10 files changed, 57 insertions, 38 deletions
diff --git a/.travis.yml b/.travis.yml
index 9a2c68361..5dd77e1f5 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -3,7 +3,7 @@ dist: trusty
 sudo: true
 script:
-  - sudo apt-get -y install expect csh zsh
+  - sudo apt-get -y install expect csh xzdec
  - ( cd firejail ; ./configure --prefix=/usr --enable-git-install && make && sudo make install && make test-travis )
  - ( cd firejail ; sudo make install-strip DESTDIR=$(readlink -f appdir) )
  - ( cd appdir/ ; tar cfvj ../firejail-build$TRAVIS_BUILD_NUMBER.tar.bz2 . )
diff --git a/Makefile.in b/Makefile.in
index 442766e27..9111a3c95 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -2,7 +2,7 @@ all: apps man filters
 MYLIBS = src/lib
 APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fcopy src/fldd src/libpostexecseccomp
 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
-SECCOMP_FILTERS = seccomp seccomp.debug seccomp.i386 seccomp.amd64 seccomp.block_secondary seccomp.mwdx
+SECCOMP_FILTERS = seccomp seccomp.debug seccomp.i386 seccomp.amd64 seccomp.block_secondary seccomp.mdwx
 prefix=@prefix@
 exec_prefix=@exec_prefix@
@@ -186,7 +186,7 @@ uninstall:
        rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
 DISTFILES = "src etc platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES"
-DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils"
+DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot"
 dist:
        mv config.status config.status.old
@@ -269,10 +269,10 @@ test-fs:
 test-fcopy:
        cd test/fcopy; ./fcopy.sh | grep TESTING
-test: test-profiles test-fcopy test-fs test-utils  test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments
+test: test-profiles test-fcopy test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments
        echo "TEST COMPLETE"
-test-travis: test-profiles test-fcopy test-fs test-utils  test-environment test-filters test-arguments
+test-travis: test-profiles test-fcopy test-fs test-utils test-sysutils test-environment test-filters test-arguments
        echo "TEST COMPLETE"
 ##########################################
diff --git a/configure b/configure
index d1911cea6..2f14e0a83 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for firejail 0.9.50~rc1.
+# Generated by GNU Autoconf 2.69 for firejail 0.9.50~rc2.
 #
 # Report bugs to <netblue30@yahoo.com>.
 #
@@ -580,8 +580,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='firejail'
 PACKAGE_TARNAME='firejail'
-PACKAGE_VERSION='0.9.50~rc1'
+PACKAGE_VERSION='0.9.50~rc2'
-PACKAGE_STRING='firejail 0.9.50~rc1'
+PACKAGE_STRING='firejail 0.9.50~rc2'
 PACKAGE_BUGREPORT='netblue30@yahoo.com'
 PACKAGE_URL='http://firejail.wordpress.com'
@@ -1276,7 +1276,7 @@ if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
-\`configure' configures firejail 0.9.50~rc1 to adapt to many kinds of systems.
+\`configure' configures firejail 0.9.50~rc2 to adapt to many kinds of systems.
 Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1338,7 +1338,7 @@ fi
 if test -n "$ac_init_help"; then
  case $ac_init_help in
-     short | recursive ) echo "Configuration of firejail 0.9.50~rc1:";;
+     short | recursive ) echo "Configuration of firejail 0.9.50~rc2:";;
   esac
  cat <<\_ACEOF
@@ -1446,7 +1446,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
  cat <<\_ACEOF
-firejail configure 0.9.50~rc1
+firejail configure 0.9.50~rc2
 generated by GNU Autoconf 2.69
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1748,7 +1748,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
-It was created by firejail $as_me 0.9.50~rc1, which was
+It was created by firejail $as_me 0.9.50~rc2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  $ $0 $@
@@ -4367,7 +4367,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by firejail $as_me 0.9.50~rc1, which was
+This file was extended by firejail $as_me 0.9.50~rc2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
  CONFIG_FILES    = $CONFIG_FILES
@@ -4421,7 +4421,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-firejail config.status 0.9.50~rc1
+firejail config.status 0.9.50~rc2
 configured by $0, generated by GNU Autoconf 2.69,
  with options \\"\$ac_cs_config\\"
diff --git a/configure.ac b/configure.ac
index 0ebeebd08..b9f3cbde9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.68])
-AC_INIT(firejail, 0.9.50~rc1, netblue30@yahoo.com, , http://firejail.wordpress.com)
+AC_INIT(firejail, 0.9.50~rc2, netblue30@yahoo.com, , http://firejail.wordpress.com)
 AC_CONFIG_SRCDIR([src/firejail/main.c])
 #AC_CONFIG_HEADERS([config.h])
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index 110f027f7..d2c8fbbc8 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -105,7 +105,7 @@ static int valid_full_path_file(const char *name) {
        char *fname = strrchr(full_name, '/');
        if (!fname)
                goto errexit;
-        if (++fname == '\0')
+        if (*(++fname) == '\0')
                goto errexit;
        int i = 0;
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 480df1766..dad8545a0 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -368,12 +368,12 @@ void fs_whitelist(void) {
                // replace ~/ or ${HOME} into /home/username
                new_name = expand_home(dataptr, cfg.homedir);
                assert(new_name);
-                if (arg_debug)
+                if (arg_debug || arg_debug_whitelists)
                        fprintf(stderr, "Debug %d: new_name #%s#, %s\n", __LINE__, new_name, (nowhitelist_flag)? "nowhitelist": "whitelist");
                // valid path referenced to filesystem root
                if (*new_name != '/') {
-                        if (arg_debug)
+                        if (arg_debug || arg_debug_whitelists)
                                fprintf(stderr, "Debug %d: \n", __LINE__);
                        goto errexit;
                }
@@ -417,6 +417,8 @@ void fs_whitelist(void) {
                        entry->data = EMPTY_STRING;
                        continue;
                }
+                else if (arg_debug_whitelists)
+                        printf("real path %s\n", fname);
                if (nowhitelist_flag) {
                        // store the path in nowhitelist array
@@ -501,9 +503,15 @@ void fs_whitelist(void) {
                else if (strncmp(new_name, "/dev/", 5) == 0) {
                        entry->dev_dir = 1;
                        dev_dir = 1;
-                        // both path and absolute path are under /dev
-                        if (strncmp(fname, "/dev/", 5) != 0) {
+                        // special handling for /dev/shm
-                                goto errexit;
+                        // on some platforms (Debian wheezy, Ubuntu 14.04), it is a symlink to /run/shm
+                        if (strcmp(new_name, "/dev/shm") == 0 && strcmp(fname, "/run/shm") == 0);
+                        else {
+                                // both path and absolute path are under /dev
+                                if (strncmp(fname, "/dev/", 5) != 0) {
+                                        goto errexit;
+                                }
                        }
                }
                else if (strncmp(new_name, "/opt/", 5) == 0) {
@@ -708,7 +716,6 @@ void fs_whitelist(void) {
        }
        // go through profile rules again, and interpret whitelist commands
        entry = cfg.profile;
        while (entry) {
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c
index ad123be50..c68e2e51b 100644
--- a/src/firemon/netstats.c
+++ b/src/firemon/netstats.c
@@ -161,8 +161,8 @@ static void print_proc(int index, int itv, int col) {
        }
        // pid
-        char pidstr[10];
+        char pidstr[11];
-        snprintf(pidstr, 10, "%u", index);
+        snprintf(pidstr, 11, "%d", index);
        // user
        char *user = get_user_name(pids[index].uid);
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index 8abc249ec..e14a473fe 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -191,6 +191,21 @@ void seccomp_keep(const char *fname1, const char *fname2, char *list) {
        close(fd);
 }
+#if defined(__x86_64__) || defined(__aarch64__) || defined(__powerpc64__)
+# define filter_syscall SYS_mmap
+# undef block_syscall
+#elif defined(__i386__)
+# define filter_syscall SYS_mmap2
+# define block_syscall SYS_mmap
+#elif defined(__arm__)
+# define filter_syscall SYS_mmap2
+# undef block_syscall
+#else
+# warning "Platform does not support seccomp memory-deny-write-execute filter yet"
+# undef filter_syscall
+# undef block_syscall
+#endif
 void memory_deny_write_execute(const char *fname) {
        // open file
        int fd = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
@@ -203,22 +218,19 @@ void memory_deny_write_execute(const char *fname) {
        // build filter
        static const struct sock_filter filter[] = {
-#ifndef __x86_64__
+#ifdef block_syscall
                // block old multiplexing mmap syscall for i386
-                BLACKLIST(SYS_mmap),
+                BLACKLIST(block_syscall),
 #endif
+#ifdef filter_syscall
                // block mmap(,,x|PROT_WRITE|PROT_EXEC) so W&X memory can't be created
-#ifndef __x86_64__
+                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, filter_syscall, 0, 5),
-                // mmap2 is used for mmap on i386 these days
-                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mmap2, 0, 5),
-#else
-                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mmap, 0, 5),
-#endif
                EXAMINE_ARGUMENT(2),
                BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_WRITE|PROT_EXEC),
                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE|PROT_EXEC, 0, 1),
                KILL_PROCESS,
                RETURN_ALLOW,
+#endif
                // block mprotect(,,PROT_EXEC) so writable memory can't be turned into executable
                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mprotect, 0, 5),
@@ -228,7 +240,7 @@ void memory_deny_write_execute(const char *fname) {
                KILL_PROCESS,
                RETURN_ALLOW,
-// shmat is not implemented as a syscall on some platforms (i386, possibly arm)
+// shmat is not implemented as a syscall on some platforms (i386, powerpc64, powerpc64le)
 #ifdef SYS_shmat
                // block shmat(,,x|SHM_EXEC) so W&X shared memory can't be created
                BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_shmat, 0, 5),
diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c
index 7af95d51c..3793e125d 100644
--- a/src/fseccomp/seccomp_print.c
+++ b/src/fseccomp/seccomp_print.c
@@ -92,7 +92,7 @@ static int detect_filter_type(void) {
        
        // testing for secondare amd64 filter
        const struct sock_filter start_secondary_64[] = {
-                VALIDATE_ARCHITECTURE,
+                VALIDATE_ARCHITECTURE_64,
                EXAMINE_SYSCALL,
        };
        
diff --git a/test/fs/whitelist-dev.exp b/test/fs/whitelist-dev.exp
index b064671b6..b6ae6319f 100755
--- a/test/fs/whitelist-dev.exp
+++ b/test/fs/whitelist-dev.exp
@@ -25,14 +25,14 @@ sleep 1
 send -- "firejail --whitelist=/dev/null --whitelist=/dev/shm --whitelist=/dev/random\r"
 expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
        "Child process initialized"
 }
 sleep 1
 send -- "find /dev | wc -l\r"
 expect {
-        timeout {puts "TESTING ERROR 0.1\n";exit}
+        timeout {puts "TESTING ERROR 3\n";exit}
        "4"
 }
 after 100
@@ -41,14 +41,14 @@ sleep 1
 send -- "firejail --private-dev --debug\r"
 expect {
-        timeout {puts "TESTING ERROR 2\n";exit}
+        timeout {puts "TESTING ERROR 4\n";exit}
        "Child process initialized"
 }
 sleep 1
 send -- "ls -l /dev | wc -l\r"
 expect {
-        timeout {puts "TESTING ERROR 3\n";exit}
+        timeout {puts "TESTING ERROR 5\n";exit}
        "12" {puts "OK\n"}
        "13" {puts "OK\n"}
        "14" {puts "OK\n"}

diff --git a/.travis.yml b/.travis.yml index 9a2c68361..5dd77e1f5 100644 --- a/.travis.yml +++ b/.travis.yml
@@ -3,7 +3,7 @@ dist: trusty
3	sudo: true	3	sudo: true
4		4
5	script:	5	script:
6	- sudo apt-get -y install expect csh zsh	6	- sudo apt-get -y install expect csh xzdec
7	- ( cd firejail ; ./configure --prefix=/usr --enable-git-install && make && sudo make install && make test-travis )	7	- ( cd firejail ; ./configure --prefix=/usr --enable-git-install && make && sudo make install && make test-travis )
8	- ( cd firejail ; sudo make install-strip DESTDIR=$(readlink -f appdir) )	8	- ( cd firejail ; sudo make install-strip DESTDIR=$(readlink -f appdir) )
9	- ( cd appdir/ ; tar cfvj ../firejail-build$TRAVIS_BUILD_NUMBER.tar.bz2 . )	9	- ( cd appdir/ ; tar cfvj ../firejail-build$TRAVIS_BUILD_NUMBER.tar.bz2 . )


diff --git a/Makefile.in b/Makefile.in index 442766e27..9111a3c95 100644 --- a/Makefile.in +++ b/Makefile.in
@@ -2,7 +2,7 @@ all: apps man filters
2	MYLIBS = src/lib	2	MYLIBS = src/lib
3	APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fcopy src/fldd src/libpostexecseccomp	3	APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fcopy src/fldd src/libpostexecseccomp
4	MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5	4	MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
5	SECCOMP_FILTERS = seccomp seccomp.debug seccomp.i386 seccomp.amd64 seccomp.block_secondary seccomp.mwdx	5	SECCOMP_FILTERS = seccomp seccomp.debug seccomp.i386 seccomp.amd64 seccomp.block_secondary seccomp.mdwx
6		6
7	prefix=@prefix@	7	prefix=@prefix@
8	exec_prefix=@exec_prefix@	8	exec_prefix=@exec_prefix@
@@ -186,7 +186,7 @@ uninstall:
186	rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg	186	rm -f $(DESTDIR)/$(datarootdir)/bash-completion/completions/firecfg
187		187
188	DISTFILES = "src etc platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES"	188	DISTFILES = "src etc platform contrib configure configure.ac Makefile.in install.sh mkman.sh mketc.sh mkdeb.sh mkuid.sh COPYING README RELNOTES"
189	DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils"	189	DISTFILES_TEST = "test/apps test/apps-x11 test/apps-x11-xorg test/root test/fcopy test/environment test/profiles test/utils test/compile test/filters test/network test/arguments test/fs test/sysutils test/chroot"
190		190
191	dist:	191	dist:
192	mv config.status config.status.old	192	mv config.status config.status.old
@@ -269,10 +269,10 @@ test-fs:
269	test-fcopy:	269	test-fcopy:
270	cd test/fcopy; ./fcopy.sh \| grep TESTING	270	cd test/fcopy; ./fcopy.sh \| grep TESTING
271		271
272	test: test-profiles test-fcopy test-fs test-utils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments	272	test: test-profiles test-fcopy test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments
273	echo "TEST COMPLETE"	273	echo "TEST COMPLETE"
274		274
275	test-travis: test-profiles test-fcopy test-fs test-utils test-environment test-filters test-arguments	275	test-travis: test-profiles test-fcopy test-fs test-utils test-sysutils test-environment test-filters test-arguments
276	echo "TEST COMPLETE"	276	echo "TEST COMPLETE"
277		277
278	##########################################	278	##########################################


diff --git a/configure b/configure index d1911cea6..2f14e0a83 100755 --- a/configure +++ b/configure
@@ -1,6 +1,6 @@
1	#! /bin/sh	1	#! /bin/sh
2	# Guess values for system-dependent variables and create Makefiles.	2	# Guess values for system-dependent variables and create Makefiles.
3	# Generated by GNU Autoconf 2.69 for firejail 0.9.50~rc1.	3	# Generated by GNU Autoconf 2.69 for firejail 0.9.50~rc2.
4	#	4	#
5	# Report bugs to <netblue30@yahoo.com>.	5	# Report bugs to <netblue30@yahoo.com>.
6	#	6	#
@@ -580,8 +580,8 @@ MAKEFLAGS=
580	# Identity of this package.	580	# Identity of this package.
581	PACKAGE_NAME='firejail'	581	PACKAGE_NAME='firejail'
582	PACKAGE_TARNAME='firejail'	582	PACKAGE_TARNAME='firejail'
583	PACKAGE_VERSION='0.9.50~rc1'	583	PACKAGE_VERSION='0.9.50~rc2'
584	PACKAGE_STRING='firejail 0.9.50~rc1'	584	PACKAGE_STRING='firejail 0.9.50~rc2'
585	PACKAGE_BUGREPORT='netblue30@yahoo.com'	585	PACKAGE_BUGREPORT='netblue30@yahoo.com'
586	PACKAGE_URL='http://firejail.wordpress.com'	586	PACKAGE_URL='http://firejail.wordpress.com'
587		587
@@ -1276,7 +1276,7 @@ if test "$ac_init_help" = "long"; then
1276	# Omit some internal or obsolete options to make the list less imposing.	1276	# Omit some internal or obsolete options to make the list less imposing.
1277	# This message is too long to be a string in the A/UX 3.1 sh.	1277	# This message is too long to be a string in the A/UX 3.1 sh.
1278	cat <<_ACEOF	1278	cat <<_ACEOF
1279	\`configure' configures firejail 0.9.50~rc1 to adapt to many kinds of systems.	1279	\`configure' configures firejail 0.9.50~rc2 to adapt to many kinds of systems.
1280		1280
1281	Usage: $0 [OPTION]... [VAR=VALUE]...	1281	Usage: $0 [OPTION]... [VAR=VALUE]...
1282		1282
@@ -1338,7 +1338,7 @@ fi
1338		1338
1339	if test -n "$ac_init_help"; then	1339	if test -n "$ac_init_help"; then
1340	case $ac_init_help in	1340	case $ac_init_help in
1341	short \| recursive ) echo "Configuration of firejail 0.9.50~rc1:";;	1341	short \| recursive ) echo "Configuration of firejail 0.9.50~rc2:";;
1342	esac	1342	esac
1343	cat <<\_ACEOF	1343	cat <<\_ACEOF
1344		1344
@@ -1446,7 +1446,7 @@ fi
1446	test -n "$ac_init_help" && exit $ac_status	1446	test -n "$ac_init_help" && exit $ac_status
1447	if $ac_init_version; then	1447	if $ac_init_version; then
1448	cat <<\_ACEOF	1448	cat <<\_ACEOF
1449	firejail configure 0.9.50~rc1	1449	firejail configure 0.9.50~rc2
1450	generated by GNU Autoconf 2.69	1450	generated by GNU Autoconf 2.69
1451		1451
1452	Copyright (C) 2012 Free Software Foundation, Inc.	1452	Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1748,7 +1748,7 @@ cat >config.log <<_ACEOF
1748	This file contains any messages produced by compilers while	1748	This file contains any messages produced by compilers while
1749	running configure, to aid debugging if configure makes a mistake.	1749	running configure, to aid debugging if configure makes a mistake.
1750		1750
1751	It was created by firejail $as_me 0.9.50~rc1, which was	1751	It was created by firejail $as_me 0.9.50~rc2, which was
1752	generated by GNU Autoconf 2.69. Invocation command line was	1752	generated by GNU Autoconf 2.69. Invocation command line was
1753		1753
1754	$ $0 $@	1754	$ $0 $@
@@ -4367,7 +4367,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF \|\| ac_write_fail=1
4367	# report actual input values of CONFIG_FILES etc. instead of their	4367	# report actual input values of CONFIG_FILES etc. instead of their
4368	# values after options handling.	4368	# values after options handling.
4369	ac_log="	4369	ac_log="
4370	This file was extended by firejail $as_me 0.9.50~rc1, which was	4370	This file was extended by firejail $as_me 0.9.50~rc2, which was
4371	generated by GNU Autoconf 2.69. Invocation command line was	4371	generated by GNU Autoconf 2.69. Invocation command line was
4372		4372
4373	CONFIG_FILES = $CONFIG_FILES	4373	CONFIG_FILES = $CONFIG_FILES
@@ -4421,7 +4421,7 @@ _ACEOF
4421	cat >>$CONFIG_STATUS <<_ACEOF \|\| ac_write_fail=1	4421	cat >>$CONFIG_STATUS <<_ACEOF \|\| ac_write_fail=1
4422	ac_cs_config="`$as_echo "$ac_configure_args" \| sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"	4422	ac_cs_config="`$as_echo "$ac_configure_args" \| sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
4423	ac_cs_version="\\	4423	ac_cs_version="\\
4424	firejail config.status 0.9.50~rc1	4424	firejail config.status 0.9.50~rc2
4425	configured by $0, generated by GNU Autoconf 2.69,	4425	configured by $0, generated by GNU Autoconf 2.69,
4426	with options \\"\$ac_cs_config\\"	4426	with options \\"\$ac_cs_config\\"
4427		4427


diff --git a/configure.ac b/configure.ac index 0ebeebd08..b9f3cbde9 100644 --- a/configure.ac +++ b/configure.ac
@@ -1,5 +1,5 @@
1	AC_PREREQ([2.68])	1	AC_PREREQ([2.68])
2	AC_INIT(firejail, 0.9.50~rc1, netblue30@yahoo.com, , http://firejail.wordpress.com)	2	AC_INIT(firejail, 0.9.50~rc2, netblue30@yahoo.com, , http://firejail.wordpress.com)
3	AC_CONFIG_SRCDIR([src/firejail/main.c])	3	AC_CONFIG_SRCDIR([src/firejail/main.c])
4	#AC_CONFIG_HEADERS([config.h])	4	#AC_CONFIG_HEADERS([config.h])
5		5


diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 110f027f7..d2c8fbbc8 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c
@@ -105,7 +105,7 @@ static int valid_full_path_file(const char *name) {
105	char *fname = strrchr(full_name, '/');	105	char *fname = strrchr(full_name, '/');
106	if (!fname)	106	if (!fname)
107	goto errexit;	107	goto errexit;
108	if (++fname == '\0')	108	if (*(++fname) == '\0')
109	goto errexit;	109	goto errexit;
110		110
111	int i = 0;	111	int i = 0;


diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 480df1766..dad8545a0 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c
@@ -368,12 +368,12 @@ void fs_whitelist(void) {
368	// replace ~/ or ${HOME} into /home/username	368	// replace ~/ or ${HOME} into /home/username
369	new_name = expand_home(dataptr, cfg.homedir);	369	new_name = expand_home(dataptr, cfg.homedir);
370	assert(new_name);	370	assert(new_name);
371	if (arg_debug)	371	if (arg_debug \|\| arg_debug_whitelists)
372	fprintf(stderr, "Debug %d: new_name #%s#, %s\n", __LINE__, new_name, (nowhitelist_flag)? "nowhitelist": "whitelist");	372	fprintf(stderr, "Debug %d: new_name #%s#, %s\n", __LINE__, new_name, (nowhitelist_flag)? "nowhitelist": "whitelist");
373		373
374	// valid path referenced to filesystem root	374	// valid path referenced to filesystem root
375	if (*new_name != '/') {	375	if (*new_name != '/') {
376	if (arg_debug)	376	if (arg_debug \|\| arg_debug_whitelists)
377	fprintf(stderr, "Debug %d: \n", __LINE__);	377	fprintf(stderr, "Debug %d: \n", __LINE__);
378	goto errexit;	378	goto errexit;
379	}	379	}
@@ -417,6 +417,8 @@ void fs_whitelist(void) {
417	entry->data = EMPTY_STRING;	417	entry->data = EMPTY_STRING;
418	continue;	418	continue;
419	}	419	}
		420	else if (arg_debug_whitelists)
		421	printf("real path %s\n", fname);
420		422
421	if (nowhitelist_flag) {	423	if (nowhitelist_flag) {
422	// store the path in nowhitelist array	424	// store the path in nowhitelist array
@@ -501,9 +503,15 @@ void fs_whitelist(void) {
501	else if (strncmp(new_name, "/dev/", 5) == 0) {	503	else if (strncmp(new_name, "/dev/", 5) == 0) {
502	entry->dev_dir = 1;	504	entry->dev_dir = 1;
503	dev_dir = 1;	505	dev_dir = 1;
504	// both path and absolute path are under /dev	506
505	if (strncmp(fname, "/dev/", 5) != 0) {	507	// special handling for /dev/shm
506	goto errexit;	508	// on some platforms (Debian wheezy, Ubuntu 14.04), it is a symlink to /run/shm
		509	if (strcmp(new_name, "/dev/shm") == 0 && strcmp(fname, "/run/shm") == 0);
		510	else {
		511	// both path and absolute path are under /dev
		512	if (strncmp(fname, "/dev/", 5) != 0) {
		513	goto errexit;
		514	}
507	}	515	}
508	}	516	}
509	else if (strncmp(new_name, "/opt/", 5) == 0) {	517	else if (strncmp(new_name, "/opt/", 5) == 0) {
@@ -708,7 +716,6 @@ void fs_whitelist(void) {
708	}	716	}
709		717
710		718
711
712	// go through profile rules again, and interpret whitelist commands	719	// go through profile rules again, and interpret whitelist commands
713	entry = cfg.profile;	720	entry = cfg.profile;
714	while (entry) {	721	while (entry) {


diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c index ad123be50..c68e2e51b 100644 --- a/src/firemon/netstats.c +++ b/src/firemon/netstats.c
@@ -161,8 +161,8 @@ static void print_proc(int index, int itv, int col) {
161	}	161	}
162		162
163	// pid	163	// pid
164	char pidstr[10];	164	char pidstr[11];
165	snprintf(pidstr, 10, "%u", index);	165	snprintf(pidstr, 11, "%d", index);
166		166
167	// user	167	// user
168	char *user = get_user_name(pids[index].uid);	168	char *user = get_user_name(pids[index].uid);


diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c index 8abc249ec..e14a473fe 100644 --- a/src/fseccomp/seccomp.c +++ b/src/fseccomp/seccomp.c
@@ -191,6 +191,21 @@ void seccomp_keep(const char fname1, const char fname2, char *list) {
191	close(fd);	191	close(fd);
192	}	192	}
193		193
		194	#if defined(__x86_64__) \|\| defined(__aarch64__) \|\| defined(__powerpc64__)
		195	# define filter_syscall SYS_mmap
		196	# undef block_syscall
		197	#elif defined(__i386__)
		198	# define filter_syscall SYS_mmap2
		199	# define block_syscall SYS_mmap
		200	#elif defined(__arm__)
		201	# define filter_syscall SYS_mmap2
		202	# undef block_syscall
		203	#else
		204	# warning "Platform does not support seccomp memory-deny-write-execute filter yet"
		205	# undef filter_syscall
		206	# undef block_syscall
		207	#endif
		208
194	void memory_deny_write_execute(const char *fname) {	209	void memory_deny_write_execute(const char *fname) {
195	// open file	210	// open file
196	int fd = open(fname, O_CREAT\|O_WRONLY\|O_TRUNC, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH);	211	int fd = open(fname, O_CREAT\|O_WRONLY\|O_TRUNC, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH);
@@ -203,22 +218,19 @@ void memory_deny_write_execute(const char *fname) {
203		218
204	// build filter	219	// build filter
205	static const struct sock_filter filter[] = {	220	static const struct sock_filter filter[] = {
206	#ifndef __x86_64__	221	#ifdef block_syscall
207	// block old multiplexing mmap syscall for i386	222	// block old multiplexing mmap syscall for i386
208	BLACKLIST(SYS_mmap),	223	BLACKLIST(block_syscall),
209	#endif	224	#endif
		225	#ifdef filter_syscall
210	// block mmap(,,x\|PROT_WRITE\|PROT_EXEC) so W&X memory can't be created	226	// block mmap(,,x\|PROT_WRITE\|PROT_EXEC) so W&X memory can't be created
211	#ifndef __x86_64__	227	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, filter_syscall, 0, 5),
212	// mmap2 is used for mmap on i386 these days
213	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mmap2, 0, 5),
214	#else
215	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mmap, 0, 5),
216	#endif
217	EXAMINE_ARGUMENT(2),	228	EXAMINE_ARGUMENT(2),
218	BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_WRITE\|PROT_EXEC),	229	BPF_STMT(BPF_ALU+BPF_AND+BPF_K, PROT_WRITE\|PROT_EXEC),
219	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE\|PROT_EXEC, 0, 1),	230	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, PROT_WRITE\|PROT_EXEC, 0, 1),
220	KILL_PROCESS,	231	KILL_PROCESS,
221	RETURN_ALLOW,	232	RETURN_ALLOW,
		233	#endif
222		234
223	// block mprotect(,,PROT_EXEC) so writable memory can't be turned into executable	235	// block mprotect(,,PROT_EXEC) so writable memory can't be turned into executable
224	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mprotect, 0, 5),	236	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mprotect, 0, 5),
@@ -228,7 +240,7 @@ void memory_deny_write_execute(const char *fname) {
228	KILL_PROCESS,	240	KILL_PROCESS,
229	RETURN_ALLOW,	241	RETURN_ALLOW,
230		242
231	// shmat is not implemented as a syscall on some platforms (i386, possibly arm)	243	// shmat is not implemented as a syscall on some platforms (i386, powerpc64, powerpc64le)
232	#ifdef SYS_shmat	244	#ifdef SYS_shmat
233	// block shmat(,,x\|SHM_EXEC) so W&X shared memory can't be created	245	// block shmat(,,x\|SHM_EXEC) so W&X shared memory can't be created
234	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_shmat, 0, 5),	246	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_shmat, 0, 5),


diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c index 7af95d51c..3793e125d 100644 --- a/src/fseccomp/seccomp_print.c +++ b/src/fseccomp/seccomp_print.c
@@ -92,7 +92,7 @@ static int detect_filter_type(void) {
92		92
93	// testing for secondare amd64 filter	93	// testing for secondare amd64 filter
94	const struct sock_filter start_secondary_64[] = {	94	const struct sock_filter start_secondary_64[] = {
95	VALIDATE_ARCHITECTURE,	95	VALIDATE_ARCHITECTURE_64,
96	EXAMINE_SYSCALL,	96	EXAMINE_SYSCALL,
97	};	97	};
98		98


diff --git a/test/fs/whitelist-dev.exp b/test/fs/whitelist-dev.exp index b064671b6..b6ae6319f 100755 --- a/test/fs/whitelist-dev.exp +++ b/test/fs/whitelist-dev.exp
@@ -25,14 +25,14 @@ sleep 1
25		25
26	send -- "firejail --whitelist=/dev/null --whitelist=/dev/shm --whitelist=/dev/random\r"	26	send -- "firejail --whitelist=/dev/null --whitelist=/dev/shm --whitelist=/dev/random\r"
27	expect {	27	expect {
28	timeout {puts "TESTING ERROR 0\n";exit}	28	timeout {puts "TESTING ERROR 2\n";exit}
29	"Child process initialized"	29	"Child process initialized"
30	}	30	}
31	sleep 1	31	sleep 1
32		32
33	send -- "find /dev \| wc -l\r"	33	send -- "find /dev \| wc -l\r"
34	expect {	34	expect {
35	timeout {puts "TESTING ERROR 0.1\n";exit}	35	timeout {puts "TESTING ERROR 3\n";exit}
36	"4"	36	"4"
37	}	37	}
38	after 100	38	after 100
@@ -41,14 +41,14 @@ sleep 1
41		41
42	send -- "firejail --private-dev --debug\r"	42	send -- "firejail --private-dev --debug\r"
43	expect {	43	expect {
44	timeout {puts "TESTING ERROR 2\n";exit}	44	timeout {puts "TESTING ERROR 4\n";exit}
45	"Child process initialized"	45	"Child process initialized"
46	}	46	}
47	sleep 1	47	sleep 1
48		48
49	send -- "ls -l /dev \| wc -l\r"	49	send -- "ls -l /dev \| wc -l\r"
50	expect {	50	expect {
51	timeout {puts "TESTING ERROR 3\n";exit}	51	timeout {puts "TESTING ERROR 5\n";exit}
52	"12" {puts "OK\n"}	52	"12" {puts "OK\n"}
53	"13" {puts "OK\n"}	53	"13" {puts "OK\n"}
54	"14" {puts "OK\n"}	54	"14" {puts "OK\n"}