-rw-r--r-- | Makefile.in | 3 | ||||
-rw-r--r-- | etc/firejail-local | 3 | ||||
-rw-r--r-- | etc/zoom.profile | 2 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 268 | ||||
-rw-r--r-- | src/firejail/profile.c | 2 | ||||
-rw-r--r-- | src/fldd/main.c | 7 | ||||
-rw-r--r-- | src/fsec-print/print.c | 2 | ||||
-rw-r--r-- | src/fseccomp/syscall.c | 3 | ||||
-rw-r--r-- | src/libtracelog/libtracelog.c | 4 | ||||
-rw-r--r-- | src/man/firejail.txt | 2 |
10 files changed, 55 insertions, 241 deletions
diff --git a/Makefile.in b/Makefile.in index 4e87d4ae0..0cbbb374c 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -134,7 +134,8 @@ ifeq ($(HAVE_APPARMOR),-DHAVE_APPARMOR) | |||
134 | sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;" | 134 | sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d; fi;" |
135 | install -c -m 0644 etc/firejail-default $(DESTDIR)/$(sysconfdir)/apparmor.d/. | 135 | install -c -m 0644 etc/firejail-default $(DESTDIR)/$(sysconfdir)/apparmor.d/. |
136 | sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;" | 136 | sh -c "if [ ! -d $(DESTDIR)/$(sysconfdir)/apparmor.d/local ]; then install -d -m 755 $(DESTDIR)/$(sysconfdir)/apparmor.d/local; fi;" |
137 | install -c -m 0644 etc/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/. | 137 | # install apparmor profile customization file |
138 | sh -c "if [ ! -f $(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-local ]; then install -c -m 0644 etc/firejail-local $(DESTDIR)/$(sysconfdir)/apparmor.d/local/.; fi;" | ||
138 | endif | 139 | endif |
139 | # man pages | 140 | # man pages |
140 | install -m 0755 -d $(DESTDIR)/$(mandir)/man1 | 141 | install -m 0755 -d $(DESTDIR)/$(mandir)/man1 |
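Review bot: The install-if-absent guard on new line 138 means an upgrade never refreshes `$(DESTDIR)/$(sysconfdir)/apparmor.d/local/firejail-local` once one exists, which looks intended (site overrides must survive upgrades) but is not stated anywhere in the recipe. The comment on new line 137 should carry that, e.g. `# install apparmor profile customization file only if absent, so site overrides survive upgrades`. The `ifeq ($(HAVE_APPARMOR)...)` block and the install target begin outside the hunk.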
diff --git a/etc/firejail-local b/etc/firejail-local index cddf44f13..f086653f8 100644 --- a/etc/firejail-local +++ b/etc/firejail-local | |||
@@ -1 +1,2 @@ | |||
1 | # Site-specific additions and overrides for 'firejail-default' | 1 | # Site-specific additions and overrides for 'firejail-default'. |
2 | # For more details, please see /etc/apparmor.d/local/README. | ||
diff --git a/etc/zoom.profile b/etc/zoom.profile index 4fbf7ca01..456b197f3 100644 --- a/etc/zoom.profile +++ b/etc/zoom.profile | |||
@@ -6,6 +6,7 @@ include zoom.local | |||
6 | include globals.local | 6 | include globals.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.config/zoomus.conf | 8 | noblacklist ${HOME}/.config/zoomus.conf |
9 | noblacklist ${HOME}/.zoom | ||
9 | 10 | ||
10 | include disable-common.inc | 11 | include disable-common.inc |
11 | include disable-devel.inc | 12 | include disable-devel.inc |
@@ -14,6 +15,7 @@ include disable-programs.inc | |||
14 | 15 | ||
15 | mkdir ${HOME}/.zoom | 16 | mkdir ${HOME}/.zoom |
16 | whitelist ${HOME}/.cache/zoom | 17 | whitelist ${HOME}/.cache/zoom |
18 | whitelist ${HOME}/.config/zoomus.conf | ||
17 | whitelist ${HOME}/.zoom | 19 | whitelist ${HOME}/.zoom |
18 | include whitelist-common.inc | 20 | include whitelist-common.inc |
19 | 21 | ||
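Review bot: `whitelist ${HOME}/.config/zoomus.conf` on new line 18 has no matching `mkfile`, so on a first run where that file does not exist yet the whitelist entry is, as far as I know of firejail's whitelist handling, silently skipped and Zoom cannot create its config inside the sandbox. The profile already pairs `mkdir ${HOME}/.zoom` with its whitelist on the next line; add `mkfile ${HOME}/.config/zoomus.conf` just before the new whitelist line for the same reason. The whitelist block continues outside the second hunk.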
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 0a3c5dd08..167bd591d 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -71,164 +71,48 @@ int checkcfg(int val) { | |||
71 | if (*buf == '#' || *buf == '\n') | 71 | if (*buf == '#' || *buf == '\n') |
72 | continue; | 72 | continue; |
73 | 73 | ||
74 | #define PARSE_YESNO(key, string) \ | ||
75 | else if (strncmp(ptr, string " ", strlen(string)+1) == 0) { \ | ||
76 | if (strcmp(ptr + strlen(string) + 1, "yes") == 0) \ | ||
77 | cfg_val[key] = 1; \ | ||
78 | else if (strcmp(ptr + strlen(string) + 1, "no") == 0) \ | ||
79 | cfg_val[key] = 0; \ | ||
80 | else \ | ||
81 | goto errout; \ | ||
82 | } | ||
83 | |||
74 | // parse line | 84 | // parse line |
75 | ptr = line_remove_spaces(buf); | 85 | ptr = line_remove_spaces(buf); |
76 | if (!ptr) | 86 | if (!ptr) |
77 | continue; | 87 | continue; |
88 | PARSE_YESNO(CFG_FILE_TRANSFER, "file-transfer") | ||
89 | PARSE_YESNO(CFG_DBUS, "dbus") | ||
90 | PARSE_YESNO(CFG_JOIN, "join") | ||
91 | PARSE_YESNO(CFG_X11, "x11") | ||
92 | PARSE_YESNO(CFG_APPARMOR, "apparmor") | ||
93 | PARSE_YESNO(CFG_BIND, "bind") | ||
94 | PARSE_YESNO(CFG_CGROUP, "cgroup") | ||
95 | PARSE_YESNO(CFG_NAME_CHANGE, "name-change") | ||
96 | PARSE_YESNO(CFG_USERNS, "userns") | ||
97 | PARSE_YESNO(CFG_CHROOT, "chroot") | ||
98 | PARSE_YESNO(CFG_FIREJAIL_PROMPT, "firejail-prompt") | ||
99 | PARSE_YESNO(CFG_FOLLOW_SYMLINK_AS_USER, "follow-symlink-as-user") | ||
100 | PARSE_YESNO(CFG_FORCE_NONEWPRIVS, "force-nonewprivs") | ||
101 | PARSE_YESNO(CFG_SECCOMP, "seccomp") | ||
102 | PARSE_YESNO(CFG_WHITELIST, "whitelist") | ||
103 | PARSE_YESNO(CFG_NETWORK, "network") | ||
104 | PARSE_YESNO(CFG_RESTRICTED_NETWORK, "restricted-network") | ||
105 | PARSE_YESNO(CFG_XEPHYR_WINDOW_TITLE, "xephyr-window-title") | ||
106 | PARSE_YESNO(CFG_OVERLAYFS, "overlayfs") | ||
107 | PARSE_YESNO(CFG_PRIVATE_HOME, "private-home") | ||
108 | PARSE_YESNO(CFG_PRIVATE_CACHE, "private-cache") | ||
109 | PARSE_YESNO(CFG_PRIVATE_LIB, "private-lib") | ||
110 | PARSE_YESNO(CFG_PRIVATE_BIN_NO_LOCAL, "private-bin-no-local") | ||
111 | PARSE_YESNO(CFG_DISABLE_MNT, "disable-mnt") | ||
112 | PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach") | ||
113 | PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f") | ||
114 | #undef PARSE_YESNO | ||
78 | 115 | ||
79 | // file transfer | ||
80 | else if (strncmp(ptr, "file-transfer ", 14) == 0) { | ||
81 | if (strcmp(ptr + 14, "yes") == 0) | ||
82 | cfg_val[CFG_FILE_TRANSFER] = 1; | ||
83 | else if (strcmp(ptr + 14, "no") == 0) | ||
84 | cfg_val[CFG_FILE_TRANSFER] = 0; | ||
85 | else | ||
86 | goto errout; | ||
87 | } | ||
88 | // dbus | ||
89 | else if (strncmp(ptr, "dbus ", 5) == 0) { | ||
90 | if (strcmp(ptr + 5, "yes") == 0) | ||
91 | cfg_val[CFG_DBUS] = 1; | ||
92 | else if (strcmp(ptr + 5, "no") == 0) | ||
93 | cfg_val[CFG_DBUS] = 0; | ||
94 | else | ||
95 | goto errout; | ||
96 | } | ||
97 | // join | ||
98 | else if (strncmp(ptr, "join ", 5) == 0) { | ||
99 | if (strcmp(ptr + 5, "yes") == 0) | ||
100 | cfg_val[CFG_JOIN] = 1; | ||
101 | else if (strcmp(ptr + 5, "no") == 0) | ||
102 | cfg_val[CFG_JOIN] = 0; | ||
103 | else | ||
104 | goto errout; | ||
105 | } | ||
106 | // x11 | ||
107 | else if (strncmp(ptr, "x11 ", 4) == 0) { | ||
108 | if (strcmp(ptr + 4, "yes") == 0) | ||
109 | cfg_val[CFG_X11] = 1; | ||
110 | else if (strcmp(ptr + 4, "no") == 0) | ||
111 | cfg_val[CFG_X11] = 0; | ||
112 | else | ||
113 | goto errout; | ||
114 | } | ||
115 | // apparmor | ||
116 | else if (strncmp(ptr, "apparmor ", 9) == 0) { | ||
117 | if (strcmp(ptr + 9, "yes") == 0) | ||
118 | cfg_val[CFG_APPARMOR] = 1; | ||
119 | else if (strcmp(ptr + 9, "no") == 0) | ||
120 | cfg_val[CFG_APPARMOR] = 0; | ||
121 | else | ||
122 | goto errout; | ||
123 | } | ||
124 | // bind | ||
125 | else if (strncmp(ptr, "bind ", 5) == 0) { | ||
126 | if (strcmp(ptr + 5, "yes") == 0) | ||
127 | cfg_val[CFG_BIND] = 1; | ||
128 | else if (strcmp(ptr + 5, "no") == 0) | ||
129 | cfg_val[CFG_BIND] = 0; | ||
130 | else | ||
131 | goto errout; | ||
132 | } | ||
133 | // cgroup | ||
134 | else if (strncmp(ptr, "cgroup ", 7) == 0) { | ||
135 | if (strcmp(ptr + 7, "yes") == 0) | ||
136 | cfg_val[CFG_CGROUP] = 1; | ||
137 | else if (strcmp(ptr + 7, "no") == 0) | ||
138 | cfg_val[CFG_CGROUP] = 0; | ||
139 | else | ||
140 | goto errout; | ||
141 | } | ||
142 | // name change | ||
143 | else if (strncmp(ptr, "name-change ", 12) == 0) { | ||
144 | if (strcmp(ptr + 12, "yes") == 0) | ||
145 | cfg_val[CFG_NAME_CHANGE] = 1; | ||
146 | else if (strcmp(ptr + 12, "no") == 0) | ||
147 | cfg_val[CFG_NAME_CHANGE] = 0; | ||
148 | else | ||
149 | goto errout; | ||
150 | } | ||
151 | // user namespace | ||
152 | else if (strncmp(ptr, "userns ", 7) == 0) { | ||
153 | if (strcmp(ptr + 7, "yes") == 0) | ||
154 | cfg_val[CFG_USERNS] = 1; | ||
155 | else if (strcmp(ptr + 7, "no") == 0) | ||
156 | cfg_val[CFG_USERNS] = 0; | ||
157 | else | ||
158 | goto errout; | ||
159 | } | ||
160 | // chroot | ||
161 | else if (strncmp(ptr, "chroot ", 7) == 0) { | ||
162 | if (strcmp(ptr + 7, "yes") == 0) | ||
163 | cfg_val[CFG_CHROOT] = 1; | ||
164 | else if (strcmp(ptr + 7, "no") == 0) | ||
165 | cfg_val[CFG_CHROOT] = 0; | ||
166 | else | ||
167 | goto errout; | ||
168 | } | ||
169 | // prompt | ||
170 | else if (strncmp(ptr, "firejail-prompt ", 16) == 0) { | ||
171 | if (strcmp(ptr + 16, "yes") == 0) | ||
172 | cfg_val[CFG_FIREJAIL_PROMPT] = 1; | ||
173 | else if (strcmp(ptr + 16, "no") == 0) | ||
174 | cfg_val[CFG_FIREJAIL_PROMPT] = 0; | ||
175 | else | ||
176 | goto errout; | ||
177 | } | ||
178 | // follow symlink as user | ||
179 | else if (strncmp(ptr, "follow-symlink-as-user ", 23) == 0) { | ||
180 | if (strcmp(ptr + 23, "yes") == 0) | ||
181 | cfg_val[CFG_FOLLOW_SYMLINK_AS_USER] = 1; | ||
182 | else if (strcmp(ptr + 23, "no") == 0) | ||
183 | cfg_val[CFG_FOLLOW_SYMLINK_AS_USER] = 0; | ||
184 | else | ||
185 | goto errout; | ||
186 | } | ||
187 | // nonewprivs | ||
188 | else if (strncmp(ptr, "force-nonewprivs ", 17) == 0) { | ||
189 | if (strcmp(ptr + 17, "yes") == 0) | ||
190 | cfg_val[CFG_FORCE_NONEWPRIVS] = 1; | ||
191 | else if (strcmp(ptr + 17, "no") == 0) | ||
192 | cfg_val[CFG_FORCE_NONEWPRIVS] = 0; | ||
193 | else | ||
194 | goto errout; | ||
195 | } | ||
196 | // seccomp | ||
197 | else if (strncmp(ptr, "seccomp ", 8) == 0) { | ||
198 | if (strcmp(ptr + 8, "yes") == 0) | ||
199 | cfg_val[CFG_SECCOMP] = 1; | ||
200 | else if (strcmp(ptr + 8, "no") == 0) | ||
201 | cfg_val[CFG_SECCOMP] = 0; | ||
202 | else | ||
203 | goto errout; | ||
204 | } | ||
205 | // whitelist | ||
206 | else if (strncmp(ptr, "whitelist ", 10) == 0) { | ||
207 | if (strcmp(ptr + 10, "yes") == 0) | ||
208 | cfg_val[CFG_WHITELIST] = 1; | ||
209 | else if (strcmp(ptr + 10, "no") == 0) | ||
210 | cfg_val[CFG_WHITELIST] = 0; | ||
211 | else | ||
212 | goto errout; | ||
213 | } | ||
214 | // network | ||
215 | else if (strncmp(ptr, "network ", 8) == 0) { | ||
216 | if (strcmp(ptr + 8, "yes") == 0) | ||
217 | cfg_val[CFG_NETWORK] = 1; | ||
218 | else if (strcmp(ptr + 8, "no") == 0) | ||
219 | cfg_val[CFG_NETWORK] = 0; | ||
220 | else | ||
221 | goto errout; | ||
222 | } | ||
223 | // network | ||
224 | else if (strncmp(ptr, "restricted-network ", 19) == 0) { | ||
225 | if (strcmp(ptr + 19, "yes") == 0) | ||
226 | cfg_val[CFG_RESTRICTED_NETWORK] = 1; | ||
227 | else if (strcmp(ptr + 19, "no") == 0) | ||
228 | cfg_val[CFG_RESTRICTED_NETWORK] = 0; | ||
229 | else | ||
230 | goto errout; | ||
231 | } | ||
232 | // netfilter | 116 | // netfilter |
233 | else if (strncmp(ptr, "netfilter-default ", 18) == 0) { | 117 | else if (strncmp(ptr, "netfilter-default ", 18) == 0) { |
234 | char *fname = ptr + 18; | 118 | char *fname = ptr + 18; |
@@ -266,16 +150,6 @@ int checkcfg(int val) { | |||
266 | errExit("asprintf"); | 150 | errExit("asprintf"); |
267 | } | 151 | } |
268 | 152 | ||
269 | // xephyr window title | ||
270 | else if (strncmp(ptr, "xephyr-window-title ", 20) == 0) { | ||
271 | if (strcmp(ptr + 20, "yes") == 0) | ||
272 | cfg_val[CFG_XEPHYR_WINDOW_TITLE] = 1; | ||
273 | else if (strcmp(ptr + 20, "no") == 0) | ||
274 | cfg_val[CFG_XEPHYR_WINDOW_TITLE] = 0; | ||
275 | else | ||
276 | goto errout; | ||
277 | } | ||
278 | |||
279 | // Xephyr command extra parameters | 153 | // Xephyr command extra parameters |
280 | else if (strncmp(ptr, "xephyr-extra-params ", 20) == 0) { | 154 | else if (strncmp(ptr, "xephyr-extra-params ", 20) == 0) { |
281 | if (*xephyr_extra_params != '\0') | 155 | if (*xephyr_extra_params != '\0') |
@@ -295,7 +169,7 @@ int checkcfg(int val) { | |||
295 | } | 169 | } |
296 | 170 | ||
297 | // Xvfb screen size | 171 | // Xvfb screen size |
298 | else if (strncmp(ptr, "xvfb-screen ", 12) == 0) { | 172 | else if (strncmp(ptr, "xvfb-screen ", 12) == 0) { |
299 | // expecting three numbers separated by x's | 173 | // expecting three numbers separated by x's |
300 | unsigned int n1; | 174 | unsigned int n1; |
301 | unsigned int n2; | 175 | unsigned int n2; |
@@ -325,54 +199,6 @@ int checkcfg(int val) { | |||
325 | else | 199 | else |
326 | goto errout; | 200 | goto errout; |
327 | } | 201 | } |
328 | else if (strncmp(ptr, "overlayfs ", 10) == 0) { | ||
329 | if (strcmp(ptr + 10, "yes") == 0) | ||
330 | cfg_val[CFG_OVERLAYFS] = 1; | ||
331 | else if (strcmp(ptr + 10, "no") == 0) | ||
332 | cfg_val[CFG_OVERLAYFS] = 0; | ||
333 | else | ||
334 | goto errout; | ||
335 | } | ||
336 | else if (strncmp(ptr, "private-home ", 13) == 0) { | ||
337 | if (strcmp(ptr + 13, "yes") == 0) | ||
338 | cfg_val[CFG_PRIVATE_HOME] = 1; | ||
339 | else if (strcmp(ptr + 13, "no") == 0) | ||
340 | cfg_val[CFG_PRIVATE_HOME] = 0; | ||
341 | else | ||
342 | goto errout; | ||
343 | } | ||
344 | else if (strncmp(ptr, "private-cache ", 14) == 0) { | ||
345 | if (strcmp(ptr + 14, "yes") == 0) | ||
346 | cfg_val[CFG_PRIVATE_CACHE] = 1; | ||
347 | else if (strcmp(ptr + 14, "no") == 0) | ||
348 | cfg_val[CFG_PRIVATE_CACHE] = 0; | ||
349 | else | ||
350 | goto errout; | ||
351 | } | ||
352 | else if (strncmp(ptr, "private-lib ", 12) == 0) { | ||
353 | if (strcmp(ptr + 12, "yes") == 0) | ||
354 | cfg_val[CFG_PRIVATE_LIB] = 1; | ||
355 | else if (strcmp(ptr + 12, "no") == 0) | ||
356 | cfg_val[CFG_PRIVATE_LIB] = 0; | ||
357 | else | ||
358 | goto errout; | ||
359 | } | ||
360 | else if (strncmp(ptr, "private-bin-no-local ", 21) == 0) { | ||
361 | if (strcmp(ptr + 21, "yes") == 0) | ||
362 | cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 1; | ||
363 | else if (strcmp(ptr + 21, "no") == 0) | ||
364 | cfg_val[CFG_PRIVATE_BIN_NO_LOCAL] = 0; | ||
365 | else | ||
366 | goto errout; | ||
367 | } | ||
368 | else if (strncmp(ptr, "disable-mnt ", 12) == 0) { | ||
369 | if (strcmp(ptr + 12, "yes") == 0) | ||
370 | cfg_val[CFG_DISABLE_MNT] = 1; | ||
371 | else if (strcmp(ptr + 12, "no") == 0) | ||
372 | cfg_val[CFG_DISABLE_MNT] = 0; | ||
373 | else | ||
374 | goto errout; | ||
375 | } | ||
376 | // arp probes | 202 | // arp probes |
377 | else if (strncmp(ptr, "arp-probes ", 11) == 0) { | 203 | else if (strncmp(ptr, "arp-probes ", 11) == 0) { |
378 | int arp_probes = atoi(ptr + 11); | 204 | int arp_probes = atoi(ptr + 11); |
@@ -380,24 +206,6 @@ int checkcfg(int val) { | |||
380 | goto errout; | 206 | goto errout; |
381 | cfg_val[CFG_ARP_PROBES] = arp_probes; | 207 | cfg_val[CFG_ARP_PROBES] = arp_probes; |
382 | } | 208 | } |
383 | // xpra-attach | ||
384 | else if (strncmp(ptr, "xpra-attach ", 12) == 0) { | ||
385 | if (strcmp(ptr + 12, "yes") == 0) | ||
386 | cfg_val[CFG_XPRA_ATTACH] = 1; | ||
387 | else if (strcmp(ptr + 12, "no") == 0) | ||
388 | cfg_val[CFG_XPRA_ATTACH] = 0; | ||
389 | else | ||
390 | goto errout; | ||
391 | } | ||
392 | // browser-disable-u2f | ||
393 | else if (strncmp(ptr, "browser-disable-u2f ", 20) == 0) { | ||
394 | if (strcmp(ptr + 20, "yes") == 0) | ||
395 | cfg_val[CFG_BROWSER_DISABLE_U2F] = 1; | ||
396 | else if (strcmp(ptr + 20, "no") == 0) | ||
397 | cfg_val[CFG_BROWSER_DISABLE_U2F] = 0; | ||
398 | else | ||
399 | goto errout; | ||
400 | } | ||
401 | else | 209 | else |
402 | goto errout; | 210 | goto errout; |
403 | 211 | ||
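Review bot: `PARSE_YESNO` (new lines 74-82) is defined in the middle of the loop body and expands to a bare `else if`, so its first use on new line 88 silently chains onto the `if (!ptr) continue;` directly above it; that only works because the preceding statement happens to be an `if`, and nothing says so. Move the `#define`/`#undef` pair to file scope above `checkcfg()` with a comment such as `/* Expands to one else-if arm of the key dispatch chain: must follow an if/else-if, never open the chain */`, or replace the 26 invocations with a static `{ key-string, CFG_ index }` table walked by one loop so the chain has no hidden precondition. The macro does preserve the strict `goto errout` on any value other than `yes`/`no`, which matters since these keys gate sandbox features from the config file. `checkcfg()` and its parsing loop begin outside the hunk.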
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index af7b54596..214275c7d 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -241,7 +241,9 @@ error: | |||
241 | // return 1 if the command is to be added to the linked list of profile commands | 241 | // return 1 if the command is to be added to the linked list of profile commands |
242 | // return 0 if the command was already executed inside the function | 242 | // return 0 if the command was already executed inside the function |
243 | int profile_check_line(char *ptr, int lineno, const char *fname) { | 243 | int profile_check_line(char *ptr, int lineno, const char *fname) { |
244 | #ifdef HAVE_WHITELIST | ||
244 | static int whitelist_warning_printed = 0; | 245 | static int whitelist_warning_printed = 0; |
246 | #endif | ||
245 | EUID_ASSERT(); | 247 | EUID_ASSERT(); |
246 | 248 | ||
247 | // check and process conditional profile lines | 249 | // check and process conditional profile lines |
diff --git a/src/fldd/main.c b/src/fldd/main.c index d9adcdcf6..566763ff4 100644 --- a/src/fldd/main.c +++ b/src/fldd/main.c | |||
@@ -297,7 +297,7 @@ printf("\n"); | |||
297 | } | 297 | } |
298 | 298 | ||
299 | 299 | ||
300 | if (strcmp(argv[1], "--help") == 0) { | 300 | if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") == 0) { |
301 | usage(); | 301 | usage(); |
302 | return 0; | 302 | return 0; |
303 | } | 303 | } |
@@ -312,11 +312,6 @@ printf("\n"); | |||
312 | if (quiet && strcmp(quiet, "yes") == 0) | 312 | if (quiet && strcmp(quiet, "yes") == 0) |
313 | arg_quiet = 1; | 313 | arg_quiet = 1; |
314 | 314 | ||
315 | if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) { | ||
316 | usage(); | ||
317 | return 0; | ||
318 | } | ||
319 | |||
320 | int fd = STDOUT_FILENO; | 315 | int fd = STDOUT_FILENO; |
321 | // attempt to open the file | 316 | // attempt to open the file |
322 | if (argc == 3) { | 317 | if (argc == 3) { |
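Review bot: New line 300 reads `argv[1]` and nothing in this hunk guarantees `argc >= 2`; if the guard sits above the hunk (the closing brace on line 297 suggests it does) this is fine, otherwise running the tool with no arguments passes a null `argv[1]` to `strcmp`. Make the precondition visible at the point of use, e.g. `// argc >= 2: checked above` on line 300. The enclosing `main()` begins outside both hunks.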
diff --git a/src/fsec-print/print.c b/src/fsec-print/print.c index 1042f0c3e..1756d60dc 100644 --- a/src/fsec-print/print.c +++ b/src/fsec-print/print.c | |||
@@ -206,7 +206,7 @@ static void bpf_decode_args(const struct sock_filter *bpf, unsigned int line) { | |||
206 | printf("data.syscall-number"); | 206 | printf("data.syscall-number"); |
207 | syscall_loaded = 1; | 207 | syscall_loaded = 1; |
208 | } | 208 | } |
209 | else if (bpf->k == offsetof(struct seccomp_data, nr)) | 209 | else if (bpf->k == offsetof(struct seccomp_data, instruction_pointer)) |
210 | printf("data.instruction_pointer"); | 210 | printf("data.instruction_pointer"); |
211 | else { | 211 | else { |
212 | int index = bpf->k - offsetof(struct seccomp_data, args); | 212 | int index = bpf->k - offsetof(struct seccomp_data, args); |
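Review bot: New line 209 matches only the first 32-bit word of `instruction_pointer`, but that field is 64 bits wide, so a filter that loads its second word (`offsetof(struct seccomp_data, instruction_pointer) + 4`) falls through to the `else` branch and `index` on line 212 becomes negative relative to the `args` offset (what that branch then does is outside the hunk, so this is inferred). Consider `else if (bpf->k == offsetof(struct seccomp_data, instruction_pointer) || bpf->k == offsetof(struct seccomp_data, instruction_pointer) + 4)` and printing which half is loaded, mirroring how the `args` branch must already split 64-bit arguments into two words. `bpf_decode_args()` begins outside the hunk.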
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c index 3f5fbbbfa..7ea1e749d 100644 --- a/src/fseccomp/syscall.c +++ b/src/fseccomp/syscall.c | |||
@@ -546,7 +546,7 @@ static void syscall_in_list(int fd, int syscall, int arg, void *ptrarg) { | |||
546 | } | 546 | } |
547 | else { // no problem, add to pre-exec list | 547 | else { // no problem, add to pre-exec list |
548 | // build syscall:error_no | 548 | // build syscall:error_no |
549 | char *newcall; | 549 | char *newcall = NULL; |
550 | if (arg != 0) { | 550 | if (arg != 0) { |
551 | if (asprintf(&newcall, "%s:%s", syscall_find_nr(syscall), errno_find_nr(arg)) == -1) | 551 | if (asprintf(&newcall, "%s:%s", syscall_find_nr(syscall), errno_find_nr(arg)) == -1) |
552 | errExit("asprintf"); | 552 | errExit("asprintf"); |
@@ -560,6 +560,7 @@ static void syscall_in_list(int fd, int syscall, int arg, void *ptrarg) { | |||
560 | if (ptr->prelist) { | 560 | if (ptr->prelist) { |
561 | if (asprintf(&ptr->prelist, "%s,%s", ptr->prelist, newcall) == -1) | 561 | if (asprintf(&ptr->prelist, "%s,%s", ptr->prelist, newcall) == -1) |
562 | errExit("asprintf"); | 562 | errExit("asprintf"); |
563 | free(newcall); | ||
563 | } | 564 | } |
564 | else | 565 | else |
565 | ptr->prelist = newcall; | 566 | ptr->prelist = newcall; |
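Review bot: The `free(newcall)` added on new line 563 fixes only half of the leak: the `asprintf` on line 561 stores a freshly allocated string into `ptr->prelist` while the previous `ptr->prelist` string it formats from is never freed, so the list leaks one allocation per appended syscall. Keep the old pointer in a local and release it after the call: `char *old = ptr->prelist;`, `if (asprintf(&ptr->prelist, "%s,%s", old, newcall) == -1)`, then `free(old);` before the existing `free(newcall);`. This also avoids passing the output pointer's old value as a format argument of the same `asprintf`. The enclosing `else` block and `syscall_in_list()` continue outside the hunk.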
diff --git a/src/libtracelog/libtracelog.c b/src/libtracelog/libtracelog.c index 0f8d5a00d..3e74051f8 100644 --- a/src/libtracelog/libtracelog.c +++ b/src/libtracelog/libtracelog.c | |||
@@ -181,7 +181,9 @@ static void load_blacklist(void) { | |||
181 | 181 | ||
182 | // extract blacklists | 182 | // extract blacklists |
183 | char buf[MAXBUF]; | 183 | char buf[MAXBUF]; |
184 | #ifdef DEBUG | ||
184 | int cnt = 0; | 185 | int cnt = 0; |
186 | #endif | ||
185 | while (fgets(buf, MAXBUF, fp)) { | 187 | while (fgets(buf, MAXBUF, fp)) { |
186 | if (strncmp(buf, "sandbox pid: ", 13) == 0) { | 188 | if (strncmp(buf, "sandbox pid: ", 13) == 0) { |
187 | char *ptr = strchr(buf, '\n'); | 189 | char *ptr = strchr(buf, '\n'); |
@@ -202,7 +204,9 @@ static void load_blacklist(void) { | |||
202 | if (ptr) | 204 | if (ptr) |
203 | *ptr = '\0'; | 205 | *ptr = '\0'; |
204 | storage_add(buf + 10); | 206 | storage_add(buf + 10); |
207 | #ifdef DEBUG | ||
205 | cnt++; | 208 | cnt++; |
209 | #endif | ||
206 | } | 210 | } |
207 | } | 211 | } |
208 | fclose(fp); | 212 | fclose(fp); |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 16004193d..052aeb56b 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -2527,7 +2527,7 @@ AppArmor support is disabled by default at compile time. Use --enable-apparmor c | |||
2527 | .br | 2527 | .br |
2528 | $ ./configure --prefix=/usr --enable-apparmor | 2528 | $ ./configure --prefix=/usr --enable-apparmor |
2529 | .TP | 2529 | .TP |
2530 | During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The local customizations can be placed in /etc/apparmor.d/local/firejail-local. The profile needs to be loaded into the kernel by reloading apparmor.service, rebooting the system or running the following command as root: | 2530 | During software install, a generic AppArmor profile file, firejail-default, is placed in /etc/apparmor.d directory. The local customizations must be placed in /etc/apparmor.d/local/firejail-local. The profile needs to be loaded into the kernel by reloading apparmor.service, rebooting the system or running the following command as root: |
2531 | .br | 2531 | .br |
2532 | 2532 | ||
2533 | .br | 2533 | .br |