diff options
| -rw-r--r-- | .github/workflows/build-extra.yml | 26 | ||||
| -rw-r--r-- | .github/workflows/build.yml | 6 | ||||
| -rw-r--r-- | .github/workflows/profile-checks.yml | 2 | ||||
| -rw-r--r-- | src/firejail/fs_bin.c | 6 | ||||
| -rw-r--r-- | src/firejail/fs_var.c | 2 | ||||
| -rw-r--r-- | src/lib/ldd_utils.c | 2 | ||||
| -rw-r--r-- | test/Makefile | 2 | ||||
| -rwxr-xr-x | test/environment/dns.exp | 32 | ||||
| -rwxr-xr-x | test/sysutils/less.exp | 1 | ||||
| -rwxr-xr-x | test/utils/man.exp | 1 | ||||
| -rwxr-xr-x | test/utils/trace.exp | 4 |
11 files changed, 47 insertions, 37 deletions
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index 6f9a4bc2c..ff812ca32 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml | |||
| @@ -28,11 +28,13 @@ on: | |||
| 28 | 28 | ||
| 29 | jobs: | 29 | jobs: |
| 30 | build-clang: | 30 | build-clang: |
| 31 | runs-on: ubuntu-20.04 | 31 | runs-on: ubuntu-22.04 |
| 32 | steps: | 32 | steps: |
| 33 | - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b | 33 | - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b |
| 34 | - name: install dependencies | ||
| 35 | run: sudo apt-get install libapparmor-dev libselinux1-dev | ||
| 34 | - name: configure | 36 | - name: configure |
| 35 | run: CC=clang-11 ./configure --enable-fatal-warnings | 37 | run: CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor --enable-selinux |
| 36 | - name: make | 38 | - name: make |
| 37 | run: make | 39 | run: make |
| 38 | - name: make install | 40 | - name: make install |
| @@ -40,16 +42,26 @@ jobs: | |||
| 40 | - name: print version | 42 | - name: print version |
| 41 | run: command -V firejail && firejail --version | 43 | run: command -V firejail && firejail --version |
| 42 | scan-build: | 44 | scan-build: |
| 43 | runs-on: ubuntu-20.04 | 45 | runs-on: ubuntu-22.04 |
| 44 | steps: | 46 | steps: |
| 45 | - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b | 47 | - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b |
| 46 | - name: install clang-tools-11 | 48 | - name: install clang-tools-14 and dependencies |
| 47 | run: sudo apt-get install clang-tools-11 | 49 | run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev |
| 48 | - name: configure | 50 | - name: configure |
| 49 | run: CC=clang-11 ./configure --enable-fatal-warnings | 51 | run: CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor --enable-selinux |
| 50 | - name: scan-build | 52 | - name: scan-build |
| 51 | run: NO_EXTRA_CFLAGS="yes" scan-build-11 --status-bugs make | 53 | run: NO_EXTRA_CFLAGS="yes" scan-build-14 --status-bugs make |
| 52 | cppcheck: | 54 | cppcheck: |
| 55 | runs-on: ubuntu-22.04 | ||
| 56 | steps: | ||
| 57 | - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b | ||
| 58 | - name: install cppcheck | ||
| 59 | run: sudo apt-get install cppcheck | ||
| 60 | - name: cppcheck | ||
| 61 | run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance -i src/firejail/checkcfg.c -i src/firejail/main.c . | ||
| 62 | # new cppcheck version currently chokes on checkcfg.c and main.c, therefore scan all files also | ||
| 63 | # with older cppcheck version from ubuntu 20.04. | ||
| 64 | cppcheck_old: | ||
| 53 | runs-on: ubuntu-20.04 | 65 | runs-on: ubuntu-20.04 |
| 54 | steps: | 66 | steps: |
| 55 | - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b | 67 | - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b |
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cc7893305..75811d83a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml | |||
| @@ -20,15 +20,15 @@ on: | |||
| 20 | 20 | ||
| 21 | jobs: | 21 | jobs: |
| 22 | build_and_test: | 22 | build_and_test: |
| 23 | runs-on: ubuntu-20.04 | 23 | runs-on: ubuntu-22.04 |
| 24 | steps: | 24 | steps: |
| 25 | - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b | 25 | - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b |
| 26 | - name: update package information | 26 | - name: update package information |
| 27 | run: sudo apt-get update | 27 | run: sudo apt-get update |
| 28 | - name: install dependencies | 28 | - name: install dependencies |
| 29 | run: sudo apt-get install gcc-11 libapparmor-dev libselinux1-dev expect xzdec | 29 | run: sudo apt-get install gcc-12 libapparmor-dev libselinux1-dev expect xzdec |
| 30 | - name: configure | 30 | - name: configure |
| 31 | run: CC=gcc-11 ./configure --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux --prefix=/usr | 31 | run: CC=gcc-12 ./configure --enable-fatal-warnings --enable-analyzer --enable-apparmor --enable-selinux --prefix=/usr |
| 32 | - name: make | 32 | - name: make |
| 33 | run: make | 33 | run: make |
| 34 | - name: make install | 34 | - name: make install |
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml index 9138e8a57..d235aeb64 100644 --- a/.github/workflows/profile-checks.yml +++ b/.github/workflows/profile-checks.yml | |||
| @@ -18,7 +18,7 @@ on: | |||
| 18 | 18 | ||
| 19 | jobs: | 19 | jobs: |
| 20 | profile-checks: | 20 | profile-checks: |
| 21 | runs-on: ubuntu-20.04 | 21 | runs-on: ubuntu-latest |
| 22 | steps: | 22 | steps: |
| 23 | - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b | 23 | - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b |
| 24 | - name: sort.py | 24 | - name: sort.py |
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 2b0b3003e..6228e9740 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c | |||
| @@ -27,7 +27,7 @@ | |||
| 27 | 27 | ||
| 28 | static int prog_cnt = 0; | 28 | static int prog_cnt = 0; |
| 29 | 29 | ||
| 30 | static char *paths[] = { | 30 | static const char * const paths[] = { |
| 31 | "/usr/local/bin", | 31 | "/usr/local/bin", |
| 32 | "/usr/bin", | 32 | "/usr/bin", |
| 33 | "/bin", | 33 | "/bin", |
| @@ -40,7 +40,7 @@ static char *paths[] = { | |||
| 40 | }; | 40 | }; |
| 41 | 41 | ||
| 42 | // return 1 if found, 0 if not found | 42 | // return 1 if found, 0 if not found |
| 43 | static char *check_dir_or_file(const char *name) { | 43 | static const char *check_dir_or_file(const char *name) { |
| 44 | EUID_ASSERT(); | 44 | EUID_ASSERT(); |
| 45 | assert(name); | 45 | assert(name); |
| 46 | struct stat s; | 46 | struct stat s; |
| @@ -160,7 +160,7 @@ static void duplicate(char *fname) { | |||
| 160 | else { | 160 | else { |
| 161 | // Find the standard directory (by looping through paths[]) | 161 | // Find the standard directory (by looping through paths[]) |
| 162 | // where the filename fname is located | 162 | // where the filename fname is located |
| 163 | char *path = check_dir_or_file(fname); | 163 | const char *path = check_dir_or_file(fname); |
| 164 | if (!path) | 164 | if (!path) |
| 165 | return; | 165 | return; |
| 166 | if (asprintf(&full_path, "%s/%s", path, fname) == -1) | 166 | if (asprintf(&full_path, "%s/%s", path, fname) == -1) |
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index 9523875d7..ad5ee6759 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c | |||
| @@ -300,7 +300,7 @@ void fs_var_utmp(void) { | |||
| 300 | 300 | ||
| 301 | // read current utmp | 301 | // read current utmp |
| 302 | struct utmp *u; | 302 | struct utmp *u; |
| 303 | struct utmp u_boot; | 303 | struct utmp u_boot = {0}; |
| 304 | setutent(); | 304 | setutent(); |
| 305 | while ((u = getutent()) != NULL) { | 305 | while ((u = getutent()) != NULL) { |
| 306 | if (u->ut_type == BOOT_TIME) { | 306 | if (u->ut_type == BOOT_TIME) { |
diff --git a/src/lib/ldd_utils.c b/src/lib/ldd_utils.c index bc4f7cf9c..a50b759c3 100644 --- a/src/lib/ldd_utils.c +++ b/src/lib/ldd_utils.c | |||
| @@ -47,7 +47,7 @@ int is_lib_64(const char *exe) { | |||
| 47 | if (fd < 0) | 47 | if (fd < 0) |
| 48 | return 0; | 48 | return 0; |
| 49 | 49 | ||
| 50 | unsigned char buf[EI_NIDENT]; | 50 | unsigned char buf[EI_NIDENT] = {0}; |
| 51 | ssize_t len = 0; | 51 | ssize_t len = 0; |
| 52 | while (len < EI_NIDENT) { | 52 | while (len < EI_NIDENT) { |
| 53 | ssize_t sz = read(fd, buf + len, EI_NIDENT - len); | 53 | ssize_t sz = read(fd, buf + len, EI_NIDENT - len); |
diff --git a/test/Makefile b/test/Makefile index 2f3a97d73..2c376da58 100644 --- a/test/Makefile +++ b/test/Makefile | |||
| @@ -3,7 +3,7 @@ TESTS=$(patsubst %/,%,$(wildcard */)) | |||
| 3 | .PHONY: $(TESTS) | 3 | .PHONY: $(TESTS) |
| 4 | $(TESTS): | 4 | $(TESTS): |
| 5 | cd $@ && ./$@.sh 2>&1 | tee $@.log | 5 | cd $@ && ./$@.sh 2>&1 | tee $@.log |
| 6 | cd $@ && grep -a TESTING $@.log && grep -a -L "TESTING ERROR" $@.log | 6 | cd $@ && grep -a TESTING $@.log && ! grep -a -q "TESTING ERROR" $@.log |
| 7 | 7 | ||
| 8 | .PHONY: clean | 8 | .PHONY: clean |
| 9 | clean: | 9 | clean: |
diff --git a/test/environment/dns.exp b/test/environment/dns.exp index b5a8c119b..2c00cfa1c 100755 --- a/test/environment/dns.exp +++ b/test/environment/dns.exp | |||
| @@ -110,23 +110,23 @@ expect { | |||
| 110 | send -- "exit\r" | 110 | send -- "exit\r" |
| 111 | sleep 1 | 111 | sleep 1 |
| 112 | 112 | ||
| 113 | send -- "firejail --trace --dns=208.67.222.222 wget -q debian.org\r" | 113 | # test disabled, as Github CI uses systemd-resolved, which does not work |
| 114 | expect { | 114 | # properly with --dns=, so curl does not use the specified nameserver |
| 115 | timeout {puts "TESTING ERROR 6.1\n";exit} | 115 | #send -- "firejail --trace --dns=208.67.222.222 -- curl --silent --output /dev/null debian.org\r" |
| 116 | "connect" | 116 | #expect { |
| 117 | } | 117 | # timeout {puts "TESTING ERROR 6.1\n";exit} |
| 118 | expect { | 118 | # "connect" |
| 119 | timeout {puts "TESTING ERROR 6.2\n";exit} | 119 | #} |
| 120 | "208.67.222.222" | 120 | #expect { |
| 121 | } | 121 | # timeout {puts "TESTING ERROR 6.2\n";exit} |
| 122 | expect { | 122 | # "208.67.222.222" |
| 123 | timeout {puts "TESTING ERROR 6.3\n";exit} | 123 | #} |
| 124 | "53" | 124 | #expect { |
| 125 | } | 125 | # timeout {puts "TESTING ERROR 6.3\n";exit} |
| 126 | after 100 | 126 | # "53" |
| 127 | #} | ||
| 128 | #after 100 | ||
| 127 | 129 | ||
| 128 | send -- "rm index.html\r" | ||
| 129 | after 100 | ||
| 130 | send -- "exit\r" | 130 | send -- "exit\r" |
| 131 | sleep 1 | 131 | sleep 1 |
| 132 | 132 | ||
diff --git a/test/sysutils/less.exp b/test/sysutils/less.exp index e6698eab0..01a298fe0 100755 --- a/test/sysutils/less.exp +++ b/test/sysutils/less.exp | |||
| @@ -11,6 +11,7 @@ send -- "firejail less sysutils.sh\r" | |||
| 11 | expect { | 11 | expect { |
| 12 | timeout {puts "TESTING ERROR 1\n";exit} | 12 | timeout {puts "TESTING ERROR 1\n";exit} |
| 13 | "(press RETURN)" {puts "TESTING SKIP 1.1\n";exit} | 13 | "(press RETURN)" {puts "TESTING SKIP 1.1\n";exit} |
| 14 | "Press RETURN to continue" {puts "TESTING SKIP 1.2\n";exit} | ||
| 14 | "MALLOC_CHECK" | 15 | "MALLOC_CHECK" |
| 15 | } | 16 | } |
| 16 | expect { | 17 | expect { |
diff --git a/test/utils/man.exp b/test/utils/man.exp index 3a0ca46d6..f62859a8f 100755 --- a/test/utils/man.exp +++ b/test/utils/man.exp | |||
| @@ -11,6 +11,7 @@ send -- "man firejail\r" | |||
| 11 | expect { | 11 | expect { |
| 12 | timeout {puts "TESTING ERROR 0\n";exit} | 12 | timeout {puts "TESTING ERROR 0\n";exit} |
| 13 | "(press RETURN)" {puts "TESTING SKIP 1.1\n";exit} | 13 | "(press RETURN)" {puts "TESTING SKIP 1.1\n";exit} |
| 14 | "Press RETURN to continue" {puts "TESTING SKIP 1.2\n";exit} | ||
| 14 | "Linux namespaces sandbox program" | 15 | "Linux namespaces sandbox program" |
| 15 | } | 16 | } |
| 16 | after 100 | 17 | after 100 |
diff --git a/test/utils/trace.exp b/test/utils/trace.exp index f14001c88..beb59d337 100755 --- a/test/utils/trace.exp +++ b/test/utils/trace.exp | |||
| @@ -68,10 +68,6 @@ expect { | |||
| 68 | "wget:fopen /etc/wgetrc" {puts "OK\n";} | 68 | "wget:fopen /etc/wgetrc" {puts "OK\n";} |
| 69 | } | 69 | } |
| 70 | expect { | 70 | expect { |
| 71 | timeout {puts "TESTING ERROR 8.4\n";exit} | ||
| 72 | "wget:fopen /etc/hosts" | ||
| 73 | } | ||
| 74 | expect { | ||
| 75 | timeout {puts "TESTING ERROR 8.5\n";exit} | 71 | timeout {puts "TESTING ERROR 8.5\n";exit} |
| 76 | "wget:connect" | 72 | "wget:connect" |
| 77 | } | 73 | } |