1 files changed, 354 insertions, 0 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
new file mode 100644
index 000000000..2ec6e54c9
--- /dev/null
+++ b/src/firejail/firejail.h
@@ -0,0 +1,354 @@
+/*
+ * Copyright (C) 2014, 2015 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#ifndef FIREJAIL_H
+#define FIREJAIL_H
+#include "../include/common.h"
+#define USELOCK
+#define FIREJAIL_DIR    "/tmp/firejail"
+#define RO_DIR  "/tmp/firejail/firejail.ro.dir"
+#define RO_FILE "/tmp/firejail/firejail.ro.file"
+#define MNT_DIR "/tmp/firejail/mnt"
+#define OVERLAY_DIR     "/tmp/firejail/overlay"
+#define HOME_DIR        "/tmp/firejail/mnt/home"
+#define MAX_INCLUDE_LEVEL 6
+// main.c
+typedef struct bridge_t {
+        // on the host
+        char *dev;              // interface device name: bridge or regular ethernet
+        uint32_t ip;            // interface device IP address
+        uint32_t mask;          // interface device mask
+        uint8_t mac[6];         // interface mac address
+        
+        // inside the sandbox
+        char *devsandbox;       // name of the device inside the sandbox
+        uint32_t ipsandbox;     // ip address inside the sandbox
+        uint8_t macsandbox[6]; // mac address inside the sandbox
+        uint32_t iprange_start;// iprange arp scan start range
+        uint32_t iprange_end;   // iprange arp scan end range
+        
+        // flags
+        uint8_t arg_ip_none;    // --ip=none
+        uint8_t macvlan;        // set by --net=eth0 (or eth1, ...); reset by --net=br0 (or br1, ...)
+        uint8_t configured;
+        uint8_t scan;           // set by --scan
+}  Bridge;
+typedef struct profile_entry_t {
+        struct profile_entry_t *next;
+        char *data;
+}ProfileEntry;
+typedef struct config_t {
+        // user data
+        char *username;
+        char *homedir;
+        
+        // filesystem
+        ProfileEntry *profile;
+        char *chrootdir;        // chroot directory
+        char *home_private;     // private home directory
+        char *home_private_keep;        // keep list for private home directory
+        char *cwd;              // current working directory
+        // networking
+        char *hostname;
+        uint32_t defaultgw;     // default gateway
+        Bridge bridge0;
+        Bridge bridge1;
+        Bridge bridge2;
+        Bridge bridge3;
+        uint32_t dns1;  // up to 3 IP addresses for dns servers
+        uint32_t dns2;
+        uint32_t dns3;
+        // rlimits
+        unsigned rlimit_nofile;
+        unsigned rlimit_nproc;
+        unsigned rlimit_fsize;
+        unsigned rlimit_sigpending;
+        
+        // cpu affinity and control groups
+        uint32_t cpus;
+        char *cgroup;
+        
+        // command line
+        char *command_line;
+        char *command_name;
+        char *shell;
+        char **original_argv;
+        int original_argc;
+        int original_program_index;
+} Config;
+extern Config cfg;
+static inline int any_bridge_configured(void) {
+        if (cfg.bridge3.configured || cfg.bridge2.configured || cfg.bridge1.configured || cfg.bridge0.configured)
+                return 1;
+        else
+                return 0;
+}
+extern int arg_private;         // mount private /home and /tmp directory
+extern int arg_debug;           // print debug messages
+extern int arg_nonetwork;       // --net=none
+extern int arg_command; // -c
+extern int arg_overlay;         // --overlay
+extern int arg_zsh;             // use zsh as default shell
+extern int arg_csh;             // use csh as default shell
+extern int arg_seccomp; // enable default seccomp filter
+extern char *arg_seccomp_list;//  optional seccomp list on top of default filter
+extern char *arg_seccomp_list_drop;             // seccomp drop list
+extern char *arg_seccomp_list_keep;             // seccomp keep list
+extern int arg_caps_default_filter;     // enable default capabilities filter
+extern int arg_caps_drop;               // drop list
+extern int arg_caps_drop_all;           // drop all capabilities
+extern int arg_caps_keep;               // keep list
+extern char *arg_caps_list;             // optional caps list
+extern int arg_trace;           // syscall tracing support
+extern int arg_rlimit_nofile;   // rlimit nofile
+extern int arg_rlimit_nproc;    // rlimit nproc
+extern int arg_rlimit_fsize;    // rlimit fsize
+extern int arg_rlimit_sigpending;// rlimit sigpending
+extern int arg_nox11;           // kill the program if x11 unix domain socket is accessed
+extern int arg_nodbus;          // kill the program if D-Bus is accessed
+extern int arg_nogroups;        // disable supplementary groups
+extern int arg_noroot;          // create a new user namespace and disable root user
+extern int arg_netfilter;       // enable netfilter
+extern char *arg_netfilter_file;        // netfilter file
+extern int arg_doubledash;      // double dash
+extern int arg_shell_none;      // run the program directly without a shell
+extern int arg_private_dev;     // private dev directory
+extern int arg_scan;            // arp-scan all interfaces
+extern int parent_to_child_fds[2];
+extern int child_to_parent_fds[2];
+extern pid_t sandbox_pid;
+#define MAX_ARGS 128            // maximum number of command arguments (argc)
+extern char *fullargv[MAX_ARGS];
+extern int fullargc;
+// main.c
+void check_user_namespace(void);
+// sandbox.c
+int sandbox(void* sandbox_arg);
+// network_main.c
+void net_configure_bridge(Bridge *br, char *dev_name);
+void net_configure_sandbox_ip(Bridge *br);
+void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child);
+void net_check_cfg(void);
+void net_dns_print_name(const char *name);
+void net_dns_print(pid_t pid);
+// network.c
+void net_if_up(const char *ifname);
+void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask);
+int net_get_if_addr(const char *bridge, uint32_t *ip, uint32_t *mask, uint8_t mac[6]);
+int net_add_route(uint32_t dest, uint32_t mask, uint32_t gw);
+void net_ifprint(void);
+void net_bridge_add_interface(const char *bridge, const char *dev);
+uint32_t network_get_defaultgw(void);
+int net_config_mac(const char *ifname, const unsigned char mac[6]);
+int net_get_mac(const char *ifname, unsigned char mac[6]);
+// fs.c
+// build /tmp/firejail directory
+void fs_build_firejail_dir(void);
+// build /tmp/firejail/mnt directory
+void fs_build_mnt_dir(void);
+// blacklist files or directoies by mounting empty files on top of them
+void fs_blacklist(const char *homedir);
+//void fs_blacklist(char **blacklist, const char *homedir);
+// remount a directory read-only
+void fs_rdonly(const char *dir);
+// mount /proc and /sys directories
+void fs_proc_sys_dev_boot(void);
+// build a basic read-only filesystem
+void fs_basic_fs(void);
+// mount overlayfs on top of / directory
+void fs_overlayfs(void);
+// chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
+void fs_chroot(const char *rootdir);
+int fs_check_chroot_dir(const char *rootdir);
+// profile.c
+// find and read the profile specified by name from dir directory
+int profile_find(const char *name, const char *dir);
+// read a profile file
+void profile_read(const char *fname, const char *skip1, const char *skip2);
+// check profile line; if line == 0, this was generated from a command line option
+// return 1 if the command is to be added to the linked list of profile commands
+// return 0 if the command was already executed inside the function
+int profile_check_line(char *ptr, int lineno);
+// add a profile entry in cfg.profile list; use str to populate the list
+void profile_add(char *str);
+// list.c
+void list(void);
+void tree(void);
+void top(void);
+void netstats(void);
+// usage.c
+void usage(void);
+// join.c
+void join(pid_t pid, const char *homedir, int argc, char **argv, int index);
+void join_name(const char *name, const char *homedir, int argc, char **argv, int index);
+void shut(pid_t pid);
+void shut_name(const char *name);
+// restricted_shell.c
+extern char *restricted_user;
+int restricted_shell(const char *user);
+// arp.c
+// returns 0 if the address is not in use, -1 otherwise
+int arp_check(const char *dev, uint32_t destaddr, uint32_t srcaddr);
+// assign an IP address using arp scanning
+uint32_t arp_assign(const char *dev, Bridge *br);
+// scan interface (--scan option)
+void arp_scan(const char *dev, uint32_t srcaddr, uint32_t srcmask);
+// veth.c
+int net_create_veth(const char *dev, const char *nsdev, unsigned pid);
+int net_create_macvlan(const char *dev, const char *parent, unsigned pid);
+// util.c
+void drop_privs(int nogroups);
+void extract_command_name(const char *str);
+void logsignal(int s);
+void logmsg(const char *msg);
+void logargs(int argc, char **argv) ;
+void logerr(const char *msg);
+int copy_file(const char *srcname, const char *destname);
+char *get_link(const char *fname);
+int is_dir(const char *fname);
+int is_link(const char *fname);
+char *line_remove_spaces(const char *buf);
+char *split_comma(char *str);
+int not_unsigned(const char *str);
+int find_child(pid_t parent, pid_t *child);
+void check_private_dir(void);
+void update_map(char *mapping, char *map_file);
+void wait_for_other(int fd);
+void notify_other(int fd);
+// fs_var.c
+void fs_var_log(void);  // mounting /var/log
+void fs_var_lib(void);  // various other fixes for software in /var directory
+void fs_var_cache(void); // various other fixes for software in /var/cache directory
+void fs_var_run(void);
+void fs_var_lock(void);
+void fs_var_tmp(void);
+void fs_var_utmp(void);
+void dbg_test_dir(const char *dir);
+// fs_dev.c
+void fs_dev_shm(void);
+void fs_private_dev(void);
+// fs_home.c
+// private mode (--private)
+void fs_private(void);
+// private mode (--private=homedir)
+void fs_private_homedir(void);
+// private mode (--private.keep=list)
+void fs_private_home_list(void);
+// check directory linst specified by user (--private.keep option) - exit if it fails
+void fs_check_home_list(void);
+// check new private home directory (--private= option) - exit if it fails
+void fs_check_private_dir(void);
+// seccomp.c
+int seccomp_filter_drop(void);
+int seccomp_filter_keep(void);
+void seccomp_set(void);
+void seccomp_print_filter_name(const char *name);
+void seccomp_print_filter(pid_t pid);
+// caps.c
+int caps_default_filter(void);
+void caps_print(void);
+void caps_drop_all(void);
+void caps_set(uint64_t caps);
+int caps_check_list(const char *clist, void (*callback)(int));
+void caps_drop_list(const char *clist);
+void caps_keep_list(const char *clist);
+void caps_print_filter(pid_t pid);
+void caps_print_filter_name(const char *name);
+// syscall.c
+const char *syscall_find_nr(int nr);
+// return -1 if error, 0 if no error
+int syscall_check_list(const char *slist, void (*callback)(int));
+// print all available syscalls
+void syscall_print(void);
+// fs_trace.c
+void fs_trace_preload(void);
+void fs_trace(void);
+// fs_hostname.c
+void fs_hostname(const char *hostname);
+void fs_resolvconf(void);
+// rlimit.c
+void set_rlimits(void);
+// cpu.c
+void read_cpu_list(const char *str);
+void set_cpu_affinity(void);
+void load_cpu(const char *fname);
+void save_cpu(void);
+// cgroup.c
+void save_cgroup(void);
+void load_cgroup(const char *fname);
+void set_cgroup(const char *path);
+// output.c
+void check_output(int argc, char **argv);
+// netfilter.c
+void check_netfilter_file(const char *fname);
+void netfilter(const char *fname);
+// bandwidth.c
+void shm_create_firejail_dir(void);
+void bandwidth_shm_del_file(pid_t pid);
+void bandwidth_shm_set(pid_t pid, const char *dev, int down, int up);
+void bandwidth_name(const char *name, const char *command, const char *dev, int down, int up);
+void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, int up);
+void network_shm_del_file(pid_t pid);
+void network_shm_set_file(pid_t pid);
+#endif
+\ No newline at end of file

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h new file mode 100644 index 000000000..2ec6e54c9 --- /dev/null +++ b/src/firejail/firejail.h
@@ -0,0 +1,354 @@
	1	/*
	2	* Copyright (C) 2014, 2015 Firejail Authors
	3	*
	4	* This file is part of firejail project
	5	*
	6	* This program is free software; you can redistribute it and/or modify
	7	* it under the terms of the GNU General Public License as published by
	8	* the Free Software Foundation; either version 2 of the License, or
	9	* (at your option) any later version.
	10	*
	11	* This program is distributed in the hope that it will be useful,
	12	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	14	* GNU General Public License for more details.
	15	*
	16	* You should have received a copy of the GNU General Public License along
	17	* with this program; if not, write to the Free Software Foundation, Inc.,
	18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
	19	*/
	20	#ifndef FIREJAIL_H
	21	#define FIREJAIL_H
	22	#include "../include/common.h"
	23
	24	#define USELOCK
	25	#define FIREJAIL_DIR "/tmp/firejail"
	26	#define RO_DIR "/tmp/firejail/firejail.ro.dir"
	27	#define RO_FILE "/tmp/firejail/firejail.ro.file"
	28	#define MNT_DIR "/tmp/firejail/mnt"
	29	#define OVERLAY_DIR "/tmp/firejail/overlay"
	30	#define HOME_DIR "/tmp/firejail/mnt/home"
	31	#define MAX_INCLUDE_LEVEL 6
	32
	33	// main.c
	34	typedef struct bridge_t {
	35	// on the host
	36	char *dev; // interface device name: bridge or regular ethernet
	37	uint32_t ip; // interface device IP address
	38	uint32_t mask; // interface device mask
	39	uint8_t mac[6]; // interface mac address
	40
	41	// inside the sandbox
	42	char *devsandbox; // name of the device inside the sandbox
	43	uint32_t ipsandbox; // ip address inside the sandbox
	44	uint8_t macsandbox[6]; // mac address inside the sandbox
	45	uint32_t iprange_start;// iprange arp scan start range
	46	uint32_t iprange_end; // iprange arp scan end range
	47
	48	// flags
	49	uint8_t arg_ip_none; // --ip=none
	50	uint8_t macvlan; // set by --net=eth0 (or eth1, ...); reset by --net=br0 (or br1, ...)
	51	uint8_t configured;
	52	uint8_t scan; // set by --scan
	53	} Bridge;
	54
	55	typedef struct profile_entry_t {
	56	struct profile_entry_t *next;
	57	char *data;
	58	}ProfileEntry;
	59
	60	typedef struct config_t {
	61	// user data
	62	char *username;
	63	char *homedir;
	64
	65	// filesystem
	66	ProfileEntry *profile;
	67	char *chrootdir; // chroot directory
	68	char *home_private; // private home directory
	69	char *home_private_keep; // keep list for private home directory
	70	char *cwd; // current working directory
	71
	72	// networking
	73	char *hostname;
	74	uint32_t defaultgw; // default gateway
	75	Bridge bridge0;
	76	Bridge bridge1;
	77	Bridge bridge2;
	78	Bridge bridge3;
	79	uint32_t dns1; // up to 3 IP addresses for dns servers
	80	uint32_t dns2;
	81	uint32_t dns3;
	82
	83	// rlimits
	84	unsigned rlimit_nofile;
	85	unsigned rlimit_nproc;
	86	unsigned rlimit_fsize;
	87	unsigned rlimit_sigpending;
	88
	89	// cpu affinity and control groups
	90	uint32_t cpus;
	91	char *cgroup;
	92
	93
	94	// command line
	95	char *command_line;
	96	char *command_name;
	97	char *shell;
	98	char **original_argv;
	99	int original_argc;
	100	int original_program_index;
	101	} Config;
	102	extern Config cfg;
	103
	104	static inline int any_bridge_configured(void) {
	105	if (cfg.bridge3.configured \|\| cfg.bridge2.configured \|\| cfg.bridge1.configured \|\| cfg.bridge0.configured)
	106	return 1;
	107	else
	108	return 0;
	109	}
	110	extern int arg_private; // mount private /home and /tmp directory
	111	extern int arg_debug; // print debug messages
	112	extern int arg_nonetwork; // --net=none
	113	extern int arg_command; // -c
	114	extern int arg_overlay; // --overlay
	115	extern int arg_zsh; // use zsh as default shell
	116	extern int arg_csh; // use csh as default shell
	117
	118	extern int arg_seccomp; // enable default seccomp filter
	119	extern char *arg_seccomp_list;// optional seccomp list on top of default filter
	120	extern char *arg_seccomp_list_drop; // seccomp drop list
	121	extern char *arg_seccomp_list_keep; // seccomp keep list
	122
	123	extern int arg_caps_default_filter; // enable default capabilities filter
	124	extern int arg_caps_drop; // drop list
	125	extern int arg_caps_drop_all; // drop all capabilities
	126	extern int arg_caps_keep; // keep list
	127	extern char *arg_caps_list; // optional caps list
	128
	129	extern int arg_trace; // syscall tracing support
	130	extern int arg_rlimit_nofile; // rlimit nofile
	131	extern int arg_rlimit_nproc; // rlimit nproc
	132	extern int arg_rlimit_fsize; // rlimit fsize
	133	extern int arg_rlimit_sigpending;// rlimit sigpending
	134	extern int arg_nox11; // kill the program if x11 unix domain socket is accessed
	135	extern int arg_nodbus; // kill the program if D-Bus is accessed
	136	extern int arg_nogroups; // disable supplementary groups
	137	extern int arg_noroot; // create a new user namespace and disable root user
	138	extern int arg_netfilter; // enable netfilter
	139	extern char *arg_netfilter_file; // netfilter file
	140	extern int arg_doubledash; // double dash
	141	extern int arg_shell_none; // run the program directly without a shell
	142	extern int arg_private_dev; // private dev directory
	143	extern int arg_scan; // arp-scan all interfaces
	144
	145	extern int parent_to_child_fds[2];
	146	extern int child_to_parent_fds[2];
	147	extern pid_t sandbox_pid;
	148
	149
	150
	151	#define MAX_ARGS 128 // maximum number of command arguments (argc)
	152	extern char *fullargv[MAX_ARGS];
	153	extern int fullargc;
	154
	155	// main.c
	156	void check_user_namespace(void);
	157
	158	// sandbox.c
	159	int sandbox(void* sandbox_arg);
	160
	161	// network_main.c
	162	void net_configure_bridge(Bridge br, char dev_name);
	163	void net_configure_sandbox_ip(Bridge *br);
	164	void net_configure_veth_pair(Bridge br, const char ifname, pid_t child);
	165	void net_check_cfg(void);
	166	void net_dns_print_name(const char *name);
	167	void net_dns_print(pid_t pid);
	168
	169	// network.c
	170	void net_if_up(const char *ifname);
	171	void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask);
	172	int net_get_if_addr(const char bridge, uint32_t ip, uint32_t *mask, uint8_t mac[6]);
	173	int net_add_route(uint32_t dest, uint32_t mask, uint32_t gw);
	174	void net_ifprint(void);
	175	void net_bridge_add_interface(const char bridge, const char dev);
	176	uint32_t network_get_defaultgw(void);
	177	int net_config_mac(const char *ifname, const unsigned char mac[6]);
	178	int net_get_mac(const char *ifname, unsigned char mac[6]);
	179
	180	// fs.c
	181	// build /tmp/firejail directory
	182	void fs_build_firejail_dir(void);
	183	// build /tmp/firejail/mnt directory
	184	void fs_build_mnt_dir(void);
	185	// blacklist files or directoies by mounting empty files on top of them
	186	void fs_blacklist(const char *homedir);
	187	//void fs_blacklist(char *blacklist, const char homedir);
	188	// remount a directory read-only
	189	void fs_rdonly(const char *dir);
	190	// mount /proc and /sys directories
	191	void fs_proc_sys_dev_boot(void);
	192	// build a basic read-only filesystem
	193	void fs_basic_fs(void);
	194	// mount overlayfs on top of / directory
	195	void fs_overlayfs(void);
	196	// chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf
	197	void fs_chroot(const char *rootdir);
	198	int fs_check_chroot_dir(const char *rootdir);
	199
	200	// profile.c
	201	// find and read the profile specified by name from dir directory
	202	int profile_find(const char name, const char dir);
	203	// read a profile file
	204	void profile_read(const char fname, const char skip1, const char *skip2);
	205	// check profile line; if line == 0, this was generated from a command line option
	206	// return 1 if the command is to be added to the linked list of profile commands
	207	// return 0 if the command was already executed inside the function
	208	int profile_check_line(char *ptr, int lineno);
	209	// add a profile entry in cfg.profile list; use str to populate the list
	210	void profile_add(char *str);
	211
	212	// list.c
	213	void list(void);
	214	void tree(void);
	215	void top(void);
	216	void netstats(void);
	217
	218	// usage.c
	219	void usage(void);
	220
	221	// join.c
	222	void join(pid_t pid, const char homedir, int argc, char *argv, int index);
	223	void join_name(const char name, const char homedir, int argc, char **argv, int index);
	224	void shut(pid_t pid);
	225	void shut_name(const char *name);
	226
	227	// restricted_shell.c
	228	extern char *restricted_user;
	229	int restricted_shell(const char *user);
	230
	231	// arp.c
	232	// returns 0 if the address is not in use, -1 otherwise
	233	int arp_check(const char *dev, uint32_t destaddr, uint32_t srcaddr);
	234	// assign an IP address using arp scanning
	235	uint32_t arp_assign(const char dev, Bridge br);
	236	// scan interface (--scan option)
	237	void arp_scan(const char *dev, uint32_t srcaddr, uint32_t srcmask);
	238
	239	// veth.c
	240	int net_create_veth(const char dev, const char nsdev, unsigned pid);
	241	int net_create_macvlan(const char dev, const char parent, unsigned pid);
	242
	243	// util.c
	244	void drop_privs(int nogroups);
	245	void extract_command_name(const char *str);
	246	void logsignal(int s);
	247	void logmsg(const char *msg);
	248	void logargs(int argc, char **argv) ;
	249	void logerr(const char *msg);
	250	int copy_file(const char srcname, const char destname);
	251	char get_link(const char fname);
	252	int is_dir(const char *fname);
	253	int is_link(const char *fname);
	254	char line_remove_spaces(const char buf);
	255	char split_comma(char str);
	256	int not_unsigned(const char *str);
	257	int find_child(pid_t parent, pid_t *child);
	258	void check_private_dir(void);
	259	void update_map(char mapping, char map_file);
	260	void wait_for_other(int fd);
	261	void notify_other(int fd);
	262
	263	// fs_var.c
	264	void fs_var_log(void); // mounting /var/log
	265	void fs_var_lib(void); // various other fixes for software in /var directory
	266	void fs_var_cache(void); // various other fixes for software in /var/cache directory
	267	void fs_var_run(void);
	268	void fs_var_lock(void);
	269	void fs_var_tmp(void);
	270	void fs_var_utmp(void);
	271	void dbg_test_dir(const char *dir);
	272
	273	// fs_dev.c
	274	void fs_dev_shm(void);
	275	void fs_private_dev(void);
	276
	277	// fs_home.c
	278	// private mode (--private)
	279	void fs_private(void);
	280	// private mode (--private=homedir)
	281	void fs_private_homedir(void);
	282	// private mode (--private.keep=list)
	283	void fs_private_home_list(void);
	284	// check directory linst specified by user (--private.keep option) - exit if it fails
	285	void fs_check_home_list(void);
	286	// check new private home directory (--private= option) - exit if it fails
	287	void fs_check_private_dir(void);
	288
	289
	290	// seccomp.c
	291	int seccomp_filter_drop(void);
	292	int seccomp_filter_keep(void);
	293	void seccomp_set(void);
	294	void seccomp_print_filter_name(const char *name);
	295	void seccomp_print_filter(pid_t pid);
	296
	297	// caps.c
	298	int caps_default_filter(void);
	299	void caps_print(void);
	300	void caps_drop_all(void);
	301	void caps_set(uint64_t caps);
	302	int caps_check_list(const char clist, void (callback)(int));
	303	void caps_drop_list(const char *clist);
	304	void caps_keep_list(const char *clist);
	305	void caps_print_filter(pid_t pid);
	306	void caps_print_filter_name(const char *name);
	307
	308	// syscall.c
	309	const char *syscall_find_nr(int nr);
	310	// return -1 if error, 0 if no error
	311	int syscall_check_list(const char slist, void (callback)(int));
	312	// print all available syscalls
	313	void syscall_print(void);
	314
	315	// fs_trace.c
	316	void fs_trace_preload(void);
	317	void fs_trace(void);
	318
	319	// fs_hostname.c
	320	void fs_hostname(const char *hostname);
	321	void fs_resolvconf(void);
	322
	323	// rlimit.c
	324	void set_rlimits(void);
	325
	326	// cpu.c
	327	void read_cpu_list(const char *str);
	328	void set_cpu_affinity(void);
	329	void load_cpu(const char *fname);
	330	void save_cpu(void);
	331
	332	// cgroup.c
	333	void save_cgroup(void);
	334	void load_cgroup(const char *fname);
	335	void set_cgroup(const char *path);
	336
	337	// output.c
	338	void check_output(int argc, char **argv);
	339
	340	// netfilter.c
	341	void check_netfilter_file(const char *fname);
	342	void netfilter(const char *fname);
	343
	344	// bandwidth.c
	345	void shm_create_firejail_dir(void);
	346	void bandwidth_shm_del_file(pid_t pid);
	347	void bandwidth_shm_set(pid_t pid, const char *dev, int down, int up);
	348	void bandwidth_name(const char name, const char command, const char *dev, int down, int up);
	349	void bandwidth_pid(pid_t pid, const char command, const char dev, int down, int up);
	350	void network_shm_del_file(pid_t pid);
	351	void network_shm_set_file(pid_t pid);
	352
	353
	354	#endif \ No newline at end of file