and remove it
264 IFBW *elem = ifbw_find(dev); 264 IFBW *elem = ifbw_find(dev);
265 if (elem) { 265 if (elem) {
266 ifbw_remove(elem); 266 ifbw_remove(elem);
267 write_bandwidth_file(pid) ; 267 write_bandwidth_file(pid) ;
268 } 268 }
269 269
270 // remove the file if there are no entries in the list 270 // remove the file if there are no entries in the list
271 if (ifbw == NULL) { 271 if (ifbw == NULL) {
272 bandwidth_del_run_file(pid); 272 bandwidth_del_run_file(pid);
@@ -282,7 +282,7 @@ void bandwidth_set(pid_t pid, const char *dev, int down, int up) {
282 char *txt; 282 char *txt;
283 if (asprintf(&txt, "%s: RX %dKB/s, TX %dKB/s", dev, down, up) == -1) 283 if (asprintf(&txt, "%s: RX %dKB/s, TX %dKB/s", dev, down, up) == -1)
284 errExit("asprintf"); 284 errExit("asprintf");
285 285
286 // read bandwidth file 286 // read bandwidth file
287 read_bandwidth_file(pid); 287 read_bandwidth_file(pid);
288 288
@@ -300,7 +300,7 @@ void bandwidth_set(pid_t pid, const char *dev, int down, int up) {
300 errExit("malloc"); 300 errExit("malloc");
301 memset(ifbw_new, 0, sizeof(IFBW)); 301 memset(ifbw_new, 0, sizeof(IFBW));
302 ifbw_new->txt = txt; 302 ifbw_new->txt = txt;
303 303
304 // add it to the linked list 304 // add it to the linked list
305 ifbw_add(ifbw_new); 305 ifbw_add(ifbw_new);
306 } 306 }
@@ -330,7 +330,7 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
330 exit(1); 330 exit(1);
331 } 331 }
332 free(comm); 332 free(comm);
333 333
334 // check network namespace 334 // check network namespace
335 char *name; 335 char *name;
336 if (asprintf(&name, "/run/firejail/network/%d-netmap", pid) == -1) 336 if (asprintf(&name, "/run/firejail/network/%d-netmap", pid) == -1)
@@ -376,7 +376,7 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
376 fprintf(stderr, "Error: cannot read network map file %s\n", fname); 376 fprintf(stderr, "Error: cannot read network map file %s\n", fname);
377 exit(1); 377 exit(1);
378 } 378 }
379 379
380 char buf[1024]; 380 char buf[1024];
381 int len = strlen(dev); 381 int len = strlen(dev);
382 while (fgets(buf, 1024, fp)) { 382 while (fgets(buf, 1024, fp)) {
@@ -402,7 +402,7 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
402 free(fname); 402 free(fname);
403 fclose(fp); 403 fclose(fp);
404 } 404 }
405 405
406 // build fshaper.sh command 406 // build fshaper.sh command
407 char *cmd = NULL; 407 char *cmd = NULL;
408 if (devname) { 408 if (devname) {
@@ -442,7 +442,7 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in
442 arg[3] = NULL; 442 arg[3] = NULL;
443 clearenv(); 443 clearenv();
444 execvp(arg[0], arg); 444 execvp(arg[0], arg);
445 445
446 // it will never get here 446 // it will never get here
447 errExit("execvp"); 447 errExit("execvp");
448} 448}
diff --git a/src/firejail/caps.c b/src/firejail/caps.c
index 30693f7a0..d45ba20ce 100644
--- a/src/firejail/caps.c
+++ b/src/firejail/caps.c
@@ -154,12 +154,12 @@ static CapsEntry capslist[] = {
154// not in Debian 7 154// not in Debian 7
155#ifdef CAP_BLOCK_SUSPEND 155#ifdef CAP_BLOCK_SUSPEND
156 {"block_suspend", CAP_BLOCK_SUSPEND }, 156 {"block_suspend", CAP_BLOCK_SUSPEND },
157#else 157#else
158 {"block_suspend", 36 }, 158 {"block_suspend", 36 },
159#endif 159#endif
160#ifdef CAP_AUDIT_READ 160#ifdef CAP_AUDIT_READ
161 {"audit_read", CAP_AUDIT_READ }, 161 {"audit_read", CAP_AUDIT_READ },
162#else 162#else
163 {"audit_read", 37 }, 163 {"audit_read", 37 },
164#endif 164#endif
165 165
@@ -176,7 +176,7 @@ static int caps_find_name(const char *name) {
176 if (strcmp(name, capslist[i].name) == 0) 176 if (strcmp(name, capslist[i].name) == 0)
177 return capslist[i].nr; 177 return capslist[i].nr;
178 } 178 }
179 179
180 return -1; 180 return -1;
181} 181}
182 182
@@ -205,32 +205,32 @@ void caps_check_list(const char *clist, void (*callback)(int)) {
205 goto errexit; 205 goto errexit;
206 else if (callback != NULL) 206 else if (callback != NULL)
207 callback(nr); 207 callback(nr);
208 208
209 start = ptr + 1; 209 start = ptr + 1;
210 } 210 }
211 ptr++; 211 ptr++;
212 } 212 }
213 if (*start != '\0') { 213 if (*start != '\0') {
214 int nr = caps_find_name(start); 214 int nr = caps_find_name(start);
215 if (nr == -1) 215 if (nr == -1)
216 goto errexit; 216 goto errexit;
217 else if (callback != NULL) 217 else if (callback != NULL)
218 callback(nr); 218 callback(nr);
219 } 219 }
220 220
221 free(str); 221 free(str);
222 return; 222 return;
223 223
224errexit: 224errexit:
225 fprintf(stderr, "Error: capability \"%s\" not found\n", start); 225 fprintf(stderr, "Error: capability \"%s\" not found\n", start);
226 exit(1); 226 exit(1);
227} 227}
228 228
229void caps_print(void) { 229void caps_print(void) {
230 EUID_ASSERT(); 230 EUID_ASSERT();
231 int i; 231 int i;
232 int elems = sizeof(capslist) / sizeof(capslist[0]); 232 int elems = sizeof(capslist) / sizeof(capslist[0]);
233 233
234 // check current caps supported by the kernel 234 // check current caps supported by the kernel
235 int cnt = 0; 235 int cnt = 0;
236 unsigned long cap; 236 unsigned long cap;
@@ -242,7 +242,7 @@ void caps_print(void) {
242 } 242 }
243 EUID_USER(); 243 EUID_USER();
244 printf("Your kernel supports %d capabilities.\n", cnt); 244 printf("Your kernel supports %d capabilities.\n", cnt);
245 245
246 for (i = 0; i < elems; i++) { 246 for (i = 0; i < elems; i++) {
247 printf("%d\t- %s\n", capslist[i].nr, capslist[i].name); 247 printf("%d\t- %s\n", capslist[i].nr, capslist[i].name);
248 } 248 }
@@ -300,7 +300,7 @@ int caps_default_filter(void) {
300 300
301errexit: 301errexit:
302 fprintf(stderr, "Error: cannot drop capabilities\n"); 302 fprintf(stderr, "Error: cannot drop capabilities\n");
303 exit(1); 303 exit(1);
304} 304}
305 305
306void caps_drop_all(void) { 306void caps_drop_all(void) {
@@ -359,7 +359,7 @@ void caps_keep_list(const char *clist) {
359#define MAXBUF 4098 359#define MAXBUF 4098
360static uint64_t extract_caps(int pid) { 360static uint64_t extract_caps(int pid) {
361 EUID_ASSERT(); 361 EUID_ASSERT();
362 362
363 char *file; 363 char *file;
364 if (asprintf(&file, "/proc/%d/status", pid) == -1) 364 if (asprintf(&file, "/proc/%d/status", pid) == -1)
365 errExit("asprintf"); 365 errExit("asprintf");
@@ -369,7 +369,7 @@ static uint64_t extract_caps(int pid) {
369 EUID_USER(); // grsecurity 369 EUID_USER(); // grsecurity
370 if (!fp) 370 if (!fp)
371 goto errexit; 371 goto errexit;
372 372
373 char buf[MAXBUF]; 373 char buf[MAXBUF];
374 while (fgets(buf, MAXBUF, fp)) { 374 while (fgets(buf, MAXBUF, fp)) {
375 if (strncmp(buf, "CapBnd:\t", 8) == 0) { 375 if (strncmp(buf, "CapBnd:\t", 8) == 0) {
@@ -383,7 +383,7 @@ static uint64_t extract_caps(int pid) {
383 } 383 }
384 fclose(fp); 384 fclose(fp);
385 385
386errexit: 386errexit:
387 free(file); 387 free(file);
388 fprintf(stderr, "Error: cannot read caps configuration\n"); 388 fprintf(stderr, "Error: cannot read caps configuration\n");
389 exit(1); 389 exit(1);
@@ -391,7 +391,7 @@ errexit:
391 391
392void caps_print_filter(pid_t pid) { 392void caps_print_filter(pid_t pid) {
393 EUID_ASSERT(); 393 EUID_ASSERT();
394 394
395 // if the pid is that of a firejail process, use the pid of the first child process 395 // if the pid is that of a firejail process, use the pid of the first child process
396 EUID_ROOT(); // grsecurity 396 EUID_ROOT(); // grsecurity
397 char *comm = pid_proc_comm(pid); 397 char *comm = pid_proc_comm(pid);
diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c
index 6ceb647ff..70f07dd23 100644
--- a/src/firejail/cgroup.c
+++ b/src/firejail/cgroup.c
@@ -25,7 +25,7 @@
25void save_cgroup(void) { 25void save_cgroup(void) {
26 if (cfg.cgroup == NULL) 26 if (cfg.cgroup == NULL)
27 return; 27 return;
28 28
29 FILE *fp = fopen(RUN_CGROUP_CFG, "w"); 29 FILE *fp = fopen(RUN_CGROUP_CFG, "w");
30 if (fp) { 30 if (fp) {
31 fprintf(fp, "%s", cfg.cgroup); 31 fprintf(fp, "%s", cfg.cgroup);
@@ -36,7 +36,7 @@ void save_cgroup(void) {
36 } 36 }
37 else 37 else
38 goto errout; 38 goto errout;
39 39
40 return; 40 return;
41 41
42errout: 42errout:
@@ -58,7 +58,7 @@ void load_cgroup(const char *fname) {
58 } 58 }
59 else 59 else
60 goto errout; 60 goto errout;
61 61
62 fclose(fp); 62 fclose(fp);
63 return; 63 return;
64 } 64 }
@@ -71,34 +71,34 @@ errout:
71 71
72void set_cgroup(const char *path) { 72void set_cgroup(const char *path) {
73 EUID_ASSERT(); 73 EUID_ASSERT();
74 74
75 invalid_filename(path); 75 invalid_filename(path);
76 76
77 // path starts with /sys/fs/cgroup 77 // path starts with /sys/fs/cgroup
78 if (strncmp(path, "/sys/fs/cgroup", 14) != 0) 78 if (strncmp(path, "/sys/fs/cgroup", 14) != 0)
79 goto errout; 79 goto errout;
80 80
81 // path ends in tasks 81 // path ends in tasks
82 char *ptr = strstr(path, "tasks"); 82 char *ptr = strstr(path, "tasks");
83 if (!ptr) 83 if (!ptr)
84 goto errout; 84 goto errout;
85 if (*(ptr + 5) != '\0') 85 if (*(ptr + 5) != '\0')
86 goto errout; 86 goto errout;
87 87
88 // no .. traversal 88 // no .. traversal
89 ptr = strstr(path, ".."); 89 ptr = strstr(path, "..");
90 if (ptr) 90 if (ptr)
91 goto errout; 91 goto errout;
92 92
93 // tasks file exists 93 // tasks file exists
94 struct stat s; 94 struct stat s;
95 if (stat(path, &s) == -1) 95 if (stat(path, &s) == -1)
96 goto errout; 96 goto errout;
97 97
98 // task file belongs to the user running the sandbox 98 // task file belongs to the user running the sandbox
99 if (s.st_uid != getuid() && s.st_gid != getgid()) 99 if (s.st_uid != getuid() && s.st_gid != getgid())
100 goto errout2; 100 goto errout2;
101 101
102 // add the task to cgroup 102 // add the task to cgroup
103 /* coverity[toctou] */ 103 /* coverity[toctou] */
104 FILE *fp = fopen(path, "a"); 104 FILE *fp = fopen(path, "a");
@@ -110,10 +110,10 @@ void set_cgroup(const char *path) {
110 fclose(fp); 110 fclose(fp);
111 return; 111 return;
112 112
113errout: 113errout:
114 fprintf(stderr, "Error: invalid cgroup\n"); 114 fprintf(stderr, "Error: invalid cgroup\n");
115 exit(1); 115 exit(1);
116errout2: 116errout2:
117 fprintf(stderr, "Error: you don't have permissions to use this control group\n"); 117 fprintf(stderr, "Error: you don't have permissions to use this control group\n");
118 exit(1); 118 exit(1);
119} 119}
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 3c0c1b9ac..f4e28f084 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -49,33 +49,33 @@ int checkcfg(int val) {
49 cfg_val[CFG_FIREJAIL_PROMPT] = 0; 49 cfg_val[CFG_FIREJAIL_PROMPT] = 0;
50 cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 0; 50 cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 0;
51 cfg_val[CFG_DISABLE_MNT] = 0; 51 cfg_val[CFG_DISABLE_MNT] = 0;
52 52
53 // open configuration file 53 // open configuration file
54 const char *fname = SYSCONFDIR "/firejail.config"; 54 const char *fname = SYSCONFDIR "/firejail.config";
55 fp = fopen(fname, "r"); 55 fp = fopen(fname, "r");
56 if (!fp) { 56 if (!fp) {
57#ifdef HAVE_GLOBALCFG 57#ifdef HAVE_GLOBALCFG
58 fprintf(stderr, "Error: Firejail configuration file %s not found\n", fname); 58 fprintf(stderr, "Error: Firejail configuration file %s not found\n", fname);
59 exit(1); 59 exit(1);
60#else 60#else
61 initialized = 1; 61 initialized = 1;
62 return cfg_val[val]; 62 return cfg_val[val];
63#endif 63#endif
64 } 64 }
65 65
66 // read configuration file 66 // read configuration file
67 char buf[MAX_READ]; 67 char buf[MAX_READ];
68 while (fgets(buf,MAX_READ, fp)) { 68 while (fgets(buf,MAX_READ, fp)) {
69 line++; 69 line++;
70 if (*buf == '#' || *buf == '\n') 70 if (*buf == '#' || *buf == '\n')
71 continue; 71 continue;
72 72
73 // parse line 73 // parse line
74 ptr = line_remove_spaces(buf); 74 ptr = line_remove_spaces(buf);
75 if (!ptr) 75 if (!ptr)
76 continue; 76 continue;
77 77
78 // file transfer 78 // file transfer
79 else if (strncmp(ptr, "file-transfer ", 14) == 0) { 79 else if (strncmp(ptr, "file-transfer ", 14) == 0) {
80 if (strcmp(ptr + 14, "yes") == 0) 80 if (strcmp(ptr + 14, "yes") == 0)
81 cfg_val[CFG_FILE_TRANSFER] = 1; 81 cfg_val[CFG_FILE_TRANSFER] = 1;
@@ -209,14 +209,14 @@ int checkcfg(int val) {
209 char *end = strchr(fname, ' '); 209 char *end = strchr(fname, ' ');
210 if (end) 210 if (end)
211 *end = '\0'; 211 *end = '\0';
212 212
213 // is the file present? 213 // is the file present?
214 struct stat s; 214 struct stat s;
215 if (stat(fname, &s) == -1) { 215 if (stat(fname, &s) == -1) {
216 fprintf(stderr, "Error: netfilter-default file %s not available\n", fname); 216 fprintf(stderr, "Error: netfilter-default file %s not available\n", fname);
217 exit(1); 217 exit(1);
218 } 218 }
219 219
220 if (netfilter_default) 220 if (netfilter_default)
221 goto errout; 221 goto errout;
222 netfilter_default = strdup(fname); 222 netfilter_default = strdup(fname);
@@ -225,7 +225,7 @@ int checkcfg(int val) {
225 if (arg_debug) 225 if (arg_debug)
226 printf("netfilter default file %s\n", fname); 226 printf("netfilter default file %s\n", fname);
227 } 227 }
228 228
229 // Xephyr screen size 229 // Xephyr screen size
230 else if (strncmp(ptr, "xephyr-screen ", 14) == 0) { 230 else if (strncmp(ptr, "xephyr-screen ", 14) == 0) {
231 // expecting two numbers and an x between them 231 // expecting two numbers and an x between them
@@ -237,7 +237,7 @@ int checkcfg(int val) {
237 if (asprintf(&xephyr_screen, "%dx%d", n1, n2) == -1) 237 if (asprintf(&xephyr_screen, "%dx%d", n1, n2) == -1)
238 errExit("asprintf"); 238 errExit("asprintf");
239 } 239 }
240 240
241 // xephyr window title 241 // xephyr window title
242 else if (strncmp(ptr, "xephyr-window-title ", 20) == 0) { 242 else if (strncmp(ptr, "xephyr-window-title ", 20) == 0) {
243 if (strcmp(ptr + 20, "yes") == 0) 243 if (strcmp(ptr + 20, "yes") == 0)
@@ -247,7 +247,7 @@ int checkcfg(int val) {
247 else 247 else
248 goto errout; 248 goto errout;
249 } 249 }
250 250
251 // Xephyr command extra parameters 251 // Xephyr command extra parameters
252 else if (strncmp(ptr, "xephyr-extra-params ", 20) == 0) { 252 else if (strncmp(ptr, "xephyr-extra-params ", 20) == 0) {
253 if (*xephyr_extra_params != '\0') 253 if (*xephyr_extra_params != '\0')
@@ -256,7 +256,7 @@ int checkcfg(int val) {
256 if (!xephyr_extra_params) 256 if (!xephyr_extra_params)
257 errExit("strdup"); 257 errExit("strdup");
258 } 258 }
259 259
260 // xpra server extra parameters 260 // xpra server extra parameters
261 else if (strncmp(ptr, "xpra-extra-params ", 18) == 0) { 261 else if (strncmp(ptr, "xpra-extra-params ", 18) == 0) {
262 if (*xpra_extra_params != '\0') 262 if (*xpra_extra_params != '\0')
@@ -287,7 +287,7 @@ int checkcfg(int val) {
287 if (!xvfb_extra_params) 287 if (!xvfb_extra_params)
288 errExit("strdup"); 288 errExit("strdup");
289 } 289 }
290 290
291 // quiet by default 291 // quiet by default
292 else if (strncmp(ptr, "quiet-by-default ", 17) == 0) { 292 else if (strncmp(ptr, "quiet-by-default ", 17) == 0) {
293 if (strcmp(ptr + 17, "yes") == 0) 293 if (strcmp(ptr + 17, "yes") == 0)
@@ -355,9 +355,9 @@ int checkcfg(int val) {
355 fclose(fp); 355 fclose(fp);
356 initialized = 1; 356 initialized = 1;
357 } 357 }
358 358
359 return cfg_val[val]; 359 return cfg_val[val];
360 360
361errout: 361errout:
362 assert(ptr); 362 assert(ptr);
363 free(ptr); 363 free(ptr);
@@ -477,5 +477,5 @@ void print_compiletime_support(void) {
477 "disabled" 477 "disabled"
478#endif 478#endif
479 ); 479 );
480 480
481} 481}
diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c
index e62ed8d33..114173b6a 100644
--- a/src/firejail/cmdline.c
+++ b/src/firejail/cmdline.c
@@ -28,7 +28,7 @@
28 28
29static int cmdline_length(int argc, char **argv, int index) { 29static int cmdline_length(int argc, char **argv, int index) {
30 assert(index != -1); 30 assert(index != -1);
31 31
32 unsigned i,j; 32 unsigned i,j;
33 int len = 0; 33 int len = 0;
34 unsigned argcnt = argc - index; 34 unsigned argcnt = argc - index;
@@ -91,7 +91,7 @@ static void quote_cmdline(char *command_line, char *window_title, int len, int a
91 if (j > 0 && argv[i + index][j-1] == '\'') { 91 if (j > 0 && argv[i + index][j-1] == '\'') {
92 ptr1--; 92 ptr1--;
93 sprintf(ptr1, "\'\""); 93 sprintf(ptr1, "\'\"");
94 } 94 }
95 // this first in series 95 // this first in series
96 else 96 else
97 { 97 {
@@ -151,9 +151,9 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar
151 *window_title = malloc(len + 1); 151 *window_title = malloc(len + 1);
152 if (!*window_title) 152 if (!*window_title)
153 errExit("malloc"); 153 errExit("malloc");
154 154
155 quote_cmdline(*command_line, *window_title, len, argc, argv, index); 155 quote_cmdline(*command_line, *window_title, len, argc, argv, index);
156 156
157 if (arg_debug) 157 if (arg_debug)
158 printf("Building quoted command line: %s\n", *command_line); 158 printf("Building quoted command line: %s\n", *command_line);
159 159
diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c
index 9c0214502..6b3fc063d 100644
--- a/src/firejail/cpu.c
+++ b/src/firejail/cpu.c
@@ -26,13 +26,13 @@
26static void set_cpu(const char *str) { 26static void set_cpu(const char *str) {
27 if (strlen(str) == 0) 27 if (strlen(str) == 0)
28 return; 28 return;
29 29
30 int val = atoi(str); 30 int val = atoi(str);
31 if (val < 0 || val >= 32) { 31 if (val < 0 || val >= 32) {
32 fprintf(stderr, "Error: invalid cpu number. Accepted values are between 0 and 31.\n"); 32 fprintf(stderr, "Error: invalid cpu number. Accepted values are between 0 and 31.\n");
33 exit(1); 33 exit(1);
34 } 34 }
35 35
36 uint32_t mask = 1; 36 uint32_t mask = 1;
37 int i; 37 int i;
38 for (i = 0; i < val; i++, mask <<= 1); 38 for (i = 0; i < val; i++, mask <<= 1);
@@ -41,11 +41,11 @@ static void set_cpu(const char *str) {
41 41
42void read_cpu_list(const char *str) { 42void read_cpu_list(const char *str) {
43 EUID_ASSERT(); 43 EUID_ASSERT();
44 44
45 char *tmp = strdup(str); 45 char *tmp = strdup(str);
46 if (tmp == NULL) 46 if (tmp == NULL)
47 errExit("strdup"); 47 errExit("strdup");
48 48
49 char *ptr = tmp; 49 char *ptr = tmp;
50 while (*ptr != '\0') { 50 while (*ptr != '\0') {
51 if (*ptr == ',' || isdigit(*ptr)) 51 if (*ptr == ',' || isdigit(*ptr))
@@ -56,7 +56,7 @@ void read_cpu_list(const char *str) {
56 } 56 }
57 ptr++; 57 ptr++;
58 } 58 }
59 59
60 char *start = tmp; 60 char *start = tmp;
61 ptr = tmp; 61 ptr = tmp;
62 while (*ptr != '\0') { 62 while (*ptr != '\0') {
@@ -107,17 +107,17 @@ void set_cpu_affinity(void) {
107 // set cpu affinity 107 // set cpu affinity
108 cpu_set_t mask; 108 cpu_set_t mask;
109 CPU_ZERO(&mask); 109 CPU_ZERO(&mask);
110 110
111 int i; 111 int i;
112 uint32_t m = 1; 112 uint32_t m = 1;
113 for (i = 0; i < 32; i++, m <<= 1) { 113 for (i = 0; i < 32; i++, m <<= 1) {
114 if (cfg.cpus & m) 114 if (cfg.cpus & m)
115 CPU_SET(i, &mask); 115 CPU_SET(i, &mask);
116 } 116 }
117 117
118 if (sched_setaffinity(0, sizeof(mask), &mask) == -1) 118 if (sched_setaffinity(0, sizeof(mask), &mask) == -1)
119 fwarning("cannot set cpu affinity\n"); 119 fwarning("cannot set cpu affinity\n");
120 120
121 // verify cpu affinity 121 // verify cpu affinity
122 cpu_set_t mask2; 122 cpu_set_t mask2;
123 CPU_ZERO(&mask2); 123 CPU_ZERO(&mask2);
@@ -147,7 +147,7 @@ static void print_cpu(int pid) {
147 return; 147 return;
148 } 148 }
149 149
150#define MAXBUF 4096 150#define MAXBUF 4096
151 char buf[MAXBUF]; 151 char buf[MAXBUF];
152 while (fgets(buf, MAXBUF, fp)) { 152 while (fgets(buf, MAXBUF, fp)) {
153 if (strncmp(buf, "Cpus_allowed_list:", 18) == 0) { 153 if (strncmp(buf, "Cpus_allowed_list:", 18) == 0) {
@@ -164,7 +164,7 @@ static void print_cpu(int pid) {
164 164
165void cpu_print_filter(pid_t pid) { 165void cpu_print_filter(pid_t pid) {
166 EUID_ASSERT(); 166 EUID_ASSERT();
167 167
168 // if the pid is that of a firejail process, use the pid of the first child process 168 // if the pid is that of a firejail process, use the pid of the first child process
169 EUID_ROOT(); // grsecurity 169 EUID_ROOT(); // grsecurity
170 char *comm = pid_proc_comm(pid); 170 char *comm = pid_proc_comm(pid);
@@ -192,4 +192,3 @@ void cpu_print_filter(pid_t pid) {
192 print_cpu(pid); 192 print_cpu(pid);
193 exit(0); 193 exit(0);
194} 194}
195
diff --git a/src/firejail/env.c b/src/firejail/env.c
index c54b429c3..b2e4c17f3 100644
--- a/src/firejail/env.c
+++ b/src/firejail/env.c
@@ -33,13 +33,13 @@ static Env *envlist = NULL;
33 33
34static void env_add(Env *env) { 34static void env_add(Env *env) {
35 env->next = NULL; 35 env->next = NULL;
36 36
37 // add the new entry at the end of the list 37 // add the new entry at the end of the list
38 if (envlist == NULL) { 38 if (envlist == NULL) {
39 envlist = env; 39 envlist = env;
40 return; 40 return;
41 } 41 }
42 42
43 Env *ptr = envlist; 43 Env *ptr = envlist;
44 while (1) { 44 while (1) {
45 if (ptr->next == NULL) { 45 if (ptr->next == NULL) {
@@ -77,7 +77,7 @@ void env_ibus_load(void) {
77 continue; 77 continue;
78 if (strlen(ptr) != 6) 78 if (strlen(ptr) != 6)
79 continue; 79 continue;
80 80
81 // open the file 81 // open the file
82 char *fname; 82 char *fname;
83 if (asprintf(&fname, "%s/%s", dirname, entry->d_name) == -1) 83 if (asprintf(&fname, "%s/%s", dirname, entry->d_name) == -1)
@@ -86,7 +86,7 @@ void env_ibus_load(void) {
86 free(fname); 86 free(fname);
87 if (!fp) 87 if (!fp)
88 continue; 88 continue;
89 89
90 // read the file 90 // read the file
91 const int maxline = 4096; 91 const int maxline = 4096;
92 char buf[maxline]; 92 char buf[maxline];
@@ -137,24 +137,24 @@ void env_defaults(void) {
137 if (prompt && strcmp(prompt, "yes") == 0) 137 if (prompt && strcmp(prompt, "yes") == 0)
138 set_prompt = 1; 138 set_prompt = 1;
139 } 139 }
140 140
141 if (set_prompt) { 141 if (set_prompt) {
142 //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] ' 142 //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] '
143 if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) 143 if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0)
144 errExit("setenv"); 144 errExit("setenv");
145 } 145 }
146 146
147 // set the window title 147 // set the window title
148 if (!arg_quiet) 148 if (!arg_quiet)
149 printf("\033]0;firejail %s\007", cfg.window_title); 149 printf("\033]0;firejail %s\007", cfg.window_title);
150 fflush(0); 150 fflush(0);
151} 151}
152 152
153// parse and store the environment setting 153// parse and store the environment setting
154void env_store(const char *str, ENV_OP op) { 154void env_store(const char *str, ENV_OP op) {
155 EUID_ASSERT(); 155 EUID_ASSERT();
156 assert(str); 156 assert(str);
157 157
158 // some basic checking 158 // some basic checking
159 if (*str == '\0') 159 if (*str == '\0')
160 goto errexit; 160 goto errexit;
@@ -182,11 +182,11 @@ void env_store(const char *str, ENV_OP op) {
182 env->value = ptr2 + 1; 182 env->value = ptr2 + 1;
183 } 183 }
184 env->op = op; 184 env->op = op;
185 185
186 // add entry to the list 186 // add entry to the list
187 env_add(env); 187 env_add(env);
188 return; 188 return;
189 189
190errexit: 190errexit:
191 fprintf(stderr, "Error: invalid --env setting\n"); 191 fprintf(stderr, "Error: invalid --env setting\n");
192 exit(1); 192 exit(1);
@@ -195,7 +195,7 @@ errexit:
195// set env variables in the new sandbox process 195// set env variables in the new sandbox process
196void env_apply(void) { 196void env_apply(void) {
197 Env *env = envlist; 197 Env *env = envlist;
198 198
199 while (env) { 199 while (env) {
200 if (env->op == SETENV) { 200 if (env->op == SETENV) {
201 if (setenv(env->name, env->value, 1) < 0) 201 if (setenv(env->name, env->value, 1) < 0)
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index ac68e7738..c60322dda 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -55,7 +55,7 @@ static void disable_file(OPERATION op, const char *filename) {
55 assert(filename); 55 assert(filename);
56 assert(op <OPERATION_MAX); 56 assert(op <OPERATION_MAX);
57 last_disable = UNSUCCESSFUL; 57 last_disable = UNSUCCESSFUL;
58 58
59 // Resolve all symlinks 59 // Resolve all symlinks
60 char* fname = realpath(filename, NULL); 60 char* fname = realpath(filename, NULL);
61 if (fname == NULL && errno != EACCES) { 61 if (fname == NULL && errno != EACCES) {
@@ -87,10 +87,10 @@ static void disable_file(OPERATION op, const char *filename) {
87 if (arg_debug) 87 if (arg_debug)
88 printf("Warning (blacklisting): %s is an invalid file, skipping...\n", filename); 88 printf("Warning (blacklisting): %s is an invalid file, skipping...\n", filename);
89 } 89 }
90 90
91 return; 91 return;
92 } 92 }
93 93
94 // if the file is not present, do nothing 94 // if the file is not present, do nothing
95 struct stat s; 95 struct stat s;
96 if (fname == NULL) 96 if (fname == NULL)
@@ -124,7 +124,7 @@ static void disable_file(OPERATION op, const char *filename) {
124 else 124 else
125 printf(" - no logging\n"); 125 printf(" - no logging\n");
126 } 126 }
127 127
128 if (S_ISDIR(s.st_mode)) { 128 if (S_ISDIR(s.st_mode)) {
129 if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0) 129 if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
130 errExit("disable file"); 130 errExit("disable file");
@@ -243,7 +243,7 @@ void fs_blacklist(void) {
243 ProfileEntry *entry = cfg.profile; 243 ProfileEntry *entry = cfg.profile;
244 if (!entry) 244 if (!entry)
245 return; 245 return;
246 246
247 size_t noblacklist_c = 0; 247 size_t noblacklist_c = 0;
248 size_t noblacklist_m = 32; 248 size_t noblacklist_m = 32;
249 char **noblacklist = calloc(noblacklist_m, sizeof(*noblacklist)); 249 char **noblacklist = calloc(noblacklist_m, sizeof(*noblacklist));
@@ -256,7 +256,7 @@ void fs_blacklist(void) {
256 char *ptr; 256 char *ptr;
257 257
258 // whitelist commands handled by fs_whitelist() 258 // whitelist commands handled by fs_whitelist()
259 if (strncmp(entry->data, "whitelist ", 10) == 0 || 259 if (strncmp(entry->data, "whitelist ", 10) == 0 ||
260 strncmp(entry->data, "nowhitelist ", 12) == 0 || 260 strncmp(entry->data, "nowhitelist ", 12) == 0 ||
261 *entry->data == '\0') { 261 *entry->data == '\0') {
262 entry = entry->next; 262 entry = entry->next;
@@ -275,7 +275,7 @@ void fs_blacklist(void) {
275 entry = entry->next; 275 entry = entry->next;
276 continue; 276 continue;
277 } 277 }
278 278
279 // mount --bind olddir newdir 279 // mount --bind olddir newdir
280 if (arg_debug) 280 if (arg_debug)
281 printf("Mount-bind %s on top of %s\n", dname1, dname2); 281 printf("Mount-bind %s on top of %s\n", dname1, dname2);
@@ -284,8 +284,8 @@ void fs_blacklist(void) {
284 errExit("mount bind"); 284 errExit("mount bind");
285 /* coverity[toctou] */ 285 /* coverity[toctou] */
286 if (set_perms(dname2, s.st_uid, s.st_gid,s.st_mode)) 286 if (set_perms(dname2, s.st_uid, s.st_gid,s.st_mode))
287 errExit("set_perms"); 287 errExit("set_perms");
288 288
289 entry = entry->next; 289 entry = entry->next;
290 continue; 290 continue;
291 } 291 }
@@ -348,33 +348,33 @@ void fs_blacklist(void) {
348 else if (strncmp(entry->data, "read-only ", 10) == 0) { 348 else if (strncmp(entry->data, "read-only ", 10) == 0) {
349 ptr = entry->data + 10; 349 ptr = entry->data + 10;
350 op = MOUNT_READONLY; 350 op = MOUNT_READONLY;
351 } 351 }
352 else if (strncmp(entry->data, "read-write ", 11) == 0) { 352 else if (strncmp(entry->data, "read-write ", 11) == 0) {
353 ptr = entry->data + 11; 353 ptr = entry->data + 11;
354 op = MOUNT_RDWR; 354 op = MOUNT_RDWR;
355 } 355 }
356 else if (strncmp(entry->data, "noexec ", 7) == 0) { 356 else if (strncmp(entry->data, "noexec ", 7) == 0) {
357 ptr = entry->data + 7; 357 ptr = entry->data + 7;
358 op = MOUNT_NOEXEC; 358 op = MOUNT_NOEXEC;
359 } 359 }
360 else if (strncmp(entry->data, "tmpfs ", 6) == 0) { 360 else if (strncmp(entry->data, "tmpfs ", 6) == 0) {
361 ptr = entry->data + 6; 361 ptr = entry->data + 6;
362 op = MOUNT_TMPFS; 362 op = MOUNT_TMPFS;
363 } 363 }
364 else if (strncmp(entry->data, "mkdir ", 6) == 0) { 364 else if (strncmp(entry->data, "mkdir ", 6) == 0) {
365 EUID_USER(); 365 EUID_USER();
366 fs_mkdir(entry->data + 6); 366 fs_mkdir(entry->data + 6);
367 EUID_ROOT(); 367 EUID_ROOT();
368 entry = entry->next; 368 entry = entry->next;
369 continue; 369 continue;
370 } 370 }
371 else if (strncmp(entry->data, "mkfile ", 7) == 0) { 371 else if (strncmp(entry->data, "mkfile ", 7) == 0) {
372 EUID_USER(); 372 EUID_USER();
373 fs_mkfile(entry->data + 7); 373 fs_mkfile(entry->data + 7);
374 EUID_ROOT(); 374 EUID_ROOT();
375 entry = entry->next; 375 entry = entry->next;
376 continue; 376 continue;
377 } 377 }
378 else { 378 else {
379 fprintf(stderr, "Error: invalid profile line %s\n", entry->data); 379 fprintf(stderr, "Error: invalid profile line %s\n", entry->data);
380 entry = entry->next; 380 entry = entry->next;
@@ -446,10 +446,10 @@ static void fs_rdwr(const char *dir) {
446 fwarning("you are not allowed to change %s to read-write\n", dir); 446 fwarning("you are not allowed to change %s to read-write\n", dir);
447 return; 447 return;
448 } 448 }
449 449
450 // mount --bind /bin /bin 450 // mount --bind /bin /bin
451 // mount --bind -o remount,rw /bin 451 // mount --bind -o remount,rw /bin
452 if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || 452 if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 ||
453 mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0) 453 mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0)
454 errExit("mount read-write"); 454 errExit("mount read-write");
455 fs_logger2("read-write", dir); 455 fs_logger2("read-write", dir);
@@ -464,7 +464,7 @@ void fs_noexec(const char *dir) {
464 if (rv == 0) { 464 if (rv == 0) {
465 // mount --bind /bin /bin 465 // mount --bind /bin /bin
466 // mount --bind -o remount,ro /bin 466 // mount --bind -o remount,ro /bin
467 if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || 467 if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 ||
468 mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_NOEXEC|MS_NODEV|MS_NOSUID|MS_REC, NULL) < 0) 468 mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_NOEXEC|MS_NODEV|MS_NOSUID|MS_REC, NULL) < 0)
469 errExit("mount noexec"); 469 errExit("mount noexec");
470 fs_logger2("noexec", dir); 470 fs_logger2("noexec", dir);
@@ -504,11 +504,11 @@ void fs_proc_sys_dev_boot(void) {
504 fwarning("failed to mount /sys\n"); 504 fwarning("failed to mount /sys\n");
505 else 505 else
506 fs_logger("remount /sys"); 506 fs_logger("remount /sys");
507 507
508 disable_file(BLACKLIST_FILE, "/sys/firmware"); 508 disable_file(BLACKLIST_FILE, "/sys/firmware");
509 disable_file(BLACKLIST_FILE, "/sys/hypervisor"); 509 disable_file(BLACKLIST_FILE, "/sys/hypervisor");
510 { // allow user access to /sys/fs if "--noblacklist=/sys/fs" is present on the command line 510 { // allow user access to /sys/fs if "--noblacklist=/sys/fs" is present on the command line
511 EUID_USER(); 511 EUID_USER();
512 profile_add("blacklist /sys/fs"); 512 profile_add("blacklist /sys/fs");
513 EUID_ROOT(); 513 EUID_ROOT();
514 } 514 }
@@ -519,11 +519,11 @@ void fs_proc_sys_dev_boot(void) {
519 disable_file(BLACKLIST_FILE, "/sys/kernel/uevent_helper"); 519 disable_file(BLACKLIST_FILE, "/sys/kernel/uevent_helper");
520 520
521 // various /proc/sys files 521 // various /proc/sys files
522 disable_file(BLACKLIST_FILE, "/proc/sys/security"); 522 disable_file(BLACKLIST_FILE, "/proc/sys/security");
523 disable_file(BLACKLIST_FILE, "/proc/sys/efi/vars"); 523 disable_file(BLACKLIST_FILE, "/proc/sys/efi/vars");
524 disable_file(BLACKLIST_FILE, "/proc/sys/fs/binfmt_misc"); 524 disable_file(BLACKLIST_FILE, "/proc/sys/fs/binfmt_misc");
525 disable_file(BLACKLIST_FILE, "/proc/sys/kernel/core_pattern"); 525 disable_file(BLACKLIST_FILE, "/proc/sys/kernel/core_pattern");
526 disable_file(BLACKLIST_FILE, "/proc/sys/kernel/modprobe"); 526 disable_file(BLACKLIST_FILE, "/proc/sys/kernel/modprobe");
527 disable_file(BLACKLIST_FILE, "/proc/sysrq-trigger"); 527 disable_file(BLACKLIST_FILE, "/proc/sysrq-trigger");
528 disable_file(BLACKLIST_FILE, "/proc/sys/kernel/hotplug"); 528 disable_file(BLACKLIST_FILE, "/proc/sys/kernel/hotplug");
529 disable_file(BLACKLIST_FILE, "/proc/sys/vm/panic_on_oom"); 529 disable_file(BLACKLIST_FILE, "/proc/sys/vm/panic_on_oom");
@@ -531,15 +531,15 @@ void fs_proc_sys_dev_boot(void) {
531 // various /proc files 531 // various /proc files
532 disable_file(BLACKLIST_FILE, "/proc/irq"); 532 disable_file(BLACKLIST_FILE, "/proc/irq");
533 disable_file(BLACKLIST_FILE, "/proc/bus"); 533 disable_file(BLACKLIST_FILE, "/proc/bus");
534 disable_file(BLACKLIST_FILE, "/proc/config.gz"); 534 disable_file(BLACKLIST_FILE, "/proc/config.gz");
535 disable_file(BLACKLIST_FILE, "/proc/sched_debug"); 535 disable_file(BLACKLIST_FILE, "/proc/sched_debug");
536 disable_file(BLACKLIST_FILE, "/proc/timer_list"); 536 disable_file(BLACKLIST_FILE, "/proc/timer_list");
537 disable_file(BLACKLIST_FILE, "/proc/timer_stats"); 537 disable_file(BLACKLIST_FILE, "/proc/timer_stats");
538 disable_file(BLACKLIST_FILE, "/proc/kcore"); 538 disable_file(BLACKLIST_FILE, "/proc/kcore");
539 disable_file(BLACKLIST_FILE, "/proc/kallsyms"); 539 disable_file(BLACKLIST_FILE, "/proc/kallsyms");
540 disable_file(BLACKLIST_FILE, "/proc/mem"); 540 disable_file(BLACKLIST_FILE, "/proc/mem");
541 disable_file(BLACKLIST_FILE, "/proc/kmem"); 541 disable_file(BLACKLIST_FILE, "/proc/kmem");
542 542
543 // remove kernel symbol information 543 // remove kernel symbol information
544 if (!arg_allow_debuggers) { 544 if (!arg_allow_debuggers) {
545 disable_file(BLACKLIST_FILE, "/usr/src/linux"); 545 disable_file(BLACKLIST_FILE, "/usr/src/linux");
@@ -547,18 +547,18 @@ void fs_proc_sys_dev_boot(void) {
547 disable_file(BLACKLIST_FILE, "/usr/lib/debug"); 547 disable_file(BLACKLIST_FILE, "/usr/lib/debug");
548 disable_file(BLACKLIST_FILE, "/boot"); 548 disable_file(BLACKLIST_FILE, "/boot");
549 } 549 }
550 550
551 // disable /selinux 551 // disable /selinux
552 disable_file(BLACKLIST_FILE, "/selinux"); 552 disable_file(BLACKLIST_FILE, "/selinux");
553 553
554 // disable /dev/port 554 // disable /dev/port
555 disable_file(BLACKLIST_FILE, "/dev/port"); 555 disable_file(BLACKLIST_FILE, "/dev/port");
556 556
557 557
558 558
559 // disable various ipc sockets in /run/user 559 // disable various ipc sockets in /run/user
560 struct stat s; 560 struct stat s;
561 561
562 char *fname; 562 char *fname;
563 if (asprintf(&fname, "/run/usr/%d", getuid()) == -1) 563 if (asprintf(&fname, "/run/usr/%d", getuid()) == -1)
564 errExit("asprintf"); 564 errExit("asprintf");
@@ -567,24 +567,24 @@ void fs_proc_sys_dev_boot(void) {
567 char *fnamegpg; 567 char *fnamegpg;
568 if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1) 568 if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1)
569 errExit("asprintf"); 569 errExit("asprintf");
570 if (stat(fnamegpg, &s) == -1) 570 if (stat(fnamegpg, &s) == -1)
571 mkdir_attr(fnamegpg, 0700, getuid(), getgid()); 571 mkdir_attr(fnamegpg, 0700, getuid(), getgid());
572 if (stat(fnamegpg, &s) == 0) 572 if (stat(fnamegpg, &s) == 0)
573 disable_file(BLACKLIST_FILE, fnamegpg); 573 disable_file(BLACKLIST_FILE, fnamegpg);
574 free(fnamegpg); 574 free(fnamegpg);
575 575
576 // disable /run/user/{uid}/systemd 576 // disable /run/user/{uid}/systemd
577 char *fnamesysd; 577 char *fnamesysd;
578 if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1) 578 if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)
579 errExit("asprintf"); 579 errExit("asprintf");
580 if (stat(fnamesysd, &s) == -1) 580 if (stat(fnamesysd, &s) == -1)
581 mkdir_attr(fnamesysd, 0755, getuid(), getgid()); 581 mkdir_attr(fnamesysd, 0755, getuid(), getgid());
582 if (stat(fnamesysd, &s) == 0) 582 if (stat(fnamesysd, &s) == 0)
583 disable_file(BLACKLIST_FILE, fnamesysd); 583 disable_file(BLACKLIST_FILE, fnamesysd);
584 free(fnamesysd); 584 free(fnamesysd);
585 } 585 }
586 free(fname); 586 free(fname);
587 587
588 if (getuid() != 0) { 588 if (getuid() != 0) {
589 // disable /dev/kmsg and /proc/kmsg 589 // disable /dev/kmsg and /proc/kmsg
590 disable_file(BLACKLIST_FILE, "/dev/kmsg"); 590 disable_file(BLACKLIST_FILE, "/dev/kmsg");
@@ -602,7 +602,7 @@ static void disable_config(void) {
602 if (stat(fname, &s) == 0) 602 if (stat(fname, &s) == 0)
603 disable_file(BLACKLIST_FILE, fname); 603 disable_file(BLACKLIST_FILE, fname);
604 free(fname); 604 free(fname);
605 605
606 // disable run time information 606 // disable run time information
607 if (stat(RUN_FIREJAIL_NETWORK_DIR, &s) == 0) 607 if (stat(RUN_FIREJAIL_NETWORK_DIR, &s) == 0)
608 disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR); 608 disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR);
@@ -618,7 +618,7 @@ static void disable_config(void) {
618// build a basic read-only filesystem 618// build a basic read-only filesystem
619void fs_basic_fs(void) { 619void fs_basic_fs(void) {
620 uid_t uid = getuid(); 620 uid_t uid = getuid();
621 621
622 if (arg_debug) 622 if (arg_debug)
623 printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr"); 623 printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr");
624 if (!arg_writable_etc) { 624 if (!arg_writable_etc) {
@@ -649,15 +649,15 @@ void fs_basic_fs(void) {
649 fs_var_log(); 649 fs_var_log();
650 else 650 else
651 fs_rdwr("/var/log"); 651 fs_rdwr("/var/log");
652 652
653 fs_var_lib(); 653 fs_var_lib();
654 fs_var_cache(); 654 fs_var_cache();
655 fs_var_utmp(); 655 fs_var_utmp();
656 fs_machineid(); 656 fs_machineid();
657 657
658 // don't leak user information 658 // don't leak user information
659 restrict_users(); 659 restrict_users();
660 660
661 // when starting as root, firejail config is not disabled; 661 // when starting as root, firejail config is not disabled;
662 // this mode could be used to install and test new software by chaining 662 // this mode could be used to install and test new software by chaining
663 // firejail sandboxes (firejail --force) 663 // firejail sandboxes (firejail --force)
@@ -675,7 +675,7 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
675 // create ~/.firejail directory 675 // create ~/.firejail directory
676 if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1) 676 if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1)
677 errExit("asprintf"); 677 errExit("asprintf");
678 678
679 if (is_link(dirname)) { 679 if (is_link(dirname)) {
680 fprintf(stderr, "Error: invalid ~/.firejail directory\n"); 680 fprintf(stderr, "Error: invalid ~/.firejail directory\n");
681 exit(1); 681 exit(1);
@@ -688,7 +688,7 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) {
688 if (child == 0) { 688 if (child == 0) {
689 // drop privileges 689 // drop privileges
690 drop_privs(0); 690 drop_privs(0);
691 691
692 // create directory 692 // create directory
693 if (mkdir(dirname, 0700)) 693 if (mkdir(dirname, 0700))
694 errExit("mkdir"); 694 errExit("mkdir");
@@ -770,7 +770,7 @@ void fs_overlayfs(void) {
770 fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version); 770 fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version);
771 exit(1); 771 exit(1);
772 } 772 }
773 773
774 if (arg_debug) 774 if (arg_debug)
775 printf("Linux kernel version %d.%d\n", major, minor); 775 printf("Linux kernel version %d.%d\n", major, minor);
776 int oldkernel = 0; 776 int oldkernel = 0;
@@ -780,7 +780,7 @@ void fs_overlayfs(void) {
780 } 780 }
781 if (major == 3 && minor < 18) 781 if (major == 3 && minor < 18)
782 oldkernel = 1; 782 oldkernel = 1;
783 783
784 char *oroot; 784 char *oroot;
785 if(asprintf(&oroot, "%s/oroot", RUN_MNT_DIR) == -1) 785 if(asprintf(&oroot, "%s/oroot", RUN_MNT_DIR) == -1)
786 errExit("asprintf"); 786 errExit("asprintf");
@@ -818,7 +818,7 @@ void fs_overlayfs(void) {
818 } 818 }
819 else if (set_perms(odiff, 0, 0, 0755)) 819 else if (set_perms(odiff, 0, 0, 0755))
820 errExit("set_perms"); 820 errExit("set_perms");
821 821
822 char *owork; 822 char *owork;
823 if(asprintf(&owork, "%s/owork", basedir) == -1) 823 if(asprintf(&owork, "%s/owork", basedir) == -1)
824 errExit("asprintf"); 824 errExit("asprintf");
@@ -829,7 +829,7 @@ void fs_overlayfs(void) {
829 } 829 }
830 else if (set_perms(owork, 0, 0, 0755)) 830 else if (set_perms(owork, 0, 0, 0755))
831 errExit("chown"); 831 errExit("chown");
832 832
833 // mount overlayfs 833 // mount overlayfs
834 if (arg_debug) 834 if (arg_debug)
835 printf("Mounting OverlayFS\n"); 835 printf("Mounting OverlayFS\n");
@@ -849,11 +849,11 @@ void fs_overlayfs(void) {
849 errExit("asprintf"); 849 errExit("asprintf");
850 if (mount("overlay", oroot, "overlay", MS_MGC_VAL, option) < 0) 850 if (mount("overlay", oroot, "overlay", MS_MGC_VAL, option) < 0)
851 errExit("mounting overlayfs"); 851 errExit("mounting overlayfs");
852 852
853 //*************************** 853 //***************************
854 // issue #263 start code 854 // issue #263 start code
855 // My setup has a separate mount point for /home. When the overlay is mounted, 855 // My setup has a separate mount point for /home. When the overlay is mounted,
856 // the overlay does not contain the original /home contents. 856 // the overlay does not contain the original /home contents.
857 // I added code to create a second overlay for /home if the overlay home dir is empty and this seems to work 857 // I added code to create a second overlay for /home if the overlay home dir is empty and this seems to work
858 // @dshmgh, Jan 2016 858 // @dshmgh, Jan 2016
859 { 859 {
@@ -862,22 +862,22 @@ void fs_overlayfs(void) {
862 char *hroot; 862 char *hroot;
863 char *hdiff; 863 char *hdiff;
864 char *hwork; 864 char *hwork;
865 865
866 // dons add debug 866 // dons add debug
867 if (arg_debug) printf ("DEBUG: chroot dirs are oroot %s odiff %s owork %s\n",oroot,odiff,owork); 867 if (arg_debug) printf ("DEBUG: chroot dirs are oroot %s odiff %s owork %s\n",oroot,odiff,owork);
868 868
869 // BEFORE NEXT, WE NEED TO TEST IF /home has any contents or do we need to mount it? 869 // BEFORE NEXT, WE NEED TO TEST IF /home has any contents or do we need to mount it?
870 // must create var for oroot/cfg.homedir 870 // must create var for oroot/cfg.homedir
871 if (asprintf(&overlayhome,"%s%s",oroot,cfg.homedir) == -1) 871 if (asprintf(&overlayhome,"%s%s",oroot,cfg.homedir) == -1)
872 errExit("asprintf"); 872 errExit("asprintf");
873 if (arg_debug) printf ("DEBUG: overlayhome var holds ##%s##\n",overlayhome); 873 if (arg_debug) printf ("DEBUG: overlayhome var holds ##%s##\n",overlayhome);
874 874
875 // if no homedir in overlay -- create another overlay for /home 875 // if no homedir in overlay -- create another overlay for /home
876 if (stat(overlayhome, &s) == -1) { 876 if (stat(overlayhome, &s) == -1) {
877 877
878 if(asprintf(&hroot, "%s/oroot/home", RUN_MNT_DIR) == -1) 878 if(asprintf(&hroot, "%s/oroot/home", RUN_MNT_DIR) == -1)
879 errExit("asprintf"); 879 errExit("asprintf");
880 880
881 if(asprintf(&hdiff, "%s/hdiff", basedir) == -1) 881 if(asprintf(&hdiff, "%s/hdiff", basedir) == -1)
882 errExit("asprintf"); 882 errExit("asprintf");
883 883
@@ -887,7 +887,7 @@ void fs_overlayfs(void) {
887 } 887 }
888 else if (set_perms(hdiff, 0, 0, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH)) 888 else if (set_perms(hdiff, 0, 0, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH))
889 errExit("set_perms"); 889 errExit("set_perms");
890 890
891 if(asprintf(&hwork, "%s/hwork", basedir) == -1) 891 if(asprintf(&hwork, "%s/hwork", basedir) == -1)
892 errExit("asprintf"); 892 errExit("asprintf");
893 893
@@ -897,13 +897,13 @@ void fs_overlayfs(void) {
897 } 897 }
898 else if (set_perms(hwork, 0, 0, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH)) 898 else if (set_perms(hwork, 0, 0, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH))
899 errExit("set_perms"); 899 errExit("set_perms");
900 900
901 // no homedir in overlay so now mount another overlay for /home 901 // no homedir in overlay so now mount another overlay for /home
902 if (asprintf(&option, "lowerdir=/home,upperdir=%s,workdir=%s", hdiff, hwork) == -1) 902 if (asprintf(&option, "lowerdir=/home,upperdir=%s,workdir=%s", hdiff, hwork) == -1)
903 errExit("asprintf"); 903 errExit("asprintf");
904 if (mount("overlay", hroot, "overlay", MS_MGC_VAL, option) < 0) 904 if (mount("overlay", hroot, "overlay", MS_MGC_VAL, option) < 0)
905 errExit("mounting overlayfs for mounted home directory"); 905 errExit("mounting overlayfs for mounted home directory");
906 906
907 printf("OverlayFS for /home configured in %s directory\n", basedir); 907 printf("OverlayFS for /home configured in %s directory\n", basedir);
908 } // stat(overlayhome) 908 } // stat(overlayhome)
909 free(overlayhome); 909 free(overlayhome);
@@ -913,7 +913,7 @@ void fs_overlayfs(void) {
913 } 913 }
914 if (!arg_quiet) 914 if (!arg_quiet)
915 printf("OverlayFS configured in %s directory\n", basedir); 915 printf("OverlayFS configured in %s directory\n", basedir);
916 916
917 // mount-bind dev directory 917 // mount-bind dev directory
918 if (arg_debug) 918 if (arg_debug)
919 printf("Mounting /dev\n"); 919 printf("Mounting /dev\n");
@@ -964,7 +964,7 @@ void fs_overlayfs(void) {
964 fs_var_log(); 964 fs_var_log();
965 else 965 else
966 fs_rdwr("/var/log"); 966 fs_rdwr("/var/log");
967 967
968 fs_var_lib(); 968 fs_var_lib();
969 fs_var_cache(); 969 fs_var_cache();
970 fs_var_utmp(); 970 fs_var_utmp();
@@ -987,7 +987,7 @@ void fs_overlayfs(void) {
987#endif 987#endif
988 988
989 989
990#ifdef HAVE_CHROOT 990#ifdef HAVE_CHROOT
991// return 1 if error 991// return 1 if error
992void fs_check_chroot_dir(const char *rootdir) { 992void fs_check_chroot_dir(const char *rootdir) {
993 EUID_ASSERT(); 993 EUID_ASSERT();
@@ -1035,7 +1035,7 @@ void fs_check_chroot_dir(const char *rootdir) {
1035 exit(1); 1035 exit(1);
1036 } 1036 }
1037 free(name); 1037 free(name);
1038 1038
1039 // check /proc 1039 // check /proc
1040 if (asprintf(&name, "%s/proc", rootdir) == -1) 1040 if (asprintf(&name, "%s/proc", rootdir) == -1)
1041 errExit("asprintf"); 1041 errExit("asprintf");
@@ -1048,7 +1048,7 @@ void fs_check_chroot_dir(const char *rootdir) {
1048 exit(1); 1048 exit(1);
1049 } 1049 }
1050 free(name); 1050 free(name);
1051 1051
1052 // check /tmp 1052 // check /tmp
1053 if (asprintf(&name, "%s/tmp", rootdir) == -1) 1053 if (asprintf(&name, "%s/tmp", rootdir) == -1)
1054 errExit("asprintf"); 1054 errExit("asprintf");
@@ -1110,7 +1110,7 @@ void fs_check_chroot_dir(const char *rootdir) {
1110// chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf 1110// chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
1111void fs_chroot(const char *rootdir) { 1111void fs_chroot(const char *rootdir) {
1112 assert(rootdir); 1112 assert(rootdir);
1113 1113
1114 if (checkcfg(CFG_CHROOT_DESKTOP)) { 1114 if (checkcfg(CFG_CHROOT_DESKTOP)) {
1115 // mount-bind a /dev in rootdir 1115 // mount-bind a /dev in rootdir
1116 char *newdev; 1116 char *newdev;
@@ -1121,7 +1121,7 @@ void fs_chroot(const char *rootdir) {
1121 if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0) 1121 if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0)
1122 errExit("mounting /dev"); 1122 errExit("mounting /dev");
1123 free(newdev); 1123 free(newdev);
1124 1124
1125 // x11 1125 // x11
1126 if (getenv("FIREJAIL_X11")) { 1126 if (getenv("FIREJAIL_X11")) {
1127 char *newx11; 1127 char *newx11;
@@ -1133,7 +1133,7 @@ void fs_chroot(const char *rootdir) {
1133 errExit("mounting /tmp/.X11-unix"); 1133 errExit("mounting /tmp/.X11-unix");
1134 free(newx11); 1134 free(newx11);
1135 } 1135 }
1136 1136
1137 // some older distros don't have a /run directory 1137 // some older distros don't have a /run directory
1138 // create one by default 1138 // create one by default
1139 // create /run/firejail directory in chroot 1139 // create /run/firejail directory in chroot
@@ -1150,7 +1150,7 @@ void fs_chroot(const char *rootdir) {
1150 errExit("asprintf"); 1150 errExit("asprintf");
1151 create_empty_dir_as_root(rundir, 0755); 1151 create_empty_dir_as_root(rundir, 0755);
1152 free(rundir); 1152 free(rundir);
1153 1153
1154 // create /run/firejail/mnt directory in chroot and mount the current one 1154 // create /run/firejail/mnt directory in chroot and mount the current one
1155 if (asprintf(&rundir, "%s%s", rootdir, RUN_MNT_DIR) == -1) 1155 if (asprintf(&rundir, "%s%s", rootdir, RUN_MNT_DIR) == -1)
1156 errExit("asprintf"); 1156 errExit("asprintf");
@@ -1173,7 +1173,7 @@ void fs_chroot(const char *rootdir) {
1173 if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1) // root needed 1173 if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1) // root needed
1174 fwarning("/etc/resolv.conf not initialized\n"); 1174 fwarning("/etc/resolv.conf not initialized\n");
1175 } 1175 }
1176 1176
1177 // chroot into the new directory 1177 // chroot into the new directory
1178#ifdef HAVE_GCOV 1178#ifdef HAVE_GCOV
1179 __gcov_flush(); 1179 __gcov_flush();
@@ -1196,15 +1196,15 @@ void fs_chroot(const char *rootdir) {
1196 fs_var_log(); 1196 fs_var_log();
1197 else 1197 else
1198 fs_rdwr("/var/log"); 1198 fs_rdwr("/var/log");
1199 1199
1200 fs_var_lib(); 1200 fs_var_lib();
1201 fs_var_cache(); 1201 fs_var_cache();
1202 fs_var_utmp(); 1202 fs_var_utmp();
1203 fs_machineid(); 1203 fs_machineid();
1204 1204
1205 // don't leak user information 1205 // don't leak user information
1206 restrict_users(); 1206 restrict_users();
1207 1207
1208 // when starting as root, firejail config is not disabled; 1208 // when starting as root, firejail config is not disabled;
1209 // this mode could be used to install and test new software by chaining 1209 // this mode could be used to install and test new software by chaining
1210 // firejail sandboxes (firejail --force) 1210 // firejail sandboxes (firejail --force)
@@ -1229,10 +1229,10 @@ void fs_private_tmp(void) {
1229 if (rp) 1229 if (rp)
1230 free(rp); 1230 free(rp);
1231 } 1231 }
1232 1232
1233 // whitelist x11 directory 1233 // whitelist x11 directory
1234 profile_add("whitelist /tmp/.X11-unix"); 1234 profile_add("whitelist /tmp/.X11-unix");
1235 1235
1236 // whitelist any pulse* file in /tmp directory 1236 // whitelist any pulse* file in /tmp directory
1237 // some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user 1237 // some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user
1238 DIR *dir; 1238 DIR *dir;
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index c572bec88..5170f2edc 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -39,10 +39,10 @@ static char *paths[] = {
39// return 1 if found, 0 if not found 39// return 1 if found, 0 if not found
40static char *check_dir_or_file(const char *name) { 40static char *check_dir_or_file(const char *name) {
41 assert(name); 41 assert(name);
42 42
43 struct stat s; 43 struct stat s;
44 char *fname = NULL; 44 char *fname = NULL;
45 45
46 int i = 0; 46 int i = 0;
47 while (paths[i]) { 47 while (paths[i]) {
48 // private-bin-no-local can be disabled in /etc/firejail/firejail.config 48 // private-bin-no-local can be disabled in /etc/firejail/firejail.config
@@ -50,12 +50,12 @@ static char *check_dir_or_file(const char *name) {
50 i++; 50 i++;
51 continue; 51 continue;
52 } 52 }
53 53
54 // check file 54 // check file
55 if (asprintf(&fname, "%s/%s", paths[i], name) == -1) 55 if (asprintf(&fname, "%s/%s", paths[i], name) == -1)
56 errExit("asprintf"); 56 errExit("asprintf");
57 if (arg_debug) 57 if (arg_debug)
58 printf("Checking %s/%s\n", paths[i], name); 58 printf("Checking %s/%s\n", paths[i], name);
59 if (stat(fname, &s) == 0 && !S_ISDIR(s.st_mode)) { // do not allow directories 59 if (stat(fname, &s) == 0 && !S_ISDIR(s.st_mode)) { // do not allow directories
60 // check symlink to firejail executable in /usr/local/bin 60 // check symlink to firejail executable in /usr/local/bin
61 if (strcmp(paths[i], "/usr/local/bin") == 0 && is_link(fname)) { 61 if (strcmp(paths[i], "/usr/local/bin") == 0 && is_link(fname)) {
@@ -74,11 +74,11 @@ static char *check_dir_or_file(const char *name) {
74 } 74 }
75 free(actual_path); 75 free(actual_path);
76 } 76 }
77 77
78 } 78 }
79 break; // file found 79 break; // file found
80 } 80 }
81 81
82 free(fname); 82 free(fname);
83 fname = NULL; 83 fname = NULL;
84 i++; 84 i++;
@@ -89,7 +89,7 @@ static char *check_dir_or_file(const char *name) {
89 fwarning("file %s not found\n", name); 89 fwarning("file %s not found\n", name);
90 return NULL; 90 return NULL;
91 } 91 }
92 92
93 free(fname); 93 free(fname);
94 return paths[i]; 94 return paths[i];
95} 95}
@@ -109,7 +109,7 @@ static void duplicate(char *fname) {
109 char *full_path; 109 char *full_path;
110 if (asprintf(&full_path, "%s/%s", path, fname) == -1) 110 if (asprintf(&full_path, "%s/%s", path, fname) == -1)
111 errExit("asprintf"); 111 errExit("asprintf");
112 112
113 // copy the file 113 // copy the file
114 if (checkcfg(CFG_FOLLOW_SYMLINK_PRIVATE_BIN)) 114 if (checkcfg(CFG_FOLLOW_SYMLINK_PRIVATE_BIN))
115 sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, RUN_BIN_DIR); 115 sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, RUN_BIN_DIR);
@@ -123,10 +123,10 @@ static void duplicate(char *fname) {
123void fs_private_bin_list(void) { 123void fs_private_bin_list(void) {
124 char *private_list = cfg.bin_private_keep; 124 char *private_list = cfg.bin_private_keep;
125 assert(private_list); 125 assert(private_list);
126 126
127 // create /run/firejail/mnt/bin directory 127 // create /run/firejail/mnt/bin directory
128 mkdir_attr(RUN_BIN_DIR, 0755, 0, 0); 128 mkdir_attr(RUN_BIN_DIR, 0755, 0, 0);
129 129
130 if (arg_debug) 130 if (arg_debug)
131 printf("Copying files in the new bin directory\n"); 131 printf("Copying files in the new bin directory\n");
132 132
@@ -134,12 +134,12 @@ void fs_private_bin_list(void) {
134 char *dlist = strdup(private_list); 134 char *dlist = strdup(private_list);
135 if (!dlist) 135 if (!dlist)
136 errExit("strdup"); 136 errExit("strdup");
137 137
138 char *ptr = strtok(dlist, ","); 138 char *ptr = strtok(dlist, ",");
139 duplicate(ptr); 139 duplicate(ptr);
140 while ((ptr = strtok(NULL, ",")) != NULL) 140 while ((ptr = strtok(NULL, ",")) != NULL)
141 duplicate(ptr); 141 duplicate(ptr);
142 free(dlist); 142 free(dlist);
143 fs_logger_print(); 143 fs_logger_print();
144 144
145 // mount-bind 145 // mount-bind
@@ -157,4 +157,3 @@ void fs_private_bin_list(void) {
157 i++; 157 i++;
158 } 158 }
159} 159}
160
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c
index 59700dd9b..b0835d50b 100644
--- a/src/firejail/fs_etc.c
+++ b/src/firejail/fs_etc.c
@@ -36,20 +36,20 @@ void fs_machineid(void) {
36 return; 36 return;
37 if (arg_debug) 37 if (arg_debug)
38 printf("Generating a new machine-id\n"); 38 printf("Generating a new machine-id\n");
39 39
40 // init random number generator 40 // init random number generator
41 srand(time(NULL)); 41 srand(time(NULL));
42 42
43 // generate random id 43 // generate random id
44 mid.u32[0] = rand(); 44 mid.u32[0] = rand();
45 mid.u32[1] = rand(); 45 mid.u32[1] = rand();
46 mid.u32[2] = rand(); 46 mid.u32[2] = rand();
47 mid.u32[3] = rand(); 47 mid.u32[3] = rand();
48 48
49 // UUID version 4 and DCE variant 49 // UUID version 4 and DCE variant
50 mid.u8[6] = (mid.u8[6] & 0x0F) | 0x40; 50 mid.u8[6] = (mid.u8[6] & 0x0F) | 0x40;
51 mid.u8[8] = (mid.u8[8] & 0x3F) | 0x80; 51 mid.u8[8] = (mid.u8[8] & 0x3F) | 0x80;
52 52
53 // write it in a file 53 // write it in a file
54 FILE *fp = fopen(RUN_MACHINEID, "w"); 54 FILE *fp = fopen(RUN_MACHINEID, "w");
55 if (!fp) 55 if (!fp)
@@ -58,7 +58,7 @@ void fs_machineid(void) {
58 fclose(fp); 58 fclose(fp);
59 if (set_perms(RUN_MACHINEID, 0, 0, 0444)) 59 if (set_perms(RUN_MACHINEID, 0, 0, 0444))
60 errExit("set_perms"); 60 errExit("set_perms");
61 61
62 62
63 struct stat s; 63 struct stat s;
64 if (stat("/etc/machine-id", &s) == 0) { 64 if (stat("/etc/machine-id", &s) == 0) {
@@ -93,7 +93,7 @@ static int check_dir_or_file(const char *fname) {
93 if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || !is_link(fname)) 93 if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || !is_link(fname))
94 return 1; // normal exit 94 return 1; // normal exit
95 95
96errexit: 96errexit:
97 fprintf(stderr, "Error: invalid file type, %s.\n", fname); 97 fprintf(stderr, "Error: invalid file type, %s.\n", fname);
98 exit(1); 98 exit(1);
99} 99}
@@ -116,7 +116,7 @@ static void duplicate(const char *fname, const char *private_dir, const char *pr
116 116
117 if (arg_debug) 117 if (arg_debug)
118 printf("copying %s to private %s\n", src, private_dir); 118 printf("copying %s to private %s\n", src, private_dir);
119 119
120 struct stat s; 120 struct stat s;
121 if (stat(src, &s) == 0 && S_ISDIR(s.st_mode)) { 121 if (stat(src, &s) == 0 && S_ISDIR(s.st_mode)) {
122 // create the directory in RUN_ETC_DIR 122 // create the directory in RUN_ETC_DIR
@@ -139,11 +139,11 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
139 assert(private_dir); 139 assert(private_dir);
140 assert(private_run_dir); 140 assert(private_run_dir);
141 assert(private_list); 141 assert(private_list);
142 142
143 // create /run/firejail/mnt/etc directory 143 // create /run/firejail/mnt/etc directory
144 mkdir_attr(private_run_dir, 0755, 0, 0); 144 mkdir_attr(private_run_dir, 0755, 0, 0);
145 fs_logger2("tmpfs", private_dir); 145 fs_logger2("tmpfs", private_dir);
146 146
147 fs_logger_print(); // save the current log 147 fs_logger_print(); // save the current log
148 148
149 149
@@ -157,21 +157,20 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c
157 char *dlist = strdup(private_list); 157 char *dlist = strdup(private_list);
158 if (!dlist) 158 if (!dlist)
159 errExit("strdup"); 159 errExit("strdup");
160 160
161 161
162 char *ptr = strtok(dlist, ","); 162 char *ptr = strtok(dlist, ",");
163 duplicate(ptr, private_dir, private_run_dir); 163 duplicate(ptr, private_dir, private_run_dir);
164 164
165 while ((ptr = strtok(NULL, ",")) != NULL) 165 while ((ptr = strtok(NULL, ",")) != NULL)
166 duplicate(ptr, private_dir, private_run_dir); 166 duplicate(ptr, private_dir, private_run_dir);
167 free(dlist); 167 free(dlist);
168 fs_logger_print(); 168 fs_logger_print();
169 } 169 }
170 170
171 if (arg_debug) 171 if (arg_debug)
172 printf("Mount-bind %s on top of %s\n", private_run_dir, private_dir); 172 printf("Mount-bind %s on top of %s\n", private_run_dir, private_dir);
173 if (mount(private_run_dir, private_dir, NULL, MS_BIND|MS_REC, NULL) < 0) 173 if (mount(private_run_dir, private_dir, NULL, MS_BIND|MS_REC, NULL) < 0)
174 errExit("mount bind"); 174 errExit("mount bind");
175 fs_logger2("mount", private_dir); 175 fs_logger2("mount", private_dir);
176} 176}
177
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index 70f0388e6..e5e068583 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -63,7 +63,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
63 if (asprintf(&fname, "%s/.cshrc", homedir) == -1) 63 if (asprintf(&fname, "%s/.cshrc", homedir) == -1)
64 errExit("asprintf"); 64 errExit("asprintf");
65 struct stat s; 65 struct stat s;
66 66
67 // don't copy it if we already have the file 67 // don't copy it if we already have the file
68 if (stat(fname, &s) == 0) 68 if (stat(fname, &s) == 0)
69 return; 69 return;
@@ -88,7 +88,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) {
88 errExit("asprintf"); 88 errExit("asprintf");
89 struct stat s; 89 struct stat s;
90 // don't copy it if we already have the file 90 // don't copy it if we already have the file
91 if (stat(fname, &s) == 0) 91 if (stat(fname, &s) == 0)
92 return; 92 return;
93 if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat 93 if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat
94 fprintf(stderr, "Error: invalid %s file\n", fname); 94 fprintf(stderr, "Error: invalid %s file\n", fname);
@@ -113,10 +113,10 @@ static int store_xauthority(void) {
113 SET_PERMS_STREAM(fp, getuid(), getgid(), 0600); 113 SET_PERMS_STREAM(fp, getuid(), getgid(), 0600);
114 fclose(fp); 114 fclose(fp);
115 } 115 }
116 116
117 if (asprintf(&src, "%s/.Xauthority", cfg.homedir) == -1) 117 if (asprintf(&src, "%s/.Xauthority", cfg.homedir) == -1)
118 errExit("asprintf"); 118 errExit("asprintf");
119 119
120 struct stat s; 120 struct stat s;
121 if (stat(src, &s) == 0) { 121 if (stat(src, &s) == 0) {
122 if (is_link(src)) { 122 if (is_link(src)) {
@@ -128,7 +128,7 @@ static int store_xauthority(void) {
128 fs_logger2("clone", dest); 128 fs_logger2("clone", dest);
129 return 1; // file copied 129 return 1; // file copied
130 } 130 }
131 131
132 return 0; 132 return 0;
133} 133}
134 134
@@ -143,10 +143,10 @@ static int store_asoundrc(void) {
143 SET_PERMS_STREAM(fp, getuid(), getgid(), 0644); 143 SET_PERMS_STREAM(fp, getuid(), getgid(), 0644);
144 fclose(fp); 144 fclose(fp);
145 } 145 }
146 146
147 if (asprintf(&src, "%s/.asoundrc", cfg.homedir) == -1) 147 if (asprintf(&src, "%s/.asoundrc", cfg.homedir) == -1)
148 errExit("asprintf"); 148 errExit("asprintf");
149 149
150 struct stat s; 150 struct stat s;
151 if (stat(src, &s) == 0) { 151 if (stat(src, &s) == 0) {
152 if (is_link(src)) { 152 if (is_link(src)) {
@@ -168,7 +168,7 @@ static int store_asoundrc(void) {
168 fs_logger2("clone", dest); 168 fs_logger2("clone", dest);
169 return 1; // file copied 169 return 1; // file copied
170 } 170 }
171 171
172 return 0; 172 return 0;
173} 173}
174 174
@@ -178,7 +178,7 @@ static void copy_xauthority(void) {
178 char *dest; 178 char *dest;
179 if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1) 179 if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1)
180 errExit("asprintf"); 180 errExit("asprintf");
181 181
182 // if destination is a symbolic link, exit the sandbox!!! 182 // if destination is a symbolic link, exit the sandbox!!!
183 if (is_link(dest)) { 183 if (is_link(dest)) {
184 fprintf(stderr, "Error: %s is a symbolic link\n", dest); 184 fprintf(stderr, "Error: %s is a symbolic link\n", dest);
@@ -187,7 +187,7 @@ static void copy_xauthority(void) {
187 187
188 copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user 188 copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user
189 fs_logger2("clone", dest); 189 fs_logger2("clone", dest);
190 190
191 // delete the temporary file 191 // delete the temporary file
192 unlink(src); 192 unlink(src);
193} 193}
@@ -198,7 +198,7 @@ static void copy_asoundrc(void) {
198 char *dest; 198 char *dest;
199 if (asprintf(&dest, "%s/.asoundrc", cfg.homedir) == -1) 199 if (asprintf(&dest, "%s/.asoundrc", cfg.homedir) == -1)
200 errExit("asprintf"); 200 errExit("asprintf");
201 201
202 // if destination is a symbolic link, exit the sandbox!!! 202 // if destination is a symbolic link, exit the sandbox!!!
203 if (is_link(dest)) { 203 if (is_link(dest)) {
204 fprintf(stderr, "Error: %s is a symbolic link\n", dest); 204 fprintf(stderr, "Error: %s is a symbolic link\n", dest);
@@ -222,10 +222,10 @@ void fs_private_homedir(void) {
222 char *private_homedir = cfg.home_private; 222 char *private_homedir = cfg.home_private;
223 assert(homedir); 223 assert(homedir);
224 assert(private_homedir); 224 assert(private_homedir);
225 225
226 int xflag = store_xauthority(); 226 int xflag = store_xauthority();
227 int aflag = store_asoundrc(); 227 int aflag = store_asoundrc();
228 228
229 uid_t u = getuid(); 229 uid_t u = getuid();
230 gid_t g = getgid(); 230 gid_t g = getgid();
231 231
@@ -258,7 +258,7 @@ void fs_private_homedir(void) {
258 errExit("mounting home directory"); 258 errExit("mounting home directory");
259 fs_logger("tmpfs /home"); 259 fs_logger("tmpfs /home");
260 } 260 }
261 261
262 262
263 skel(homedir, u, g); 263 skel(homedir, u, g);
264 if (xflag) 264 if (xflag)
@@ -309,7 +309,7 @@ void fs_private(void) {
309 errExit("chown"); 309 errExit("chown");
310 fs_logger2("mkdir", homedir); 310 fs_logger2("mkdir", homedir);
311 } 311 }
312 312
313 skel(homedir, u, g); 313 skel(homedir, u, g);
314 if (xflag) 314 if (xflag)
315 copy_xauthority(); 315 copy_xauthority();
@@ -322,12 +322,12 @@ void fs_private(void) {
322void fs_check_private_dir(void) { 322void fs_check_private_dir(void) {
323 EUID_ASSERT(); 323 EUID_ASSERT();
324 invalid_filename(cfg.home_private); 324 invalid_filename(cfg.home_private);
325 325
326 // Expand the home directory 326 // Expand the home directory
327 char *tmp = expand_home(cfg.home_private, cfg.homedir); 327 char *tmp = expand_home(cfg.home_private, cfg.homedir);
328 cfg.home_private = realpath(tmp, NULL); 328 cfg.home_private = realpath(tmp, NULL);
329 free(tmp); 329 free(tmp);
330 330
331 if (!cfg.home_private 331 if (!cfg.home_private
332 || !is_dir(cfg.home_private) 332 || !is_dir(cfg.home_private)
333 || is_link(cfg.home_private) 333 || is_link(cfg.home_private)
@@ -383,7 +383,7 @@ static char *check_dir_or_file(const char *name) {
383 // we allow only files in user home directory or symbolic links to files or directories owned by the user 383 // we allow only files in user home directory or symbolic links to files or directories owned by the user
384 struct stat s; 384 struct stat s;
385 if (lstat(fname, &s) == 0 && S_ISLNK(s.st_mode)) { 385 if (lstat(fname, &s) == 0 && S_ISLNK(s.st_mode)) {
386 if (stat(fname, &s) == 0) { 386 if (stat(fname, &s) == 0) {
387 if (s.st_uid != getuid()) { 387 if (s.st_uid != getuid()) {
388 fprintf(stderr, "Error: symbolic link %s to file or directory not owned by the user\n", fname); 388 fprintf(stderr, "Error: symbolic link %s to file or directory not owned by the user\n", fname);
389 exit(1); 389 exit(1);
@@ -404,7 +404,7 @@ static char *check_dir_or_file(const char *name) {
404 fprintf(stderr, "Error: invalid file %s\n", name); 404 fprintf(stderr, "Error: invalid file %s\n", name);
405 exit(1); 405 exit(1);
406 } 406 }
407 407
408 // only top files and directories in user home are allowed 408 // only top files and directories in user home are allowed
409 char *ptr = rname + strlen(cfg.homedir); 409 char *ptr = rname + strlen(cfg.homedir);
410 assert(*ptr != '\0'); 410 assert(*ptr != '\0');
@@ -480,7 +480,7 @@ void fs_private_home_list(void) {
480 char *dlist = strdup(cfg.home_private_keep); 480 char *dlist = strdup(cfg.home_private_keep);
481 if (!dlist) 481 if (!dlist)
482 errExit("strdup"); 482 errExit("strdup");
483 483
484 char *ptr = strtok(dlist, ","); 484 char *ptr = strtok(dlist, ",");
485 duplicate(ptr); 485 duplicate(ptr);
486 while ((ptr = strtok(NULL, ",")) != NULL) 486 while ((ptr = strtok(NULL, ",")) != NULL)
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
index 32243c700..42255070c 100644
--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -27,7 +27,7 @@
27 27
28void fs_hostname(const char *hostname) { 28void fs_hostname(const char *hostname) {
29 struct stat s; 29 struct stat s;
30 30
31 // create a new /etc/hostname 31 // create a new /etc/hostname
32 if (stat("/etc/hostname", &s) == 0) { 32 if (stat("/etc/hostname", &s) == 0) {
33 if (arg_debug) 33 if (arg_debug)
@@ -40,7 +40,7 @@ void fs_hostname(const char *hostname) {
40 errExit("mount bind /etc/hostname"); 40 errExit("mount bind /etc/hostname");
41 fs_logger("create /etc/hostname"); 41 fs_logger("create /etc/hostname");
42 } 42 }
43 43
44 // create a new /etc/hosts 44 // create a new /etc/hosts
45 if (cfg.hosts_file == NULL && stat("/etc/hosts", &s) == 0) { 45 if (cfg.hosts_file == NULL && stat("/etc/hosts", &s) == 0) {
46 if (arg_debug) 46 if (arg_debug)
@@ -56,7 +56,7 @@ void fs_hostname(const char *hostname) {
56 fclose(fp1); 56 fclose(fp1);
57 goto errexit; 57 goto errexit;
58 } 58 }
59 59
60 char buf[4096]; 60 char buf[4096];
61 int done = 0; 61 int done = 0;
62 while (fgets(buf, sizeof(buf), fp1)) { 62 while (fgets(buf, sizeof(buf), fp1)) {
@@ -64,7 +64,7 @@ void fs_hostname(const char *hostname) {
64 char *ptr = strchr(buf, '\n'); 64 char *ptr = strchr(buf, '\n');
65 if (ptr) 65 if (ptr)
66 *ptr = '\0'; 66 *ptr = '\0';
67 67
68 // copy line 68 // copy line
69 if (strstr(buf, "127.0.0.1") && done == 0) { 69 if (strstr(buf, "127.0.0.1") && done == 0) {
70 done = 1; 70 done = 1;
@@ -77,7 +77,7 @@ void fs_hostname(const char *hostname) {
77 // mode and owner 77 // mode and owner
78 SET_PERMS_STREAM(fp2, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); 78 SET_PERMS_STREAM(fp2, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
79 fclose(fp2); 79 fclose(fp2);
80 80
81 // bind-mount the file on top of /etc/hostname 81 // bind-mount the file on top of /etc/hostname
82 fs_mount_hosts_file(); 82 fs_mount_hosts_file();
83 } 83 }
@@ -93,7 +93,7 @@ void fs_resolvconf(void) {
93 return; 93 return;
94 94
95 struct stat s; 95 struct stat s;
96 96
97 // create a new /etc/hostname 97 // create a new /etc/hostname
98 if (stat("/etc/resolv.conf", &s) == 0) { 98 if (stat("/etc/resolv.conf", &s) == 0) {
99 if (arg_debug) 99 if (arg_debug)
@@ -103,7 +103,7 @@ void fs_resolvconf(void) {
103 fprintf(stderr, "Error: cannot create %s\n", RUN_RESOLVCONF_FILE); 103 fprintf(stderr, "Error: cannot create %s\n", RUN_RESOLVCONF_FILE);
104 exit(1); 104 exit(1);
105 } 105 }
106 106
107 if (cfg.dns1) 107 if (cfg.dns1)
108 fprintf(fp, "nameserver %d.%d.%d.%d\n", PRINT_IP(cfg.dns1)); 108 fprintf(fp, "nameserver %d.%d.%d.%d\n", PRINT_IP(cfg.dns1));
109 if (cfg.dns2) 109 if (cfg.dns2)
@@ -115,7 +115,7 @@ void fs_resolvconf(void) {
115 SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); 115 SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
116 116
117 fclose(fp); 117 fclose(fp);
118 118
119 // bind-mount the file on top of /etc/hostname 119 // bind-mount the file on top of /etc/hostname
120 if (mount(RUN_RESOLVCONF_FILE, "/etc/resolv.conf", NULL, MS_BIND|MS_REC, NULL) < 0) 120 if (mount(RUN_RESOLVCONF_FILE, "/etc/resolv.conf", NULL, MS_BIND|MS_REC, NULL) < 0)
121 errExit("mount bind /etc/resolv.conf"); 121 errExit("mount bind /etc/resolv.conf");
@@ -135,7 +135,7 @@ char *fs_check_hosts_file(const char *fname) {
135 // no a link 135 // no a link
136 if (is_link(rv)) 136 if (is_link(rv))
137 goto errexit; 137 goto errexit;
138 138
139 // the user has read access to the file 139 // the user has read access to the file
140 if (access(rv, R_OK)) 140 if (access(rv, R_OK))
141 goto errexit; 141 goto errexit;
@@ -175,4 +175,3 @@ errexit:
175 fprintf(stderr, "Error: invalid /etc/hosts file\n"); 175 fprintf(stderr, "Error: invalid /etc/hosts file\n");
176 exit(1); 176 exit(1);
177} 177}
178
diff --git a/src/firejail/fs_logger.c b/src/firejail/fs_logger.c
index a2b6b317e..354e720a1 100644
--- a/src/firejail/fs_logger.c
+++ b/src/firejail/fs_logger.c
@@ -17,7 +17,7 @@
17 * with this program; if not, write to the Free Software Foundation, Inc., 17 * with this program; if not, write to the Free Software Foundation, Inc.,
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19*/ 19*/
20 20
21#include "firejail.h" 21#include "firejail.h"
22#include <sys/types.h> 22#include <sys/types.h>
23#include <sys/stat.h> 23#include <sys/stat.h>
@@ -47,7 +47,7 @@ static inline void insertmsg(FsMsg *ptr) {
47 last = ptr; 47 last = ptr;
48 return; 48 return;
49 } 49 }
50 50
51 assert(last); 51 assert(last);
52 last->next = ptr; 52 last->next = ptr;
53 last = ptr; 53 last = ptr;
@@ -91,14 +91,14 @@ void fs_logger3(const char *msg1, const char *msg2, const char *msg3) {
91void fs_logger_print(void) { 91void fs_logger_print(void) {
92 if (!head) 92 if (!head)
93 return; 93 return;
94 94
95 FILE *fp = fopen(RUN_FSLOGGER_FILE, "a"); 95 FILE *fp = fopen(RUN_FSLOGGER_FILE, "a");
96 if (!fp) { 96 if (!fp) {
97 perror("fopen"); 97 perror("fopen");
98 return; 98 return;
99 } 99 }
100 SET_PERMS_STREAM_NOERR(fp, getuid(), getgid(), 0644); 100 SET_PERMS_STREAM_NOERR(fp, getuid(), getgid(), 0644);
101 101
102 FsMsg *ptr = head; 102 FsMsg *ptr = head;
103 while (ptr) { 103 while (ptr) {
104 fprintf(fp, "%s\n", ptr->msg); 104 fprintf(fp, "%s\n", ptr->msg);
@@ -162,7 +162,7 @@ void fs_logger_print_log(pid_t pid) {
162 fprintf(stderr, "Error: Cannot open filesystem log\n"); 162 fprintf(stderr, "Error: Cannot open filesystem log\n");
163 exit(1); 163 exit(1);
164 } 164 }
165 165
166 char buf[MAXBUF]; 166 char buf[MAXBUF];
167 while (fgets(buf, MAXBUF, fp)) 167 while (fgets(buf, MAXBUF, fp))
168 printf("%s", buf); 168 printf("%s", buf);
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c
index 4397f0721..20ffe825a 100644
--- a/src/firejail/fs_mkdir.c
+++ b/src/firejail/fs_mkdir.c
@@ -57,7 +57,7 @@ static void mkdir_recursive(char *path) {
57 57
58void fs_mkdir(const char *name) { 58void fs_mkdir(const char *name) {
59 EUID_ASSERT(); 59 EUID_ASSERT();
60 60
61 // check directory name 61 // check directory name
62 invalid_filename(name); 62 invalid_filename(name);
63 char *expanded = expand_home(name, cfg.homedir); 63 char *expanded = expand_home(name, cfg.homedir);
@@ -93,11 +93,11 @@ void fs_mkdir(const char *name) {
93 93
94doexit: 94doexit:
95 free(expanded); 95 free(expanded);
96} 96}
97 97
98void fs_mkfile(const char *name) { 98void fs_mkfile(const char *name) {
99 EUID_ASSERT(); 99 EUID_ASSERT();
100 100
101 // check file name 101 // check file name
102 invalid_filename(name); 102 invalid_filename(name);
103 char *expanded = expand_home(name, cfg.homedir); 103 char *expanded = expand_home(name, cfg.homedir);
@@ -115,7 +115,7 @@ void fs_mkfile(const char *name) {
115 115
116 // create file 116 // create file
117 touch_file_as_user(expanded, getuid(), getgid(), 0600); 117 touch_file_as_user(expanded, getuid(), getgid(), 0600);
118 118
119doexit: 119doexit:
120 free(expanded); 120 free(expanded);
121} 121}
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c
index 2a58d1eb2..f964c05d0 100644
--- a/src/firejail/fs_trace.c
+++ b/src/firejail/fs_trace.c
@@ -58,11 +58,11 @@ void fs_trace(void) {
58 fprintf(fp, "%s/firejail/libtracelog.so\n", LIBDIR); 58 fprintf(fp, "%s/firejail/libtracelog.so\n", LIBDIR);
59 if (!arg_quiet) 59 if (!arg_quiet)
60 printf("Blacklist violations are logged to syslog\n"); 60 printf("Blacklist violations are logged to syslog\n");
61 } 61 }
62 62
63 SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); 63 SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH);
64 fclose(fp); 64 fclose(fp);
65 65
66 // mount the new preload file 66 // mount the new preload file
67 if (arg_debug) 67 if (arg_debug)
68 printf("Mount the new ld.so.preload file\n"); 68 printf("Mount the new ld.so.preload file\n");
@@ -70,4 +70,3 @@ void fs_trace(void) {
70 errExit("mount bind ld.so.preload"); 70 errExit("mount bind ld.so.preload");
71 fs_logger("create /etc/ld.so.preload"); 71 fs_logger("create /etc/ld.so.preload");
72} 72}
73
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c
index 426ef48bf..9452d162d 100644
--- a/src/firejail/fs_var.c
+++ b/src/firejail/fs_var.c
@@ -48,7 +48,7 @@ static void release_all(void) {
48 } 48 }
49 dirlist = NULL; 49 dirlist = NULL;
50} 50}
51 51
52static void build_list(const char *srcdir) { 52static void build_list(const char *srcdir) {
53 // extract current /var/log directory data 53 // extract current /var/log directory data
54 struct dirent *dir; 54 struct dirent *dir;
@@ -77,7 +77,7 @@ static void build_list(const char *srcdir) {
77// s.st_uid, 77// s.st_uid,
78// s.st_gid, 78// s.st_gid,
79// dir->d_name); 79// dir->d_name);
80 80
81 DirData *ptr = malloc(sizeof(DirData)); 81 DirData *ptr = malloc(sizeof(DirData));
82 if (ptr == NULL) 82 if (ptr == NULL)
83 errExit("malloc"); 83 errExit("malloc");
@@ -87,8 +87,8 @@ static void build_list(const char *srcdir) {
87 ptr->st_uid = s.st_uid; 87 ptr->st_uid = s.st_uid;
88 ptr->st_gid = s.st_gid; 88 ptr->st_gid = s.st_gid;
89 ptr->next = dirlist; 89 ptr->next = dirlist;
90 dirlist = ptr; 90 dirlist = ptr;
91 } 91 }
92 } 92 }
93 closedir(d); 93 closedir(d);
94} 94}
@@ -102,10 +102,10 @@ static void build_dirs(void) {
102 ptr = ptr->next; 102 ptr = ptr->next;
103 } 103 }
104} 104}
105 105
106void fs_var_log(void) { 106void fs_var_log(void) {
107 build_list("/var/log"); 107 build_list("/var/log");
108 108
109 // note: /var/log is not created here, if it does not exist, this section fails. 109 // note: /var/log is not created here, if it does not exist, this section fails.
110 // create /var/log if it doesn't exit 110 // create /var/log if it doesn't exit
111 if (is_dir("/var/log")) { 111 if (is_dir("/var/log")) {
@@ -114,17 +114,17 @@ void fs_var_log(void) {
114 gid_t wtmp_group = 0; 114 gid_t wtmp_group = 0;
115 if (stat("/var/log/wtmp", &s) == 0) 115 if (stat("/var/log/wtmp", &s) == 0)
116 wtmp_group = s.st_gid; 116 wtmp_group = s.st_gid;
117 117
118 // mount a tmpfs on top of /var/log 118 // mount a tmpfs on top of /var/log
119 if (arg_debug) 119 if (arg_debug)
120 printf("Mounting tmpfs on /var/log\n"); 120 printf("Mounting tmpfs on /var/log\n");
121 if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) 121 if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
122 errExit("mounting /var/log"); 122 errExit("mounting /var/log");
123 fs_logger("tmpfs /var/log"); 123 fs_logger("tmpfs /var/log");
124 124
125 build_dirs(); 125 build_dirs();
126 release_all(); 126 release_all();
127 127
128 // create an empty /var/log/wtmp file 128 // create an empty /var/log/wtmp file
129 /* coverity[toctou] */ 129 /* coverity[toctou] */
130 FILE *fp = fopen("/var/log/wtmp", "w"); 130 FILE *fp = fopen("/var/log/wtmp", "w");
@@ -133,7 +133,7 @@ void fs_var_log(void) {
133 fclose(fp); 133 fclose(fp);
134 } 134 }
135 fs_logger("touch /var/log/wtmp"); 135 fs_logger("touch /var/log/wtmp");
136 136
137 // create an empty /var/log/btmp file 137 // create an empty /var/log/btmp file
138 fp = fopen("/var/log/btmp", "w"); 138 fp = fopen("/var/log/btmp", "w");
139 if (fp) { 139 if (fp) {
@@ -148,7 +148,7 @@ void fs_var_log(void) {
148 148
149void fs_var_lib(void) { 149void fs_var_lib(void) {
150 struct stat s; 150 struct stat s;
151 151
152 // ISC DHCP multiserver 152 // ISC DHCP multiserver
153 if (stat("/var/lib/dhcp", &s) == 0) { 153 if (stat("/var/lib/dhcp", &s) == 0) {
154 if (arg_debug) 154 if (arg_debug)
@@ -156,10 +156,10 @@ void fs_var_lib(void) {
156 if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) 156 if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
157 errExit("mounting /var/lib/dhcp"); 157 errExit("mounting /var/lib/dhcp");
158 fs_logger("tmpfs /var/lib/dhcp"); 158 fs_logger("tmpfs /var/lib/dhcp");
159 159
160 // isc dhcp server requires a /var/lib/dhcp/dhcpd.leases file 160 // isc dhcp server requires a /var/lib/dhcp/dhcpd.leases file
161 FILE *fp = fopen("/var/lib/dhcp/dhcpd.leases", "w"); 161 FILE *fp = fopen("/var/lib/dhcp/dhcpd.leases", "w");
162 162
163 if (fp) { 163 if (fp) {
164 fprintf(fp, "\n"); 164 fprintf(fp, "\n");
165 SET_PERMS_STREAM(fp, 0, 0, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); 165 SET_PERMS_STREAM(fp, 0, 0, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
@@ -175,7 +175,7 @@ void fs_var_lib(void) {
175 if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) 175 if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
176 errExit("mounting /var/lib/nginx"); 176 errExit("mounting /var/lib/nginx");
177 fs_logger("tmpfs /var/lib/nginx"); 177 fs_logger("tmpfs /var/lib/nginx");
178 } 178 }
179 179
180 // net-snmp multiserver 180 // net-snmp multiserver
181 if (stat("/var/lib/snmp", &s) == 0) { 181 if (stat("/var/lib/snmp", &s) == 0) {
@@ -184,7 +184,7 @@ void fs_var_lib(void) {
184 if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) 184 if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
185 errExit("mounting /var/lib/snmp"); 185 errExit("mounting /var/lib/snmp");
186 fs_logger("tmpfs /var/lib/snmp"); 186 fs_logger("tmpfs /var/lib/snmp");
187 } 187 }
188 188
189 // this is where sudo remembers its state 189 // this is where sudo remembers its state
190 if (stat("/var/lib/sudo", &s) == 0) { 190 if (stat("/var/lib/sudo", &s) == 0) {
@@ -193,7 +193,7 @@ void fs_var_lib(void) {
193 if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) 193 if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
194 errExit("mounting /var/lib/sudo"); 194 errExit("mounting /var/lib/sudo");
195 fs_logger("tmpfs /var/lib/sudo"); 195 fs_logger("tmpfs /var/lib/sudo");
196 } 196 }
197} 197}
198 198
199void fs_var_cache(void) { 199void fs_var_cache(void) {
@@ -205,7 +205,7 @@ void fs_var_cache(void) {
205 if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) 205 if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
206 errExit("mounting /var/cache/apache2"); 206 errExit("mounting /var/cache/apache2");
207 fs_logger("tmpfs /var/cache/apache2"); 207 fs_logger("tmpfs /var/cache/apache2");
208 } 208 }
209 209
210 if (stat("/var/cache/lighttpd", &s) == 0) { 210 if (stat("/var/cache/lighttpd", &s) == 0) {
211 if (arg_debug) 211 if (arg_debug)
@@ -221,13 +221,13 @@ void fs_var_cache(void) {
221 uid = p->pw_uid; 221 uid = p->pw_uid;
222 gid = p->pw_gid; 222 gid = p->pw_gid;
223 } 223 }
224 224
225 mkdir_attr("/var/cache/lighttpd/compress", 0755, uid, gid); 225 mkdir_attr("/var/cache/lighttpd/compress", 0755, uid, gid);
226 fs_logger("mkdir /var/cache/lighttpd/compress"); 226 fs_logger("mkdir /var/cache/lighttpd/compress");
227 227
228 mkdir_attr("/var/cache/lighttpd/uploads", 0755, uid, gid); 228 mkdir_attr("/var/cache/lighttpd/uploads", 0755, uid, gid);
229 fs_logger("/var/cache/lighttpd/uploads"); 229 fs_logger("/var/cache/lighttpd/uploads");
230 } 230 }
231} 231}
232 232
233void dbg_test_dir(const char *dir) { 233void dbg_test_dir(const char *dir) {
@@ -312,7 +312,7 @@ void fs_var_utmp(void) {
312 FILE *fp = fopen(RUN_UTMP_FILE, "w"); 312 FILE *fp = fopen(RUN_UTMP_FILE, "w");
313 if (!fp) 313 if (!fp)
314 errExit("fopen"); 314 errExit("fopen");
315 315
316 // read current utmp 316 // read current utmp
317 struct utmp *u; 317 struct utmp *u;
318 struct utmp u_boot; 318 struct utmp u_boot;
@@ -324,12 +324,12 @@ void fs_var_utmp(void) {
324 } 324 }
325 } 325 }
326 endutent(); 326 endutent();
327 327
328 // save new utmp file 328 // save new utmp file
329 fwrite(&u_boot, sizeof(u_boot), 1, fp); 329 fwrite(&u_boot, sizeof(u_boot), 1, fp);
330 SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH); 330 SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH);
331 fclose(fp); 331 fclose(fp);
332 332
333 // mount the new utmp file 333 // mount the new utmp file
334 if (arg_debug) 334 if (arg_debug)
335 printf("Mount the new utmp file\n"); 335 printf("Mount the new utmp file\n");
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 407192200..3403c57a7 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -44,11 +44,11 @@ static char *resolve_downloads(int nowhitelist_flag) {
44 while (dentry[i] != NULL) { 44 while (dentry[i] != NULL) {
45 if (asprintf(&fname, "%s/%s", cfg.homedir, dentry[i]) == -1) 45 if (asprintf(&fname, "%s/%s", cfg.homedir, dentry[i]) == -1)
46 errExit("asprintf"); 46 errExit("asprintf");
47 47
48 if (stat(fname, &s) == 0) { 48 if (stat(fname, &s) == 0) {
49 if (arg_debug || arg_debug_whitelists) 49 if (arg_debug || arg_debug_whitelists)
50 printf("Downloads directory resolved as \"%s\"\n", fname); 50 printf("Downloads directory resolved as \"%s\"\n", fname);
51 51
52 char *rv; 52 char *rv;
53 if (nowhitelist_flag) { 53 if (nowhitelist_flag) {
54 if (asprintf(&rv, "nowhitelist ~/%s", dentry[i]) == -1) 54 if (asprintf(&rv, "nowhitelist ~/%s", dentry[i]) == -1)
@@ -72,14 +72,14 @@ static char *resolve_downloads(int nowhitelist_flag) {
72 if (!fp) { 72 if (!fp) {
73 free(fname); 73 free(fname);
74 return NULL; 74 return NULL;
75 } 75 }
76 free(fname); 76 free(fname);
77 77
78 // extract downloads directory 78 // extract downloads directory
79 char buf[MAXBUF]; 79 char buf[MAXBUF];
80 while (fgets(buf, MAXBUF, fp)) { 80 while (fgets(buf, MAXBUF, fp)) {
81 char *ptr = buf; 81 char *ptr = buf;
82 82
83 // skip blanks 83 // skip blanks
84 while (*ptr == ' ' || *ptr == '\t') 84 while (*ptr == ' ' || *ptr == '\t')
85 ptr++; 85 ptr++;
@@ -97,15 +97,15 @@ static char *resolve_downloads(int nowhitelist_flag) {
97 if (strlen(ptr1) != 0) { 97 if (strlen(ptr1) != 0) {
98 if (arg_debug || arg_debug_whitelists) 98 if (arg_debug || arg_debug_whitelists)
99 printf("Downloads directory resolved as \"%s\"\n", ptr1); 99 printf("Downloads directory resolved as \"%s\"\n", ptr1);
100 100
101 if (asprintf(&fname, "%s/%s", cfg.homedir, ptr1) == -1) 101 if (asprintf(&fname, "%s/%s", cfg.homedir, ptr1) == -1)
102 errExit("asprintf"); 102 errExit("asprintf");
103 103
104 if (stat(fname, &s) == -1) { 104 if (stat(fname, &s) == -1) {
105 free(fname); 105 free(fname);
106 goto errout; 106 goto errout;
107 } 107 }
108 108
109 char *rv; 109 char *rv;
110 if (nowhitelist_flag) { 110 if (nowhitelist_flag) {
111 if (asprintf(&rv, "nowhitelist ~/%s", ptr + 24) == -1) 111 if (asprintf(&rv, "nowhitelist ~/%s", ptr + 24) == -1)
@@ -122,7 +122,7 @@ static char *resolve_downloads(int nowhitelist_flag) {
122 } 122 }
123 } 123 }
124 } 124 }
125 125
126 fclose(fp); 126 fclose(fp);
127 return NULL; 127 return NULL;
128 128
@@ -131,13 +131,13 @@ errout:
131 fprintf(stderr, "*** Error: Downloads directory was not found in user home.\n"); 131 fprintf(stderr, "*** Error: Downloads directory was not found in user home.\n");
132 fprintf(stderr, "*** \tAny files saved by the program, will be lost when the sandbox is closed.\n"); 132 fprintf(stderr, "*** \tAny files saved by the program, will be lost when the sandbox is closed.\n");
133 fprintf(stderr, "***\n"); 133 fprintf(stderr, "***\n");
134 134
135 return NULL; 135 return NULL;
136} 136}
137 137
138static int mkpath(const char* path, mode_t mode) { 138static int mkpath(const char* path, mode_t mode) {
139 assert(path && *path); 139 assert(path && *path);
140 140
141 mode |= 0111; 141 mode |= 0111;
142 142
143 // create directories with uid/gid as root or as current user if inside home directory 143 // create directories with uid/gid as root or as current user if inside home directory
@@ -168,13 +168,13 @@ static int mkpath(const char* path, mode_t mode) {
168 if (set_perms(file_path, uid, gid, mode)) 168 if (set_perms(file_path, uid, gid, mode))
169 errExit("set_perms"); 169 errExit("set_perms");
170 done = 1; 170 done = 1;
171 } 171 }
172 172
173 *p='/'; 173 *p='/';
174 } 174 }
175 if (done) 175 if (done)
176 fs_logger2("mkpath", path); 176 fs_logger2("mkpath", path);
177 177
178 free(file_path); 178 free(file_path);
179 return 0; 179 return 0;
180} 180}
@@ -187,14 +187,14 @@ static void whitelist_path(ProfileEntry *entry) {
187 char *wfile = NULL; 187 char *wfile = NULL;
188 188
189 if (entry->home_dir) { 189 if (entry->home_dir) {
190 if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) { 190 if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) {
191 fname = path + strlen(cfg.homedir); 191 fname = path + strlen(cfg.homedir);
192 if (*fname == '\0') 192 if (*fname == '\0')
193 goto errexit; 193 goto errexit;
194 } 194 }
195 else 195 else
196 fname = path; 196 fname = path;
197 197
198 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1) 198 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1)
199 errExit("asprintf"); 199 errExit("asprintf");
200 } 200 }
@@ -202,7 +202,7 @@ static void whitelist_path(ProfileEntry *entry) {
202 fname = path + 4; // strlen("/tmp") 202 fname = path + 4; // strlen("/tmp")
203 if (*fname == '\0') 203 if (*fname == '\0')
204 goto errexit; 204 goto errexit;
205 205
206 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_TMP_DIR, fname) == -1) 206 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_TMP_DIR, fname) == -1)
207 errExit("asprintf"); 207 errExit("asprintf");
208 } 208 }
@@ -210,7 +210,7 @@ static void whitelist_path(ProfileEntry *entry) {
210 fname = path + 6; // strlen("/media") 210 fname = path + 6; // strlen("/media")
211 if (*fname == '\0') 211 if (*fname == '\0')
212 goto errexit; 212 goto errexit;
213 213
214 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MEDIA_DIR, fname) == -1) 214 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MEDIA_DIR, fname) == -1)
215 errExit("asprintf"); 215 errExit("asprintf");
216 } 216 }
@@ -226,7 +226,7 @@ static void whitelist_path(ProfileEntry *entry) {
226 fname = path + 4; // strlen("/var") 226 fname = path + 4; // strlen("/var")
227 if (*fname == '\0') 227 if (*fname == '\0')
228 goto errexit; 228 goto errexit;
229 229
230 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_VAR_DIR, fname) == -1) 230 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_VAR_DIR, fname) == -1)
231 errExit("asprintf"); 231 errExit("asprintf");
232 } 232 }
@@ -234,7 +234,7 @@ static void whitelist_path(ProfileEntry *entry) {
234 fname = path + 4; // strlen("/dev") 234 fname = path + 4; // strlen("/dev")
235 if (*fname == '\0') 235 if (*fname == '\0')
236 goto errexit; 236 goto errexit;
237 237
238 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_DEV_DIR, fname) == -1) 238 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_DEV_DIR, fname) == -1)
239 errExit("asprintf"); 239 errExit("asprintf");
240 } 240 }
@@ -242,7 +242,7 @@ static void whitelist_path(ProfileEntry *entry) {
242 fname = path + 4; // strlen("/opt") 242 fname = path + 4; // strlen("/opt")
243 if (*fname == '\0') 243 if (*fname == '\0')
244 goto errexit; 244 goto errexit;
245 245
246 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1) 246 if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1)
247 errExit("asprintf"); 247 errExit("asprintf");
248 } 248 }
@@ -263,18 +263,18 @@ static void whitelist_path(ProfileEntry *entry) {
263 else { 263 else {
264 return; 264 return;
265 } 265 }
266 266
267 // create the path if necessary 267 // create the path if necessary
268 mkpath(path, s.st_mode); 268 mkpath(path, s.st_mode);
269 fs_logger2("whitelist", path); 269 fs_logger2("whitelist", path);
270 270
271 // process directory 271 // process directory
272 if (S_ISDIR(s.st_mode)) { 272 if (S_ISDIR(s.st_mode)) {
273 // create directory 273 // create directory
274 int rv = mkdir(path, 0755); 274 int rv = mkdir(path, 0755);
275 (void) rv; 275 (void) rv;
276 } 276 }
277 277
278 // process regular file 278 // process regular file
279 else { 279 else {
280 if (access(path, R_OK)) { 280 if (access(path, R_OK)) {
@@ -291,7 +291,7 @@ static void whitelist_path(ProfileEntry *entry) {
291 else 291 else
292 return; // the file is already present 292 return; // the file is already present
293 } 293 }
294 294
295 // mount 295 // mount
296 if (mount(wfile, path, NULL, MS_BIND|MS_REC, NULL) < 0) 296 if (mount(wfile, path, NULL, MS_BIND|MS_REC, NULL) < 0)
297 errExit("mount bind"); 297 errExit("mount bind");
@@ -328,11 +328,11 @@ void fs_whitelist(void) {
328 char **nowhitelist = calloc(nowhitelist_m, sizeof(*nowhitelist)); 328 char **nowhitelist = calloc(nowhitelist_m, sizeof(*nowhitelist));
329 if (nowhitelist == NULL) 329 if (nowhitelist == NULL)
330 errExit("failed allocating memory for nowhitelist entries"); 330 errExit("failed allocating memory for nowhitelist entries");
331 331
332 // verify whitelist files, extract symbolic links, etc. 332 // verify whitelist files, extract symbolic links, etc.
333 while (entry) { 333 while (entry) {
334 int nowhitelist_flag = 0; 334 int nowhitelist_flag = 0;
335 335
336 // handle only whitelist and nowhitelist commands 336 // handle only whitelist and nowhitelist commands
337 if (strncmp(entry->data, "whitelist ", 10) == 0) 337 if (strncmp(entry->data, "whitelist ", 10) == 0)
338 nowhitelist_flag = 0; 338 nowhitelist_flag = 0;
@@ -412,16 +412,16 @@ void fs_whitelist(void) {
412 else if (strncmp(new_name, "/srv/", 5) == 0) 412 else if (strncmp(new_name, "/srv/", 5) == 0)
413 opt_dir = 1; 413 opt_dir = 1;
414 } 414 }
415 415
416 *entry->data = '\0'; 416 *entry->data = '\0';
417 continue; 417 continue;
418 } 418 }
419 419
420 if (nowhitelist_flag) { 420 if (nowhitelist_flag) {
421 // store the path in nowhitelist array 421 // store the path in nowhitelist array
422 if (arg_debug || arg_debug_whitelists) 422 if (arg_debug || arg_debug_whitelists)
423 printf("Storing nowhitelist %s\n", fname); 423 printf("Storing nowhitelist %s\n", fname);
424 424
425 if (nowhitelist_c >= nowhitelist_m) { 425 if (nowhitelist_c >= nowhitelist_m) {
426 nowhitelist_m *= 2; 426 nowhitelist_m *= 2;
427 nowhitelist = realloc(nowhitelist, sizeof(*nowhitelist) * nowhitelist_m); 427 nowhitelist = realloc(nowhitelist, sizeof(*nowhitelist) * nowhitelist_m);
@@ -432,8 +432,8 @@ void fs_whitelist(void) {
432 *entry->data = 0; 432 *entry->data = 0;
433 continue; 433 continue;
434 } 434 }
435 435
436 436
437 // check for supported directories 437 // check for supported directories
438 if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) { 438 if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) {
439 // whitelisting home directory is disabled if --private option is present 439 // whitelisting home directory is disabled if --private option is present
@@ -544,7 +544,7 @@ void fs_whitelist(void) {
544 free(fname); 544 free(fname);
545 continue; 545 continue;
546 } 546 }
547 } 547 }
548 548
549 // mark symbolic links 549 // mark symbolic links
550 if (is_link(new_name)) 550 if (is_link(new_name))
@@ -566,29 +566,29 @@ void fs_whitelist(void) {
566 free(fname); 566 free(fname);
567 entry = entry->next; 567 entry = entry->next;
568 } 568 }
569 569
570 // release nowhitelist memory 570 // release nowhitelist memory
571 assert(nowhitelist); 571 assert(nowhitelist);
572 free(nowhitelist); 572 free(nowhitelist);
573 573
574 // /home/user 574 // /home/user
575 if (home_dir) { 575 if (home_dir) {
576 // keep a copy of real home dir in RUN_WHITELIST_HOME_USER_DIR 576 // keep a copy of real home dir in RUN_WHITELIST_HOME_USER_DIR
577 mkdir_attr(RUN_WHITELIST_HOME_USER_DIR, 0755, getuid(), getgid()); 577 mkdir_attr(RUN_WHITELIST_HOME_USER_DIR, 0755, getuid(), getgid());
578 if (mount(cfg.homedir, RUN_WHITELIST_HOME_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) 578 if (mount(cfg.homedir, RUN_WHITELIST_HOME_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
579 errExit("mount bind"); 579 errExit("mount bind");
580 580
581 // mount a tmpfs and initialize /home/user 581 // mount a tmpfs and initialize /home/user
582 fs_private(); 582 fs_private();
583 } 583 }
584 584
585 // /tmp mountpoint 585 // /tmp mountpoint
586 if (tmp_dir) { 586 if (tmp_dir) {
587 // keep a copy of real /tmp directory in 587 // keep a copy of real /tmp directory in
588 mkdir_attr(RUN_WHITELIST_TMP_DIR, 1777, 0, 0); 588 mkdir_attr(RUN_WHITELIST_TMP_DIR, 1777, 0, 0);
589 if (mount("/tmp", RUN_WHITELIST_TMP_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) 589 if (mount("/tmp", RUN_WHITELIST_TMP_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
590 errExit("mount bind"); 590 errExit("mount bind");
591 591
592 // mount tmpfs on /tmp 592 // mount tmpfs on /tmp
593 if (arg_debug || arg_debug_whitelists) 593 if (arg_debug || arg_debug_whitelists)
594 printf("Mounting tmpfs on /tmp directory\n"); 594 printf("Mounting tmpfs on /tmp directory\n");
@@ -596,7 +596,7 @@ void fs_whitelist(void) {
596 errExit("mounting tmpfs on /tmp"); 596 errExit("mounting tmpfs on /tmp");
597 fs_logger("tmpfs /tmp"); 597 fs_logger("tmpfs /tmp");
598 } 598 }
599 599
600 // /media mountpoint 600 // /media mountpoint
601 if (media_dir) { 601 if (media_dir) {
602 // some distros don't have a /media directory 602 // some distros don't have a /media directory
@@ -606,7 +606,7 @@ void fs_whitelist(void) {
606 mkdir_attr(RUN_WHITELIST_MEDIA_DIR, 0755, 0, 0); 606 mkdir_attr(RUN_WHITELIST_MEDIA_DIR, 0755, 0, 0);
607 if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) 607 if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
608 errExit("mount bind"); 608 errExit("mount bind");
609 609
610 // mount tmpfs on /media 610 // mount tmpfs on /media
611 if (arg_debug || arg_debug_whitelists) 611 if (arg_debug || arg_debug_whitelists)
612 printf("Mounting tmpfs on /media directory\n"); 612 printf("Mounting tmpfs on /media directory\n");
@@ -646,7 +646,7 @@ void fs_whitelist(void) {
646 mkdir_attr(RUN_WHITELIST_VAR_DIR, 0755, 0, 0); 646 mkdir_attr(RUN_WHITELIST_VAR_DIR, 0755, 0, 0);
647 if (mount("/var", RUN_WHITELIST_VAR_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) 647 if (mount("/var", RUN_WHITELIST_VAR_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
648 errExit("mount bind"); 648 errExit("mount bind");
649 649
650 // mount tmpfs on /var 650 // mount tmpfs on /var
651 if (arg_debug || arg_debug_whitelists) 651 if (arg_debug || arg_debug_whitelists)
652 printf("Mounting tmpfs on /var directory\n"); 652 printf("Mounting tmpfs on /var directory\n");
@@ -661,7 +661,7 @@ void fs_whitelist(void) {
661 mkdir_attr(RUN_WHITELIST_DEV_DIR, 0755, 0, 0); 661 mkdir_attr(RUN_WHITELIST_DEV_DIR, 0755, 0, 0);
662 if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC, "mode=755,gid=0") < 0) 662 if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC, "mode=755,gid=0") < 0)
663 errExit("mount bind"); 663 errExit("mount bind");
664 664
665 // mount tmpfs on /dev 665 // mount tmpfs on /dev
666 if (arg_debug || arg_debug_whitelists) 666 if (arg_debug || arg_debug_whitelists)
667 printf("Mounting tmpfs on /dev directory\n"); 667 printf("Mounting tmpfs on /dev directory\n");
@@ -676,7 +676,7 @@ void fs_whitelist(void) {
676 mkdir_attr(RUN_WHITELIST_OPT_DIR, 0755, 0, 0); 676 mkdir_attr(RUN_WHITELIST_OPT_DIR, 0755, 0, 0);
677 if (mount("/opt", RUN_WHITELIST_OPT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) 677 if (mount("/opt", RUN_WHITELIST_OPT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0)
678 errExit("mount bind"); 678 errExit("mount bind");
679 679
680 // mount tmpfs on /opt 680 // mount tmpfs on /opt
681 if (arg_debug || arg_debug_whitelists) 681 if (arg_debug || arg_debug_whitelists)
682 printf("Mounting tmpfs on /opt directory\n"); 682 printf("Mounting tmpfs on /opt directory\n");
@@ -707,7 +707,7 @@ void fs_whitelist(void) {
707 } 707 }
708 708
709 709
710 710
711 // go through profile rules again, and interpret whitelist commands 711 // go through profile rules again, and interpret whitelist commands
712 entry = cfg.profile; 712 entry = cfg.profile;
713 while (entry) { 713 while (entry) {
@@ -719,7 +719,7 @@ void fs_whitelist(void) {
719 719
720//printf("here %d#%s#\n", __LINE__, entry->data); 720//printf("here %d#%s#\n", __LINE__, entry->data);
721 // whitelist the real file 721 // whitelist the real file
722 if (strcmp(entry->data, "whitelist /run") == 0 && 722 if (strcmp(entry->data, "whitelist /run") == 0 &&
723 (strcmp(entry->link, "/var/run") == 0 || strcmp(entry->link, "/var/lock") == 0)) { 723 (strcmp(entry->link, "/var/run") == 0 || strcmp(entry->link, "/var/lock") == 0)) {
724 int rv = symlink(entry->data + 10, entry->link); 724 int rv = symlink(entry->data + 10, entry->link);
725 if (rv) 725 if (rv)
@@ -729,7 +729,7 @@ void fs_whitelist(void) {
729 } 729 }
730 else { 730 else {
731 whitelist_path(entry); 731 whitelist_path(entry);
732 732
733 // create the link if any 733 // create the link if any
734 if (entry->link) { 734 if (entry->link) {
735 // if the link is already there, do not bother 735 // if the link is already there, do not bother
@@ -737,7 +737,7 @@ void fs_whitelist(void) {
737 if (stat(entry->link, &s) != 0) { 737 if (stat(entry->link, &s) != 0) {
738 // create the path if necessary 738 // create the path if necessary
739 mkpath(entry->link, s.st_mode); 739 mkpath(entry->link, s.st_mode);
740 740
741 int rv = symlink(entry->data + 10, entry->link); 741 int rv = symlink(entry->data + 10, entry->link);
742 if (rv) 742 if (rv)
743 fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link); 743 fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link);
@@ -756,7 +756,7 @@ void fs_whitelist(void) {
756 errExit("mount tmpfs"); 756 errExit("mount tmpfs");
757 fs_logger2("tmpfs", RUN_WHITELIST_HOME_USER_DIR); 757 fs_logger2("tmpfs", RUN_WHITELIST_HOME_USER_DIR);
758 } 758 }
759 759
760 // mask the real /tmp directory, currently mounted on RUN_WHITELIST_TMP_DIR 760 // mask the real /tmp directory, currently mounted on RUN_WHITELIST_TMP_DIR
761 if (tmp_dir) { 761 if (tmp_dir) {
762 if (mount("tmpfs", RUN_WHITELIST_TMP_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) 762 if (mount("tmpfs", RUN_WHITELIST_TMP_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0)
@@ -808,7 +808,7 @@ void fs_whitelist(void) {
808 808
809 if (new_name) 809 if (new_name)
810 free(new_name); 810 free(new_name);
811 811
812 return; 812 return;
813 813
814errexit: 814errexit:
diff --git a/src/firejail/git.c b/src/firejail/git.c
index c4dd54a1b..ae28f7ec1 100644
--- a/src/firejail/git.c
+++ b/src/firejail/git.c
@@ -19,7 +19,7 @@
19 */ 19 */
20 20
21#ifdef HAVE_GIT_INSTALL 21#ifdef HAVE_GIT_INSTALL
22 22
23#include "firejail.h" 23#include "firejail.h"
24#include <sys/utsname.h> 24#include <sys/utsname.h>
25#include <sched.h> 25#include <sched.h>
@@ -46,7 +46,7 @@ static void sbox_ns(void) {
46 errExit("setgid/getgid"); 46 errExit("setgid/getgid");
47 if (setuid(getuid()) < 0) 47 if (setuid(getuid()) < 0)
48 errExit("setuid/getuid"); 48 errExit("setuid/getuid");
49 assert(getenv("LD_PRELOAD") == NULL); 49 assert(getenv("LD_PRELOAD") == NULL);
50 50
51 printf("Running as "); fflush(0); 51 printf("Running as "); fflush(0);
52 int rv = system("whoami"); 52 int rv = system("whoami");
@@ -55,16 +55,16 @@ static void sbox_ns(void) {
55 rv = system("ls -l /tmp"); 55 rv = system("ls -l /tmp");
56 (void) rv; 56 (void) rv;
57} 57}
58 58
59 59
60void git_install(void) { 60void git_install(void) {
61 // redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh" 61 // redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh"
62 EUID_ASSERT(); 62 EUID_ASSERT();
63 EUID_ROOT(); 63 EUID_ROOT();
64 64
65 // install a mount namespace with a tmpfs on top of /tmp 65 // install a mount namespace with a tmpfs on top of /tmp
66 sbox_ns(); 66 sbox_ns();
67 67
68 // run command 68 // run command
69 const char *cmd = LIBDIR "/firejail/fgit-install.sh"; 69 const char *cmd = LIBDIR "/firejail/fgit-install.sh";
70 int rv = system(cmd); 70 int rv = system(cmd);
@@ -76,15 +76,15 @@ void git_uninstall(void) {
76 // redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh" 76 // redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh"
77 EUID_ASSERT(); 77 EUID_ASSERT();
78 EUID_ROOT(); 78 EUID_ROOT();
79 79
80 // install a mount namespace with a tmpfs on top of /tmp 80 // install a mount namespace with a tmpfs on top of /tmp
81 sbox_ns(); 81 sbox_ns();
82 82
83 // run command 83 // run command
84 const char *cmd = LIBDIR "/firejail/fgit-uninstall.sh"; 84 const char *cmd = LIBDIR "/firejail/fgit-uninstall.sh";
85 int rv = system(cmd); 85 int rv = system(cmd);
86 (void) rv; 86 (void) rv;
87 exit(0); 87 exit(0);
88} 88}
89 89
90#endif // HAVE_GIT_INSTALL 90#endif // HAVE_GIT_INSTALL
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 2f6f070e0..b5b45a3bf 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -48,7 +48,7 @@ static void extract_command(int argc, char **argv, int index) {
48 if (index >= argc) 48 if (index >= argc)
49 return; 49 return;
50 } 50 }
51 51
52 // first argv needs to be a valid command 52 // first argv needs to be a valid command
53 if (arg_doubledash == 0 && *argv[index] == '-') { 53 if (arg_doubledash == 0 && *argv[index] == '-') {
54 fprintf(stderr, "Error: invalid option %s after --join\n", argv[index]); 54 fprintf(stderr, "Error: invalid option %s after --join\n", argv[index]);
@@ -66,7 +66,7 @@ static void extract_nogroups(pid_t pid) {
66 char *fname; 66 char *fname;
67 if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_GROUPS_CFG) == -1) 67 if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_GROUPS_CFG) == -1)
68 errExit("asprintf"); 68 errExit("asprintf");
69 69
70 struct stat s; 70 struct stat s;
71 if (stat(fname, &s) == -1) 71 if (stat(fname, &s) == -1)
72 return; 72 return;
@@ -79,11 +79,11 @@ static void extract_cpu(pid_t pid) {
79 char *fname; 79 char *fname;
80 if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_CPU_CFG) == -1) 80 if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_CPU_CFG) == -1)
81 errExit("asprintf"); 81 errExit("asprintf");
82 82
83 struct stat s; 83 struct stat s;
84 if (stat(fname, &s) == -1) 84 if (stat(fname, &s) == -1)
85 return; 85 return;
86 86
87 // there is a CPU_CFG file, load it! 87 // there is a CPU_CFG file, load it!
88 load_cpu(fname); 88 load_cpu(fname);
89 free(fname); 89 free(fname);
@@ -93,11 +93,11 @@ static void extract_cgroup(pid_t pid) {
93 char *fname; 93 char *fname;
94 if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_CGROUP_CFG) == -1) 94 if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_CGROUP_CFG) == -1)
95 errExit("asprintf"); 95 errExit("asprintf");
96 96
97 struct stat s; 97 struct stat s;
98 if (stat(fname, &s) == -1) 98 if (stat(fname, &s) == -1)
99 return; 99 return;
100 100
101 // there is a cgroup file CGROUP_CFG, load it! 101 // there is a cgroup file CGROUP_CFG, load it!
102 load_cgroup(fname); 102 load_cgroup(fname);
103 free(fname); 103 free(fname);
@@ -127,7 +127,7 @@ static void extract_caps_seccomp(pid_t pid) {
127 apply_seccomp = 1; 127 apply_seccomp = 1;
128 break; 128 break;
129 } 129 }
130 else if (strncmp(buf, "CapBnd:", 7) == 0) { 130 else if (strncmp(buf, "CapBnd:", 7) == 0) {
131 char *ptr = buf + 7; 131 char *ptr = buf + 7;
132 unsigned long long val; 132 unsigned long long val;
133 sscanf(ptr, "%llx", &val); 133 sscanf(ptr, "%llx", &val);
@@ -149,7 +149,7 @@ static void extract_user_namespace(pid_t pid) {
149 stat("/proc/self/gid_map", &s3) == 0); 149 stat("/proc/self/gid_map", &s3) == 0);
150 else 150 else
151 return; 151 return;
152 152
153 // read uid map 153 // read uid map
154 char *uidmap; 154 char *uidmap;
155 if (asprintf(&uidmap, "/proc/%u/uid_map", pid) == -1) 155 if (asprintf(&uidmap, "/proc/%u/uid_map", pid) == -1)
@@ -215,11 +215,11 @@ void join(pid_t pid, int argc, char **argv, int index) {
215 extract_nogroups(pid); 215 extract_nogroups(pid);
216 extract_user_namespace(pid); 216 extract_user_namespace(pid);
217 } 217 }
218 218
219 // set cgroup 219 // set cgroup
220 if (cfg.cgroup) // not available for uid 0 220 if (cfg.cgroup) // not available for uid 0
221 set_cgroup(cfg.cgroup); 221 set_cgroup(cfg.cgroup);
222 222
223 // join namespaces 223 // join namespaces
224 if (arg_join_network) { 224 if (arg_join_network) {
225 if (join_namespace(pid, "net")) 225 if (join_namespace(pid, "net"))
@@ -246,14 +246,14 @@ void join(pid_t pid, int argc, char **argv, int index) {
246 char *rootdir; 246 char *rootdir;
247 if (asprintf(&rootdir, "/proc/%d/root", pid) == -1) 247 if (asprintf(&rootdir, "/proc/%d/root", pid) == -1)
248 errExit("asprintf"); 248 errExit("asprintf");
249 249
250 int rv; 250 int rv;
251 if (!arg_join_network) { 251 if (!arg_join_network) {
252 rv = chroot(rootdir); // this will fail for processes in sandboxes not started with --chroot option 252 rv = chroot(rootdir); // this will fail for processes in sandboxes not started with --chroot option
253 if (rv == 0) 253 if (rv == 0)
254 printf("changing root to %s\n", rootdir); 254 printf("changing root to %s\n", rootdir);
255 } 255 }
256 256
257 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died 257 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
258 if (chdir("/") < 0) 258 if (chdir("/") < 0)
259 errExit("chdir"); 259 errExit("chdir");
@@ -265,11 +265,11 @@ void join(pid_t pid, int argc, char **argv, int index) {
265 errExit("chdir"); 265 errExit("chdir");
266 } 266 }
267 } 267 }
268 268
269 // set cpu affinity 269 // set cpu affinity
270 if (cfg.cpus) // not available for uid 0 270 if (cfg.cpus) // not available for uid 0
271 set_cpu_affinity(); 271 set_cpu_affinity();
272 272
273 // set caps filter 273 // set caps filter
274 if (apply_caps == 1) // not available for uid 0 274 if (apply_caps == 1) // not available for uid 0
275 caps_set(caps); 275 caps_set(caps);
@@ -278,9 +278,9 @@ void join(pid_t pid, int argc, char **argv, int index) {
278 if (getuid() != 0) 278 if (getuid() != 0)
279 protocol_filter_load(RUN_PROTOCOL_CFG); 279 protocol_filter_load(RUN_PROTOCOL_CFG);
280 if (cfg.protocol) { // not available for uid 0 280 if (cfg.protocol) { // not available for uid 0
281 seccomp_load(RUN_SECCOMP_PROTOCOL); // install filter 281 seccomp_load(RUN_SECCOMP_PROTOCOL); // install filter
282 } 282 }
283 283
284 // set seccomp filter 284 // set seccomp filter
285 if (apply_seccomp == 1) // not available for uid 0 285 if (apply_seccomp == 1) // not available for uid 0
286 seccomp_load(RUN_SECCOMP_CFG); 286 seccomp_load(RUN_SECCOMP_CFG);
@@ -298,7 +298,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
298 if (apply_caps == 1) // not available for uid 0 298 if (apply_caps == 1) // not available for uid 0
299 caps_set(caps); 299 caps_set(caps);
300 } 300 }
301 else 301 else
302 drop_privs(arg_nogroups); // nogroups not available for uid 0 302 drop_privs(arg_nogroups); // nogroups not available for uid 0
303 303
304 304
@@ -349,6 +349,3 @@ void join(pid_t pid, int argc, char **argv, int index) {
349 flush_stdin(); 349 flush_stdin();
350 exit(0); 350 exit(0);
351} 351}
352
353
354
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index 7b51ee697..7b994b835 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
@@ -17,7 +17,7 @@
17 * with this program; if not, write to the Free Software Foundation, Inc., 17 * with this program; if not, write to the Free Software Foundation, Inc.,
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19*/ 19*/
20 20
21#include "firejail.h" 21#include "firejail.h"
22#include <sys/types.h> 22#include <sys/types.h>
23#include <sys/stat.h> 23#include <sys/stat.h>
@@ -36,7 +36,7 @@ static char *c_uid_name = NULL;
36 36
37static void print_file_or_dir(const char *path, const char *fname, int separator) { 37static void print_file_or_dir(const char *path, const char *fname, int separator) {
38 assert(fname); 38 assert(fname);
39 39
40 char *name; 40 char *name;
41 if (separator) { 41 if (separator) {
42 if (asprintf(&name, "%s/%s", path, fname) == -1) 42 if (asprintf(&name, "%s/%s", path, fname) == -1)
@@ -46,7 +46,7 @@ static void print_file_or_dir(const char *path, const char *fname, int separator
46 if (asprintf(&name, "%s%s", path, fname) == -1) 46 if (asprintf(&name, "%s%s", path, fname) == -1)
47 errExit("asprintf"); 47 errExit("asprintf");
48 } 48 }
49 49
50 struct stat s; 50 struct stat s;
51 if (stat(name, &s) == -1) { 51 if (stat(name, &s) == -1) {
52 if (lstat(name, &s) == -1) { 52 if (lstat(name, &s) == -1) {
@@ -78,7 +78,7 @@ static void print_file_or_dir(const char *path, const char *fname, int separator
78 printf( (s.st_mode & S_IWOTH) ? "w" : "-"); 78 printf( (s.st_mode & S_IWOTH) ? "w" : "-");
79 printf( (s.st_mode & S_IXOTH) ? "x" : "-"); 79 printf( (s.st_mode & S_IXOTH) ? "x" : "-");
80 printf(" "); 80 printf(" ");
81 81
82 // user name 82 // user name
83 char *username; 83 char *username;
84 int allocated = 0; 84 int allocated = 0;
@@ -100,7 +100,7 @@ static void print_file_or_dir(const char *path, const char *fname, int separator
100 if (!username) 100 if (!username)
101 errExit("asprintf"); 101 errExit("asprintf");
102 } 102 }
103 103
104 if (c_uid == 0) { 104 if (c_uid == 0) {
105 c_uid = s.st_uid; 105 c_uid = s.st_uid;
106 c_uid_name = strdup(username); 106 c_uid_name = strdup(username);
@@ -108,7 +108,7 @@ static void print_file_or_dir(const char *path, const char *fname, int separator
108 errExit("asprintf"); 108 errExit("asprintf");
109 } 109 }
110 } 110 }
111 111
112 // print user name, 8 chars maximum 112 // print user name, 8 chars maximum
113 int len = strlen(username); 113 int len = strlen(username);
114 if (len > 8) { 114 if (len > 8) {
@@ -121,7 +121,7 @@ static void print_file_or_dir(const char *path, const char *fname, int separator
121 printf(" "); 121 printf(" ");
122 if (allocated) 122 if (allocated)
123 free(username); 123 free(username);
124 124
125 125
126 // group name 126 // group name
127 char *groupname; 127 char *groupname;
@@ -141,7 +141,7 @@ static void print_file_or_dir(const char *path, const char *fname, int separator
141 errExit("asprintf"); 141 errExit("asprintf");
142 } 142 }
143 } 143 }
144 144
145 // print grup name, 8 chars maximum 145 // print grup name, 8 chars maximum
146 len = strlen(groupname); 146 len = strlen(groupname);
147 if (len > 8) { 147 if (len > 8) {
@@ -159,7 +159,7 @@ static void print_file_or_dir(const char *path, const char *fname, int separator
159 errExit("asprintf"); 159 errExit("asprintf");
160 printf("%11.10s %s\n", sz, fname); 160 printf("%11.10s %s\n", sz, fname);
161 free(sz); 161 free(sz);
162 162
163} 163}
164 164
165static void print_directory(const char *path) { 165static void print_directory(const char *path) {
@@ -168,7 +168,7 @@ static void print_directory(const char *path) {
168 if (stat(path, &s) == -1) 168 if (stat(path, &s) == -1)
169 return; 169 return;
170 assert(S_ISDIR(s.st_mode)); 170 assert(S_ISDIR(s.st_mode));
171 171
172 struct dirent **namelist; 172 struct dirent **namelist;
173 int i; 173 int i;
174 int n; 174 int n;
@@ -200,7 +200,7 @@ char *expand_path(const char *path) {
200 // assume the file is in current working directory 200 // assume the file is in current working directory
201 if (asprintf(&fname, "%s/%s", cfg.cwd, path) == -1) 201 if (asprintf(&fname, "%s/%s", cfg.cwd, path) == -1)
202 errExit("asprintf"); 202 errExit("asprintf");
203 } 203 }
204 return fname; 204 return fname;
205} 205}
206 206
@@ -241,7 +241,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
241 printf("file1 %s\n", fname1); 241 printf("file1 %s\n", fname1);
242 printf("file2 %s\n", fname2); 242 printf("file2 %s\n", fname2);
243 } 243 }
244 244
245 // sandbox root directory 245 // sandbox root directory
246 char *rootdir; 246 char *rootdir;
247 if (asprintf(&rootdir, "/proc/%d/root", pid) == -1) 247 if (asprintf(&rootdir, "/proc/%d/root", pid) == -1)
@@ -254,7 +254,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
254 errExit("chroot"); 254 errExit("chroot");
255 if (chdir("/") < 0) 255 if (chdir("/") < 0)
256 errExit("chdir"); 256 errExit("chdir");
257 257
258 // drop privileges 258 // drop privileges
259 drop_privs(0); 259 drop_privs(0);
260 260
@@ -271,8 +271,8 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
271 } 271 }
272 if (arg_debug) 272 if (arg_debug)
273 printf("realpath %s\n", rp); 273 printf("realpath %s\n", rp);
274 274
275 275
276 // list directory contents 276 // list directory contents
277 struct stat s; 277 struct stat s;
278 if (stat(rp, &s) == -1) { 278 if (stat(rp, &s) == -1) {
@@ -283,7 +283,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
283 char *dir; 283 char *dir;
284 if (asprintf(&dir, "%s/", rp) == -1) 284 if (asprintf(&dir, "%s/", rp) == -1)
285 errExit("asprintf"); 285 errExit("asprintf");
286 286
287 print_directory(dir); 287 print_directory(dir);
288 free(dir); 288 free(dir);
289 } 289 }
@@ -299,7 +299,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
299 } 299 }
300 free(rp); 300 free(rp);
301 } 301 }
302 302
303 // get file from sandbox and store it in the current directory 303 // get file from sandbox and store it in the current directory
304 else if (op == SANDBOX_FS_GET) { 304 else if (op == SANDBOX_FS_GET) {
305 char *src_fname =fname1; 305 char *src_fname =fname1;
@@ -320,7 +320,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
320 SET_PERMS_FD(fd, getuid(), getgid(), 0600); 320 SET_PERMS_FD(fd, getuid(), getgid(), 0600);
321 close(fd); 321 close(fd);
322 } 322 }
323 323
324 // copy the source file into the temporary file - we need to chroot 324 // copy the source file into the temporary file - we need to chroot
325 pid_t child = fork(); 325 pid_t child = fork();
326 if (child < 0) 326 if (child < 0)
@@ -331,10 +331,10 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
331 errExit("chroot"); 331 errExit("chroot");
332 if (chdir("/") < 0) 332 if (chdir("/") < 0)
333 errExit("chdir"); 333 errExit("chdir");
334 334
335 // drop privileges 335 // drop privileges
336 drop_privs(0); 336 drop_privs(0);
337 337
338 // copy the file 338 // copy the file
339 if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user 339 if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user
340 _exit(1); 340 _exit(1);
@@ -352,7 +352,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
352 unlink(tmp_fname); 352 unlink(tmp_fname);
353 exit(1); 353 exit(1);
354 } 354 }
355 355
356 // copy the temporary file into the destionation file 356 // copy the temporary file into the destionation file
357 child = fork(); 357 child = fork();
358 if (child < 0) 358 if (child < 0)
@@ -360,7 +360,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
360 if (child == 0) { 360 if (child == 0) {
361 // drop privileges 361 // drop privileges
362 drop_privs(0); 362 drop_privs(0);
363 363
364 // copy the file 364 // copy the file
365 if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user 365 if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user
366 _exit(1); 366 _exit(1);
@@ -378,7 +378,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
378 unlink(tmp_fname); 378 unlink(tmp_fname);
379 exit(1); 379 exit(1);
380 } 380 }
381 381
382 // remove the temporary file 382 // remove the temporary file
383 unlink(tmp_fname); 383 unlink(tmp_fname);
384 EUID_USER(); 384 EUID_USER();
@@ -401,7 +401,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
401 } 401 }
402 SET_PERMS_FD(fd, getuid(), getgid(), 0600); 402 SET_PERMS_FD(fd, getuid(), getgid(), 0600);
403 close(fd); 403 close(fd);
404 404
405 // copy the source file into the temporary file - we need to chroot 405 // copy the source file into the temporary file - we need to chroot
406 pid_t child = fork(); 406 pid_t child = fork();
407 if (child < 0) 407 if (child < 0)
@@ -409,7 +409,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
409 if (child == 0) { 409 if (child == 0) {
410 // drop privileges 410 // drop privileges
411 drop_privs(0); 411 drop_privs(0);
412 412
413 // copy the file 413 // copy the file
414 if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user 414 if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user
415 _exit(1); 415 _exit(1);
@@ -427,7 +427,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
427 unlink(tmp_fname); 427 unlink(tmp_fname);
428 exit(1); 428 exit(1);
429 } 429 }
430 430
431 // copy the temporary file into the destionation file 431 // copy the temporary file into the destionation file
432 child = fork(); 432 child = fork();
433 if (child < 0) 433 if (child < 0)
@@ -438,10 +438,10 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
438 errExit("chroot"); 438 errExit("chroot");
439 if (chdir("/") < 0) 439 if (chdir("/") < 0)
440 errExit("chdir"); 440 errExit("chdir");
441 441
442 // drop privileges 442 // drop privileges
443 drop_privs(0); 443 drop_privs(0);
444 444
445 // copy the file 445 // copy the file
446 if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user 446 if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user
447 _exit(1); 447 _exit(1);
@@ -459,7 +459,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
459 unlink(tmp_fname); 459 unlink(tmp_fname);
460 exit(1); 460 exit(1);
461 } 461 }
462 462
463 // remove the temporary file 463 // remove the temporary file
464 unlink(tmp_fname); 464 unlink(tmp_fname);
465 EUID_USER(); 465 EUID_USER();
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index ea1d45dd7..14b3b54a6 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -46,7 +46,7 @@ static char *client_filter =
46void check_netfilter_file(const char *fname) { 46void check_netfilter_file(const char *fname) {
47 EUID_ASSERT(); 47 EUID_ASSERT();
48 invalid_filename(fname); 48 invalid_filename(fname);
49 49
50 if (is_dir(fname) || is_link(fname) || strstr(fname, "..") || access(fname, R_OK )) { 50 if (is_dir(fname) || is_link(fname) || strstr(fname, "..") || access(fname, R_OK )) {
51 fprintf(stderr, "Error: invalid network filter file %s\n", fname); 51 fprintf(stderr, "Error: invalid network filter file %s\n", fname);
52 exit(1); 52 exit(1);
@@ -95,14 +95,14 @@ void netfilter(const char *fname) {
95 // push filter 95 // push filter
96 if (arg_debug) 96 if (arg_debug)
97 printf("Installing network filter:\n%s\n", filter); 97 printf("Installing network filter:\n%s\n", filter);
98 98
99 // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter 99 // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter
100 // we run this command with caps and seccomp disabled in order to allow the loading of these modules 100 // we run this command with caps and seccomp disabled in order to allow the loading of these modules
101 sbox_run(SBOX_ROOT /* | SBOX_CAPS_NETWORK | SBOX_SECCOMP*/ | SBOX_STDIN_FROM_FILE, 1, iptables_restore); 101 sbox_run(SBOX_ROOT /* | SBOX_CAPS_NETWORK | SBOX_SECCOMP*/ | SBOX_STDIN_FROM_FILE, 1, iptables_restore);
102 unlink(SBOX_STDIN_FILE); 102 unlink(SBOX_STDIN_FILE);
103 103
104 // debug 104 // debug
105 if (arg_debug) 105 if (arg_debug)
106 sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-vL"); 106 sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-vL");
107 107
108 if (allocated) 108 if (allocated)
@@ -113,7 +113,7 @@ void netfilter(const char *fname) {
113void netfilter6(const char *fname) { 113void netfilter6(const char *fname) {
114 if (fname == NULL) 114 if (fname == NULL)
115 return; 115 return;
116 116
117 // find iptables command 117 // find iptables command
118 char *ip6tables = NULL; 118 char *ip6tables = NULL;
119 char *ip6tables_restore = NULL; 119 char *ip6tables_restore = NULL;
@@ -149,7 +149,7 @@ void netfilter6(const char *fname) {
149 // we run this command with caps and seccomp disabled in order to allow the loading of these modules 149 // we run this command with caps and seccomp disabled in order to allow the loading of these modules
150 sbox_run(SBOX_ROOT | /* SBOX_CAPS_NETWORK | SBOX_SECCOMP | */ SBOX_STDIN_FROM_FILE, 1, ip6tables_restore); 150 sbox_run(SBOX_ROOT | /* SBOX_CAPS_NETWORK | SBOX_SECCOMP | */ SBOX_STDIN_FROM_FILE, 1, ip6tables_restore);
151 unlink(SBOX_STDIN_FILE); 151 unlink(SBOX_STDIN_FILE);
152 152
153 // debug 153 // debug
154 if (arg_debug) 154 if (arg_debug)
155 sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, ip6tables, "-vL"); 155 sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, ip6tables, "-vL");
diff --git a/src/firejail/network.c b/src/firejail/network.c
index 44fc4f68f..f7ddef917 100644
--- a/src/firejail/network.c
+++ b/src/firejail/network.c
@@ -50,8 +50,8 @@ int net_get_mtu(const char *ifname) {
50 if (arg_debug) 50 if (arg_debug)
51 printf("MTU of %s is %d.\n", ifname, ifr.ifr_mtu); 51 printf("MTU of %s is %d.\n", ifname, ifr.ifr_mtu);
52 close(s); 52 close(s);
53 53
54 54
55 return mtu; 55 return mtu;
56} 56}
57 57
@@ -84,10 +84,10 @@ int net_get_if_addr(const char *bridge, uint32_t *ip, uint32_t *mask, uint8_t ma
84 assert(bridge); 84 assert(bridge);
85 assert(ip); 85 assert(ip);
86 assert(mask); 86 assert(mask);
87 87
88 if (arg_debug) 88 if (arg_debug)
89 printf("get interface %s configuration\n", bridge); 89 printf("get interface %s configuration\n", bridge);
90 90
91 int rv = -1; 91 int rv = -1;
92 struct ifaddrs *ifaddr, *ifa; 92 struct ifaddrs *ifaddr, *ifa;
93 93
@@ -110,7 +110,7 @@ int net_get_if_addr(const char *bridge, uint32_t *ip, uint32_t *mask, uint8_t ma
110 net_get_mac(ifa->ifa_name, mac); 110 net_get_mac(ifa->ifa_name, mac);
111 *mtu = net_get_mtu(bridge); 111 *mtu = net_get_mtu(bridge);
112 } 112 }
113 113
114 rv = 0; 114 rv = 0;
115 break; 115 break;
116 } 116 }
@@ -126,9 +126,9 @@ void net_if_up(const char *ifname) {
126 fprintf(stderr, "Error: invalid network device name %s\n", ifname); 126 fprintf(stderr, "Error: invalid network device name %s\n", ifname);
127 exit(1); 127 exit(1);
128 } 128 }
129 sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 3, 129 sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 3,
130 PATH_FNET, "ifup", ifname); 130 PATH_FNET, "ifup", ifname);
131} 131}
132 132
133 133
134// configure interface ipv6 address 134// configure interface ipv6 address
@@ -138,8 +138,8 @@ void net_if_ip6(const char *ifname, const char *addr6) {
138 fprintf(stderr, "Error: invalid IPv6 address %s\n", addr6); 138 fprintf(stderr, "Error: invalid IPv6 address %s\n", addr6);
139 exit(1); 139 exit(1);
140 } 140 }
141 141
142 sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 5, 142 sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 5,
143 PATH_FNET, "config", "ipv6", ifname, addr6); 143 PATH_FNET, "config", "ipv6", ifname, addr6);
144 144
145} 145}
@@ -187,19 +187,19 @@ uint32_t network_get_defaultgw(void) {
187 FILE *fp = fopen("/proc/self/net/route", "r"); 187 FILE *fp = fopen("/proc/self/net/route", "r");
188 if (!fp) 188 if (!fp)
189 errExit("fopen"); 189 errExit("fopen");
190 190
191 char buf[BUFSIZE]; 191 char buf[BUFSIZE];
192 uint32_t retval = 0; 192 uint32_t retval = 0;
193 while (fgets(buf, BUFSIZE, fp)) { 193 while (fgets(buf, BUFSIZE, fp)) {
194 if (strncmp(buf, "Iface", 5) == 0) 194 if (strncmp(buf, "Iface", 5) == 0)
195 continue; 195 continue;
196 196
197 char *ptr = buf; 197 char *ptr = buf;
198 while (*ptr != ' ' && *ptr != '\t') 198 while (*ptr != ' ' && *ptr != '\t')
199 ptr++; 199 ptr++;
200 while (*ptr == ' ' || *ptr == '\t') 200 while (*ptr == ' ' || *ptr == '\t')
201 ptr++; 201 ptr++;
202 202
203 unsigned dest; 203 unsigned dest;
204 unsigned gw; 204 unsigned gw;
205 int rv = sscanf(ptr, "%x %x", &dest, &gw); 205 int rv = sscanf(ptr, "%x %x", &dest, &gw);
@@ -219,9 +219,9 @@ int net_config_mac(const char *ifname, const unsigned char mac[6]) {
219 mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]) == -1) 219 mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]) == -1)
220 errExit("asprintf"); 220 errExit("asprintf");
221 221
222 sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 5, 222 sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 5,
223 PATH_FNET, "config", "mac", ifname, macstr); 223 PATH_FNET, "config", "mac", ifname, macstr);
224 224
225 free(macstr); 225 free(macstr);
226 return 0; 226 return 0;
227} 227}
@@ -237,7 +237,7 @@ int net_get_mac(const char *ifname, unsigned char mac[6]) {
237 memset(&ifr, 0, sizeof(ifr)); 237 memset(&ifr, 0, sizeof(ifr));
238 strncpy(ifr.ifr_name, ifname, IFNAMSIZ); 238 strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
239 ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER; 239 ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER;
240 240
241 if (ioctl(sock, SIOCGIFHWADDR, &ifr) == -1) 241 if (ioctl(sock, SIOCGIFHWADDR, &ifr) == -1)
242 errExit("ioctl"); 242 errExit("ioctl");
243 memcpy(mac, ifr.ifr_hwaddr.sa_data, 6); 243 memcpy(mac, ifr.ifr_hwaddr.sa_data, 6);
@@ -248,7 +248,7 @@ int net_get_mac(const char *ifname, unsigned char mac[6]) {
248 248
249void net_config_interface(const char *dev, uint32_t ip, uint32_t mask, int mtu) { 249void net_config_interface(const char *dev, uint32_t ip, uint32_t mask, int mtu) {
250 assert(dev); 250 assert(dev);
251 251
252 char *ipstr; 252 char *ipstr;
253 if (asprintf(&ipstr, "%llu", (long long unsigned) ip) == -1) 253 if (asprintf(&ipstr, "%llu", (long long unsigned) ip) == -1)
254 errExit("asprintf"); 254 errExit("asprintf");
@@ -260,12 +260,11 @@ void net_config_interface(const char *dev, uint32_t ip, uint32_t mask, int mtu)
260 char *mtustr; 260 char *mtustr;
261 if (asprintf(&mtustr, "%d", mtu) == -1) 261 if (asprintf(&mtustr, "%d", mtu) == -1)
262 errExit("asprintf"); 262 errExit("asprintf");
263 263
264 sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 7, 264 sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 7,
265 PATH_FNET, "config", "interface", dev, ipstr, maskstr, mtustr); 265 PATH_FNET, "config", "interface", dev, ipstr, maskstr, mtustr);
266 266
267 free(ipstr); 267 free(ipstr);
268 free(maskstr); 268 free(maskstr);
269 free(mtustr); 269 free(mtustr);
270} 270}
271
diff --git a/src/firejail/network.txt b/src/firejail/network.txt
index f6df0f485..75bdc346d 100644
--- a/src/firejail/network.txt
+++ b/src/firejail/network.txt
@@ -40,10 +40,10 @@ main() {
40 else if --ip 40 else if --ip
41 br = last bridge configured 41 br = last bridge configured
42 br->ipsandbox = ip address extracted from argv[i] 42 br->ipsandbox = ip address extracted from argv[i]
43 else if --defaultgw 43 else if --defaultgw
44 cfg.defaultgw = ip address extracted from argv[i] 44 cfg.defaultgw = ip address extracted from argv[i]
45 } 45 }
46 46
47 net_check_cfg(); // check the validity of network configuration so far 47 net_check_cfg(); // check the validity of network configuration so far
48 48
49 if (any bridge configured) { 49 if (any bridge configured) {
@@ -51,29 +51,29 @@ main() {
51 for each bridge 51 for each bridge
52 net_configure_sandbox_ip(br) 52 net_configure_sandbox_ip(br)
53 } 53 }
54 54
55 clone (new network namespace if any bridge configured or --net=none) 55 clone (new network namespace if any bridge configured or --net=none)
56 56
57 if (any bridge configured) { 57 if (any bridge configured) {
58 for each bridge 58 for each bridge
59 net_configure_veth_pair 59 net_configure_veth_pair
60 } 60 }
61 61
62 notify child init is done 62 notify child init is done
63 63
64 if (any bridge configured) { 64 if (any bridge configured) {
65 for each bridge 65 for each bridge
66 net_bridge_wait_ip 66 net_bridge_wait_ip
67 unlock /var/lock/firejail.lock file 67 unlock /var/lock/firejail.lock file
68 } 68 }
69 69
70 wait on child 70 wait on child
71 exit 71 exit
72} 72}
73 73
74 74
75****************************************************** 75******************************************************
76* macvlan notes 76* macvlan notes
77****************************************************** 77******************************************************
78Configure a macvlan interface 78Configure a macvlan interface
79 79
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c
index 3450bceea..1da25dd08 100644
--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -50,7 +50,7 @@ void net_configure_bridge(Bridge *br, char *dev_name) {
50 if (asprintf(&newname, "%s-%u", br->devsandbox, getpid()) == -1) 50 if (asprintf(&newname, "%s-%u", br->devsandbox, getpid()) == -1)
51 errExit("asprintf"); 51 errExit("asprintf");
52 br->devsandbox = newname; 52 br->devsandbox = newname;
53 } 53 }
54 else { 54 else {
55 fprintf(stderr, "Error: cannot find network device %s\n", br->dev); 55 fprintf(stderr, "Error: cannot find network device %s\n", br->dev);
56 exit(1); 56 exit(1);
@@ -72,7 +72,7 @@ void net_configure_bridge(Bridge *br, char *dev_name) {
72 printf("macvlan parent device %s at %d.%d.%d.%d/%d\n", 72 printf("macvlan parent device %s at %d.%d.%d.%d/%d\n",
73 br->dev, PRINT_IP(br->ip), mask2bits(br->mask)); 73 br->dev, PRINT_IP(br->ip), mask2bits(br->mask));
74 } 74 }
75 75
76 uint32_t range = ~br->mask + 1; // the number of potential addresses 76 uint32_t range = ~br->mask + 1; // the number of potential addresses
77 // this software is not supported for /31 networks 77 // this software is not supported for /31 networks
78 if (range < 4) { 78 if (range < 4) {
@@ -127,7 +127,7 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child) {
127 } 127 }
128 else 128 else
129 dev = br->veth_name; 129 dev = br->veth_name;
130 130
131 char *cstr; 131 char *cstr;
132 if (asprintf(&cstr, "%d", child) == -1) 132 if (asprintf(&cstr, "%d", child) == -1)
133 errExit("asprintf"); 133 errExit("asprintf");
@@ -249,7 +249,7 @@ void net_dns_print(pid_t pid) {
249 } 249 }
250 free(comm); 250 free(comm);
251 } 251 }
252 252
253 char *fname; 253 char *fname;
254 EUID_ROOT(); 254 EUID_ROOT();
255 if (asprintf(&fname, "/proc/%d/root/etc/resolv.conf", pid) == -1) 255 if (asprintf(&fname, "/proc/%d/root/etc/resolv.conf", pid) == -1)
@@ -261,7 +261,7 @@ void net_dns_print(pid_t pid) {
261 fprintf(stderr, "Error: cannot access /etc/resolv.conf\n"); 261 fprintf(stderr, "Error: cannot access /etc/resolv.conf\n");
262 exit(1); 262 exit(1);
263 } 263 }
264 264
265 char buf[MAXBUF]; 265 char buf[MAXBUF];
266 while (fgets(buf, MAXBUF, fp)) 266 while (fgets(buf, MAXBUF, fp))
267 printf("%s", buf); 267 printf("%s", buf);
@@ -284,21 +284,21 @@ void network_main(pid_t child) {
284 else 284 else
285 sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr); 285 sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr);
286 } 286 }
287 287
288 if (cfg.bridge1.configured) { 288 if (cfg.bridge1.configured) {
289 if (cfg.bridge1.macvlan == 0) 289 if (cfg.bridge1.macvlan == 0)
290 net_configure_veth_pair(&cfg.bridge1, "eth1", child); 290 net_configure_veth_pair(&cfg.bridge1, "eth1", child);
291 else 291 else
292 sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr); 292 sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr);
293 } 293 }
294 294
295 if (cfg.bridge2.configured) { 295 if (cfg.bridge2.configured) {
296 if (cfg.bridge2.macvlan == 0) 296 if (cfg.bridge2.macvlan == 0)
297 net_configure_veth_pair(&cfg.bridge2, "eth2", child); 297 net_configure_veth_pair(&cfg.bridge2, "eth2", child);
298 else 298 else
299 sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr); 299 sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr);
300 } 300 }
301 301
302 if (cfg.bridge3.configured) { 302 if (cfg.bridge3.configured) {
303 if (cfg.bridge3.macvlan == 0) 303 if (cfg.bridge3.macvlan == 0)
304 net_configure_veth_pair(&cfg.bridge3, "eth3", child); 304 net_configure_veth_pair(&cfg.bridge3, "eth3", child);
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c
index 05f5abe2a..b37c5abf7 100644
--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -39,12 +39,12 @@ int is_container(const char *str) {
39// returns 1 if we are running under LXC 39// returns 1 if we are running under LXC
40int check_namespace_virt(void) { 40int check_namespace_virt(void) {
41 EUID_ASSERT(); 41 EUID_ASSERT();
42 42
43 // check container environment variable 43 // check container environment variable
44 char *str = getenv("container"); 44 char *str = getenv("container");
45 if (str && is_container(str)) 45 if (str && is_container(str))
46 return 1; 46 return 1;
47 47
48 // check PID 1 container environment variable 48 // check PID 1 container environment variable
49 EUID_ROOT(); 49 EUID_ROOT();
50 FILE *fp = fopen("/proc/1/environ", "r"); 50 FILE *fp = fopen("/proc/1/environ", "r");
@@ -62,7 +62,7 @@ int check_namespace_virt(void) {
62 break; 62 break;
63 } 63 }
64 buf[i] = '\0'; 64 buf[i] = '\0';
65 65
66 // check env var name 66 // check env var name
67 if (strncmp(buf, "container=", 10) == 0) { 67 if (strncmp(buf, "container=", 10) == 0) {
68 // found it 68 // found it
@@ -74,10 +74,10 @@ int check_namespace_virt(void) {
74 } 74 }
75// printf("i %d c %d, buf #%s#\n", i, c, buf); 75// printf("i %d c %d, buf #%s#\n", i, c, buf);
76 } 76 }
77 77
78 fclose(fp); 78 fclose(fp);
79 } 79 }
80 80
81 EUID_USER(); 81 EUID_USER();
82 return 0; 82 return 0;
83} 83}
@@ -104,7 +104,7 @@ int check_kernel_procs(void) {
104 104
105 // look at the first 10 processes 105 // look at the first 10 processes
106 // if a kernel process is found, return 1 106 // if a kernel process is found, return 1
107 for (i = 1; i <= 10; i++) { 107 for (i = 1; i <= 10; i++) {
108 struct stat s; 108 struct stat s;
109 char *fname; 109 char *fname;
110 if (asprintf(&fname, "/proc/%d/comm", i) == -1) 110 if (asprintf(&fname, "/proc/%d/comm", i) == -1)
@@ -113,7 +113,7 @@ int check_kernel_procs(void) {
113 free(fname); 113 free(fname);
114 continue; 114 continue;
115 } 115 }
116 116
117 // open file 117 // open file
118 /* coverity[toctou] */ 118 /* coverity[toctou] */
119 FILE *fp = fopen(fname, "r"); 119 FILE *fp = fopen(fname, "r");
@@ -122,7 +122,7 @@ int check_kernel_procs(void) {
122 free(fname); 122 free(fname);
123 continue; 123 continue;
124 } 124 }
125 125
126 // read file 126 // read file
127 char buf[100]; 127 char buf[100];
128 if (fgets(buf, 10, fp) == NULL) { 128 if (fgets(buf, 10, fp) == NULL) {
@@ -135,7 +135,7 @@ int check_kernel_procs(void) {
135 char *ptr; 135 char *ptr;
136 if ((ptr = strchr(buf, '\n')) != NULL) 136 if ((ptr = strchr(buf, '\n')) != NULL)
137 *ptr = '\0'; 137 *ptr = '\0';
138 138
139 // check process name against the kernel list 139 // check process name against the kernel list
140 int j = 0; 140 int j = 0;
141 while (kern_proc[j] != NULL) { 141 while (kern_proc[j] != NULL) {
@@ -148,7 +148,7 @@ int check_kernel_procs(void) {
148 } 148 }
149 j++; 149 j++;
150 } 150 }
151 151
152 fclose(fp); 152 fclose(fp);
153 free(fname); 153 free(fname);
154 } 154 }
diff --git a/src/firejail/output.c b/src/firejail/output.c
index cea4f4e28..9fb4ad6b1 100644
--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -24,7 +24,7 @@
24 24
25void check_output(int argc, char **argv) { 25void check_output(int argc, char **argv) {
26 EUID_ASSERT(); 26 EUID_ASSERT();
27 27
28 int i; 28 int i;
29 int outindex = 0; 29 int outindex = 0;
30 30
@@ -49,7 +49,7 @@ void check_output(int argc, char **argv) {
49 fprintf(stderr, "Error: invalid output file. Links, directories and files with \"..\" are not allowed.\n"); 49 fprintf(stderr, "Error: invalid output file. Links, directories and files with \"..\" are not allowed.\n");
50 exit(1); 50 exit(1);
51 } 51 }
52 52
53 struct stat s; 53 struct stat s;
54 if (stat(outfile, &s) == 0) { 54 if (stat(outfile, &s) == 0) {
55 // check permissions 55 // check permissions
@@ -57,7 +57,7 @@ void check_output(int argc, char **argv) {
57 fprintf(stderr, "Error: the output file needs to be owned by the current user.\n"); 57 fprintf(stderr, "Error: the output file needs to be owned by the current user.\n");
58 exit(1); 58 exit(1);
59 } 59 }
60 60
61 // check hard links 61 // check hard links
62 if (s.st_nlink != 1) { 62 if (s.st_nlink != 1) {
63 fprintf(stderr, "Error: no hard links allowed.\n"); 63 fprintf(stderr, "Error: no hard links allowed.\n");
@@ -71,11 +71,11 @@ void check_output(int argc, char **argv) {
71 len += strlen(argv[i]) + 1; // + ' ' 71 len += strlen(argv[i]) + 1; // + ' '
72 } 72 }
73 len += 100 + strlen(LIBDIR) + strlen(outfile); // tee command 73 len += 100 + strlen(LIBDIR) + strlen(outfile); // tee command
74 74
75 char *cmd = malloc(len + 1); // + '\0' 75 char *cmd = malloc(len + 1); // + '\0'
76 if (!cmd) 76 if (!cmd)
77 errExit("malloc"); 77 errExit("malloc");
78 78
79 char *ptr = cmd; 79 char *ptr = cmd;
80 for (i = 0; i < argc; i++) { 80 for (i = 0; i < argc; i++) {
81 if (strncmp(argv[i], "--output=", 9) == 0) 81 if (strncmp(argv[i], "--output=", 9) == 0)
@@ -91,7 +91,7 @@ void check_output(int argc, char **argv) {
91 a[2] = cmd; 91 a[2] = cmd;
92 a[3] = NULL; 92 a[3] = NULL;
93 93
94 execvp(a[0], a); 94 execvp(a[0], a);
95 95
96 perror("execvp"); 96 perror("execvp");
97 exit(1); 97 exit(1);
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index b834e6275..ef93368bf 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -35,27 +35,27 @@ void preproc_build_firejail_dir(void) {
35 if (stat(RUN_FIREJAIL_DIR, &s)) { 35 if (stat(RUN_FIREJAIL_DIR, &s)) {
36 create_empty_dir_as_root(RUN_FIREJAIL_DIR, 0755); 36 create_empty_dir_as_root(RUN_FIREJAIL_DIR, 0755);
37 } 37 }
38 38
39 if (stat(RUN_FIREJAIL_NETWORK_DIR, &s)) { 39 if (stat(RUN_FIREJAIL_NETWORK_DIR, &s)) {
40 create_empty_dir_as_root(RUN_FIREJAIL_NETWORK_DIR, 0755); 40 create_empty_dir_as_root(RUN_FIREJAIL_NETWORK_DIR, 0755);
41 } 41 }
42 42
43 if (stat(RUN_FIREJAIL_BANDWIDTH_DIR, &s)) { 43 if (stat(RUN_FIREJAIL_BANDWIDTH_DIR, &s)) {
44 create_empty_dir_as_root(RUN_FIREJAIL_BANDWIDTH_DIR, 0755); 44 create_empty_dir_as_root(RUN_FIREJAIL_BANDWIDTH_DIR, 0755);
45 } 45 }
46 46
47 if (stat(RUN_FIREJAIL_NAME_DIR, &s)) { 47 if (stat(RUN_FIREJAIL_NAME_DIR, &s)) {
48 create_empty_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755); 48 create_empty_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755);
49 } 49 }
50 50
51 if (stat(RUN_FIREJAIL_X11_DIR, &s)) { 51 if (stat(RUN_FIREJAIL_X11_DIR, &s)) {
52 create_empty_dir_as_root(RUN_FIREJAIL_X11_DIR, 0755); 52 create_empty_dir_as_root(RUN_FIREJAIL_X11_DIR, 0755);
53 } 53 }
54 54
55 if (stat(RUN_FIREJAIL_APPIMAGE_DIR, &s)) { 55 if (stat(RUN_FIREJAIL_APPIMAGE_DIR, &s)) {
56 create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755); 56 create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755);
57 } 57 }
58 58
59 if (stat(RUN_MNT_DIR, &s)) { 59 if (stat(RUN_MNT_DIR, &s)) {
60 create_empty_dir_as_root(RUN_MNT_DIR, 0755); 60 create_empty_dir_as_root(RUN_MNT_DIR, 0755);
61 } 61 }
@@ -74,7 +74,7 @@ void preproc_mount_mnt_dir(void) {
74 errExit("mounting /run/firejail/mnt"); 74 errExit("mounting /run/firejail/mnt");
75 tmpfs_mounted = 1; 75 tmpfs_mounted = 1;
76 fs_logger2("tmpfs", RUN_MNT_DIR); 76 fs_logger2("tmpfs", RUN_MNT_DIR);
77 77
78 //copy defaultl seccomp files 78 //copy defaultl seccomp files
79 copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644); // root needed 79 copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644); // root needed
80 copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644); // root needed 80 copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644); // root needed
@@ -82,7 +82,7 @@ void preproc_mount_mnt_dir(void) {
82 copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed 82 copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed
83 else 83 else
84 copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed 84 copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed
85 85
86 // as root, create an empty RUN_SECCOMP_PROTOCOL file 86 // as root, create an empty RUN_SECCOMP_PROTOCOL file
87 create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644); 87 create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644);
88 if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644)) 88 if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644))
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c
index 098c9fb16..9524d6617 100644
--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -34,7 +34,7 @@ void protocol_filter_save(void) {
34 34
35void protocol_filter_load(const char *fname) { 35void protocol_filter_load(const char *fname) {
36 assert(fname); 36 assert(fname);
37 37
38 // read protocol filter configuration from PROTOCOL_CFG 38 // read protocol filter configuration from PROTOCOL_CFG
39 FILE *fp = fopen(fname, "r"); 39 FILE *fp = fopen(fname, "r");
40 if (!fp) 40 if (!fp)
@@ -48,7 +48,7 @@ void protocol_filter_load(const char *fname) {
48 return; 48 return;
49 } 49 }
50 fclose(fp); 50 fclose(fp);
51 51
52 char *ptr = strchr(buf, '\n'); 52 char *ptr = strchr(buf, '\n');
53 if (ptr) 53 if (ptr)
54 *ptr = '\0'; 54 *ptr = '\0';
@@ -61,7 +61,7 @@ void protocol_filter_load(const char *fname) {
61// --protocol.print 61// --protocol.print
62void protocol_print_filter(pid_t pid) { 62void protocol_print_filter(pid_t pid) {
63 EUID_ASSERT(); 63 EUID_ASSERT();
64 64
65 (void) pid; 65 (void) pid;
66#ifdef SYS_socket 66#ifdef SYS_socket
67 // if the pid is that of a firejail process, use the pid of the first child process 67 // if the pid is that of a firejail process, use the pid of the first child process
@@ -109,7 +109,7 @@ void protocol_print_filter(pid_t pid) {
109#else 109#else
110 fwarning("--protocol not supported on this platform\n"); 110 fwarning("--protocol not supported on this platform\n");
111 return; 111 return;
112#endif 112#endif
113} 113}
114 114
115 115
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index ead5dd361..246ba8fd8 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -27,17 +27,17 @@
27static void disable_file(const char *path, const char *file) { 27static void disable_file(const char *path, const char *file) {
28 assert(file); 28 assert(file);
29 assert(path); 29 assert(path);
30 30
31 struct stat s; 31 struct stat s;
32 char *fname; 32 char *fname;
33 if (asprintf(&fname, "%s/%s", path, file) == -1) 33 if (asprintf(&fname, "%s/%s", path, file) == -1)
34 errExit("asprintf"); 34 errExit("asprintf");
35 if (stat(fname, &s) == -1) 35 if (stat(fname, &s) == -1)
36 goto doexit; 36 goto doexit;
37 37
38 if (arg_debug) 38 if (arg_debug)
39 printf("Disable%s\n", fname); 39 printf("Disable%s\n", fname);
40 40
41 if (S_ISDIR(s.st_mode)) { 41 if (S_ISDIR(s.st_mode)) {
42 if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0) 42 if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
43 errExit("disable file"); 43 errExit("disable file");
@@ -71,7 +71,7 @@ void pulseaudio_disable(void) {
71 errExit("asprintf"); 71 errExit("asprintf");
72 disable_file(path, "pulse/native"); 72 disable_file(path, "pulse/native");
73 free(path); 73 free(path);
74 74
75 75
76 76
77 // blacklist any pulse* file in /tmp directory 77 // blacklist any pulse* file in /tmp directory
@@ -99,11 +99,11 @@ void pulseaudio_disable(void) {
99// disable shm in pulseaudio 99// disable shm in pulseaudio
100void pulseaudio_init(void) { 100void pulseaudio_init(void) {
101 struct stat s; 101 struct stat s;
102 102
103 // do we have pulseaudio in the system? 103 // do we have pulseaudio in the system?
104 if (stat("/etc/pulse/client.conf", &s) == -1) 104 if (stat("/etc/pulse/client.conf", &s) == -1)
105 return; 105 return;
106 106
107 // create the new user pulseaudio directory 107 // create the new user pulseaudio directory
108 int rv = mkdir(RUN_PULSE_DIR, 0700); 108 int rv = mkdir(RUN_PULSE_DIR, 0700);
109 (void) rv; // in --chroot mode the directory can already be there 109 (void) rv; // in --chroot mode the directory can already be there
@@ -134,7 +134,7 @@ void pulseaudio_init(void) {
134 if (child == 0) { 134 if (child == 0) {
135 // drop privileges 135 // drop privileges
136 drop_privs(0); 136 drop_privs(0);
137 137
138 int rv = mkdir(dir1, 0755); 138 int rv = mkdir(dir1, 0755);
139 if (rv == 0) { 139 if (rv == 0) {
140 if (set_perms(dir1, getuid(), getgid(), 0755)) 140 if (set_perms(dir1, getuid(), getgid(), 0755))
@@ -156,7 +156,7 @@ void pulseaudio_init(void) {
156 } 156 }
157 } 157 }
158 free(dir1); 158 free(dir1);
159 159
160 if (asprintf(&dir1, "%s/.config/pulse", cfg.homedir) == -1) 160 if (asprintf(&dir1, "%s/.config/pulse", cfg.homedir) == -1)
161 errExit("asprintf"); 161 errExit("asprintf");
162 if (stat(dir1, &s) == -1) { 162 if (stat(dir1, &s) == -1) {
@@ -166,7 +166,7 @@ void pulseaudio_init(void) {
166 if (child == 0) { 166 if (child == 0) {
167 // drop privileges 167 // drop privileges
168 drop_privs(0); 168 drop_privs(0);
169 169
170 int rv = mkdir(dir1, 0700); 170 int rv = mkdir(dir1, 0700);
171 if (rv == 0) { 171 if (rv == 0) {
172 if (set_perms(dir1, getuid(), getgid(), 0700)) 172 if (set_perms(dir1, getuid(), getgid(), 0700))
@@ -188,8 +188,8 @@ void pulseaudio_init(void) {
188 } 188 }
189 } 189 }
190 free(dir1); 190 free(dir1);
191 191
192 192
193 // if we have ~/.config/pulse mount the new directory, else set environment variable 193 // if we have ~/.config/pulse mount the new directory, else set environment variable
194 char *homeusercfg; 194 char *homeusercfg;
195 if (asprintf(&homeusercfg, "%s/.config/pulse", cfg.homedir) == -1) 195 if (asprintf(&homeusercfg, "%s/.config/pulse", cfg.homedir) == -1)
@@ -204,7 +204,7 @@ void pulseaudio_init(void) {
204 if (setenv("PULSE_CLIENTCONFIG", pulsecfg, 1) < 0) 204 if (setenv("PULSE_CLIENTCONFIG", pulsecfg, 1) < 0)
205 errExit("setenv"); 205 errExit("setenv");
206 } 206 }
207 207
208 free(pulsecfg); 208 free(pulsecfg);
209 free(homeusercfg); 209 free(homeusercfg);
210} 210}
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c
index 086af48b0..87ee513af 100644
--- a/src/firejail/restrict_users.c
+++ b/src/firejail/restrict_users.c
@@ -56,23 +56,23 @@ static USER_LIST *ulist_find(const char *user) {
56 return ptr; 56 return ptr;
57 ptr = ptr->next; 57 ptr = ptr->next;
58 } 58 }
59 59
60 return NULL; 60 return NULL;
61} 61}
62 62
63static void sanitize_home(void) { 63static void sanitize_home(void) {
64 assert(getuid() != 0); // this code works only for regular users 64 assert(getuid() != 0); // this code works only for regular users
65 65
66 if (arg_debug) 66 if (arg_debug)
67 printf("Cleaning /home directory\n"); 67 printf("Cleaning /home directory\n");
68 68
69 struct stat s; 69 struct stat s;
70 if (stat(cfg.homedir, &s) == -1) { 70 if (stat(cfg.homedir, &s) == -1) {
71 // cannot find home directory, just return 71 // cannot find home directory, just return
72 fwarning("cannot find home directory\n"); 72 fwarning("cannot find home directory\n");
73 return; 73 return;
74 } 74 }
75 75
76 if (mkdir(RUN_WHITELIST_HOME_DIR, 0755) == -1) 76 if (mkdir(RUN_WHITELIST_HOME_DIR, 0755) == -1)
77 errExit("mkdir"); 77 errExit("mkdir");
78 78
@@ -93,7 +93,7 @@ static void sanitize_home(void) {
93 errExit("mkdir"); 93 errExit("mkdir");
94 } 94 }
95 fs_logger2("mkdir", cfg.homedir); 95 fs_logger2("mkdir", cfg.homedir);
96 96
97 // set mode and ownership 97 // set mode and ownership
98 if (set_perms(cfg.homedir, s.st_uid, s.st_gid, s.st_mode)) 98 if (set_perms(cfg.homedir, s.st_uid, s.st_gid, s.st_mode))
99 errExit("set_perms"); 99 errExit("set_perms");
@@ -108,7 +108,7 @@ static void sanitize_home(void) {
108 fs_logger2("tmpfs", RUN_WHITELIST_HOME_DIR); 108 fs_logger2("tmpfs", RUN_WHITELIST_HOME_DIR);
109 if (!arg_private) 109 if (!arg_private)
110 fs_logger2("whitelist", cfg.homedir); 110 fs_logger2("whitelist", cfg.homedir);
111 111
112} 112}
113 113
114static void sanitize_passwd(void) { 114static void sanitize_passwd(void) {
@@ -133,7 +133,7 @@ static void sanitize_passwd(void) {
133 fpout = fopen(RUN_PASSWD_FILE, "w"); 133 fpout = fopen(RUN_PASSWD_FILE, "w");
134 if (!fpout) 134 if (!fpout)
135 goto errout; 135 goto errout;
136 136
137 // read the file line by line 137 // read the file line by line
138 char buf[MAXBUF]; 138 char buf[MAXBUF];
139 uid_t myuid = getuid(); 139 uid_t myuid = getuid();
@@ -141,12 +141,12 @@ static void sanitize_passwd(void) {
141 // comments and empty lines 141 // comments and empty lines
142 if (*buf == '\0' || *buf == '#') 142 if (*buf == '\0' || *buf == '#')
143 continue; 143 continue;
144 144
145 // sample line: 145 // sample line:
146 // www-data:x:33:33:www-data:/var/www:/bin/sh 146 // www-data:x:33:33:www-data:/var/www:/bin/sh
147 // drop lines with uid > 1000 and not the current user 147 // drop lines with uid > 1000 and not the current user
148 char *ptr = buf; 148 char *ptr = buf;
149 149
150 // advance to uid 150 // advance to uid
151 while (*ptr != ':' && *ptr != '\0') 151 while (*ptr != ':' && *ptr != '\0')
152 ptr++; 152 ptr++;
@@ -190,9 +190,9 @@ static void sanitize_passwd(void) {
190 if (mount(RUN_PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0) 190 if (mount(RUN_PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0)
191 errExit("mount"); 191 errExit("mount");
192 fs_logger("create /etc/passwd"); 192 fs_logger("create /etc/passwd");
193 193
194 return; 194 return;
195 195
196errout: 196errout:
197 fwarning("failed to clean up /etc/passwd\n"); 197 fwarning("failed to clean up /etc/passwd\n");
198 if (fpin) 198 if (fpin)
@@ -206,7 +206,7 @@ static int copy_line(FILE *fpout, char *buf, char *ptr) {
206 // fpout: GROUP_FILE 206 // fpout: GROUP_FILE
207 // buf: pulse:x:115:netblue,bingo 207 // buf: pulse:x:115:netblue,bingo
208 // ptr: 115:neblue,bingo 208 // ptr: 115:neblue,bingo
209 209
210 while (*ptr != ':' && *ptr != '\0') 210 while (*ptr != ':' && *ptr != '\0')
211 ptr++; 211 ptr++;
212 if (*ptr == '\0') 212 if (*ptr == '\0')
@@ -217,7 +217,7 @@ static int copy_line(FILE *fpout, char *buf, char *ptr) {
217 fprintf(fpout, "%s", buf); 217 fprintf(fpout, "%s", buf);
218 return 0; 218 return 0;
219 } 219 }
220 220
221 // print what we have so far 221 // print what we have so far
222 char tmp = *ptr; 222 char tmp = *ptr;
223 *ptr = '\0'; 223 *ptr = '\0';
@@ -266,7 +266,7 @@ static void sanitize_group(void) {
266 fpout = fopen(RUN_GROUP_FILE, "w"); 266 fpout = fopen(RUN_GROUP_FILE, "w");
267 if (!fpout) 267 if (!fpout)
268 goto errout; 268 goto errout;
269 269
270 // read the file line by line 270 // read the file line by line
271 char buf[MAXBUF]; 271 char buf[MAXBUF];
272 gid_t mygid = getgid(); 272 gid_t mygid = getgid();
@@ -274,12 +274,12 @@ static void sanitize_group(void) {
274 // comments and empty lines 274 // comments and empty lines
275 if (*buf == '\0' || *buf == '#') 275 if (*buf == '\0' || *buf == '#')
276 continue; 276 continue;
277 277
278 // sample line: 278 // sample line:
279 // pulse:x:115:netblue,bingo 279 // pulse:x:115:netblue,bingo
280 // drop lines with uid > 1000 and not the current user group 280 // drop lines with uid > 1000 and not the current user group
281 char *ptr = buf; 281 char *ptr = buf;
282 282
283 // advance to uid 283 // advance to uid
284 while (*ptr != ':' && *ptr != '\0') 284 while (*ptr != ':' && *ptr != '\0')
285 ptr++; 285 ptr++;
@@ -318,9 +318,9 @@ static void sanitize_group(void) {
318 if (mount(RUN_GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0) 318 if (mount(RUN_GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0)
319 errExit("mount"); 319 errExit("mount");
320 fs_logger("create /etc/group"); 320 fs_logger("create /etc/group");
321 321
322 return; 322 return;
323 323
324errout: 324errout:
325 fwarning("failed to clean up /etc/group\n"); 325 fwarning("failed to clean up /etc/group\n");
326 if (fpin) 326 if (fpin)
@@ -332,7 +332,7 @@ errout:
332void restrict_users(void) { 332void restrict_users(void) {
333 if (arg_allusers) 333 if (arg_allusers)
334 return; 334 return;
335 335
336 // only in user mode 336 // only in user mode
337 if (getuid()) { 337 if (getuid()) {
338 if (strncmp(cfg.homedir, "/home/", 6) == 0) { 338 if (strncmp(cfg.homedir, "/home/", 6) == 0) {
diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c
index 9919c4656..d09a2c7e5 100644
--- a/src/firejail/restricted_shell.c
+++ b/src/firejail/restricted_shell.c
@@ -44,7 +44,7 @@ int restricted_shell(const char *user) {
44 44
45 // remove empty spaces at the beginning of the line 45 // remove empty spaces at the beginning of the line
46 char *ptr = buf; 46 char *ptr = buf;
47 while (*ptr == ' ' || *ptr == '\t') { 47 while (*ptr == ' ' || *ptr == '\t') {
48 ptr++; 48 ptr++;
49 } 49 }
50 if (*ptr == '\n' || *ptr == '#') 50 if (*ptr == '\n' || *ptr == '#')
@@ -53,7 +53,7 @@ int restricted_shell(const char *user) {
53 // 53 //
54 // parse line 54 // parse line
55 // 55 //
56 56
57 // extract users 57 // extract users
58 char *usr = ptr; 58 char *usr = ptr;
59 char *args = strchr(usr, ':'); 59 char *args = strchr(usr, ':');
@@ -61,13 +61,13 @@ int restricted_shell(const char *user) {
61 fprintf(stderr, "Error: users.conf line %d\n", lineno); 61 fprintf(stderr, "Error: users.conf line %d\n", lineno);
62 exit(1); 62 exit(1);
63 } 63 }
64 64
65 *args = '\0'; 65 *args = '\0';
66 args++; 66 args++;
67 ptr = strchr(args, '\n'); 67 ptr = strchr(args, '\n');
68 if (ptr) 68 if (ptr)
69 *ptr = '\0'; 69 *ptr = '\0';
70 70
71 // extract firejail command line arguments 71 // extract firejail command line arguments
72 char *ptr2 = args; 72 char *ptr2 = args;
73 int found = 0; 73 int found = 0;
@@ -81,7 +81,7 @@ int restricted_shell(const char *user) {
81 // if nothing follows, continue 81 // if nothing follows, continue
82 if (!found) 82 if (!found)
83 continue; 83 continue;
84 84
85 // user name globbing 85 // user name globbing
86 if (fnmatch(usr, user, 0) == 0) { 86 if (fnmatch(usr, user, 0) == 0) {
87 // process program arguments 87 // process program arguments
@@ -102,8 +102,8 @@ int restricted_shell(const char *user) {
102 fclose(fp); 102 fclose(fp);
103 } 103 }
104 EUID_USER();} 104 EUID_USER();}
105#endif 105#endif
106 106
107 if (*ptr != '\0') { 107 if (*ptr != '\0') {
108 // go to the end of the word 108 // go to the end of the word
109 while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0') 109 while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0')
@@ -128,6 +128,5 @@ int restricted_shell(const char *user) {
128 } 128 }
129 fclose(fp); 129 fclose(fp);
130 130
131 return 0; 131 return 0;
132} 132}
133
diff --git a/src/firejail/rlimit.c b/src/firejail/rlimit.c
index bf63bae38..99127673e 100644
--- a/src/firejail/rlimit.c
+++ b/src/firejail/rlimit.c
@@ -47,7 +47,7 @@ void set_rlimits(void) {
47 if (arg_debug) 47 if (arg_debug)
48 printf("Config rlimit: number of processes %llu\n", cfg.rlimit_nproc); 48 printf("Config rlimit: number of processes %llu\n", cfg.rlimit_nproc);
49 } 49 }
50 50
51 if (arg_rlimit_fsize) { 51 if (arg_rlimit_fsize) {
52 rl.rlim_cur = (rlim_t) cfg.rlimit_fsize; 52 rl.rlim_cur = (rlim_t) cfg.rlimit_fsize;
53 rl.rlim_max = (rlim_t) cfg.rlimit_fsize; 53 rl.rlim_max = (rlim_t) cfg.rlimit_fsize;
@@ -59,7 +59,7 @@ void set_rlimits(void) {
59 if (arg_debug) 59 if (arg_debug)
60 printf("Config rlimit: maximum file size %llu\n", cfg.rlimit_fsize); 60 printf("Config rlimit: maximum file size %llu\n", cfg.rlimit_fsize);
61 } 61 }
62 62
63 if (arg_rlimit_sigpending) { 63 if (arg_rlimit_sigpending) {
64 rl.rlim_cur = (rlim_t) cfg.rlimit_sigpending; 64 rl.rlim_cur = (rlim_t) cfg.rlimit_sigpending;
65 rl.rlim_max = (rlim_t) cfg.rlimit_sigpending; 65 rl.rlim_max = (rlim_t) cfg.rlimit_sigpending;
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c
index 57f04485b..a9298a33f 100644
--- a/src/firejail/run_symlink.c
+++ b/src/firejail/run_symlink.c
@@ -24,7 +24,7 @@
24 24
25void run_symlink(int argc, char **argv) { 25void run_symlink(int argc, char **argv) {
26 EUID_ASSERT(); 26 EUID_ASSERT();
27 27
28 char *program = strrchr(argv[0], '/'); 28 char *program = strrchr(argv[0], '/');
29 if (program) 29 if (program)
30 program += 1; 30 program += 1;
@@ -40,7 +40,7 @@ void run_symlink(int argc, char **argv) {
40 fprintf(stderr, "Error: PATH environment variable not set\n"); 40 fprintf(stderr, "Error: PATH environment variable not set\n");
41 exit(1); 41 exit(1);
42 } 42 }
43 43
44 char *path = strdup(p); 44 char *path = strdup(p);
45 if (!path) 45 if (!path)
46 errExit("strdup"); 46 errExit("strdup");
@@ -105,8 +105,8 @@ void run_symlink(int argc, char **argv) {
105 a[i + 2] = argv[i + 1]; 105 a[i + 2] = argv[i + 1];
106 } 106 }
107 a[i + 2] = NULL; 107 a[i + 2] = NULL;
108 assert(getenv("LD_PRELOAD") == NULL); 108 assert(getenv("LD_PRELOAD") == NULL);
109 execvp(a[0], a); 109 execvp(a[0], a);
110 110
111 perror("execvp"); 111 perror("execvp");
112 exit(1); 112 exit(1);
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index 9640ef9ed..6cd58d78e 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -39,28 +39,28 @@ static struct sock_filter filter[] = {
39#endif 39#endif
40 40
41 // syscall list 41 // syscall list
42#ifdef SYS_mount 42#ifdef SYS_mount
43 BLACKLIST(SYS_mount), // mount/unmount filesystems 43 BLACKLIST(SYS_mount), // mount/unmount filesystems
44#endif 44#endif
45#ifdef SYS_umount2 45#ifdef SYS_umount2
46 BLACKLIST(SYS_umount2), 46 BLACKLIST(SYS_umount2),
47#endif 47#endif
48#ifdef SYS_ptrace 48#ifdef SYS_ptrace
49 BLACKLIST(SYS_ptrace), // trace processes 49 BLACKLIST(SYS_ptrace), // trace processes
50#endif 50#endif
51#ifdef SYS_kexec_file_load 51#ifdef SYS_kexec_file_load
52 BLACKLIST(SYS_kexec_file_load), 52 BLACKLIST(SYS_kexec_file_load),
53#endif 53#endif
54#ifdef SYS_kexec_load 54#ifdef SYS_kexec_load
55 BLACKLIST(SYS_kexec_load), // loading a different kernel 55 BLACKLIST(SYS_kexec_load), // loading a different kernel
56#endif 56#endif
57#ifdef SYS_name_to_handle_at 57#ifdef SYS_name_to_handle_at
58 BLACKLIST(SYS_name_to_handle_at), 58 BLACKLIST(SYS_name_to_handle_at),
59#endif 59#endif
60#ifdef SYS_open_by_handle_at 60#ifdef SYS_open_by_handle_at
61 BLACKLIST(SYS_open_by_handle_at), // open by handle 61 BLACKLIST(SYS_open_by_handle_at), // open by handle
62#endif 62#endif
63#ifdef SYS_init_module 63#ifdef SYS_init_module
64 BLACKLIST(SYS_init_module), // kernel module handling 64 BLACKLIST(SYS_init_module), // kernel module handling
65#endif 65#endif
66#ifdef SYS_finit_module // introduced in 2013 66#ifdef SYS_finit_module // introduced in 2013
@@ -69,31 +69,31 @@ static struct sock_filter filter[] = {
69#ifdef SYS_create_module 69#ifdef SYS_create_module
70 BLACKLIST(SYS_create_module), 70 BLACKLIST(SYS_create_module),
71#endif 71#endif
72#ifdef SYS_delete_module 72#ifdef SYS_delete_module
73 BLACKLIST(SYS_delete_module), 73 BLACKLIST(SYS_delete_module),
74#endif 74#endif
75#ifdef SYS_iopl 75#ifdef SYS_iopl
76 BLACKLIST(SYS_iopl), // io permissions 76 BLACKLIST(SYS_iopl), // io permissions
77#endif 77#endif
78#ifdef SYS_ioperm 78#ifdef SYS_ioperm
79 BLACKLIST(SYS_ioperm), 79 BLACKLIST(SYS_ioperm),
80#endif 80#endif
81#ifdef SYS_iopl 81#ifdef SYS_iopl
82 BLACKLIST(SYS_iopl), // io permissions 82 BLACKLIST(SYS_iopl), // io permissions
83#endif 83#endif
84#ifdef SYS_ioprio_set 84#ifdef SYS_ioprio_set
85 BLACKLIST(SYS_ioprio_set), 85 BLACKLIST(SYS_ioprio_set),
86#endif 86#endif
87#ifdef SYS_ni_syscall // new io permissions call on arm devices 87#ifdef SYS_ni_syscall // new io permissions call on arm devices
88 BLACKLIST(SYS_ni_syscall), 88 BLACKLIST(SYS_ni_syscall),
89#endif 89#endif
90#ifdef SYS_swapon 90#ifdef SYS_swapon
91 BLACKLIST(SYS_swapon), // swap on/off 91 BLACKLIST(SYS_swapon), // swap on/off
92#endif 92#endif
93#ifdef SYS_swapoff 93#ifdef SYS_swapoff
94 BLACKLIST(SYS_swapoff), 94 BLACKLIST(SYS_swapoff),
95#endif 95#endif
96#ifdef SYS_syslog 96#ifdef SYS_syslog
97 BLACKLIST(SYS_syslog), // kernel printk control 97 BLACKLIST(SYS_syslog), // kernel printk control
98#endif 98#endif
99 RETURN_ALLOW 99 RETURN_ALLOW
@@ -113,7 +113,7 @@ typedef struct sbox_config {
113 113
114int sbox_run(unsigned filter, int num, ...) { 114int sbox_run(unsigned filter, int num, ...) {
115 EUID_ROOT(); 115 EUID_ROOT();
116 116
117 int i; 117 int i;
118 va_list valist; 118 va_list valist;
119 va_start(valist, num); 119 va_start(valist, num);
@@ -124,7 +124,7 @@ int sbox_run(unsigned filter, int num, ...) {
124 arg[i] = va_arg(valist, char*); 124 arg[i] = va_arg(valist, char*);
125 arg[i] = NULL; 125 arg[i] = NULL;
126 va_end(valist); 126 va_end(valist);
127 127
128 if (arg_debug) { 128 if (arg_debug) {
129 printf("sbox run: "); 129 printf("sbox run: ");
130 for (i = 0; i <= num; i++) 130 for (i = 0; i <= num; i++)
@@ -138,7 +138,7 @@ int sbox_run(unsigned filter, int num, ...) {
138 if (child == 0) { 138 if (child == 0) {
139 // clean the new process 139 // clean the new process
140 clearenv(); 140 clearenv();
141 141
142 if (filter & SBOX_STDIN_FROM_FILE) { 142 if (filter & SBOX_STDIN_FROM_FILE) {
143 int fd; 143 int fd;
144 if((fd = open(SBOX_STDIN_FILE, O_RDONLY)) == -1) { 144 if((fd = open(SBOX_STDIN_FILE, O_RDONLY)) == -1) {
@@ -154,7 +154,7 @@ int sbox_run(unsigned filter, int num, ...) {
154 else // the user could run the sandbox without /dev/null 154 else // the user could run the sandbox without /dev/null
155 close(STDIN_FILENO); 155 close(STDIN_FILENO);
156 } 156 }
157 157
158 // close all other file descriptors 158 // close all other file descriptors
159 int max = 20; // getdtablesize() is overkill for a firejail process 159 int max = 20; // getdtablesize() is overkill for a firejail process
160 for (i = 3; i < max; i++) 160 for (i = 3; i < max; i++)
@@ -163,10 +163,10 @@ int sbox_run(unsigned filter, int num, ...) {
163 if (arg_debug) { 163 if (arg_debug) {
164 printf("sbox file descriptors:\n"); 164 printf("sbox file descriptors:\n");
165 int rv = system("ls -l /proc/self/fd"); 165 int rv = system("ls -l /proc/self/fd");
166 (void) rv; 166 (void) rv;
167 } 167 }
168 168
169 umask(027); 169 umask(027);
170 170
171 // apply filters 171 // apply filters
172 if (filter & SBOX_CAPS_NONE) { 172 if (filter & SBOX_CAPS_NONE) {
@@ -178,7 +178,7 @@ int sbox_run(unsigned filter, int num, ...) {
178 set |= ((uint64_t) 1) << CAP_NET_RAW; 178 set |= ((uint64_t) 1) << CAP_NET_RAW;
179 caps_set(set); 179 caps_set(set);
180#endif 180#endif
181 } 181 }
182 182
183 if (filter & SBOX_SECCOMP) { 183 if (filter & SBOX_SECCOMP) {
184 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { 184 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
@@ -200,11 +200,11 @@ int sbox_run(unsigned filter, int num, ...) {
200 drop_privs(1); 200 drop_privs(1);
201 201
202 clearenv(); 202 clearenv();
203 203
204 // --quiet is passed as an environment variable 204 // --quiet is passed as an environment variable
205 if (arg_quiet) 205 if (arg_quiet)
206 setenv("FIREJAIL_QUIET", "yes", 1); 206 setenv("FIREJAIL_QUIET", "yes", 1);
207 207
208 if (arg[0]) // get rid of scan-build warning 208 if (arg[0]) // get rid of scan-build warning
209 execvp(arg[0], arg); 209 execvp(arg[0], arg);
210 else 210 else
@@ -221,6 +221,6 @@ int sbox_run(unsigned filter, int num, ...) {
221 fprintf(stderr, "Error: failed to run %s\n", arg[0]); 221 fprintf(stderr, "Error: failed to run %s\n", arg[0]);
222 exit(1); 222 exit(1);
223 } 223 }
224 224
225 return status; 225 return status;
226} 226}
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 4ede003e3..72a5874f8 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -30,13 +30,13 @@ char *seccomp_check_list(const char *str) {
30 fprintf(stderr, "Error: empty syscall lists are not allowed\n"); 30 fprintf(stderr, "Error: empty syscall lists are not allowed\n");
31 exit(1); 31 exit(1);
32 } 32 }
33 33
34 int len = strlen(str) + 1; 34 int len = strlen(str) + 1;
35 char *rv = malloc(len); 35 char *rv = malloc(len);
36 if (!rv) 36 if (!rv)
37 errExit("malloc"); 37 errExit("malloc");
38 memset(rv, 0, len); 38 memset(rv, 0, len);
39 39
40 const char *ptr1 = str; 40 const char *ptr1 = str;
41 char *ptr2 = rv; 41 char *ptr2 = rv;
42 while (*ptr1 != '\0') { 42 while (*ptr1 != '\0') {
@@ -47,14 +47,14 @@ char *seccomp_check_list(const char *str) {
47 exit(1); 47 exit(1);
48 } 48 }
49 } 49 }
50 50
51 return rv; 51 return rv;
52} 52}
53 53
54 54
55int seccomp_load(const char *fname) { 55int seccomp_load(const char *fname) {
56 assert(fname); 56 assert(fname);
57 57
58 // open filter file 58 // open filter file
59 int fd = open(fname, O_RDONLY); 59 int fd = open(fname, O_RDONLY);
60 if (fd == -1) 60 if (fd == -1)
@@ -82,7 +82,7 @@ int seccomp_load(const char *fname) {
82 goto errexit; 82 goto errexit;
83 rd += rv; 83 rd += rv;
84 } 84 }
85 85
86 // close file 86 // close file
87 close(fd); 87 close(fd);
88 88
@@ -97,9 +97,9 @@ int seccomp_load(const char *fname) {
97 err_printed = 1; 97 err_printed = 1;
98 return 1; 98 return 1;
99 } 99 }
100 100
101 return 0; 101 return 0;
102 102
103errexit: 103errexit:
104 fprintf(stderr, "Error: cannot read %s\n", fname); 104 fprintf(stderr, "Error: cannot read %s\n", fname);
105 exit(1); 105 exit(1);
@@ -142,7 +142,7 @@ int seccomp_filter_drop(int enforce_seccomp) {
142#endif 142#endif
143 if (arg_debug) 143 if (arg_debug)
144 printf("Build default+drop seccomp filter\n"); 144 printf("Build default+drop seccomp filter\n");
145 145
146 // build the seccomp filter as a regular user 146 // build the seccomp filter as a regular user
147 int rv; 147 int rv;
148 if (arg_allow_debuggers) 148 if (arg_allow_debuggers)
@@ -154,7 +154,7 @@ int seccomp_filter_drop(int enforce_seccomp) {
154 if (rv) 154 if (rv)
155 exit(rv); 155 exit(rv);
156 } 156 }
157 157
158 // drop list without defaults - secondary filters are not installed 158 // drop list without defaults - secondary filters are not installed
159 else if (cfg.seccomp_list == NULL && cfg.seccomp_list_drop) { 159 else if (cfg.seccomp_list == NULL && cfg.seccomp_list_drop) {
160 if (arg_debug) 160 if (arg_debug)
@@ -175,7 +175,7 @@ int seccomp_filter_drop(int enforce_seccomp) {
175 else { 175 else {
176 assert(0); 176 assert(0);
177 } 177 }
178 178
179 // load the filter 179 // load the filter
180 if (seccomp_load(RUN_SECCOMP_CFG) == 0) { 180 if (seccomp_load(RUN_SECCOMP_CFG) == 0) {
181 if (arg_debug) 181 if (arg_debug)
@@ -185,7 +185,7 @@ int seccomp_filter_drop(int enforce_seccomp) {
185 fprintf(stderr, "Error: a seccomp-enabled Linux kernel is required, exiting...\n"); 185 fprintf(stderr, "Error: a seccomp-enabled Linux kernel is required, exiting...\n");
186 exit(1); 186 exit(1);
187 } 187 }
188 188
189 if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0) 189 if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0)
190 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, 190 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3,
191 PATH_FSECCOMP, "print", RUN_SECCOMP_CFG); 191 PATH_FSECCOMP, "print", RUN_SECCOMP_CFG);
@@ -197,14 +197,14 @@ int seccomp_filter_drop(int enforce_seccomp) {
197int seccomp_filter_keep(void) { 197int seccomp_filter_keep(void) {
198 if (arg_debug) 198 if (arg_debug)
199 printf("Build drop seccomp filter\n"); 199 printf("Build drop seccomp filter\n");
200 200
201 // build the seccomp filter as a regular user 201 // build the seccomp filter as a regular user
202 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4, 202 sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4,
203 PATH_FSECCOMP, "keep", RUN_SECCOMP_CFG, cfg.seccomp_list_keep); 203 PATH_FSECCOMP, "keep", RUN_SECCOMP_CFG, cfg.seccomp_list_keep);
204 if (arg_debug) 204 if (arg_debug)
205 printf("seccomp filter configured\n"); 205 printf("seccomp filter configured\n");
206 206
207 207
208 return seccomp_load(RUN_SECCOMP_CFG); 208 return seccomp_load(RUN_SECCOMP_CFG);
209} 209}
210 210
@@ -255,4 +255,3 @@ void seccomp_print_filter(pid_t pid) {
255} 255}
256 256
257#endif // HAVE_SECCOMP 257#endif // HAVE_SECCOMP
258
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c
index 3c150738b..f187960d5 100644
--- a/src/firejail/shutdown.c
+++ b/src/firejail/shutdown.c
@@ -25,7 +25,7 @@
25 25
26void shut(pid_t pid) { 26void shut(pid_t pid) {
27 EUID_ASSERT(); 27 EUID_ASSERT();
28 28
29 pid_t parent = pid; 29 pid_t parent = pid;
30 // if the pid is that of a firejail process, use the pid of a child process inside the sandbox 30 // if the pid is that of a firejail process, use the pid of a child process inside the sandbox
31 EUID_ROOT(); 31 EUID_ROOT();
@@ -57,11 +57,11 @@ void shut(pid_t pid) {
57 exit(1); 57 exit(1);
58 } 58 }
59 } 59 }
60 60
61 EUID_ROOT(); 61 EUID_ROOT();
62 printf("Sending SIGTERM to %u\n", pid); 62 printf("Sending SIGTERM to %u\n", pid);
63 kill(pid, SIGTERM); 63 kill(pid, SIGTERM);
64 64
65 // wait for not more than 10 seconds 65 // wait for not more than 10 seconds
66 sleep(2); 66 sleep(2);
67 int monsec = 8; 67 int monsec = 8;
@@ -76,7 +76,7 @@ void shut(pid_t pid) {
76 killdone = 1; 76 killdone = 1;
77 break; 77 break;
78 } 78 }
79 79
80 char c; 80 char c;
81 size_t count = fread(&c, 1, 1, fp); 81 size_t count = fread(&c, 1, 1, fp);
82 fclose(fp); 82 fclose(fp);
@@ -102,6 +102,6 @@ void shut(pid_t pid) {
102 kill(parent, SIGKILL); 102 kill(parent, SIGKILL);
103 } 103 }
104 } 104 }
105 105
106 clear_run_files(parent); 106 clear_run_files(parent);
107} 107}
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 54f83dccf..acbc19234 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -118,7 +118,7 @@ int mkpath_as_root(const char* path) {
118void fwarning(char* fmt, ...) { 118void fwarning(char* fmt, ...) {
119 if (arg_quiet) 119 if (arg_quiet)
120 return; 120 return;
121 121
122 va_list args; 122 va_list args;
123 va_start(args,fmt); 123 va_start(args,fmt);
124 fprintf(stderr, "Warning: "); 124 fprintf(stderr, "Warning: ");
@@ -786,7 +786,7 @@ static int remove_callback(const char *fpath, const struct stat *sb, int typefla
786 (void) sb; 786 (void) sb;
787 (void) typeflag; 787 (void) typeflag;
788 (void) ftwbuf; 788 (void) ftwbuf;
789 789
790 int rv = remove(fpath); 790 int rv = remove(fpath);
791 if (rv) 791 if (rv)
792 perror(fpath); 792 perror(fpath);
@@ -816,7 +816,7 @@ void create_empty_dir_as_root(const char *dir, mode_t mode) {
816 assert(dir); 816 assert(dir);
817 mode &= 07777; 817 mode &= 07777;
818 struct stat s; 818 struct stat s;
819 819
820 if (stat(dir, &s)) { 820 if (stat(dir, &s)) {
821 if (arg_debug) 821 if (arg_debug)
822 printf("Creating empty %s directory\n", dir); 822 printf("Creating empty %s directory\n", dir);
@@ -862,7 +862,7 @@ int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode) {
862void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) { 862void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) {
863 assert(fname); 863 assert(fname);
864 mode &= 07777; 864 mode &= 07777;
865#if 0 865#if 0
866 printf("fname %s, uid %d, gid %d, mode %x - ", fname, uid, gid, (unsigned) mode); 866 printf("fname %s, uid %d, gid %d, mode %x - ", fname, uid, gid, (unsigned) mode);
867 if (S_ISLNK(mode)) 867 if (S_ISLNK(mode))
868 printf("l"); 868 printf("l");
@@ -886,7 +886,7 @@ void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) {
886 printf( (mode & S_IWOTH) ? "w" : "-"); 886 printf( (mode & S_IWOTH) ? "w" : "-");
887 printf( (mode & S_IXOTH) ? "x" : "-"); 887 printf( (mode & S_IXOTH) ? "x" : "-");
888 printf("\n"); 888 printf("\n");
889#endif 889#endif
890 if (mkdir(fname, mode) == -1 || 890 if (mkdir(fname, mode) == -1 ||
891 chmod(fname, mode) == -1 || 891 chmod(fname, mode) == -1 ||
892 chown(fname, uid, gid)) { 892 chown(fname, uid, gid)) {
@@ -899,7 +899,7 @@ void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) {
899 899
900char *read_text_file_or_exit(const char *fname) { 900char *read_text_file_or_exit(const char *fname) {
901 assert(fname); 901 assert(fname);
902 902
903 // open file 903 // open file
904 int fd = open(fname, O_RDONLY); 904 int fd = open(fname, O_RDONLY);
905 if (fd == -1) { 905 if (fd == -1) {
@@ -912,7 +912,7 @@ char *read_text_file_or_exit(const char *fname) {
912 goto errexit; 912 goto errexit;
913 if (lseek(fd, 0 , SEEK_SET) == -1) 913 if (lseek(fd, 0 , SEEK_SET) == -1)
914 goto errexit; 914 goto errexit;
915 915
916 // allocate memory 916 // allocate memory
917 char *data = malloc(size + 1); // + '\0' 917 char *data = malloc(size + 1); // + '\0'
918 if (data == NULL) 918 if (data == NULL)
@@ -928,11 +928,11 @@ char *read_text_file_or_exit(const char *fname) {
928 } 928 }
929 rd += rv; 929 rd += rv;
930 } 930 }
931 931
932 // close file 932 // close file
933 close(fd); 933 close(fd);
934 return data; 934 return data;
935 935
936errexit: 936errexit:
937 close(fd); 937 close(fd);
938 fprintf(stderr, "Error: cannot read %s\n", fname); 938 fprintf(stderr, "Error: cannot read %s\n", fname);
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index f1d45adef..5ce156603 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -639,7 +639,7 @@ void x11_start_xpra(int argc, char **argv) {
639 639
640 // build the start command 640 // build the start command
641 char *server_argv[256] = { // rest initialyzed to NULL 641 char *server_argv[256] = { // rest initialyzed to NULL
642 "xpra", "start", display_str, "--no-daemon", 642 "xpra", "start", display_str, "--no-daemon",
643 }; 643 };
644 unsigned pos = 0; 644 unsigned pos = 0;
645 while (server_argv[pos] != NULL) pos++; 645 while (server_argv[pos] != NULL) pos++;
@@ -696,7 +696,7 @@ void x11_start_xpra(int argc, char **argv) {
696 // no overrun 696 // no overrun
697 assert(pos < (sizeof(server_argv)/sizeof(*server_argv))); 697 assert(pos < (sizeof(server_argv)/sizeof(*server_argv)));
698 assert(server_argv[pos-1] == NULL); // last element is null 698 assert(server_argv[pos-1] == NULL); // last element is null
699 699
700 if (arg_debug) { 700 if (arg_debug) {
701 size_t i = 0; 701 size_t i = 0;
702 printf("\n*** Starting xpra server: "); 702 printf("\n*** Starting xpra server: ");
@@ -820,7 +820,7 @@ void x11_start_xpra(int argc, char **argv) {
820 printf("Xpra server pid %d, xpra client pid %d, jail %d\n", server, client, jail); 820 printf("Xpra server pid %d, xpra client pid %d, jail %d\n", server, client, jail);
821 821
822 sleep(1); // adding a delay in order to let the server start 822 sleep(1); // adding a delay in order to let the server start
823 823
824 // wait for jail or server to end 824 // wait for jail or server to end
825 while (1) { 825 while (1) {
826 pid_t pid = wait(NULL); 826 pid_t pid = wait(NULL);
diff --git a/src/firemon/Makefile.in b/src/firemon/Makefile.in
index efc48b212..a7a97cf5a 100644
--- a/src/firemon/Makefile.in
+++ b/src/firemon/Makefile.in
@@ -12,7 +12,7 @@ C_FILE_LIST = $(sort $(wildcard *.c))
12OBJS = $(C_FILE_LIST:.c=.o) 12OBJS = $(C_FILE_LIST:.c=.o)
13BINOBJS = $(foreach file, $(OBJS), $file) 13BINOBJS = $(foreach file, $(OBJS), $file)
14CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security 14CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
15LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now 15LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
16HAVE_GCOV=@HAVE_GCOV@ 16HAVE_GCOV=@HAVE_GCOV@
17EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ 17EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
18 18
@@ -27,4 +27,3 @@ clean:; rm -f *.o firemon *.gcov *.gcda *.gcno
27 27
28distclean: clean 28distclean: clean
29 rm -fr Makefile 29 rm -fr Makefile
30
diff --git a/src/firemon/arp.c b/src/firemon/arp.c
index d30983e4a..51a699273 100644
--- a/src/firemon/arp.c
+++ b/src/firemon/arp.c
@@ -24,7 +24,7 @@ static void print_arp(const char *fname) {
24 FILE *fp = fopen(fname, "r"); 24 FILE *fp = fopen(fname, "r");
25 if (!fp) 25 if (!fp)
26 return; 26 return;
27 27
28 printf(" ARP Table:\n"); 28 printf(" ARP Table:\n");
29 char buf[MAXBUF]; 29 char buf[MAXBUF];
30 while (fgets(buf, MAXBUF, fp)) { 30 while (fgets(buf, MAXBUF, fp)) {
@@ -54,7 +54,7 @@ static void print_arp(const char *fname) {
54 int rv = sscanf(start, "%s %s %s %s %s %s\n", ip, type, flags, mac, mask, device); 54 int rv = sscanf(start, "%s %s %s %s %s %s\n", ip, type, flags, mac, mask, device);
55 if (rv != 6) 55 if (rv != 6)
56 continue; 56 continue;
57 57
58 // destination ip 58 // destination ip
59 unsigned a, b, c, d; 59 unsigned a, b, c, d;
60 if (sscanf(ip, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 || a > 255 || b > 255 || c > 255 || d > 255) 60 if (sscanf(ip, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 || a > 255 || b > 255 || c > 255 || d > 255)
@@ -67,14 +67,14 @@ static void print_arp(const char *fname) {
67 printf(" %d.%d.%d.%d dev %s lladdr %s REACHABLE\n", 67 printf(" %d.%d.%d.%d dev %s lladdr %s REACHABLE\n",
68 PRINT_IP(destip), device, mac); 68 PRINT_IP(destip), device, mac);
69 } 69 }
70 70
71 fclose(fp); 71 fclose(fp);
72 72
73} 73}
74 74
75void arp(pid_t pid, int print_procs) { 75void arp(pid_t pid, int print_procs) {
76 pid_read(pid); 76 pid_read(pid);
77 77
78 // print processes 78 // print processes
79 int i; 79 int i;
80 for (i = 0; i < max_pids; i++) { 80 for (i = 0; i < max_pids; i++) {
@@ -93,5 +93,3 @@ void arp(pid_t pid, int print_procs) {
93 } 93 }
94 printf("\n"); 94 printf("\n");
95} 95}
96
97
diff --git a/src/firemon/caps.c b/src/firemon/caps.c
index a13b784a2..4a18833d0 100644
--- a/src/firemon/caps.c
+++ b/src/firemon/caps.c
@@ -32,7 +32,7 @@ static void print_caps(int pid) {
32 free(file); 32 free(file);
33 return; 33 return;
34 } 34 }
35 35
36 char buf[MAXBUF]; 36 char buf[MAXBUF];
37 while (fgets(buf, MAXBUF, fp)) { 37 while (fgets(buf, MAXBUF, fp)) {
38 if (strncmp(buf, "CapBnd:", 7) == 0) { 38 if (strncmp(buf, "CapBnd:", 7) == 0) {
@@ -44,10 +44,10 @@ static void print_caps(int pid) {
44 fclose(fp); 44 fclose(fp);
45 free(file); 45 free(file);
46} 46}
47 47
48void caps(pid_t pid, int print_procs) { 48void caps(pid_t pid, int print_procs) {
49 pid_read(pid); // include all processes 49 pid_read(pid); // include all processes
50 50
51 // print processes 51 // print processes
52 int i; 52 int i;
53 for (i = 0; i < max_pids; i++) { 53 for (i = 0; i < max_pids; i++) {
@@ -61,4 +61,3 @@ void caps(pid_t pid, int print_procs) {
61 } 61 }
62 printf("\n"); 62 printf("\n");
63} 63}
64
diff --git a/src/firemon/cgroup.c b/src/firemon/cgroup.c
index 48427210b..41afa41fd 100644
--- a/src/firemon/cgroup.c
+++ b/src/firemon/cgroup.c
@@ -33,7 +33,7 @@ static void print_cgroup(int pid) {
33 free(file); 33 free(file);
34 return; 34 return;
35 } 35 }
36 36
37 char buf[MAXBUF]; 37 char buf[MAXBUF];
38 if (fgets(buf, MAXBUF, fp)) { 38 if (fgets(buf, MAXBUF, fp)) {
39 printf(" %s", buf); 39 printf(" %s", buf);
@@ -43,10 +43,10 @@ static void print_cgroup(int pid) {
43 fclose(fp); 43 fclose(fp);
44 free(file); 44 free(file);
45} 45}
46 46
47void cgroup(pid_t pid, int print_procs) { 47void cgroup(pid_t pid, int print_procs) {
48 pid_read(pid); 48 pid_read(pid);
49 49
50 // print processes 50 // print processes
51 int i; 51 int i;
52 for (i = 0; i < max_pids; i++) { 52 for (i = 0; i < max_pids; i++) {
@@ -60,4 +60,3 @@ void cgroup(pid_t pid, int print_procs) {
60 } 60 }
61 printf("\n"); 61 printf("\n");
62} 62}
63
diff --git a/src/firemon/cpu.c b/src/firemon/cpu.c
index 2a6979573..7d31cd44d 100644
--- a/src/firemon/cpu.c
+++ b/src/firemon/cpu.c
@@ -33,7 +33,7 @@ static void print_cpu(int pid) {
33 free(file); 33 free(file);
34 return; 34 return;
35 } 35 }
36 36
37 char buf[MAXBUF]; 37 char buf[MAXBUF];
38 while (fgets(buf, MAXBUF, fp)) { 38 while (fgets(buf, MAXBUF, fp)) {
39 if (strncmp(buf, "Cpus_allowed_list:", 18) == 0) { 39 if (strncmp(buf, "Cpus_allowed_list:", 18) == 0) {
@@ -45,10 +45,10 @@ static void print_cpu(int pid) {
45 fclose(fp); 45 fclose(fp);
46 free(file); 46 free(file);
47} 47}
48 48
49void cpu(pid_t pid, int print_procs) { 49void cpu(pid_t pid, int print_procs) {
50 pid_read(pid); 50 pid_read(pid);
51 51
52 // print processes 52 // print processes
53 int i; 53 int i;
54 for (i = 0; i < max_pids; i++) { 54 for (i = 0; i < max_pids; i++) {
@@ -62,4 +62,3 @@ void cpu(pid_t pid, int print_procs) {
62 } 62 }
63 printf("\n"); 63 printf("\n");
64} 64}
65
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c
index da5cc2d97..aaeffdbd2 100644
--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
@@ -24,7 +24,7 @@
24#include <sys/prctl.h> 24#include <sys/prctl.h>
25#include <grp.h> 25#include <grp.h>
26#include <sys/stat.h> 26#include <sys/stat.h>
27 27
28static int arg_route = 0; 28static int arg_route = 0;
29static int arg_arp = 0; 29static int arg_arp = 0;
30static int arg_tree = 0; 30static int arg_tree = 0;
@@ -49,7 +49,7 @@ static void my_handler(int s){
49 49
50 if (terminal_set) 50 if (terminal_set)
51 tcsetattr(0, TCSANOW, &tlocal); 51 tcsetattr(0, TCSANOW, &tlocal);
52 exit(0); 52 exit(0);
53} 53}
54 54
55// find the first child process for the specified pid 55// find the first child process for the specified pid
@@ -60,7 +60,7 @@ int find_child(int id) {
60 if (pids[i].level == 2 && pids[i].parent == id) 60 if (pids[i].level == 2 && pids[i].parent == id)
61 return i; 61 return i;
62 } 62 }
63 63
64 return -1; 64 return -1;
65} 65}
66 66
@@ -118,7 +118,7 @@ int main(int argc, char **argv) {
118 printf("firemon version %s\n\n", VERSION); 118 printf("firemon version %s\n\n", VERSION);
119 return 0; 119 return 0;
120 } 120 }
121 121
122 // options without a pid argument 122 // options without a pid argument
123 else if (strcmp(argv[i], "--top") == 0) 123 else if (strcmp(argv[i], "--top") == 0)
124 arg_top = 1; 124 arg_top = 1;
@@ -131,7 +131,7 @@ int main(int argc, char **argv) {
131 if (getuid() != 0 && stat("/proc/sys/kernel/grsecurity", &s) == 0) { 131 if (getuid() != 0 && stat("/proc/sys/kernel/grsecurity", &s) == 0) {
132 fprintf(stderr, "Error: this feature is not available on Grsecurity systems\n"); 132 fprintf(stderr, "Error: this feature is not available on Grsecurity systems\n");
133 exit(1); 133 exit(1);
134 } 134 }
135 arg_netstats = 1; 135 arg_netstats = 1;
136 } 136 }
137 137
@@ -166,17 +166,17 @@ int main(int argc, char **argv) {
166 return 1; 166 return 1;
167 } 167 }
168 } 168 }
169 169
170 // etc 170 // etc
171 else if (strcmp(argv[i], "--nowrap") == 0) 171 else if (strcmp(argv[i], "--nowrap") == 0)
172 arg_nowrap = 1; 172 arg_nowrap = 1;
173 173
174 // invalid option 174 // invalid option
175 else if (*argv[i] == '-') { 175 else if (*argv[i] == '-') {
176 fprintf(stderr, "Error: invalid option\n"); 176 fprintf(stderr, "Error: invalid option\n");
177 return 1; 177 return 1;
178 } 178 }
179 179
180 // PID argument 180 // PID argument
181 else { 181 else {
182 // this should be a pid number 182 // this should be a pid number
@@ -199,9 +199,9 @@ int main(int argc, char **argv) {
199 fprintf(stderr, "Error: /proc is mounted hidepid, you would need to be root to run this command\n"); 199 fprintf(stderr, "Error: /proc is mounted hidepid, you would need to be root to run this command\n");
200 exit(1); 200 exit(1);
201 } 201 }
202 202
203 if (arg_top) { 203 if (arg_top) {
204 top(); 204 top();
205 return 0; 205 return 0;
206 } 206 }
207 if (arg_list) { 207 if (arg_list) {
@@ -210,9 +210,9 @@ int main(int argc, char **argv) {
210 } 210 }
211 if (arg_netstats) { 211 if (arg_netstats) {
212 netstats(); 212 netstats();
213 return 0; 213 return 0;
214 } 214 }
215 215
216 // cumulative options 216 // cumulative options
217 int print_procs = 1; 217 int print_procs = 1;
218 if (arg_tree) { 218 if (arg_tree) {
@@ -251,9 +251,9 @@ int main(int argc, char **argv) {
251 arp((pid_t) pid, print_procs); 251 arp((pid_t) pid, print_procs);
252 print_procs = 0; 252 print_procs = 0;
253 } 253 }
254 254
255 if (print_procs) 255 if (print_procs)
256 procevent((pid_t) pid); 256 procevent((pid_t) pid);
257 257
258 return 0; 258 return 0;
259} 259}
diff --git a/src/firemon/interface.c b/src/firemon/interface.c
index 77dd1f277..44374ed60 100644
--- a/src/firemon/interface.c
+++ b/src/firemon/interface.c
@@ -64,13 +64,13 @@ static void net_ifprint(void) {
64 memset(&ifr, 0, sizeof(ifr)); 64 memset(&ifr, 0, sizeof(ifr));
65 strncpy(ifr.ifr_name, ifa->ifa_name, IFNAMSIZ); 65 strncpy(ifr.ifr_name, ifa->ifa_name, IFNAMSIZ);
66 int rv = ioctl (fd, SIOCGIFHWADDR, &ifr); 66 int rv = ioctl (fd, SIOCGIFHWADDR, &ifr);
67 67
68 if (rv == 0) 68 if (rv == 0)
69 printf(" %s UP, %02x:%02x:%02x:%02x:%02x:%02x\n", 69 printf(" %s UP, %02x:%02x:%02x:%02x:%02x:%02x\n",
70 ifa->ifa_name, PRINT_MAC((unsigned char *) &ifr.ifr_hwaddr.sa_data)); 70 ifa->ifa_name, PRINT_MAC((unsigned char *) &ifr.ifr_hwaddr.sa_data));
71 else 71 else
72 printf(" %s UP\n", ifa->ifa_name); 72 printf(" %s UP\n", ifa->ifa_name);
73 73
74 printf(" tx/rx: %u/%u packets, %u/%u bytes\n", 74 printf(" tx/rx: %u/%u packets, %u/%u bytes\n",
75 stats->tx_packets, stats->rx_packets, 75 stats->tx_packets, stats->rx_packets,
76 stats->tx_bytes, stats->rx_bytes); 76 stats->tx_bytes, stats->rx_bytes);
@@ -78,7 +78,7 @@ static void net_ifprint(void) {
78 } 78 }
79 else 79 else
80 printf(" %s DOWN\n", ifa->ifa_name); 80 printf(" %s DOWN\n", ifa->ifa_name);
81 } 81 }
82 } 82 }
83 83
84 84
@@ -139,7 +139,7 @@ static void print_sandbox(pid_t pid) {
139 pid_t child = fork(); 139 pid_t child = fork();
140 if (child == -1) 140 if (child == -1)
141 return; 141 return;
142 142
143 if (child == 0) { 143 if (child == 0) {
144 int rv = join_namespace(pid, "net"); 144 int rv = join_namespace(pid, "net");
145 if (rv) 145 if (rv)
@@ -150,14 +150,14 @@ static void print_sandbox(pid_t pid) {
150#endif 150#endif
151 _exit(0); 151 _exit(0);
152 } 152 }
153 153
154 // wait for the child to finish 154 // wait for the child to finish
155 waitpid(child, NULL, 0); 155 waitpid(child, NULL, 0);
156} 156}
157 157
158void interface(pid_t pid, int print_procs) { 158void interface(pid_t pid, int print_procs) {
159 pid_read(pid); // a pid of 0 will include all processes 159 pid_read(pid); // a pid of 0 will include all processes
160 160
161 // print processes 161 // print processes
162 int i; 162 int i;
163 for (i = 0; i < max_pids; i++) { 163 for (i = 0; i < max_pids; i++) {
@@ -172,4 +172,3 @@ void interface(pid_t pid, int print_procs) {
172 } 172 }
173 printf("\n"); 173 printf("\n");
174} 174}
175
diff --git a/src/firemon/list.c b/src/firemon/list.c
index 2152df31f..708b66ae4 100644
--- a/src/firemon/list.c
+++ b/src/firemon/list.c
@@ -21,7 +21,7 @@
21 21
22void list(void) { 22void list(void) {
23 pid_read(0); // include all processes 23 pid_read(0); // include all processes
24 24
25 // print processes 25 // print processes
26 int i; 26 int i;
27 for (i = 0; i < max_pids; i++) { 27 for (i = 0; i < max_pids; i++) {
@@ -29,4 +29,3 @@ void list(void) {
29 pid_print_list(i, arg_nowrap); 29 pid_print_list(i, arg_nowrap);
30 } 30 }
31} 31}
32
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c
index 8d78b094b..c5e8a242c 100644
--- a/src/firemon/netstats.c
+++ b/src/firemon/netstats.c
@@ -35,7 +35,7 @@ static char *get_header(void) {
35 if (asprintf(&rv, "%-5.5s %-9.9s %-10.10s %-10.10s %s", 35 if (asprintf(&rv, "%-5.5s %-9.9s %-10.10s %-10.10s %s",
36 "PID", "User", "RX(KB/s)", "TX(KB/s)", "Command") == -1) 36 "PID", "User", "RX(KB/s)", "TX(KB/s)", "Command") == -1)
37 errExit("asprintf"); 37 errExit("asprintf");
38 38
39 return rv; 39 return rv;
40} 40}
41 41
@@ -59,7 +59,7 @@ void get_stats(int parent) {
59 free(fname); 59 free(fname);
60 goto errexit; 60 goto errexit;
61 } 61 }
62 62
63 char buf[MAXBUF]; 63 char buf[MAXBUF];
64 long long unsigned rx = 0; 64 long long unsigned rx = 0;
65 long long unsigned tx = 0; 65 long long unsigned tx = 0;
@@ -68,19 +68,19 @@ void get_stats(int parent) {
68 continue; 68 continue;
69 if (strncmp(buf, " face", 5) == 0) 69 if (strncmp(buf, " face", 5) == 0)
70 continue; 70 continue;
71 71
72 char *ptr = buf; 72 char *ptr = buf;
73 while (*ptr != '\0' && *ptr != ':') { 73 while (*ptr != '\0' && *ptr != ':') {
74 ptr++; 74 ptr++;
75 } 75 }
76 76
77 if (*ptr == '\0') { 77 if (*ptr == '\0') {
78 fclose(fp); 78 fclose(fp);
79 free(fname); 79 free(fname);
80 goto errexit; 80 goto errexit;
81 } 81 }
82 ptr++; 82 ptr++;
83 83
84 long long unsigned rxval; 84 long long unsigned rxval;
85 long long unsigned txval; 85 long long unsigned txval;
86 unsigned a, b, c, d, e, f, g; 86 unsigned a, b, c, d, e, f, g;
@@ -101,7 +101,7 @@ void get_stats(int parent) {
101 fclose(fp); 101 fclose(fp);
102 return; 102 return;
103 103
104errexit: 104errexit:
105 pids[parent].rx = 0; 105 pids[parent].rx = 0;
106 pids[parent].tx = 0; 106 pids[parent].tx = 0;
107 pids[parent].rx_delta = 0; 107 pids[parent].rx_delta = 0;
@@ -121,7 +121,7 @@ static void print_proc(int index, int itv, int col) {
121 } 121 }
122 else 122 else
123 ptrcmd = cmd; 123 ptrcmd = cmd;
124 124
125 // check network namespace 125 // check network namespace
126 char *name; 126 char *name;
127 if (asprintf(&name, "/run/firejail/network/%d-netmap", index) == -1) 127 if (asprintf(&name, "/run/firejail/network/%d-netmap", index) == -1)
@@ -145,35 +145,35 @@ static void print_proc(int index, int itv, int col) {
145 ptruser = user; 145 ptruser = user;
146 else 146 else
147 ptruser = ""; 147 ptruser = "";
148 148
149 149
150 float rx_kbps = ((float) pids[index].rx_delta / 1000) / itv; 150 float rx_kbps = ((float) pids[index].rx_delta / 1000) / itv;
151 char ptrrx[15]; 151 char ptrrx[15];
152 sprintf(ptrrx, "%.03f", rx_kbps); 152 sprintf(ptrrx, "%.03f", rx_kbps);
153 153
154 float tx_kbps = ((float) pids[index].tx_delta / 1000) / itv; 154 float tx_kbps = ((float) pids[index].tx_delta / 1000) / itv;
155 char ptrtx[15]; 155 char ptrtx[15];
156 sprintf(ptrtx, "%.03f", tx_kbps); 156 sprintf(ptrtx, "%.03f", tx_kbps);
157 157
158 char buf[1024 + 1]; 158 char buf[1024 + 1];
159 snprintf(buf, 1024, "%-5.5s %-9.9s %-10.10s %-10.10s %s", 159 snprintf(buf, 1024, "%-5.5s %-9.9s %-10.10s %-10.10s %s",
160 pidstr, ptruser, ptrrx, ptrtx, ptrcmd); 160 pidstr, ptruser, ptrrx, ptrtx, ptrcmd);
161 if (col < 1024) 161 if (col < 1024)
162 buf[col] = '\0'; 162 buf[col] = '\0';
163 printf("%s\n", buf); 163 printf("%s\n", buf);
164 164
165 if (cmd) 165 if (cmd)
166 free(cmd); 166 free(cmd);
167 if (user) 167 if (user)
168 free(user); 168 free(user);
169 169
170} 170}
171 171
172void netstats(void) { 172void netstats(void) {
173 pid_read(0); // include all processes 173 pid_read(0); // include all processes
174 174
175 printf("Displaying network statistics only for sandboxes using a new network namespace.\n"); 175 printf("Displaying network statistics only for sandboxes using a new network namespace.\n");
176 176
177 // print processes 177 // print processes
178 while (1) { 178 while (1) {
179 // set pid table 179 // set pid table
@@ -186,10 +186,10 @@ void netstats(void) {
186 if (pids[i].level == 1) 186 if (pids[i].level == 1)
187 get_stats(i); 187 get_stats(i);
188 } 188 }
189 189
190 // wait 5 seconds 190 // wait 5 seconds
191 firemon_sleep(itv); 191 firemon_sleep(itv);
192 192
193 // grab screen size 193 // grab screen size
194 struct winsize sz; 194 struct winsize sz;
195 int row = 24; 195 int row = 24;
@@ -198,7 +198,7 @@ void netstats(void) {
198 col = sz.ws_col; 198 col = sz.ws_col;
199 row = sz.ws_row; 199 row = sz.ws_row;
200 } 200 }
201 201
202 // start printing 202 // start printing
203 firemon_clrscr(); 203 firemon_clrscr();
204 char *header = get_header(); 204 char *header = get_header();
@@ -221,4 +221,3 @@ void netstats(void) {
221#endif 221#endif
222 } 222 }
223} 223}
224
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c
index 378bdefe9..d6afed93a 100644
--- a/src/firemon/procevent.c
+++ b/src/firemon/procevent.c
@@ -40,12 +40,12 @@ static int pid_is_firejail(pid_t pid) {
40 printf("%s: %d, pid %d\n", __FUNCTION__, __LINE__, pid); 40 printf("%s: %d, pid %d\n", __FUNCTION__, __LINE__, pid);
41#endif 41#endif
42 uid_t rv = 0; 42 uid_t rv = 0;
43 43
44 // open /proc/self/comm 44 // open /proc/self/comm
45 char *file; 45 char *file;
46 if (asprintf(&file, "/proc/%u/comm", pid) == -1) 46 if (asprintf(&file, "/proc/%u/comm", pid) == -1)
47 errExit("asprintf"); 47 errExit("asprintf");
48 48
49 FILE *fp = fopen(file, "r"); 49 FILE *fp = fopen(file, "r");
50 if (!fp) { 50 if (!fp) {
51 free(file); 51 free(file);
@@ -58,7 +58,7 @@ static int pid_is_firejail(pid_t pid) {
58 if (strncmp(buf, "firejail", 8) == 0) 58 if (strncmp(buf, "firejail", 8) == 0)
59 rv = 1; 59 rv = 1;
60 } 60 }
61 61
62#ifdef DEBUG_PRCTL 62#ifdef DEBUG_PRCTL
63 printf("%s: %d, comm %s, rv %d\n", __FUNCTION__, __LINE__, buf, rv); 63 printf("%s: %d, comm %s, rv %d\n", __FUNCTION__, __LINE__, buf, rv);
64#endif 64#endif
@@ -76,7 +76,7 @@ static int pid_is_firejail(pid_t pid) {
76 goto doexit; 76 goto doexit;
77 } 77 }
78 free(fname); 78 free(fname);
79 79
80 // read file 80 // read file
81#define BUFLEN 4096 81#define BUFLEN 4096
82 unsigned char buffer[BUFLEN]; 82 unsigned char buffer[BUFLEN];
@@ -90,16 +90,16 @@ static int pid_is_firejail(pid_t pid) {
90 } 90 }
91 buffer[len] = '\0'; 91 buffer[len] = '\0';
92 close(fd); 92 close(fd);
93 93
94 // list of firejail arguments that don't trigger sandbox creation 94 // list of firejail arguments that don't trigger sandbox creation
95 // the initial -- is not included 95 // the initial -- is not included
96 char *exclude_args[] = { 96 char *exclude_args[] = {
97 "ls", "list", "tree", "x11", "help", "version", "top", "netstats", "debug-syscalls", 97 "ls", "list", "tree", "x11", "help", "version", "top", "netstats", "debug-syscalls",
98 "debug-errnos", "debug-protocols", "protocol.print", "debug.caps", 98 "debug-errnos", "debug-protocols", "protocol.print", "debug.caps",
99 "shutdown", "bandwidth", "caps.print", "cpu.print", "debug-caps", 99 "shutdown", "bandwidth", "caps.print", "cpu.print", "debug-caps",
100 "fs.print", "get", "overlay-clean", NULL 100 "fs.print", "get", "overlay-clean", NULL
101 }; 101 };
102 102
103 int i; 103 int i;
104 char *start; 104 char *start;
105 int first = 1; 105 int first = 1;
@@ -114,30 +114,30 @@ static int pid_is_firejail(pid_t pid) {
114 if (strncmp(start, "--", 2) != 0) 114 if (strncmp(start, "--", 2) != 0)
115 break; 115 break;
116 start += 2; 116 start += 2;
117 117
118 // clan starting with = 118 // clan starting with =
119 char *ptr = strchr(start, '='); 119 char *ptr = strchr(start, '=');
120 if (ptr) 120 if (ptr)
121 *ptr = '\0'; 121 *ptr = '\0';
122 122
123 // look into exclude list 123 // look into exclude list
124 int j = 0; 124 int j = 0;
125 while (exclude_args[j] != NULL) { 125 while (exclude_args[j] != NULL) {
126 if (strcmp(start, exclude_args[j]) == 0) { 126 if (strcmp(start, exclude_args[j]) == 0) {
127 rv = 0; 127 rv = 0;
128#ifdef DEBUG_PRCTL 128#ifdef DEBUG_PRCTL
129printf("start=#%s#, ptr=#%s#, flip rv %d\n", start, ptr, rv); 129printf("start=#%s#, ptr=#%s#, flip rv %d\n", start, ptr, rv);
130#endif 130#endif
131 break; 131 break;
132 } 132 }
133 j++; 133 j++;
134 } 134 }
135 135
136 start = (char *) buffer + i + 1; 136 start = (char *) buffer + i + 1;
137 } 137 }
138 } 138 }
139 139
140doexit: 140doexit:
141 fclose(fp); 141 fclose(fp);
142 free(file); 142 free(file);
143#ifdef DEBUG_PRCTL 143#ifdef DEBUG_PRCTL
@@ -187,7 +187,7 @@ static int procevent_netlink_setup(void) {
187 187
188 if (writev(sock, iov, 3) == -1) 188 if (writev(sock, iov, 3) == -1)
189 goto errexit; 189 goto errexit;
190 190
191 return sock; 191 return sock;
192errexit: 192errexit:
193 fprintf(stderr, "Error: netlink socket problem\n"); 193 fprintf(stderr, "Error: netlink socket problem\n");
@@ -209,29 +209,29 @@ static int procevent_monitor(const int sock, pid_t mypid) {
209 __gcov_flush(); 209 __gcov_flush();
210#endif 210#endif
211 211
212#define BUFFSIZE 4096 212#define BUFFSIZE 4096
213 char __attribute__ ((aligned(NLMSG_ALIGNTO)))buf[BUFFSIZE]; 213 char __attribute__ ((aligned(NLMSG_ALIGNTO)))buf[BUFFSIZE];
214 214
215 fd_set readfds; 215 fd_set readfds;
216 int max; 216 int max;
217 FD_ZERO(&readfds); 217 FD_ZERO(&readfds);
218 FD_SET(sock, &readfds); 218 FD_SET(sock, &readfds);
219 max = sock; 219 max = sock;
220 max++; 220 max++;
221 221
222 int rv = select(max, &readfds, NULL, NULL, &tv); 222 int rv = select(max, &readfds, NULL, NULL, &tv);
223 if (rv == -1) { 223 if (rv == -1) {
224 fprintf(stderr, "recv: %s\n", strerror(errno)); 224 fprintf(stderr, "recv: %s\n", strerror(errno));
225 return -1; 225 return -1;
226 } 226 }
227 227
228 // timeout 228 // timeout
229 if (rv == 0) { 229 if (rv == 0) {
230 tv.tv_sec = 30; 230 tv.tv_sec = 30;
231 tv.tv_usec = 0; 231 tv.tv_usec = 0;
232 continue; 232 continue;
233 } 233 }
234 234
235 235
236 if ((len = recv(sock, buf, sizeof(buf), 0)) == 0) { 236 if ((len = recv(sock, buf, sizeof(buf), 0)) == 0) {
237 return 0; 237 return 0;
@@ -304,7 +304,7 @@ static int procevent_monitor(const int sock, pid_t mypid) {
304 } 304 }
305 sprintf(lineptr, " exec"); 305 sprintf(lineptr, " exec");
306 break; 306 break;
307 307
308 case PROC_EVENT_EXIT: 308 case PROC_EVENT_EXIT:
309 if (proc_ev->event_data.exit.process_pid != 309 if (proc_ev->event_data.exit.process_pid !=
310 proc_ev->event_data.exit.process_tgid) 310 proc_ev->event_data.exit.process_tgid)
@@ -317,7 +317,7 @@ static int procevent_monitor(const int sock, pid_t mypid) {
317 remove_pid = 1; 317 remove_pid = 1;
318 sprintf(lineptr, " exit"); 318 sprintf(lineptr, " exit");
319 break; 319 break;
320 320
321 case PROC_EVENT_UID: 321 case PROC_EVENT_UID:
322 pid = proc_ev->event_data.id.process_tgid; 322 pid = proc_ev->event_data.id.process_tgid;
323#ifdef DEBUG_PRCTL 323#ifdef DEBUG_PRCTL
@@ -363,11 +363,11 @@ static int procevent_monitor(const int sock, pid_t mypid) {
363 continue; 363 continue;
364 } 364 }
365 } 365 }
366 366
367 lineptr += strlen(lineptr); 367 lineptr += strlen(lineptr);
368 sprintf(lineptr, " %u", pid); 368 sprintf(lineptr, " %u", pid);
369 lineptr += strlen(lineptr); 369 lineptr += strlen(lineptr);
370 370
371 char *user = pids[pid].user; 371 char *user = pids[pid].user;
372 if (!user) 372 if (!user)
373 user = pid_get_user_name(pids[pid].uid); 373 user = pid_get_user_name(pids[pid].uid);
@@ -376,7 +376,7 @@ static int procevent_monitor(const int sock, pid_t mypid) {
376 sprintf(lineptr, " (%s)", user); 376 sprintf(lineptr, " (%s)", user);
377 lineptr += strlen(lineptr); 377 lineptr += strlen(lineptr);
378 } 378 }
379 379
380 380
381 int sandbox_closed = 0; // exit sandbox flag 381 int sandbox_closed = 0; // exit sandbox flag
382 char *cmd = pids[pid].cmd; 382 char *cmd = pids[pid].cmd;
@@ -409,11 +409,11 @@ static int procevent_monitor(const int sock, pid_t mypid) {
409 lineptr += strlen(lineptr); 409 lineptr += strlen(lineptr);
410 } 410 }
411 (void) lineptr; 411 (void) lineptr;
412 412
413 // print the event 413 // print the event
414 printf("%s", line); 414 printf("%s", line);
415 fflush(0); 415 fflush(0);
416 416
417 // unflag pid for exit events 417 // unflag pid for exit events
418 if (remove_pid) { 418 if (remove_pid) {
419 if (pids[pid].user) 419 if (pids[pid].user)
@@ -433,15 +433,15 @@ static int procevent_monitor(const int sock, pid_t mypid) {
433 else 433 else
434 printf("\tchild %u\n", child); 434 printf("\tchild %u\n", child);
435 } 435 }
436 436
437 // on uid events the uid is changing 437 // on uid events the uid is changing
438 if (proc_ev->what == PROC_EVENT_UID) { 438 if (proc_ev->what == PROC_EVENT_UID) {
439 if (pids[pid].user) 439 if (pids[pid].user)
440 free(pids[pid].user); 440 free(pids[pid].user);
441 pids[pid].user = 0; 441 pids[pid].user = 0;
442 pids[pid].uid = pid_get_uid(pid); 442 pids[pid].uid = pid_get_uid(pid);
443 } 443 }
444 444
445 if (sandbox_closed) 445 if (sandbox_closed)
446 exit(0); 446 exit(0);
447 } 447 }
diff --git a/src/firemon/route.c b/src/firemon/route.c
index 145daa152..f083ada0b 100644
--- a/src/firemon/route.c
+++ b/src/firemon/route.c
@@ -36,7 +36,7 @@ static IfList *list_find(uint32_t ip, uint32_t mask) {
36 return ptr; 36 return ptr;
37 ptr = ptr->next; 37 ptr = ptr->next;
38 } 38 }
39 39
40 return NULL; 40 return NULL;
41} 41}
42 42
@@ -47,15 +47,15 @@ static void extract_if(const char *fname) {
47 free(ifs); 47 free(ifs);
48 ifs = tmp; 48 ifs = tmp;
49 } 49 }
50 assert(ifs == NULL); 50 assert(ifs == NULL);
51 51
52 FILE *fp = fopen(fname, "r"); 52 FILE *fp = fopen(fname, "r");
53 if (!fp) 53 if (!fp)
54 return; 54 return;
55 55
56 char buf[MAXBUF]; 56 char buf[MAXBUF];
57 int state = 0; // 0 -wait for Local 57 int state = 0; // 0 -wait for Local
58 // 58 //
59 while (fgets(buf, MAXBUF, fp)) { 59 while (fgets(buf, MAXBUF, fp)) {
60 // remove blanks, \n 60 // remove blanks, \n
61 char *ptr = buf; 61 char *ptr = buf;
@@ -67,7 +67,7 @@ static void extract_if(const char *fname) {
67 ptr = strchr(ptr, '\n'); 67 ptr = strchr(ptr, '\n');
68 if (ptr) 68 if (ptr)
69 *ptr = '\0'; 69 *ptr = '\0';
70 70
71 if (state == 0) { 71 if (state == 0) {
72 if (strncmp(buf, "Local:", 6) == 0) { 72 if (strncmp(buf, "Local:", 6) == 0) {
73 state = 1; 73 state = 1;
@@ -105,7 +105,7 @@ static void extract_if(const char *fname) {
105 } 105 }
106 } 106 }
107 } 107 }
108 108
109 fclose(fp); 109 fclose(fp);
110 110
111 111
@@ -115,7 +115,7 @@ static void print_route(const char *fname) {
115 FILE *fp = fopen(fname, "r"); 115 FILE *fp = fopen(fname, "r");
116 if (!fp) 116 if (!fp)
117 return; 117 return;
118 118
119 printf(" Route table:\n"); 119 printf(" Route table:\n");
120 char buf[MAXBUF]; 120 char buf[MAXBUF];
121 while (fgets(buf, MAXBUF, fp)) { 121 while (fgets(buf, MAXBUF, fp)) {
@@ -147,7 +147,7 @@ static void print_route(const char *fname) {
147 int rv = sscanf(start, "%s %s %s %s %s %s %s %s\n", ifname, destination, gateway, flags, refcnt, use, metric, mask); 147 int rv = sscanf(start, "%s %s %s %s %s %s %s %s\n", ifname, destination, gateway, flags, refcnt, use, metric, mask);
148 if (rv != 8) 148 if (rv != 8)
149 continue; 149 continue;
150 150
151 // destination ip 151 // destination ip
152 uint32_t destip; 152 uint32_t destip;
153 sscanf(destination, "%x", &destip); 153 sscanf(destination, "%x", &destip);
@@ -158,7 +158,7 @@ static void print_route(const char *fname) {
158 uint32_t gw; 158 uint32_t gw;
159 sscanf(gateway, "%x", &gw); 159 sscanf(gateway, "%x", &gw);
160 gw = ntohl(gw); 160 gw = ntohl(gw);
161 161
162// printf("#%s# #%s# #%s# #%s# #%s# #%s# #%s# #%s#\n", ifname, destination, gateway, flags, refcnt, use, metric, mask); 162// printf("#%s# #%s# #%s# #%s# #%s# #%s# #%s# #%s#\n", ifname, destination, gateway, flags, refcnt, use, metric, mask);
163 if (gw != 0) 163 if (gw != 0)
164 printf(" %u.%u.%u.%u/%u via %u.%u.%u.%u, dev %s, metric %s\n", 164 printf(" %u.%u.%u.%u/%u via %u.%u.%u.%u, dev %s, metric %s\n",
@@ -176,14 +176,14 @@ static void print_route(const char *fname) {
176 } 176 }
177 } 177 }
178 } 178 }
179 179
180 fclose(fp); 180 fclose(fp);
181 181
182} 182}
183 183
184void route(pid_t pid, int print_procs) { 184void route(pid_t pid, int print_procs) {
185 pid_read(pid); 185 pid_read(pid);
186 186
187 // print processes 187 // print processes
188 int i; 188 int i;
189 for (i = 0; i < max_pids; i++) { 189 for (i = 0; i < max_pids; i++) {
@@ -207,5 +207,3 @@ void route(pid_t pid, int print_procs) {
207 } 207 }
208 printf("\n"); 208 printf("\n");
209} 209}
210
211
diff --git a/src/firemon/seccomp.c b/src/firemon/seccomp.c
index e530fa1c3..73d962fc9 100644
--- a/src/firemon/seccomp.c
+++ b/src/firemon/seccomp.c
@@ -31,7 +31,7 @@ static void print_seccomp(int pid) {
31 free(file); 31 free(file);
32 return; 32 return;
33 } 33 }
34 34
35 char buf[MAXBUF]; 35 char buf[MAXBUF];
36 while (fgets(buf, MAXBUF, fp)) { 36 while (fgets(buf, MAXBUF, fp)) {
37 if (strncmp(buf, "Seccomp:", 8) == 0) { 37 if (strncmp(buf, "Seccomp:", 8) == 0) {
@@ -43,10 +43,10 @@ static void print_seccomp(int pid) {
43 fclose(fp); 43 fclose(fp);
44 free(file); 44 free(file);
45} 45}
46 46
47void seccomp(pid_t pid, int print_procs) { 47void seccomp(pid_t pid, int print_procs) {
48 pid_read(pid); // include all processes 48 pid_read(pid); // include all processes
49 49
50 // print processes 50 // print processes
51 int i; 51 int i;
52 for (i = 0; i < max_pids; i++) { 52 for (i = 0; i < max_pids; i++) {
@@ -60,4 +60,3 @@ void seccomp(pid_t pid, int print_procs) {
60 } 60 }
61 printf("\n"); 61 printf("\n");
62} 62}
63
diff --git a/src/firemon/top.c b/src/firemon/top.c
index 081f04eba..fc6e6289e 100644
--- a/src/firemon/top.c
+++ b/src/firemon/top.c
@@ -23,7 +23,7 @@
23#include <sys/types.h> 23#include <sys/types.h>
24#include <sys/stat.h> 24#include <sys/stat.h>
25#include <unistd.h> 25#include <unistd.h>
26 26
27static unsigned pgs_rss = 0; 27static unsigned pgs_rss = 0;
28static unsigned pgs_shared = 0; 28static unsigned pgs_shared = 0;
29static unsigned clocktick = 0; 29static unsigned clocktick = 0;
@@ -40,7 +40,7 @@ static char *get_user_name(uid_t uid) {
40 } 40 }
41 else if (uid == cached_uid) 41 else if (uid == cached_uid)
42 return strdup(cached_user_name); 42 return strdup(cached_user_name);
43 else 43 else
44 return pid_get_user_name(uid); 44 return pid_get_user_name(uid);
45} 45}
46 46
@@ -49,7 +49,7 @@ static char *get_header(void) {
49 if (asprintf(&rv, "%-5.5s %-9.9s %-8.8s %-8.8s %-5.5s %-4.4s %-9.9s %s", 49 if (asprintf(&rv, "%-5.5s %-9.9s %-8.8s %-8.8s %-5.5s %-4.4s %-9.9s %s",
50 "PID", "User", "RES(KiB)", "SHR(KiB)", "CPU%", "Prcs", "Uptime", "Command") == -1) 50 "PID", "User", "RES(KiB)", "SHR(KiB)", "CPU%", "Prcs", "Uptime", "Command") == -1)
51 errExit("asprintf"); 51 errExit("asprintf");
52 52
53 return rv; 53 return rv;
54} 54}
55 55
@@ -66,7 +66,7 @@ static char *print_top(unsigned index, unsigned parent, unsigned *utime, unsigne
66 struct stat s; 66 struct stat s;
67 if (stat(procdir, &s) == -1) 67 if (stat(procdir, &s) == -1)
68 return NULL; 68 return NULL;
69 69
70 if (pids[index].level == 1) { 70 if (pids[index].level == 1) {
71 pgs_rss = 0; 71 pgs_rss = 0;
72 pgs_shared = 0; 72 pgs_shared = 0;
@@ -74,7 +74,7 @@ static char *print_top(unsigned index, unsigned parent, unsigned *utime, unsigne
74 *stime = 0; 74 *stime = 0;
75 *cnt = 0; 75 *cnt = 0;
76 } 76 }
77 77
78 (*cnt)++; 78 (*cnt)++;
79 pid_getmem(index, &pgs_rss, &pgs_shared); 79 pid_getmem(index, &pgs_rss, &pgs_shared);
80 unsigned utmp; 80 unsigned utmp;
@@ -82,8 +82,8 @@ static char *print_top(unsigned index, unsigned parent, unsigned *utime, unsigne
82 pid_get_cpu_time(index, &utmp, &stmp); 82 pid_get_cpu_time(index, &utmp, &stmp);
83 *utime += utmp; 83 *utime += utmp;
84 *stime += stmp; 84 *stime += stmp;
85 85
86 86
87 int i; 87 int i;
88 for (i = index + 1; i < max_pids; i++) { 88 for (i = index + 1; i < max_pids; i++) {
89 if (pids[i].parent == (pid_t)index) 89 if (pids[i].parent == (pid_t)index)
@@ -108,7 +108,7 @@ static char *print_top(unsigned index, unsigned parent, unsigned *utime, unsigne
108 ptrcmd = cmd + 9; 108 ptrcmd = cmd + 9;
109 else 109 else
110 ptrcmd = cmd; 110 ptrcmd = cmd;
111 111
112 // user 112 // user
113 char *user = get_user_name(pids[index].uid); 113 char *user = get_user_name(pids[index].uid);
114 char *ptruser; 114 char *ptruser;
@@ -116,7 +116,7 @@ static char *print_top(unsigned index, unsigned parent, unsigned *utime, unsigne
116 ptruser = user; 116 ptruser = user;
117 else 117 else
118 ptruser = ""; 118 ptruser = "";
119 119
120 // memory 120 // memory
121 if (pgsz == 0) 121 if (pgsz == 0)
122 pgsz = getpagesize(); 122 pgsz = getpagesize();
@@ -124,7 +124,7 @@ static char *print_top(unsigned index, unsigned parent, unsigned *utime, unsigne
124 snprintf(rss, 10, "%u", pgs_rss * pgsz / 1024); 124 snprintf(rss, 10, "%u", pgs_rss * pgsz / 1024);
125 char shared[10]; 125 char shared[10];
126 snprintf(shared, 10, "%u", pgs_shared * pgsz / 1024); 126 snprintf(shared, 10, "%u", pgs_shared * pgsz / 1024);
127 127
128 // uptime 128 // uptime
129 unsigned long long uptime = pid_get_start_time(index); 129 unsigned long long uptime = pid_get_start_time(index);
130 if (clocktick == 0) 130 if (clocktick == 0)
@@ -140,7 +140,7 @@ static char *print_top(unsigned index, unsigned parent, unsigned *utime, unsigne
140 unsigned hour = uptime; 140 unsigned hour = uptime;
141 char uptime_str[50]; 141 char uptime_str[50];
142 snprintf(uptime_str, 50, "%02u:%02u:%02u", hour, min, sec); 142 snprintf(uptime_str, 50, "%02u:%02u:%02u", hour, min, sec);
143 143
144 // cpu 144 // cpu
145 itv *= clocktick; 145 itv *= clocktick;
146 float ud = (float) (*utime - pids[index].utime) / itv * 100; 146 float ud = (float) (*utime - pids[index].utime) / itv * 100;
@@ -153,18 +153,18 @@ static char *print_top(unsigned index, unsigned parent, unsigned *utime, unsigne
153 // process count 153 // process count
154 char prcs_str[10]; 154 char prcs_str[10];
155 snprintf(prcs_str, 10, "%d", *cnt); 155 snprintf(prcs_str, 10, "%d", *cnt);
156 156
157 if (asprintf(&rv, "%-5.5s %-9.9s %-8.8s %-8.8s %-5.5s %-4.4s %-9.9s %s", 157 if (asprintf(&rv, "%-5.5s %-9.9s %-8.8s %-8.8s %-5.5s %-4.4s %-9.9s %s",
158 pidstr, ptruser, rss, shared, cpu_str, prcs_str, uptime_str, ptrcmd) == -1) 158 pidstr, ptruser, rss, shared, cpu_str, prcs_str, uptime_str, ptrcmd) == -1)
159 errExit("asprintf"); 159 errExit("asprintf");
160 160
161 if (cmd) 161 if (cmd)
162 free(cmd); 162 free(cmd);
163 if (user) 163 if (user)
164 free(user); 164 free(user);
165 165
166 } 166 }
167 167
168 return rv; 168 return rv;
169} 169}
170 170
@@ -174,7 +174,7 @@ typedef struct node_t {
174 char *line; 174 char *line;
175 float cpu; 175 float cpu;
176} Node; 176} Node;
177 177
178static Node *head = NULL; 178static Node *head = NULL;
179 179
180static void head_clear(void) { 180static void head_clear(void) {
@@ -186,7 +186,7 @@ static void head_clear(void) {
186 free(ptr); 186 free(ptr);
187 ptr = next; 187 ptr = next;
188 } 188 }
189 189
190 head = NULL; 190 head = NULL;
191} 191}
192 192
@@ -198,14 +198,14 @@ static void head_add(float cpu, char *line) {
198 node->line = line; 198 node->line = line;
199 node->cpu = cpu; 199 node->cpu = cpu;
200 node->next = NULL; 200 node->next = NULL;
201 201
202 // insert in first list position 202 // insert in first list position
203 if (head == NULL || head->cpu < cpu) { 203 if (head == NULL || head->cpu < cpu) {
204 node->next = head; 204 node->next = head;
205 head = node; 205 head = node;
206 return; 206 return;
207 } 207 }
208 208
209 // insert in the right place 209 // insert in the right place
210 Node *ptr = head; 210 Node *ptr = head;
211 while (1) { 211 while (1) {
@@ -215,14 +215,14 @@ static void head_add(float cpu, char *line) {
215 ptr->next = node; 215 ptr->next = node;
216 return; 216 return;
217 } 217 }
218 218
219 // current position 219 // current position
220 if (current->cpu < cpu) { 220 if (current->cpu < cpu) {
221 ptr->next = node; 221 ptr->next = node;
222 node->next = current; 222 node->next = current;
223 return; 223 return;
224 } 224 }
225 225
226 ptr = current; 226 ptr = current;
227 } 227 }
228} 228}
@@ -233,10 +233,10 @@ void head_print(int col, int row) {
233 while (ptr) { 233 while (ptr) {
234 if (current >= row) 234 if (current >= row)
235 break; 235 break;
236 236
237 if (strlen(ptr->line) > (size_t)col) 237 if (strlen(ptr->line) > (size_t)col)
238 ptr->line[col] = '\0'; 238 ptr->line[col] = '\0';
239 239
240 if (ptr->next == NULL || current == (row - 1)) { 240 if (ptr->next == NULL || current == (row - 1)) {
241 printf("%s", ptr->line); 241 printf("%s", ptr->line);
242 fflush(0); 242 fflush(0);
@@ -253,7 +253,7 @@ void top(void) {
253 while (1) { 253 while (1) {
254 // clear linked list 254 // clear linked list
255 head_clear(); 255 head_clear();
256 256
257 // set pid table 257 // set pid table
258 int i; 258 int i;
259 int itv = 1; // 1 second interval 259 int itv = 1; // 1 second interval
@@ -266,10 +266,10 @@ void top(void) {
266 if (pids[i].level == 1) 266 if (pids[i].level == 1)
267 pid_store_cpu(i, 0, &utime, &stime); 267 pid_store_cpu(i, 0, &utime, &stime);
268 } 268 }
269 269
270 // wait 1 second 270 // wait 1 second
271 firemon_sleep(itv); 271 firemon_sleep(itv);
272 272
273 // grab screen size 273 // grab screen size
274 struct winsize sz; 274 struct winsize sz;
275 int row = 24; 275 int row = 24;
@@ -288,7 +288,7 @@ void top(void) {
288 if (row > 0) 288 if (row > 0)
289 row--; 289 row--;
290 free(header); 290 free(header);
291 291
292 // find system uptime 292 // find system uptime
293 FILE *fp = fopen("/proc/uptime", "r"); 293 FILE *fp = fopen("/proc/uptime", "r");
294 if (fp) { 294 if (fp) {
@@ -315,4 +315,3 @@ void top(void) {
315#endif 315#endif
316 } 316 }
317} 317}
318
diff --git a/src/firemon/tree.c b/src/firemon/tree.c
index 3fdcc4d37..99f68c262 100644
--- a/src/firemon/tree.c
+++ b/src/firemon/tree.c
@@ -21,7 +21,7 @@
21 21
22void tree(pid_t pid) { 22void tree(pid_t pid) {
23 pid_read(pid); 23 pid_read(pid);
24 24
25 // print processes 25 // print processes
26 int i; 26 int i;
27 for (i = 0; i < max_pids; i++) { 27 for (i = 0; i < max_pids; i++) {
@@ -30,4 +30,3 @@ void tree(pid_t pid) {
30 } 30 }
31 printf("\n"); 31 printf("\n");
32} 32}
33
diff --git a/src/firemon/x11.c b/src/firemon/x11.c
index c923c8ef8..7e331795f 100644
--- a/src/firemon/x11.c
+++ b/src/firemon/x11.c
@@ -21,17 +21,17 @@
21#include <sys/types.h> 21#include <sys/types.h>
22#include <sys/stat.h> 22#include <sys/stat.h>
23#include <unistd.h> 23#include <unistd.h>
24 24
25void x11(pid_t pid, int print_procs) { 25void x11(pid_t pid, int print_procs) {
26 pid_read(pid); 26 pid_read(pid);
27 27
28 // print processes 28 // print processes
29 int i; 29 int i;
30 for (i = 0; i < max_pids; i++) { 30 for (i = 0; i < max_pids; i++) {
31 if (pids[i].level == 1) { 31 if (pids[i].level == 1) {
32 if (print_procs || pid == 0) 32 if (print_procs || pid == 0)
33 pid_print_list(i, arg_nowrap); 33 pid_print_list(i, arg_nowrap);
34 34
35 char *x11file; 35 char *x11file;
36 // todo: use macro from src/firejail/firejail.h for /run/firejail/x11 directory 36 // todo: use macro from src/firejail/firejail.h for /run/firejail/x11 directory
37 if (asprintf(&x11file, "/run/firejail/x11/%d", i) == -1) 37 if (asprintf(&x11file, "/run/firejail/x11/%d", i) == -1)
@@ -53,4 +53,3 @@ void x11(pid_t pid, int print_procs) {
53 } 53 }
54 printf("\n"); 54 printf("\n");
55} 55}
56
diff --git a/src/floader/README.md b/src/floader/README.md
index d437763a7..c1e14b2a6 100644
--- a/src/floader/README.md
+++ b/src/floader/README.md
@@ -5,5 +5,3 @@ READ ME
5* Add comma separated process names to ~/.loader.conf 5* Add comma separated process names to ~/.loader.conf
6* export LD_PRELOAD=<path>./loader.so (ideally to .bashrc) 6* export LD_PRELOAD=<path>./loader.so (ideally to .bashrc)
7* Run any application within shell 7* Run any application within shell
8
9
diff --git a/src/floader/loader.c b/src/floader/loader.c
index 0970794e9..6b9f92f18 100644
--- a/src/floader/loader.c
+++ b/src/floader/loader.c
@@ -1,13 +1,13 @@
1/* 1/*
2 * Copyright (C) 2017 Madura A. (madura.x86@gmail.com) 2 * Copyright (C) 2017 Madura A. (madura.x86@gmail.com)
3 * 3 *
4 */ 4 */
5#include <sys/types.h> 5#include <sys/types.h>
6#include <sys/stat.h> 6#include <sys/stat.h>
7#include <sys/mman.h> 7#include <sys/mman.h>
8#include <fcntl.h> 8#include <fcntl.h>
9#include <unistd.h> 9#include <unistd.h>
10 10
11#include <string.h> 11#include <string.h>
12#include <stdio.h> 12#include <stdio.h>
13#include <stdlib.h> 13#include <stdlib.h>
@@ -35,7 +35,7 @@ void remove_trailing_spaces(char *str)
35 { 35 {
36 str++; 36 str++;
37 } 37 }
38 38
39 while (*str != '\0') 39 while (*str != '\0')
40 { 40 {
41 *str = '\0'; 41 *str = '\0';
@@ -70,7 +70,7 @@ void make_args()
70 { 70 {
71 if (cmdline[cI] == '\0') 71 if (cmdline[cI] == '\0')
72 { 72 {
73 args[argI]= argstart; 73 args[argI]= argstart;
74 argstart = &cmdline[cI+1]; 74 argstart = &cmdline[cI+1];
75 argI++; 75 argI++;
76 if (*argstart == '\0') 76 if (*argstart == '\0')
@@ -89,11 +89,11 @@ void loader_main()
89 snprintf(confFile, 255, "%s/.loader.conf", getenv("HOME")); 89 snprintf(confFile, 255, "%s/.loader.conf", getenv("HOME"));
90 90
91 struct stat confFileStat; 91 struct stat confFileStat;
92 92
93 stat(confFile, &confFileStat); 93 stat(confFile, &confFileStat);
94 94
95 int confFd = open(confFile, O_RDONLY); 95 int confFd = open(confFile, O_RDONLY);
96 96
97 if (confFd == -1) 97 if (confFd == -1)
98 { 98 {
99 close(confFd); 99 close(confFd);
@@ -111,7 +111,7 @@ void loader_main()
111 close(confFd); 111 close(confFd);
112 return; 112 return;
113 } 113 }
114 114
115 close(confFd); 115 close(confFd);
116 size_t fI = 0; 116 size_t fI = 0;
117 int matchId = 0; 117 int matchId = 0;
@@ -123,17 +123,17 @@ void loader_main()
123 { 123 {
124 names[matchId] = &conf[fI+1]; 124 names[matchId] = &conf[fI+1];
125 conf[fI] = '\0'; 125 conf[fI] = '\0';
126 126
127 matchId++; 127 matchId++;
128 } 128 }
129 } 129 }
130 130
131 remove_trailing_spaces(names[matchId-1]); 131 remove_trailing_spaces(names[matchId-1]);
132 132
133 read_cmdline(); 133 read_cmdline();
134 134
135 make_args(); 135 make_args();
136 136
137#ifdef DEBUG 137#ifdef DEBUG
138 int xarg=0; 138 int xarg=0;
139 while (args[xarg] != NULL) 139 while (args[xarg] != NULL)
@@ -144,18 +144,18 @@ void loader_main()
144#endif 144#endif
145 145
146 int x; 146 int x;
147 147
148 for (x = 0;x<matchId;x++) 148 for (x = 0;x<matchId;x++)
149 { 149 {
150 DBG("%s\n",names[x]); 150 DBG("%s\n",names[x]);
151 if (strstr(args[0], names[x]) != NULL) 151 if (strstr(args[0], names[x]) != NULL)
152 { 152 {
153 DBG("highjack!\n"); 153 DBG("highjack!\n");
154 154
155 free(conf); 155 free(conf);
156 156
157 execvp(loader, args ); 157 execvp(loader, args );
158 } 158 }
159 } 159 }
160 160
161} 161}
diff --git a/src/floader/makefile b/src/floader/makefile
index 0de6a3138..eeb96571d 100644
--- a/src/floader/makefile
+++ b/src/floader/makefile
@@ -3,5 +3,3 @@ all:
3 3
4debug: 4debug:
5 gcc -ggdb -shared -DDEBUG -fPIC loader.c -o loader.so 5 gcc -ggdb -shared -DDEBUG -fPIC loader.c -o loader.so
6
7
diff --git a/src/fnet/Makefile.in b/src/fnet/Makefile.in
index 32f08882a..5932737ce 100644
--- a/src/fnet/Makefile.in
+++ b/src/fnet/Makefile.in
@@ -42,4 +42,3 @@ clean:; rm -f *.o fnet *.gcov *.gcda *.gcno
42 42
43distclean: clean 43distclean: clean
44 rm -fr Makefile 44 rm -fr Makefile
45
diff --git a/src/fnet/arp.c b/src/fnet/arp.c
index a7f0a603a..4736f3509 100644
--- a/src/fnet/arp.c
+++ b/src/fnet/arp.c
@@ -48,12 +48,12 @@ void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) {
48 48
49// printf("Scanning interface %s (%d.%d.%d.%d/%d)\n", 49// printf("Scanning interface %s (%d.%d.%d.%d/%d)\n",
50// dev, PRINT_IP(ifip & ifmask), mask2bits(ifmask)); 50// dev, PRINT_IP(ifip & ifmask), mask2bits(ifmask));
51 51
52 if (strlen(dev) > IFNAMSIZ) { 52 if (strlen(dev) > IFNAMSIZ) {
53 fprintf(stderr, "Error: invalid network device name %s\n", dev); 53 fprintf(stderr, "Error: invalid network device name %s\n", dev);
54 exit(1); 54 exit(1);
55 } 55 }
56 56
57 // find interface mac address 57 // find interface mac address
58 int sock; 58 int sock;
59 if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) 59 if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
@@ -70,7 +70,7 @@ void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) {
70 // open layer2 socket 70 // open layer2 socket
71 if ((sock = socket(PF_PACKET, SOCK_RAW, htons (ETH_P_ALL))) < 0) 71 if ((sock = socket(PF_PACKET, SOCK_RAW, htons (ETH_P_ALL))) < 0)
72 errExit("socket"); 72 errExit("socket");
73 73
74 // try all possible ip addresses in ascending order 74 // try all possible ip addresses in ascending order
75 uint32_t range = ~ifmask + 1; // the number of potential addresses 75 uint32_t range = ~ifmask + 1; // the number of potential addresses
76 // this software is not supported for /31 networks 76 // this software is not supported for /31 networks
@@ -90,7 +90,7 @@ void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) {
90 struct timeval ts; 90 struct timeval ts;
91 ts.tv_sec = 2; // 2 seconds receive timeout 91 ts.tv_sec = 2; // 2 seconds receive timeout
92 ts.tv_usec = 0; 92 ts.tv_usec = 0;
93 93
94 while (1) { 94 while (1) {
95 fd_set rfds; 95 fd_set rfds;
96 FD_ZERO(&rfds); 96 FD_ZERO(&rfds);
@@ -101,21 +101,21 @@ void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) {
101 int maxfd = sock; 101 int maxfd = sock;
102 102
103 uint8_t frame[ETH_FRAME_LEN]; // includes eht header, vlan, and crc 103 uint8_t frame[ETH_FRAME_LEN]; // includes eht header, vlan, and crc
104 memset(frame, 0, ETH_FRAME_LEN); 104 memset(frame, 0, ETH_FRAME_LEN);
105 105
106 int nready; 106 int nready;
107 if (dest < last) 107 if (dest < last)
108 nready = select(maxfd + 1, &rfds, &wfds, (fd_set *) 0, NULL); 108 nready = select(maxfd + 1, &rfds, &wfds, (fd_set *) 0, NULL);
109 else 109 else
110 nready = select(maxfd + 1, &rfds, (fd_set *) 0, (fd_set *) 0, &ts); 110 nready = select(maxfd + 1, &rfds, (fd_set *) 0, (fd_set *) 0, &ts);
111 111
112 if (nready < 0) 112 if (nready < 0)
113 errExit("select"); 113 errExit("select");
114 114
115 if (nready == 0) { // timeout 115 if (nready == 0) { // timeout
116 break; 116 break;
117 } 117 }
118 118
119 if (FD_ISSET(sock, &wfds) && dest < last) { 119 if (FD_ISSET(sock, &wfds) && dest < last) {
120 // configure layer2 socket address information 120 // configure layer2 socket address information
121 struct sockaddr_ll addr; 121 struct sockaddr_ll addr;
@@ -125,7 +125,7 @@ void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) {
125 addr.sll_family = AF_PACKET; 125 addr.sll_family = AF_PACKET;
126 memcpy (addr.sll_addr, mac, 6); 126 memcpy (addr.sll_addr, mac, 6);
127 addr.sll_halen = htons(6); 127 addr.sll_halen = htons(6);
128 128
129 // build the arp packet header 129 // build the arp packet header
130 ArpHdr hdr; 130 ArpHdr hdr;
131 memset(&hdr, 0, sizeof(hdr)); 131 memset(&hdr, 0, sizeof(hdr));
@@ -138,7 +138,7 @@ void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) {
138 memcpy(hdr.sender_ip, (uint8_t *)&src, 4); 138 memcpy(hdr.sender_ip, (uint8_t *)&src, 4);
139 uint32_t dst = htonl(dest); 139 uint32_t dst = htonl(dest);
140 memcpy(hdr.target_ip, (uint8_t *)&dst, 4); 140 memcpy(hdr.target_ip, (uint8_t *)&dst, 4);
141 141
142 // build ethernet frame 142 // build ethernet frame
143 uint8_t frame[ETH_FRAME_LEN]; // includes eht header, vlan, and crc 143 uint8_t frame[ETH_FRAME_LEN]; // includes eht header, vlan, and crc
144 memset(frame, 0, sizeof(frame)); 144 memset(frame, 0, sizeof(frame));
@@ -147,16 +147,16 @@ void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) {
147 frame[12] = ETH_P_ARP / 256; 147 frame[12] = ETH_P_ARP / 256;
148 frame[13] = ETH_P_ARP % 256; 148 frame[13] = ETH_P_ARP % 256;
149 memcpy (frame + 14, &hdr, sizeof(hdr)); 149 memcpy (frame + 14, &hdr, sizeof(hdr));
150 150
151 // send packet 151 // send packet
152 int len; 152 int len;
153 if ((len = sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr))) <= 0) 153 if ((len = sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr))) <= 0)
154 errExit("send"); 154 errExit("send");
155//printf("send %d bytes to %d.%d.%d.%d\n", len, PRINT_IP(dest)); 155//printf("send %d bytes to %d.%d.%d.%d\n", len, PRINT_IP(dest));
156 fflush(0); 156 fflush(0);
157 dest++; 157 dest++;
158 } 158 }
159 159
160 if (FD_ISSET(sock, &rfds)) { 160 if (FD_ISSET(sock, &rfds)) {
161 // read the incoming packet 161 // read the incoming packet
162 int len = recvfrom(sock, frame, ETH_FRAME_LEN, 0, NULL, NULL); 162 int len = recvfrom(sock, frame, ETH_FRAME_LEN, 0, NULL, NULL);
@@ -185,24 +185,21 @@ void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) {
185 continue; 185 continue;
186 memcpy(&ip, hdr.sender_ip, 4); 186 memcpy(&ip, hdr.sender_ip, 4);
187 ip = ntohl(ip); 187 ip = ntohl(ip);
188 188
189 if (ip == last_ip) // filter duplicates 189 if (ip == last_ip) // filter duplicates
190 continue; 190 continue;
191 last_ip = ip; 191 last_ip = ip;
192 192
193 // printing 193 // printing
194 if (header_printed == 0) { 194 if (header_printed == 0) {
195 printf(" Network scan:\n"); 195 printf(" Network scan:\n");
196 header_printed = 1; 196 header_printed = 1;
197 } 197 }
198 printf(" %02x:%02x:%02x:%02x:%02x:%02x\t%d.%d.%d.%d\n", 198 printf(" %02x:%02x:%02x:%02x:%02x:%02x\t%d.%d.%d.%d\n",
199 PRINT_MAC(hdr.sender_mac), PRINT_IP(ip)); 199 PRINT_MAC(hdr.sender_mac), PRINT_IP(ip));
200 } 200 }
201 } 201 }
202 } 202 }
203 203
204 close(sock); 204 close(sock);
205} 205}
206
207
208
diff --git a/src/fnet/interface.c b/src/fnet/interface.c
index 33ad766ec..8c1fd6ca4 100644
--- a/src/fnet/interface.c
+++ b/src/fnet/interface.c
@@ -40,7 +40,7 @@ static void check_if_name(const char *ifname) {
40void net_bridge_add_interface(const char *bridge, const char *dev) { 40void net_bridge_add_interface(const char *bridge, const char *dev) {
41 check_if_name(bridge); 41 check_if_name(bridge);
42 check_if_name(dev); 42 check_if_name(dev);
43 43
44 // somehow adding the interface to the bridge resets MTU on bridge device!!! 44 // somehow adding the interface to the bridge resets MTU on bridge device!!!
45 // workaround: restore MTU on the bridge device 45 // workaround: restore MTU on the bridge device
46 // todo: put a real fix in 46 // todo: put a real fix in
@@ -82,7 +82,7 @@ void net_bridge_add_interface(const char *bridge, const char *dev) {
82// bring interface up 82// bring interface up
83void net_if_up(const char *ifname) { 83void net_if_up(const char *ifname) {
84 check_if_name(ifname); 84 check_if_name(ifname);
85 85
86 int sock = socket(AF_INET,SOCK_DGRAM,0); 86 int sock = socket(AF_INET,SOCK_DGRAM,0);
87 if (sock < 0) 87 if (sock < 0)
88 errExit("socket"); 88 errExit("socket");
@@ -139,8 +139,8 @@ int net_get_mtu(const char *ifname) {
139 if (ioctl(s, SIOCGIFMTU, (caddr_t)&ifr) == 0) 139 if (ioctl(s, SIOCGIFMTU, (caddr_t)&ifr) == 0)
140 mtu = ifr.ifr_mtu; 140 mtu = ifr.ifr_mtu;
141 close(s); 141 close(s);
142 142
143 143
144 return mtu; 144 return mtu;
145} 145}
146 146
@@ -197,7 +197,7 @@ void net_ifprint(int scan) {
197 sprintf(ipstr, "%d.%d.%d.%d", PRINT_IP(ip)); 197 sprintf(ipstr, "%d.%d.%d.%d", PRINT_IP(ip));
198 char maskstr[30]; 198 char maskstr[30];
199 sprintf(maskstr, "%d.%d.%d.%d", PRINT_IP(mask)); 199 sprintf(maskstr, "%d.%d.%d.%d", PRINT_IP(mask));
200 200
201 // mac address 201 // mac address
202 unsigned char mac[6]; 202 unsigned char mac[6];
203 net_get_mac(ifa->ifa_name, mac); 203 net_get_mac(ifa->ifa_name, mac);
@@ -207,7 +207,7 @@ void net_ifprint(int scan) {
207 else 207 else
208 sprintf(macstr, "%02x:%02x:%02x:%02x:%02x:%02x", PRINT_MAC(mac)); 208 sprintf(macstr, "%02x:%02x:%02x:%02x:%02x:%02x", PRINT_MAC(mac));
209 209
210 // print 210 // print
211 printf("%-17.17s%-19.19s%-17.17s%-17.17s%-6.6s\n", 211 printf("%-17.17s%-19.19s%-17.17s%-17.17s%-6.6s\n",
212 ifa->ifa_name, macstr, ipstr, maskstr, status); 212 ifa->ifa_name, macstr, ipstr, maskstr, status);
213 213
@@ -240,7 +240,7 @@ int net_get_mac(const char *ifname, unsigned char mac[6]) {
240 memset(&ifr, 0, sizeof(ifr)); 240 memset(&ifr, 0, sizeof(ifr));
241 strncpy(ifr.ifr_name, ifname, IFNAMSIZ); 241 strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
242 ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER; 242 ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER;
243 243
244 if (ioctl(sock, SIOCGIFHWADDR, &ifr) == -1) 244 if (ioctl(sock, SIOCGIFHWADDR, &ifr) == -1)
245 errExit("ioctl"); 245 errExit("ioctl");
246 memcpy(mac, ifr.ifr_hwaddr.sa_data, 6); 246 memcpy(mac, ifr.ifr_hwaddr.sa_data, 6);
@@ -262,7 +262,7 @@ void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) {
262 ifr.ifr_addr.sa_family = AF_INET; 262 ifr.ifr_addr.sa_family = AF_INET;
263 263
264 ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr = htonl(ip); 264 ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr = htonl(ip);
265 if (ioctl( sock, SIOCSIFADDR, &ifr ) < 0) 265 if (ioctl( sock, SIOCSIFADDR, &ifr ) < 0)
266 errExit("ioctl"); 266 errExit("ioctl");
267 267
268 if (ip != 0) { 268 if (ip != 0) {
@@ -270,7 +270,7 @@ void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) {
270 if (ioctl( sock, SIOCSIFNETMASK, &ifr ) < 0) 270 if (ioctl( sock, SIOCSIFNETMASK, &ifr ) < 0)
271 errExit("ioctl"); 271 errExit("ioctl");
272 } 272 }
273 273
274 // configure mtu 274 // configure mtu
275 if (mtu > 0) { 275 if (mtu > 0) {
276 ifr.ifr_mtu = mtu; 276 ifr.ifr_mtu = mtu;
@@ -295,7 +295,7 @@ int net_if_mac(const char *ifname, const unsigned char mac[6]) {
295 strncpy(ifr.ifr_name, ifname, IFNAMSIZ); 295 strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
296 ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER; 296 ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER;
297 memcpy(ifr.ifr_hwaddr.sa_data, mac, 6); 297 memcpy(ifr.ifr_hwaddr.sa_data, mac, 6);
298 298
299 if (ioctl(sock, SIOCSIFHWADDR, &ifr) == -1) 299 if (ioctl(sock, SIOCSIFHWADDR, &ifr) == -1)
300 errExit("ioctl"); 300 errExit("ioctl");
301 close(sock); 301 close(sock);
@@ -315,7 +315,7 @@ void net_if_ip6(const char *ifname, const char *addr6) {
315 fprintf(stderr, "Error fnet: invalid IPv6 address %s\n", addr6); 315 fprintf(stderr, "Error fnet: invalid IPv6 address %s\n", addr6);
316 exit(1); 316 exit(1);
317 } 317 }
318 318
319 // extract prefix 319 // extract prefix
320 unsigned long prefix; 320 unsigned long prefix;
321 char *ptr; 321 char *ptr;
@@ -367,6 +367,6 @@ void net_if_ip6(const char *ifname, const char *addr6) {
367 perror("ioctl SIOCSIFADDR"); 367 perror("ioctl SIOCSIFADDR");
368 exit(1); 368 exit(1);
369 } 369 }
370 370
371 close(sock); 371 close(sock);
372} 372}
diff --git a/src/fnet/main.c b/src/fnet/main.c
index 0c55f3141..f44760b5c 100644
--- a/src/fnet/main.c
+++ b/src/fnet/main.c
@@ -41,7 +41,7 @@ int i;
41for (i = 0; i < argc; i++) 41for (i = 0; i < argc; i++)
42 printf("*%s* ", argv[i]); 42 printf("*%s* ", argv[i]);
43printf("\n"); 43printf("\n");
44} 44}
45#endif 45#endif
46 if (argc < 2) { 46 if (argc < 2) {
47 usage(); 47 usage();
@@ -51,7 +51,7 @@ printf("\n");
51 char *quiet = getenv("FIREJAIL_QUIET"); 51 char *quiet = getenv("FIREJAIL_QUIET");
52 if (quiet && strcmp(quiet, "yes") == 0) 52 if (quiet && strcmp(quiet, "yes") == 0)
53 arg_quiet = 1; 53 arg_quiet = 1;
54 54
55 if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) { 55 if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) {
56 usage(); 56 usage();
57 return 0; 57 return 0;
diff --git a/src/fnet/veth.c b/src/fnet/veth.c
index 86d9d5190..d37c93a19 100644
--- a/src/fnet/veth.c
+++ b/src/fnet/veth.c
@@ -1,16 +1,16 @@
1/* code based on iproute2 ip/iplink.c, modified to be included in firejail project 1/* code based on iproute2 ip/iplink.c, modified to be included in firejail project
2 * 2 *
3 * Original source code: 3 * Original source code:
4 * 4 *
5 * Information: 5 * Information:
6 * http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2 6 * http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2
7 * 7 *
8 * Download: 8 * Download:
9 * http://www.kernel.org/pub/linux/utils/net/iproute2/ 9 * http://www.kernel.org/pub/linux/utils/net/iproute2/
10 * 10 *
11 * Repository: 11 * Repository:
12 * git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git 12 * git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git
13 * 13 *
14 * License: GPL v2 14 * License: GPL v2
15 * 15 *
16 * Original copyright header 16 * Original copyright header
@@ -112,7 +112,7 @@ int net_create_veth(const char *dev, const char *nsdev, unsigned pid) {
112 exit(2); 112 exit(2);
113 113
114 rtnl_close(&rth); 114 rtnl_close(&rth);
115 115
116 return 0; 116 return 0;
117} 117}
118 118
@@ -134,13 +134,13 @@ int net_create_macvlan(const char *dev, const char *parent, unsigned pid) {
134 req.n.nlmsg_flags = NLM_F_REQUEST|NLM_F_CREATE|NLM_F_EXCL; 134 req.n.nlmsg_flags = NLM_F_REQUEST|NLM_F_CREATE|NLM_F_EXCL;
135 req.n.nlmsg_type = RTM_NEWLINK; 135 req.n.nlmsg_type = RTM_NEWLINK;
136 req.i.ifi_family = 0; 136 req.i.ifi_family = 0;
137 137
138 // find parent ifindex 138 // find parent ifindex
139 int parent_ifindex = if_nametoindex(parent); 139 int parent_ifindex = if_nametoindex(parent);
140 if (parent_ifindex <= 0) { 140 if (parent_ifindex <= 0) {
141 fprintf(stderr, "Error: cannot find network device %s\n", parent); 141 fprintf(stderr, "Error: cannot find network device %s\n", parent);
142 exit(1); 142 exit(1);
143 } 143 }
144 144
145 // add parent 145 // add parent
146 addattr_l(&req.n, sizeof(req), IFLA_LINK, &parent_ifindex, 4); 146 addattr_l(&req.n, sizeof(req), IFLA_LINK, &parent_ifindex, 4);
@@ -148,7 +148,7 @@ int net_create_macvlan(const char *dev, const char *parent, unsigned pid) {
148 // add new interface name 148 // add new interface name
149 len = strlen(dev) + 1; 149 len = strlen(dev) + 1;
150 addattr_l(&req.n, sizeof(req), IFLA_IFNAME, dev, len); 150 addattr_l(&req.n, sizeof(req), IFLA_IFNAME, dev, len);
151 151
152 // place the interface in child namespace 152 // place the interface in child namespace
153 addattr_l (&req.n, sizeof(req), IFLA_NET_NS_PID, &pid, 4); 153 addattr_l (&req.n, sizeof(req), IFLA_NET_NS_PID, &pid, 4);
154 154
@@ -176,7 +176,7 @@ int net_create_macvlan(const char *dev, const char *parent, unsigned pid) {
176 exit(2); 176 exit(2);
177 177
178 rtnl_close(&rth); 178 rtnl_close(&rth);
179 179
180 return 0; 180 return 0;
181} 181}
182 182
@@ -197,7 +197,7 @@ int net_move_interface(const char *dev, unsigned pid) {
197 req.n.nlmsg_flags = NLM_F_REQUEST; 197 req.n.nlmsg_flags = NLM_F_REQUEST;
198 req.n.nlmsg_type = RTM_NEWLINK; 198 req.n.nlmsg_type = RTM_NEWLINK;
199 req.i.ifi_family = 0; 199 req.i.ifi_family = 0;
200 200
201 // find ifindex 201 // find ifindex
202 int ifindex = if_nametoindex(dev); 202 int ifindex = if_nametoindex(dev);
203 if (ifindex <= 0) { 203 if (ifindex <= 0) {
@@ -205,7 +205,7 @@ int net_move_interface(const char *dev, unsigned pid) {
205 exit(1); 205 exit(1);
206 } 206 }
207 req.i.ifi_index = ifindex; 207 req.i.ifi_index = ifindex;
208 208
209 // place the interface in child namespace 209 // place the interface in child namespace
210 addattr_l (&req.n, sizeof(req), IFLA_NET_NS_PID, &pid, 4); 210 addattr_l (&req.n, sizeof(req), IFLA_NET_NS_PID, &pid, 4);
211 211
@@ -214,7 +214,7 @@ int net_move_interface(const char *dev, unsigned pid) {
214 exit(2); 214 exit(2);
215 215
216 rtnl_close(&rth); 216 rtnl_close(&rth);
217 217
218 return 0; 218 return 0;
219} 219}
220 220
@@ -233,4 +233,4 @@ int main(int argc, char **argv) {
233 233
234 return 0; 234 return 0;
235} 235}
236*/ \ No newline at end of file 236*/
diff --git a/src/fseccomp/Makefile.in b/src/fseccomp/Makefile.in
index 04c46f128..13025fbca 100644
--- a/src/fseccomp/Makefile.in
+++ b/src/fseccomp/Makefile.in
@@ -42,4 +42,3 @@ clean:; rm -f *.o fseccomp *.gcov *.gcda *.gcno
42 42
43distclean: clean 43distclean: clean
44 rm -fr Makefile 44 rm -fr Makefile
45
diff --git a/src/fseccomp/errno.c b/src/fseccomp/errno.c
index 3e92a1f9d..e5cd4e226 100644
--- a/src/fseccomp/errno.c
+++ b/src/fseccomp/errno.c
@@ -167,7 +167,7 @@ static ErrnoEntry errnolist[] = {
167 {"ENOTSUP", ENOTSUP}, 167 {"ENOTSUP", ENOTSUP},
168#ifdef ENOATTR 168#ifdef ENOATTR
169 {"ENOATTR", ENOATTR}, 169 {"ENOATTR", ENOATTR},
170#endif 170#endif
171}; 171};
172 172
173int errno_find_name(const char *name) { 173int errno_find_name(const char *name) {
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index 7e0239a5f..e322b5bbb 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -46,7 +46,7 @@ int i;
46for (i = 0; i < argc; i++) 46for (i = 0; i < argc; i++)
47 printf("*%s* ", argv[i]); 47 printf("*%s* ", argv[i]);
48printf("\n"); 48printf("\n");
49} 49}
50#endif 50#endif
51 if (argc < 2) { 51 if (argc < 2) {
52 usage(); 52 usage();
@@ -56,7 +56,7 @@ printf("\n");
56 char *quiet = getenv("FIREJAIL_QUIET"); 56 char *quiet = getenv("FIREJAIL_QUIET");
57 if (quiet && strcmp(quiet, "yes") == 0) 57 if (quiet && strcmp(quiet, "yes") == 0)
58 arg_quiet = 1; 58 arg_quiet = 1;
59 59
60 if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) { 60 if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) {
61 usage(); 61 usage();
62 return 0; 62 return 0;
@@ -71,7 +71,7 @@ printf("\n");
71 protocol_build_filter(argv[3], argv[4]); 71 protocol_build_filter(argv[3], argv[4]);
72 else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "64") == 0) 72 else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "64") == 0)
73 seccomp_secondary_64(argv[3]); 73 seccomp_secondary_64(argv[3]);
74 else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "32") == 0) 74 else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "32") == 0)
75 seccomp_secondary_32(argv[3]); 75 seccomp_secondary_32(argv[3]);
76 else if (argc == 3 && strcmp(argv[1], "default") == 0) 76 else if (argc == 3 && strcmp(argv[1], "default") == 0)
77 seccomp_default(argv[2], 0); 77 seccomp_default(argv[2], 0);
@@ -95,4 +95,4 @@ printf("\n");
95 } 95 }
96 96
97 return 0; 97 return 0;
98} \ No newline at end of file 98}
diff --git a/src/fseccomp/protocol.c b/src/fseccomp/protocol.c
index 4a0fadb3c..43bc3d562 100644
--- a/src/fseccomp/protocol.c
+++ b/src/fseccomp/protocol.c
@@ -87,7 +87,7 @@ static struct sock_filter *find_protocol_domain(const char *p) {
87 } 87 }
88 88
89 return NULL; 89 return NULL;
90} 90}
91#endif 91#endif
92 92
93void protocol_print(void) { 93void protocol_print(void) {
@@ -119,7 +119,7 @@ void protocol_build_filter(const char *prlist, const char *fname) {
119 struct sock_filter filter[32]; // big enough 119 struct sock_filter filter[32]; // big enough
120 memset(&filter[0], 0, sizeof(filter)); 120 memset(&filter[0], 0, sizeof(filter));
121 uint8_t *ptr = (uint8_t *) &filter[0]; 121 uint8_t *ptr = (uint8_t *) &filter[0];
122 122
123 // header 123 // header
124 struct sock_filter filter_start[] = { 124 struct sock_filter filter_start[] = {
125 VALIDATE_ARCHITECTURE, 125 VALIDATE_ARCHITECTURE,
@@ -153,7 +153,7 @@ printf("whitelist_len %u, struct sock_filter len %u\n", whitelist_len, (unsigned
153 char *token = strtok(tmplist, ","); 153 char *token = strtok(tmplist, ",");
154 if (!token) 154 if (!token)
155 errExit("strtok"); 155 errExit("strtok");
156 156
157 while (token) { 157 while (token) {
158 struct sock_filter *domain = find_protocol_domain(token); 158 struct sock_filter *domain = find_protocol_domain(token);
159 if (domain == NULL) { 159 if (domain == NULL) {
@@ -179,7 +179,7 @@ printf("entries %u\n", (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (uns
179#endif 179#endif
180 180
181 181
182 } 182 }
183 free(tmplist); 183 free(tmplist);
184 184
185 // add end of filter 185 // add end of filter
@@ -201,14 +201,14 @@ printf("entries %u\n", (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (uns
201 } 201 }
202 printf("\n"); 202 printf("\n");
203} 203}
204#endif 204#endif
205 // save filter to file 205 // save filter to file
206 int dst = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); 206 int dst = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
207 if (dst < 0) { 207 if (dst < 0) {
208 fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname); 208 fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
209 exit(1); 209 exit(1);
210 } 210 }
211 211
212 int size = (int) ((uintptr_t) ptr - (uintptr_t) (filter)); 212 int size = (int) ((uintptr_t) ptr - (uintptr_t) (filter));
213 int written = 0; 213 int written = 0;
214 while (written < size) { 214 while (written < size) {
@@ -220,5 +220,5 @@ printf("entries %u\n", (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (uns
220 written += rv; 220 written += rv;
221 } 221 }
222 close(dst); 222 close(dst);
223#endif // SYS_socket 223#endif // SYS_socket
224} 224}
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index 25a151a78..c12edfd90 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -257,7 +257,7 @@ void seccomp_default(const char *fname, int allow_debuggers) {
257 filter_init(fd); 257 filter_init(fd);
258 add_default_list(fd, allow_debuggers); 258 add_default_list(fd, allow_debuggers);
259 filter_end_blacklist(fd); 259 filter_end_blacklist(fd);
260 260
261 // close file 261 // close file
262 close(fd); 262 close(fd);
263} 263}
@@ -281,7 +281,7 @@ void seccomp_drop(const char *fname, char *list, int allow_debuggers) {
281 exit(1); 281 exit(1);
282 } 282 }
283 filter_end_blacklist(fd); 283 filter_end_blacklist(fd);
284 284
285 // close file 285 // close file
286 close(fd); 286 close(fd);
287} 287}
@@ -305,7 +305,7 @@ void seccomp_default_drop(const char *fname, char *list, int allow_debuggers) {
305 exit(1); 305 exit(1);
306 } 306 }
307 filter_end_blacklist(fd); 307 filter_end_blacklist(fd);
308 308
309 // close file 309 // close file
310 close(fd); 310 close(fd);
311} 311}
@@ -326,15 +326,14 @@ void seccomp_keep(const char *fname, char *list) {
326 filter_add_whitelist(fd, SYS_setgroups, 0); 326 filter_add_whitelist(fd, SYS_setgroups, 0);
327 filter_add_whitelist(fd, SYS_dup, 0); 327 filter_add_whitelist(fd, SYS_dup, 0);
328 filter_add_whitelist(fd, SYS_prctl, 0); 328 filter_add_whitelist(fd, SYS_prctl, 0);
329 329
330 if (syscall_check_list(list, filter_add_whitelist, fd, 0)) { 330 if (syscall_check_list(list, filter_add_whitelist, fd, 0)) {
331 fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n"); 331 fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
332 exit(1); 332 exit(1);
333 } 333 }
334 334
335 filter_end_whitelist(fd); 335 filter_end_whitelist(fd);
336 336
337 // close file 337 // close file
338 close(fd); 338 close(fd);
339} 339}
340
diff --git a/src/fseccomp/seccomp_file.c b/src/fseccomp/seccomp_file.c
index d706b3359..c1e8d406f 100644
--- a/src/fseccomp/seccomp_file.c
+++ b/src/fseccomp/seccomp_file.c
@@ -24,7 +24,7 @@
24static void write_to_file(int fd, void *data, int size) { 24static void write_to_file(int fd, void *data, int size) {
25 assert(data); 25 assert(data);
26 assert(size); 26 assert(size);
27 27
28 int written = 0; 28 int written = 0;
29 while (written < size) { 29 while (written < size) {
30 int rv = write(fd, (unsigned char *) data + written, size - written); 30 int rv = write(fd, (unsigned char *) data + written, size - written);
@@ -69,7 +69,7 @@ void filter_init(int fd) {
69 69
70void filter_add_whitelist(int fd, int syscall, int arg) { 70void filter_add_whitelist(int fd, int syscall, int arg) {
71 (void) arg; 71 (void) arg;
72 72
73 struct sock_filter filter[] = { 73 struct sock_filter filter[] = {
74 WHITELIST(syscall) 74 WHITELIST(syscall)
75 }; 75 };
@@ -78,7 +78,7 @@ void filter_add_whitelist(int fd, int syscall, int arg) {
78 78
79void filter_add_blacklist(int fd, int syscall, int arg) { 79void filter_add_blacklist(int fd, int syscall, int arg) {
80 (void) arg; 80 (void) arg;
81 81
82 struct sock_filter filter[] = { 82 struct sock_filter filter[] = {
83 BLACKLIST(syscall) 83 BLACKLIST(syscall)
84 }; 84 };
@@ -105,4 +105,3 @@ void filter_end_whitelist(int fd) {
105 }; 105 };
106 write_to_file(fd, filter, sizeof(filter)); 106 write_to_file(fd, filter, sizeof(filter));
107} 107}
108
diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c
index d18f2efa5..67555e554 100644
--- a/src/fseccomp/seccomp_print.c
+++ b/src/fseccomp/seccomp_print.c
@@ -26,7 +26,7 @@ static int filter_cnt = 0;
26 26
27static void load_seccomp(const char *fname) { 27static void load_seccomp(const char *fname) {
28 assert(fname); 28 assert(fname);
29 29
30 // open filter file 30 // open filter file
31 int fd = open(fname, O_RDONLY); 31 int fd = open(fname, O_RDONLY);
32 if (fd == -1) 32 if (fd == -1)
@@ -40,7 +40,7 @@ static void load_seccomp(const char *fname) {
40 goto errexit; 40 goto errexit;
41 unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter); 41 unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter);
42 filter_cnt = entries; 42 filter_cnt = entries;
43 43
44 // read filter 44 // read filter
45 filter = malloc(size); 45 filter = malloc(size);
46 if (filter == NULL) 46 if (filter == NULL)
@@ -53,7 +53,7 @@ static void load_seccomp(const char *fname) {
53 goto errexit; 53 goto errexit;
54 rd += rv; 54 rd += rv;
55 } 55 }
56 56
57 // close file 57 // close file
58 close(fd); 58 close(fd);
59 return; 59 return;
@@ -67,7 +67,7 @@ errexit:
67void filter_print(const char *fname) { 67void filter_print(const char *fname) {
68 assert(fname); 68 assert(fname);
69 load_seccomp(fname); 69 load_seccomp(fname);
70 70
71 // start filter 71 // start filter
72 struct sock_filter start[] = { 72 struct sock_filter start[] = {
73 VALIDATE_ARCHITECTURE, 73 VALIDATE_ARCHITECTURE,
@@ -86,7 +86,7 @@ void filter_print(const char *fname) {
86 printf("Invalid seccomp filter %s\n", fname); 86 printf("Invalid seccomp filter %s\n", fname);
87 return; 87 return;
88 } 88 }
89 89
90 // loop trough blacklists 90 // loop trough blacklists
91 int i = 4; 91 int i = 4;
92 while (i < filter_cnt) { 92 while (i < filter_cnt) {
diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c
index 79c85eb75..8270b7018 100644
--- a/src/fseccomp/seccomp_secondary.c
+++ b/src/fseccomp/seccomp_secondary.c
@@ -28,7 +28,7 @@ void seccomp_secondary_64(const char *fname) {
28 EXAMINE_SYSCALL, 28 EXAMINE_SYSCALL,
29 BLACKLIST(165), // mount 29 BLACKLIST(165), // mount
30 BLACKLIST(166), // umount2 30 BLACKLIST(166), // umount2
31// todo: implement --allow-debuggers 31// todo: implement --allow-debuggers
32 BLACKLIST(101), // ptrace 32 BLACKLIST(101), // ptrace
33 BLACKLIST(246), // kexec_load 33 BLACKLIST(246), // kexec_load
34 BLACKLIST(304), // open_by_handle_at 34 BLACKLIST(304), // open_by_handle_at
@@ -77,7 +77,7 @@ void seccomp_secondary_64(const char *fname) {
77 BLACKLIST(169), // reboot 77 BLACKLIST(169), // reboot
78 BLACKLIST(180), // nfsservctl 78 BLACKLIST(180), // nfsservctl
79 BLACKLIST(177), // get_kernel_syms 79 BLACKLIST(177), // get_kernel_syms
80 80
81 RETURN_ALLOW 81 RETURN_ALLOW
82 }; 82 };
83 83
@@ -87,7 +87,7 @@ void seccomp_secondary_64(const char *fname) {
87 fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname); 87 fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
88 exit(1); 88 exit(1);
89 } 89 }
90 90
91 int size = (int) sizeof(filter); 91 int size = (int) sizeof(filter);
92 int written = 0; 92 int written = 0;
93 while (written < size) { 93 while (written < size) {
@@ -109,7 +109,7 @@ void seccomp_secondary_32(const char *fname) {
109 EXAMINE_SYSCALL, 109 EXAMINE_SYSCALL,
110 BLACKLIST(21), // mount 110 BLACKLIST(21), // mount
111 BLACKLIST(52), // umount2 111 BLACKLIST(52), // umount2
112// todo: implement --allow-debuggers 112// todo: implement --allow-debuggers
113 BLACKLIST(26), // ptrace 113 BLACKLIST(26), // ptrace
114 BLACKLIST(283), // kexec_load 114 BLACKLIST(283), // kexec_load
115 BLACKLIST(341), // name_to_handle_at 115 BLACKLIST(341), // name_to_handle_at
@@ -157,7 +157,7 @@ void seccomp_secondary_32(const char *fname) {
157 BLACKLIST(88), // reboot 157 BLACKLIST(88), // reboot
158 BLACKLIST(169), // nfsservctl 158 BLACKLIST(169), // nfsservctl
159 BLACKLIST(130), // get_kernel_syms 159 BLACKLIST(130), // get_kernel_syms
160 160
161 RETURN_ALLOW 161 RETURN_ALLOW
162 }; 162 };
163 163
@@ -167,7 +167,7 @@ void seccomp_secondary_32(const char *fname) {
167 fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname); 167 fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
168 exit(1); 168 exit(1);
169 } 169 }
170 170
171 int size = (int) sizeof(filter); 171 int size = (int) sizeof(filter);
172 int written = 0; 172 int written = 0;
173 while (written < size) { 173 while (written < size) {
@@ -180,4 +180,3 @@ void seccomp_secondary_32(const char *fname) {
180 } 180 }
181 close(dst); 181 close(dst);
182} 182}
183
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c
index b86c1c489..0a86dade0 100644
--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -43,7 +43,7 @@ int syscall_find_name(const char *name) {
43 if (strcmp(name, syslist[i].name) == 0) 43 if (strcmp(name, syslist[i].name) == 0)
44 return syslist[i].nr; 44 return syslist[i].nr;
45 } 45 }
46 46
47 return -1; 47 return -1;
48} 48}
49 49
@@ -54,7 +54,7 @@ char *syscall_find_nr(int nr) {
54 if (nr == syslist[i].nr) 54 if (nr == syslist[i].nr)
55 return syslist[i].name; 55 return syslist[i].name;
56 } 56 }
57 57
58 return "unknown"; 58 return "unknown";
59} 59}
60 60
@@ -75,7 +75,7 @@ static void syscall_process_name(const char *name, int *syscall_nr, int *error_n
75 if (strlen(name) == 0) 75 if (strlen(name) == 0)
76 goto error; 76 goto error;
77 *error_nr = -1; 77 *error_nr = -1;
78 78
79 // syntax check 79 // syntax check
80 char *str = strdup(name); 80 char *str = strdup(name);
81 if (!str) 81 if (!str)
@@ -101,7 +101,7 @@ static void syscall_process_name(const char *name, int *syscall_nr, int *error_n
101 101
102 free(str); 102 free(str);
103 return; 103 return;
104 104
105error: 105error:
106 fprintf(stderr, "Error fseccomp: invalid syscall list entry %s\n", name); 106 fprintf(stderr, "Error fseccomp: invalid syscall list entry %s\n", name);
107 exit(1); 107 exit(1);
@@ -142,7 +142,7 @@ int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall,
142 } 142 }
143 ptr = strtok(NULL, ","); 143 ptr = strtok(NULL, ",");
144 } 144 }
145 145
146 free(str); 146 free(str);
147 return 0; 147 return 0;
148} 148}
diff --git a/src/fshaper/fshaper.sh b/src/fshaper/fshaper.sh
index 4045fd5a4..470137895 100755
--- a/src/fshaper/fshaper.sh
+++ b/src/fshaper/fshaper.sh
@@ -19,13 +19,13 @@ if [ "$1" = "--clear" ]; then
19 usage 19 usage
20 exit 20 exit
21 fi 21 fi
22 22
23 DEV=$2 23 DEV=$2
24 echo "Removing bandwith limits" 24 echo "Removing bandwith limits"
25 /sbin/tc qdisc del dev $DEV root 2> /dev/null > /dev/null 25 /sbin/tc qdisc del dev $DEV root 2> /dev/null > /dev/null
26 /sbin/tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null 26 /sbin/tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null
27 exit 27 exit
28 28
29fi 29fi
30 30
31if [ "$1" = "--set" ]; then 31if [ "$1" = "--set" ]; then
@@ -38,22 +38,22 @@ if [ "$1" = "--set" ]; then
38 usage 38 usage
39 exit 39 exit
40 fi 40 fi
41 41
42 DEV=$2 42 DEV=$2
43 echo "Configuring interface $DEV " 43 echo "Configuring interface $DEV "
44 44
45 IN=$3 45 IN=$3
46 IN=$((${IN} * 8)) 46 IN=$((${IN} * 8))
47 echo "Download speed ${IN}kbps" 47 echo "Download speed ${IN}kbps"
48 48
49 OUT=$4 49 OUT=$4
50 OUT=$((${OUT} * 8)) 50 OUT=$((${OUT} * 8))
51 echo "Upload speed ${OUT}kbps" 51 echo "Upload speed ${OUT}kbps"
52 52
53 echo "cleaning limits" 53 echo "cleaning limits"
54 /sbin/tc qdisc del dev $DEV root 2> /dev/null > /dev/null 54 /sbin/tc qdisc del dev $DEV root 2> /dev/null > /dev/null
55 /sbin/tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null 55 /sbin/tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null
56 56
57 echo "configuring tc ingress" 57 echo "configuring tc ingress"
58 /sbin/tc qdisc add dev $DEV handle ffff: ingress #2> /dev/null > /dev/null 58 /sbin/tc qdisc add dev $DEV handle ffff: ingress #2> /dev/null > /dev/null
59 /sbin/tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \ 59 /sbin/tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \
@@ -63,7 +63,7 @@ if [ "$1" = "--set" ]; then
63 /sbin/tc qdisc add dev $DEV root tbf rate ${OUT}kbit latency 25ms burst 10k #2> /dev/null > /dev/null 63 /sbin/tc qdisc add dev $DEV root tbf rate ${OUT}kbit latency 25ms burst 10k #2> /dev/null > /dev/null
64 exit 64 exit
65fi 65fi
66 66
67echo "Error: missing parameters" 67echo "Error: missing parameters"
68usage 68usage
69exit 1 69exit 1
diff --git a/src/ftee/Makefile.in b/src/ftee/Makefile.in
index ad508cadd..0f14a7bd4 100644
--- a/src/ftee/Makefile.in
+++ b/src/ftee/Makefile.in
@@ -24,4 +24,3 @@ clean:; rm -f *.o ftee *.gcov *.gcda *.gcno
24 24
25distclean: clean 25distclean: clean
26 rm -fr Makefile 26 rm -fr Makefile
27
diff --git a/src/ftee/ftee.h b/src/ftee/ftee.h
index b663f1f38..5070cf12e 100644
--- a/src/ftee/ftee.h
+++ b/src/ftee/ftee.h
@@ -21,4 +21,4 @@
21#define FTEE_H 21#define FTEE_H
22#include "../include/common.h" 22#include "../include/common.h"
23 23
24#endif \ No newline at end of file 24#endif
diff --git a/src/ftee/main.c b/src/ftee/main.c
index d425be07c..2628a77c5 100644
--- a/src/ftee/main.c
+++ b/src/ftee/main.c
@@ -47,7 +47,7 @@ static void log_rotate(const char *fname) {
47 strcpy(name1, fname); 47 strcpy(name1, fname);
48 strcpy(name2, fname); 48 strcpy(name2, fname);
49 fflush(0); 49 fflush(0);
50 50
51 // delete filename.5 51 // delete filename.5
52 sprintf(name1 + index, ".5"); 52 sprintf(name1 + index, ".5");
53 if (stat(name1, &s) == 0) { 53 if (stat(name1, &s) == 0) {
@@ -55,7 +55,7 @@ static void log_rotate(const char *fname) {
55 if (rv == -1) 55 if (rv == -1)
56 perror("unlink"); 56 perror("unlink");
57 } 57 }
58 58
59 // move files 1 to 4 down one position 59 // move files 1 to 4 down one position
60 sprintf(name2 + index, ".4"); 60 sprintf(name2 + index, ".4");
61 if (stat(name2, &s) == 0) { 61 if (stat(name2, &s) == 0) {
@@ -96,14 +96,14 @@ static void log_rotate(const char *fname) {
96 if (rv == -1) 96 if (rv == -1)
97 perror("rename"); 97 perror("rename");
98 } 98 }
99 99
100 free(name1); 100 free(name1);
101 free(name2); 101 free(name2);
102} 102}
103 103
104static void log_write(const unsigned char *str, int len, const char *fname) { 104static void log_write(const unsigned char *str, int len, const char *fname) {
105 assert(fname); 105 assert(fname);
106 106
107 if (out_fp == NULL) { 107 if (out_fp == NULL) {
108 out_fp = fopen(fname, "w"); 108 out_fp = fopen(fname, "w");
109 if (!out_fp) { 109 if (!out_fp) {
@@ -112,7 +112,7 @@ static void log_write(const unsigned char *str, int len, const char *fname) {
112 } 112 }
113 out_cnt = 0; 113 out_cnt = 0;
114 } 114 }
115 115
116 // rotate files 116 // rotate files
117 out_cnt += len; 117 out_cnt += len;
118 if (out_cnt >= out_max) { 118 if (out_cnt >= out_max) {
@@ -127,9 +127,9 @@ static void log_write(const unsigned char *str, int len, const char *fname) {
127 exit(1); 127 exit(1);
128 } 128 }
129 out_cnt = len; 129 out_cnt = len;
130 } 130 }
131 131
132 fwrite(str, len, 1, out_fp); 132 fwrite(str, len, 1, out_fp);
133 fflush(0); 133 fflush(0);
134} 134}
135 135
@@ -139,7 +139,7 @@ static int is_dir(const char *fname) {
139 assert(fname); 139 assert(fname);
140 if (*fname == '\0') 140 if (*fname == '\0')
141 return 0; 141 return 0;
142 142
143 // if fname doesn't end in '/', add one 143 // if fname doesn't end in '/', add one
144 int rv; 144 int rv;
145 struct stat s; 145 struct stat s;
@@ -150,14 +150,14 @@ static int is_dir(const char *fname) {
150 if (asprintf(&tmp, "%s/", fname) == -1) { 150 if (asprintf(&tmp, "%s/", fname) == -1) {
151 fprintf(stderr, "Error: cannot allocate memory, %s:%d\n", __FILE__, __LINE__); 151 fprintf(stderr, "Error: cannot allocate memory, %s:%d\n", __FILE__, __LINE__);
152 exit(1); 152 exit(1);
153 } 153 }
154 rv = stat(tmp, &s); 154 rv = stat(tmp, &s);
155 free(tmp); 155 free(tmp);
156 } 156 }
157 157
158 if (rv == -1) 158 if (rv == -1)
159 return 0; 159 return 0;
160 160
161 if (S_ISDIR(s.st_mode)) 161 if (S_ISDIR(s.st_mode))
162 return 1; 162 return 1;
163 163
@@ -199,13 +199,13 @@ int main(int argc, char **argv) {
199 // do not accept directories, links, and files with ".." 199 // do not accept directories, links, and files with ".."
200 if (strstr(fname, "..") || is_link(fname) || is_dir(fname)) 200 if (strstr(fname, "..") || is_link(fname) || is_dir(fname))
201 goto errexit; 201 goto errexit;
202 202
203 struct stat s; 203 struct stat s;
204 if (stat(fname, &s) == 0) { 204 if (stat(fname, &s) == 0) {
205 // check permissions 205 // check permissions
206 if (s.st_uid != getuid() || s.st_gid != getgid()) 206 if (s.st_uid != getuid() || s.st_gid != getgid())
207 goto errexit; 207 goto errexit;
208 208
209 // check hard links 209 // check hard links
210 if (s.st_nlink != 1) 210 if (s.st_nlink != 1)
211 goto errexit; 211 goto errexit;
@@ -229,11 +229,11 @@ int main(int argc, char **argv) {
229 continue; 229 continue;
230 if (n <= 0) 230 if (n <= 0)
231 break; 231 break;
232 232
233 fwrite(buf, n, 1, stdout); 233 fwrite(buf, n, 1, stdout);
234 log_write(buf, n, fname); 234 log_write(buf, n, fname);
235 } 235 }
236 236
237 log_close(); 237 log_close();
238 return 0; 238 return 0;
239 239
diff --git a/src/include/common.h b/src/include/common.h
index 7067ae68c..5a5ff67d1 100644
--- a/src/include/common.h
+++ b/src/include/common.h
@@ -64,7 +64,7 @@ static inline int atoip(const char *str, uint32_t *ip) {
64 64
65 if (sscanf(str, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 || a > 255 || b > 255 || c > 255 || d > 255) 65 if (sscanf(str, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 || a > 255 || b > 255 || c > 255 || d > 255)
66 return 1; 66 return 1;
67 67
68 *ip = a * 0x1000000 + b * 0x10000 + c * 0x100 + d; 68 *ip = a * 0x1000000 + b * 0x10000 + c * 0x100 + d;
69 return 0; 69 return 0;
70} 70}
@@ -91,7 +91,7 @@ static inline int atomac(char *str, unsigned char macAddr[6]) {
91 for (i = 0; i < 6; i++) { 91 for (i = 0; i < 6; i++) {
92 if (mac[i] > 0xff) 92 if (mac[i] > 0xff)
93 return 1; 93 return 1;
94 94
95 macAddr[i] = (unsigned char) mac[i]; 95 macAddr[i] = (unsigned char) mac[i];
96 } 96 }
97 97
@@ -105,16 +105,16 @@ static inline int mac_not_zero(const unsigned char mac[6]) {
105 if (mac[i] != 0) 105 if (mac[i] != 0)
106 return 1; 106 return 1;
107 } 107 }
108 108
109 return 0; 109 return 0;
110} 110}
111 111
112// rtdsc timestamp on x86-64/amd64 processors 112// rtdsc timestamp on x86-64/amd64 processors
113static inline unsigned long long getticks(void) { 113static inline unsigned long long getticks(void) {
114#if defined(__x86_64__) 114#if defined(__x86_64__)
115 unsigned a, d; 115 unsigned a, d;
116 asm volatile("rdtsc" : "=a" (a), "=d" (d)); 116 asm volatile("rdtsc" : "=a" (a), "=d" (d));
117 return ((unsigned long long)a) | (((unsigned long long)d) << 32); 117 return ((unsigned long long)a) | (((unsigned long long)d) << 32);
118#elif defined(__i386__) 118#elif defined(__i386__)
119 unsigned long long ret; 119 unsigned long long ret;
120 __asm__ __volatile__("rdtsc" : "=A" (ret)); 120 __asm__ __volatile__("rdtsc" : "=A" (ret));
diff --git a/src/include/libnetlink.h b/src/include/libnetlink.h
index 7ff5d01b6..01fd2675d 100644
--- a/src/include/libnetlink.h
+++ b/src/include/libnetlink.h
@@ -1,16 +1,16 @@
1/* file extracted from iproute2 software package 1/* file extracted from iproute2 software package
2 * 2 *
3 * Original source code: 3 * Original source code:
4 * 4 *
5 * Information: 5 * Information:
6 * http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2 6 * http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2
7 * 7 *
8 * Download: 8 * Download:
9 * http://www.kernel.org/pub/linux/utils/net/iproute2/ 9 * http://www.kernel.org/pub/linux/utils/net/iproute2/
10 * 10 *
11 * Repository: 11 * Repository:
12 * git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git 12 * git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git
13 * 13 *
14 * License: GPL v2 14 * License: GPL v2
15 */ 15 */
16 16
@@ -161,4 +161,3 @@ extern int rtnl_from_file(FILE *, rtnl_filter_t handler,
161#endif 161#endif
162 162
163#endif /* __LIBNETLINK_H__ */ 163#endif /* __LIBNETLINK_H__ */
164
diff --git a/src/include/syscall.h b/src/include/syscall.h
index 8852fcbd5..df9a03ffb 100644
--- a/src/include/syscall.h
+++ b/src/include/syscall.h
@@ -5144,4 +5144,3 @@
5144#endif 5144#endif
5145#endif 5145#endif
5146//#endif 5146//#endif
5147
diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in
index 5549aca11..06ba3fee9 100644
--- a/src/lib/Makefile.in
+++ b/src/lib/Makefile.in
@@ -10,7 +10,7 @@ C_FILE_LIST = $(sort $(wildcard *.c))
10OBJS = $(C_FILE_LIST:.c=.o) 10OBJS = $(C_FILE_LIST:.c=.o)
11BINOBJS = $(foreach file, $(OBJS), $file) 11BINOBJS = $(foreach file, $(OBJS), $file)
12CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security 12CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
13LDFLAGS:=-pic -Wl,-z,relro -Wl,-z,now 13LDFLAGS:=-pic -Wl,-z,relro -Wl,-z,now
14 14
15all: $(OBJS) 15all: $(OBJS)
16 16
diff --git a/src/lib/common.c b/src/lib/common.c
index 6f2cebf12..98cb48abf 100644
--- a/src/lib/common.c
+++ b/src/lib/common.c
@@ -37,7 +37,7 @@ int join_namespace(pid_t pid, char *type) {
37 char *path; 37 char *path;
38 if (asprintf(&path, "/proc/%u/ns/%s", pid, type) == -1) 38 if (asprintf(&path, "/proc/%u/ns/%s", pid, type) == -1)
39 errExit("asprintf"); 39 errExit("asprintf");
40 40
41 int fd = open(path, O_RDONLY); 41 int fd = open(path, O_RDONLY);
42 if (fd < 0) 42 if (fd < 0)
43 goto errout; 43 goto errout;
@@ -55,14 +55,14 @@ errout:
55 free(path); 55 free(path);
56 fprintf(stderr, "Error: cannot join namespace %s\\n", type); 56 fprintf(stderr, "Error: cannot join namespace %s\\n", type);
57 return -1; 57 return -1;
58 58
59} 59}
60 60
61// return 1 if error 61// return 1 if error
62// this function requires root access - todo: fix it! 62// this function requires root access - todo: fix it!
63int name2pid(const char *name, pid_t *pid) { 63int name2pid(const char *name, pid_t *pid) {
64 pid_t parent = getpid(); 64 pid_t parent = getpid();
65 65
66 DIR *dir; 66 DIR *dir;
67 if (!(dir = opendir("/proc"))) { 67 if (!(dir = opendir("/proc"))) {
68 // sleep 2 seconds and try again 68 // sleep 2 seconds and try again
@@ -72,7 +72,7 @@ int name2pid(const char *name, pid_t *pid) {
72 exit(1); 72 exit(1);
73 } 73 }
74 } 74 }
75 75
76 struct dirent *entry; 76 struct dirent *entry;
77 char *end; 77 char *end;
78 while ((entry = readdir(dir))) { 78 while ((entry = readdir(dir))) {
@@ -91,7 +91,7 @@ int name2pid(const char *name, pid_t *pid) {
91 } 91 }
92 free(comm); 92 free(comm);
93 } 93 }
94 94
95 // look for the sandbox name in /run/firejail/name/<PID> 95 // look for the sandbox name in /run/firejail/name/<PID>
96 // todo: use RUN_FIREJAIL_NAME_DIR define from src/firejail/firejail.h 96 // todo: use RUN_FIREJAIL_NAME_DIR define from src/firejail/firejail.h
97 char *fname; 97 char *fname;
@@ -249,10 +249,10 @@ int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid) {
249 break; 249 break;
250 if (strncmp(arg, "--", 2) != 0) 250 if (strncmp(arg, "--", 2) != 0)
251 break; 251 break;
252 252
253 if (strcmp(arg, "--x11=xorg") == 0) 253 if (strcmp(arg, "--x11=xorg") == 0)
254 return 0; 254 return 0;
255 255
256 // check x11 xpra or xephyr 256 // check x11 xpra or xephyr
257 if (strncmp(arg, "--x11", 5) == 0) 257 if (strncmp(arg, "--x11", 5) == 0)
258 return 1; 258 return 1;
@@ -267,7 +267,7 @@ int pid_hidepid(void) {
267 FILE *fp = fopen("/proc/mounts", "r"); 267 FILE *fp = fopen("/proc/mounts", "r");
268 if (!fp) 268 if (!fp)
269 return 1; 269 return 1;
270 270
271 char buf[BUFLEN]; 271 char buf[BUFLEN];
272 while (fgets(buf, BUFLEN, fp)) { 272 while (fgets(buf, BUFLEN, fp)) {
273 if (strstr(buf, "proc /proc proc")) { 273 if (strstr(buf, "proc /proc proc")) {
@@ -278,10 +278,7 @@ int pid_hidepid(void) {
278 return 0; 278 return 0;
279 } 279 }
280 } 280 }
281 281
282 fclose(fp); 282 fclose(fp);
283 return 0; 283 return 0;
284} 284}
285
286
287
diff --git a/src/lib/libnetlink.c b/src/lib/libnetlink.c
index 417ef2c5f..d2975bd57 100644
--- a/src/lib/libnetlink.c
+++ b/src/lib/libnetlink.c
@@ -1,16 +1,16 @@
1/* file extracted from iproute2 software package 1/* file extracted from iproute2 software package
2 * 2 *
3 * Original source code: 3 * Original source code:
4 * 4 *
5 * Information: 5 * Information:
6 * http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2 6 * http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2
7 * 7 *
8 * Download: 8 * Download:
9 * http://www.kernel.org/pub/linux/utils/net/iproute2/ 9 * http://www.kernel.org/pub/linux/utils/net/iproute2/
10 * 10 *
11 * Repository: 11 * Repository:
12 * git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git 12 * git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git
13 * 13 *
14 * License: GPL v2 14 * License: GPL v2
15 * 15 *
16 * Original copyright header 16 * Original copyright header
@@ -166,7 +166,7 @@ int rtnl_send_check(struct rtnl_handle *rth, const void *buf, int len)
166 struct nlmsgerr *err = (struct nlmsgerr*)NLMSG_DATA(h); 166 struct nlmsgerr *err = (struct nlmsgerr*)NLMSG_DATA(h);
167 if (h->nlmsg_len < NLMSG_LENGTH(sizeof(struct nlmsgerr))) 167 if (h->nlmsg_len < NLMSG_LENGTH(sizeof(struct nlmsgerr)))
168 fprintf(stderr, "ERROR truncated\n"); 168 fprintf(stderr, "ERROR truncated\n");
169 else 169 else
170 errno = -err->error; 170 errno = -err->error;
171 return -1; 171 return -1;
172 } 172 }
@@ -600,7 +600,7 @@ if (type == IFLA_LINK) {
600 for (i = 0; i < alen; i++) 600 for (i = 0; i < alen; i++)
601 printf("%02x, ", *((unsigned char *)data + i)); 601 printf("%02x, ", *((unsigned char *)data + i));
602 printf("\n"); 602 printf("\n");
603} 603}
604else if (type == IFLA_IFNAME) { 604else if (type == IFLA_IFNAME) {
605 printf("IFLA_IFNAME\n"); 605 printf("IFLA_IFNAME\n");
606 printf("\tdata - #%s#\n", data); 606 printf("\tdata - #%s#\n", data);
@@ -615,8 +615,8 @@ else if (type == IFLA_ADDRESS) {
615 printf("\n"); 615 printf("\n");
616} 616}
617else if (type == IFLA_BROADCAST) printf("IFLA_BROADCAST or IFLA_INFO_DATA\n"); 617else if (type == IFLA_BROADCAST) printf("IFLA_BROADCAST or IFLA_INFO_DATA\n");
618 618
619printf("\tdata length: %d\n", alen); 619printf("\tdata length: %d\n", alen);
620#endif 620#endif
621 621
622 int len = RTA_LENGTH(alen); 622 int len = RTA_LENGTH(alen);
diff --git a/src/lib/pid.c b/src/lib/pid.c
index 7ae5a8d3e..ed1e7b375 100644
--- a/src/lib/pid.c
+++ b/src/lib/pid.c
@@ -24,7 +24,7 @@
24#include <pwd.h> 24#include <pwd.h>
25#include <sys/ioctl.h> 25#include <sys/ioctl.h>
26#include <dirent.h> 26#include <dirent.h>
27 27
28#define PIDS_BUFLEN 4096 28#define PIDS_BUFLEN 4096
29//Process pids[max_pids]; 29//Process pids[max_pids];
30Process *pids = NULL; 30Process *pids = NULL;
@@ -36,14 +36,14 @@ void pid_getmem(unsigned pid, unsigned *rss, unsigned *shared) {
36 char *file; 36 char *file;
37 if (asprintf(&file, "/proc/%u/statm", pid) == -1) 37 if (asprintf(&file, "/proc/%u/statm", pid) == -1)
38 errExit("asprintf"); 38 errExit("asprintf");
39 39
40 FILE *fp = fopen(file, "r"); 40 FILE *fp = fopen(file, "r");
41 if (!fp) { 41 if (!fp) {
42 free(file); 42 free(file);
43 return; 43 return;
44 } 44 }
45 free(file); 45 free(file);
46 46
47 unsigned a, b, c; 47 unsigned a, b, c;
48 if (3 != fscanf(fp, "%u %u %u", &a, &b, &c)) { 48 if (3 != fscanf(fp, "%u %u %u", &a, &b, &c)) {
49 fclose(fp); 49 fclose(fp);
@@ -67,7 +67,7 @@ void pid_get_cpu_time(unsigned pid, unsigned *utime, unsigned *stime) {
67 return; 67 return;
68 } 68 }
69 free(file); 69 free(file);
70 70
71 char line[PIDS_BUFLEN]; 71 char line[PIDS_BUFLEN];
72 if (fgets(line, PIDS_BUFLEN - 1, fp)) { 72 if (fgets(line, PIDS_BUFLEN - 1, fp)) {
73 char *ptr = line; 73 char *ptr = line;
@@ -84,7 +84,7 @@ void pid_get_cpu_time(unsigned pid, unsigned *utime, unsigned *stime) {
84 goto myexit; 84 goto myexit;
85 } 85 }
86 86
87myexit: 87myexit:
88 fclose(fp); 88 fclose(fp);
89} 89}
90 90
@@ -100,7 +100,7 @@ unsigned long long pid_get_start_time(unsigned pid) {
100 return 0; 100 return 0;
101 } 101 }
102 free(file); 102 free(file);
103 103
104 char line[PIDS_BUFLEN]; 104 char line[PIDS_BUFLEN];
105 unsigned long long retval = 0; 105 unsigned long long retval = 0;
106 if (fgets(line, PIDS_BUFLEN - 1, fp)) { 106 if (fgets(line, PIDS_BUFLEN - 1, fp)) {
@@ -117,7 +117,7 @@ unsigned long long pid_get_start_time(unsigned pid) {
117 if (1 != sscanf(ptr, "%llu", &retval)) 117 if (1 != sscanf(ptr, "%llu", &retval))
118 goto myexit; 118 goto myexit;
119 } 119 }
120 120
121myexit: 121myexit:
122 fclose(fp); 122 fclose(fp);
123 return retval; 123 return retval;
@@ -154,12 +154,12 @@ uid_t pid_get_uid(pid_t pid) {
154 } 154 }
155 if (*ptr == '\0') 155 if (*ptr == '\0')
156 goto doexit; 156 goto doexit;
157 157
158 rv = atoi(ptr); 158 rv = atoi(ptr);
159 break; // break regardless! 159 break; // break regardless!
160 } 160 }
161 } 161 }
162doexit: 162doexit:
163 fclose(fp); 163 fclose(fp);
164 free(file); 164 free(file);
165 return rv; 165 return rv;
@@ -187,7 +187,7 @@ static void print_elem(unsigned index, int nowrap) {
187 if (user ==NULL) 187 if (user ==NULL)
188 user = ""; 188 user = "";
189 if (cmd) { 189 if (cmd) {
190 if (col < 4 || nowrap) 190 if (col < 4 || nowrap)
191 printf("%s%u:%s:%s\n", indent, index, user, cmd); 191 printf("%s%u:%s:%s\n", indent, index, user, cmd);
192 else { 192 else {
193 char *out; 193 char *out;
@@ -201,7 +201,7 @@ static void print_elem(unsigned index, int nowrap) {
201 printf("%s", out); 201 printf("%s", out);
202 free(out); 202 free(out);
203 } 203 }
204 204
205 free(cmd); 205 free(cmd);
206 } 206 }
207 else { 207 else {
@@ -220,7 +220,7 @@ void pid_print_tree(unsigned index, unsigned parent, int nowrap) {
220 220
221 // Remove unused parameter warning 221 // Remove unused parameter warning
222 (void)parent; 222 (void)parent;
223 223
224 unsigned i; 224 unsigned i;
225 for (i = index + 1; i < (unsigned)max_pids; i++) { 225 for (i = index + 1; i < (unsigned)max_pids; i++) {
226 if (pids[i].parent == (pid_t)index) 226 if (pids[i].parent == (pid_t)index)
@@ -246,13 +246,13 @@ void pid_store_cpu(unsigned index, unsigned parent, unsigned *utime, unsigned *s
246 246
247 // Remove unused parameter warning 247 // Remove unused parameter warning
248 (void)parent; 248 (void)parent;
249 249
250 unsigned utmp = 0; 250 unsigned utmp = 0;
251 unsigned stmp = 0; 251 unsigned stmp = 0;
252 pid_get_cpu_time(index, &utmp, &stmp); 252 pid_get_cpu_time(index, &utmp, &stmp);
253 *utime += utmp; 253 *utime += utmp;
254 *stime += stmp; 254 *stime += stmp;
255 255
256 unsigned i; 256 unsigned i;
257 for (i = index + 1; i < (unsigned)max_pids; i++) { 257 for (i = index + 1; i < (unsigned)max_pids; i++) {
258 if (pids[i].parent == (pid_t)index) 258 if (pids[i].parent == (pid_t)index)
@@ -293,7 +293,7 @@ void pid_read(pid_t mon_pid) {
293 exit(1); 293 exit(1);
294 } 294 }
295 } 295 }
296 296
297 pid_t child = -1; 297 pid_t child = -1;
298 struct dirent *entry; 298 struct dirent *entry;
299 char *end; 299 char *end;
@@ -308,7 +308,7 @@ void pid_read(pid_t mon_pid) {
308 // skip PID 1 just in case we run a sandbox-in-sandbox 308 // skip PID 1 just in case we run a sandbox-in-sandbox
309 if (pid == 1) 309 if (pid == 1)
310 continue; 310 continue;
311 311
312 // open stat file 312 // open stat file
313 char *file; 313 char *file;
314 if (asprintf(&file, "/proc/%u/status", pid) == -1) 314 if (asprintf(&file, "/proc/%u/status", pid) == -1)
diff --git a/src/libtrace/Makefile.in b/src/libtrace/Makefile.in
index 9de0b40eb..93416cac6 100644
--- a/src/libtrace/Makefile.in
+++ b/src/libtrace/Makefile.in
@@ -8,7 +8,7 @@ C_FILE_LIST = $(sort $(wildcard *.c))
8OBJS = $(C_FILE_LIST:.c=.o) 8OBJS = $(C_FILE_LIST:.c=.o)
9BINOBJS = $(foreach file, $(OBJS), $file) 9BINOBJS = $(foreach file, $(OBJS), $file)
10CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security 10CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
11LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now 11LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
12 12
13all: libtrace.so 13all: libtrace.so
14 14
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c
index 1be89052c..5cdb254a3 100644
--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
@@ -57,7 +57,7 @@ static char *name(void) {
57 if (!nameinit) { 57 if (!nameinit) {
58 // initialize the name of the process based on /proc/PID/comm 58 // initialize the name of the process based on /proc/PID/comm
59 memset(myname, 0, MAXNAME); 59 memset(myname, 0, MAXNAME);
60 60
61 pid_t p = pid(); 61 pid_t p = pid();
62 char *fname; 62 char *fname;
63 if (asprintf(&fname, "/proc/%u/comm", p) == -1) 63 if (asprintf(&fname, "/proc/%u/comm", p) == -1)
@@ -74,17 +74,17 @@ static char *name(void) {
74 free(fname); 74 free(fname);
75 return "unknown"; 75 return "unknown";
76 } 76 }
77 77
78 // clean '\n' 78 // clean '\n'
79 char *ptr = strchr(myname, '\n'); 79 char *ptr = strchr(myname, '\n');
80 if (ptr) 80 if (ptr)
81 *ptr = '\0'; 81 *ptr = '\0';
82 82
83 fclose(fp); 83 fclose(fp);
84 free(fname); 84 free(fname);
85 nameinit = 1; 85 nameinit = 1;
86 } 86 }
87 87
88 return myname; 88 return myname;
89} 89}
90 90
@@ -99,20 +99,20 @@ typedef struct {
99static XTable socket_type[] = { 99static XTable socket_type[] = {
100#ifdef SOCK_STREAM 100#ifdef SOCK_STREAM
101 { SOCK_STREAM, "SOCK_STREAM" }, 101 { SOCK_STREAM, "SOCK_STREAM" },
102#endif 102#endif
103#ifdef SOCK_DGRAM 103#ifdef SOCK_DGRAM
104 { SOCK_DGRAM, "SOCK_DGRAM" }, 104 { SOCK_DGRAM, "SOCK_DGRAM" },
105#endif 105#endif
106#ifdef SOCK_RAW 106#ifdef SOCK_RAW
107 { SOCK_RAW, "SOCK_RAW" }, 107 { SOCK_RAW, "SOCK_RAW" },
108#endif 108#endif
109#ifdef SOCK_RDM 109#ifdef SOCK_RDM
110 { SOCK_RDM, "SOCK_RDM" }, 110 { SOCK_RDM, "SOCK_RDM" },
111#endif 111#endif
112#ifdef SOCK_SEQPACKET 112#ifdef SOCK_SEQPACKET
113 { SOCK_SEQPACKET, "SOCK_SEQPACKET" }, 113 { SOCK_SEQPACKET, "SOCK_SEQPACKET" },
114#endif 114#endif
115#ifdef SOCK_DCCP 115#ifdef SOCK_DCCP
116 { SOCK_DCCP, "SOCK_DCCP" }, 116 { SOCK_DCCP, "SOCK_DCCP" },
117#endif 117#endif
118 { 0, NULL} // NULL terminated 118 { 0, NULL} // NULL terminated
@@ -198,7 +198,7 @@ static XTable socket_protocol[] = {
198#ifdef IPPROTO_AH 198#ifdef IPPROTO_AH
199 { IPPROTO_AH, "IPPROTO_AH" }, 199 { IPPROTO_AH, "IPPROTO_AH" },
200#endif 200#endif
201#ifdef IPPROTO_BEETPH 201#ifdef IPPROTO_BEETPH
202 { IPPROTO_BEETPH, "IPPROTO_BEETPH" }, 202 { IPPROTO_BEETPH, "IPPROTO_BEETPH" },
203#endif 203#endif
204#ifdef IPPROTO_PIM 204#ifdef IPPROTO_PIM
@@ -225,7 +225,7 @@ static char *translate(XTable *table, int val) {
225 return table->name; 225 return table->name;
226 table++; 226 table++;
227 } 227 }
228 228
229 return NULL; 229 return NULL;
230} 230}
231 231
@@ -262,7 +262,7 @@ static orig_open_t orig_open = NULL;
262int open(const char *pathname, int flags, mode_t mode) { 262int open(const char *pathname, int flags, mode_t mode) {
263 if (!orig_open) 263 if (!orig_open)
264 orig_open = (orig_open_t)dlsym(RTLD_NEXT, "open"); 264 orig_open = (orig_open_t)dlsym(RTLD_NEXT, "open");
265 265
266 int rv = orig_open(pathname, flags, mode); 266 int rv = orig_open(pathname, flags, mode);
267 printf("%u:%s:open %s:%d\n", pid(), name(), pathname, rv); 267 printf("%u:%s:open %s:%d\n", pid(), name(), pathname, rv);
268 return rv; 268 return rv;
@@ -273,7 +273,7 @@ static orig_open64_t orig_open64 = NULL;
273int open64(const char *pathname, int flags, mode_t mode) { 273int open64(const char *pathname, int flags, mode_t mode) {
274 if (!orig_open64) 274 if (!orig_open64)
275 orig_open64 = (orig_open64_t)dlsym(RTLD_NEXT, "open64"); 275 orig_open64 = (orig_open64_t)dlsym(RTLD_NEXT, "open64");
276 276
277 int rv = orig_open64(pathname, flags, mode); 277 int rv = orig_open64(pathname, flags, mode);
278 printf("%u:%s:open64 %s:%d\n", pid(), name(), pathname, rv); 278 printf("%u:%s:open64 %s:%d\n", pid(), name(), pathname, rv);
279 return rv; 279 return rv;
@@ -285,7 +285,7 @@ static orig_openat_t orig_openat = NULL;
285int openat(int dirfd, const char *pathname, int flags, mode_t mode) { 285int openat(int dirfd, const char *pathname, int flags, mode_t mode) {
286 if (!orig_openat) 286 if (!orig_openat)
287 orig_openat = (orig_openat_t)dlsym(RTLD_NEXT, "openat"); 287 orig_openat = (orig_openat_t)dlsym(RTLD_NEXT, "openat");
288 288
289 int rv = orig_openat(dirfd, pathname, flags, mode); 289 int rv = orig_openat(dirfd, pathname, flags, mode);
290 printf("%u:%s:openat %s:%d\n", pid(), name(), pathname, rv); 290 printf("%u:%s:openat %s:%d\n", pid(), name(), pathname, rv);
291 return rv; 291 return rv;
@@ -296,7 +296,7 @@ static orig_openat64_t orig_openat64 = NULL;
296int openat64(int dirfd, const char *pathname, int flags, mode_t mode) { 296int openat64(int dirfd, const char *pathname, int flags, mode_t mode) {
297 if (!orig_openat64) 297 if (!orig_openat64)
298 orig_openat64 = (orig_openat64_t)dlsym(RTLD_NEXT, "openat64"); 298 orig_openat64 = (orig_openat64_t)dlsym(RTLD_NEXT, "openat64");
299 299
300 int rv = orig_openat64(dirfd, pathname, flags, mode); 300 int rv = orig_openat64(dirfd, pathname, flags, mode);
301 printf("%u:%s:openat64 %s:%d\n", pid(), name(), pathname, rv); 301 printf("%u:%s:openat64 %s:%d\n", pid(), name(), pathname, rv);
302 return rv; 302 return rv;
@@ -307,7 +307,7 @@ int openat64(int dirfd, const char *pathname, int flags, mode_t mode) {
307FILE *fopen(const char *pathname, const char *mode) { 307FILE *fopen(const char *pathname, const char *mode) {
308 if (!orig_fopen) 308 if (!orig_fopen)
309 orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen"); 309 orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen");
310 310
311 FILE *rv = orig_fopen(pathname, mode); 311 FILE *rv = orig_fopen(pathname, mode);
312 printf("%u:%s:fopen %s:%p\n", pid(), name(), pathname, rv); 312 printf("%u:%s:fopen %s:%p\n", pid(), name(), pathname, rv);
313 return rv; 313 return rv;
@@ -317,7 +317,7 @@ FILE *fopen(const char *pathname, const char *mode) {
317FILE *fopen64(const char *pathname, const char *mode) { 317FILE *fopen64(const char *pathname, const char *mode) {
318 if (!orig_fopen64) 318 if (!orig_fopen64)
319 orig_fopen64 = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen64"); 319 orig_fopen64 = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen64");
320 320
321 FILE *rv = orig_fopen64(pathname, mode); 321 FILE *rv = orig_fopen64(pathname, mode);
322 printf("%u:%s:fopen64 %s:%p\n", pid(), name(), pathname, rv); 322 printf("%u:%s:fopen64 %s:%p\n", pid(), name(), pathname, rv);
323 return rv; 323 return rv;
@@ -331,7 +331,7 @@ static orig_freopen_t orig_freopen = NULL;
331FILE *freopen(const char *pathname, const char *mode, FILE *stream) { 331FILE *freopen(const char *pathname, const char *mode, FILE *stream) {
332 if (!orig_freopen) 332 if (!orig_freopen)
333 orig_freopen = (orig_freopen_t)dlsym(RTLD_NEXT, "freopen"); 333 orig_freopen = (orig_freopen_t)dlsym(RTLD_NEXT, "freopen");
334 334
335 FILE *rv = orig_freopen(pathname, mode, stream); 335 FILE *rv = orig_freopen(pathname, mode, stream);
336 printf("%u:%s:freopen %s:%p\n", pid(), name(), pathname, rv); 336 printf("%u:%s:freopen %s:%p\n", pid(), name(), pathname, rv);
337 return rv; 337 return rv;
@@ -343,7 +343,7 @@ static orig_freopen64_t orig_freopen64 = NULL;
343FILE *freopen64(const char *pathname, const char *mode, FILE *stream) { 343FILE *freopen64(const char *pathname, const char *mode, FILE *stream) {
344 if (!orig_freopen64) 344 if (!orig_freopen64)
345 orig_freopen64 = (orig_freopen64_t)dlsym(RTLD_NEXT, "freopen64"); 345 orig_freopen64 = (orig_freopen64_t)dlsym(RTLD_NEXT, "freopen64");
346 346
347 FILE *rv = orig_freopen64(pathname, mode, stream); 347 FILE *rv = orig_freopen64(pathname, mode, stream);
348 printf("%u:%s:freopen64 %s:%p\n", pid(), name(), pathname, rv); 348 printf("%u:%s:freopen64 %s:%p\n", pid(), name(), pathname, rv);
349 return rv; 349 return rv;
@@ -356,7 +356,7 @@ static orig_unlink_t orig_unlink = NULL;
356int unlink(const char *pathname) { 356int unlink(const char *pathname) {
357 if (!orig_unlink) 357 if (!orig_unlink)
358 orig_unlink = (orig_unlink_t)dlsym(RTLD_NEXT, "unlink"); 358 orig_unlink = (orig_unlink_t)dlsym(RTLD_NEXT, "unlink");
359 359
360 int rv = orig_unlink(pathname); 360 int rv = orig_unlink(pathname);
361 printf("%u:%s:unlink %s:%d\n", pid(), name(), pathname, rv); 361 printf("%u:%s:unlink %s:%d\n", pid(), name(), pathname, rv);
362 return rv; 362 return rv;
@@ -367,7 +367,7 @@ static orig_unlinkat_t orig_unlinkat = NULL;
367int unlinkat(int dirfd, const char *pathname, int flags) { 367int unlinkat(int dirfd, const char *pathname, int flags) {
368 if (!orig_unlinkat) 368 if (!orig_unlinkat)
369 orig_unlinkat = (orig_unlinkat_t)dlsym(RTLD_NEXT, "unlinkat"); 369 orig_unlinkat = (orig_unlinkat_t)dlsym(RTLD_NEXT, "unlinkat");
370 370
371 int rv = orig_unlinkat(dirfd, pathname, flags); 371 int rv = orig_unlinkat(dirfd, pathname, flags);
372 printf("%u:%s:unlinkat %s:%d\n", pid(), name(), pathname, rv); 372 printf("%u:%s:unlinkat %s:%d\n", pid(), name(), pathname, rv);
373 return rv; 373 return rv;
@@ -379,7 +379,7 @@ static orig_mkdir_t orig_mkdir = NULL;
379int mkdir(const char *pathname, mode_t mode) { 379int mkdir(const char *pathname, mode_t mode) {
380 if (!orig_mkdir) 380 if (!orig_mkdir)
381 orig_mkdir = (orig_mkdir_t)dlsym(RTLD_NEXT, "mkdir"); 381 orig_mkdir = (orig_mkdir_t)dlsym(RTLD_NEXT, "mkdir");
382 382
383 int rv = orig_mkdir(pathname, mode); 383 int rv = orig_mkdir(pathname, mode);
384 printf("%u:%s:mkdir %s:%d\n", pid(), name(), pathname, rv); 384 printf("%u:%s:mkdir %s:%d\n", pid(), name(), pathname, rv);
385 return rv; 385 return rv;
@@ -390,7 +390,7 @@ static orig_mkdirat_t orig_mkdirat = NULL;
390int mkdirat(int dirfd, const char *pathname, mode_t mode) { 390int mkdirat(int dirfd, const char *pathname, mode_t mode) {
391 if (!orig_mkdirat) 391 if (!orig_mkdirat)
392 orig_mkdirat = (orig_mkdirat_t)dlsym(RTLD_NEXT, "mkdirat"); 392 orig_mkdirat = (orig_mkdirat_t)dlsym(RTLD_NEXT, "mkdirat");
393 393
394 int rv = orig_mkdirat(dirfd, pathname, mode); 394 int rv = orig_mkdirat(dirfd, pathname, mode);
395 printf("%u:%s:mkdirat %s:%d\n", pid(), name(), pathname, rv); 395 printf("%u:%s:mkdirat %s:%d\n", pid(), name(), pathname, rv);
396 return rv; 396 return rv;
@@ -401,7 +401,7 @@ static orig_rmdir_t orig_rmdir = NULL;
401int rmdir(const char *pathname) { 401int rmdir(const char *pathname) {
402 if (!orig_rmdir) 402 if (!orig_rmdir)
403 orig_rmdir = (orig_rmdir_t)dlsym(RTLD_NEXT, "rmdir"); 403 orig_rmdir = (orig_rmdir_t)dlsym(RTLD_NEXT, "rmdir");
404 404
405 int rv = orig_rmdir(pathname); 405 int rv = orig_rmdir(pathname);
406 printf("%u:%s:rmdir %s:%d\n", pid(), name(), pathname, rv); 406 printf("%u:%s:rmdir %s:%d\n", pid(), name(), pathname, rv);
407 return rv; 407 return rv;
@@ -413,7 +413,7 @@ static orig_stat_t orig_stat = NULL;
413int stat(const char *pathname, struct stat *buf) { 413int stat(const char *pathname, struct stat *buf) {
414 if (!orig_stat) 414 if (!orig_stat)
415 orig_stat = (orig_stat_t)dlsym(RTLD_NEXT, "stat"); 415 orig_stat = (orig_stat_t)dlsym(RTLD_NEXT, "stat");
416 416
417 int rv = orig_stat(pathname, buf); 417 int rv = orig_stat(pathname, buf);
418 printf("%u:%s:stat %s:%d\n", pid(), name(), pathname, rv); 418 printf("%u:%s:stat %s:%d\n", pid(), name(), pathname, rv);
419 return rv; 419 return rv;
@@ -425,7 +425,7 @@ static orig_stat64_t orig_stat64 = NULL;
425int stat64(const char *pathname, struct stat64 *buf) { 425int stat64(const char *pathname, struct stat64 *buf) {
426 if (!orig_stat64) 426 if (!orig_stat64)
427 orig_stat64 = (orig_stat64_t)dlsym(RTLD_NEXT, "stat64"); 427 orig_stat64 = (orig_stat64_t)dlsym(RTLD_NEXT, "stat64");
428 428
429 int rv = orig_stat64(pathname, buf); 429 int rv = orig_stat64(pathname, buf);
430 printf("%u:%s:stat64 %s:%d\n", pid(), name(), pathname, rv); 430 printf("%u:%s:stat64 %s:%d\n", pid(), name(), pathname, rv);
431 return rv; 431 return rv;
@@ -463,7 +463,7 @@ static orig_opendir_t orig_opendir = NULL;
463DIR *opendir(const char *pathname) { 463DIR *opendir(const char *pathname) {
464 if (!orig_opendir) 464 if (!orig_opendir)
465 orig_opendir = (orig_opendir_t)dlsym(RTLD_NEXT, "opendir"); 465 orig_opendir = (orig_opendir_t)dlsym(RTLD_NEXT, "opendir");
466 466
467 DIR *rv = orig_opendir(pathname); 467 DIR *rv = orig_opendir(pathname);
468 printf("%u:%s:opendir %s:%p\n", pid(), name(), pathname, rv); 468 printf("%u:%s:opendir %s:%p\n", pid(), name(), pathname, rv);
469 return rv; 469 return rv;
@@ -475,7 +475,7 @@ static orig_access_t orig_access = NULL;
475int access(const char *pathname, int mode) { 475int access(const char *pathname, int mode) {
476 if (!orig_access) 476 if (!orig_access)
477 orig_access = (orig_access_t)dlsym(RTLD_NEXT, "access"); 477 orig_access = (orig_access_t)dlsym(RTLD_NEXT, "access");
478 478
479 int rv = orig_access(pathname, mode); 479 int rv = orig_access(pathname, mode);
480 printf("%u:%s:access %s:%d\n", pid(), name(), pathname, rv); 480 printf("%u:%s:access %s:%d\n", pid(), name(), pathname, rv);
481 return rv; 481 return rv;
@@ -488,7 +488,7 @@ static orig_connect_t orig_connect = NULL;
488int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) { 488int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
489 if (!orig_connect) 489 if (!orig_connect)
490 orig_connect = (orig_connect_t)dlsym(RTLD_NEXT, "connect"); 490 orig_connect = (orig_connect_t)dlsym(RTLD_NEXT, "connect");
491 491
492 int rv = orig_connect(sockfd, addr, addrlen); 492 int rv = orig_connect(sockfd, addr, addrlen);
493 print_sockaddr(sockfd, "connect", addr, rv); 493 print_sockaddr(sockfd, "connect", addr, rv);
494 494
@@ -502,7 +502,7 @@ static char buf[1024];
502int socket(int domain, int type, int protocol) { 502int socket(int domain, int type, int protocol) {
503 if (!orig_socket) 503 if (!orig_socket)
504 orig_socket = (orig_socket_t)dlsym(RTLD_NEXT, "socket"); 504 orig_socket = (orig_socket_t)dlsym(RTLD_NEXT, "socket");
505 505
506 int rv = orig_socket(domain, type, protocol); 506 int rv = orig_socket(domain, type, protocol);
507 char *ptr = buf; 507 char *ptr = buf;
508 ptr += sprintf(ptr, "%u:%s:socket ", pid(), name()); 508 ptr += sprintf(ptr, "%u:%s:socket ", pid(), name());
@@ -545,7 +545,7 @@ static orig_bind_t orig_bind = NULL;
545int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen) { 545int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
546 if (!orig_bind) 546 if (!orig_bind)
547 orig_bind = (orig_bind_t)dlsym(RTLD_NEXT, "bind"); 547 orig_bind = (orig_bind_t)dlsym(RTLD_NEXT, "bind");
548 548
549 int rv = orig_bind(sockfd, addr, addrlen); 549 int rv = orig_bind(sockfd, addr, addrlen);
550 print_sockaddr(sockfd, "bind", addr, rv); 550 print_sockaddr(sockfd, "bind", addr, rv);
551 551
@@ -558,7 +558,7 @@ static orig_accept_t orig_accept = NULL;
558int accept(int sockfd, struct sockaddr *addr, socklen_t addrlen) { 558int accept(int sockfd, struct sockaddr *addr, socklen_t addrlen) {
559 if (!orig_accept) 559 if (!orig_accept)
560 orig_accept = (orig_accept_t)dlsym(RTLD_NEXT, "accept"); 560 orig_accept = (orig_accept_t)dlsym(RTLD_NEXT, "accept");
561 561
562 int rv = orig_accept(sockfd, addr, addrlen); 562 int rv = orig_accept(sockfd, addr, addrlen);
563 print_sockaddr(sockfd, "accept", addr, rv); 563 print_sockaddr(sockfd, "accept", addr, rv);
564 564
@@ -571,7 +571,7 @@ static orig_system_t orig_system = NULL;
571int system(const char *command) { 571int system(const char *command) {
572 if (!orig_system) 572 if (!orig_system)
573 orig_system = (orig_system_t)dlsym(RTLD_NEXT, "system"); 573 orig_system = (orig_system_t)dlsym(RTLD_NEXT, "system");
574 574
575 int rv = orig_system(command); 575 int rv = orig_system(command);
576 printf("%u:%s:system %s:%d\n", pid(), name(), command, rv); 576 printf("%u:%s:system %s:%d\n", pid(), name(), command, rv);
577 577
@@ -583,7 +583,7 @@ static orig_setuid_t orig_setuid = NULL;
583int setuid(uid_t uid) { 583int setuid(uid_t uid) {
584 if (!orig_setuid) 584 if (!orig_setuid)
585 orig_setuid = (orig_setuid_t)dlsym(RTLD_NEXT, "setuid"); 585 orig_setuid = (orig_setuid_t)dlsym(RTLD_NEXT, "setuid");
586 586
587 int rv = orig_setuid(uid); 587 int rv = orig_setuid(uid);
588 printf("%u:%s:setuid %d:%d\n", pid(), name(), uid, rv); 588 printf("%u:%s:setuid %d:%d\n", pid(), name(), uid, rv);
589 589
@@ -595,7 +595,7 @@ static orig_setgid_t orig_setgid = NULL;
595int setgid(gid_t gid) { 595int setgid(gid_t gid) {
596 if (!orig_setgid) 596 if (!orig_setgid)
597 orig_setgid = (orig_setgid_t)dlsym(RTLD_NEXT, "setgid"); 597 orig_setgid = (orig_setgid_t)dlsym(RTLD_NEXT, "setgid");
598 598
599 int rv = orig_setgid(gid); 599 int rv = orig_setgid(gid);
600 printf("%u:%s:setgid %d:%d\n", pid(), name(), gid, rv); 600 printf("%u:%s:setgid %d:%d\n", pid(), name(), gid, rv);
601 601
@@ -607,7 +607,7 @@ static orig_setfsuid_t orig_setfsuid = NULL;
607int setfsuid(uid_t uid) { 607int setfsuid(uid_t uid) {
608 if (!orig_setfsuid) 608 if (!orig_setfsuid)
609 orig_setfsuid = (orig_setfsuid_t)dlsym(RTLD_NEXT, "setfsuid"); 609 orig_setfsuid = (orig_setfsuid_t)dlsym(RTLD_NEXT, "setfsuid");
610 610
611 int rv = orig_setfsuid(uid); 611 int rv = orig_setfsuid(uid);
612 printf("%u:%s:setfsuid %d:%d\n", pid(), name(), uid, rv); 612 printf("%u:%s:setfsuid %d:%d\n", pid(), name(), uid, rv);
613 613
@@ -619,7 +619,7 @@ static orig_setfsgid_t orig_setfsgid = NULL;
619int setfsgid(gid_t gid) { 619int setfsgid(gid_t gid) {
620 if (!orig_setfsgid) 620 if (!orig_setfsgid)
621 orig_setfsgid = (orig_setfsgid_t)dlsym(RTLD_NEXT, "setfsgid"); 621 orig_setfsgid = (orig_setfsgid_t)dlsym(RTLD_NEXT, "setfsgid");
622 622
623 int rv = orig_setfsgid(gid); 623 int rv = orig_setfsgid(gid);
624 printf("%u:%s:setfsgid %d:%d\n", pid(), name(), gid, rv); 624 printf("%u:%s:setfsgid %d:%d\n", pid(), name(), gid, rv);
625 625
@@ -631,7 +631,7 @@ static orig_setreuid_t orig_setreuid = NULL;
631int setreuid(uid_t ruid, uid_t euid) { 631int setreuid(uid_t ruid, uid_t euid) {
632 if (!orig_setreuid) 632 if (!orig_setreuid)
633 orig_setreuid = (orig_setreuid_t)dlsym(RTLD_NEXT, "setreuid"); 633 orig_setreuid = (orig_setreuid_t)dlsym(RTLD_NEXT, "setreuid");
634 634
635 int rv = orig_setreuid(ruid, euid); 635 int rv = orig_setreuid(ruid, euid);
636 printf("%u:%s:setreuid %d %d:%d\n", pid(), name(), ruid, euid, rv); 636 printf("%u:%s:setreuid %d %d:%d\n", pid(), name(), ruid, euid, rv);
637 637
@@ -643,7 +643,7 @@ static orig_setregid_t orig_setregid = NULL;
643int setregid(gid_t rgid, gid_t egid) { 643int setregid(gid_t rgid, gid_t egid) {
644 if (!orig_setregid) 644 if (!orig_setregid)
645 orig_setregid = (orig_setregid_t)dlsym(RTLD_NEXT, "setregid"); 645 orig_setregid = (orig_setregid_t)dlsym(RTLD_NEXT, "setregid");
646 646
647 int rv = orig_setregid(rgid, egid); 647 int rv = orig_setregid(rgid, egid);
648 printf("%u:%s:setregid %d %d:%d\n", pid(), name(), rgid, egid, rv); 648 printf("%u:%s:setregid %d %d:%d\n", pid(), name(), rgid, egid, rv);
649 649
@@ -655,7 +655,7 @@ static orig_setresuid_t orig_setresuid = NULL;
655int setresuid(uid_t ruid, uid_t euid, uid_t suid) { 655int setresuid(uid_t ruid, uid_t euid, uid_t suid) {
656 if (!orig_setresuid) 656 if (!orig_setresuid)
657 orig_setresuid = (orig_setresuid_t)dlsym(RTLD_NEXT, "setresuid"); 657 orig_setresuid = (orig_setresuid_t)dlsym(RTLD_NEXT, "setresuid");
658 658
659 int rv = orig_setresuid(ruid, euid, suid); 659 int rv = orig_setresuid(ruid, euid, suid);
660 printf("%u:%s:setresuid %d %d %d:%d\n", pid(), name(), ruid, euid, suid, rv); 660 printf("%u:%s:setresuid %d %d %d:%d\n", pid(), name(), ruid, euid, suid, rv);
661 661
@@ -667,7 +667,7 @@ static orig_setresgid_t orig_setresgid = NULL;
667int setresgid(gid_t rgid, gid_t egid, gid_t sgid) { 667int setresgid(gid_t rgid, gid_t egid, gid_t sgid) {
668 if (!orig_setresgid) 668 if (!orig_setresgid)
669 orig_setresgid = (orig_setresgid_t)dlsym(RTLD_NEXT, "setresgid"); 669 orig_setresgid = (orig_setresgid_t)dlsym(RTLD_NEXT, "setresgid");
670 670
671 int rv = orig_setresgid(rgid, egid, sgid); 671 int rv = orig_setresgid(rgid, egid, sgid);
672 printf("%u:%s:setresgid %d %d %d:%d\n", pid(), name(), rgid, egid, sgid, rv); 672 printf("%u:%s:setresgid %d %d %d:%d\n", pid(), name(), rgid, egid, sgid, rv);
673 673
diff --git a/src/libtracelog/Makefile.in b/src/libtracelog/Makefile.in
index 5c199d338..7ce5e4c41 100644
--- a/src/libtracelog/Makefile.in
+++ b/src/libtracelog/Makefile.in
@@ -8,7 +8,7 @@ C_FILE_LIST = $(sort $(wildcard *.c))
8OBJS = $(C_FILE_LIST:.c=.o) 8OBJS = $(C_FILE_LIST:.c=.o)
9BINOBJS = $(foreach file, $(OBJS), $file) 9BINOBJS = $(foreach file, $(OBJS), $file)
10CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security 10CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
11LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now 11LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
12 12
13all: libtracelog.so 13all: libtracelog.so
14 14
diff --git a/src/libtracelog/libtracelog.c b/src/libtracelog/libtracelog.c
index abacb7115..dc68b0620 100644
--- a/src/libtracelog/libtracelog.c
+++ b/src/libtracelog/libtracelog.c
@@ -52,7 +52,7 @@ typedef struct list_elem_t {
52#define HMASK 0x0ff 52#define HMASK 0x0ff
53ListElem *storage[HMASK + 1]; 53ListElem *storage[HMASK + 1];
54 54
55// djb2 55// djb2
56static inline uint32_t hash(const char *str) { 56static inline uint32_t hash(const char *str) {
57 uint32_t hash = 5381; 57 uint32_t hash = 5381;
58 int c; 58 int c;
@@ -70,10 +70,10 @@ static void storage_add(const char *str) {
70 if (!str) { 70 if (!str) {
71#ifdef DEBUG 71#ifdef DEBUG
72 printf("null pointer passed to storage_add\n"); 72 printf("null pointer passed to storage_add\n");
73#endif 73#endif
74 return; 74 return;
75 } 75 }
76 76
77 ListElem *ptr = malloc(sizeof(ListElem)); 77 ListElem *ptr = malloc(sizeof(ListElem));
78 if (!ptr) { 78 if (!ptr) {
79 fprintf(stderr, "Error: cannot allocate memory\n"); 79 fprintf(stderr, "Error: cannot allocate memory\n");
@@ -85,7 +85,7 @@ static void storage_add(const char *str) {
85 free(ptr); 85 free(ptr);
86 return; 86 return;
87 } 87 }
88 88
89 // insert it into the hash table 89 // insert it into the hash table
90 uint32_t h = hash(ptr->path); 90 uint32_t h = hash(ptr->path);
91 ptr->next = storage[h]; 91 ptr->next = storage[h];
@@ -147,11 +147,11 @@ static char *storage_find(const char *str) {
147 } 147 }
148 ptr = ptr->next; 148 ptr = ptr->next;
149 } 149 }
150 150
151 if (allocated) 151 if (allocated)
152 free((char *) tofind); 152 free((char *) tofind);
153#ifdef DEBUG 153#ifdef DEBUG
154 printf("storage not found\n"); 154 printf("storage not found\n");
155#endif 155#endif
156 return NULL; 156 return NULL;
157} 157}
@@ -168,7 +168,7 @@ static char *sandbox_name_str = NULL;
168static void load_blacklist(void) { 168static void load_blacklist(void) {
169 if (blacklist_loaded) 169 if (blacklist_loaded)
170 return; 170 return;
171 171
172 // open filesystem log 172 // open filesystem log
173 if (!orig_fopen) 173 if (!orig_fopen)
174 orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen"); 174 orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen");
@@ -204,7 +204,7 @@ static void load_blacklist(void) {
204 } 204 }
205 fclose(fp); 205 fclose(fp);
206 blacklist_loaded = 1; 206 blacklist_loaded = 1;
207#ifdef DEBUG 207#ifdef DEBUG
208 printf("Monitoring %d blacklists\n", cnt); 208 printf("Monitoring %d blacklists\n", cnt);
209 { 209 {
210 int i; 210 int i;
@@ -215,7 +215,7 @@ static void load_blacklist(void) {
215 cnt++; 215 cnt++;
216 ptr = ptr->next; 216 ptr = ptr->next;
217 } 217 }
218 218
219 if ((i % 16) == 0) 219 if ((i % 16) == 0)
220 printf("\n"); 220 printf("\n");
221 printf("%02d ", cnt); 221 printf("%02d ", cnt);
@@ -232,8 +232,8 @@ static void sendlog(const char *name, const char *call, const char *path) {
232 printf("null pointer passed to sendlog\n"); 232 printf("null pointer passed to sendlog\n");
233#endif 233#endif
234 return; 234 return;
235 } 235 }
236 236
237 openlog ("firejail", LOG_CONS | LOG_PID | LOG_NDELAY, LOG_LOCAL1); 237 openlog ("firejail", LOG_CONS | LOG_PID | LOG_NDELAY, LOG_LOCAL1);
238 if (sandbox_pid_str && sandbox_name_str) 238 if (sandbox_pid_str && sandbox_name_str)
239 syslog (LOG_INFO, "blacklist violation - sandbox %s, name %s, exe %s, syscall %s, path %s", 239 syslog (LOG_INFO, "blacklist violation - sandbox %s, name %s, exe %s, syscall %s, path %s",
@@ -266,10 +266,10 @@ static char myname[MAXNAME];
266static int nameinit = 0; 266static int nameinit = 0;
267static char *name(void) { 267static char *name(void) {
268 if (!nameinit) { 268 if (!nameinit) {
269 269
270 // initialize the name of the process based on /proc/PID/comm 270 // initialize the name of the process based on /proc/PID/comm
271 memset(myname, 0, MAXNAME); 271 memset(myname, 0, MAXNAME);
272 272
273 pid_t p = pid(); 273 pid_t p = pid();
274 char *fname; 274 char *fname;
275 if (asprintf(&fname, "/proc/%u/comm", p) == -1) 275 if (asprintf(&fname, "/proc/%u/comm", p) == -1)
@@ -286,17 +286,17 @@ static char *name(void) {
286 free(fname); 286 free(fname);
287 return "unknown"; 287 return "unknown";
288 } 288 }
289 289
290 // clean '\n' 290 // clean '\n'
291 char *ptr = strchr(myname, '\n'); 291 char *ptr = strchr(myname, '\n');
292 if (ptr) 292 if (ptr)
293 *ptr = '\0'; 293 *ptr = '\0';
294 294
295 fclose(fp); 295 fclose(fp);
296 free(fname); 296 free(fname);
297 nameinit = 1; 297 nameinit = 1;
298 } 298 }
299 299
300 return myname; 300 return myname;
301} 301}
302 302
@@ -313,10 +313,10 @@ int open(const char *pathname, int flags, mode_t mode) {
313#endif 313#endif
314 if (!orig_open) 314 if (!orig_open)
315 orig_open = (orig_open_t)dlsym(RTLD_NEXT, "open"); 315 orig_open = (orig_open_t)dlsym(RTLD_NEXT, "open");
316 316
317 if (!blacklist_loaded) 317 if (!blacklist_loaded)
318 load_blacklist(); 318 load_blacklist();
319 319
320 if (storage_find(pathname)) 320 if (storage_find(pathname))
321 sendlog(name(), __FUNCTION__, pathname); 321 sendlog(name(), __FUNCTION__, pathname);
322 int rv = orig_open(pathname, flags, mode); 322 int rv = orig_open(pathname, flags, mode);
@@ -337,7 +337,7 @@ int open64(const char *pathname, int flags, mode_t mode) {
337 orig_open64 = (orig_open64_t)dlsym(RTLD_NEXT, "open64"); 337 orig_open64 = (orig_open64_t)dlsym(RTLD_NEXT, "open64");
338 if (!blacklist_loaded) 338 if (!blacklist_loaded)
339 load_blacklist(); 339 load_blacklist();
340 340
341 if (storage_find(pathname)) 341 if (storage_find(pathname))
342 sendlog(name(), __FUNCTION__, pathname); 342 sendlog(name(), __FUNCTION__, pathname);
343 int rv = orig_open64(pathname, flags, mode); 343 int rv = orig_open64(pathname, flags, mode);
@@ -357,7 +357,7 @@ int openat(int dirfd, const char *pathname, int flags, mode_t mode) {
357 orig_openat = (orig_openat_t)dlsym(RTLD_NEXT, "openat"); 357 orig_openat = (orig_openat_t)dlsym(RTLD_NEXT, "openat");
358 if (!blacklist_loaded) 358 if (!blacklist_loaded)
359 load_blacklist(); 359 load_blacklist();
360 360
361 if (storage_find(pathname)) 361 if (storage_find(pathname))
362 sendlog(name(), __FUNCTION__, pathname); 362 sendlog(name(), __FUNCTION__, pathname);
363 int rv = orig_openat(dirfd, pathname, flags, mode); 363 int rv = orig_openat(dirfd, pathname, flags, mode);
@@ -374,7 +374,7 @@ int openat64(int dirfd, const char *pathname, int flags, mode_t mode) {
374 orig_openat64 = (orig_openat64_t)dlsym(RTLD_NEXT, "openat64"); 374 orig_openat64 = (orig_openat64_t)dlsym(RTLD_NEXT, "openat64");
375 if (!blacklist_loaded) 375 if (!blacklist_loaded)
376 load_blacklist(); 376 load_blacklist();
377 377
378 if (storage_find(pathname)) 378 if (storage_find(pathname))
379 sendlog(name(), __FUNCTION__, pathname); 379 sendlog(name(), __FUNCTION__, pathname);
380 int rv = orig_openat64(dirfd, pathname, flags, mode); 380 int rv = orig_openat64(dirfd, pathname, flags, mode);
@@ -391,7 +391,7 @@ FILE *fopen(const char *pathname, const char *mode) {
391 orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen"); 391 orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen");
392 if (!blacklist_loaded) 392 if (!blacklist_loaded)
393 load_blacklist(); 393 load_blacklist();
394 394
395 if (storage_find(pathname)) 395 if (storage_find(pathname))
396 sendlog(name(), __FUNCTION__, pathname); 396 sendlog(name(), __FUNCTION__, pathname);
397 FILE *rv = orig_fopen(pathname, mode); 397 FILE *rv = orig_fopen(pathname, mode);
@@ -407,7 +407,7 @@ FILE *fopen64(const char *pathname, const char *mode) {
407 orig_fopen64 = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen64"); 407 orig_fopen64 = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen64");
408 if (!blacklist_loaded) 408 if (!blacklist_loaded)
409 load_blacklist(); 409 load_blacklist();
410 410
411 if (storage_find(pathname)) 411 if (storage_find(pathname))
412 sendlog(name(), __FUNCTION__, pathname); 412 sendlog(name(), __FUNCTION__, pathname);
413 FILE *rv = orig_fopen64(pathname, mode); 413 FILE *rv = orig_fopen64(pathname, mode);
@@ -427,7 +427,7 @@ FILE *freopen(const char *pathname, const char *mode, FILE *stream) {
427 orig_freopen = (orig_freopen_t)dlsym(RTLD_NEXT, "freopen"); 427 orig_freopen = (orig_freopen_t)dlsym(RTLD_NEXT, "freopen");
428 if (!blacklist_loaded) 428 if (!blacklist_loaded)
429 load_blacklist(); 429 load_blacklist();
430 430
431 if (storage_find(pathname)) 431 if (storage_find(pathname))
432 sendlog(name(), __FUNCTION__, pathname); 432 sendlog(name(), __FUNCTION__, pathname);
433 FILE *rv = orig_freopen(pathname, mode, stream); 433 FILE *rv = orig_freopen(pathname, mode, stream);
@@ -445,7 +445,7 @@ FILE *freopen64(const char *pathname, const char *mode, FILE *stream) {
445 orig_freopen64 = (orig_freopen64_t)dlsym(RTLD_NEXT, "freopen64"); 445 orig_freopen64 = (orig_freopen64_t)dlsym(RTLD_NEXT, "freopen64");
446 if (!blacklist_loaded) 446 if (!blacklist_loaded)
447 load_blacklist(); 447 load_blacklist();
448 448
449 if (storage_find(pathname)) 449 if (storage_find(pathname))
450 sendlog(name(), __FUNCTION__, pathname); 450 sendlog(name(), __FUNCTION__, pathname);
451 FILE *rv = orig_freopen64(pathname, mode, stream); 451 FILE *rv = orig_freopen64(pathname, mode, stream);
@@ -464,7 +464,7 @@ int unlink(const char *pathname) {
464 orig_unlink = (orig_unlink_t)dlsym(RTLD_NEXT, "unlink"); 464 orig_unlink = (orig_unlink_t)dlsym(RTLD_NEXT, "unlink");
465 if (!blacklist_loaded) 465 if (!blacklist_loaded)
466 load_blacklist(); 466 load_blacklist();
467 467
468 if (storage_find(pathname)) 468 if (storage_find(pathname))
469 sendlog(name(), __FUNCTION__, pathname); 469 sendlog(name(), __FUNCTION__, pathname);
470 int rv = orig_unlink(pathname); 470 int rv = orig_unlink(pathname);
@@ -481,7 +481,7 @@ int unlinkat(int dirfd, const char *pathname, int flags) {
481 orig_unlinkat = (orig_unlinkat_t)dlsym(RTLD_NEXT, "unlinkat"); 481 orig_unlinkat = (orig_unlinkat_t)dlsym(RTLD_NEXT, "unlinkat");
482 if (!blacklist_loaded) 482 if (!blacklist_loaded)
483 load_blacklist(); 483 load_blacklist();
484 484
485 if (storage_find(pathname)) 485 if (storage_find(pathname))
486 sendlog(name(), __FUNCTION__, pathname); 486 sendlog(name(), __FUNCTION__, pathname);
487 int rv = orig_unlinkat(dirfd, pathname, flags); 487 int rv = orig_unlinkat(dirfd, pathname, flags);
@@ -499,7 +499,7 @@ int mkdir(const char *pathname, mode_t mode) {
499 orig_mkdir = (orig_mkdir_t)dlsym(RTLD_NEXT, "mkdir"); 499 orig_mkdir = (orig_mkdir_t)dlsym(RTLD_NEXT, "mkdir");
500 if (!blacklist_loaded) 500 if (!blacklist_loaded)
501 load_blacklist(); 501 load_blacklist();
502 502
503 if (storage_find(pathname)) 503 if (storage_find(pathname))
504 sendlog(name(), __FUNCTION__, pathname); 504 sendlog(name(), __FUNCTION__, pathname);
505 int rv = orig_mkdir(pathname, mode); 505 int rv = orig_mkdir(pathname, mode);
@@ -516,7 +516,7 @@ int mkdirat(int dirfd, const char *pathname, mode_t mode) {
516 orig_mkdirat = (orig_mkdirat_t)dlsym(RTLD_NEXT, "mkdirat"); 516 orig_mkdirat = (orig_mkdirat_t)dlsym(RTLD_NEXT, "mkdirat");
517 if (!blacklist_loaded) 517 if (!blacklist_loaded)
518 load_blacklist(); 518 load_blacklist();
519 519
520 if (storage_find(pathname)) 520 if (storage_find(pathname))
521 sendlog(name(), __FUNCTION__, pathname); 521 sendlog(name(), __FUNCTION__, pathname);
522 int rv = orig_mkdirat(dirfd, pathname, mode); 522 int rv = orig_mkdirat(dirfd, pathname, mode);
@@ -533,7 +533,7 @@ int rmdir(const char *pathname) {
533 orig_rmdir = (orig_rmdir_t)dlsym(RTLD_NEXT, "rmdir"); 533 orig_rmdir = (orig_rmdir_t)dlsym(RTLD_NEXT, "rmdir");
534 if (!blacklist_loaded) 534 if (!blacklist_loaded)
535 load_blacklist(); 535 load_blacklist();
536 536
537 if (storage_find(pathname)) 537 if (storage_find(pathname))
538 sendlog(name(), __FUNCTION__, pathname); 538 sendlog(name(), __FUNCTION__, pathname);
539 int rv = orig_rmdir(pathname); 539 int rv = orig_rmdir(pathname);
@@ -551,7 +551,7 @@ int stat(const char *pathname, struct stat *buf) {
551 orig_stat = (orig_stat_t)dlsym(RTLD_NEXT, "stat"); 551 orig_stat = (orig_stat_t)dlsym(RTLD_NEXT, "stat");
552 if (!blacklist_loaded) 552 if (!blacklist_loaded)
553 load_blacklist(); 553 load_blacklist();
554 554
555 if (storage_find(pathname)) 555 if (storage_find(pathname))
556 sendlog(name(), __FUNCTION__, pathname); 556 sendlog(name(), __FUNCTION__, pathname);
557 int rv = orig_stat(pathname, buf); 557 int rv = orig_stat(pathname, buf);
@@ -569,7 +569,7 @@ int stat64(const char *pathname, struct stat64 *buf) {
569 orig_stat64 = (orig_stat64_t)dlsym(RTLD_NEXT, "stat64"); 569 orig_stat64 = (orig_stat64_t)dlsym(RTLD_NEXT, "stat64");
570 if (!blacklist_loaded) 570 if (!blacklist_loaded)
571 load_blacklist(); 571 load_blacklist();
572 572
573 if (storage_find(pathname)) 573 if (storage_find(pathname))
574 sendlog(name(), __FUNCTION__, pathname); 574 sendlog(name(), __FUNCTION__, pathname);
575 int rv = orig_stat64(pathname, buf); 575 int rv = orig_stat64(pathname, buf);
@@ -587,7 +587,7 @@ int lstat(const char *pathname, struct stat *buf) {
587 orig_lstat = (orig_lstat_t)dlsym(RTLD_NEXT, "lstat"); 587 orig_lstat = (orig_lstat_t)dlsym(RTLD_NEXT, "lstat");
588 if (!blacklist_loaded) 588 if (!blacklist_loaded)
589 load_blacklist(); 589 load_blacklist();
590 590
591 if (storage_find(pathname)) 591 if (storage_find(pathname))
592 sendlog(name(), __FUNCTION__, pathname); 592 sendlog(name(), __FUNCTION__, pathname);
593 int rv = orig_lstat(pathname, buf); 593 int rv = orig_lstat(pathname, buf);
@@ -605,7 +605,7 @@ int lstat64(const char *pathname, struct stat64 *buf) {
605 orig_lstat64 = (orig_lstat64_t)dlsym(RTLD_NEXT, "lstat64"); 605 orig_lstat64 = (orig_lstat64_t)dlsym(RTLD_NEXT, "lstat64");
606 if (!blacklist_loaded) 606 if (!blacklist_loaded)
607 load_blacklist(); 607 load_blacklist();
608 608
609 if (storage_find(pathname)) 609 if (storage_find(pathname))
610 sendlog(name(), __FUNCTION__, pathname); 610 sendlog(name(), __FUNCTION__, pathname);
611 int rv = orig_lstat64(pathname, buf); 611 int rv = orig_lstat64(pathname, buf);
@@ -624,7 +624,7 @@ int access(const char *pathname, int mode) {
624 orig_access = (orig_access_t)dlsym(RTLD_NEXT, "access"); 624 orig_access = (orig_access_t)dlsym(RTLD_NEXT, "access");
625 if (!blacklist_loaded) 625 if (!blacklist_loaded)
626 load_blacklist(); 626 load_blacklist();
627 627
628 if (storage_find(pathname)) 628 if (storage_find(pathname))
629 sendlog(name(), __FUNCTION__, pathname); 629 sendlog(name(), __FUNCTION__, pathname);
630 int rv = orig_access(pathname, mode); 630 int rv = orig_access(pathname, mode);
@@ -642,7 +642,7 @@ DIR *opendir(const char *pathname) {
642 orig_opendir = (orig_opendir_t)dlsym(RTLD_NEXT, "opendir"); 642 orig_opendir = (orig_opendir_t)dlsym(RTLD_NEXT, "opendir");
643 if (!blacklist_loaded) 643 if (!blacklist_loaded)
644 load_blacklist(); 644 load_blacklist();
645 645
646 if (storage_find(pathname)) 646 if (storage_find(pathname))
647 sendlog(name(), __FUNCTION__, pathname); 647 sendlog(name(), __FUNCTION__, pathname);
648 DIR *rv = orig_opendir(pathname); 648 DIR *rv = orig_opendir(pathname);
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index 8cb9bcb3e..f99704579 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -4,7 +4,7 @@ Firecfg \- Desktop integration utility for Firejail software.
4.SH SYNOPSIS 4.SH SYNOPSIS
5firecfg [OPTIONS] 5firecfg [OPTIONS]
6.SH DESCRIPTION 6.SH DESCRIPTION
7Firecfg is the desktop integration utility for Firejail sandbox. 7Firecfg is the desktop integration utility for Firejail sandbox.
8It allows the user to sandbox applications automatically by 8It allows the user to sandbox applications automatically by
9clicking on desktop manager icons and menus. 9clicking on desktop manager icons and menus.
10 10
@@ -102,5 +102,3 @@ Homepage: http://firejail.wordpress.com
102\&\flfiremon\fR\|(1), 102\&\flfiremon\fR\|(1),
103\&\flfirejail-profile\fR\|(5), 103\&\flfirejail-profile\fR\|(5),
104\&\flfirejail-login\fR\|(5) 104\&\flfirejail-login\fR\|(5)
105
106
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt
index 796179d0b..cb192b450 100644
--- a/src/man/firejail-login.txt
+++ b/src/man/firejail-login.txt
@@ -38,5 +38,3 @@ Homepage: http://firejail.wordpress.com
38\&\flfiremon\fR\|(1), 38\&\flfiremon\fR\|(1),
39\&\flfirecfg\fR\|(1), 39\&\flfirecfg\fR\|(1),
40\&\flfirejail-profile\fR\|(5) 40\&\flfirejail-profile\fR\|(5)
41
42
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index ecb626fc6..957a224c6 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -112,5 +112,3 @@ Homepage: http://firejail.wordpress.com
112\&\flfirecfg\fR\|(1), 112\&\flfirecfg\fR\|(1),
113\&\flfirejail-profile\fR\|(5), 113\&\flfirejail-profile\fR\|(5),
114\&\flfirejail-login\fR\|(5) 114\&\flfirejail-login\fR\|(5)
115
116
diff --git a/src/tools/extract_caps.c b/src/tools/extract_caps.c
index 66d86e1a6..b33fdf61f 100644
--- a/src/tools/extract_caps.c
+++ b/src/tools/extract_caps.c
@@ -29,14 +29,14 @@ int main(int argc, char **argv) {
29 printf("usage: %s /usr/include/linux/capability.h\n", argv[0]); 29 printf("usage: %s /usr/include/linux/capability.h\n", argv[0]);
30 return 1; 30 return 1;
31 } 31 }
32 32
33 //open file 33 //open file
34 FILE *fp = fopen(argv[1], "r"); 34 FILE *fp = fopen(argv[1], "r");
35 if (!fp) { 35 if (!fp) {
36 fprintf(stderr, "Error: cannot open file\n"); 36 fprintf(stderr, "Error: cannot open file\n");
37 return 1; 37 return 1;
38 } 38 }
39 39
40 // read file 40 // read file
41 char buf[BUFMAX]; 41 char buf[BUFMAX];
42 while (fgets(buf, BUFMAX, fp)) { 42 while (fgets(buf, BUFMAX, fp)) {
@@ -47,12 +47,12 @@ int main(int argc, char **argv) {
47 char *end = strchr(start, '\n'); 47 char *end = strchr(start, '\n');
48 if (end) 48 if (end)
49 *end = '\0'; 49 *end = '\0';
50 50
51 // parsing 51 // parsing
52 if (strncmp(start, "#define CAP_", 12) == 0) { 52 if (strncmp(start, "#define CAP_", 12) == 0) {
53 if (strstr(start, "CAP_LAST_CAP")) 53 if (strstr(start, "CAP_LAST_CAP"))
54 break; 54 break;
55 55
56 char *ptr1 = start + 8; 56 char *ptr1 = start + 8;
57 char *ptr2 = ptr1; 57 char *ptr2 = ptr1;
58 while (*ptr2 == ' ' || *ptr2 == '\t') 58 while (*ptr2 == ' ' || *ptr2 == '\t')
@@ -60,7 +60,7 @@ int main(int argc, char **argv) {
60 while (*ptr2 != ' ' && *ptr2 != '\t') 60 while (*ptr2 != ' ' && *ptr2 != '\t')
61 ptr2++; 61 ptr2++;
62 *ptr2 = '\0'; 62 *ptr2 = '\0';
63 63
64 ptr2 = strdup(ptr1); 64 ptr2 = strdup(ptr1);
65 assert(ptr2); 65 assert(ptr2);
66 ptr2 += 4; 66 ptr2 += 4;
@@ -69,14 +69,14 @@ int main(int argc, char **argv) {
69 *ptr3 = tolower(*ptr3); 69 *ptr3 = tolower(*ptr3);
70 ptr3++; 70 ptr3++;
71 } 71 }
72 72
73 73
74 printf("#ifdef %s\n", ptr1); 74 printf("#ifdef %s\n", ptr1);
75 printf("\t{\"%s\", %s },\n", ptr2, ptr1); 75 printf("\t{\"%s\", %s },\n", ptr2, ptr1);
76 printf("#endif\n"); 76 printf("#endif\n");
77 77
78 } 78 }
79 79
80 } 80 }
81 fclose(fp); 81 fclose(fp);
82 return 0; 82 return 0;
diff --git a/src/tools/extract_syscalls.c b/src/tools/extract_syscalls.c
index 9af24b8cd..4dad0d2b6 100644
--- a/src/tools/extract_syscalls.c
+++ b/src/tools/extract_syscalls.c
@@ -28,14 +28,14 @@ int main(int argc, char **argv) {
28 printf("usage: %s /usr/include/x86_64-linux-gnu/bits/syscall.h\n", argv[0]); 28 printf("usage: %s /usr/include/x86_64-linux-gnu/bits/syscall.h\n", argv[0]);
29 return 1; 29 return 1;
30 } 30 }
31 31
32 //open file 32 //open file
33 FILE *fp = fopen(argv[1], "r"); 33 FILE *fp = fopen(argv[1], "r");
34 if (!fp) { 34 if (!fp) {
35 fprintf(stderr, "Error: cannot open file\n"); 35 fprintf(stderr, "Error: cannot open file\n");
36 return 1; 36 return 1;
37 } 37 }
38 38
39 // read file 39 // read file
40 char buf[BUFMAX]; 40 char buf[BUFMAX];
41 while (fgets(buf, BUFMAX, fp)) { 41 while (fgets(buf, BUFMAX, fp)) {
@@ -46,7 +46,7 @@ int main(int argc, char **argv) {
46 char *end = strchr(start, '\n'); 46 char *end = strchr(start, '\n');
47 if (end) 47 if (end)
48 *end = '\0'; 48 *end = '\0';
49 49
50 // parsing 50 // parsing
51 if (strncmp(start, "# error", 7) == 0) 51 if (strncmp(start, "# error", 7) == 0)
52 continue; 52 continue;
@@ -66,7 +66,7 @@ int main(int argc, char **argv) {
66 return 1; 66 return 1;
67 } 67 }
68 *(ptr2 - 1) = '\0'; 68 *(ptr2 - 1) = '\0';
69 69
70 char *ptr3 = ptr1; 70 char *ptr3 = ptr1;
71 while (*ptr3 != ' ' && *ptr3 != '\t' && *ptr3 != '\0') 71 while (*ptr3 != ' ' && *ptr3 != '\t' && *ptr3 != '\0')
72 ptr3++; 72 ptr3++;
@@ -75,17 +75,17 @@ int main(int argc, char **argv) {
75 while (*ptr3 != ' ' && *ptr3 != '\t' && *ptr3 != '\0') 75 while (*ptr3 != ' ' && *ptr3 != '\t' && *ptr3 != '\0')
76 ptr3++; 76 ptr3++;
77 *ptr3 = '\0'; 77 *ptr3 = '\0';
78 78
79 ptr3 = ptr1; 79 ptr3 = ptr1;
80 while (*ptr3 != '_') 80 while (*ptr3 != '_')
81 ptr3++; 81 ptr3++;
82 ptr3++; 82 ptr3++;
83 83
84 printf("#ifdef %s\n", ptr1); 84 printf("#ifdef %s\n", ptr1);
85 printf("#ifdef %s\n", ptr2); 85 printf("#ifdef %s\n", ptr2);
86 printf("\t{\"%s\", %s},\n", ptr3, ptr2); 86 printf("\t{\"%s\", %s},\n", ptr3, ptr2);
87 printf("#endif\n"); 87 printf("#endif\n");
88 printf("#endif\n"); 88 printf("#endif\n");
89 } 89 }
90 } 90 }
91 fclose(fp); 91 fclose(fp);
diff --git a/src/tools/mkcoverit.sh b/src/tools/mkcoverit.sh
index 65b06f9fa..d4a68e397 100755
--- a/src/tools/mkcoverit.sh
+++ b/src/tools/mkcoverit.sh
@@ -29,7 +29,7 @@ then
29 pwd 29 pwd
30 ./configure --prefix=/usr 30 ./configure --prefix=/usr
31 cd .. 31 cd ..
32 32
33else 33else
34 echo "Error: firetools source archive missing" 34 echo "Error: firetools source archive missing"
35 exit 1 35 exit 1
diff --git a/src/tools/rvtest.c b/src/tools/rvtest.c
index d108672d2..3432ab9b4 100644
--- a/src/tools/rvtest.c
+++ b/src/tools/rvtest.c
@@ -64,7 +64,7 @@ int main(int argc, char **argv) {
64 // open test file 64 // open test file
65 char *fname = argv[1]; 65 char *fname = argv[1];
66 FILE *fp = fopen(fname, "r"); 66 FILE *fp = fopen(fname, "r");
67 67
68 // read test file 68 // read test file
69 char buf[MAXBUF]; 69 char buf[MAXBUF];
70 int line = 0; 70 int line = 0;
@@ -80,22 +80,22 @@ int main(int argc, char **argv) {
80 *ptr ='\0'; 80 *ptr ='\0';
81 if (*start == '\0') 81 if (*start == '\0')
82 continue; 82 continue;
83 83
84 // skip comments 84 // skip comments
85 if (*start == '#') 85 if (*start == '#')
86 continue; 86 continue;
87 ptr = strchr(start, '#'); 87 ptr = strchr(start, '#');
88 if (ptr) 88 if (ptr)
89 *ptr = '\0'; 89 *ptr = '\0';
90 90
91 // extract exit status 91 // extract exit status
92 int status; 92 int status;
93 int rv = sscanf(start, "%d\n", &status); 93 int rv = sscanf(start, "%d\n", &status);
94 if (rv != 1) { 94 if (rv != 1) {
95 fprintf(stderr, "Error: invalid line %d in %s\n", line, fname); 95 fprintf(stderr, "Error: invalid line %d in %s\n", line, fname);
96 exit(1); 96 exit(1);
97 } 97 }
98 98
99 // extract command 99 // extract command
100 char *cmd = strchr(start, ' '); 100 char *cmd = strchr(start, ' ');
101 if (!cmd) { 101 if (!cmd) {
@@ -124,21 +124,21 @@ int main(int argc, char **argv) {
124 // parent 124 // parent
125 else { 125 else {
126 int exit_status; 126 int exit_status;
127 127
128 alarm(TIMEOUT); 128 alarm(TIMEOUT);
129 pid = waitpid(pid, &exit_status, 0); 129 pid = waitpid(pid, &exit_status, 0);
130 if (pid == -1) { 130 if (pid == -1) {
131 perror("waitpid"); 131 perror("waitpid");
132 exit(1); 132 exit(1);
133 } 133 }
134 134
135 if (WEXITSTATUS(exit_status) != status) 135 if (WEXITSTATUS(exit_status) != status)
136 printf("ERROR TESTING: %s\n", cmd); 136 printf("ERROR TESTING: %s\n", cmd);
137 } 137 }
138 138
139 fflush(0); 139 fflush(0);
140 } 140 }
141 fclose(fp); 141 fclose(fp);
142 142
143 return 0; 143 return 0;
144} \ No newline at end of file 144}
diff --git a/src/tools/unixsocket.c b/src/tools/unixsocket.c
index 88475ea3e..c4302eed3 100644
--- a/src/tools/unixsocket.c
+++ b/src/tools/unixsocket.c
@@ -1,5 +1,5 @@
1#include <stdio.h> 1#include <stdio.h>
2#include <sys/types.h> 2#include <sys/types.h>
3#include <sys/socket.h> 3#include <sys/socket.h>
4#include <sys/un.h> 4#include <sys/un.h>
5 5
@@ -21,7 +21,7 @@ int main(void) {
21 fprintf(stderr, "Error: cannot connect to socket\n"); 21 fprintf(stderr, "Error: cannot connect to socket\n");
22 return 1; 22 return 1;
23 } 23 }
24 24
25 printf("connected to %s\n", socketpath); 25 printf("connected to %s\n", socketpath);
26 close(s); 26 close(s);
27 27