1 files changed, 26 insertions, 26 deletions
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index 9640ef9ed..6cd58d78e 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -39,28 +39,28 @@ static struct sock_filter filter[] = {
 #endif
        // syscall list
-#ifdef SYS_mount                
+#ifdef SYS_mount
        BLACKLIST(SYS_mount),  // mount/unmount filesystems
 #endif
-#ifdef SYS_umount2              
+#ifdef SYS_umount2
        BLACKLIST(SYS_umount2),
 #endif
-#ifdef SYS_ptrace               
+#ifdef SYS_ptrace
        BLACKLIST(SYS_ptrace), // trace processes
 #endif
-#ifdef SYS_kexec_file_load              
+#ifdef SYS_kexec_file_load
        BLACKLIST(SYS_kexec_file_load),
 #endif
-#ifdef SYS_kexec_load           
+#ifdef SYS_kexec_load
        BLACKLIST(SYS_kexec_load), // loading a different kernel
 #endif
-#ifdef SYS_name_to_handle_at            
+#ifdef SYS_name_to_handle_at
        BLACKLIST(SYS_name_to_handle_at),
 #endif
-#ifdef SYS_open_by_handle_at            
+#ifdef SYS_open_by_handle_at
        BLACKLIST(SYS_open_by_handle_at), // open by handle
 #endif
-#ifdef SYS_init_module          
+#ifdef SYS_init_module
        BLACKLIST(SYS_init_module), // kernel module handling
 #endif
 #ifdef SYS_finit_module // introduced in 2013
@@ -69,31 +69,31 @@ static struct sock_filter filter[] = {
 #ifdef SYS_create_module
        BLACKLIST(SYS_create_module),
 #endif
-#ifdef SYS_delete_module                
+#ifdef SYS_delete_module
        BLACKLIST(SYS_delete_module),
 #endif
-#ifdef SYS_iopl         
+#ifdef SYS_iopl
        BLACKLIST(SYS_iopl), // io permissions
 #endif
-#ifdef  SYS_ioperm      
+#ifdef  SYS_ioperm
        BLACKLIST(SYS_ioperm),
 #endif
-#ifdef SYS_iopl         
+#ifdef SYS_iopl
        BLACKLIST(SYS_iopl), // io permissions
 #endif
-#ifdef  SYS_ioprio_set  
+#ifdef  SYS_ioprio_set
        BLACKLIST(SYS_ioprio_set),
 #endif
 #ifdef SYS_ni_syscall // new io permissions call on arm devices
        BLACKLIST(SYS_ni_syscall),
 #endif
-#ifdef SYS_swapon               
+#ifdef SYS_swapon
        BLACKLIST(SYS_swapon), // swap on/off
 #endif
-#ifdef SYS_swapoff              
+#ifdef SYS_swapoff
        BLACKLIST(SYS_swapoff),
 #endif
-#ifdef SYS_syslog               
+#ifdef SYS_syslog
        BLACKLIST(SYS_syslog), // kernel printk control
 #endif
        RETURN_ALLOW
@@ -113,7 +113,7 @@ typedef struct sbox_config {
 int sbox_run(unsigned filter, int num, ...) {
        EUID_ROOT();
-        
        int i;
        va_list valist;
        va_start(valist, num);
@@ -124,7 +124,7 @@ int sbox_run(unsigned filter, int num, ...) {
                arg[i] = va_arg(valist, char*);
        arg[i] = NULL;
        va_end(valist);
-        
        if (arg_debug) {
                printf("sbox run: ");
                for (i = 0; i <= num; i++)
@@ -138,7 +138,7 @@ int sbox_run(unsigned filter, int num, ...) {
        if (child == 0) {
                // clean the new process
                clearenv();
-                
                if (filter & SBOX_STDIN_FROM_FILE) {
                        int fd;
                        if((fd = open(SBOX_STDIN_FILE, O_RDONLY)) == -1) {
@@ -154,7 +154,7 @@ int sbox_run(unsigned filter, int num, ...) {
                        else // the user could run the sandbox without /dev/null
                                close(STDIN_FILENO);
                }
-                
                // close all other file descriptors
                int max = 20; // getdtablesize() is overkill for a firejail process
                for (i = 3; i < max; i++)
@@ -163,10 +163,10 @@ int sbox_run(unsigned filter, int num, ...) {
                if (arg_debug) {
                        printf("sbox file descriptors:\n");
                        int rv = system("ls -l /proc/self/fd");
-                        (void) rv;      
+                        (void) rv;
                }
-                umask(027);     
+                umask(027);
                // apply filters
                if (filter & SBOX_CAPS_NONE) {
@@ -178,7 +178,7 @@ int sbox_run(unsigned filter, int num, ...) {
                        set |=  ((uint64_t) 1) << CAP_NET_RAW;
                        caps_set(set);
 #endif
-                }       
+                }
                if (filter & SBOX_SECCOMP) {
                        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
@@ -200,11 +200,11 @@ int sbox_run(unsigned filter, int num, ...) {
                        drop_privs(1);
                clearenv();
-                
                // --quiet is passed as an environment variable
                if (arg_quiet)
                        setenv("FIREJAIL_QUIET", "yes", 1);
-                
                if (arg[0])     // get rid of scan-build warning
                        execvp(arg[0], arg);
                else
@@ -221,6 +221,6 @@ int sbox_run(unsigned filter, int num, ...) {
                fprintf(stderr, "Error: failed to run %s\n", arg[0]);
                exit(1);
        }
-        
        return status;
 }

diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index 9640ef9ed..6cd58d78e 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c
@@ -39,28 +39,28 @@ static struct sock_filter filter[] = {
39	#endif	39	#endif
40		40
41	// syscall list	41	// syscall list
42	#ifdef SYS_mount	42	#ifdef SYS_mount
43	BLACKLIST(SYS_mount), // mount/unmount filesystems	43	BLACKLIST(SYS_mount), // mount/unmount filesystems
44	#endif	44	#endif
45	#ifdef SYS_umount2	45	#ifdef SYS_umount2
46	BLACKLIST(SYS_umount2),	46	BLACKLIST(SYS_umount2),
47	#endif	47	#endif
48	#ifdef SYS_ptrace	48	#ifdef SYS_ptrace
49	BLACKLIST(SYS_ptrace), // trace processes	49	BLACKLIST(SYS_ptrace), // trace processes
50	#endif	50	#endif
51	#ifdef SYS_kexec_file_load	51	#ifdef SYS_kexec_file_load
52	BLACKLIST(SYS_kexec_file_load),	52	BLACKLIST(SYS_kexec_file_load),
53	#endif	53	#endif
54	#ifdef SYS_kexec_load	54	#ifdef SYS_kexec_load
55	BLACKLIST(SYS_kexec_load), // loading a different kernel	55	BLACKLIST(SYS_kexec_load), // loading a different kernel
56	#endif	56	#endif
57	#ifdef SYS_name_to_handle_at	57	#ifdef SYS_name_to_handle_at
58	BLACKLIST(SYS_name_to_handle_at),	58	BLACKLIST(SYS_name_to_handle_at),
59	#endif	59	#endif
60	#ifdef SYS_open_by_handle_at	60	#ifdef SYS_open_by_handle_at
61	BLACKLIST(SYS_open_by_handle_at), // open by handle	61	BLACKLIST(SYS_open_by_handle_at), // open by handle
62	#endif	62	#endif
63	#ifdef SYS_init_module	63	#ifdef SYS_init_module
64	BLACKLIST(SYS_init_module), // kernel module handling	64	BLACKLIST(SYS_init_module), // kernel module handling
65	#endif	65	#endif
66	#ifdef SYS_finit_module // introduced in 2013	66	#ifdef SYS_finit_module // introduced in 2013
@@ -69,31 +69,31 @@ static struct sock_filter filter[] = {
69	#ifdef SYS_create_module	69	#ifdef SYS_create_module
70	BLACKLIST(SYS_create_module),	70	BLACKLIST(SYS_create_module),
71	#endif	71	#endif
72	#ifdef SYS_delete_module	72	#ifdef SYS_delete_module
73	BLACKLIST(SYS_delete_module),	73	BLACKLIST(SYS_delete_module),
74	#endif	74	#endif
75	#ifdef SYS_iopl	75	#ifdef SYS_iopl
76	BLACKLIST(SYS_iopl), // io permissions	76	BLACKLIST(SYS_iopl), // io permissions
77	#endif	77	#endif
78	#ifdef SYS_ioperm	78	#ifdef SYS_ioperm
79	BLACKLIST(SYS_ioperm),	79	BLACKLIST(SYS_ioperm),
80	#endif	80	#endif
81	#ifdef SYS_iopl	81	#ifdef SYS_iopl
82	BLACKLIST(SYS_iopl), // io permissions	82	BLACKLIST(SYS_iopl), // io permissions
83	#endif	83	#endif
84	#ifdef SYS_ioprio_set	84	#ifdef SYS_ioprio_set
85	BLACKLIST(SYS_ioprio_set),	85	BLACKLIST(SYS_ioprio_set),
86	#endif	86	#endif
87	#ifdef SYS_ni_syscall // new io permissions call on arm devices	87	#ifdef SYS_ni_syscall // new io permissions call on arm devices
88	BLACKLIST(SYS_ni_syscall),	88	BLACKLIST(SYS_ni_syscall),
89	#endif	89	#endif
90	#ifdef SYS_swapon	90	#ifdef SYS_swapon
91	BLACKLIST(SYS_swapon), // swap on/off	91	BLACKLIST(SYS_swapon), // swap on/off
92	#endif	92	#endif
93	#ifdef SYS_swapoff	93	#ifdef SYS_swapoff
94	BLACKLIST(SYS_swapoff),	94	BLACKLIST(SYS_swapoff),
95	#endif	95	#endif
96	#ifdef SYS_syslog	96	#ifdef SYS_syslog
97	BLACKLIST(SYS_syslog), // kernel printk control	97	BLACKLIST(SYS_syslog), // kernel printk control
98	#endif	98	#endif
99	RETURN_ALLOW	99	RETURN_ALLOW
@@ -113,7 +113,7 @@ typedef struct sbox_config {
113		113
114	int sbox_run(unsigned filter, int num, ...) {	114	int sbox_run(unsigned filter, int num, ...) {
115	EUID_ROOT();	115	EUID_ROOT();
116		116
117	int i;	117	int i;
118	va_list valist;	118	va_list valist;
119	va_start(valist, num);	119	va_start(valist, num);
@@ -124,7 +124,7 @@ int sbox_run(unsigned filter, int num, ...) {
124	arg[i] = va_arg(valist, char*);	124	arg[i] = va_arg(valist, char*);
125	arg[i] = NULL;	125	arg[i] = NULL;
126	va_end(valist);	126	va_end(valist);
127		127
128	if (arg_debug) {	128	if (arg_debug) {
129	printf("sbox run: ");	129	printf("sbox run: ");
130	for (i = 0; i <= num; i++)	130	for (i = 0; i <= num; i++)
@@ -138,7 +138,7 @@ int sbox_run(unsigned filter, int num, ...) {
138	if (child == 0) {	138	if (child == 0) {
139	// clean the new process	139	// clean the new process
140	clearenv();	140	clearenv();
141		141
142	if (filter & SBOX_STDIN_FROM_FILE) {	142	if (filter & SBOX_STDIN_FROM_FILE) {
143	int fd;	143	int fd;
144	if((fd = open(SBOX_STDIN_FILE, O_RDONLY)) == -1) {	144	if((fd = open(SBOX_STDIN_FILE, O_RDONLY)) == -1) {
@@ -154,7 +154,7 @@ int sbox_run(unsigned filter, int num, ...) {
154	else // the user could run the sandbox without /dev/null	154	else // the user could run the sandbox without /dev/null
155	close(STDIN_FILENO);	155	close(STDIN_FILENO);
156	}	156	}
157		157
158	// close all other file descriptors	158	// close all other file descriptors
159	int max = 20; // getdtablesize() is overkill for a firejail process	159	int max = 20; // getdtablesize() is overkill for a firejail process
160	for (i = 3; i < max; i++)	160	for (i = 3; i < max; i++)
@@ -163,10 +163,10 @@ int sbox_run(unsigned filter, int num, ...) {
163	if (arg_debug) {	163	if (arg_debug) {
164	printf("sbox file descriptors:\n");	164	printf("sbox file descriptors:\n");
165	int rv = system("ls -l /proc/self/fd");	165	int rv = system("ls -l /proc/self/fd");
166	(void) rv;	166	(void) rv;
167	}	167	}
168		168
169	umask(027);	169	umask(027);
170		170
171	// apply filters	171	// apply filters
172	if (filter & SBOX_CAPS_NONE) {	172	if (filter & SBOX_CAPS_NONE) {
@@ -178,7 +178,7 @@ int sbox_run(unsigned filter, int num, ...) {
178	set \|= ((uint64_t) 1) << CAP_NET_RAW;	178	set \|= ((uint64_t) 1) << CAP_NET_RAW;
179	caps_set(set);	179	caps_set(set);
180	#endif	180	#endif
181	}	181	}
182		182
183	if (filter & SBOX_SECCOMP) {	183	if (filter & SBOX_SECCOMP) {
184	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {	184	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
@@ -200,11 +200,11 @@ int sbox_run(unsigned filter, int num, ...) {
200	drop_privs(1);	200	drop_privs(1);
201		201
202	clearenv();	202	clearenv();
203		203
204	// --quiet is passed as an environment variable	204	// --quiet is passed as an environment variable
205	if (arg_quiet)	205	if (arg_quiet)
206	setenv("FIREJAIL_QUIET", "yes", 1);	206	setenv("FIREJAIL_QUIET", "yes", 1);
207		207
208	if (arg[0]) // get rid of scan-build warning	208	if (arg[0]) // get rid of scan-build warning
209	execvp(arg[0], arg);	209	execvp(arg[0], arg);
210	else	210	else
@@ -221,6 +221,6 @@ int sbox_run(unsigned filter, int num, ...) {
221	fprintf(stderr, "Error: failed to run %s\n", arg[0]);	221	fprintf(stderr, "Error: failed to run %s\n", arg[0]);
222	exit(1);	222	exit(1);
223	}	223	}
224		224
225	return status;	225	return status;
226	}	226	}