Merge branch 'master' of https://github.com/netblue30/firejail

15 files changed, 169 insertions, 106 deletions

diff --git a/src/common.mk.in b/src/common.mk.in
index 8104bc258..22c25c6aa 100644
--- a/src/common.mk.in
+++ b/src/common.mk.in
@@ -9,8 +9,6 @@ sysconfdir=@sysconfdir@
 
 VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@
-HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
-HAVE_SECCOMP=@HAVE_SECCOMP@
 HAVE_CHROOT=@HAVE_CHROOT@
 HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
 HAVE_NETWORK=@HAVE_NETWORK@
@@ -34,7 +32,8 @@ BINOBJS =  $(foreach file, $(OBJS), $file)
 CFLAGS = @CFLAGS@
 CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV)
 CFLAGS += -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"'
-CFLAGS += $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_FIRETUNNEL) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
+MANFLAGS = $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) $(HAVE_SELINUX)
+CFLAGS += $(MANFLAGS)
 CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index f6b3b3252..fb19e8f5a 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -226,7 +226,6 @@ int checkcfg(int val) {
 
                         // seccomp error action
                         else if (strncmp(ptr, "seccomp-error-action ", 21) == 0) {
-#ifdef HAVE_SECCOMP
                                 if (strcmp(ptr + 21, "kill") == 0)
                                         cfg_val[CFG_SECCOMP_ERROR_ACTION] = SECCOMP_RET_KILL;
                                 else if (strcmp(ptr + 21, "log") == 0)
@@ -239,9 +238,6 @@ int checkcfg(int val) {
                                 config_seccomp_error_action_str = strdup(ptr + 21);
                                 if (!config_seccomp_error_action_str)
                                         errExit("strdup");
-#else
-                                warning_feature_disabled("seccomp");
-#endif
                         }
 
                         else
@@ -347,14 +343,6 @@ void print_compiletime_support(void) {
 #endif
                 );
 
-        printf("\t- seccomp-bpf support is %s\n",
-#ifdef HAVE_SECCOMP
-                "enabled"
-#else
-                "disabled"
-#endif
-                );
-
         printf("\t- SELinux support is %s\n",
 #ifdef HAVE_SELINUX
                 "enabled"
diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
index 36d110ac7..f0ba10afc 100644
--- a/src/firejail/dbus.c
+++ b/src/firejail/dbus.c
@@ -555,10 +555,8 @@ void dbus_apply_policy(void) {
                 return;
 
         // --protocol=unix
-#ifdef HAVE_SECCOMP
         if (cfg.protocol && !strstr(cfg.protocol, "unix"))
                 return;
-#endif
 
         fwarning("An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.\n");
 }
diff --git a/src/firejail/join.c b/src/firejail/join.c
index c7619ef3b..7fd5ec3d3 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -465,10 +465,8 @@ void join(pid_t pid, int argc, char **argv, int index) {
                 EUID_ROOT();
                 if (apply_caps == 1)    // not available for uid 0
                         caps_set(caps);
-#ifdef HAVE_SECCOMP
                 if (getuid() != 0)
                         seccomp_load_file_list();
-#endif
 
                 // mount user namespace or drop privileges
                 if (arg_noroot) {       // not available for uid 0
diff --git a/src/firejail/main.c b/src/firejail/main.c
index df890ecea..75324b66a 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -479,7 +479,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
         //*************************************
         // independent commands - the program will exit!
         //*************************************
-#ifdef HAVE_SECCOMP
         else if (strcmp(argv[i], "--debug-syscalls") == 0) {
                 if (checkcfg(CFG_SECCOMP)) {
                         int rv = sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 2, PATH_FSECCOMP_MAIN, "debug-syscalls");
@@ -529,7 +528,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                         exit_err_feature("seccomp");
                 exit(0);
         }
-#endif
         else if (strncmp(argv[i], "--profile.print=", 16) == 0) {
                 pid_t pid = require_pid(argv[i] + 16);
 
@@ -950,7 +948,6 @@ void filter_add_blacklist_override(int fd, int syscall, int arg, void *ptrarg, b
         (void) native;
 }
 
-#ifdef HAVE_SECCOMP
 static int check_postexec(const char *list) {
         char *prelist, *postlist;
 
@@ -961,7 +958,6 @@ static int check_postexec(const char *list) {
         }
         return 0;
 }
-#endif
 
 //*******************************************
 // Main program
@@ -1264,7 +1260,6 @@ int main(int argc, char **argv, char **envp) {
                 else if (strcmp(argv[i], "--apparmor") == 0)
                         arg_apparmor = 1;
 #endif
-#ifdef HAVE_SECCOMP
                 else if (strncmp(argv[i], "--protocol=", 11) == 0) {
                         if (checkcfg(CFG_SECCOMP)) {
                                 if (cfg.protocol) {
@@ -1402,7 +1397,6 @@ int main(int argc, char **argv, char **envp) {
                         } else
                                 exit_err_feature("seccomp");
                 }
-#endif
                 else if (strcmp(argv[i], "--caps") == 0) {
                         arg_caps_default_filter = 1;
                         arg_caps_cmdline = 1;
@@ -2783,10 +2777,9 @@ int main(int argc, char **argv, char **envp) {
         // check network configuration options - it will exit if anything went wrong
         net_check_cfg();
 
-#ifdef HAVE_SECCOMP
         if (arg_seccomp)
                 arg_seccomp_postexec = check_postexec(cfg.seccomp_list) || check_postexec(cfg.seccomp_list_drop);
-#endif
+
         bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec;
         if (need_preload && (cfg.seccomp_list32 || cfg.seccomp_list_drop32 || cfg.seccomp_list_keep32))
                 fwarning("preload libraries (trace, tracelog, postexecseccomp due to seccomp.drop=execve etc.) are incompatible with 32 bit filters\n");
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index c0b09e945..836526593 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -103,7 +103,6 @@ void preproc_mount_mnt_dir(void) {
                 if (arg_tracefile)
                         fs_tracefile();
 
-#ifdef HAVE_SECCOMP
                 create_empty_dir_as_root(RUN_SECCOMP_DIR, 0755);
 
                 if (arg_seccomp_block_secondary)
@@ -132,7 +131,6 @@ void preproc_mount_mnt_dir(void) {
                 create_empty_file_as_root(RUN_SECCOMP_POSTEXEC_32, 0644);
                 if (set_perms(RUN_SECCOMP_POSTEXEC_32, getuid(), getgid(), 0644))
                         errExit("set_perms");
-#endif
         }
 }
 
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 970033899..8eaae9a30 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -327,12 +327,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 return 0;
         }
         else if (strcmp(ptr, "seccomp") == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP))
                         arg_seccomp = 1;
                 else
                         warning_feature_disabled("seccomp");
-#endif
                 return 0;
         }
         else if (strcmp(ptr, "caps") == 0) {
@@ -861,7 +859,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
         }
 
         if (strncmp(ptr, "protocol ", 9) == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
                         if (cfg.protocol) {
                                 fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol);
@@ -875,7 +872,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                 }
                 else
                         warning_feature_disabled("seccomp");
-#endif
                 return 0;
         }
 
@@ -890,102 +886,85 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 
         // seccomp drop list on top of default list
         if (strncmp(ptr, "seccomp ", 8) == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp = 1;
                         cfg.seccomp_list = seccomp_check_list(ptr + 8);
                 }
                 else if (!arg_quiet)
                         warning_feature_disabled("seccomp");
-#endif
 
                 return 0;
         }
         if (strncmp(ptr, "seccomp.32 ", 11) == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp32 = 1;
                         cfg.seccomp_list32 = seccomp_check_list(ptr + 11);
                 }
                 else if (!arg_quiet)
                         warning_feature_disabled("seccomp");
-#endif
 
                 return 0;
         }
 
         if (strcmp(ptr, "seccomp.block-secondary") == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp_block_secondary = 1;
                 }
                 else
                         warning_feature_disabled("seccomp");
-#endif
                 return 0;
         }
         // seccomp drop list without default list
         if (strncmp(ptr, "seccomp.drop ", 13) == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp = 1;
                         cfg.seccomp_list_drop = seccomp_check_list(ptr + 13);
                 }
                 else
                         warning_feature_disabled("seccomp");
-#endif
                 return 0;
         }
         if (strncmp(ptr, "seccomp.32.drop ", 13) == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp32 = 1;
                         cfg.seccomp_list_drop32 = seccomp_check_list(ptr + 13);
                 }
                 else
                         warning_feature_disabled("seccomp");
-#endif
                 return 0;
         }
 
         // seccomp keep list
         if (strncmp(ptr, "seccomp.keep ", 13) == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp = 1;
                         cfg.seccomp_list_keep= seccomp_check_list(ptr + 13);
                 }
                 else
                         warning_feature_disabled("seccomp");
-#endif
                 return 0;
         }
         if (strncmp(ptr, "seccomp.32.keep ", 13) == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
                         arg_seccomp32 = 1;
                         cfg.seccomp_list_keep32 = seccomp_check_list(ptr + 13);
                 }
                 else
                         warning_feature_disabled("seccomp");
-#endif
                 return 0;
         }
 
         // memory deny write&execute
         if (strcmp(ptr, "memory-deny-write-execute") == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP))
                         arg_memory_deny_write_execute = 1;
                 else
                         warning_feature_disabled("seccomp");
-#endif
                 return 0;
         }
 
         // seccomp error action
         if (strncmp(ptr, "seccomp-error-action ", 21) == 0) {
-#ifdef HAVE_SECCOMP
                 if (checkcfg(CFG_SECCOMP)) {
                         int config_seccomp_error_action = checkcfg(CFG_SECCOMP_ERROR_ACTION);
                         if (config_seccomp_error_action == -1) {
@@ -1008,7 +987,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
                         }
                 } else
                         warning_feature_disabled("seccomp");
-#endif
                 return 0;
         }
 
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c
index a1594d6b9..cd54eb72d 100644
--- a/src/firejail/protocol.c
+++ b/src/firejail/protocol.c
@@ -18,7 +18,6 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 
-#ifdef HAVE_SECCOMP
 #include "firejail.h"
 #include "../include/seccomp.h"
 
@@ -93,6 +92,3 @@ void protocol_print_filter(pid_t pid) {
         exit(1);
 #endif
 }
-
-
-#endif // HAVE_SECCOMP
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 5a4741a56..3bb4858c9 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -141,7 +141,6 @@ void set_apparmor(void) {
 }
 #endif
 
-#ifdef HAVE_SECCOMP
 void seccomp_debug(void) {
         if (arg_debug == 0)
                 return;
@@ -158,7 +157,6 @@ void seccomp_debug(void) {
                 printf("No active seccomp files\n");
         EUID_ROOT();
 }
-#endif
 
 static void save_nogroups(void) {
         if (arg_nogroups == 0)
@@ -497,9 +495,7 @@ void start_application(int no_sandbox, char *set_sandbox_status) {
 #ifdef HAVE_GCOV
                 __gcov_dump();
 #endif
-#ifdef HAVE_SECCOMP
                 seccomp_install_filters();
-#endif
                 if (set_sandbox_status)
                         *set_sandbox_status = SANDBOX_DONE;
                 execl(arg_audit_prog, arg_audit_prog, NULL);
@@ -536,9 +532,8 @@ void start_application(int no_sandbox, char *set_sandbox_status) {
 #ifdef HAVE_GCOV
                 __gcov_dump();
 #endif
-#ifdef HAVE_SECCOMP
                 seccomp_install_filters();
-#endif
+
                 if (set_sandbox_status)
                         *set_sandbox_status = SANDBOX_DONE;
                 execvp(cfg.original_argv[cfg.original_program_index], &cfg.original_argv[cfg.original_program_index]);
@@ -591,9 +586,8 @@ void start_application(int no_sandbox, char *set_sandbox_status) {
 #ifdef HAVE_GCOV
                 __gcov_dump();
 #endif
-#ifdef HAVE_SECCOMP
                 seccomp_install_filters();
-#endif
+
                 if (set_sandbox_status)
                         *set_sandbox_status = SANDBOX_DONE;
                 execvp(arg[0], arg);
@@ -797,7 +791,6 @@ int sandbox(void* sandbox_arg) {
         //  - build seccomp filters
         //  - create an empty /etc/ld.so.preload
         //****************************
-#ifdef HAVE_SECCOMP
         if (cfg.protocol) {
                 if (arg_debug)
                         printf("Build protocol filter: %s\n", cfg.protocol);
@@ -808,7 +801,6 @@ int sandbox(void* sandbox_arg) {
                 if (rv)
                         exit(rv);
         }
-#endif
 
         // need ld.so.preload if tracing or seccomp with any non-default lists
         bool need_preload = arg_trace || arg_tracelog || arg_seccomp_postexec;
@@ -1107,7 +1099,6 @@ int sandbox(void* sandbox_arg) {
         save_cgroup();
 
         // set seccomp
-#ifdef HAVE_SECCOMP
         // install protocol filter
 #ifdef SYS_socket
         if (cfg.protocol) {
@@ -1151,7 +1142,6 @@ int sandbox(void* sandbox_arg) {
         // make seccomp filters read-only
         fs_remount(RUN_SECCOMP_DIR, MOUNT_READONLY, 0);
         seccomp_debug();
-#endif
 
         // set capabilities
         set_caps();
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index 7f55ccc0e..e47e6c910 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -18,7 +18,6 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 
-#ifdef HAVE_SECCOMP
 #include "firejail.h"
 #include "../include/seccomp.h"
 #include <sys/mman.h>
@@ -445,5 +444,3 @@ errexit:
         printf("Cannot access seccomp filter.\n");
         exit(1);
 }
-
-#endif // HAVE_SECCOMP
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 2390706f2..d58bbb409 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -123,10 +123,8 @@ static char *usage_str =
         "    --mac=xx:xx:xx:xx:xx:xx - set interface MAC address.\n"
 #endif
         "    --machine-id - preserve /etc/machine-id\n"
-#ifdef HAVE_SECCOMP
         "    --memory-deny-write-execute - seccomp filter to block attempts to create\n"
         "\tmemory mappings that are both writable and executable.\n"
-#endif
 #ifdef HAVE_NETWORK
         "    --mtu=number - set interface MTU.\n"
 #endif
@@ -215,7 +213,6 @@ static char *usage_str =
 #ifdef HAVE_NETWORK
         "    --scan - ARP-scan all the networks from inside a network namespace.\n"
 #endif
-#ifdef HAVE_SECCOMP
         "    --seccomp - enable seccomp filter and apply the default blacklist.\n"
         "    --seccomp=syscall,syscall,syscall - enable seccomp filter, blacklist the\n"
         "\tdefault syscall list and the syscalls specified by the command.\n"
@@ -229,7 +226,6 @@ static char *usage_str =
         "    --seccomp.32[.drop,.keep][=syscall] - like above but for 32 bit architecture.\n"
         "    --seccomp-error-action=errno|kill|log - change error code, kill process\n"
         "\tor log the attempt.\n"
-#endif
         "    --shell=none - run the program directly without a user shell.\n"
         "    --shell=program - set default user shell.\n"
         "    --shutdown=name|pid - shutdown the sandbox identified by name or PID.\n"
diff --git a/src/include/seccomp.h b/src/include/seccomp.h
index 29b858c70..90db16d39 100644
--- a/src/include/seccomp.h
+++ b/src/include/seccomp.h
@@ -96,24 +96,7 @@
 # define PR_SET_NO_NEW_PRIVS 38
 #endif
 
-#if HAVE_SECCOMP_H
 #include <linux/seccomp.h>
-#else
-#define SECCOMP_MODE_FILTER     2
-#define SECCOMP_RET_KILL        0x00000000U
-#define SECCOMP_RET_TRAP        0x00030000U
-#define SECCOMP_RET_ALLOW       0x7fff0000U
-#define SECCOMP_RET_ERRNO       0x00050000U
-#define SECCOMP_RET_DATA        0x0000ffffU
-
-struct seccomp_data {
-    int nr;
-    __u32 arch;
-    __u64 instruction_pointer;
-    __u64 args[6];
-};
-#endif
-
 #ifndef SECCOMP_RET_LOG
 #define SECCOMP_RET_LOG         0x7ffc0000U
 #endif
diff --git a/src/lib/syscall.c b/src/lib/syscall.c
index 2f8ccaed7..4903971ad 100644
--- a/src/lib/syscall.c
+++ b/src/lib/syscall.c
@@ -230,6 +230,7 @@ static const SyscallGroupList sysgroups[] = {
           "@cpu-emulation,"
           "@debug,"
           "@module,"
+          "@mount,"
           "@obsolete,"
           "@raw-io,"
           "@reboot,"
@@ -297,9 +298,6 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_vmsplice
           "vmsplice,"
 #endif
-#ifdef SYS_umount
-          "umount,"
-#endif
 #ifdef SYS_userfaultfd
           "userfaultfd,"
 #endif
@@ -309,27 +307,15 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_bpf
           "bpf,"
 #endif
-#ifdef SYS_chroot
-          "chroot,"
-#endif
-#ifdef SYS_mount
-          "mount,"
-#endif
 #ifdef SYS_nfsservctl
           "nfsservctl,"
 #endif
-#ifdef SYS_pivot_root
-          "pivot_root,"
-#endif
 #ifdef SYS_setdomainname
           "setdomainname,"
 #endif
 #ifdef SYS_sethostname
           "sethostname,"
 #endif
-#ifdef SYS_umount2
-          "umount2,"
-#endif
 #ifdef SYS_vhangup
           "vhangup"
 #endif
diff --git a/src/man/Makefile.in b/src/man/Makefile.in
new file mode 100644
index 000000000..0180baee5
--- /dev/null
+++ b/src/man/Makefile.in
@@ -0,0 +1,17 @@
+all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man
+
+include ../common.mk
+
+%.o : %.c $(H_FILE_LIST)
+        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+
+preproc: $(OBJS)
+        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+
+%.man: %.txt preproc
+        ./preproc $(MANFLAGS) $<
+
+clean:; rm -fr *.o preproc *.gcov *.gcda *.gcno *.plist *.man alldone
+
+distclean: clean
+        rm -fr Makefile
diff --git a/src/man/preproc.c b/src/man/preproc.c
new file mode 100644
index 000000000..34a49d335
--- /dev/null
+++ b/src/man/preproc.c
@@ -0,0 +1,146 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+
+#define MAXBUF 4096
+#define MAXMACROS 64
+static char *macro[MAXMACROS] = {NULL};
+
+static void add_macro(char *m) {
+        assert(m);
+        int i;
+        for (i = 0; i < MAXMACROS && macro[i]; i++);
+        if (i == MAXMACROS) {
+                fprintf(stderr, "Error: maximum number of marcros (%d) exceeded\n", MAXMACROS);
+                exit(1);
+        }
+
+        macro[i] = m;
+}
+
+static char *find_macro(char *m) {
+        assert(m);
+        int i = 0;
+        while (i < MAXMACROS && macro[i]) {
+                if (strcmp(macro[i], m) == 0)
+                        return m;
+                i++;
+        }
+
+        return NULL;
+}
+
+static void usage(void) {
+        printf("Simple preprocessor for man pages. It supports:\n");
+        printf("\t#if 0 ... #endif\n");
+        printf("\t#ifdef macro ... #endif\n");
+        printf("Usage: preproc [--help] [-Dmacro] manpage.txt\n");
+        return;
+}
+
+
+int main(int argc, char **argv) {
+        if (argc == 1) {
+                fprintf(stderr, "Error: no files/arguments provided\n");
+                usage();
+                exit(1);
+        }
+
+        int i;
+        for (i = 1; i < argc; i++) {
+                if (strncmp(argv[i], "-D", 2) == 0)
+                        add_macro(argv[i] + 2);
+                else if (strcmp(argv[i], "--help") == 0) {
+                        usage();
+                        return 0;
+                }
+                else if (*argv[i] == '-') {
+                        fprintf(stderr, "Error: invalid argument %s\n", argv[i]);
+                        exit(1);
+                }
+                else
+                        break;
+        }
+
+        char *ptr = strstr(argv[i], ".txt");
+        if (!ptr || strlen(ptr) != 4) {
+                fprintf(stderr, "Error: input file needs to have a .txt extension\n"),
+                exit(1);
+        }
+
+        FILE *fp = fopen(argv[i], "r");
+        if (!fp) {
+                fprintf(stderr, "Error: cannot open %s\n", argv[i]);
+                exit(1);
+        }
+        char *outfile = strdup(argv[i]);
+        if (!outfile)
+                goto errout;
+        ptr = strstr(outfile, ".txt");
+        assert(ptr);
+        strcpy(ptr, ".man");
+        FILE *fpout = fopen(outfile, "w");
+        if (!fpout)
+                goto errout;
+
+        char buf[MAXBUF];
+        int disabled = 0;
+        int enabled = 0;
+        int line = 0;;
+        while (fgets(buf, MAXBUF, fp)) {
+                line++;
+                if (disabled && strncmp(buf, "#if", 3) == 0) {
+                        fprintf(stderr, "Error %d: already in a #if block on line %d\n", __LINE__, line);
+                        exit(1);
+                }
+                if ((!disabled && !enabled) && strncmp(buf, "#endif", 6) == 0) {
+                        fprintf(stderr, "Error %d: unmatched #endif on line %d\n", __LINE__, line);
+                        exit(1);
+                }
+
+                char *ptr = strchr(buf, '\n');
+                if (ptr)
+                        *ptr = '\0';
+
+                if (strncmp(buf, "#if 0", 5) == 0) {
+                        disabled = 1;
+                        continue;
+                }
+                if (strncmp(buf, "#ifdef", 6) == 0) {
+                        char *ptr = buf + 6;
+                        if (*ptr != ' ' && *ptr != '\t') {
+                                fprintf(stderr, "Error %d: invalid macro on line %d\n", __LINE__, line);
+                                exit(1);
+                        }
+
+                        while (*ptr == ' ' || *ptr == '\t')
+                                ptr++;
+
+                        if (!find_macro(ptr))
+                                disabled = 1;
+                        else
+                                enabled = 1;
+                        continue;
+                }
+
+                if (strncmp(buf, "#endif", 6) == 0) {
+                        disabled = 0;
+                        enabled = 1;
+                        continue;
+                }
+
+                if (!disabled) {
+//                      printf("%s\n", buf);
+                        fprintf(fpout, "%s\n", buf);
+                }
+        }
+        fclose(fp);
+
+        return 0;
+
+errout:
+        fclose(fp);
+        fprintf(stderr, "Error: cannot open output file\n");
+        exit(1);
+}