diff options
| author |  smitsohu <smitsohu@gmail.com> | 2019-01-20 19:07:43 +0100 |
|---|---|---|
| committer | smitsohu <smitsohu@gmail.com> | 2019-01-20 19:07:43 +0100 |
| commit | a26a25db063bcf174dc5c01688b7fd04228a77d8 (patch) | |
| tree | 354193c96efac1aae82d96fb0f8f86d0e6376f07 /src | |
| parent | disallow zero seconds timeout (diff) | |
| download | firejail-a26a25db063bcf174dc5c01688b7fd04228a77d8.tar.gz firejail-a26a25db063bcf174dc5c01688b7fd04228a77d8.tar.zst firejail-a26a25db063bcf174dc5c01688b7fd04228a77d8.zip | |
cleanup, minor improvements
Diffstat (limited to 'src')
| -rw-r--r-- | src/firejail/fs.c | 7 | ||||
| -rw-r--r-- | src/firejail/fs_whitelist.c | 1 | ||||
| -rw-r--r-- | src/firejail/join.c | 3 | ||||
| -rw-r--r-- | src/firejail/mountinfo.c | 3 | ||||
| -rw-r--r-- | src/firejail/sandbox.c | 2 | ||||
| -rw-r--r-- | src/firejail/util.c | 5 |
6 files changed, 7 insertions, 14 deletions
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index ce2b1a8bc..184875f58 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
| @@ -35,7 +35,7 @@ | |||
| 35 | //#define TEST_NO_BLACKLIST_MATCHING | 35 | //#define TEST_NO_BLACKLIST_MATCHING |
| 36 | 36 | ||
| 37 | 37 | ||
| 38 | static int mount_warning = 0; // remember if warning was printed already | 38 | static int mount_warning = 0; |
| 39 | static void fs_rdwr(const char *dir); | 39 | static void fs_rdwr(const char *dir); |
| 40 | static void fs_rdwr_rec(const char *dir); | 40 | static void fs_rdwr_rec(const char *dir); |
| 41 | 41 | ||
| @@ -468,12 +468,11 @@ void fs_tmpfs(const char *dir, unsigned check_owner) { | |||
| 468 | char *options; | 468 | char *options; |
| 469 | if (asprintf(&options, "mode=%o,uid=%u,gid=%u", s.st_mode & 07777, s.st_uid, s.st_gid) == -1) | 469 | if (asprintf(&options, "mode=%o,uid=%u,gid=%u", s.st_mode & 07777, s.st_uid, s.st_gid) == -1) |
| 470 | errExit("asprintf"); | 470 | errExit("asprintf"); |
| 471 | // preserve some mount flags | 471 | // preserve mount flags, but remove read-only flag |
| 472 | struct statvfs buf; | 472 | struct statvfs buf; |
| 473 | if (fstatvfs(fd, &buf) == -1) | 473 | if (fstatvfs(fd, &buf) == -1) |
| 474 | errExit("fstatvfs"); | 474 | errExit("fstatvfs"); |
| 475 | unsigned long flags = buf.f_flag & // remove read-only flag | 475 | unsigned long flags = buf.f_flag & ~(MS_RDONLY|MS_BIND); |
| 476 | (MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_MANDLOCK|MS_STRICTATIME|MS_NODIRATIME|MS_RELATIME|MS_NOATIME); | ||
| 477 | // mount via the symbolic link in /proc/self/fd | 476 | // mount via the symbolic link in /proc/self/fd |
| 478 | char *proc; | 477 | char *proc; |
| 479 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) | 478 | if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) |
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 829636b9c..74b9449be 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
| @@ -119,7 +119,6 @@ static int mkpath(const char* path, mode_t mode) { | |||
| 119 | static void whitelist_path(ProfileEntry *entry) { | 119 | static void whitelist_path(ProfileEntry *entry) { |
| 120 | assert(entry); | 120 | assert(entry); |
| 121 | const char *path = entry->data + 10; | 121 | const char *path = entry->data + 10; |
| 122 | assert(path); | ||
| 123 | const char *fname; | 122 | const char *fname; |
| 124 | char *wfile = NULL; | 123 | char *wfile = NULL; |
| 125 | 124 | ||
diff --git a/src/firejail/join.c b/src/firejail/join.c index d05a4a465..60980fb2e 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
| @@ -31,7 +31,6 @@ | |||
| 31 | 31 | ||
| 32 | static int apply_caps = 0; | 32 | static int apply_caps = 0; |
| 33 | static uint64_t caps = 0; | 33 | static uint64_t caps = 0; |
| 34 | static int apply_seccomp = 0; | ||
| 35 | static unsigned display = 0; | 34 | static unsigned display = 0; |
| 36 | #define BUFLEN 4096 | 35 | #define BUFLEN 4096 |
| 37 | 36 | ||
| @@ -321,7 +320,7 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
| 321 | EUID_ROOT(); | 320 | EUID_ROOT(); |
| 322 | // in user mode set caps seccomp, cpu, cgroup, etc | 321 | // in user mode set caps seccomp, cpu, cgroup, etc |
| 323 | if (getuid() != 0) { | 322 | if (getuid() != 0) { |
| 324 | extract_nonewprivs(pid); // redundant on Linux >= 4.10; duplicated in function extract_caps_seccomp | 323 | extract_nonewprivs(pid); // redundant on Linux >= 4.10; duplicated in function extract_caps |
| 325 | extract_caps(pid); | 324 | extract_caps(pid); |
| 326 | extract_cpu(pid); | 325 | extract_cpu(pid); |
| 327 | extract_cgroup(pid); | 326 | extract_cgroup(pid); |
diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c index c89845ace..02c28cc5e 100644 --- a/src/firejail/mountinfo.c +++ b/src/firejail/mountinfo.c | |||
| @@ -199,8 +199,7 @@ int get_mount_id(const char *path) { | |||
| 199 | return -2; | 199 | return -2; |
| 200 | } | 200 | } |
| 201 | 201 | ||
| 202 | // Check /proc/self/mountinfo if path has any submounts (or if path would have submounts | 202 | // Check /proc/self/mountinfo if path contains any mounts points. |
| 203 | // if it was made a mount point). | ||
| 204 | // Returns an array that can be iterated over for recursive remounting. | 203 | // Returns an array that can be iterated over for recursive remounting. |
| 205 | char **build_mount_array(const int mount_id, const char *path) { | 204 | char **build_mount_array(const int mount_id, const char *path) { |
| 206 | assert(path); | 205 | assert(path); |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index ba9a36250..735bab684 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -1178,7 +1178,7 @@ int sandbox(void* sandbox_arg) { | |||
| 1178 | // drop privileges, fork the application and monitor it | 1178 | // drop privileges, fork the application and monitor it |
| 1179 | //**************************************** | 1179 | //**************************************** |
| 1180 | drop_privs(arg_nogroups); | 1180 | drop_privs(arg_nogroups); |
| 1181 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died | 1181 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the sandbox in case the parent died |
| 1182 | pid_t app_pid = fork(); | 1182 | pid_t app_pid = fork(); |
| 1183 | if (app_pid == -1) | 1183 | if (app_pid == -1) |
| 1184 | errExit("fork"); | 1184 | errExit("fork"); |
diff --git a/src/firejail/util.c b/src/firejail/util.c index f1c4f7059..b1fba4226 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
| @@ -454,7 +454,6 @@ void trim_trailing_slash_or_dot(char *path) { | |||
| 454 | assert(path); | 454 | assert(path); |
| 455 | 455 | ||
| 456 | char *end = strchr(path, '\0'); | 456 | char *end = strchr(path, '\0'); |
| 457 | assert(end); | ||
| 458 | if ((end - path) > 1) { | 457 | if ((end - path) > 1) { |
| 459 | end--; | 458 | end--; |
| 460 | while (*end == '/' || | 459 | while (*end == '/' || |
| @@ -941,9 +940,7 @@ int remove_overlay_directory(void) { | |||
| 941 | // wait for the child to finish | 940 | // wait for the child to finish |
| 942 | waitpid(child, NULL, 0); | 941 | waitpid(child, NULL, 0); |
| 943 | // check if ~/.firejail was deleted | 942 | // check if ~/.firejail was deleted |
| 944 | if (stat(path, &s) == -1) | 943 | if (stat(path, &s) == 0) |
| 945 | return 0; | ||
| 946 | else | ||
| 947 | return 1; | 944 | return 1; |
| 948 | } | 945 | } |
| 949 | return 0; | 946 | return 0; |