diff options
author | smitsohu <smitsohu@gmail.com> | 2019-01-20 19:07:43 +0100 |
---|---|---|
committer | smitsohu <smitsohu@gmail.com> | 2019-01-20 19:07:43 +0100 |
commit | a26a25db063bcf174dc5c01688b7fd04228a77d8 (patch) | |
tree | 354193c96efac1aae82d96fb0f8f86d0e6376f07 /src | |
parent | disallow zero seconds timeout (diff) | |
download | firejail-a26a25db063bcf174dc5c01688b7fd04228a77d8.tar.gz firejail-a26a25db063bcf174dc5c01688b7fd04228a77d8.tar.zst firejail-a26a25db063bcf174dc5c01688b7fd04228a77d8.zip |
cleanup, minor improvements
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs.c | 7 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 1 | ||||
-rw-r--r-- | src/firejail/join.c | 3 | ||||
-rw-r--r-- | src/firejail/mountinfo.c | 3 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 2 | ||||
-rw-r--r-- | src/firejail/util.c | 5 |
6 files changed, 7 insertions, 14 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index ce2b1a8bc..184875f58 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -35,7 +35,7 @@ | |||
35 | //#define TEST_NO_BLACKLIST_MATCHING | 35 | //#define TEST_NO_BLACKLIST_MATCHING |
36 | 36 | ||
37 | 37 | ||
38 | static int mount_warning = 0; // remember if warning was printed already | 38 | static int mount_warning = 0; |
39 | static void fs_rdwr(const char *dir); | 39 | static void fs_rdwr(const char *dir); |
40 | static void fs_rdwr_rec(const char *dir); | 40 | static void fs_rdwr_rec(const char *dir); |
41 | 41 | ||
@@ -468,12 +468,11 @@ void fs_tmpfs(const char *dir, unsigned check_owner) { | |||
468 | char *options; | 468 | char *options; |
469 | if (asprintf(&options, "mode=%o,uid=%u,gid=%u", s.st_mode & 07777, s.st_uid, s.st_gid) == -1) | 469 | if (asprintf(&options, "mode=%o,uid=%u,gid=%u", s.st_mode & 07777, s.st_uid, s.st_gid) == -1) |
470 | errExit("asprintf"); | 470 | errExit("asprintf"); |
471 | // preserve some mount flags | 471 | // preserve mount flags, but remove read-only flag |
472 | struct statvfs buf; | 472 | struct statvfs buf; |
473 | if (fstatvfs(fd, &buf) == -1) | 473 | if (fstatvfs(fd, &buf) == -1) |
474 | errExit("fstatvfs"); | 474 | errExit("fstatvfs"); |
475 | unsigned long flags = buf.f_flag & // remove read-only flag | 475 | unsigned long flags = buf.f_flag & ~(MS_RDONLY|MS_BIND); |
476 | (MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_MANDLOCK|MS_STRICTATIME|MS_NODIRATIME|MS_RELATIME|MS_NOATIME); | ||
477 | // mount via the symbolic link in /proc/self/fd | 476 | // mount via the symbolic link in /proc/self/fd |
478 | char *proc; | 477 | char *proc; |
479 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | 478 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) |
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 829636b9c..74b9449be 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -119,7 +119,6 @@ static int mkpath(const char* path, mode_t mode) { | |||
119 | static void whitelist_path(ProfileEntry *entry) { | 119 | static void whitelist_path(ProfileEntry *entry) { |
120 | assert(entry); | 120 | assert(entry); |
121 | const char *path = entry->data + 10; | 121 | const char *path = entry->data + 10; |
122 | assert(path); | ||
123 | const char *fname; | 122 | const char *fname; |
124 | char *wfile = NULL; | 123 | char *wfile = NULL; |
125 | 124 | ||
diff --git a/src/firejail/join.c b/src/firejail/join.c index d05a4a465..60980fb2e 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -31,7 +31,6 @@ | |||
31 | 31 | ||
32 | static int apply_caps = 0; | 32 | static int apply_caps = 0; |
33 | static uint64_t caps = 0; | 33 | static uint64_t caps = 0; |
34 | static int apply_seccomp = 0; | ||
35 | static unsigned display = 0; | 34 | static unsigned display = 0; |
36 | #define BUFLEN 4096 | 35 | #define BUFLEN 4096 |
37 | 36 | ||
@@ -321,7 +320,7 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
321 | EUID_ROOT(); | 320 | EUID_ROOT(); |
322 | // in user mode set caps seccomp, cpu, cgroup, etc | 321 | // in user mode set caps seccomp, cpu, cgroup, etc |
323 | if (getuid() != 0) { | 322 | if (getuid() != 0) { |
324 | extract_nonewprivs(pid); // redundant on Linux >= 4.10; duplicated in function extract_caps_seccomp | 323 | extract_nonewprivs(pid); // redundant on Linux >= 4.10; duplicated in function extract_caps |
325 | extract_caps(pid); | 324 | extract_caps(pid); |
326 | extract_cpu(pid); | 325 | extract_cpu(pid); |
327 | extract_cgroup(pid); | 326 | extract_cgroup(pid); |
diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c index c89845ace..02c28cc5e 100644 --- a/src/firejail/mountinfo.c +++ b/src/firejail/mountinfo.c | |||
@@ -199,8 +199,7 @@ int get_mount_id(const char *path) { | |||
199 | return -2; | 199 | return -2; |
200 | } | 200 | } |
201 | 201 | ||
202 | // Check /proc/self/mountinfo if path has any submounts (or if path would have submounts | 202 | // Check /proc/self/mountinfo if path contains any mounts points. |
203 | // if it was made a mount point). | ||
204 | // Returns an array that can be iterated over for recursive remounting. | 203 | // Returns an array that can be iterated over for recursive remounting. |
205 | char **build_mount_array(const int mount_id, const char *path) { | 204 | char **build_mount_array(const int mount_id, const char *path) { |
206 | assert(path); | 205 | assert(path); |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index ba9a36250..735bab684 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -1178,7 +1178,7 @@ int sandbox(void* sandbox_arg) { | |||
1178 | // drop privileges, fork the application and monitor it | 1178 | // drop privileges, fork the application and monitor it |
1179 | //**************************************** | 1179 | //**************************************** |
1180 | drop_privs(arg_nogroups); | 1180 | drop_privs(arg_nogroups); |
1181 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died | 1181 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the sandbox in case the parent died |
1182 | pid_t app_pid = fork(); | 1182 | pid_t app_pid = fork(); |
1183 | if (app_pid == -1) | 1183 | if (app_pid == -1) |
1184 | errExit("fork"); | 1184 | errExit("fork"); |
diff --git a/src/firejail/util.c b/src/firejail/util.c index f1c4f7059..b1fba4226 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -454,7 +454,6 @@ void trim_trailing_slash_or_dot(char *path) { | |||
454 | assert(path); | 454 | assert(path); |
455 | 455 | ||
456 | char *end = strchr(path, '\0'); | 456 | char *end = strchr(path, '\0'); |
457 | assert(end); | ||
458 | if ((end - path) > 1) { | 457 | if ((end - path) > 1) { |
459 | end--; | 458 | end--; |
460 | while (*end == '/' || | 459 | while (*end == '/' || |
@@ -941,9 +940,7 @@ int remove_overlay_directory(void) { | |||
941 | // wait for the child to finish | 940 | // wait for the child to finish |
942 | waitpid(child, NULL, 0); | 941 | waitpid(child, NULL, 0); |
943 | // check if ~/.firejail was deleted | 942 | // check if ~/.firejail was deleted |
944 | if (stat(path, &s) == -1) | 943 | if (stat(path, &s) == 0) |
945 | return 0; | ||
946 | else | ||
947 | return 1; | 944 | return 1; |
948 | } | 945 | } |
949 | return 0; | 946 | return 0; |