diff options
author | netblue30 <netblue30@yahoo.com> | 2018-08-29 07:35:28 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2018-08-29 07:35:28 -0400 |
commit | ec9ac7df45acdde1eaaec75b2e85c6ad22f6c1a6 (patch) | |
tree | 44309790dc138e59143d147dda63ea7afac4094d /src | |
parent | silence warning about failed unmounting of /sys (overlay options) (diff) | |
download | firejail-ec9ac7df45acdde1eaaec75b2e85c6ad22f6c1a6.tar.gz firejail-ec9ac7df45acdde1eaaec75b2e85c6ad22f6c1a6.tar.zst firejail-ec9ac7df45acdde1eaaec75b2e85c6ad22f6c1a6.zip |
cleanup
Diffstat (limited to 'src')
-rw-r--r-- | src/firecfg/main.c | 5 | ||||
-rw-r--r-- | src/firejail/arp.c | 4 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 8 | ||||
-rw-r--r-- | src/firejail/network.c | 6 | ||||
-rw-r--r-- | src/firejail/preproc.c | 2 | ||||
-rw-r--r-- | src/firemon/interface.c | 2 | ||||
-rw-r--r-- | src/fldd/main.c | 2 | ||||
-rw-r--r-- | src/fnet/arp.c | 2 | ||||
-rw-r--r-- | src/fnet/interface.c | 16 |
9 files changed, 27 insertions, 20 deletions
diff --git a/src/firecfg/main.c b/src/firecfg/main.c index 298314d4f..810af6ff2 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c | |||
@@ -318,13 +318,14 @@ int main(int argc, char **argv) { | |||
318 | 318 | ||
319 | // user setup | 319 | // user setup |
320 | char *user = get_user(); | 320 | char *user = get_user(); |
321 | assert(user); | ||
321 | uid_t uid; | 322 | uid_t uid; |
322 | gid_t gid; | 323 | gid_t gid; |
323 | char *home = get_homedir(user, &uid, &gid); | 324 | char *home = get_homedir(user, &uid, &gid); |
324 | 325 | ||
325 | 326 | ||
326 | // check for --bindir | 327 | // check for --bindir |
327 | for (i = i; i < argc; i++) { | 328 | for (i = 1; i < argc; i++) { |
328 | if (strncmp(argv[i], "--bindir=", 9) == 0) { | 329 | if (strncmp(argv[i], "--bindir=", 9) == 0) { |
329 | if (strncmp(argv[i] + 9, "~/", 2) == 0) { | 330 | if (strncmp(argv[i] + 9, "~/", 2) == 0) { |
330 | if (asprintf(&arg_bindir, "%s/%s", home, argv[i] + 11) == -1) | 331 | if (asprintf(&arg_bindir, "%s/%s", home, argv[i] + 11) == -1) |
@@ -430,7 +431,7 @@ int main(int argc, char **argv) { | |||
430 | set_links_firecfg(); | 431 | set_links_firecfg(); |
431 | 432 | ||
432 | // add user to firejail access database - only for root | 433 | // add user to firejail access database - only for root |
433 | if (user && getuid() == 0) { | 434 | if (getuid() == 0) { |
434 | printf("\nAdding user %s to Firejail access database in %s/firejail.users\n", user, SYSCONFDIR); | 435 | printf("\nAdding user %s to Firejail access database in %s/firejail.users\n", user, SYSCONFDIR); |
435 | firejail_user_add(user); | 436 | firejail_user_add(user); |
436 | } | 437 | } |
diff --git a/src/firejail/arp.c b/src/firejail/arp.c index c19cb0a47..288e5ded3 100644 --- a/src/firejail/arp.c +++ b/src/firejail/arp.c | |||
@@ -66,7 +66,7 @@ void arp_announce(const char *dev, Bridge *br) { | |||
66 | // Find interface MAC address | 66 | // Find interface MAC address |
67 | struct ifreq ifr; | 67 | struct ifreq ifr; |
68 | memset(&ifr, 0, sizeof (ifr)); | 68 | memset(&ifr, 0, sizeof (ifr)); |
69 | strncpy(ifr.ifr_name, dev, IFNAMSIZ); | 69 | strncpy(ifr.ifr_name, dev, IFNAMSIZ - 1); |
70 | if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0) | 70 | if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0) |
71 | errExit("ioctl"); | 71 | errExit("ioctl"); |
72 | close(sock); | 72 | close(sock); |
@@ -138,7 +138,7 @@ int arp_check(const char *dev, uint32_t destaddr) { | |||
138 | // Find interface MAC address | 138 | // Find interface MAC address |
139 | struct ifreq ifr; | 139 | struct ifreq ifr; |
140 | memset(&ifr, 0, sizeof (ifr)); | 140 | memset(&ifr, 0, sizeof (ifr)); |
141 | strncpy(ifr.ifr_name, dev, IFNAMSIZ); | 141 | strncpy(ifr.ifr_name, dev, IFNAMSIZ - 1); |
142 | if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0) | 142 | if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0) |
143 | errExit("ioctl"); | 143 | errExit("ioctl"); |
144 | close(sock); | 144 | close(sock); |
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index e983a071d..8a402f692 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -506,14 +506,18 @@ void fs_whitelist(void) { | |||
506 | // both path and absolute path are under /home | 506 | // both path and absolute path are under /home |
507 | if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) == 0) { | 507 | if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) == 0) { |
508 | // entire home directory is not allowed | 508 | // entire home directory is not allowed |
509 | if (*(fname + strlen(cfg.homedir)) != '/') | 509 | if (*(fname + strlen(cfg.homedir)) != '/') { |
510 | free(fname); | ||
510 | goto errexit; | 511 | goto errexit; |
512 | } | ||
511 | } | 513 | } |
512 | else { | 514 | else { |
513 | if (checkcfg(CFG_FOLLOW_SYMLINK_AS_USER)) { | 515 | if (checkcfg(CFG_FOLLOW_SYMLINK_AS_USER)) { |
514 | // check if the file is owned by the user | 516 | // check if the file is owned by the user |
515 | if (stat(fname, &s) == 0 && s.st_uid != getuid()) | 517 | if (stat(fname, &s) == 0 && s.st_uid != getuid()) { |
518 | free(fname); | ||
516 | goto errexit; | 519 | goto errexit; |
520 | } | ||
517 | } | 521 | } |
518 | } | 522 | } |
519 | } | 523 | } |
diff --git a/src/firejail/network.c b/src/firejail/network.c index 7b84854d3..fed7539ca 100644 --- a/src/firejail/network.c +++ b/src/firejail/network.c | |||
@@ -78,7 +78,7 @@ int net_get_mtu(const char *ifname) { | |||
78 | 78 | ||
79 | memset(&ifr, 0, sizeof(ifr)); | 79 | memset(&ifr, 0, sizeof(ifr)); |
80 | ifr.ifr_addr.sa_family = AF_INET; | 80 | ifr.ifr_addr.sa_family = AF_INET; |
81 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ); | 81 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); |
82 | if (ioctl(s, SIOCGIFMTU, (caddr_t)&ifr) == 0) | 82 | if (ioctl(s, SIOCGIFMTU, (caddr_t)&ifr) == 0) |
83 | mtu = ifr.ifr_mtu; | 83 | mtu = ifr.ifr_mtu; |
84 | if (arg_debug) | 84 | if (arg_debug) |
@@ -106,7 +106,7 @@ void net_set_mtu(const char *ifname, int mtu) { | |||
106 | 106 | ||
107 | memset(&ifr, 0, sizeof(ifr)); | 107 | memset(&ifr, 0, sizeof(ifr)); |
108 | ifr.ifr_addr.sa_family = AF_INET; | 108 | ifr.ifr_addr.sa_family = AF_INET; |
109 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ); | 109 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); |
110 | ifr.ifr_mtu = mtu; | 110 | ifr.ifr_mtu = mtu; |
111 | if (ioctl(s, SIOCSIFMTU, (caddr_t)&ifr) != 0) | 111 | if (ioctl(s, SIOCSIFMTU, (caddr_t)&ifr) != 0) |
112 | fwarning("cannot set mtu for interface %s\n", ifname); | 112 | fwarning("cannot set mtu for interface %s\n", ifname); |
@@ -269,7 +269,7 @@ int net_get_mac(const char *ifname, unsigned char mac[6]) { | |||
269 | errExit("socket"); | 269 | errExit("socket"); |
270 | 270 | ||
271 | memset(&ifr, 0, sizeof(ifr)); | 271 | memset(&ifr, 0, sizeof(ifr)); |
272 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ); | 272 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); |
273 | ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER; | 273 | ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER; |
274 | 274 | ||
275 | if (ioctl(sock, SIOCGIFHWADDR, &ifr) == -1) | 275 | if (ioctl(sock, SIOCGIFHWADDR, &ifr) == -1) |
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index 9fb4840c6..f519ed85f 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c | |||
@@ -140,6 +140,8 @@ void preproc_clean_run(void) { | |||
140 | if (fp) { | 140 | if (fp) { |
141 | int val; | 141 | int val; |
142 | if (fscanf(fp, "%d", &val) == 1) { | 142 | if (fscanf(fp, "%d", &val) == 1) { |
143 | if (val > 4194304) // this is the max value supported on 64 bit Linux kernels | ||
144 | val = 4194304; | ||
143 | if (val >= max_pids) | 145 | if (val >= max_pids) |
144 | max_pids = val + 1; | 146 | max_pids = val + 1; |
145 | } | 147 | } |
diff --git a/src/firemon/interface.c b/src/firemon/interface.c index 71026c7b7..3e0f10d0b 100644 --- a/src/firemon/interface.c +++ b/src/firemon/interface.c | |||
@@ -62,7 +62,7 @@ static void net_ifprint(void) { | |||
62 | // extract mac address | 62 | // extract mac address |
63 | struct ifreq ifr; | 63 | struct ifreq ifr; |
64 | memset(&ifr, 0, sizeof(ifr)); | 64 | memset(&ifr, 0, sizeof(ifr)); |
65 | strncpy(ifr.ifr_name, ifa->ifa_name, IFNAMSIZ); | 65 | strncpy(ifr.ifr_name, ifa->ifa_name, IFNAMSIZ - 1); |
66 | int rv = ioctl (fd, SIOCGIFHWADDR, &ifr); | 66 | int rv = ioctl (fd, SIOCGIFHWADDR, &ifr); |
67 | 67 | ||
68 | if (rv == 0) | 68 | if (rv == 0) |
diff --git a/src/fldd/main.c b/src/fldd/main.c index 4658e82fb..d9adcdcf6 100644 --- a/src/fldd/main.c +++ b/src/fldd/main.c | |||
@@ -321,7 +321,7 @@ printf("\n"); | |||
321 | // attempt to open the file | 321 | // attempt to open the file |
322 | if (argc == 3) { | 322 | if (argc == 3) { |
323 | fd = open(argv[2], O_CREAT | O_TRUNC | O_WRONLY, 0644); | 323 | fd = open(argv[2], O_CREAT | O_TRUNC | O_WRONLY, 0644); |
324 | if (!fd) { | 324 | if (fd == -1) { |
325 | fprintf(stderr, "Error fldd: invalid arguments\n"); | 325 | fprintf(stderr, "Error fldd: invalid arguments\n"); |
326 | usage(); | 326 | usage(); |
327 | exit(1); | 327 | exit(1); |
diff --git a/src/fnet/arp.c b/src/fnet/arp.c index 2b6df6945..794f6c8c8 100644 --- a/src/fnet/arp.c +++ b/src/fnet/arp.c | |||
@@ -60,7 +60,7 @@ void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) { | |||
60 | errExit("socket"); | 60 | errExit("socket"); |
61 | struct ifreq ifr; | 61 | struct ifreq ifr; |
62 | memset(&ifr, 0, sizeof (ifr)); | 62 | memset(&ifr, 0, sizeof (ifr)); |
63 | strncpy(ifr.ifr_name, dev, IFNAMSIZ); | 63 | strncpy(ifr.ifr_name, dev, IFNAMSIZ - 1); |
64 | if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0) | 64 | if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0) |
65 | errExit("ioctl"); | 65 | errExit("ioctl"); |
66 | close(sock); | 66 | close(sock); |
diff --git a/src/fnet/interface.c b/src/fnet/interface.c index f3e9a8993..283c6d312 100644 --- a/src/fnet/interface.c +++ b/src/fnet/interface.c | |||
@@ -58,7 +58,7 @@ void net_bridge_add_interface(const char *bridge, const char *dev) { | |||
58 | errExit("socket"); | 58 | errExit("socket"); |
59 | 59 | ||
60 | memset(&ifr, 0, sizeof(ifr)); | 60 | memset(&ifr, 0, sizeof(ifr)); |
61 | strncpy(ifr.ifr_name, bridge, IFNAMSIZ); | 61 | strncpy(ifr.ifr_name, bridge, IFNAMSIZ - 1); |
62 | #ifdef SIOCBRADDIF | 62 | #ifdef SIOCBRADDIF |
63 | ifr.ifr_ifindex = ifindex; | 63 | ifr.ifr_ifindex = ifindex; |
64 | err = ioctl(sock, SIOCBRADDIF, &ifr); | 64 | err = ioctl(sock, SIOCBRADDIF, &ifr); |
@@ -90,7 +90,7 @@ void net_if_up(const char *ifname) { | |||
90 | // get the existing interface flags | 90 | // get the existing interface flags |
91 | struct ifreq ifr; | 91 | struct ifreq ifr; |
92 | memset(&ifr, 0, sizeof(ifr)); | 92 | memset(&ifr, 0, sizeof(ifr)); |
93 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ); | 93 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); |
94 | ifr.ifr_addr.sa_family = AF_INET; | 94 | ifr.ifr_addr.sa_family = AF_INET; |
95 | 95 | ||
96 | // read the existing flags | 96 | // read the existing flags |
@@ -135,7 +135,7 @@ int net_get_mtu(const char *ifname) { | |||
135 | 135 | ||
136 | memset(&ifr, 0, sizeof(ifr)); | 136 | memset(&ifr, 0, sizeof(ifr)); |
137 | ifr.ifr_addr.sa_family = AF_INET; | 137 | ifr.ifr_addr.sa_family = AF_INET; |
138 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ); | 138 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); |
139 | if (ioctl(s, SIOCGIFMTU, (caddr_t)&ifr) == 0) | 139 | if (ioctl(s, SIOCGIFMTU, (caddr_t)&ifr) == 0) |
140 | mtu = ifr.ifr_mtu; | 140 | mtu = ifr.ifr_mtu; |
141 | close(s); | 141 | close(s); |
@@ -154,7 +154,7 @@ void net_set_mtu(const char *ifname, int mtu) { | |||
154 | 154 | ||
155 | memset(&ifr, 0, sizeof(ifr)); | 155 | memset(&ifr, 0, sizeof(ifr)); |
156 | ifr.ifr_addr.sa_family = AF_INET; | 156 | ifr.ifr_addr.sa_family = AF_INET; |
157 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ); | 157 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); |
158 | ifr.ifr_mtu = mtu; | 158 | ifr.ifr_mtu = mtu; |
159 | if (ioctl(s, SIOCSIFMTU, (caddr_t)&ifr) != 0) { | 159 | if (ioctl(s, SIOCSIFMTU, (caddr_t)&ifr) != 0) { |
160 | if (!arg_quiet) | 160 | if (!arg_quiet) |
@@ -238,7 +238,7 @@ int net_get_mac(const char *ifname, unsigned char mac[6]) { | |||
238 | errExit("socket"); | 238 | errExit("socket"); |
239 | 239 | ||
240 | memset(&ifr, 0, sizeof(ifr)); | 240 | memset(&ifr, 0, sizeof(ifr)); |
241 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ); | 241 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); |
242 | ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER; | 242 | ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER; |
243 | 243 | ||
244 | if (ioctl(sock, SIOCGIFHWADDR, &ifr) == -1) | 244 | if (ioctl(sock, SIOCGIFHWADDR, &ifr) == -1) |
@@ -258,7 +258,7 @@ void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) { | |||
258 | 258 | ||
259 | struct ifreq ifr; | 259 | struct ifreq ifr; |
260 | memset(&ifr, 0, sizeof(ifr)); | 260 | memset(&ifr, 0, sizeof(ifr)); |
261 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ); | 261 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); |
262 | ifr.ifr_addr.sa_family = AF_INET; | 262 | ifr.ifr_addr.sa_family = AF_INET; |
263 | 263 | ||
264 | ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr = htonl(ip); | 264 | ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr = htonl(ip); |
@@ -292,7 +292,7 @@ int net_if_mac(const char *ifname, const unsigned char mac[6]) { | |||
292 | errExit("socket"); | 292 | errExit("socket"); |
293 | 293 | ||
294 | memset(&ifr, 0, sizeof(ifr)); | 294 | memset(&ifr, 0, sizeof(ifr)); |
295 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ); | 295 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); |
296 | ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER; | 296 | ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER; |
297 | memcpy(ifr.ifr_hwaddr.sa_data, mac, 6); | 297 | memcpy(ifr.ifr_hwaddr.sa_data, mac, 6); |
298 | 298 | ||
@@ -350,7 +350,7 @@ void net_if_ip6(const char *ifname, const char *addr6) { | |||
350 | // find interface index | 350 | // find interface index |
351 | struct ifreq ifr; | 351 | struct ifreq ifr; |
352 | memset(&ifr, 0, sizeof(ifr)); | 352 | memset(&ifr, 0, sizeof(ifr)); |
353 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ); | 353 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); |
354 | ifr.ifr_addr.sa_family = AF_INET; | 354 | ifr.ifr_addr.sa_family = AF_INET; |
355 | if (ioctl(sock, SIOGIFINDEX, &ifr) < 0) { | 355 | if (ioctl(sock, SIOGIFINDEX, &ifr) < 0) { |
356 | perror("ioctl SIOGIFINDEX"); | 356 | perror("ioctl SIOGIFINDEX"); |