diff options
-rw-r--r-- | src/firecfg/desktop_files.c | 4 | ||||
-rw-r--r-- | src/firejail/fs_whitelist.c | 19 | ||||
-rw-r--r-- | src/firejail/main.c | 6 | ||||
-rw-r--r-- | src/firejail/profile.c | 1 | ||||
-rw-r--r-- | src/firejail/restrict_users.c | 2 | ||||
-rw-r--r-- | src/fsec-optimize/main.c | 3 |
6 files changed, 28 insertions, 7 deletions
diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c index de2b8cfa2..f09a23977 100644 --- a/src/firecfg/desktop_files.c +++ b/src/firecfg/desktop_files.c | |||
@@ -184,7 +184,9 @@ void fix_desktop_files(char *homedir) { | |||
184 | } | 184 | } |
185 | 185 | ||
186 | fseek(fp, 0, SEEK_END); | 186 | fseek(fp, 0, SEEK_END); |
187 | size_t size = ftell(fp); | 187 | long size = ftell(fp); |
188 | if (size == -1) | ||
189 | errExit("ftell"); | ||
188 | fseek(fp, 0, SEEK_SET); | 190 | fseek(fp, 0, SEEK_SET); |
189 | char *buf = malloc(size + 1); | 191 | char *buf = malloc(size + 1); |
190 | if (!buf) | 192 | if (!buf) |
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 9b68b6753..e983a071d 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -523,6 +523,7 @@ void fs_whitelist(void) { | |||
523 | 523 | ||
524 | // both path and absolute path are under /tmp | 524 | // both path and absolute path are under /tmp |
525 | if (strncmp(fname, "/tmp/", 5) != 0) { | 525 | if (strncmp(fname, "/tmp/", 5) != 0) { |
526 | free(fname); | ||
526 | goto errexit; | 527 | goto errexit; |
527 | } | 528 | } |
528 | } | 529 | } |
@@ -531,6 +532,7 @@ void fs_whitelist(void) { | |||
531 | media_dir = 1; | 532 | media_dir = 1; |
532 | // both path and absolute path are under /media | 533 | // both path and absolute path are under /media |
533 | if (strncmp(fname, "/media/", 7) != 0) { | 534 | if (strncmp(fname, "/media/", 7) != 0) { |
535 | free(fname); | ||
534 | goto errexit; | 536 | goto errexit; |
535 | } | 537 | } |
536 | } | 538 | } |
@@ -539,6 +541,7 @@ void fs_whitelist(void) { | |||
539 | mnt_dir = 1; | 541 | mnt_dir = 1; |
540 | // both path and absolute path are under /mnt | 542 | // both path and absolute path are under /mnt |
541 | if (strncmp(fname, "/mnt/", 5) != 0) { | 543 | if (strncmp(fname, "/mnt/", 5) != 0) { |
544 | free(fname); | ||
542 | goto errexit; | 545 | goto errexit; |
543 | } | 546 | } |
544 | } | 547 | } |
@@ -553,6 +556,7 @@ void fs_whitelist(void) { | |||
553 | else { | 556 | else { |
554 | // both path and absolute path are under /var | 557 | // both path and absolute path are under /var |
555 | if (strncmp(fname, "/var/", 5) != 0) { | 558 | if (strncmp(fname, "/var/", 5) != 0) { |
559 | free(fname); | ||
556 | goto errexit; | 560 | goto errexit; |
557 | } | 561 | } |
558 | } | 562 | } |
@@ -573,6 +577,7 @@ void fs_whitelist(void) { | |||
573 | else { | 577 | else { |
574 | // both path and absolute path are under /dev | 578 | // both path and absolute path are under /dev |
575 | if (strncmp(fname, "/dev/", 5) != 0) { | 579 | if (strncmp(fname, "/dev/", 5) != 0) { |
580 | free(fname); | ||
576 | goto errexit; | 581 | goto errexit; |
577 | } | 582 | } |
578 | } | 583 | } |
@@ -582,6 +587,7 @@ void fs_whitelist(void) { | |||
582 | opt_dir = 1; | 587 | opt_dir = 1; |
583 | // both path and absolute path are under /dev | 588 | // both path and absolute path are under /dev |
584 | if (strncmp(fname, "/opt/", 5) != 0) { | 589 | if (strncmp(fname, "/opt/", 5) != 0) { |
590 | free(fname); | ||
585 | goto errexit; | 591 | goto errexit; |
586 | } | 592 | } |
587 | } | 593 | } |
@@ -590,6 +596,7 @@ void fs_whitelist(void) { | |||
590 | srv_dir = 1; | 596 | srv_dir = 1; |
591 | // both path and absolute path are under /srv | 597 | // both path and absolute path are under /srv |
592 | if (strncmp(fname, "/srv/", 5) != 0) { | 598 | if (strncmp(fname, "/srv/", 5) != 0) { |
599 | free(fname); | ||
593 | goto errexit; | 600 | goto errexit; |
594 | } | 601 | } |
595 | } | 602 | } |
@@ -602,23 +609,29 @@ void fs_whitelist(void) { | |||
602 | else if (strcmp(new_name, "/etc/os-release") == 0); | 609 | else if (strcmp(new_name, "/etc/os-release") == 0); |
603 | // both path and absolute path are under /etc | 610 | // both path and absolute path are under /etc |
604 | else { | 611 | else { |
605 | if (strncmp(fname, "/etc/", 5) != 0) | 612 | if (strncmp(fname, "/etc/", 5) != 0) { |
613 | free(fname); | ||
606 | goto errexit; | 614 | goto errexit; |
615 | } | ||
607 | } | 616 | } |
608 | } | 617 | } |
609 | else if (strncmp(new_name, "/usr/share/", 11) == 0) { | 618 | else if (strncmp(new_name, "/usr/share/", 11) == 0) { |
610 | entry->share_dir = 1; | 619 | entry->share_dir = 1; |
611 | share_dir = 1; | 620 | share_dir = 1; |
612 | // both path and absolute path are under /etc | 621 | // both path and absolute path are under /etc |
613 | if (strncmp(fname, "/usr/share/", 11) != 0) | 622 | if (strncmp(fname, "/usr/share/", 11) != 0) { |
623 | free(fname); | ||
614 | goto errexit; | 624 | goto errexit; |
625 | } | ||
615 | } | 626 | } |
616 | else if (strncmp(new_name, "/sys/module/", 12) == 0) { | 627 | else if (strncmp(new_name, "/sys/module/", 12) == 0) { |
617 | entry->module_dir = 1; | 628 | entry->module_dir = 1; |
618 | module_dir = 1; | 629 | module_dir = 1; |
619 | // both path and absolute path are under /sys/module | 630 | // both path and absolute path are under /sys/module |
620 | if (strncmp(fname, "/sys/module/", 12) != 0) | 631 | if (strncmp(fname, "/sys/module/", 12) != 0) { |
632 | free(fname); | ||
621 | goto errexit; | 633 | goto errexit; |
634 | } | ||
622 | } | 635 | } |
623 | else { | 636 | else { |
624 | goto errexit; | 637 | goto errexit; |
diff --git a/src/firejail/main.c b/src/firejail/main.c index b3a8dcfd7..ba952b1cb 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -2409,8 +2409,10 @@ int main(int argc, char **argv) { | |||
2409 | int display = x11_display(); | 2409 | int display = x11_display(); |
2410 | if (display > 0) | 2410 | if (display > 0) |
2411 | set_x11_run_file(sandbox_pid, display); | 2411 | set_x11_run_file(sandbox_pid, display); |
2412 | flock(lockfd_directory, LOCK_UN); | 2412 | if (lockfd_directory != -1) { |
2413 | close(lockfd_directory); | 2413 | flock(lockfd_directory, LOCK_UN); |
2414 | close(lockfd_directory); | ||
2415 | } | ||
2414 | EUID_USER(); | 2416 | EUID_USER(); |
2415 | 2417 | ||
2416 | // clone environment | 2418 | // clone environment |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 168d7e268..bc5915d46 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -724,6 +724,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
724 | cfg.dns4 = dns; | 724 | cfg.dns4 = dns; |
725 | else { | 725 | else { |
726 | fprintf(stderr, "Error: up to 4 DNS servers can be specified\n"); | 726 | fprintf(stderr, "Error: up to 4 DNS servers can be specified\n"); |
727 | free(dns); | ||
727 | return 1; | 728 | return 1; |
728 | } | 729 | } |
729 | return 0; | 730 | return 0; |
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index d66deeb97..fa672eccb 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c | |||
@@ -41,6 +41,8 @@ static void ulist_add(const char *user) { | |||
41 | assert(user); | 41 | assert(user); |
42 | 42 | ||
43 | USER_LIST *nlist = malloc(sizeof(USER_LIST)); | 43 | USER_LIST *nlist = malloc(sizeof(USER_LIST)); |
44 | if (!nlist) | ||
45 | errExit("malloc"); | ||
44 | memset(nlist, 0, sizeof(USER_LIST)); | 46 | memset(nlist, 0, sizeof(USER_LIST)); |
45 | nlist->user = user; | 47 | nlist->user = user; |
46 | nlist->next = ulist; | 48 | nlist->next = ulist; |
diff --git a/src/fsec-optimize/main.c b/src/fsec-optimize/main.c index f4300f350..80ca098cb 100644 --- a/src/fsec-optimize/main.c +++ b/src/fsec-optimize/main.c | |||
@@ -87,7 +87,8 @@ printf("\n"); | |||
87 | 87 | ||
88 | return 0; | 88 | return 0; |
89 | errexit: | 89 | errexit: |
90 | close(fd); | 90 | if (fd != -1) |
91 | close(fd); | ||
91 | fprintf(stderr, "Error: cannot read %s\n", fname); | 92 | fprintf(stderr, "Error: cannot read %s\n", fname); |
92 | exit(1); | 93 | exit(1); |
93 | 94 | ||