author | smitsohu <smitsohu@gmail.com> | 2019-09-22 13:18:23 +0200 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2019-09-22 13:18:23 +0200 |
commit | f82d9344dcef51a7306bbe718369b0015922e4f3 (patch) | |
tree | 28a8a07990d244c6797673973085fe839d0de2c1 /src | |
parent | apparmor: permit writing to trace file (diff) | |
various clarifications, minor fixes
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/appimage.c | 2 | ||||
-rw-r--r-- | src/firejail/mountinfo.c | 10 | ||||
-rw-r--r-- | src/firejail/network.c | 2 | ||||
-rw-r--r-- | src/firejail/sbox.c | 6 | ||||
-rw-r--r-- | src/firejail/util.c | 5 | ||||
-rw-r--r-- | src/firejail/x11.c | 14 | ||||
-rw-r--r-- | src/libtrace/libtrace.c | 20 |
7 files changed, 32 insertions, 27 deletions
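--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -137,7 +137,7 @@ void appimage_set(const char *appimage) {
 errExit("setenv");
 if (size != 0 && setenv("ARGV0", appimage, 1) < 0)
 errExit("setenv");
-if (setenv("OWD", cfg.cwd, 1) < 0)
+if (cfg.cwd && setenv("OWD", cfg.cwd, 1) < 0)
 errExit("setenv");
 
 // build new command line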
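Review bot: When `cfg.cwd` is NULL the new guard on the `OWD` line skips `setenv`, so an `OWD` value already present in the inherited environment is handed to the AppImage unchanged. If that is not intended, clear it first with a line such as `if (!cfg.cwd) unsetenv("OWD");` placed before the guarded call. `appimage_set` starts and ends outside the hunk, so the environment may already be cleaned elsewhere in the function.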
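--- a/src/firejail/mountinfo.c
+++ b/src/firejail/mountinfo.c
@@ -225,9 +225,9 @@ char **build_mount_array(const int mount_id, const char *path) {
 exit(1);
 }
 do {
+parse_line(buf, &mntp);
 // find mount point with mount id
 if (!found) {
-parse_line(buf, &mntp);
 if (mntp.mountid == mount_id) {
 // give up if mount id has been reassigned,
 // don't remount blacklisted path
@@ -236,19 +236,17 @@ char **build_mount_array(const int mount_id, const char *path) {
 strstr(mntp.fsname, "firejail.ro.file"))
 break;
 
-rv[0] = strdup(path);
-if (rv[0] == NULL)
+rv[cnt] = strdup(path);
+if (rv[cnt] == NULL)
 errExit("strdup");
 cnt++;
 found = 1;
 continue;
 }
-else
-continue;
+continue;
 }
 // from here on add all mount points below path,
 // don't remount blacklisted paths
-parse_line(buf, &mntp);
 if (strncmp(mntp.dir, path, pathlen) == 0 &&
 mntp.dir[pathlen] == '/' &&
 strstr(mntp.fsname, "firejail.ro.dir") == NULL &&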
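Review bot: Inside the `if (!found)` block the `continue;` that follows `found = 1;` is now redundant, because the block's closing `continue;` is reached on every path that does not `break`. Dropping the inner one leaves a single exit from the block and makes it easier to see that `parse_line(buf, &mntp)` now runs once per line for both phases. A short comment on the hoisted call, such as `// parse every line once; mntp is used by the id search and by the subtree scan`, would record why it moved. The loop and `build_mount_array` continue outside both hunks, so how `cnt` is bounded against the size of `rv` is not visible here and is worth confirming.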
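--- a/src/firejail/network.c
+++ b/src/firejail/network.c
@@ -229,7 +229,7 @@ uint32_t network_get_defaultgw(void) {
 continue;
 
 char *ptr = buf;
-while (*ptr != ' ' && *ptr != '\t')
+while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0')
 ptr++;
 while (*ptr == ' ' || *ptr == '\t')
 ptr++;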
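Review bot: With the added `*ptr != '\0'` test, a line that contains no space or tab leaves `ptr` on the terminating NUL after both loops, and whatever parses the next field (outside the hunk) is handed an empty string. An explicit `if (*ptr == '\0') continue;` after the second loop would make that case a deliberate skip instead of something the later parser has to reject. `network_get_defaultgw` starts and ends outside the hunk, so the following code may already cope with it.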
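--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -154,13 +154,15 @@ int sbox_run(unsigned filtermask, int num, ...) {
 fprintf(stderr,"Error: cannot open %s\n", SBOX_STDIN_FILE);
 exit(1);
 }
-dup2(fd,STDIN_FILENO);
+if (dup2(fd, STDIN_FILENO) == -1)
+errExit("dup2");
 close(fd);
 }
 else if ((filtermask & SBOX_ALLOW_STDIN) == 0) {
 int fd = open("/dev/null",O_RDWR, 0);
 if (fd != -1) {
-dup2(fd, STDIN_FILENO);
+if (dup2(fd, STDIN_FILENO) == -1)
+errExit("dup2");
 close(fd);
 }
 else // the user could run the sandbox without /dev/null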
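Review bot: In both branches `close(fd)` still runs unconditionally after the new `dup2` check, so if descriptor 0 was not open when `open()` ran, `fd` equals `STDIN_FILENO`, `dup2` does nothing, and the close leaves the sandboxed helper without a stdin. Writing both as `if (fd != STDIN_FILENO) close(fd);` keeps the redirect intact in that case. Whether stdin can be closed at this point depends on the part of `sbox_run` above the hunk, which is not visible here.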
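--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1276,14 +1276,13 @@ int has_handler(pid_t pid, int signal) {
 char buf[BUFLEN];
 while (fgets(buf, BUFLEN, fp)) {
 if (strncmp(buf, "SigCgt:", 7) == 0) {
-char *ptr = buf + 7;
 unsigned long long val;
-if (sscanf(ptr, "%llx", &val) != 1) {
+if (sscanf(buf + 7, "%llx", &val) != 1) {
 fprintf(stderr, "Error: cannot read /proc file\n");
 exit(1);
 }
 val >>= (signal - 1);
-val &= 1;
+val &= 1ULL;
 fclose(fp);
 return val; // 1 if process has a handler for the signal, else 0
 }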
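Review bot: `val >>= (signal - 1);` shifts by a caller-supplied amount with no range check in the visible lines, and a `signal` below 1 or above 64 makes the shift count negative or at least as wide as the 64-bit mask, which is undefined behaviour. Unless the part of `has_handler` above the hunk already validates the argument, reject such values at the top of the function, before the /proc file is opened, for example `if (signal < 1 || signal > 64) return 0;`. Placing the check there also avoids an early return that would skip `fclose(fp)`.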
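--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1321,12 +1321,18 @@ void x11_block(void) {
 }
 
 // blacklist sockets
-profile_check_line("blacklist /tmp/.X11-unix", 0, NULL);
-profile_add(strdup("blacklist /tmp/.X11-unix"));
+char *cmd = strdup("blacklist /tmp/.X11-unix");
+if (!cmd)
+errExit("strdup");
+profile_check_line(cmd, 0, NULL);
+profile_add(cmd);
 
 // blacklist .Xauthority
-profile_check_line("blacklist ${HOME}/.Xauthority", 0, NULL);
-profile_add(strdup("blacklist ${HOME}/.Xauthority"));
+cmd = strdup("blacklist ${HOME}/.Xauthority");
+if (!cmd)
+errExit("strdup");
+profile_check_line(cmd, 0, NULL);
+profile_add(cmd);
 char *xauthority = getenv("XAUTHORITY");
 if (xauthority) {
 char *line;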
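Review bot: The strdup, NULL check, `profile_check_line`, `profile_add` sequence now appears twice in a row in `x11_block` with only the string differing, and a small static helper would keep the allocation check and the hand-over of `cmd` in one place. The helper should carry a comment that the copy is not freed because it is passed on to `profile_add`; that the profile list keeps the pointer is inferred from the old `profile_add(strdup(...))` calls and is not shown here. `x11_block` starts and ends outside the hunk.

```c
// duplicate a profile line, check it and add it to the profile;
// the copy is handed to profile_add() and not freed here
static void x11_profile_line(const char *line) {
	char *cmd = strdup(line);
	if (!cmd)
		errExit("strdup");
	profile_check_line(cmd, 0, NULL);
	profile_add(cmd);
}

// … unchanged: start of x11_block() …
	// blacklist sockets
	x11_profile_line("blacklist /tmp/.X11-unix");

	// blacklist .Xauthority
	x11_profile_line("blacklist ${HOME}/.Xauthority");
// … unchanged: XAUTHORITY handling …
```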
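--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
@@ -56,7 +56,7 @@ static orig_access_t orig_access = NULL;
 static FILE *ftty = NULL;
 static pid_t mypid = 0;
 #define MAXNAME 16
-static char myname[MAXNAME] = {'\0', };
+static char myname[MAXNAME] = "unknown";
 
 static void init(void) __attribute__((constructor));
 void init(void) {
@@ -84,13 +84,15 @@ void init(void) {
 
 // process name
 char *fname;
-if (asprintf(&fname, "/proc/%u/comm", mypid) == -1)
-strncpy(myname, "unknown", MAXNAME-1);
-
-// read file
-FILE *fp = orig_fopen(fname, "r");
-if (!fp || fgets(myname, MAXNAME, fp) == NULL)
-strncpy(myname, "unknown", MAXNAME-1);
+if (asprintf(&fname, "/proc/%u/comm", mypid) != -1) {
+FILE *fp = orig_fopen(fname, "r");
+free(fname);
+if (fp) {
+if (fgets(myname, MAXNAME, fp) == NULL)
+strncpy(myname, "unknown", MAXNAME-1);
+fclose(fp);
+}
+}
 
 // clean '\n'
 char *ptr = strchr(myname, '\n');
@@ -98,8 +100,6 @@ void init(void) {
 *ptr = '\0';
 
 tprintf(ftty, "=== tracelib init() [%d:%s] === \n", mypid, myname);
-fclose(fp);
-free(fname);
 }
 
 static void fini(void) __attribute__((destructor));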
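Review bot: In `init()`, `asprintf(&fname, "/proc/%u/comm", mypid)` formats a `pid_t` with `%u` while the `tprintf` call further down prints the same variable with `%d`; `pid_t` is a signed type, so the matching form is `asprintf(&fname, "/proc/%d/comm", (int)mypid)`. If `mypid` holds the calling process's own pid (its assignment is above the hunk), opening `/proc/self/comm` directly would remove the allocation from the constructor altogether. The fallback `strncpy(myname, "unknown", MAXNAME-1)` stays terminated only because the literal is shorter than `MAXNAME-1`, which deserves a one-line comment such as `// "unknown" fits: MAXNAME leaves room for the terminator`.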