aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--etc/signal-desktop.profile2
-rw-r--r--etc/tcpserver.net2
-rw-r--r--src/fbuilder/build_bin.c12
-rw-r--r--src/fbuilder/build_fs.c34
-rw-r--r--src/fbuilder/build_home.c30
-rw-r--r--src/fbuilder/build_profile.c22
-rw-r--r--src/fbuilder/build_seccomp.c22
-rw-r--r--src/fbuilder/fbuilder.h2
-rw-r--r--src/fbuilder/filedb.c10
-rw-r--r--src/fbuilder/main.c8
-rw-r--r--src/fbuilder/utils.c6
-rw-r--r--src/fcopy/main.c2
-rw-r--r--src/firecfg/desktop_files.c24
-rw-r--r--src/firejail/checkcfg.c2
-rw-r--r--src/firejail/fs.c4
-rw-r--r--src/firejail/fs_bin.c2
-rw-r--r--src/firejail/fs_dev.c6
-rw-r--r--src/firejail/fs_lib.c4
-rw-r--r--src/firejail/fs_lib2.c16
-rw-r--r--src/firejail/fs_whitelist.c2
-rw-r--r--src/firejail/join.c2
-rw-r--r--src/firejail/main.c6
-rw-r--r--src/firejail/network_main.c4
-rw-r--r--src/firejail/output.c4
-rw-r--r--src/firejail/preproc.c4
-rw-r--r--src/firejail/profile.c4
-rw-r--r--src/firejail/sandbox.c2
-rw-r--r--src/firejail/util.c2
-rw-r--r--src/firejail/x11.c2
-rw-r--r--src/firemon/firemon.c12
-rw-r--r--src/fldd/main.c6
-rw-r--r--src/fnetfilter/main.c4
-rw-r--r--src/fseccomp/seccomp.c2
-rw-r--r--src/fseccomp/seccomp_print.c18
-rw-r--r--src/man/firejail.txt4
35 files changed, 144 insertions, 144 deletions
diff --git a/etc/signal-desktop.profile b/etc/signal-desktop.profile
index b9f7a6c33..2cb2f644e 100644
--- a/etc/signal-desktop.profile
+++ b/etc/signal-desktop.profile
@@ -16,7 +16,7 @@ mkdir ${HOME}/.config/Signal
16whitelist ${DOWNLOADS} 16whitelist ${DOWNLOADS}
17whitelist ${HOME}/.config/Signal 17whitelist ${HOME}/.config/Signal
18include /etc/firejail/whitelist-common.inc 18include /etc/firejail/whitelist-common.inc
19include /etc/firejail/whitelist-var-common.inc 19include /etc/firejail/whitelist-var-common.inc
20 20
21caps.drop all 21caps.drop all
22netfilter 22netfilter
diff --git a/etc/tcpserver.net b/etc/tcpserver.net
index e60404e6b..9c39ee5fb 100644
--- a/etc/tcpserver.net
+++ b/etc/tcpserver.net
@@ -9,7 +9,7 @@
9# Usage: $ARG1 in this template is replaced by 5001 from command line below 9# Usage: $ARG1 in this template is replaced by 5001 from command line below
10# 10#
11# firejail --net=eth0 --ip=192.168.1.105 --netfilter=/etc/firejail/tcpserver.net,5001 server-program 11# firejail --net=eth0 --ip=192.168.1.105 --netfilter=/etc/firejail/tcpserver.net,5001 server-program
12# 12#
13################################################################### 13###################################################################
14 14
15# allow server traffic 15# allow server traffic
diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c
index fb92fb630..b69e089c3 100644
--- a/src/fbuilder/build_bin.c
+++ b/src/fbuilder/build_bin.c
@@ -23,21 +23,21 @@ static FileDB *bin_out = NULL;
23 23
24static void process_bin(const char *fname) { 24static void process_bin(const char *fname) {
25 assert(fname); 25 assert(fname);
26 26
27 // process trace file 27 // process trace file
28 FILE *fp = fopen(fname, "r"); 28 FILE *fp = fopen(fname, "r");
29 if (!fp) { 29 if (!fp) {
30 fprintf(stderr, "Error: cannot open %s\n", fname); 30 fprintf(stderr, "Error: cannot open %s\n", fname);
31 exit(1); 31 exit(1);
32 } 32 }
33 33
34 char buf[MAX_BUF]; 34 char buf[MAX_BUF];
35 while (fgets(buf, MAX_BUF, fp)) { 35 while (fgets(buf, MAX_BUF, fp)) {
36 // remove \n 36 // remove \n
37 char *ptr = strchr(buf, '\n'); 37 char *ptr = strchr(buf, '\n');
38 if (ptr) 38 if (ptr)
39 *ptr = '\0'; 39 *ptr = '\0';
40 40
41 // parse line: 4:galculator:access /etc/fonts/conf.d:0 41 // parse line: 4:galculator:access /etc/fonts/conf.d:0
42 // number followed by : 42 // number followed by :
43 ptr = buf; 43 ptr = buf;
@@ -89,7 +89,7 @@ static void process_bin(const char *fname) {
89 89
90 bin_out = filedb_add(bin_out, ptr); 90 bin_out = filedb_add(bin_out, ptr);
91 } 91 }
92 92
93 fclose(fp); 93 fclose(fp);
94} 94}
95 95
@@ -97,10 +97,10 @@ static void process_bin(const char *fname) {
97// process fname, fname.1, fname.2, fname.3, fname.4, fname.5 97// process fname, fname.1, fname.2, fname.3, fname.4, fname.5
98void build_bin(const char *fname, FILE *fp) { 98void build_bin(const char *fname, FILE *fp) {
99 assert(fname); 99 assert(fname);
100 100
101 // run fname 101 // run fname
102 process_bin(fname); 102 process_bin(fname);
103 103
104 // run all the rest 104 // run all the rest
105 struct stat s; 105 struct stat s;
106 int i; 106 int i;
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c
index f1a27a35a..3f685623e 100644
--- a/src/fbuilder/build_fs.c
+++ b/src/fbuilder/build_fs.c
@@ -25,23 +25,23 @@ static void process_file(const char *fname, const char *dir, void (*callback)(ch
25 assert(fname); 25 assert(fname);
26 assert(dir); 26 assert(dir);
27 assert(callback); 27 assert(callback);
28 28
29 int dir_len = strlen(dir); 29 int dir_len = strlen(dir);
30 30
31 // process trace file 31 // process trace file
32 FILE *fp = fopen(fname, "r"); 32 FILE *fp = fopen(fname, "r");
33 if (!fp) { 33 if (!fp) {
34 fprintf(stderr, "Error: cannot open %s\n", fname); 34 fprintf(stderr, "Error: cannot open %s\n", fname);
35 exit(1); 35 exit(1);
36 } 36 }
37 37
38 char buf[MAX_BUF]; 38 char buf[MAX_BUF];
39 while (fgets(buf, MAX_BUF, fp)) { 39 while (fgets(buf, MAX_BUF, fp)) {
40 // remove \n 40 // remove \n
41 char *ptr = strchr(buf, '\n'); 41 char *ptr = strchr(buf, '\n');
42 if (ptr) 42 if (ptr)
43 *ptr = '\0'; 43 *ptr = '\0';
44 44
45 // parse line: 4:galculator:access /etc/fonts/conf.d:0 45 // parse line: 4:galculator:access /etc/fonts/conf.d:0
46 // number followed by : 46 // number followed by :
47 ptr = buf; 47 ptr = buf;
@@ -78,10 +78,10 @@ static void process_file(const char *fname, const char *dir, void (*callback)(ch
78 if (!ptr2) 78 if (!ptr2)
79 continue; 79 continue;
80 *ptr2 = '\0'; 80 *ptr2 = '\0';
81 81
82 callback(ptr); 82 callback(ptr);
83 } 83 }
84 84
85 fclose(fp); 85 fclose(fp);
86} 86}
87 87
@@ -90,10 +90,10 @@ static void process_files(const char *fname, const char *dir, void (*callback)(c
90 assert(fname); 90 assert(fname);
91 assert(dir); 91 assert(dir);
92 assert(callback); 92 assert(callback);
93 93
94 // run fname 94 // run fname
95 process_file(fname, dir, callback); 95 process_file(fname, dir, callback);
96 96
97 // run all the rest 97 // run all the rest
98 struct stat s; 98 struct stat s;
99 int i; 99 int i;
@@ -127,9 +127,9 @@ static void etc_callback(char *ptr) {
127 127
128void build_etc(const char *fname, FILE *fp) { 128void build_etc(const char *fname, FILE *fp) {
129 assert(fname); 129 assert(fname);
130 130
131 process_files(fname, "/etc", etc_callback); 131 process_files(fname, "/etc", etc_callback);
132 132
133 fprintf(fp, "private-etc "); 133 fprintf(fp, "private-etc ");
134 if (etc_out == NULL) 134 if (etc_out == NULL)
135 fprintf(fp, "none\n"); 135 fprintf(fp, "none\n");
@@ -140,7 +140,7 @@ void build_etc(const char *fname, FILE *fp) {
140 ptr = ptr->next; 140 ptr = ptr->next;
141 } 141 }
142 fprintf(fp, "\n"); 142 fprintf(fp, "\n");
143 } 143 }
144} 144}
145 145
146//******************************************* 146//*******************************************
@@ -164,7 +164,7 @@ void build_var(const char *fname, FILE *fp) {
164 assert(fname); 164 assert(fname);
165 165
166 process_files(fname, "/var", var_callback); 166 process_files(fname, "/var", var_callback);
167 167
168 if (var_out == NULL) 168 if (var_out == NULL)
169 fprintf(fp, "blacklist /var\n"); 169 fprintf(fp, "blacklist /var\n");
170 else 170 else
@@ -218,9 +218,9 @@ static void tmp_callback(char *ptr) {
218 218
219void build_tmp(const char *fname, FILE *fp) { 219void build_tmp(const char *fname, FILE *fp) {
220 assert(fname); 220 assert(fname);
221 221
222 process_files(fname, "/tmp", tmp_callback); 222 process_files(fname, "/tmp", tmp_callback);
223 223
224 if (tmp_out == NULL) 224 if (tmp_out == NULL)
225 fprintf(fp, "private-tmp\n"); 225 fprintf(fp, "private-tmp\n");
226 else { 226 else {
@@ -247,7 +247,7 @@ static char *dev_skip[] = {
247 "/dev/random", 247 "/dev/random",
248 "/dev/urandom", 248 "/dev/urandom",
249 "/dev/tty", 249 "/dev/tty",
250 "/dev/snd", 250 "/dev/snd",
251 "/dev/dri", 251 "/dev/dri",
252 "/dev/pts", 252 "/dev/pts",
253 "/dev/nvidia0", 253 "/dev/nvidia0",
@@ -296,9 +296,9 @@ static void dev_callback(char *ptr) {
296 296
297void build_dev(const char *fname, FILE *fp) { 297void build_dev(const char *fname, FILE *fp) {
298 assert(fname); 298 assert(fname);
299 299
300 process_files(fname, "/dev", dev_callback); 300 process_files(fname, "/dev", dev_callback);
301 301
302 if (dev_out == NULL) 302 if (dev_out == NULL)
303 fprintf(fp, "private-dev\n"); 303 fprintf(fp, "private-dev\n");
304 else { 304 else {
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c
index 9bbd2c258..18bf5d702 100644
--- a/src/fbuilder/build_home.c
+++ b/src/fbuilder/build_home.c
@@ -29,7 +29,7 @@ static void load_whitelist_common(void) {
29 fprintf(stderr, "Error: cannot open whitelist-common.inc\n"); 29 fprintf(stderr, "Error: cannot open whitelist-common.inc\n");
30 exit(1); 30 exit(1);
31 } 31 }
32 32
33 char buf[MAX_BUF]; 33 char buf[MAX_BUF];
34 while (fgets(buf, MAX_BUF, fp)) { 34 while (fgets(buf, MAX_BUF, fp)) {
35 if (strncmp(buf, "whitelist ~/", 12) != 0) 35 if (strncmp(buf, "whitelist ~/", 12) != 0)
@@ -39,33 +39,33 @@ static void load_whitelist_common(void) {
39 if (!ptr) 39 if (!ptr)
40 continue; 40 continue;
41 *ptr = '\0'; 41 *ptr = '\0';
42 42
43 // add the file to skip list 43 // add the file to skip list
44 db_skip = filedb_add(db_skip, fn); 44 db_skip = filedb_add(db_skip, fn);
45 } 45 }
46 46
47 fclose(fp); 47 fclose(fp);
48} 48}
49 49
50void process_home(const char *fname, char *home, int home_len) { 50void process_home(const char *fname, char *home, int home_len) {
51 assert(fname); 51 assert(fname);
52 assert(home); 52 assert(home);
53 assert(home_len); 53 assert(home_len);
54 54
55 // process trace file 55 // process trace file
56 FILE *fp = fopen(fname, "r"); 56 FILE *fp = fopen(fname, "r");
57 if (!fp) { 57 if (!fp) {
58 fprintf(stderr, "Error: cannot open %s\n", fname); 58 fprintf(stderr, "Error: cannot open %s\n", fname);
59 exit(1); 59 exit(1);
60 } 60 }
61 61
62 char buf[MAX_BUF]; 62 char buf[MAX_BUF];
63 while (fgets(buf, MAX_BUF, fp)) { 63 while (fgets(buf, MAX_BUF, fp)) {
64 // remove \n 64 // remove \n
65 char *ptr = strchr(buf, '\n'); 65 char *ptr = strchr(buf, '\n');
66 if (ptr) 66 if (ptr)
67 *ptr = '\0'; 67 *ptr = '\0';
68 68
69 // parse line: 4:galculator:access /etc/fonts/conf.d:0 69 // parse line: 4:galculator:access /etc/fonts/conf.d:0
70 // number followed by : 70 // number followed by :
71 ptr = buf; 71 ptr = buf;
@@ -107,8 +107,8 @@ void process_home(const char *fname, char *home, int home_len) {
107 if (strcmp(ptr, home) == 0) 107 if (strcmp(ptr, home) == 0)
108 continue; 108 continue;
109 ptr += home_len + 1; 109 ptr += home_len + 1;
110 110
111 // skip files handled automatically by firejail 111 // skip files handled automatically by firejail
112 if (strcmp(ptr, ".Xauthority") == 0 || 112 if (strcmp(ptr, ".Xauthority") == 0 ||
113 strcmp(ptr, ".Xdefaults-debian") == 0 || 113 strcmp(ptr, ".Xdefaults-debian") == 0 ||
114 strncmp(ptr, ".config/pulse/", 13) == 0 || 114 strncmp(ptr, ".config/pulse/", 13) == 0 ||
@@ -116,8 +116,8 @@ void process_home(const char *fname, char *home, int home_len) {
116 strncmp(ptr, ".bash_hist", 10) == 0 || 116 strncmp(ptr, ".bash_hist", 10) == 0 ||
117 strcmp(ptr, ".bashrc") == 0) 117 strcmp(ptr, ".bashrc") == 0)
118 continue; 118 continue;
119 119
120 120
121 // try to find the relevant directory for this file 121 // try to find the relevant directory for this file
122 char *dir = extract_dir(ptr); 122 char *dir = extract_dir(ptr);
123 char *toadd = (dir)? dir: ptr; 123 char *toadd = (dir)? dir: ptr;
@@ -160,7 +160,7 @@ void process_home(const char *fname, char *home, int home_len) {
160// process fname, fname.1, fname.2, fname.3, fname.4, fname.5 160// process fname, fname.1, fname.2, fname.3, fname.4, fname.5
161void build_home(const char *fname, FILE *fp) { 161void build_home(const char *fname, FILE *fp) {
162 assert(fname); 162 assert(fname);
163 163
164 // load whitelist common 164 // load whitelist common
165 load_whitelist_common(); 165 load_whitelist_common();
166 166
@@ -172,10 +172,10 @@ void build_home(const char *fname, FILE *fp) {
172 if (!home) 172 if (!home)
173 errExit("getpwuid"); 173 errExit("getpwuid");
174 int home_len = strlen(home); 174 int home_len = strlen(home);
175 175
176 // run fname 176 // run fname
177 process_home(fname, home, home_len); 177 process_home(fname, home, home_len);
178 178
179 // run all the rest 179 // run all the rest
180 struct stat s; 180 struct stat s;
181 int i; 181 int i;
@@ -187,7 +187,7 @@ void build_home(const char *fname, FILE *fp) {
187 process_home(newname, home, home_len); 187 process_home(newname, home, home_len);
188 free(newname); 188 free(newname);
189 } 189 }
190 190
191 // print the out list if any 191 // print the out list if any
192 if (db_out) { 192 if (db_out) {
193 filedb_print(db_out, "whitelist ~/", fp); 193 filedb_print(db_out, "whitelist ~/", fp);
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c
index de9f79232..5fead41c5 100644
--- a/src/fbuilder/build_profile.c
+++ b/src/fbuilder/build_profile.c
@@ -43,7 +43,7 @@ static char *cmdlist[] = {
43static void clear_tmp_files(void) { 43static void clear_tmp_files(void) {
44 unlink(STRACE_OUTPUT); 44 unlink(STRACE_OUTPUT);
45 unlink(TRACE_OUTPUT); 45 unlink(TRACE_OUTPUT);
46 46
47 // run all the rest 47 // run all the rest
48 int i; 48 int i;
49 for (i = 1; i <= 5; i++) { 49 for (i = 1; i <= 5; i++) {
@@ -62,22 +62,22 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
62 fprintf(stderr, "Error: application name missing\n"); 62 fprintf(stderr, "Error: application name missing\n");
63 exit(1); 63 exit(1);
64 } 64 }
65 65
66 // clean /tmp files 66 // clean /tmp files
67 clear_tmp_files(); 67 clear_tmp_files();
68 68
69 // detect strace 69 // detect strace
70 int have_strace = 0; 70 int have_strace = 0;
71 if (access("/usr/bin/strace", X_OK) == 0) 71 if (access("/usr/bin/strace", X_OK) == 0)
72 have_strace = 1; 72 have_strace = 1;
73 73
74 // calculate command length 74 // calculate command length
75 unsigned len = (int) sizeof(cmdlist) / sizeof(char*) + argc - index + 1; 75 unsigned len = (int) sizeof(cmdlist) / sizeof(char*) + argc - index + 1;
76 if (arg_debug) 76 if (arg_debug)
77 printf("command len %d + %d + 1\n", (int) (sizeof(cmdlist) / sizeof(char*)), argc - index); 77 printf("command len %d + %d + 1\n", (int) (sizeof(cmdlist) / sizeof(char*)), argc - index);
78 char *cmd[len]; 78 char *cmd[len];
79 cmd[0] = cmdlist[0]; // explicit assignemnt to clean scan-build error 79 cmd[0] = cmdlist[0]; // explicit assignemnt to clean scan-build error
80 80
81 // build command 81 // build command
82 unsigned i = 0; 82 unsigned i = 0;
83 for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++) { 83 for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++) {
@@ -97,7 +97,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
97 for (i = 0; i < len; i++) 97 for (i = 0; i < len; i++)
98 printf("\t%s\n", cmd[i]); 98 printf("\t%s\n", cmd[i]);
99 } 99 }
100 100
101 // fork and execute 101 // fork and execute
102 pid_t child = fork(); 102 pid_t child = fork();
103 if (child == -1) 103 if (child == -1)
@@ -108,7 +108,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
108 (void) rv; 108 (void) rv;
109 errExit("execv"); 109 errExit("execv");
110 } 110 }
111 111
112 // wait for all processes to finish 112 // wait for all processes to finish
113 int status; 113 int status;
114 if (waitpid(child, &status, 0) != child) 114 if (waitpid(child, &status, 0) != child)
@@ -122,18 +122,18 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
122 fprintf(fp, "# Persistent global definitions\n"); 122 fprintf(fp, "# Persistent global definitions\n");
123 fprintf(fp, "# include /etc/firejail/globals.local\n"); 123 fprintf(fp, "# include /etc/firejail/globals.local\n");
124 fprintf(fp, "\n"); 124 fprintf(fp, "\n");
125 125
126 fprintf(fp, "### basic blacklisting\n"); 126 fprintf(fp, "### basic blacklisting\n");
127 fprintf(fp, "include /etc/firejail/disable-common.inc\n"); 127 fprintf(fp, "include /etc/firejail/disable-common.inc\n");
128 fprintf(fp, "# include /etc/firejail/disable-devel.inc\n"); 128 fprintf(fp, "# include /etc/firejail/disable-devel.inc\n");
129 fprintf(fp, "include /etc/firejail/disable-passwdmgr.inc\n"); 129 fprintf(fp, "include /etc/firejail/disable-passwdmgr.inc\n");
130 fprintf(fp, "# include /etc/firejail/disable-programs.inc\n"); 130 fprintf(fp, "# include /etc/firejail/disable-programs.inc\n");
131 fprintf(fp, "\n"); 131 fprintf(fp, "\n");
132 132
133 fprintf(fp, "### home directory whitelisting\n"); 133 fprintf(fp, "### home directory whitelisting\n");
134 build_home(TRACE_OUTPUT, fp); 134 build_home(TRACE_OUTPUT, fp);
135 fprintf(fp, "\n"); 135 fprintf(fp, "\n");
136 136
137 fprintf(fp, "### filesystem\n"); 137 fprintf(fp, "### filesystem\n");
138 build_tmp(TRACE_OUTPUT, fp); 138 build_tmp(TRACE_OUTPUT, fp);
139 build_dev(TRACE_OUTPUT, fp); 139 build_dev(TRACE_OUTPUT, fp);
@@ -158,7 +158,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) {
158 fprintf(fp, "### network\n"); 158 fprintf(fp, "### network\n");
159 build_protocol(TRACE_OUTPUT, fp); 159 build_protocol(TRACE_OUTPUT, fp);
160 fprintf(fp, "\n"); 160 fprintf(fp, "\n");
161 161
162 fprintf(fp, "### environment\n"); 162 fprintf(fp, "### environment\n");
163 fprintf(fp, "shell none\n"); 163 fprintf(fp, "shell none\n");
164 164
diff --git a/src/fbuilder/build_seccomp.c b/src/fbuilder/build_seccomp.c
index 63f37e34a..85190f0f2 100644
--- a/src/fbuilder/build_seccomp.c
+++ b/src/fbuilder/build_seccomp.c
@@ -23,13 +23,13 @@
23void build_seccomp(const char *fname, FILE *fp) { 23void build_seccomp(const char *fname, FILE *fp) {
24 assert(fname); 24 assert(fname);
25 assert(fp); 25 assert(fp);
26 26
27 FILE *fp2 = fopen(fname, "r"); 27 FILE *fp2 = fopen(fname, "r");
28 if (!fp2) { 28 if (!fp2) {
29 fprintf(stderr, "Error: cannot open %s\n", fname); 29 fprintf(stderr, "Error: cannot open %s\n", fname);
30 exit(1); 30 exit(1);
31 } 31 }
32 32
33 char buf[MAX_BUF]; 33 char buf[MAX_BUF];
34 int line = 1; 34 int line = 1;
35 int position = 0; 35 int position = 0;
@@ -39,7 +39,7 @@ void build_seccomp(const char *fname, FILE *fp) {
39 char *ptr = strchr(buf, '\n'); 39 char *ptr = strchr(buf, '\n');
40 if (ptr) 40 if (ptr)
41 *ptr = '\0'; 41 *ptr = '\0';
42 42
43 // first line: 43 // first line:
44 //% time seconds usecs/call calls errors syscall 44 //% time seconds usecs/call calls errors syscall
45 if (line == 1) { 45 if (line == 1) {
@@ -61,7 +61,7 @@ void build_seccomp(const char *fname, FILE *fp) {
61 // get out on the next "----" line 61 // get out on the next "----" line
62 if (*buf == '-') 62 if (*buf == '-')
63 break; 63 break;
64 64
65 if (line == 3) 65 if (line == 3)
66 fprintf(fp, "# seccomp.keep %s", buf + position); 66 fprintf(fp, "# seccomp.keep %s", buf + position);
67 else 67 else
@@ -89,21 +89,21 @@ int netlink = 0;
89int packet = 0; 89int packet = 0;
90static void process_protocol(const char *fname) { 90static void process_protocol(const char *fname) {
91 assert(fname); 91 assert(fname);
92 92
93 // process trace file 93 // process trace file
94 FILE *fp = fopen(fname, "r"); 94 FILE *fp = fopen(fname, "r");
95 if (!fp) { 95 if (!fp) {
96 fprintf(stderr, "Error: cannot open %s\n", fname); 96 fprintf(stderr, "Error: cannot open %s\n", fname);
97 exit(1); 97 exit(1);
98 } 98 }
99 99
100 char buf[MAX_BUF]; 100 char buf[MAX_BUF];
101 while (fgets(buf, MAX_BUF, fp)) { 101 while (fgets(buf, MAX_BUF, fp)) {
102 // remove \n 102 // remove \n
103 char *ptr = strchr(buf, '\n'); 103 char *ptr = strchr(buf, '\n');
104 if (ptr) 104 if (ptr)
105 *ptr = '\0'; 105 *ptr = '\0';
106 106
107 // parse line: 4:galculator:access /etc/fonts/conf.d:0 107 // parse line: 4:galculator:access /etc/fonts/conf.d:0
108 // number followed by : 108 // number followed by :
109 ptr = buf; 109 ptr = buf;
@@ -136,7 +136,7 @@ static void process_protocol(const char *fname) {
136 else if (strncmp(ptr, "AF_PACKET ", 9) == 0) 136 else if (strncmp(ptr, "AF_PACKET ", 9) == 0)
137 packet = 1; 137 packet = 1;
138 } 138 }
139 139
140 fclose(fp); 140 fclose(fp);
141} 141}
142 142
@@ -144,10 +144,10 @@ static void process_protocol(const char *fname) {
144// process fname, fname.1, fname.2, fname.3, fname.4, fname.5 144// process fname, fname.1, fname.2, fname.3, fname.4, fname.5
145void build_protocol(const char *fname, FILE *fp) { 145void build_protocol(const char *fname, FILE *fp) {
146 assert(fname); 146 assert(fname);
147 147
148 // run fname 148 // run fname
149 process_protocol(fname); 149 process_protocol(fname);
150 150
151 // run all the rest 151 // run all the rest
152 struct stat s; 152 struct stat s;
153 int i; 153 int i;
@@ -159,7 +159,7 @@ void build_protocol(const char *fname, FILE *fp) {
159 process_protocol(newname); 159 process_protocol(newname);
160 free(newname); 160 free(newname);
161 } 161 }
162 162
163 int net = 0; 163 int net = 0;
164 if (unix_s || inet || inet6 || netlink || packet) { 164 if (unix_s || inet || inet6 || netlink || packet) {
165 fprintf(fp, "protocol "); 165 fprintf(fp, "protocol ");
diff --git a/src/fbuilder/fbuilder.h b/src/fbuilder/fbuilder.h
index 81dc951ec..711167704 100644
--- a/src/fbuilder/fbuilder.h
+++ b/src/fbuilder/fbuilder.h
@@ -25,7 +25,7 @@
25#include <pwd.h> 25#include <pwd.h>
26#include <sys/types.h> 26#include <sys/types.h>
27#include <sys/stat.h> 27#include <sys/stat.h>
28 28
29 29
30#define MAX_BUF 4096 30#define MAX_BUF 4096
31// main.c 31// main.c
diff --git a/src/fbuilder/filedb.c b/src/fbuilder/filedb.c
index b7162c2d6..6b57954d3 100644
--- a/src/fbuilder/filedb.c
+++ b/src/fbuilder/filedb.c
@@ -24,14 +24,14 @@ FileDB *filedb_find(FileDB *head, const char *fname) {
24 FileDB *ptr = head; 24 FileDB *ptr = head;
25 int found = 0; 25 int found = 0;
26 int len = strlen(fname); 26 int len = strlen(fname);
27 27
28 while (ptr) { 28 while (ptr) {
29 // exact name 29 // exact name
30 if (strcmp(fname, ptr->fname) == 0) { 30 if (strcmp(fname, ptr->fname) == 0) {
31 found = 1; 31 found = 1;
32 break; 32 break;
33 } 33 }
34 34
35 // parent directory in the list 35 // parent directory in the list
36 if (len > ptr->len && 36 if (len > ptr->len &&
37 fname[ptr->len] == '/' && 37 fname[ptr->len] == '/' &&
@@ -42,10 +42,10 @@ FileDB *filedb_find(FileDB *head, const char *fname) {
42 42
43 ptr = ptr->next; 43 ptr = ptr->next;
44 } 44 }
45 45
46 if (found) 46 if (found)
47 return ptr; 47 return ptr;
48 48
49 return NULL; 49 return NULL;
50} 50}
51 51
@@ -55,7 +55,7 @@ FileDB *filedb_add(FileDB *head, const char *fname) {
55 // don't add it if it is already there or if the parent directory is already in the list 55 // don't add it if it is already there or if the parent directory is already in the list
56 if (filedb_find(head, fname)) 56 if (filedb_find(head, fname))
57 return head; 57 return head;
58 58
59 // add a new entry 59 // add a new entry
60 FileDB *entry = malloc(sizeof(FileDB)); 60 FileDB *entry = malloc(sizeof(FileDB));
61 if (!entry) 61 if (!entry)
diff --git a/src/fbuilder/main.c b/src/fbuilder/main.c
index 1b997ccdb..697b53700 100644
--- a/src/fbuilder/main.c
+++ b/src/fbuilder/main.c
@@ -40,7 +40,7 @@ printf("\n");
40 int prog_index = 0; 40 int prog_index = 0;
41 FILE *fp = stdout; 41 FILE *fp = stdout;
42 int prof_file = 0; 42 int prof_file = 0;
43 43
44 // parse arguments and extract program index 44 // parse arguments and extract program index
45 for (i = 1; i < argc; i++) { 45 for (i = 1; i < argc; i++) {
46 if (strcmp(argv[i], "-h") == 0 || strcmp(argv[i], "--help") == 0 || strcmp(argv[i], "-?") ==0) { 46 if (strcmp(argv[i], "-h") == 0 || strcmp(argv[i], "--help") == 0 || strcmp(argv[i], "-?") ==0) {
@@ -57,7 +57,7 @@ printf("\n");
57 fprintf(stderr, "Error fbuild: --build=profile-name is not supported for root user.\n"); 57 fprintf(stderr, "Error fbuild: --build=profile-name is not supported for root user.\n");
58 exit(1); 58 exit(1);
59 } 59 }
60 60
61 // check file access 61 // check file access
62 fp = fopen(argv[i] + 8, "w"); 62 fp = fopen(argv[i] + 8, "w");
63 if (!fp) { 63 if (!fp) {
@@ -77,7 +77,7 @@ printf("\n");
77 break; 77 break;
78 } 78 }
79 } 79 }
80 80
81 if (prog_index == 0) { 81 if (prog_index == 0) {
82 fprintf(stderr, "Error fbuilder: program and arguments required\n"); 82 fprintf(stderr, "Error fbuilder: program and arguments required\n");
83 usage(); 83 usage();
@@ -85,7 +85,7 @@ printf("\n");
85 fclose(fp); 85 fclose(fp);
86 exit(1); 86 exit(1);
87 } 87 }
88 88
89 build_profile(argc, argv, prog_index, fp); 89 build_profile(argc, argv, prog_index, fp);
90 if (prof_file) 90 if (prof_file)
91 fclose(fp); 91 fclose(fp);
diff --git a/src/fbuilder/utils.c b/src/fbuilder/utils.c
index 902290899..c07d2e925 100644
--- a/src/fbuilder/utils.c
+++ b/src/fbuilder/utils.c
@@ -56,17 +56,17 @@ char *extract_dir(char *fname) {
56 assert(fname); 56 assert(fname);
57 if (is_dir(fname)) 57 if (is_dir(fname))
58 return NULL; 58 return NULL;
59 59
60 char *name = strdup(fname); 60 char *name = strdup(fname);
61 if (!name) 61 if (!name)
62 errExit("strdup"); 62 errExit("strdup");
63 63
64 char *ptr = strrchr(name, '/'); 64 char *ptr = strrchr(name, '/');
65 if (!ptr) { 65 if (!ptr) {
66 free(name); 66 free(name);
67 return NULL; 67 return NULL;
68 } 68 }
69 *ptr = '\0'; 69 *ptr = '\0';
70 70
71 return name; 71 return name;
72} 72}
diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index 753d9c0a0..913234702 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -122,7 +122,7 @@ void copy_link(const char *target, const char *linkpath, mode_t mode, uid_t uid,
122 // if the link is already there, don't create it 122 // if the link is already there, don't create it
123 struct stat s; 123 struct stat s;
124 if (stat(linkpath, &s) == 0) 124 if (stat(linkpath, &s) == 0)
125 return; 125 return;
126 126
127 char *rp = realpath(target, NULL); 127 char *rp = realpath(target, NULL);
128 if (rp) { 128 if (rp) {
diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c
index c1d456147..2edc4c83b 100644
--- a/src/firecfg/desktop_files.c
+++ b/src/firecfg/desktop_files.c
@@ -41,7 +41,7 @@ static int check_profile(const char *name, const char *homedir) {
41 printf("found %s\n", profname2); 41 printf("found %s\n", profname2);
42 rv = 1; 42 rv = 1;
43 } 43 }
44 44
45 free(profname1); 45 free(profname1);
46 free(profname2); 46 free(profname2);
47 return rv; 47 return rv;
@@ -58,11 +58,11 @@ static int have_profile(const char *filename, const char *homedir) {
58 58
59 // we get strange names here, such as .org.gnom.gedit.desktop, com.uploadedlobster.peek.desktop, 59 // we get strange names here, such as .org.gnom.gedit.desktop, com.uploadedlobster.peek.desktop,
60 // or io.github.Pithos.desktop; extract the word before .desktop 60 // or io.github.Pithos.desktop; extract the word before .desktop
61 61
62 char *tmpfname = strdup(filename); 62 char *tmpfname = strdup(filename);
63 if (!tmpfname) 63 if (!tmpfname)
64 errExit("strdup"); 64 errExit("strdup");
65 65
66 // check .desktop extension 66 // check .desktop extension
67 int len = strlen(tmpfname); 67 int len = strlen(tmpfname);
68 if (len <= 8) 68 if (len <= 8)
@@ -70,14 +70,14 @@ static int have_profile(const char *filename, const char *homedir) {
70 if (strcmp(tmpfname + len - 8, ".desktop")) 70 if (strcmp(tmpfname + len - 8, ".desktop"))
71 return 0; 71 return 0;
72 tmpfname[len - 8] = '\0'; 72 tmpfname[len - 8] = '\0';
73 73
74 // extract last word 74 // extract last word
75 char *last_word = strrchr(tmpfname, '.'); 75 char *last_word = strrchr(tmpfname, '.');
76 if (last_word) 76 if (last_word)
77 last_word++; 77 last_word++;
78 else 78 else
79 last_word = tmpfname; 79 last_word = tmpfname;
80 80
81 // try lowercase 81 // try lowercase
82 last_word[0] = tolower(last_word[0]); 82 last_word[0] = tolower(last_word[0]);
83 int rv = check_profile(last_word, homedir); 83 int rv = check_profile(last_word, homedir);
@@ -85,7 +85,7 @@ static int have_profile(const char *filename, const char *homedir) {
85 free(tmpfname); 85 free(tmpfname);
86 return rv; 86 return rv;
87 } 87 }
88 88
89 // try uppercase 89 // try uppercase
90 last_word[0] = toupper(last_word[0]); 90 last_word[0] = toupper(last_word[0]);
91 rv = check_profile(last_word, homedir); 91 rv = check_profile(last_word, homedir);
@@ -228,12 +228,12 @@ void fix_desktop_files(char *homedir) {
228 } 228 }
229 } 229 }
230 } 230 }
231 231
232 if (change_exec == NULL && change_dbus == 0) { 232 if (change_exec == NULL && change_dbus == 0) {
233 munmap(buf, sb.st_size + 1); 233 munmap(buf, sb.st_size + 1);
234 continue; 234 continue;
235 } 235 }
236 236
237 munmap(buf, sb.st_size + 1); 237 munmap(buf, sb.st_size + 1);
238 238
239 //**************************************************** 239 //****************************************************
@@ -247,13 +247,13 @@ void fix_desktop_files(char *homedir) {
247 printf(" %s skipped: file exists\n", filename); 247 printf(" %s skipped: file exists\n", filename);
248 continue; 248 continue;
249 } 249 }
250 250
251 FILE *fpin = fopen(filename, "r"); 251 FILE *fpin = fopen(filename, "r");
252 if (!fpin) { 252 if (!fpin) {
253 fprintf(stderr, "Error: cannot open /usr/share/applications/%s\n", filename); 253 fprintf(stderr, "Error: cannot open /usr/share/applications/%s\n", filename);
254 continue; 254 continue;
255 } 255 }
256 256
257 FILE *fpout = fopen(outname, "w"); 257 FILE *fpout = fopen(outname, "w");
258 if (!fpout) { 258 if (!fpout) {
259 fprintf(stderr, "Error: cannot open ~/.local/share/applications/%s\n", outname); 259 fprintf(stderr, "Error: cannot open ~/.local/share/applications/%s\n", outname);
@@ -277,9 +277,9 @@ void fix_desktop_files(char *homedir) {
277 fprintf(fpout, "Exec=%s\n", change_exec); 277 fprintf(fpout, "Exec=%s\n", change_exec);
278 } 278 }
279 else 279 else
280 fprintf(fpout, "%s", fbuf); 280 fprintf(fpout, "%s", fbuf);
281 } 281 }
282 282
283 if (change_exec) 283 if (change_exec)
284 free(change_exec); 284 free(change_exec);
285 fclose(fpin); 285 fclose(fpin);
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 2fedb2f81..f101a8457 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -364,7 +364,7 @@ int checkcfg(int val) {
364 } 364 }
365 else 365 else
366 goto errout; 366 goto errout;
367 367
368 free(ptr); 368 free(ptr);
369 } 369 }
370 370
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index 653a656b3..4d99b70bd 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -605,7 +605,7 @@ void fs_proc_sys_dev_boot(void) {
605 // disable various ipc sockets in /run/user 605 // disable various ipc sockets in /run/user
606 if (!arg_writable_run_user) { 606 if (!arg_writable_run_user) {
607 struct stat s; 607 struct stat s;
608 608
609 char *fname; 609 char *fname;
610 if (asprintf(&fname, "/run/user/%d", getuid()) == -1) 610 if (asprintf(&fname, "/run/user/%d", getuid()) == -1)
611 errExit("asprintf"); 611 errExit("asprintf");
@@ -619,7 +619,7 @@ void fs_proc_sys_dev_boot(void) {
619 if (stat(fnamegpg, &s) == 0) 619 if (stat(fnamegpg, &s) == 0)
620 disable_file(BLACKLIST_FILE, fnamegpg); 620 disable_file(BLACKLIST_FILE, fnamegpg);
621 free(fnamegpg); 621 free(fnamegpg);
622 622
623 // disable /run/user/{uid}/systemd 623 // disable /run/user/{uid}/systemd
624 char *fnamesysd; 624 char *fnamesysd;
625 if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1) 625 if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1)
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c
index 9e19ac8d7..dc8423071 100644
--- a/src/firejail/fs_bin.c
+++ b/src/firejail/fs_bin.c
@@ -136,7 +136,7 @@ static int valid_full_path_file(const char *name) {
136 136
137static void report_duplication(const char *fname) { 137static void report_duplication(const char *fname) {
138 // report the file on all bin paths 138 // report the file on all bin paths
139 int i = 0; 139 int i = 0;
140 while (paths[i]) { 140 while (paths[i]) {
141 char *p; 141 char *p;
142 if (asprintf(&p, "%s/%s", paths[i], fname) == -1) 142 if (asprintf(&p, "%s/%s", paths[i], fname) == -1)
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index d839a0786..523f319ed 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -84,14 +84,14 @@ static void deventry_mount(void) {
84 while (dev[i].dev_fname != NULL) { 84 while (dev[i].dev_fname != NULL) {
85 struct stat s; 85 struct stat s;
86 if (stat(dev[i].run_fname, &s) == 0) { 86 if (stat(dev[i].run_fname, &s) == 0) {
87 87
88 // check device type and subsystem configuration 88 // check device type and subsystem configuration
89 if ((dev[i].type == DEV_SOUND && arg_nosound == 0) || 89 if ((dev[i].type == DEV_SOUND && arg_nosound == 0) ||
90 (dev[i].type == DEV_3D && arg_no3d == 0) || 90 (dev[i].type == DEV_3D && arg_no3d == 0) ||
91 (dev[i].type == DEV_VIDEO && arg_novideo == 0) || 91 (dev[i].type == DEV_VIDEO && arg_novideo == 0) ||
92 (dev[i].type == DEV_TV && arg_notv == 0) || 92 (dev[i].type == DEV_TV && arg_notv == 0) ||
93 (dev[i].type == DEV_DVD && arg_nodvd == 0)) { 93 (dev[i].type == DEV_DVD && arg_nodvd == 0)) {
94 94
95 int dir = is_dir(dev[i].run_fname); 95 int dir = is_dir(dev[i].run_fname);
96 if (arg_debug) 96 if (arg_debug)
97 printf("mounting %s %s\n", dev[i].run_fname, (dir)? "directory": "file"); 97 printf("mounting %s %s\n", dev[i].run_fname, (dir)? "directory": "file");
@@ -113,7 +113,7 @@ static void deventry_mount(void) {
113 fclose(fp); 113 fclose(fp);
114 } 114 }
115 } 115 }
116 116
117 if (mount(dev[i].run_fname, dev[i].dev_fname, NULL, MS_BIND|MS_REC, NULL) < 0) 117 if (mount(dev[i].run_fname, dev[i].dev_fname, NULL, MS_BIND|MS_REC, NULL) < 0)
118 errExit("mounting dev file"); 118 errExit("mounting dev file");
119 fs_logger2("whitelist", dev[i].dev_fname); 119 fs_logger2("whitelist", dev[i].dev_fname);
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 46ee22bf3..4cb8ed1c2 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -46,7 +46,7 @@ static void report_duplication(const char *full_path) {
46 char *fname = strrchr(full_path, '/'); 46 char *fname = strrchr(full_path, '/');
47 if (fname && *(++fname) != '\0') { 47 if (fname && *(++fname) != '\0') {
48 // report the file on all bin paths 48 // report the file on all bin paths
49 int i = 0; 49 int i = 0;
50 while (lib_paths[i]) { 50 while (lib_paths[i]) {
51 char *p; 51 char *p;
52 if (asprintf(&p, "%s/%s", lib_paths[i], fname) == -1) 52 if (asprintf(&p, "%s/%s", lib_paths[i], fname) == -1)
@@ -91,7 +91,7 @@ void fslib_duplicate(const char *full_path) {
91 return; 91 return;
92 } 92 }
93 free(name); 93 free(name);
94 94
95 if (arg_debug || arg_debug_private_lib) 95 if (arg_debug || arg_debug_private_lib)
96 printf("copying %s to private %s\n", full_path, dest_dir); 96 printf("copying %s to private %s\n", full_path, dest_dir);
97 97
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c
index e5c6bdaed..4e49730f4 100644
--- a/src/firejail/fs_lib2.c
+++ b/src/firejail/fs_lib2.c
@@ -88,7 +88,7 @@ static void stdc(const char *dirname) {
88 continue; 88 continue;
89 if (strcmp(entry->d_name, "..") == 0) 89 if (strcmp(entry->d_name, "..") == 0)
90 continue; 90 continue;
91 91
92 if (find_libc_list(entry->d_name)) { 92 if (find_libc_list(entry->d_name)) {
93 char *fname; 93 char *fname;
94 if (asprintf(&fname, "%s/%s", dirname, entry->d_name) == -1) 94 if (asprintf(&fname, "%s/%s", dirname, entry->d_name) == -1)
@@ -105,7 +105,7 @@ void fslib_install_stdc(void) {
105 // install standard C libraries 105 // install standard C libraries
106 struct stat s; 106 struct stat s;
107 char *stdclib = "/lib64"; // CentOS, Fedora, Arch 107 char *stdclib = "/lib64"; // CentOS, Fedora, Arch
108 108
109 if (stat("/lib/x86_64-linux-gnu", &s) == 0) { // Debian & friends 109 if (stat("/lib/x86_64-linux-gnu", &s) == 0) { // Debian & friends
110 mkdir_attr(RUN_LIB_DIR "/x86_64-linux-gnu", 0755, 0, 0); 110 mkdir_attr(RUN_LIB_DIR "/x86_64-linux-gnu", 0755, 0, 0);
111 stdclib = "/lib/x86_64-linux-gnu"; 111 stdclib = "/lib/x86_64-linux-gnu";
@@ -219,13 +219,13 @@ SysLib syslibs[] = {
219 "" // message 219 "" // message
220 } 220 }
221}; 221};
222 222
223void fslib_install_system(void) { 223void fslib_install_system(void) {
224 // look for installed libraries 224 // look for installed libraries
225 DIR *dir = opendir(RUN_LIB_DIR "/x86_64-linux-gnu"); 225 DIR *dir = opendir(RUN_LIB_DIR "/x86_64-linux-gnu");
226 if (!dir) 226 if (!dir)
227 dir = opendir(RUN_LIB_DIR); 227 dir = opendir(RUN_LIB_DIR);
228 228
229 if (dir) { 229 if (dir) {
230 struct dirent *entry; 230 struct dirent *entry;
231 while ((entry = readdir(dir)) != NULL) { 231 while ((entry = readdir(dir)) != NULL) {
@@ -238,12 +238,12 @@ void fslib_install_system(void) {
238 while (ptr->library) { 238 while (ptr->library) {
239 if (ptr->len == 0) 239 if (ptr->len == 0)
240 ptr->len = strlen(ptr->library); 240 ptr->len = strlen(ptr->library);
241 241
242 if (strncmp(entry->d_name, ptr->library, ptr->len) == 0) { 242 if (strncmp(entry->d_name, ptr->library, ptr->len) == 0) {
243 ptr->found = 1; 243 ptr->found = 1;
244 break; 244 break;
245 } 245 }
246 246
247 ptr++; 247 ptr++;
248 } 248 }
249 249
@@ -281,7 +281,7 @@ void fslib_install_system(void) {
281 } 281 }
282 } 282 }
283 free(name); 283 free(name);
284 284
285 if (*ptr->dir2 != '\0') { 285 if (*ptr->dir2 != '\0') {
286 // Debian & friends 286 // Debian & friends
287 if (asprintf(&name, "/usr/lib/x86_64-linux-gnu/%s", ptr->dir2) == -1) 287 if (asprintf(&name, "/usr/lib/x86_64-linux-gnu/%s", ptr->dir2) == -1)
@@ -302,7 +302,7 @@ void fslib_install_system(void) {
302 } 302 }
303 free(name); 303 free(name);
304 } 304 }
305 305
306 if (!arg_quiet) 306 if (!arg_quiet)
307 fprintf(stderr, "%s installed in %0.2f ms\n", ptr->message, timetrace_end()); 307 fprintf(stderr, "%s installed in %0.2f ms\n", ptr->message, timetrace_end());
308 } 308 }
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 7928aaf3d..da796f60f 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -275,7 +275,7 @@ static void whitelist_path(ProfileEntry *entry) {
275 } 275 }
276 276
277 // check if the file exists 277 // check if the file exists
278 assert(wfile); 278 assert(wfile);
279 struct stat s; 279 struct stat s;
280 if (stat(wfile, &s) == 0) { 280 if (stat(wfile, &s) == 0) {
281 if (arg_debug || arg_debug_whitelists) 281 if (arg_debug || arg_debug_whitelists)
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 9f52d4565..4ce690737 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -279,7 +279,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
279 if (child == 0) { 279 if (child == 0) {
280 // drop discretionary access control capabilities for root sandboxes 280 // drop discretionary access control capabilities for root sandboxes
281 caps_drop_dac_override(); 281 caps_drop_dac_override();
282 282
283 // chroot into /proc/PID/root directory 283 // chroot into /proc/PID/root directory
284 char *rootdir; 284 char *rootdir;
285 if (asprintf(&rootdir, "/proc/%d/root", pid) == -1) 285 if (asprintf(&rootdir, "/proc/%d/root", pid) == -1)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index d6b0a230e..df758e11e 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -506,7 +506,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
506 printf("%s", buf); 506 printf("%s", buf);
507 fclose(fp); 507 fclose(fp);
508 exit(0); 508 exit(0);
509 509
510 } 510 }
511 else if (strncmp(argv[i], "--cpu.print=", 12) == 0) { 511 else if (strncmp(argv[i], "--cpu.print=", 12) == 0) {
512 // join sandbox by pid or by name 512 // join sandbox by pid or by name
@@ -882,7 +882,7 @@ static void run_builder(int argc, char **argv) {
882 if (setuid(getuid()) < 0) 882 if (setuid(getuid()) < 0)
883 errExit("setuid/getuid"); 883 errExit("setuid/getuid");
884 assert(getenv("LD_PRELOAD") == NULL); 884 assert(getenv("LD_PRELOAD") == NULL);
885 885
886 argv[0] = LIBDIR "/firejail/fbuilder"; 886 argv[0] = LIBDIR "/firejail/fbuilder";
887 execvp(argv[0], argv); 887 execvp(argv[0], argv);
888 888
@@ -950,7 +950,7 @@ int main(int argc, char **argv) {
950 // profile builder 950 // profile builder
951 if (check_arg(argc, argv, "--build", 0)) // supports both --build and --build=filename 951 if (check_arg(argc, argv, "--build", 0)) // supports both --build and --build=filename
952 run_builder(argc, argv); // this function will not return 952 run_builder(argc, argv); // this function will not return
953 953
954 // check argv[0] symlink wrapper if this is not a login shell 954 // check argv[0] symlink wrapper if this is not a login shell
955 if (*argv[0] != '-') 955 if (*argv[0] != '-')
956 run_symlink(argc, argv); // if symlink detected, this function will not return 956 run_symlink(argc, argv); // if symlink detected, this function will not return
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c
index 91f1274bd..2719db958 100644
--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -262,14 +262,14 @@ void net_dns_print(pid_t pid) {
262 caps_drop_all(); 262 caps_drop_all();
263 if (chdir("/") < 0) 263 if (chdir("/") < 0)
264 errExit("chdir"); 264 errExit("chdir");
265 265
266 // access /etc/resolv.conf 266 // access /etc/resolv.conf
267 FILE *fp = fopen("/etc/resolv.conf", "r"); 267 FILE *fp = fopen("/etc/resolv.conf", "r");
268 if (!fp) { 268 if (!fp) {
269 fprintf(stderr, "Error: cannot access /etc/resolv.conf\n"); 269 fprintf(stderr, "Error: cannot access /etc/resolv.conf\n");
270 exit(1); 270 exit(1);
271 } 271 }
272 272
273 char buf[MAXBUF]; 273 char buf[MAXBUF];
274 while (fgets(buf, MAXBUF, fp)) 274 while (fgets(buf, MAXBUF, fp))
275 printf("%s", buf); 275 printf("%s", buf);
diff --git a/src/firejail/output.c b/src/firejail/output.c
index 4f68b8ca3..7d73f1ef2 100644
--- a/src/firejail/output.c
+++ b/src/firejail/output.c
@@ -28,7 +28,7 @@ void check_output(int argc, char **argv) {
28 int i; 28 int i;
29 int outindex = 0; 29 int outindex = 0;
30 int enable_stderr = 0; 30 int enable_stderr = 0;
31 31
32 for (i = 1; i < argc; i++) { 32 for (i = 1; i < argc; i++) {
33 if (strncmp(argv[i], "--output=", 9) == 0) { 33 if (strncmp(argv[i], "--output=", 9) == 0) {
34 outindex = i; 34 outindex = i;
@@ -90,7 +90,7 @@ void check_output(int argc, char **argv) {
90 continue; 90 continue;
91 ptr += sprintf(ptr, "%s ", argv[i]); 91 ptr += sprintf(ptr, "%s ", argv[i]);
92 } 92 }
93 93
94 if (enable_stderr) 94 if (enable_stderr)
95 sprintf(ptr, "2>&1 | %s/firejail/ftee %s", LIBDIR, outfile); 95 sprintf(ptr, "2>&1 | %s/firejail/ftee %s", LIBDIR, outfile);
96 else 96 else
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
index 5039c6238..6826d830f 100644
--- a/src/firejail/preproc.c
+++ b/src/firejail/preproc.c
@@ -146,7 +146,7 @@ void preproc_clean_run(void) {
146 pid %= max_pids; 146 pid %= max_pids;
147 if (end == entry->d_name || *end) 147 if (end == entry->d_name || *end)
148 continue; 148 continue;
149 149
150 if (pid < start_pid) 150 if (pid < start_pid)
151 continue; 151 continue;
152 pidarr[pid] = 1; 152 pidarr[pid] = 1;
@@ -169,7 +169,7 @@ void preproc_clean_run(void) {
169 pid %= max_pids; 169 pid %= max_pids;
170 if (end == entry->d_name || *end) 170 if (end == entry->d_name || *end)
171 continue; 171 continue;
172 172
173 if (pid < start_pid) 173 if (pid < start_pid)
174 continue; 174 continue;
175 if (pidarr[pid] == 0) 175 if (pidarr[pid] == 0)
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index c8bbff3fb..7d97842df 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1062,12 +1062,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
1062 1062
1063 return 0; 1063 return 0;
1064 } 1064 }
1065 1065
1066 if (strncmp(ptr, "timeout ", 8) == 0) { 1066 if (strncmp(ptr, "timeout ", 8) == 0) {
1067 cfg.timeout = extract_timeout(ptr +8); 1067 cfg.timeout = extract_timeout(ptr +8);
1068 return 0; 1068 return 0;
1069 } 1069 }
1070 1070
1071 if (strncmp(ptr, "join-or-start ", 14) == 0) { 1071 if (strncmp(ptr, "join-or-start ", 14) == 0) {
1072 // try to join by name only 1072 // try to join by name only
1073 pid_t pid; 1073 pid_t pid;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index b413407bd..8754f05bb 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -105,7 +105,7 @@ static void set_caps(void) {
105 caps_keep_list(arg_caps_list); 105 caps_keep_list(arg_caps_list);
106 else if (arg_caps_default_filter) 106 else if (arg_caps_default_filter)
107 caps_default_filter(); 107 caps_default_filter();
108 108
109 // drop discretionary access control capabilities for root sandboxes 109 // drop discretionary access control capabilities for root sandboxes
110 // if caps.keep, the user has to set it manually in the list 110 // if caps.keep, the user has to set it manually in the list
111 if (!arg_caps_keep) 111 if (!arg_caps_keep)
diff --git a/src/firejail/util.c b/src/firejail/util.c
index fde180e49..0d703a1b6 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -763,7 +763,7 @@ void invalid_filename(const char *fname, int globbing) {
763 return; 763 return;
764 764
765 int len = strlen(ptr); 765 int len = strlen(ptr);
766 766
767 if (globbing) { 767 if (globbing) {
768 // file globbing ('*?[]') is allowed 768 // file globbing ('*?[]') is allowed
769 if (strcspn(ptr, "\\&!\"'<>%^(){};,") != (size_t)len) { 769 if (strcspn(ptr, "\\&!\"'<>%^(){};,") != (size_t)len) {
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index d41f46d93..18617e75f 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -1043,7 +1043,7 @@ void x11_start_xpra(int argc, char **argv) {
1043 char *display_str; 1043 char *display_str;
1044 if (asprintf(&display_str, ":%d", display) == -1) 1044 if (asprintf(&display_str, ":%d", display) == -1)
1045 errExit("asprintf"); 1045 errExit("asprintf");
1046 1046
1047 if (checkcfg(CFG_XPRA_ATTACH)) 1047 if (checkcfg(CFG_XPRA_ATTACH))
1048 x11_start_xpra_new(argc, argv, display_str); 1048 x11_start_xpra_new(argc, argv, display_str);
1049 else 1049 else
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c
index 1f3fdd578..6f7356729 100644
--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
@@ -56,15 +56,15 @@ static void my_handler(int s){
56// return -1 if not found 56// return -1 if not found
57// 57//
58// Example: 58// Example:
59//14776:netblue:/usr/bin/firejail /usr/bin/transmission-qt 59//14776:netblue:/usr/bin/firejail /usr/bin/transmission-qt
60// 14777:netblue:/usr/bin/firejail /usr/bin/transmission-qt 60// 14777:netblue:/usr/bin/firejail /usr/bin/transmission-qt
61// 14792:netblue:/usr/bin/transmission-qt 61// 14792:netblue:/usr/bin/transmission-qt
62// We need 14792, the first real sandboxed process 62// We need 14792, the first real sandboxed process
63int find_child(int id) { 63int find_child(int id) {
64 int i; 64 int i;
65 int first_child = -1; 65 int first_child = -1;
66 66
67 // find the first child 67 // find the first child
68 for (i = 0; i < max_pids; i++) { 68 for (i = 0; i < max_pids; i++) {
69 if (pids[i].level == 2 && pids[i].parent == id) { 69 if (pids[i].level == 2 && pids[i].parent == id) {
70 first_child = i; 70 first_child = i;
@@ -74,13 +74,13 @@ int find_child(int id) {
74 74
75 if (first_child == -1) 75 if (first_child == -1)
76 return -1; 76 return -1;
77 77
78 // find the second child 78 // find the second child
79 for (i = 0; i < max_pids; i++) { 79 for (i = 0; i < max_pids; i++) {
80 if (pids[i].level == 3 && pids[i].parent == first_child) 80 if (pids[i].level == 3 && pids[i].parent == first_child)
81 return i; 81 return i;
82 } 82 }
83 83
84 return -1; 84 return -1;
85} 85}
86 86
diff --git a/src/fldd/main.c b/src/fldd/main.c
index 8e5b2bcb5..4439c6509 100644
--- a/src/fldd/main.c
+++ b/src/fldd/main.c
@@ -115,7 +115,7 @@ static void copy_libs_for_exe(const char *exe) {
115 fprintf(stderr, "Warning fldd: cannot open %s, skipping...\n", exe); 115 fprintf(stderr, "Warning fldd: cannot open %s, skipping...\n", exe);
116 return; 116 return;
117 } 117 }
118 118
119 struct stat s; 119 struct stat s;
120 char *base = NULL, *end; 120 char *base = NULL, *end;
121 if (fstat(f, &s) == -1) 121 if (fstat(f, &s) == -1)
@@ -217,7 +217,7 @@ static void copy_libs_for_exe(const char *exe) {
217 close: 217 close:
218 if (base) 218 if (base)
219 munmap(base, s.st_size); 219 munmap(base, s.st_size);
220 220
221 close(f); 221 close(f);
222} 222}
223 223
@@ -335,7 +335,7 @@ printf("\n");
335 usage(); 335 usage();
336 return 0; 336 return 0;
337 } 337 }
338 338
339 int fd = STDOUT_FILENO; 339 int fd = STDOUT_FILENO;
340 // attempt to open the file 340 // attempt to open the file
341 if (argc == 3) { 341 if (argc == 3) {
diff --git a/src/fnetfilter/main.c b/src/fnetfilter/main.c
index 723c1ac32..d6ed502b8 100644
--- a/src/fnetfilter/main.c
+++ b/src/fnetfilter/main.c
@@ -181,7 +181,7 @@ printf("\n");
181 } 181 }
182 182
183 char *destfile = (argc == 3)? argv[2]: argv[1]; 183 char *destfile = (argc == 3)? argv[2]: argv[1];
184 char *command = (argc == 3)? argv[1]: NULL; 184 char *command = (argc == 3)? argv[1]: NULL;
185//printf("command %s\n", command); 185//printf("command %s\n", command);
186//printf("destfile %s\n", destfile); 186//printf("destfile %s\n", destfile);
187 // destfile is a real filename 187 // destfile is a real filename
@@ -208,6 +208,6 @@ printf("\n");
208 else 208 else
209 copy(command, destfile); 209 copy(command, destfile);
210 } 210 }
211 211
212 return 0; 212 return 0;
213} 213}
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index ef7dd5c54..028cd76a9 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -165,7 +165,7 @@ void seccomp_default_drop(const char *fname1, const char *fname2, char *list, in
165 165
166void seccomp_keep(const char *fname1, const char *fname2, char *list) { 166void seccomp_keep(const char *fname1, const char *fname2, char *list) {
167 (void) fname2; 167 (void) fname2;
168 168
169 // open file for pre-exec filter 169 // open file for pre-exec filter
170 int fd = open(fname1, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); 170 int fd = open(fname1, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
171 if (fd < 0) { 171 if (fd < 0) {
diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c
index e8df2bda5..ffc65e7c3 100644
--- a/src/fseccomp/seccomp_print.c
+++ b/src/fseccomp/seccomp_print.c
@@ -68,7 +68,7 @@ static int detect_filter_type(void) {
68 assert(filter); 68 assert(filter);
69 69
70 printf("SECCOMP Filter\n"); 70 printf("SECCOMP Filter\n");
71 71
72 // testing for main seccomp filter, protocol, mdwe - platform architecture 72 // testing for main seccomp filter, protocol, mdwe - platform architecture
73 const struct sock_filter start_main[] = { 73 const struct sock_filter start_main[] = {
74 VALIDATE_ARCHITECTURE, 74 VALIDATE_ARCHITECTURE,
@@ -79,7 +79,7 @@ static int detect_filter_type(void) {
79 EXAMINE_SYSCALL 79 EXAMINE_SYSCALL
80#endif 80#endif
81 }; 81 };
82 82
83 if (memcmp(&start_main[0], filter, sizeof(start_main)) == 0) { 83 if (memcmp(&start_main[0], filter, sizeof(start_main)) == 0) {
84 printf(" VALIDATE_ARCHITECTURE\n"); 84 printf(" VALIDATE_ARCHITECTURE\n");
85 printf(" EXAMINE_SYSCALL\n"); 85 printf(" EXAMINE_SYSCALL\n");
@@ -88,26 +88,26 @@ static int detect_filter_type(void) {
88#endif 88#endif
89 return sizeof(start_main) / sizeof(struct sock_filter); 89 return sizeof(start_main) / sizeof(struct sock_filter);
90 } 90 }
91 91
92 92
93 // testing for secondary 64 bit filter 93 // testing for secondary 64 bit filter
94 const struct sock_filter start_secondary_64[] = { 94 const struct sock_filter start_secondary_64[] = {
95 VALIDATE_ARCHITECTURE_64, 95 VALIDATE_ARCHITECTURE_64,
96 EXAMINE_SYSCALL, 96 EXAMINE_SYSCALL,
97 }; 97 };
98 98
99 if (memcmp(&start_secondary_64[0], filter, sizeof(start_secondary_64)) == 0) { 99 if (memcmp(&start_secondary_64[0], filter, sizeof(start_secondary_64)) == 0) {
100 printf(" VALIDATE_ARCHITECTURE_64\n"); 100 printf(" VALIDATE_ARCHITECTURE_64\n");
101 printf(" EXAMINE_SYSCALL\n"); 101 printf(" EXAMINE_SYSCALL\n");
102 return sizeof(start_secondary_64) / sizeof(struct sock_filter); 102 return sizeof(start_secondary_64) / sizeof(struct sock_filter);
103 } 103 }
104 104
105 // testing for secondary 32 bit filter 105 // testing for secondary 32 bit filter
106 const struct sock_filter start_secondary_32[] = { 106 const struct sock_filter start_secondary_32[] = {
107 VALIDATE_ARCHITECTURE_32, 107 VALIDATE_ARCHITECTURE_32,
108 EXAMINE_SYSCALL, 108 EXAMINE_SYSCALL,
109 }; 109 };
110 110
111 if (memcmp(&start_secondary_32[0], filter, sizeof(start_secondary_32)) == 0) { 111 if (memcmp(&start_secondary_32[0], filter, sizeof(start_secondary_32)) == 0) {
112 printf(" VALIDATE_ARCHITECTURE_32\n"); 112 printf(" VALIDATE_ARCHITECTURE_32\n");
113 printf(" EXAMINE_SYSCALL\n"); 113 printf(" EXAMINE_SYSCALL\n");
@@ -132,7 +132,7 @@ static int detect_filter_type(void) {
132#endif 132#endif
133 return sizeof(start_secondary_block) / sizeof(struct sock_filter); 133 return sizeof(start_secondary_block) / sizeof(struct sock_filter);
134 } 134 }
135 135
136 return 0; // filter unrecognized 136 return 0; // filter unrecognized
137} 137}
138 138
@@ -146,7 +146,7 @@ void filter_print(const char *fname) {
146 printf("Invalid seccomp filter %s\n", fname); 146 printf("Invalid seccomp filter %s\n", fname);
147 return; 147 return;
148 } 148 }
149 149
150 // loop trough the rest of commands 150 // loop trough the rest of commands
151 while (i < filter_cnt) { 151 while (i < filter_cnt) {
152 // minimal parsing! 152 // minimal parsing!
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index d9000fd5e..927c5e309 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -859,7 +859,7 @@ be created and configured using "ip netns".
859.TP 859.TP
860\fB\-\-netfilter 860\fB\-\-netfilter
861Enable a default firewall if a new network namespace is created inside the sandbox. 861Enable a default firewall if a new network namespace is created inside the sandbox.
862This option has no effect for sandboxes using the system network namespace. 862This option has no effect for sandboxes using the system network namespace.
863.br 863.br
864 864
865.br 865.br
@@ -970,7 +970,7 @@ $ firejail --netfilter.print=browser
970\fB\-\-netfilter6=filename 970\fB\-\-netfilter6=filename
971Enable the IPv6 firewall specified by filename if a new network namespace is created inside the sandbox. 971Enable the IPv6 firewall specified by filename if a new network namespace is created inside the sandbox.
972This option has no effect for sandboxes using the system network namespace. 972This option has no effect for sandboxes using the system network namespace.
973Please use the regular iptables-save/iptables-restore format for the filter file. 973Please use the regular iptables-save/iptables-restore format for the filter file.
974 974
975.TP 975.TP
976\fB\-\-netfilter6.print=name|pid 976\fB\-\-netfilter6.print=name|pid
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-01 06:48:03 +0000