diff options
author | startx2017 <vradu.startx@yandex.com> | 2017-04-13 08:20:08 -0400 |
---|---|---|
committer | startx2017 <vradu.startx@yandex.com> | 2017-04-13 08:20:08 -0400 |
commit | 05e9768345dc3660974d2eecb0b5134d17b20434 (patch) | |
tree | 1f585c97ce51120186975fda5c490f00b44c5f3c /src/firejail | |
parent | fix /sys handling for overlayfs and chroot (diff) | |
download | firejail-05e9768345dc3660974d2eecb0b5134d17b20434.tar.gz firejail-05e9768345dc3660974d2eecb0b5134d17b20434.tar.zst firejail-05e9768345dc3660974d2eecb0b5134d17b20434.zip |
redirect all warnings to fwarning function and control the output with --quiet
Diffstat (limited to 'src/firejail')
-rw-r--r-- | src/firejail/appimage.c | 5 | ||||
-rw-r--r-- | src/firejail/cgroup.c | 2 | ||||
-rw-r--r-- | src/firejail/cpu.c | 16 | ||||
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/fs.c | 21 | ||||
-rw-r--r-- | src/firejail/fs_bin.c | 2 | ||||
-rw-r--r-- | src/firejail/fs_dev.c | 4 | ||||
-rw-r--r-- | src/firejail/fs_etc.c | 5 | ||||
-rw-r--r-- | src/firejail/fs_home.c | 2 | ||||
-rw-r--r-- | src/firejail/fs_mkdir.c | 4 | ||||
-rw-r--r-- | src/firejail/fs_var.c | 8 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 5 | ||||
-rw-r--r-- | src/firejail/join.c | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 24 | ||||
-rw-r--r-- | src/firejail/netns.c | 2 | ||||
-rw-r--r-- | src/firejail/network.c | 2 | ||||
-rw-r--r-- | src/firejail/network_main.c | 2 | ||||
-rw-r--r-- | src/firejail/no_sandbox.c | 11 | ||||
-rw-r--r-- | src/firejail/profile.c | 6 | ||||
-rw-r--r-- | src/firejail/protocol.c | 4 | ||||
-rw-r--r-- | src/firejail/restrict_users.c | 6 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 51 | ||||
-rw-r--r-- | src/firejail/seccomp.c | 2 | ||||
-rw-r--r-- | src/firejail/util.c | 31 |
24 files changed, 104 insertions, 115 deletions
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index 980c80bd9..e14de3c27 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c | |||
@@ -155,15 +155,14 @@ void appimage_clear(void) { | |||
155 | break; | 155 | break; |
156 | } | 156 | } |
157 | if (rv == -1 && errno == EBUSY) { | 157 | if (rv == -1 && errno == EBUSY) { |
158 | if (!arg_quiet) | 158 | fwarning("EBUSY error trying to unmount %s\n", mntdir); |
159 | printf("Warning: EBUSY error trying to unmount %s\n", mntdir); | ||
160 | sleep(2); | 159 | sleep(2); |
161 | continue; | 160 | continue; |
162 | } | 161 | } |
163 | 162 | ||
164 | // rv = -1 | 163 | // rv = -1 |
165 | if (!arg_quiet) { | 164 | if (!arg_quiet) { |
166 | printf("Warning: error trying to unmount %s\n", mntdir); | 165 | fwarning("error trying to unmount %s\n", mntdir); |
167 | perror("umount"); | 166 | perror("umount"); |
168 | } | 167 | } |
169 | } | 168 | } |
diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c index 143180bfb..6ceb647ff 100644 --- a/src/firejail/cgroup.c +++ b/src/firejail/cgroup.c | |||
@@ -63,7 +63,7 @@ void load_cgroup(const char *fname) { | |||
63 | return; | 63 | return; |
64 | } | 64 | } |
65 | errout: | 65 | errout: |
66 | fprintf(stderr, "Warning: cannot load control group\n"); | 66 | fwarning("cannot load control group\n"); |
67 | if (fp) | 67 | if (fp) |
68 | fclose(fp); | 68 | fclose(fp); |
69 | } | 69 | } |
diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c index 7a3e056c1..9c0214502 100644 --- a/src/firejail/cpu.c +++ b/src/firejail/cpu.c | |||
@@ -100,7 +100,7 @@ void load_cpu(const char *fname) { | |||
100 | fclose(fp); | 100 | fclose(fp); |
101 | } | 101 | } |
102 | else | 102 | else |
103 | fprintf(stderr, "Warning: cannot load cpu affinity mask\n"); | 103 | fwarning("cannot load cpu affinity mask\n"); |
104 | } | 104 | } |
105 | 105 | ||
106 | void set_cpu_affinity(void) { | 106 | void set_cpu_affinity(void) { |
@@ -115,20 +115,14 @@ void set_cpu_affinity(void) { | |||
115 | CPU_SET(i, &mask); | 115 | CPU_SET(i, &mask); |
116 | } | 116 | } |
117 | 117 | ||
118 | if (sched_setaffinity(0, sizeof(mask), &mask) == -1) { | 118 | if (sched_setaffinity(0, sizeof(mask), &mask) == -1) |
119 | fprintf(stderr, "Warning: cannot set cpu affinity\n"); | 119 | fwarning("cannot set cpu affinity\n"); |
120 | fprintf(stderr, " "); | ||
121 | perror("sched_setaffinity"); | ||
122 | } | ||
123 | 120 | ||
124 | // verify cpu affinity | 121 | // verify cpu affinity |
125 | cpu_set_t mask2; | 122 | cpu_set_t mask2; |
126 | CPU_ZERO(&mask2); | 123 | CPU_ZERO(&mask2); |
127 | if (sched_getaffinity(0, sizeof(mask2), &mask2) == -1) { | 124 | if (sched_getaffinity(0, sizeof(mask2), &mask2) == -1) |
128 | fprintf(stderr, "Warning: cannot verify cpu affinity\n"); | 125 | fwarning("cannot verify cpu affinity\n"); |
129 | fprintf(stderr, " "); | ||
130 | perror("sched_getaffinity"); | ||
131 | } | ||
132 | else if (arg_debug) { | 126 | else if (arg_debug) { |
133 | if (CPU_EQUAL(&mask, &mask2)) | 127 | if (CPU_EQUAL(&mask, &mask2)) |
134 | printf("CPU affinity set\n"); | 128 | printf("CPU affinity set\n"); |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 7258dd2f8..8831d07f0 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -21,6 +21,7 @@ | |||
21 | #define FIREJAIL_H | 21 | #define FIREJAIL_H |
22 | #include "../include/common.h" | 22 | #include "../include/common.h" |
23 | #include "../include/euid_common.h" | 23 | #include "../include/euid_common.h" |
24 | #include <stdarg.h> | ||
24 | 25 | ||
25 | // debug restricted shell | 26 | // debug restricted shell |
26 | //#define DEBUG_RESTRICTED_SHELL | 27 | //#define DEBUG_RESTRICTED_SHELL |
@@ -446,6 +447,7 @@ int arp_check(const char *dev, uint32_t destaddr, uint32_t srcaddr); | |||
446 | uint32_t arp_assign(const char *dev, Bridge *br); | 447 | uint32_t arp_assign(const char *dev, Bridge *br); |
447 | 448 | ||
448 | // util.c | 449 | // util.c |
450 | void fwarning(char* fmt, ...); | ||
449 | void drop_privs(int nogroups); | 451 | void drop_privs(int nogroups); |
450 | int mkpath_as_root(const char* path); | 452 | int mkpath_as_root(const char* path); |
451 | void extract_command_name(int index, char **argv); | 453 | void extract_command_name(int index, char **argv); |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index f6aba7048..fa66da617 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -97,7 +97,7 @@ static void disable_file(OPERATION op, const char *filename) { | |||
97 | return; | 97 | return; |
98 | if (stat(fname, &s) == -1) { | 98 | if (stat(fname, &s) == -1) { |
99 | if (arg_debug) | 99 | if (arg_debug) |
100 | printf("Warning: %s does not exist, skipping...\n", fname); | 100 | fwarning("%s does not exist, skipping...\n", fname); |
101 | free(fname); | 101 | free(fname); |
102 | return; | 102 | return; |
103 | } | 103 | } |
@@ -108,8 +108,7 @@ static void disable_file(OPERATION op, const char *filename) { | |||
108 | if ((strcmp(fname, "/bin") == 0 || strcmp(fname, "/usr/bin") == 0) && | 108 | if ((strcmp(fname, "/bin") == 0 || strcmp(fname, "/usr/bin") == 0) && |
109 | is_link(filename) && | 109 | is_link(filename) && |
110 | S_ISDIR(s.st_mode)) { | 110 | S_ISDIR(s.st_mode)) { |
111 | if (!arg_quiet) | 111 | fwarning("%s directory link was not blacklisted\n", filename); |
112 | fprintf(stderr, "Warning: %s directory link was not blacklisted\n", filename); | ||
113 | } | 112 | } |
114 | else { | 113 | else { |
115 | if (arg_debug) { | 114 | if (arg_debug) { |
@@ -175,7 +174,7 @@ static void disable_file(OPERATION op, const char *filename) { | |||
175 | fs_logger2("tmpfs", fname); | 174 | fs_logger2("tmpfs", fname); |
176 | } | 175 | } |
177 | else | 176 | else |
178 | printf("Warning: %s is not a directory; cannot mount a tmpfs on top of it.\n", fname); | 177 | fwarning("%s is not a directory; cannot mount a tmpfs on top of it.\n", fname); |
179 | } | 178 | } |
180 | else | 179 | else |
181 | assert(0); | 180 | assert(0); |
@@ -444,8 +443,7 @@ static void fs_rdwr(const char *dir) { | |||
444 | // if the file is outside /home directory, allow only root user | 443 | // if the file is outside /home directory, allow only root user |
445 | uid_t u = getuid(); | 444 | uid_t u = getuid(); |
446 | if (u != 0 && s.st_uid != u) { | 445 | if (u != 0 && s.st_uid != u) { |
447 | if (!arg_quiet) | 446 | fwarning("you are not allowed to change %s to read-write\n", dir); |
448 | fprintf(stderr, "Warning: you are not allowed to change %s to read-write\n", dir); | ||
449 | return; | 447 | return; |
450 | } | 448 | } |
451 | 449 | ||
@@ -501,9 +499,9 @@ void fs_proc_sys_dev_boot(void) { | |||
501 | if (arg_debug) | 499 | if (arg_debug) |
502 | printf("Remounting /sys directory\n"); | 500 | printf("Remounting /sys directory\n"); |
503 | if (umount2("/sys", MNT_DETACH) < 0) | 501 | if (umount2("/sys", MNT_DETACH) < 0) |
504 | fprintf(stderr, "Warning: failed to unmount /sys\n"); | 502 | fwarning("failed to unmount /sys\n"); |
505 | if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0) | 503 | if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0) |
506 | fprintf(stderr, "Warning: failed to mount /sys\n"); | 504 | fwarning("failed to mount /sys\n"); |
507 | else | 505 | else |
508 | fs_logger("remount /sys"); | 506 | fs_logger("remount /sys"); |
509 | 507 | ||
@@ -913,7 +911,8 @@ void fs_overlayfs(void) { | |||
913 | // issue #263 end code | 911 | // issue #263 end code |
914 | //*************************** | 912 | //*************************** |
915 | } | 913 | } |
916 | printf("OverlayFS configured in %s directory\n", basedir); | 914 | if (!arg_quiet) |
915 | printf("OverlayFS configured in %s directory\n", basedir); | ||
917 | 916 | ||
918 | // mount-bind dev directory | 917 | // mount-bind dev directory |
919 | if (arg_debug) | 918 | if (arg_debug) |
@@ -943,7 +942,7 @@ void fs_overlayfs(void) { | |||
943 | if (asprintf(&x11, "%s/tmp/.X11-unix", oroot) == -1) | 942 | if (asprintf(&x11, "%s/tmp/.X11-unix", oroot) == -1) |
944 | errExit("asprintf"); | 943 | errExit("asprintf"); |
945 | if (mount("/tmp/.X11-unix", x11, NULL, MS_BIND|MS_REC, NULL) < 0) | 944 | if (mount("/tmp/.X11-unix", x11, NULL, MS_BIND|MS_REC, NULL) < 0) |
946 | fprintf(stderr, "Warning: cannot mount /tmp/.X11-unix in overlay\n"); | 945 | fwarning("cannot mount /tmp/.X11-unix in overlay\n"); |
947 | else | 946 | else |
948 | fs_logger("whitelist /tmp/.X11-unix"); | 947 | fs_logger("whitelist /tmp/.X11-unix"); |
949 | free(x11); | 948 | free(x11); |
@@ -1172,7 +1171,7 @@ void fs_chroot(const char *rootdir) { | |||
1172 | exit(1); | 1171 | exit(1); |
1173 | } | 1172 | } |
1174 | if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1) // root needed | 1173 | if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1) // root needed |
1175 | fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n"); | 1174 | fwarning("/etc/resolv.conf not initialized\n"); |
1176 | } | 1175 | } |
1177 | 1176 | ||
1178 | // chroot into the new directory | 1177 | // chroot into the new directory |
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 73edd2ef9..c572bec88 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c | |||
@@ -86,7 +86,7 @@ static char *check_dir_or_file(const char *name) { | |||
86 | 86 | ||
87 | if (!fname) { | 87 | if (!fname) { |
88 | if (arg_debug) | 88 | if (arg_debug) |
89 | fprintf(stderr, "Warning: file %s not found\n", name); | 89 | fwarning("file %s not found\n", name); |
90 | return NULL; | 90 | return NULL; |
91 | } | 91 | } |
92 | 92 | ||
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index fd21e7515..20fcf56e7 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c | |||
@@ -72,7 +72,7 @@ static void deventry_mount(void) { | |||
72 | struct stat s; | 72 | struct stat s; |
73 | if (stat(dev[i].run_fname, &s) == -1) { | 73 | if (stat(dev[i].run_fname, &s) == -1) { |
74 | if (arg_debug) | 74 | if (arg_debug) |
75 | printf("Warning: cannot stat %s file\n", dev[i].run_fname); | 75 | fwarning("cannot stat %s file\n", dev[i].run_fname); |
76 | i++; | 76 | i++; |
77 | continue; | 77 | continue; |
78 | } | 78 | } |
@@ -254,7 +254,7 @@ void fs_dev_shm(void) { | |||
254 | free(lnk); | 254 | free(lnk); |
255 | } | 255 | } |
256 | else { | 256 | else { |
257 | fprintf(stderr, "Warning: /dev/shm not mounted\n"); | 257 | fwarning("/dev/shm not mounted\n"); |
258 | dbg_test_dir("/dev/shm"); | 258 | dbg_test_dir("/dev/shm"); |
259 | } | 259 | } |
260 | 260 | ||
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index 69c422f1d..59700dd9b 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c | |||
@@ -81,7 +81,7 @@ static int check_dir_or_file(const char *fname) { | |||
81 | struct stat s; | 81 | struct stat s; |
82 | if (stat(fname, &s) == -1) { | 82 | if (stat(fname, &s) == -1) { |
83 | if (arg_debug) | 83 | if (arg_debug) |
84 | printf("Warning: file %s not found.\n", fname); | 84 | fwarning("file %s not found.\n", fname); |
85 | return 0; | 85 | return 0; |
86 | } | 86 | } |
87 | 87 | ||
@@ -109,8 +109,7 @@ static void duplicate(const char *fname, const char *private_dir, const char *pr | |||
109 | if (asprintf(&src, "%s/%s", private_dir, fname) == -1) | 109 | if (asprintf(&src, "%s/%s", private_dir, fname) == -1) |
110 | errExit("asprintf"); | 110 | errExit("asprintf"); |
111 | if (check_dir_or_file(src) == 0) { | 111 | if (check_dir_or_file(src) == 0) { |
112 | if (!arg_quiet) | 112 | fwarning("skipping %s for private %s\n", fname, private_dir); |
113 | fprintf(stderr, "Warning: skipping %s for private %s\n", fname, private_dir); | ||
114 | free(src); | 113 | free(src); |
115 | return; | 114 | return; |
116 | } | 115 | } |
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 3364ef797..d24f19da7 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -119,7 +119,7 @@ static int store_xauthority(void) { | |||
119 | struct stat s; | 119 | struct stat s; |
120 | if (stat(src, &s) == 0) { | 120 | if (stat(src, &s) == 0) { |
121 | if (is_link(src)) { | 121 | if (is_link(src)) { |
122 | fprintf(stderr, "Warning: invalid .Xauthority file\n"); | 122 | fwarning("invalid .Xauthority file\n"); |
123 | return 0; | 123 | return 0; |
124 | } | 124 | } |
125 | 125 | ||
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c index f90b7df60..4397f0721 100644 --- a/src/firejail/fs_mkdir.c +++ b/src/firejail/fs_mkdir.c | |||
@@ -39,11 +39,11 @@ static void mkdir_recursive(char *path) { | |||
39 | if (stat(subdir, &s) == -1) { | 39 | if (stat(subdir, &s) == -1) { |
40 | /* coverity[toctou] */ | 40 | /* coverity[toctou] */ |
41 | if (mkdir(subdir, 0700) == -1) { | 41 | if (mkdir(subdir, 0700) == -1) { |
42 | fprintf(stderr, "Warning: cannot create %s directory\n", subdir); | 42 | fwarning("cannot create %s directory\n", subdir); |
43 | return; | 43 | return; |
44 | } | 44 | } |
45 | } else if (!S_ISDIR(s.st_mode)) { | 45 | } else if (!S_ISDIR(s.st_mode)) { |
46 | fprintf(stderr, "Warning: '%s' exists, but is no directory\n", subdir); | 46 | fwarning("'%s exists, but is not a directory\n", subdir); |
47 | return; | 47 | return; |
48 | } | 48 | } |
49 | if (chdir(subdir)) { | 49 | if (chdir(subdir)) { |
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index bbea3b392..426ef48bf 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c | |||
@@ -143,7 +143,7 @@ void fs_var_log(void) { | |||
143 | fs_logger("touch /var/log/btmp"); | 143 | fs_logger("touch /var/log/btmp"); |
144 | } | 144 | } |
145 | else | 145 | else |
146 | fprintf(stderr, "Warning: cannot hide /var/log directory\n"); | 146 | fwarning("cannot hide /var/log directory\n"); |
147 | } | 147 | } |
148 | 148 | ||
149 | void fs_var_lib(void) { | 149 | void fs_var_lib(void) { |
@@ -269,7 +269,7 @@ void fs_var_lock(void) { | |||
269 | fs_logger("tmpfs /var/lock"); | 269 | fs_logger("tmpfs /var/lock"); |
270 | } | 270 | } |
271 | else { | 271 | else { |
272 | fprintf(stderr, "Warning: /var/lock not mounted\n"); | 272 | fwarning("/var/lock not mounted\n"); |
273 | dbg_test_dir("/var/lock"); | 273 | dbg_test_dir("/var/lock"); |
274 | } | 274 | } |
275 | } | 275 | } |
@@ -287,7 +287,7 @@ void fs_var_tmp(void) { | |||
287 | } | 287 | } |
288 | } | 288 | } |
289 | else { | 289 | else { |
290 | fprintf(stderr, "Warning: /var/tmp not mounted\n"); | 290 | fwarning("/var/tmp not mounted\n"); |
291 | dbg_test_dir("/var/tmp"); | 291 | dbg_test_dir("/var/tmp"); |
292 | } | 292 | } |
293 | } | 293 | } |
@@ -300,7 +300,7 @@ void fs_var_utmp(void) { | |||
300 | if (stat(UTMP_FILE, &s) == 0) | 300 | if (stat(UTMP_FILE, &s) == 0) |
301 | utmp_group = s.st_gid; | 301 | utmp_group = s.st_gid; |
302 | else { | 302 | else { |
303 | fprintf(stderr, "Warning: cannot find /var/run/utmp\n"); | 303 | fwarning("cannot find /var/run/utmp\n"); |
304 | return; | 304 | return; |
305 | } | 305 | } |
306 | 306 | ||
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 43a9269ff..407192200 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -352,7 +352,7 @@ void fs_whitelist(void) { | |||
352 | dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10; | 352 | dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10; |
353 | } | 353 | } |
354 | else { | 354 | else { |
355 | if (!nowhitelist_flag) { | 355 | if (!nowhitelist_flag && !arg_quiet) { |
356 | fprintf(stderr, "***\n"); | 356 | fprintf(stderr, "***\n"); |
357 | fprintf(stderr, "*** Warning: cannot whitelist Downloads directory\n"); | 357 | fprintf(stderr, "*** Warning: cannot whitelist Downloads directory\n"); |
358 | fprintf(stderr, "*** \tAny file saved will be lost when the sandbox is closed.\n"); | 358 | fprintf(stderr, "*** \tAny file saved will be lost when the sandbox is closed.\n"); |
@@ -438,8 +438,7 @@ void fs_whitelist(void) { | |||
438 | if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) { | 438 | if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) { |
439 | // whitelisting home directory is disabled if --private option is present | 439 | // whitelisting home directory is disabled if --private option is present |
440 | if (arg_private) { | 440 | if (arg_private) { |
441 | if (!arg_quiet) | 441 | fwarning("\"%s\" disabled by --private\n", entry->data); |
442 | printf("Warning: \"%s\" disabled by --private\n", entry->data); | ||
443 | 442 | ||
444 | *entry->data = '\0'; | 443 | *entry->data = '\0'; |
445 | continue; | 444 | continue; |
diff --git a/src/firejail/join.c b/src/firejail/join.c index a4b16ff8d..2f6f070e0 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -308,7 +308,7 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
308 | int rv = nice(cfg.nice); | 308 | int rv = nice(cfg.nice); |
309 | (void) rv; | 309 | (void) rv; |
310 | if (errno) { | 310 | if (errno) { |
311 | fprintf(stderr, "Warning: cannot set nice value\n"); | 311 | fwarning("cannot set nice value\n"); |
312 | errno = 0; | 312 | errno = 0; |
313 | } | 313 | } |
314 | } | 314 | } |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 216488287..4357ddaa4 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -272,8 +272,7 @@ void check_user_namespace(void) { | |||
272 | return; | 272 | return; |
273 | 273 | ||
274 | errout: | 274 | errout: |
275 | if (!arg_quiet || arg_debug) | 275 | fwarning("noroot option is not available\n"); |
276 | fprintf(stderr, "Warning: noroot option is not available\n"); | ||
277 | arg_noroot = 0; | 276 | arg_noroot = 0; |
278 | 277 | ||
279 | } | 278 | } |
@@ -1074,8 +1073,7 @@ int main(int argc, char **argv) { | |||
1074 | else if (strncmp(argv[i], "--protocol=", 11) == 0) { | 1073 | else if (strncmp(argv[i], "--protocol=", 11) == 0) { |
1075 | if (checkcfg(CFG_SECCOMP)) { | 1074 | if (checkcfg(CFG_SECCOMP)) { |
1076 | if (cfg.protocol) { | 1075 | if (cfg.protocol) { |
1077 | if (!arg_quiet) | 1076 | fwarning("a protocol list is present, the new list \"%s\" will not be installed\n", argv[i] + 11); |
1078 | fprintf(stderr, "Warning: a protocol list is present, the new list \"%s\" will not be installed\n", argv[i] + 11); | ||
1079 | } | 1077 | } |
1080 | else { | 1078 | else { |
1081 | // store list | 1079 | // store list |
@@ -1708,8 +1706,7 @@ int main(int argc, char **argv) { | |||
1708 | errExit("strdup"); | 1706 | errExit("strdup"); |
1709 | 1707 | ||
1710 | if (net_get_if_addr(intf->dev, &intf->ip, &intf->mask, intf->mac, &intf->mtu)) { | 1708 | if (net_get_if_addr(intf->dev, &intf->ip, &intf->mask, intf->mac, &intf->mtu)) { |
1711 | if (!arg_quiet || arg_debug) | 1709 | fwarning("interface %s is not configured\n", intf->dev); |
1712 | fprintf(stderr, "Warning: interface %s is not configured\n", intf->dev); | ||
1713 | } | 1710 | } |
1714 | intf->configured = 1; | 1711 | intf->configured = 1; |
1715 | } | 1712 | } |
@@ -2186,8 +2183,7 @@ int main(int argc, char **argv) { | |||
2186 | 2183 | ||
2187 | // check trace configuration | 2184 | // check trace configuration |
2188 | if (arg_trace && arg_tracelog) { | 2185 | if (arg_trace && arg_tracelog) { |
2189 | if (!arg_quiet || arg_debug) | 2186 | fwarning("--trace and --tracelog are mutually exclusive; --tracelog disabled\n"); |
2190 | fprintf(stderr, "Warning: --trace and --tracelog are mutually exclusive; --tracelog disabled\n"); | ||
2191 | } | 2187 | } |
2192 | 2188 | ||
2193 | // check user namespace (--noroot) options | 2189 | // check user namespace (--noroot) options |
@@ -2273,12 +2269,10 @@ int main(int argc, char **argv) { | |||
2273 | // use default.profile as the default | 2269 | // use default.profile as the default |
2274 | if (!custom_profile && !arg_noprofile) { | 2270 | if (!custom_profile && !arg_noprofile) { |
2275 | if (cfg.chrootdir) { | 2271 | if (cfg.chrootdir) { |
2276 | if (!arg_quiet || arg_debug) | 2272 | fwarning("default profile disabled by --chroot option\n"); |
2277 | fprintf(stderr, "Warning: default profile disabled by --chroot option\n"); | ||
2278 | } | 2273 | } |
2279 | else if (arg_overlay) { | 2274 | else if (arg_overlay) { |
2280 | if (!arg_quiet || arg_debug) | 2275 | fwarning("default profile disabled by --overlay option\n"); |
2281 | fprintf(stderr, "Warning: default profile disabled by --overlay option\n"); | ||
2282 | } | 2276 | } |
2283 | else { | 2277 | else { |
2284 | // try to load a default profile | 2278 | // try to load a default profile |
@@ -2346,13 +2340,11 @@ int main(int argc, char **argv) { | |||
2346 | errExit("pipe"); | 2340 | errExit("pipe"); |
2347 | 2341 | ||
2348 | if (arg_noroot && arg_overlay) { | 2342 | if (arg_noroot && arg_overlay) { |
2349 | if (!arg_quiet || arg_debug) | 2343 | fwarning("--overlay and --noroot are mutually exclusive, noroot disabled\n"); |
2350 | fprintf(stderr, "Warning: --overlay and --noroot are mutually exclusive, noroot disabled\n"); | ||
2351 | arg_noroot = 0; | 2344 | arg_noroot = 0; |
2352 | } | 2345 | } |
2353 | else if (arg_noroot && cfg.chrootdir) { | 2346 | else if (arg_noroot && cfg.chrootdir) { |
2354 | if (!arg_quiet || arg_debug) | 2347 | fwarning("--chroot and --noroot are mutually exclusive, noroot disabled\n"); |
2355 | fprintf(stderr, "Warning: --chroot and --noroot are mutually exclusive, noroot disabled\n"); | ||
2356 | arg_noroot = 0; | 2348 | arg_noroot = 0; |
2357 | } | 2349 | } |
2358 | 2350 | ||
diff --git a/src/firejail/netns.c b/src/firejail/netns.c index 477d56b3d..fdd108652 100644 --- a/src/firejail/netns.c +++ b/src/firejail/netns.c | |||
@@ -103,7 +103,7 @@ void netns_mounts(const char *nsname) { | |||
103 | asprintf(&etc_name, "/etc/%s", entry->d_name) < 0) | 103 | asprintf(&etc_name, "/etc/%s", entry->d_name) < 0) |
104 | errExit("asprintf"); | 104 | errExit("asprintf"); |
105 | if (mount(netns_name, etc_name, "none", MS_BIND, 0) < 0) { | 105 | if (mount(netns_name, etc_name, "none", MS_BIND, 0) < 0) { |
106 | fprintf(stderr, "Warning: bind %s -> %s failed: %s\n", | 106 | fwarning("bind %s -> %s failed: %s\n", |
107 | netns_name, etc_name, strerror(errno)); | 107 | netns_name, etc_name, strerror(errno)); |
108 | } | 108 | } |
109 | free(netns_name); | 109 | free(netns_name); |
diff --git a/src/firejail/network.c b/src/firejail/network.c index 673c607ca..44fc4f68f 100644 --- a/src/firejail/network.c +++ b/src/firejail/network.c | |||
@@ -75,7 +75,7 @@ void net_set_mtu(const char *ifname, int mtu) { | |||
75 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ); | 75 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ); |
76 | ifr.ifr_mtu = mtu; | 76 | ifr.ifr_mtu = mtu; |
77 | if (ioctl(s, SIOCSIFMTU, (caddr_t)&ifr) != 0) | 77 | if (ioctl(s, SIOCSIFMTU, (caddr_t)&ifr) != 0) |
78 | fprintf(stderr, "Warning: cannot set mtu for interface %s\n", ifname); | 78 | fwarning("cannot set mtu for interface %s\n", ifname); |
79 | close(s); | 79 | close(s); |
80 | } | 80 | } |
81 | 81 | ||
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c index 924a94091..3450bceea 100644 --- a/src/firejail/network_main.c +++ b/src/firejail/network_main.c | |||
@@ -59,7 +59,7 @@ void net_configure_bridge(Bridge *br, char *dev_name) { | |||
59 | 59 | ||
60 | // allow unconfigured interfaces | 60 | // allow unconfigured interfaces |
61 | if (net_get_if_addr(br->dev, &br->ip, &br->mask, br->mac, &br->mtu)) { | 61 | if (net_get_if_addr(br->dev, &br->ip, &br->mask, br->mac, &br->mtu)) { |
62 | fprintf(stderr, "Warning: the network interface %s is not configured\n", br->dev); | 62 | fwarning("the network interface %s is not configured\n", br->dev); |
63 | br->configured = 1; | 63 | br->configured = 1; |
64 | br->arg_ip_none = 1; | 64 | br->arg_ip_none = 1; |
65 | return; | 65 | return; |
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 7cca6b291..ecbc5d1d0 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c | |||
@@ -118,7 +118,7 @@ int check_kernel_procs(void) { | |||
118 | /* coverity[toctou] */ | 118 | /* coverity[toctou] */ |
119 | FILE *fp = fopen(fname, "r"); | 119 | FILE *fp = fopen(fname, "r"); |
120 | if (!fp) { | 120 | if (!fp) { |
121 | fprintf(stderr, "Warning: cannot open %s\n", fname); | 121 | fwarning("cannot open %s\n", fname); |
122 | free(fname); | 122 | free(fname); |
123 | continue; | 123 | continue; |
124 | } | 124 | } |
@@ -126,7 +126,7 @@ int check_kernel_procs(void) { | |||
126 | // read file | 126 | // read file |
127 | char buf[100]; | 127 | char buf[100]; |
128 | if (fgets(buf, 10, fp) == NULL) { | 128 | if (fgets(buf, 10, fp) == NULL) { |
129 | fprintf(stderr, "Warning: cannot read %s\n", fname); | 129 | fwarning("cannot read %s\n", fname); |
130 | fclose(fp); | 130 | fclose(fp); |
131 | free(fname); | 131 | free(fname); |
132 | continue; | 132 | continue; |
@@ -171,7 +171,7 @@ void run_no_sandbox(int argc, char **argv) { | |||
171 | strcmp(argv[i], "--zsh") == 0 || | 171 | strcmp(argv[i], "--zsh") == 0 || |
172 | strcmp(argv[i], "--shell=none") == 0 || | 172 | strcmp(argv[i], "--shell=none") == 0 || |
173 | strncmp(argv[i], "--shell=", 8) == 0) | 173 | strncmp(argv[i], "--shell=", 8) == 0) |
174 | fprintf(stderr, "Warning: shell-related command line options are disregarded - using SHELL environment variable\n"); | 174 | fwarning("shell-related command line options are disregarded - using SHELL environment variable\n"); |
175 | } | 175 | } |
176 | 176 | ||
177 | // use $SHELL to get shell used in sandbox | 177 | // use $SHELL to get shell used in sandbox |
@@ -225,9 +225,8 @@ void run_no_sandbox(int argc, char **argv) { | |||
225 | command = cfg.shell; | 225 | command = cfg.shell; |
226 | else | 226 | else |
227 | command = argv[prog_index]; | 227 | command = argv[prog_index]; |
228 | if (!arg_quiet) | 228 | fwarning("an existing sandbox was detected. " |
229 | fprintf(stderr, "Warning: an existing sandbox was detected. " | 229 | "%s will run without any additional sandboxing features\n", command); |
230 | "%s will run without any additional sandboxing features\n", command); | ||
231 | 230 | ||
232 | arg_quiet = 1; | 231 | arg_quiet = 1; |
233 | start_application(); | 232 | start_application(); |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 53fa38845..172aff121 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -64,8 +64,7 @@ int profile_find(const char *name, const char *dir) { | |||
64 | //*************************************************** | 64 | //*************************************************** |
65 | 65 | ||
66 | static void warning_feature_disabled(const char *feature) { | 66 | static void warning_feature_disabled(const char *feature) { |
67 | if (!arg_quiet) | 67 | fwarning("%s feature is disabled in Firejail configuration file\n", feature); |
68 | fprintf(stderr, "Warning: %s feature is disabled in Firejail configuration file\n", feature); | ||
69 | } | 68 | } |
70 | 69 | ||
71 | 70 | ||
@@ -513,8 +512,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
513 | #ifdef HAVE_SECCOMP | 512 | #ifdef HAVE_SECCOMP |
514 | if (checkcfg(CFG_SECCOMP)) { | 513 | if (checkcfg(CFG_SECCOMP)) { |
515 | if (cfg.protocol) { | 514 | if (cfg.protocol) { |
516 | if (!arg_quiet) | 515 | fwarning("a protocol list is present, the new list \"%s\" will not be installed\n", ptr + 9); |
517 | fprintf(stderr, "Warning: a protocol list is present, the new list \"%s\" will not be installed\n", ptr + 9); | ||
518 | return 0; | 516 | return 0; |
519 | } | 517 | } |
520 | 518 | ||
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c index 382d469f1..098c9fb16 100644 --- a/src/firejail/protocol.c +++ b/src/firejail/protocol.c | |||
@@ -107,8 +107,8 @@ void protocol_print_filter(pid_t pid) { | |||
107 | printf("%s\n", cfg.protocol); | 107 | printf("%s\n", cfg.protocol); |
108 | exit(0); | 108 | exit(0); |
109 | #else | 109 | #else |
110 | fprintf(stderr, "Warning: --protocol not supported on this platform\n"); | 110 | fwarning("--protocol not supported on this platform\n"); |
111 | return; | 111 | return; |
112 | #endif | 112 | #endif |
113 | } | 113 | } |
114 | 114 | ||
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index f759e7333..086af48b0 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c | |||
@@ -69,7 +69,7 @@ static void sanitize_home(void) { | |||
69 | struct stat s; | 69 | struct stat s; |
70 | if (stat(cfg.homedir, &s) == -1) { | 70 | if (stat(cfg.homedir, &s) == -1) { |
71 | // cannot find home directory, just return | 71 | // cannot find home directory, just return |
72 | fprintf(stderr, "Warning: cannot find home directory\n"); | 72 | fwarning("cannot find home directory\n"); |
73 | return; | 73 | return; |
74 | } | 74 | } |
75 | 75 | ||
@@ -194,7 +194,7 @@ static void sanitize_passwd(void) { | |||
194 | return; | 194 | return; |
195 | 195 | ||
196 | errout: | 196 | errout: |
197 | fprintf(stderr, "Warning: failed to clean up /etc/passwd\n"); | 197 | fwarning("failed to clean up /etc/passwd\n"); |
198 | if (fpin) | 198 | if (fpin) |
199 | fclose(fpin); | 199 | fclose(fpin); |
200 | if (fpout) | 200 | if (fpout) |
@@ -322,7 +322,7 @@ static void sanitize_group(void) { | |||
322 | return; | 322 | return; |
323 | 323 | ||
324 | errout: | 324 | errout: |
325 | fprintf(stderr, "Warning: failed to clean up /etc/group\n"); | 325 | fwarning("failed to clean up /etc/group\n"); |
326 | if (fpin) | 326 | if (fpin) |
327 | fclose(fpin); | 327 | fclose(fpin); |
328 | if (fpout) | 328 | if (fpout) |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 6cb1aca28..35ca4ff2d 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -391,8 +391,8 @@ static void enforce_filters(void) { | |||
391 | } | 391 | } |
392 | 392 | ||
393 | // disable all capabilities | 393 | // disable all capabilities |
394 | if ((arg_caps_default_filter || arg_caps_list) && !arg_quiet) | 394 | if (arg_caps_default_filter || arg_caps_list) |
395 | fprintf(stderr, "Warning: all capabilities disabled for a regular user in chroot\n"); | 395 | fwarning("all capabilities disabled for a regular user in chroot\n"); |
396 | arg_caps_drop_all = 1; | 396 | arg_caps_drop_all = 1; |
397 | 397 | ||
398 | // drop all supplementary groups; /etc/group file inside chroot | 398 | // drop all supplementary groups; /etc/group file inside chroot |
@@ -525,8 +525,7 @@ int sandbox(void* sandbox_arg) { | |||
525 | if (cfg.defaultgw) { | 525 | if (cfg.defaultgw) { |
526 | // set the default route | 526 | // set the default route |
527 | if (net_add_route(0, 0, cfg.defaultgw)) { | 527 | if (net_add_route(0, 0, cfg.defaultgw)) { |
528 | if (!arg_quiet) | 528 | fwarning("cannot configure default route\n"); |
529 | fprintf(stderr, "Warning: cannot configure default route\n"); | ||
530 | gw_cfg_failed = 1; | 529 | gw_cfg_failed = 1; |
531 | } | 530 | } |
532 | } | 531 | } |
@@ -655,17 +654,17 @@ int sandbox(void* sandbox_arg) { | |||
655 | if (arg_private) { | 654 | if (arg_private) { |
656 | if (cfg.home_private) { // --private= | 655 | if (cfg.home_private) { // --private= |
657 | if (cfg.chrootdir) | 656 | if (cfg.chrootdir) |
658 | fprintf(stderr, "Warning: private=directory feature is disabled in chroot\n"); | 657 | fwarning("private=directory feature is disabled in chroot\n"); |
659 | else if (arg_overlay) | 658 | else if (arg_overlay) |
660 | fprintf(stderr, "Warning: private=directory feature is disabled in overlay\n"); | 659 | fwarning("private=directory feature is disabled in overlay\n"); |
661 | else | 660 | else |
662 | fs_private_homedir(); | 661 | fs_private_homedir(); |
663 | } | 662 | } |
664 | else if (cfg.home_private_keep) { // --private-home= | 663 | else if (cfg.home_private_keep) { // --private-home= |
665 | if (cfg.chrootdir) | 664 | if (cfg.chrootdir) |
666 | fprintf(stderr, "Warning: private-home= feature is disabled in chroot\n"); | 665 | fwarning("private-home= feature is disabled in chroot\n"); |
667 | else if (arg_overlay) | 666 | else if (arg_overlay) |
668 | fprintf(stderr, "Warning: private-home= feature is disabled in overlay\n"); | 667 | fwarning("private-home= feature is disabled in overlay\n"); |
669 | else | 668 | else |
670 | fs_private_home_list(); | 669 | fs_private_home_list(); |
671 | } | 670 | } |
@@ -675,18 +674,18 @@ int sandbox(void* sandbox_arg) { | |||
675 | 674 | ||
676 | if (arg_private_dev) { | 675 | if (arg_private_dev) { |
677 | if (cfg.chrootdir) | 676 | if (cfg.chrootdir) |
678 | fprintf(stderr, "Warning: private-dev feature is disabled in chroot\n"); | 677 | fwarning("private-dev feature is disabled in chroot\n"); |
679 | else if (arg_overlay) | 678 | else if (arg_overlay) |
680 | fprintf(stderr, "Warning: private-dev feature is disabled in overlay\n"); | 679 | fwarning("private-dev feature is disabled in overlay\n"); |
681 | else | 680 | else |
682 | fs_private_dev(); | 681 | fs_private_dev(); |
683 | } | 682 | } |
684 | 683 | ||
685 | if (arg_private_etc) { | 684 | if (arg_private_etc) { |
686 | if (cfg.chrootdir) | 685 | if (cfg.chrootdir) |
687 | fprintf(stderr, "Warning: private-etc feature is disabled in chroot\n"); | 686 | fwarning("private-etc feature is disabled in chroot\n"); |
688 | else if (arg_overlay) | 687 | else if (arg_overlay) |
689 | fprintf(stderr, "Warning: private-etc feature is disabled in overlay\n"); | 688 | fwarning("private-etc feature is disabled in overlay\n"); |
690 | else { | 689 | else { |
691 | fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep); | 690 | fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep); |
692 | // create /etc/ld.so.preload file again | 691 | // create /etc/ld.so.preload file again |
@@ -697,9 +696,9 @@ int sandbox(void* sandbox_arg) { | |||
697 | 696 | ||
698 | if (arg_private_opt) { | 697 | if (arg_private_opt) { |
699 | if (cfg.chrootdir) | 698 | if (cfg.chrootdir) |
700 | fprintf(stderr, "Warning: private-opt feature is disabled in chroot\n"); | 699 | fwarning("private-opt feature is disabled in chroot\n"); |
701 | else if (arg_overlay) | 700 | else if (arg_overlay) |
702 | fprintf(stderr, "Warning: private-opt feature is disabled in overlay\n"); | 701 | fwarning("private-opt feature is disabled in overlay\n"); |
703 | else { | 702 | else { |
704 | fs_private_dir_list("/opt", RUN_OPT_DIR, cfg.opt_private_keep); | 703 | fs_private_dir_list("/opt", RUN_OPT_DIR, cfg.opt_private_keep); |
705 | } | 704 | } |
@@ -707,9 +706,9 @@ int sandbox(void* sandbox_arg) { | |||
707 | 706 | ||
708 | if (arg_private_srv) { | 707 | if (arg_private_srv) { |
709 | if (cfg.chrootdir) | 708 | if (cfg.chrootdir) |
710 | fprintf(stderr, "Warning: private-srv feature is disabled in chroot\n"); | 709 | fwarning("private-srv feature is disabled in chroot\n"); |
711 | else if (arg_overlay) | 710 | else if (arg_overlay) |
712 | fprintf(stderr, "Warning: private-srv feature is disabled in overlay\n"); | 711 | fwarning("private-srv feature is disabled in overlay\n"); |
713 | else { | 712 | else { |
714 | fs_private_dir_list("/srv", RUN_SRV_DIR, cfg.srv_private_keep); | 713 | fs_private_dir_list("/srv", RUN_SRV_DIR, cfg.srv_private_keep); |
715 | } | 714 | } |
@@ -717,9 +716,9 @@ int sandbox(void* sandbox_arg) { | |||
717 | 716 | ||
718 | if (arg_private_bin) { | 717 | if (arg_private_bin) { |
719 | if (cfg.chrootdir) | 718 | if (cfg.chrootdir) |
720 | fprintf(stderr, "Warning: private-bin feature is disabled in chroot\n"); | 719 | fwarning("private-bin feature is disabled in chroot\n"); |
721 | else if (arg_overlay) | 720 | else if (arg_overlay) |
722 | fprintf(stderr, "Warning: private-bin feature is disabled in overlay\n"); | 721 | fwarning("private-bin feature is disabled in overlay\n"); |
723 | else { | 722 | else { |
724 | // for --x11=xorg we need to add xauth command | 723 | // for --x11=xorg we need to add xauth command |
725 | if (arg_x11_xorg) { | 724 | if (arg_x11_xorg) { |
@@ -736,9 +735,9 @@ int sandbox(void* sandbox_arg) { | |||
736 | 735 | ||
737 | if (arg_private_tmp) { | 736 | if (arg_private_tmp) { |
738 | if (cfg.chrootdir) | 737 | if (cfg.chrootdir) |
739 | fprintf(stderr, "Warning: private-tmp feature is disabled in chroot\n"); | 738 | fwarning("private-tmp feature is disabled in chroot\n"); |
740 | else if (arg_overlay) | 739 | else if (arg_overlay) |
741 | fprintf(stderr, "Warning: private-tmp feature is disabled in overlay\n"); | 740 | fwarning("private-tmp feature is disabled in overlay\n"); |
742 | else { | 741 | else { |
743 | // private-tmp is implemented as a whitelist | 742 | // private-tmp is implemented as a whitelist |
744 | EUID_USER(); | 743 | EUID_USER(); |
@@ -794,9 +793,9 @@ int sandbox(void* sandbox_arg) { | |||
794 | //**************************** | 793 | //**************************** |
795 | // apply all whitelist commands ... | 794 | // apply all whitelist commands ... |
796 | if (cfg.chrootdir) | 795 | if (cfg.chrootdir) |
797 | fprintf(stderr, "Warning: whitelist feature is disabled in chroot\n"); | 796 | fwarning("whitelist feature is disabled in chroot\n"); |
798 | else if (arg_overlay) | 797 | else if (arg_overlay) |
799 | fprintf(stderr, "Warning: whitelist feature is disabled in overlay\n"); | 798 | fwarning("whitelist feature is disabled in overlay\n"); |
800 | else | 799 | else |
801 | fs_whitelist(); | 800 | fs_whitelist(); |
802 | 801 | ||
@@ -873,8 +872,7 @@ int sandbox(void* sandbox_arg) { | |||
873 | int rv = nice(cfg.nice); | 872 | int rv = nice(cfg.nice); |
874 | (void) rv; | 873 | (void) rv; |
875 | if (errno) { | 874 | if (errno) { |
876 | if (!arg_quiet) | 875 | fwarning("cannot set nice value\n"); |
877 | fprintf(stderr, "Warning: cannot set nice value\n"); | ||
878 | errno = 0; | 876 | errno = 0; |
879 | } | 877 | } |
880 | } | 878 | } |
@@ -930,8 +928,7 @@ int sandbox(void* sandbox_arg) { | |||
930 | if (arg_noroot) { | 928 | if (arg_noroot) { |
931 | int rv = unshare(CLONE_NEWUSER); | 929 | int rv = unshare(CLONE_NEWUSER); |
932 | if (rv == -1) { | 930 | if (rv == -1) { |
933 | if (!arg_quiet) | 931 | fwarning("cannot create a new user namespace, going forward without it...\n"); |
934 | fprintf(stderr, "Warning: cannot create a new user namespace, going forward without it...\n"); | ||
935 | drop_privs(arg_nogroups); | 932 | drop_privs(arg_nogroups); |
936 | arg_noroot = 0; | 933 | arg_noroot = 0; |
937 | } | 934 | } |
@@ -963,7 +960,7 @@ int sandbox(void* sandbox_arg) { | |||
963 | int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); | 960 | int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); |
964 | 961 | ||
965 | if(no_new_privs != 0 && !arg_quiet) | 962 | if(no_new_privs != 0 && !arg_quiet) |
966 | fprintf(stderr, "Warning: NO_NEW_PRIVS disabled, it requires a Linux kernel version 3.5 or newer.\n"); | 963 | fwarning("NO_NEW_PRIVS disabled, it requires a Linux kernel version 3.5 or newer.\n"); |
967 | else if (arg_debug) | 964 | else if (arg_debug) |
968 | printf("NO_NEW_PRIVS set\n"); | 965 | printf("NO_NEW_PRIVS set\n"); |
969 | } | 966 | } |
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index ee10f3abf..17930c0e8 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
@@ -90,7 +90,7 @@ int seccomp_load(const char *fname) { | |||
90 | .filter = filter, | 90 | .filter = filter, |
91 | }; | 91 | }; |
92 | if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { | 92 | if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { |
93 | fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n"); | 93 | fwarning("seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n"); |
94 | return 1; | 94 | return 1; |
95 | } | 95 | } |
96 | 96 | ||
diff --git a/src/firejail/util.c b/src/firejail/util.c index 901ea87db..bb612516b 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -59,14 +59,14 @@ void drop_privs(int nogroups) { | |||
59 | } | 59 | } |
60 | 60 | ||
61 | if (rv == -1) { | 61 | if (rv == -1) { |
62 | fprintf(stderr, "Warning: cannot extract supplementary group list, dropping them\n"); | 62 | fwarning("cannot extract supplementary group list, dropping them\n"); |
63 | if (setgroups(0, NULL) < 0) | 63 | if (setgroups(0, NULL) < 0) |
64 | errExit("setgroups"); | 64 | errExit("setgroups"); |
65 | } | 65 | } |
66 | else { | 66 | else { |
67 | rv = setgroups(ngroups, groups); | 67 | rv = setgroups(ngroups, groups); |
68 | if (rv) { | 68 | if (rv) { |
69 | fprintf(stderr, "Warning: cannot set supplementary group list, dropping them\n"); | 69 | fwarning("cannot set supplementary group list, dropping them\n"); |
70 | if (setgroups(0, NULL) < 0) | 70 | if (setgroups(0, NULL) < 0) |
71 | errExit("setgroups"); | 71 | errExit("setgroups"); |
72 | } | 72 | } |
@@ -115,6 +115,18 @@ int mkpath_as_root(const char* path) { | |||
115 | return 0; | 115 | return 0; |
116 | } | 116 | } |
117 | 117 | ||
118 | void fwarning(char* fmt, ...) { | ||
119 | printf("arg_quiet %d\n", arg_quiet); | ||
120 | if (arg_quiet) | ||
121 | return; | ||
122 | |||
123 | va_list args; | ||
124 | va_start(args,fmt); | ||
125 | fprintf(stderr, "Warning: "); | ||
126 | vfprintf(stderr, fmt, args); | ||
127 | va_end(args); | ||
128 | } | ||
129 | |||
118 | 130 | ||
119 | void logsignal(int s) { | 131 | void logsignal(int s) { |
120 | if (!arg_debug) | 132 | if (!arg_debug) |
@@ -197,14 +209,14 @@ int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, m | |||
197 | // open source | 209 | // open source |
198 | int src = open(srcname, O_RDONLY); | 210 | int src = open(srcname, O_RDONLY); |
199 | if (src < 0) { | 211 | if (src < 0) { |
200 | fprintf(stderr, "Warning: cannot open source file %s, file not copied\n", srcname); | 212 | fwarning("cannot open source file %s, file not copied\n", srcname); |
201 | return -1; | 213 | return -1; |
202 | } | 214 | } |
203 | 215 | ||
204 | // open destination | 216 | // open destination |
205 | int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); | 217 | int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); |
206 | if (dst < 0) { | 218 | if (dst < 0) { |
207 | fprintf(stderr, "Warning: cannot open destination file %s, file not copied\n", destname); | 219 | fwarning("cannot open destination file %s, file not copied\n", destname); |
208 | close(src); | 220 | close(src); |
209 | return -1; | 221 | return -1; |
210 | } | 222 | } |
@@ -233,7 +245,7 @@ void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid | |||
233 | // copy, set permissions and ownership | 245 | // copy, set permissions and ownership |
234 | int rv = copy_file(srcname, destname, uid, gid, mode); // already a regular user | 246 | int rv = copy_file(srcname, destname, uid, gid, mode); // already a regular user |
235 | if (rv) | 247 | if (rv) |
236 | fprintf(stderr, "Warning: cannot copy %s\n", srcname); | 248 | fwarning("cannot copy %s\n", srcname); |
237 | #ifdef HAVE_GCOV | 249 | #ifdef HAVE_GCOV |
238 | __gcov_flush(); | 250 | __gcov_flush(); |
239 | #endif | 251 | #endif |
@@ -247,7 +259,7 @@ void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_ | |||
247 | // open destination | 259 | // open destination |
248 | int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); | 260 | int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); |
249 | if (dst < 0) { | 261 | if (dst < 0) { |
250 | fprintf(stderr, "Warning: cannot open destination file %s, file not copied\n", destname); | 262 | fwarning("cannot open destination file %s, file not copied\n", destname); |
251 | return; | 263 | return; |
252 | } | 264 | } |
253 | 265 | ||
@@ -260,10 +272,10 @@ void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_ | |||
260 | 272 | ||
261 | int src = open(srcname, O_RDONLY); | 273 | int src = open(srcname, O_RDONLY); |
262 | if (src < 0) { | 274 | if (src < 0) { |
263 | fprintf(stderr, "Warning: cannot open source file %s, file not copied\n", srcname); | 275 | fwarning("cannot open source file %s, file not copied\n", srcname); |
264 | } else { | 276 | } else { |
265 | if (copy_file_by_fd(src, dst)) { | 277 | if (copy_file_by_fd(src, dst)) { |
266 | fprintf(stderr, "Warning: cannot copy %s\n", srcname); | 278 | fwarning("cannot copy %s\n", srcname); |
267 | } | 279 | } |
268 | close(src); | 280 | close(src); |
269 | } | 281 | } |
@@ -794,8 +806,7 @@ void flush_stdin(void) { | |||
794 | int cnt = 0; | 806 | int cnt = 0; |
795 | int rv = ioctl(STDIN_FILENO, FIONREAD, &cnt); | 807 | int rv = ioctl(STDIN_FILENO, FIONREAD, &cnt); |
796 | if (rv == 0 && cnt) { | 808 | if (rv == 0 && cnt) { |
797 | if (!arg_quiet) | 809 | fwarning("removing %d bytes from stdin\n", cnt); |
798 | printf("Warning: removing %d bytes from stdin\n", cnt); | ||
799 | rv = ioctl(STDIN_FILENO, TCFLSH, TCIFLUSH); | 810 | rv = ioctl(STDIN_FILENO, TCFLSH, TCIFLUSH); |
800 | (void) rv; | 811 | (void) rv; |
801 | } | 812 | } |