Diffstat (limited to 'src/fseccomp')
-rw-r--r--src/fseccomp/Makefile.in1
-rw-r--r--src/fseccomp/errno.c2
-rw-r--r--src/fseccomp/main.c8
-rw-r--r--src/fseccomp/protocol.c14
-rw-r--r--src/fseccomp/seccomp.c13
-rw-r--r--src/fseccomp/seccomp_file.c7
-rw-r--r--src/fseccomp/seccomp_print.c10
-rw-r--r--src/fseccomp/seccomp_secondary.c13
-rw-r--r--src/fseccomp/syscall.c10
9 files changed, 37 insertions, 41 deletions
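--- a/src/fseccomp/Makefile.in
+++ b/src/fseccomp/Makefile.in
@@ -42,4 +42,3 @@ clean:; rm -f *.o fseccomp *.gcov *.gcda *.gcno
 
 distclean: clean
 	rm -fr Makefile
-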
diff --git a/src/fseccomp/errno.c b/src/fseccomp/errno.c
index 3e92a1f9d..e5cd4e226 100644
--- a/src/fseccomp/errno.c
+++ b/src/fseccomp/errno.c
@@ -167,7 +167,7 @@ static ErrnoEntry errnolist[] = {
167 {"ENOTSUP", ENOTSUP}, 167 {"ENOTSUP", ENOTSUP},
168#ifdef ENOATTR 168#ifdef ENOATTR
169 {"ENOATTR", ENOATTR}, 169 {"ENOATTR", ENOATTR},
170#endif 170#endif
171}; 171};
172 172
173int errno_find_name(const char *name) { 173int errno_find_name(const char *name) {
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index 7e0239a5f..e322b5bbb 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -46,7 +46,7 @@ int i;
46for (i = 0; i < argc; i++) 46for (i = 0; i < argc; i++)
47 printf("*%s* ", argv[i]); 47 printf("*%s* ", argv[i]);
48printf("\n"); 48printf("\n");
49} 49}
50#endif 50#endif
51 if (argc < 2) { 51 if (argc < 2) {
52 usage(); 52 usage();
@@ -56,7 +56,7 @@ printf("\n");
56 char *quiet = getenv("FIREJAIL_QUIET"); 56 char *quiet = getenv("FIREJAIL_QUIET");
57 if (quiet && strcmp(quiet, "yes") == 0) 57 if (quiet && strcmp(quiet, "yes") == 0)
58 arg_quiet = 1; 58 arg_quiet = 1;
59 59
60 if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) { 60 if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) {
61 usage(); 61 usage();
62 return 0; 62 return 0;
@@ -71,7 +71,7 @@ printf("\n");
71 protocol_build_filter(argv[3], argv[4]); 71 protocol_build_filter(argv[3], argv[4]);
72 else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "64") == 0) 72 else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "64") == 0)
73 seccomp_secondary_64(argv[3]); 73 seccomp_secondary_64(argv[3]);
74 else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "32") == 0) 74 else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "32") == 0)
75 seccomp_secondary_32(argv[3]); 75 seccomp_secondary_32(argv[3]);
76 else if (argc == 3 && strcmp(argv[1], "default") == 0) 76 else if (argc == 3 && strcmp(argv[1], "default") == 0)
77 seccomp_default(argv[2], 0); 77 seccomp_default(argv[2], 0);
@@ -95,4 +95,4 @@ printf("\n");
95 } 95 }
96 96
97 return 0; 97 return 0;
98} \ No newline at end of file 98}
diff --git a/src/fseccomp/protocol.c b/src/fseccomp/protocol.c
index 4a0fadb3c..43bc3d562 100644
--- a/src/fseccomp/protocol.c
+++ b/src/fseccomp/protocol.c
@@ -87,7 +87,7 @@ static struct sock_filter *find_protocol_domain(const char *p) {
87 } 87 }
88 88
89 return NULL; 89 return NULL;
90} 90}
91#endif 91#endif
92 92
93void protocol_print(void) { 93void protocol_print(void) {
@@ -119,7 +119,7 @@ void protocol_build_filter(const char *prlist, const char *fname) {
119 struct sock_filter filter[32]; // big enough 119 struct sock_filter filter[32]; // big enough
120 memset(&filter[0], 0, sizeof(filter)); 120 memset(&filter[0], 0, sizeof(filter));
121 uint8_t *ptr = (uint8_t *) &filter[0]; 121 uint8_t *ptr = (uint8_t *) &filter[0];
122 122
123 // header 123 // header
124 struct sock_filter filter_start[] = { 124 struct sock_filter filter_start[] = {
125 VALIDATE_ARCHITECTURE, 125 VALIDATE_ARCHITECTURE,
@@ -153,7 +153,7 @@ printf("whitelist_len %u, struct sock_filter len %u\n", whitelist_len, (unsigned
153 char *token = strtok(tmplist, ","); 153 char *token = strtok(tmplist, ",");
154 if (!token) 154 if (!token)
155 errExit("strtok"); 155 errExit("strtok");
156 156
157 while (token) { 157 while (token) {
158 struct sock_filter *domain = find_protocol_domain(token); 158 struct sock_filter *domain = find_protocol_domain(token);
159 if (domain == NULL) { 159 if (domain == NULL) {
@@ -179,7 +179,7 @@ printf("entries %u\n", (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (uns
179#endif 179#endif
180 180
181 181
182 } 182 }
183 free(tmplist); 183 free(tmplist);
184 184
185 // add end of filter 185 // add end of filter
@@ -201,14 +201,14 @@ printf("entries %u\n", (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (uns
201 } 201 }
202 printf("\n"); 202 printf("\n");
203} 203}
204#endif 204#endif
205 // save filter to file 205 // save filter to file
206 int dst = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); 206 int dst = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
207 if (dst < 0) { 207 if (dst < 0) {
208 fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname); 208 fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
209 exit(1); 209 exit(1);
210 } 210 }
211 211
212 int size = (int) ((uintptr_t) ptr - (uintptr_t) (filter)); 212 int size = (int) ((uintptr_t) ptr - (uintptr_t) (filter));
213 int written = 0; 213 int written = 0;
214 while (written < size) { 214 while (written < size) {
@@ -220,5 +220,5 @@ printf("entries %u\n", (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (uns
220 written += rv; 220 written += rv;
221 } 221 }
222 close(dst); 222 close(dst);
223#endif // SYS_socket 223#endif // SYS_socket
224} 224}
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c
index 25a151a78..c12edfd90 100644
--- a/src/fseccomp/seccomp.c
+++ b/src/fseccomp/seccomp.c
@@ -257,7 +257,7 @@ void seccomp_default(const char *fname, int allow_debuggers) {
257 filter_init(fd); 257 filter_init(fd);
258 add_default_list(fd, allow_debuggers); 258 add_default_list(fd, allow_debuggers);
259 filter_end_blacklist(fd); 259 filter_end_blacklist(fd);
260 260
261 // close file 261 // close file
262 close(fd); 262 close(fd);
263} 263}
@@ -281,7 +281,7 @@ void seccomp_drop(const char *fname, char *list, int allow_debuggers) {
281 exit(1); 281 exit(1);
282 } 282 }
283 filter_end_blacklist(fd); 283 filter_end_blacklist(fd);
284 284
285 // close file 285 // close file
286 close(fd); 286 close(fd);
287} 287}
@@ -305,7 +305,7 @@ void seccomp_default_drop(const char *fname, char *list, int allow_debuggers) {
305 exit(1); 305 exit(1);
306 } 306 }
307 filter_end_blacklist(fd); 307 filter_end_blacklist(fd);
308 308
309 // close file 309 // close file
310 close(fd); 310 close(fd);
311} 311}
@@ -326,15 +326,14 @@ void seccomp_keep(const char *fname, char *list) {
326 filter_add_whitelist(fd, SYS_setgroups, 0); 326 filter_add_whitelist(fd, SYS_setgroups, 0);
327 filter_add_whitelist(fd, SYS_dup, 0); 327 filter_add_whitelist(fd, SYS_dup, 0);
328 filter_add_whitelist(fd, SYS_prctl, 0); 328 filter_add_whitelist(fd, SYS_prctl, 0);
329 329
330 if (syscall_check_list(list, filter_add_whitelist, fd, 0)) { 330 if (syscall_check_list(list, filter_add_whitelist, fd, 0)) {
331 fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n"); 331 fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n");
332 exit(1); 332 exit(1);
333 } 333 }
334 334
335 filter_end_whitelist(fd); 335 filter_end_whitelist(fd);
336 336
337 // close file 337 // close file
338 close(fd); 338 close(fd);
339} 339}
340
diff --git a/src/fseccomp/seccomp_file.c b/src/fseccomp/seccomp_file.c
index d706b3359..c1e8d406f 100644
--- a/src/fseccomp/seccomp_file.c
+++ b/src/fseccomp/seccomp_file.c
@@ -24,7 +24,7 @@
24static void write_to_file(int fd, void *data, int size) { 24static void write_to_file(int fd, void *data, int size) {
25 assert(data); 25 assert(data);
26 assert(size); 26 assert(size);
27 27
28 int written = 0; 28 int written = 0;
29 while (written < size) { 29 while (written < size) {
30 int rv = write(fd, (unsigned char *) data + written, size - written); 30 int rv = write(fd, (unsigned char *) data + written, size - written);
@@ -69,7 +69,7 @@ void filter_init(int fd) {
69 69
70void filter_add_whitelist(int fd, int syscall, int arg) { 70void filter_add_whitelist(int fd, int syscall, int arg) {
71 (void) arg; 71 (void) arg;
72 72
73 struct sock_filter filter[] = { 73 struct sock_filter filter[] = {
74 WHITELIST(syscall) 74 WHITELIST(syscall)
75 }; 75 };
@@ -78,7 +78,7 @@ void filter_add_whitelist(int fd, int syscall, int arg) {
78 78
79void filter_add_blacklist(int fd, int syscall, int arg) { 79void filter_add_blacklist(int fd, int syscall, int arg) {
80 (void) arg; 80 (void) arg;
81 81
82 struct sock_filter filter[] = { 82 struct sock_filter filter[] = {
83 BLACKLIST(syscall) 83 BLACKLIST(syscall)
84 }; 84 };
@@ -105,4 +105,3 @@ void filter_end_whitelist(int fd) {
105 }; 105 };
106 write_to_file(fd, filter, sizeof(filter)); 106 write_to_file(fd, filter, sizeof(filter));
107} 107}
108
diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c
index d18f2efa5..67555e554 100644
--- a/src/fseccomp/seccomp_print.c
+++ b/src/fseccomp/seccomp_print.c
@@ -26,7 +26,7 @@ static int filter_cnt = 0;
26 26
27static void load_seccomp(const char *fname) { 27static void load_seccomp(const char *fname) {
28 assert(fname); 28 assert(fname);
29 29
30 // open filter file 30 // open filter file
31 int fd = open(fname, O_RDONLY); 31 int fd = open(fname, O_RDONLY);
32 if (fd == -1) 32 if (fd == -1)
@@ -40,7 +40,7 @@ static void load_seccomp(const char *fname) {
40 goto errexit; 40 goto errexit;
41 unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter); 41 unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter);
42 filter_cnt = entries; 42 filter_cnt = entries;
43 43
44 // read filter 44 // read filter
45 filter = malloc(size); 45 filter = malloc(size);
46 if (filter == NULL) 46 if (filter == NULL)
@@ -53,7 +53,7 @@ static void load_seccomp(const char *fname) {
53 goto errexit; 53 goto errexit;
54 rd += rv; 54 rd += rv;
55 } 55 }
56 56
57 // close file 57 // close file
58 close(fd); 58 close(fd);
59 return; 59 return;
@@ -67,7 +67,7 @@ errexit:
67void filter_print(const char *fname) { 67void filter_print(const char *fname) {
68 assert(fname); 68 assert(fname);
69 load_seccomp(fname); 69 load_seccomp(fname);
70 70
71 // start filter 71 // start filter
72 struct sock_filter start[] = { 72 struct sock_filter start[] = {
73 VALIDATE_ARCHITECTURE, 73 VALIDATE_ARCHITECTURE,
@@ -86,7 +86,7 @@ void filter_print(const char *fname) {
86 printf("Invalid seccomp filter %s\n", fname); 86 printf("Invalid seccomp filter %s\n", fname);
87 return; 87 return;
88 } 88 }
89 89
90 // loop trough blacklists 90 // loop trough blacklists
91 int i = 4; 91 int i = 4;
92 while (i < filter_cnt) { 92 while (i < filter_cnt) {
diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c
index 79c85eb75..8270b7018 100644
--- a/src/fseccomp/seccomp_secondary.c
+++ b/src/fseccomp/seccomp_secondary.c
@@ -28,7 +28,7 @@ void seccomp_secondary_64(const char *fname) {
28 EXAMINE_SYSCALL, 28 EXAMINE_SYSCALL,
29 BLACKLIST(165), // mount 29 BLACKLIST(165), // mount
30 BLACKLIST(166), // umount2 30 BLACKLIST(166), // umount2
31// todo: implement --allow-debuggers 31// todo: implement --allow-debuggers
32 BLACKLIST(101), // ptrace 32 BLACKLIST(101), // ptrace
33 BLACKLIST(246), // kexec_load 33 BLACKLIST(246), // kexec_load
34 BLACKLIST(304), // open_by_handle_at 34 BLACKLIST(304), // open_by_handle_at
@@ -77,7 +77,7 @@ void seccomp_secondary_64(const char *fname) {
77 BLACKLIST(169), // reboot 77 BLACKLIST(169), // reboot
78 BLACKLIST(180), // nfsservctl 78 BLACKLIST(180), // nfsservctl
79 BLACKLIST(177), // get_kernel_syms 79 BLACKLIST(177), // get_kernel_syms
80 80
81 RETURN_ALLOW 81 RETURN_ALLOW
82 }; 82 };
83 83
@@ -87,7 +87,7 @@ void seccomp_secondary_64(const char *fname) {
87 fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname); 87 fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
88 exit(1); 88 exit(1);
89 } 89 }
90 90
91 int size = (int) sizeof(filter); 91 int size = (int) sizeof(filter);
92 int written = 0; 92 int written = 0;
93 while (written < size) { 93 while (written < size) {
@@ -109,7 +109,7 @@ void seccomp_secondary_32(const char *fname) {
109 EXAMINE_SYSCALL, 109 EXAMINE_SYSCALL,
110 BLACKLIST(21), // mount 110 BLACKLIST(21), // mount
111 BLACKLIST(52), // umount2 111 BLACKLIST(52), // umount2
112// todo: implement --allow-debuggers 112// todo: implement --allow-debuggers
113 BLACKLIST(26), // ptrace 113 BLACKLIST(26), // ptrace
114 BLACKLIST(283), // kexec_load 114 BLACKLIST(283), // kexec_load
115 BLACKLIST(341), // name_to_handle_at 115 BLACKLIST(341), // name_to_handle_at
@@ -157,7 +157,7 @@ void seccomp_secondary_32(const char *fname) {
157 BLACKLIST(88), // reboot 157 BLACKLIST(88), // reboot
158 BLACKLIST(169), // nfsservctl 158 BLACKLIST(169), // nfsservctl
159 BLACKLIST(130), // get_kernel_syms 159 BLACKLIST(130), // get_kernel_syms
160 160
161 RETURN_ALLOW 161 RETURN_ALLOW
162 }; 162 };
163 163
@@ -167,7 +167,7 @@ void seccomp_secondary_32(const char *fname) {
167 fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname); 167 fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname);
168 exit(1); 168 exit(1);
169 } 169 }
170 170
171 int size = (int) sizeof(filter); 171 int size = (int) sizeof(filter);
172 int written = 0; 172 int written = 0;
173 while (written < size) { 173 while (written < size) {
@@ -180,4 +180,3 @@ void seccomp_secondary_32(const char *fname) {
180 } 180 }
181 close(dst); 181 close(dst);
182} 182}
183
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c
index b86c1c489..0a86dade0 100644
--- a/src/fseccomp/syscall.c
+++ b/src/fseccomp/syscall.c
@@ -43,7 +43,7 @@ int syscall_find_name(const char *name) {
43 if (strcmp(name, syslist[i].name) == 0) 43 if (strcmp(name, syslist[i].name) == 0)
44 return syslist[i].nr; 44 return syslist[i].nr;
45 } 45 }
46 46
47 return -1; 47 return -1;
48} 48}
49 49
@@ -54,7 +54,7 @@ char *syscall_find_nr(int nr) {
54 if (nr == syslist[i].nr) 54 if (nr == syslist[i].nr)
55 return syslist[i].name; 55 return syslist[i].name;
56 } 56 }
57 57
58 return "unknown"; 58 return "unknown";
59} 59}
60 60
@@ -75,7 +75,7 @@ static void syscall_process_name(const char *name, int *syscall_nr, int *error_n
75 if (strlen(name) == 0) 75 if (strlen(name) == 0)
76 goto error; 76 goto error;
77 *error_nr = -1; 77 *error_nr = -1;
78 78
79 // syntax check 79 // syntax check
80 char *str = strdup(name); 80 char *str = strdup(name);
81 if (!str) 81 if (!str)
@@ -101,7 +101,7 @@ static void syscall_process_name(const char *name, int *syscall_nr, int *error_n
101 101
102 free(str); 102 free(str);
103 return; 103 return;
104 104
105error: 105error:
106 fprintf(stderr, "Error fseccomp: invalid syscall list entry %s\n", name); 106 fprintf(stderr, "Error fseccomp: invalid syscall list entry %s\n", name);
107 exit(1); 107 exit(1);
@@ -142,7 +142,7 @@ int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall,
142 } 142 }
143 ptr = strtok(NULL, ","); 143 ptr = strtok(NULL, ",");
144 } 144 }
145 145
146 free(str); 146 free(str);
147 return 0; 147 return 0;
148} 148}