diff options
Diffstat (limited to 'src')
115 files changed, 1061 insertions, 1134 deletions
diff --git a/src/bash_completion/firecfg.bash_completion b/src/bash_completion/firecfg.bash_completion index 79b74e49d..36f066f0a 100644 --- a/src/bash_completion/firecfg.bash_completion +++ b/src/bash_completion/firecfg.bash_completion | |||
@@ -34,6 +34,3 @@ _firecfg() | |||
34 | fi | 34 | fi |
35 | } && | 35 | } && |
36 | complete -F _firecfg firecfg | 36 | complete -F _firecfg firecfg |
37 | |||
38 | |||
39 | |||
diff --git a/src/bash_completion/firejail.bash_completion b/src/bash_completion/firejail.bash_completion index 0b2caed61..09798f505 100644 --- a/src/bash_completion/firejail.bash_completion +++ b/src/bash_completion/firejail.bash_completion | |||
@@ -109,6 +109,3 @@ _firejail() | |||
109 | 109 | ||
110 | } && | 110 | } && |
111 | complete -F _firejail firejail | 111 | complete -F _firejail firejail |
112 | |||
113 | |||
114 | |||
diff --git a/src/bash_completion/firemon.bash_completion b/src/bash_completion/firemon.bash_completion index befbf2388..a33935602 100644 --- a/src/bash_completion/firemon.bash_completion +++ b/src/bash_completion/firemon.bash_completion | |||
@@ -34,6 +34,3 @@ _firemon() | |||
34 | fi | 34 | fi |
35 | } && | 35 | } && |
36 | complete -F _firemon firemon | 36 | complete -F _firemon firemon |
37 | |||
38 | |||
39 | |||
diff --git a/src/faudit/Makefile.in b/src/faudit/Makefile.in index 995a0bf49..ec36ca80c 100644 --- a/src/faudit/Makefile.in +++ b/src/faudit/Makefile.in | |||
@@ -22,4 +22,3 @@ clean:; rm -f *.o faudit | |||
22 | 22 | ||
23 | distclean: clean | 23 | distclean: clean |
24 | rm -fr Makefile | 24 | rm -fr Makefile |
25 | |||
diff --git a/src/faudit/caps.c b/src/faudit/caps.c index b200c6792..d4a98676c 100644 --- a/src/faudit/caps.c +++ b/src/faudit/caps.c | |||
@@ -26,7 +26,7 @@ static int extract_caps(uint64_t *val) { | |||
26 | FILE *fp = fopen("/proc/self/status", "r"); | 26 | FILE *fp = fopen("/proc/self/status", "r"); |
27 | if (!fp) | 27 | if (!fp) |
28 | return 1; | 28 | return 1; |
29 | 29 | ||
30 | char buf[MAXBUF]; | 30 | char buf[MAXBUF]; |
31 | while (fgets(buf, MAXBUF, fp)) { | 31 | while (fgets(buf, MAXBUF, fp)) { |
32 | if (strncmp(buf, "CapBnd:\t", 8) == 0) { | 32 | if (strncmp(buf, "CapBnd:\t", 8) == 0) { |
@@ -47,7 +47,7 @@ static int extract_caps(uint64_t *val) { | |||
47 | static int check_capability(uint64_t map, int cap) { | 47 | static int check_capability(uint64_t map, int cap) { |
48 | int i; | 48 | int i; |
49 | uint64_t mask = 1ULL; | 49 | uint64_t mask = 1ULL; |
50 | 50 | ||
51 | for (i = 0; i < 64; i++, mask <<= 1) { | 51 | for (i = 0; i < 64; i++, mask <<= 1) { |
52 | if ((i == cap) && (mask & map)) | 52 | if ((i == cap) && (mask & map)) |
53 | return 1; | 53 | return 1; |
@@ -58,22 +58,21 @@ static int check_capability(uint64_t map, int cap) { | |||
58 | 58 | ||
59 | void caps_test(void) { | 59 | void caps_test(void) { |
60 | uint64_t caps_val; | 60 | uint64_t caps_val; |
61 | 61 | ||
62 | if (extract_caps(&caps_val)) { | 62 | if (extract_caps(&caps_val)) { |
63 | printf("SKIP: cannot extract capabilities on this platform.\n"); | 63 | printf("SKIP: cannot extract capabilities on this platform.\n"); |
64 | return; | 64 | return; |
65 | } | 65 | } |
66 | 66 | ||
67 | if (caps_val) { | 67 | if (caps_val) { |
68 | printf("BAD: the capability map is %llx, it should be all zero. ", (unsigned long long) caps_val); | 68 | printf("BAD: the capability map is %llx, it should be all zero. ", (unsigned long long) caps_val); |
69 | printf("Use \"firejail --caps.drop=all\" to fix it.\n"); | 69 | printf("Use \"firejail --caps.drop=all\" to fix it.\n"); |
70 | 70 | ||
71 | if (check_capability(caps_val, CAP_SYS_ADMIN)) | 71 | if (check_capability(caps_val, CAP_SYS_ADMIN)) |
72 | printf("UGLY: CAP_SYS_ADMIN is enabled.\n"); | 72 | printf("UGLY: CAP_SYS_ADMIN is enabled.\n"); |
73 | if (check_capability(caps_val, CAP_SYS_BOOT)) | 73 | if (check_capability(caps_val, CAP_SYS_BOOT)) |
74 | printf("UGLY: CAP_SYS_BOOT is enabled.\n"); | 74 | printf("UGLY: CAP_SYS_BOOT is enabled.\n"); |
75 | } | 75 | } |
76 | else | 76 | else |
77 | printf("GOOD: all capabilities are disabled.\n"); | 77 | printf("GOOD: all capabilities are disabled.\n"); |
78 | } | 78 | } |
79 | |||
diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c index 1b1fbb817..54300c9b8 100644 --- a/src/faudit/dbus.c +++ b/src/faudit/dbus.c | |||
@@ -28,7 +28,7 @@ int check_unix(const char *sockfile) { | |||
28 | 28 | ||
29 | // open socket | 29 | // open socket |
30 | int sock = socket(AF_UNIX, SOCK_STREAM, 0); | 30 | int sock = socket(AF_UNIX, SOCK_STREAM, 0); |
31 | if (sock == -1) | 31 | if (sock == -1) |
32 | return rv; | 32 | return rv; |
33 | 33 | ||
34 | // connect | 34 | // connect |
@@ -41,7 +41,7 @@ int check_unix(const char *sockfile) { | |||
41 | remote.sun_path[0] = '\0'; | 41 | remote.sun_path[0] = '\0'; |
42 | if (connect(sock, (struct sockaddr *)&remote, len) == 0) | 42 | if (connect(sock, (struct sockaddr *)&remote, len) == 0) |
43 | rv = 0; | 43 | rv = 0; |
44 | 44 | ||
45 | close(sock); | 45 | close(sock); |
46 | return rv; | 46 | return rv; |
47 | } | 47 | } |
@@ -60,7 +60,7 @@ void dbus_test(void) { | |||
60 | *sockfile = '@'; | 60 | *sockfile = '@'; |
61 | char *ptr = strchr(sockfile, ','); | 61 | char *ptr = strchr(sockfile, ','); |
62 | if (ptr) | 62 | if (ptr) |
63 | *ptr = '\0'; | 63 | *ptr = '\0'; |
64 | rv = check_unix(sockfile); | 64 | rv = check_unix(sockfile); |
65 | *sockfile = '@'; | 65 | *sockfile = '@'; |
66 | if (rv == 0) | 66 | if (rv == 0) |
@@ -83,13 +83,10 @@ void dbus_test(void) { | |||
83 | printf("UGLY: session bus configured for TCP communication.\n"); | 83 | printf("UGLY: session bus configured for TCP communication.\n"); |
84 | else | 84 | else |
85 | printf("GOOD: cannot find a D-Bus socket\n"); | 85 | printf("GOOD: cannot find a D-Bus socket\n"); |
86 | 86 | ||
87 | 87 | ||
88 | free(bus); | 88 | free(bus); |
89 | } | 89 | } |
90 | else | 90 | else |
91 | printf("GOOD: DBUS_SESSION_BUS_ADDRESS environment variable not configured."); | 91 | printf("GOOD: DBUS_SESSION_BUS_ADDRESS environment variable not configured."); |
92 | } | 92 | } |
93 | |||
94 | |||
95 | |||
diff --git a/src/faudit/dev.c b/src/faudit/dev.c index 74adbca9c..6bafaf93e 100644 --- a/src/faudit/dev.c +++ b/src/faudit/dev.c | |||
@@ -26,19 +26,19 @@ void dev_test(void) { | |||
26 | fprintf(stderr, "Error: cannot open /dev directory\n"); | 26 | fprintf(stderr, "Error: cannot open /dev directory\n"); |
27 | return; | 27 | return; |
28 | } | 28 | } |
29 | 29 | ||
30 | struct dirent *entry; | 30 | struct dirent *entry; |
31 | printf("INFO: files visible in /dev directory: "); | 31 | printf("INFO: files visible in /dev directory: "); |
32 | int cnt = 0; | 32 | int cnt = 0; |
33 | while ((entry = readdir(dir)) != NULL) { | 33 | while ((entry = readdir(dir)) != NULL) { |
34 | if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) | 34 | if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) |
35 | continue; | 35 | continue; |
36 | 36 | ||
37 | printf("%s, ", entry->d_name); | 37 | printf("%s, ", entry->d_name); |
38 | cnt++; | 38 | cnt++; |
39 | } | 39 | } |
40 | printf("\n"); | 40 | printf("\n"); |
41 | 41 | ||
42 | if (cnt > 20) | 42 | if (cnt > 20) |
43 | printf("MAYBE: /dev directory seems to be fully populated. Use --private-dev or --whitelist to restrict the access.\n"); | 43 | printf("MAYBE: /dev directory seems to be fully populated. Use --private-dev or --whitelist to restrict the access.\n"); |
44 | else | 44 | else |
diff --git a/src/faudit/files.c b/src/faudit/files.c index 46256f5f0..aa5b3aafb 100644 --- a/src/faudit/files.c +++ b/src/faudit/files.c | |||
@@ -26,7 +26,7 @@ static char *homedir = NULL; | |||
26 | 26 | ||
27 | static void check_home_file(const char *name) { | 27 | static void check_home_file(const char *name) { |
28 | assert(homedir); | 28 | assert(homedir); |
29 | 29 | ||
30 | char *fname; | 30 | char *fname; |
31 | if (asprintf(&fname, "%s/%s", homedir, name) == -1) | 31 | if (asprintf(&fname, "%s/%s", homedir, name) == -1) |
32 | errExit("asprintf"); | 32 | errExit("asprintf"); |
@@ -37,7 +37,7 @@ static void check_home_file(const char *name) { | |||
37 | } | 37 | } |
38 | else | 38 | else |
39 | printf("GOOD: I cannot access files in %s directory.\n", fname); | 39 | printf("GOOD: I cannot access files in %s directory.\n", fname); |
40 | 40 | ||
41 | free(fname); | 41 | free(fname); |
42 | } | 42 | } |
43 | 43 | ||
@@ -47,14 +47,14 @@ void files_test(void) { | |||
47 | fprintf(stderr, "Error: cannot retrieve user account information\n"); | 47 | fprintf(stderr, "Error: cannot retrieve user account information\n"); |
48 | return; | 48 | return; |
49 | } | 49 | } |
50 | 50 | ||
51 | username = strdup(pw->pw_name); | 51 | username = strdup(pw->pw_name); |
52 | if (!username) | 52 | if (!username) |
53 | errExit("strdup"); | 53 | errExit("strdup"); |
54 | homedir = strdup(pw->pw_dir); | 54 | homedir = strdup(pw->pw_dir); |
55 | if (!homedir) | 55 | if (!homedir) |
56 | errExit("strdup"); | 56 | errExit("strdup"); |
57 | 57 | ||
58 | // check access to .ssh directory | 58 | // check access to .ssh directory |
59 | check_home_file(".ssh"); | 59 | check_home_file(".ssh"); |
60 | 60 | ||
@@ -66,10 +66,10 @@ void files_test(void) { | |||
66 | 66 | ||
67 | // check access to Chromium browser directory | 67 | // check access to Chromium browser directory |
68 | check_home_file(".config/chromium"); | 68 | check_home_file(".config/chromium"); |
69 | 69 | ||
70 | // check access to Debian Icedove directory | 70 | // check access to Debian Icedove directory |
71 | check_home_file(".icedove"); | 71 | check_home_file(".icedove"); |
72 | 72 | ||
73 | // check access to Thunderbird directory | 73 | // check access to Thunderbird directory |
74 | check_home_file(".thunderbird"); | 74 | check_home_file(".thunderbird"); |
75 | } | 75 | } |
diff --git a/src/faudit/main.c b/src/faudit/main.c index 2572bf332..8ab0de5a6 100644 --- a/src/faudit/main.c +++ b/src/faudit/main.c | |||
@@ -24,19 +24,19 @@ int main(int argc, char **argv) { | |||
24 | // make test-arguments helper | 24 | // make test-arguments helper |
25 | if (getenv("FIREJAIL_TEST_ARGUMENTS")) { | 25 | if (getenv("FIREJAIL_TEST_ARGUMENTS")) { |
26 | printf("Arguments:\n"); | 26 | printf("Arguments:\n"); |
27 | 27 | ||
28 | int i; | 28 | int i; |
29 | for (i = 0; i < argc; i++) { | 29 | for (i = 0; i < argc; i++) { |
30 | printf("#%s#\n", argv[i]); | 30 | printf("#%s#\n", argv[i]); |
31 | } | 31 | } |
32 | 32 | ||
33 | return 0; | 33 | return 0; |
34 | } | 34 | } |
35 | 35 | ||
36 | 36 | ||
37 | if (argc != 1) { | 37 | if (argc != 1) { |
38 | int i; | 38 | int i; |
39 | 39 | ||
40 | for (i = 1; i < argc; i++) { | 40 | for (i = 1; i < argc; i++) { |
41 | if (strcmp(argv[i], "syscall")) { | 41 | if (strcmp(argv[i], "syscall")) { |
42 | syscall_helper(argc, argv); | 42 | syscall_helper(argc, argv); |
@@ -56,16 +56,16 @@ int main(int argc, char **argv) { | |||
56 | errExit("strdup"); | 56 | errExit("strdup"); |
57 | } | 57 | } |
58 | printf("INFO: starting %s.\n", prog); | 58 | printf("INFO: starting %s.\n", prog); |
59 | 59 | ||
60 | 60 | ||
61 | // check pid namespace | 61 | // check pid namespace |
62 | pid_test(); | 62 | pid_test(); |
63 | printf("\n"); | 63 | printf("\n"); |
64 | 64 | ||
65 | // check seccomp | 65 | // check seccomp |
66 | seccomp_test(); | 66 | seccomp_test(); |
67 | printf("\n"); | 67 | printf("\n"); |
68 | 68 | ||
69 | // check capabilities | 69 | // check capabilities |
70 | caps_test(); | 70 | caps_test(); |
71 | printf("\n"); | 71 | printf("\n"); |
@@ -73,11 +73,11 @@ int main(int argc, char **argv) { | |||
73 | // check some well-known problematic files and directories | 73 | // check some well-known problematic files and directories |
74 | files_test(); | 74 | files_test(); |
75 | printf("\n"); | 75 | printf("\n"); |
76 | 76 | ||
77 | // network | 77 | // network |
78 | network_test(); | 78 | network_test(); |
79 | printf("\n"); | 79 | printf("\n"); |
80 | 80 | ||
81 | // dbus | 81 | // dbus |
82 | dbus_test(); | 82 | dbus_test(); |
83 | printf("\n"); | 83 | printf("\n"); |
diff --git a/src/faudit/network.c b/src/faudit/network.c index 67c11e835..797c15ba8 100644 --- a/src/faudit/network.c +++ b/src/faudit/network.c | |||
@@ -35,15 +35,15 @@ static void check_ssh(void) { | |||
35 | struct sockaddr_in server; | 35 | struct sockaddr_in server; |
36 | server.sin_addr.s_addr = inet_addr("127.0.0.1"); | 36 | server.sin_addr.s_addr = inet_addr("127.0.0.1"); |
37 | server.sin_family = AF_INET; | 37 | server.sin_family = AF_INET; |
38 | server.sin_port = htons(22); | 38 | server.sin_port = htons(22); |
39 | 39 | ||
40 | if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0) | 40 | if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0) |
41 | printf("GOOD: SSH server not available on localhost.\n"); | 41 | printf("GOOD: SSH server not available on localhost.\n"); |
42 | else { | 42 | else { |
43 | printf("MAYBE: an SSH server is accessible on localhost. "); | 43 | printf("MAYBE: an SSH server is accessible on localhost. "); |
44 | printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n"); | 44 | printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n"); |
45 | } | 45 | } |
46 | 46 | ||
47 | close(sock); | 47 | close(sock); |
48 | } | 48 | } |
49 | 49 | ||
@@ -59,15 +59,15 @@ static void check_http(void) { | |||
59 | struct sockaddr_in server; | 59 | struct sockaddr_in server; |
60 | server.sin_addr.s_addr = inet_addr("127.0.0.1"); | 60 | server.sin_addr.s_addr = inet_addr("127.0.0.1"); |
61 | server.sin_family = AF_INET; | 61 | server.sin_family = AF_INET; |
62 | server.sin_port = htons(80); | 62 | server.sin_port = htons(80); |
63 | 63 | ||
64 | if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0) | 64 | if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0) |
65 | printf("GOOD: HTTP server not available on localhost.\n"); | 65 | printf("GOOD: HTTP server not available on localhost.\n"); |
66 | else { | 66 | else { |
67 | printf("MAYBE: an HTTP server is accessible on localhost. "); | 67 | printf("MAYBE: an HTTP server is accessible on localhost. "); |
68 | printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n"); | 68 | printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n"); |
69 | } | 69 | } |
70 | 70 | ||
71 | close(sock); | 71 | close(sock); |
72 | } | 72 | } |
73 | 73 | ||
@@ -88,12 +88,12 @@ void check_netlink(void) { | |||
88 | close(sock); | 88 | close(sock); |
89 | return; | 89 | return; |
90 | } | 90 | } |
91 | 91 | ||
92 | close(sock); | 92 | close(sock); |
93 | printf("MAYBE: I can connect to netlink socket. Network utilities such as iproute2 will work fine in the sandbox. "); | 93 | printf("MAYBE: I can connect to netlink socket. Network utilities such as iproute2 will work fine in the sandbox. "); |
94 | printf("You can use \"--protocol\" to disable the socket.\n"); | 94 | printf("You can use \"--protocol\" to disable the socket.\n"); |
95 | } | 95 | } |
96 | 96 | ||
97 | void network_test(void) { | 97 | void network_test(void) { |
98 | check_ssh(); | 98 | check_ssh(); |
99 | check_http(); | 99 | check_http(); |
diff --git a/src/faudit/pid.c b/src/faudit/pid.c index 34f6d1691..0aa2ddd44 100644 --- a/src/faudit/pid.c +++ b/src/faudit/pid.c | |||
@@ -32,7 +32,7 @@ void pid_test(void) { | |||
32 | 32 | ||
33 | // look at the first 10 processes | 33 | // look at the first 10 processes |
34 | int not_visible = 1; | 34 | int not_visible = 1; |
35 | for (i = 1; i <= 10; i++) { | 35 | for (i = 1; i <= 10; i++) { |
36 | struct stat s; | 36 | struct stat s; |
37 | char *fname; | 37 | char *fname; |
38 | if (asprintf(&fname, "/proc/%d/comm", i) == -1) | 38 | if (asprintf(&fname, "/proc/%d/comm", i) == -1) |
@@ -41,7 +41,7 @@ void pid_test(void) { | |||
41 | free(fname); | 41 | free(fname); |
42 | continue; | 42 | continue; |
43 | } | 43 | } |
44 | 44 | ||
45 | // open file | 45 | // open file |
46 | /* coverity[toctou] */ | 46 | /* coverity[toctou] */ |
47 | FILE *fp = fopen(fname, "r"); | 47 | FILE *fp = fopen(fname, "r"); |
@@ -49,7 +49,7 @@ void pid_test(void) { | |||
49 | free(fname); | 49 | free(fname); |
50 | continue; | 50 | continue; |
51 | } | 51 | } |
52 | 52 | ||
53 | // read file | 53 | // read file |
54 | char buf[100]; | 54 | char buf[100]; |
55 | if (fgets(buf, 10, fp) == NULL) { | 55 | if (fgets(buf, 10, fp) == NULL) { |
@@ -63,7 +63,7 @@ void pid_test(void) { | |||
63 | char *ptr; | 63 | char *ptr; |
64 | if ((ptr = strchr(buf, '\n')) != NULL) | 64 | if ((ptr = strchr(buf, '\n')) != NULL) |
65 | *ptr = '\0'; | 65 | *ptr = '\0'; |
66 | 66 | ||
67 | // check process name against the kernel list | 67 | // check process name against the kernel list |
68 | int j = 0; | 68 | int j = 0; |
69 | while (kern_proc[j] != NULL) { | 69 | while (kern_proc[j] != NULL) { |
@@ -76,7 +76,7 @@ void pid_test(void) { | |||
76 | } | 76 | } |
77 | j++; | 77 | j++; |
78 | } | 78 | } |
79 | 79 | ||
80 | fclose(fp); | 80 | fclose(fp); |
81 | free(fname); | 81 | free(fname); |
82 | } | 82 | } |
@@ -86,7 +86,7 @@ void pid_test(void) { | |||
86 | printf("BAD: Process %d is not running in a PID namespace.\n", pid); | 86 | printf("BAD: Process %d is not running in a PID namespace.\n", pid); |
87 | else | 87 | else |
88 | printf("GOOD: process %d is running in a PID namespace.\n", pid); | 88 | printf("GOOD: process %d is running in a PID namespace.\n", pid); |
89 | 89 | ||
90 | // try to guess the type of container/sandbox | 90 | // try to guess the type of container/sandbox |
91 | char *str = getenv("container"); | 91 | char *str = getenv("container"); |
92 | if (str) | 92 | if (str) |
diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c index 1c188aa45..2e9665fd9 100644 --- a/src/faudit/seccomp.c +++ b/src/faudit/seccomp.c | |||
@@ -24,7 +24,7 @@ static int extract_seccomp(int *val) { | |||
24 | FILE *fp = fopen("/proc/self/status", "r"); | 24 | FILE *fp = fopen("/proc/self/status", "r"); |
25 | if (!fp) | 25 | if (!fp) |
26 | return 1; | 26 | return 1; |
27 | 27 | ||
28 | char buf[MAXBUF]; | 28 | char buf[MAXBUF]; |
29 | while (fgets(buf, MAXBUF, fp)) { | 29 | while (fgets(buf, MAXBUF, fp)) { |
30 | if (strncmp(buf, "Seccomp:\t", 8) == 0) { | 30 | if (strncmp(buf, "Seccomp:\t", 8) == 0) { |
@@ -44,12 +44,12 @@ static int extract_seccomp(int *val) { | |||
44 | void seccomp_test(void) { | 44 | void seccomp_test(void) { |
45 | int seccomp_status; | 45 | int seccomp_status; |
46 | int rv = extract_seccomp(&seccomp_status); | 46 | int rv = extract_seccomp(&seccomp_status); |
47 | 47 | ||
48 | if (rv) { | 48 | if (rv) { |
49 | printf("INFO: cannot extract seccomp configuration on this platform.\n"); | 49 | printf("INFO: cannot extract seccomp configuration on this platform.\n"); |
50 | return; | 50 | return; |
51 | } | 51 | } |
52 | 52 | ||
53 | if (seccomp_status == 0) { | 53 | if (seccomp_status == 0) { |
54 | printf("BAD: seccomp disabled. Use \"firejail --seccomp\" to enable it.\n"); | 54 | printf("BAD: seccomp disabled. Use \"firejail --seccomp\" to enable it.\n"); |
55 | } | 55 | } |
@@ -67,10 +67,10 @@ void seccomp_test(void) { | |||
67 | 67 | ||
68 | printf("ptrace... "); fflush(0); | 68 | printf("ptrace... "); fflush(0); |
69 | syscall_run("ptrace"); | 69 | syscall_run("ptrace"); |
70 | 70 | ||
71 | printf("swapon... "); fflush(0); | 71 | printf("swapon... "); fflush(0); |
72 | syscall_run("swapon"); | 72 | syscall_run("swapon"); |
73 | 73 | ||
74 | printf("swapoff... "); fflush(0); | 74 | printf("swapoff... "); fflush(0); |
75 | syscall_run("swapoff"); | 75 | syscall_run("swapoff"); |
76 | 76 | ||
@@ -79,20 +79,20 @@ void seccomp_test(void) { | |||
79 | 79 | ||
80 | printf("delete_module... "); fflush(0); | 80 | printf("delete_module... "); fflush(0); |
81 | syscall_run("delete_module"); | 81 | syscall_run("delete_module"); |
82 | 82 | ||
83 | printf("chroot... "); fflush(0); | 83 | printf("chroot... "); fflush(0); |
84 | syscall_run("chroot"); | 84 | syscall_run("chroot"); |
85 | 85 | ||
86 | printf("pivot_root... "); fflush(0); | 86 | printf("pivot_root... "); fflush(0); |
87 | syscall_run("pivot_root"); | 87 | syscall_run("pivot_root"); |
88 | 88 | ||
89 | #if defined(__i386__) || defined(__x86_64__) | 89 | #if defined(__i386__) || defined(__x86_64__) |
90 | printf("iopl... "); fflush(0); | 90 | printf("iopl... "); fflush(0); |
91 | syscall_run("iopl"); | 91 | syscall_run("iopl"); |
92 | 92 | ||
93 | printf("ioperm... "); fflush(0); | 93 | printf("ioperm... "); fflush(0); |
94 | syscall_run("ioperm"); | 94 | syscall_run("ioperm"); |
95 | #endif | 95 | #endif |
96 | printf("\n"); | 96 | printf("\n"); |
97 | } | 97 | } |
98 | else | 98 | else |
diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c index 40b1ecc84..2925a6c30 100644 --- a/src/faudit/syscall.c +++ b/src/faudit/syscall.c | |||
@@ -33,7 +33,7 @@ extern int pivot_root(const char *new_root, const char *put_old); | |||
33 | 33 | ||
34 | void syscall_helper(int argc, char **argv) { | 34 | void syscall_helper(int argc, char **argv) { |
35 | (void) argc; | 35 | (void) argc; |
36 | 36 | ||
37 | if (strcmp(argv[2], "mount") == 0) { | 37 | if (strcmp(argv[2], "mount") == 0) { |
38 | int rv = mount(NULL, NULL, NULL, 0, NULL); | 38 | int rv = mount(NULL, NULL, NULL, 0, NULL); |
39 | (void) rv; | 39 | (void) rv; |
@@ -87,7 +87,7 @@ void syscall_helper(int argc, char **argv) { | |||
87 | 87 | ||
88 | void syscall_run(const char *name) { | 88 | void syscall_run(const char *name) { |
89 | assert(prog); | 89 | assert(prog); |
90 | 90 | ||
91 | pid_t child = fork(); | 91 | pid_t child = fork(); |
92 | if (child < 0) | 92 | if (child < 0) |
93 | errExit("fork"); | 93 | errExit("fork"); |
@@ -96,7 +96,7 @@ void syscall_run(const char *name) { | |||
96 | perror("execl"); | 96 | perror("execl"); |
97 | _exit(1); | 97 | _exit(1); |
98 | } | 98 | } |
99 | 99 | ||
100 | // wait for the child to finish | 100 | // wait for the child to finish |
101 | waitpid(child, NULL, 0); | 101 | waitpid(child, NULL, 0); |
102 | } | 102 | } |
diff --git a/src/faudit/x11.c b/src/faudit/x11.c index 4cf1511a5..f0cc0eed4 100644 --- a/src/faudit/x11.c +++ b/src/faudit/x11.c | |||
@@ -29,7 +29,7 @@ void x11_test(void) { | |||
29 | 29 | ||
30 | if (check_unix("@/tmp/.X11-unix/X0") == 0) | 30 | if (check_unix("@/tmp/.X11-unix/X0") == 0) |
31 | printf("MAYBE: X11 socket @/tmp/.X11-unix/X0 is available\n"); | 31 | printf("MAYBE: X11 socket @/tmp/.X11-unix/X0 is available\n"); |
32 | 32 | ||
33 | // check all unix sockets in /tmp/.X11-unix directory | 33 | // check all unix sockets in /tmp/.X11-unix directory |
34 | DIR *dir; | 34 | DIR *dir; |
35 | if (!(dir = opendir("/tmp/.X11-unix"))) { | 35 | if (!(dir = opendir("/tmp/.X11-unix"))) { |
@@ -39,7 +39,7 @@ void x11_test(void) { | |||
39 | ; | 39 | ; |
40 | } | 40 | } |
41 | } | 41 | } |
42 | 42 | ||
43 | if (dir == NULL) | 43 | if (dir == NULL) |
44 | printf("GOOD: cannot open /tmp/.X11-unix directory\n"); | 44 | printf("GOOD: cannot open /tmp/.X11-unix directory\n"); |
45 | else { | 45 | else { |
diff --git a/src/fcopy/Makefile.in b/src/fcopy/Makefile.in index 278957a4f..a5dc7a0f4 100644 --- a/src/fcopy/Makefile.in +++ b/src/fcopy/Makefile.in | |||
@@ -42,4 +42,3 @@ clean:; rm -f *.o fcopy *.gcov *.gcda *.gcno | |||
42 | 42 | ||
43 | distclean: clean | 43 | distclean: clean |
44 | rm -fr Makefile | 44 | rm -fr Makefile |
45 | |||
diff --git a/src/firecfg/Makefile.in b/src/firecfg/Makefile.in index f9fe08768..b7412b7f0 100644 --- a/src/firecfg/Makefile.in +++ b/src/firecfg/Makefile.in | |||
@@ -37,4 +37,3 @@ clean:; rm -f *.o firecfg firecfg.1 firecfg.1.gz *.gcov *.gcda *.gcno | |||
37 | 37 | ||
38 | distclean: clean | 38 | distclean: clean |
39 | rm -fr Makefile | 39 | rm -fr Makefile |
40 | |||
diff --git a/src/firecfg/main.c b/src/firecfg/main.c index 4f957b4ae..ea439cf0e 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c | |||
@@ -79,7 +79,7 @@ static void sound(void) { | |||
79 | if (!home) { | 79 | if (!home) { |
80 | goto errexit; | 80 | goto errexit; |
81 | } | 81 | } |
82 | 82 | ||
83 | // the input file is /etc/pulse/client.conf | 83 | // the input file is /etc/pulse/client.conf |
84 | FILE *fpin = fopen("/etc/pulse/client.conf", "r"); | 84 | FILE *fpin = fopen("/etc/pulse/client.conf", "r"); |
85 | if (!fpin) { | 85 | if (!fpin) { |
@@ -95,18 +95,18 @@ static void sound(void) { | |||
95 | free(fname); | 95 | free(fname); |
96 | if (!fpout) | 96 | if (!fpout) |
97 | goto errexit; | 97 | goto errexit; |
98 | 98 | ||
99 | // copy default config | 99 | // copy default config |
100 | char buf[MAX_BUF]; | 100 | char buf[MAX_BUF]; |
101 | while (fgets(buf, MAX_BUF, fpin)) | 101 | while (fgets(buf, MAX_BUF, fpin)) |
102 | fputs(buf, fpout); | 102 | fputs(buf, fpout); |
103 | 103 | ||
104 | // disable shm | 104 | // disable shm |
105 | fprintf(fpout, "\nenable-shm = no\n"); | 105 | fprintf(fpout, "\nenable-shm = no\n"); |
106 | fclose(fpin); | 106 | fclose(fpin); |
107 | fclose(fpout); | 107 | fclose(fpout); |
108 | printf("PulseAudio configured, please logout and login back again\n"); | 108 | printf("PulseAudio configured, please logout and login back again\n"); |
109 | return; | 109 | return; |
110 | 110 | ||
111 | errexit: | 111 | errexit: |
112 | fprintf(stderr, "Error: cannot configure sound file\n"); | 112 | fprintf(stderr, "Error: cannot configure sound file\n"); |
@@ -116,18 +116,18 @@ errexit: | |||
116 | // return 1 if the program is found | 116 | // return 1 if the program is found |
117 | static int find(const char *program, const char *directory) { | 117 | static int find(const char *program, const char *directory) { |
118 | int retval = 0; | 118 | int retval = 0; |
119 | 119 | ||
120 | char *fname; | 120 | char *fname; |
121 | if (asprintf(&fname, "/%s/%s", directory, program) == -1) | 121 | if (asprintf(&fname, "/%s/%s", directory, program) == -1) |
122 | errExit("asprintf"); | 122 | errExit("asprintf"); |
123 | 123 | ||
124 | struct stat s; | 124 | struct stat s; |
125 | if (stat(fname, &s) == 0) { | 125 | if (stat(fname, &s) == 0) { |
126 | if (arg_debug) | 126 | if (arg_debug) |
127 | printf("found %s in directory %s\n", program, directory); | 127 | printf("found %s in directory %s\n", program, directory); |
128 | retval = 1; | 128 | retval = 1; |
129 | } | 129 | } |
130 | 130 | ||
131 | free(fname); | 131 | free(fname); |
132 | return retval; | 132 | return retval; |
133 | } | 133 | } |
@@ -140,14 +140,14 @@ static int which(const char *program) { | |||
140 | find(program, "/sbin") || find(program, "/usr/sbin") || | 140 | find(program, "/sbin") || find(program, "/usr/sbin") || |
141 | find(program, "/usr/games")) | 141 | find(program, "/usr/games")) |
142 | return 1; | 142 | return 1; |
143 | 143 | ||
144 | // check environment | 144 | // check environment |
145 | char *path1 = getenv("PATH"); | 145 | char *path1 = getenv("PATH"); |
146 | if (path1) { | 146 | if (path1) { |
147 | char *path2 = strdup(path1); | 147 | char *path2 = strdup(path1); |
148 | if (!path2) | 148 | if (!path2) |
149 | errExit("strdup"); | 149 | errExit("strdup"); |
150 | 150 | ||
151 | // use path2 to count the entries | 151 | // use path2 to count the entries |
152 | char *ptr = strtok(path2, ":"); | 152 | char *ptr = strtok(path2, ":"); |
153 | while (ptr) { | 153 | while (ptr) { |
@@ -159,7 +159,7 @@ static int which(const char *program) { | |||
159 | } | 159 | } |
160 | free(path2); | 160 | free(path2); |
161 | } | 161 | } |
162 | 162 | ||
163 | return 0; | 163 | return 0; |
164 | } | 164 | } |
165 | 165 | ||
@@ -193,11 +193,11 @@ static void list(void) { | |||
193 | while ((entry = readdir(dir)) != NULL) { | 193 | while ((entry = readdir(dir)) != NULL) { |
194 | if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) | 194 | if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) |
195 | continue; | 195 | continue; |
196 | 196 | ||
197 | char *fullname; | 197 | char *fullname; |
198 | if (asprintf(&fullname, "/usr/local/bin/%s", entry->d_name) == -1) | 198 | if (asprintf(&fullname, "/usr/local/bin/%s", entry->d_name) == -1) |
199 | errExit("asprintf"); | 199 | errExit("asprintf"); |
200 | 200 | ||
201 | if (is_link(fullname)) { | 201 | if (is_link(fullname)) { |
202 | char* fname = realpath(fullname, NULL); | 202 | char* fname = realpath(fullname, NULL); |
203 | if (fname) { | 203 | if (fname) { |
@@ -208,7 +208,7 @@ static void list(void) { | |||
208 | } | 208 | } |
209 | free(fullname); | 209 | free(fullname); |
210 | } | 210 | } |
211 | 211 | ||
212 | closedir(dir); | 212 | closedir(dir); |
213 | free(firejail_exec); | 213 | free(firejail_exec); |
214 | } | 214 | } |
@@ -233,11 +233,11 @@ static void clear(void) { | |||
233 | while ((entry = readdir(dir)) != NULL) { | 233 | while ((entry = readdir(dir)) != NULL) { |
234 | if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) | 234 | if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) |
235 | continue; | 235 | continue; |
236 | 236 | ||
237 | char *fullname; | 237 | char *fullname; |
238 | if (asprintf(&fullname, "/usr/local/bin/%s", entry->d_name) == -1) | 238 | if (asprintf(&fullname, "/usr/local/bin/%s", entry->d_name) == -1) |
239 | errExit("asprintf"); | 239 | errExit("asprintf"); |
240 | 240 | ||
241 | if (is_link(fullname)) { | 241 | if (is_link(fullname)) { |
242 | char* fname = realpath(fullname, NULL); | 242 | char* fname = realpath(fullname, NULL); |
243 | if (fname) { | 243 | if (fname) { |
@@ -250,7 +250,7 @@ static void clear(void) { | |||
250 | } | 250 | } |
251 | free(fullname); | 251 | free(fullname); |
252 | } | 252 | } |
253 | 253 | ||
254 | closedir(dir); | 254 | closedir(dir); |
255 | free(firejail_exec); | 255 | free(firejail_exec); |
256 | } | 256 | } |
@@ -262,7 +262,7 @@ static void set_file(const char *name, const char *firejail_exec) { | |||
262 | char *fname; | 262 | char *fname; |
263 | if (asprintf(&fname, "/usr/local/bin/%s", name) == -1) | 263 | if (asprintf(&fname, "/usr/local/bin/%s", name) == -1) |
264 | errExit("asprintf"); | 264 | errExit("asprintf"); |
265 | 265 | ||
266 | struct stat s; | 266 | struct stat s; |
267 | if (stat(fname, &s) != 0) { | 267 | if (stat(fname, &s) != 0) { |
268 | int rv = symlink(firejail_exec, fname); | 268 | int rv = symlink(firejail_exec, fname); |
@@ -273,7 +273,7 @@ static void set_file(const char *name, const char *firejail_exec) { | |||
273 | else | 273 | else |
274 | printf(" %s created\n", name); | 274 | printf(" %s created\n", name); |
275 | } | 275 | } |
276 | 276 | ||
277 | free(fname); | 277 | free(fname); |
278 | } | 278 | } |
279 | 279 | ||
@@ -292,7 +292,7 @@ static void set_links(void) { | |||
292 | exit(1); | 292 | exit(1); |
293 | } | 293 | } |
294 | printf("Configuring symlinks in /usr/local/bin\n"); | 294 | printf("Configuring symlinks in /usr/local/bin\n"); |
295 | 295 | ||
296 | char buf[MAX_BUF]; | 296 | char buf[MAX_BUF]; |
297 | int lineno = 0; | 297 | int lineno = 0; |
298 | while (fgets(buf, MAX_BUF,fp)) { | 298 | while (fgets(buf, MAX_BUF,fp)) { |
@@ -305,18 +305,18 @@ static void set_links(void) { | |||
305 | fprintf(stderr, "Error: invalid line %d in %s\n", lineno, cfgfile); | 305 | fprintf(stderr, "Error: invalid line %d in %s\n", lineno, cfgfile); |
306 | exit(1); | 306 | exit(1); |
307 | } | 307 | } |
308 | 308 | ||
309 | // remove \n | 309 | // remove \n |
310 | char *ptr = strchr(buf, '\n'); | 310 | char *ptr = strchr(buf, '\n'); |
311 | if (ptr) | 311 | if (ptr) |
312 | *ptr = '\0'; | 312 | *ptr = '\0'; |
313 | 313 | ||
314 | // trim spaces | 314 | // trim spaces |
315 | ptr = buf; | 315 | ptr = buf; |
316 | while (*ptr == ' ' || *ptr == '\t') | 316 | while (*ptr == ' ' || *ptr == '\t') |
317 | ptr++; | 317 | ptr++; |
318 | char *start = ptr; | 318 | char *start = ptr; |
319 | 319 | ||
320 | // empty line | 320 | // empty line |
321 | if (*start == '\0') | 321 | if (*start == '\0') |
322 | continue; | 322 | continue; |
@@ -334,7 +334,7 @@ int have_profile(const char *filename) { | |||
334 | // remove .desktop extension | 334 | // remove .desktop extension |
335 | char *f1 = strdup(filename); | 335 | char *f1 = strdup(filename); |
336 | if (!f1) | 336 | if (!f1) |
337 | errExit("strdup"); | 337 | errExit("strdup"); |
338 | f1[strlen(filename) - 8] = '\0'; | 338 | f1[strlen(filename) - 8] = '\0'; |
339 | 339 | ||
340 | // build profile name | 340 | // build profile name |
@@ -358,7 +358,7 @@ static void fix_desktop_files(char *homedir) { | |||
358 | fprintf(stderr, "Error: this option is not supported for root user; please run as a regular user.\n"); | 358 | fprintf(stderr, "Error: this option is not supported for root user; please run as a regular user.\n"); |
359 | exit(1); | 359 | exit(1); |
360 | } | 360 | } |
361 | 361 | ||
362 | // destination | 362 | // destination |
363 | // create ~/.local/share/applications directory if necessary | 363 | // create ~/.local/share/applications directory if necessary |
364 | char *user_apps_dir; | 364 | char *user_apps_dir; |
@@ -373,7 +373,7 @@ static void fix_desktop_files(char *homedir) { | |||
373 | } | 373 | } |
374 | rv = chmod(user_apps_dir, 0700); | 374 | rv = chmod(user_apps_dir, 0700); |
375 | (void) rv; | 375 | (void) rv; |
376 | } | 376 | } |
377 | 377 | ||
378 | // source | 378 | // source |
379 | DIR *dir = opendir("/usr/share/applications"); | 379 | DIR *dir = opendir("/usr/share/applications"); |
@@ -527,7 +527,7 @@ static void fix_desktop_files(char *homedir) { | |||
527 | 527 | ||
528 | int main(int argc, char **argv) { | 528 | int main(int argc, char **argv) { |
529 | int i; | 529 | int i; |
530 | 530 | ||
531 | for (i = 1; i < argc; i++) { | 531 | for (i = 1; i < argc; i++) { |
532 | // default options | 532 | // default options |
533 | if (strcmp(argv[i], "--help") == 0 || | 533 | if (strcmp(argv[i], "--help") == 0 || |
@@ -572,7 +572,7 @@ int main(int argc, char **argv) { | |||
572 | return 1; | 572 | return 1; |
573 | } | 573 | } |
574 | } | 574 | } |
575 | 575 | ||
576 | // set symlinks in /usr/local/bin | 576 | // set symlinks in /usr/local/bin |
577 | if (getuid() != 0) { | 577 | if (getuid() != 0) { |
578 | fprintf(stderr, "Error: cannot set the symbolic links in /usr/local/bin\n"); | 578 | fprintf(stderr, "Error: cannot set the symbolic links in /usr/local/bin\n"); |
@@ -615,11 +615,10 @@ int main(int argc, char **argv) { | |||
615 | printf("%s %d %d %d %d\n", user, getuid(), getgid(), geteuid(), getegid()); | 615 | printf("%s %d %d %d %d\n", user, getuid(), getgid(), geteuid(), getegid()); |
616 | fix_desktop_files(home); | 616 | fix_desktop_files(home); |
617 | } | 617 | } |
618 | 618 | ||
619 | return 0; | 619 | return 0; |
620 | 620 | ||
621 | errexit: | 621 | errexit: |
622 | fprintf(stderr, "Error: cannot detect login user in order to set desktop files in ~/.local/share/applications\n"); | 622 | fprintf(stderr, "Error: cannot detect login user in order to set desktop files in ~/.local/share/applications\n"); |
623 | return 1; | 623 | return 1; |
624 | } | 624 | } |
625 | |||
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index 80f35ff4d..2059713ac 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in | |||
@@ -42,4 +42,3 @@ clean:; rm -f *.o firejail firejail.1 firejail.1.gz *.gcov *.gcda *.gcno | |||
42 | 42 | ||
43 | distclean: clean | 43 | distclean: clean |
44 | rm -fr Makefile | 44 | rm -fr Makefile |
45 | |||
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index e14de3c27..976750f8f 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c | |||
@@ -28,7 +28,7 @@ | |||
28 | #include <linux/loop.h> | 28 | #include <linux/loop.h> |
29 | #include <errno.h> | 29 | #include <errno.h> |
30 | 30 | ||
31 | static char *devloop = NULL; // device file | 31 | static char *devloop = NULL; // device file |
32 | static char *mntdir = NULL; // mount point in /tmp directory | 32 | static char *mntdir = NULL; // mount point in /tmp directory |
33 | 33 | ||
34 | static void err_loop(void) { | 34 | static void err_loop(void) { |
@@ -40,7 +40,7 @@ void appimage_set(const char *appimage) { | |||
40 | assert(appimage); | 40 | assert(appimage); |
41 | assert(devloop == NULL); // don't call this twice! | 41 | assert(devloop == NULL); // don't call this twice! |
42 | EUID_ASSERT(); | 42 | EUID_ASSERT(); |
43 | 43 | ||
44 | #ifdef LOOP_CTL_GET_FREE // test for older kernels; this definition is found in /usr/include/linux/loop.h | 44 | #ifdef LOOP_CTL_GET_FREE // test for older kernels; this definition is found in /usr/include/linux/loop.h |
45 | // check appimage file | 45 | // check appimage file |
46 | invalid_filename(appimage); | 46 | invalid_filename(appimage); |
@@ -74,13 +74,13 @@ void appimage_set(const char *appimage) { | |||
74 | close(cfd); | 74 | close(cfd); |
75 | if (asprintf(&devloop, "/dev/loop%d", devnr) == -1) | 75 | if (asprintf(&devloop, "/dev/loop%d", devnr) == -1) |
76 | errExit("asprintf"); | 76 | errExit("asprintf"); |
77 | 77 | ||
78 | int lfd = open(devloop, O_RDONLY); | 78 | int lfd = open(devloop, O_RDONLY); |
79 | if (lfd == -1) | 79 | if (lfd == -1) |
80 | err_loop(); | 80 | err_loop(); |
81 | if (ioctl(lfd, LOOP_SET_FD, ffd) == -1) | 81 | if (ioctl(lfd, LOOP_SET_FD, ffd) == -1) |
82 | err_loop(); | 82 | err_loop(); |
83 | 83 | ||
84 | if (size) { | 84 | if (size) { |
85 | struct loop_info64 info; | 85 | struct loop_info64 info; |
86 | memset(&info, 0, sizeof(struct loop_info64)); | 86 | memset(&info, 0, sizeof(struct loop_info64)); |
@@ -88,7 +88,7 @@ void appimage_set(const char *appimage) { | |||
88 | if (ioctl(lfd, LOOP_SET_STATUS64, &info) == -1) | 88 | if (ioctl(lfd, LOOP_SET_STATUS64, &info) == -1) |
89 | err_loop(); | 89 | err_loop(); |
90 | } | 90 | } |
91 | 91 | ||
92 | close(lfd); | 92 | close(lfd); |
93 | close(ffd); | 93 | close(ffd); |
94 | EUID_USER(); | 94 | EUID_USER(); |
@@ -99,13 +99,13 @@ void appimage_set(const char *appimage) { | |||
99 | EUID_ROOT(); | 99 | EUID_ROOT(); |
100 | mkdir_attr(mntdir, 0700, getuid(), getgid()); | 100 | mkdir_attr(mntdir, 0700, getuid(), getgid()); |
101 | EUID_USER(); | 101 | EUID_USER(); |
102 | 102 | ||
103 | // mount | 103 | // mount |
104 | char *mode; | 104 | char *mode; |
105 | if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1) | 105 | if (asprintf(&mode, "mode=700,uid=%d,gid=%d", getuid(), getgid()) == -1) |
106 | errExit("asprintf"); | 106 | errExit("asprintf"); |
107 | EUID_ROOT(); | 107 | EUID_ROOT(); |
108 | 108 | ||
109 | if (size == 0) { | 109 | if (size == 0) { |
110 | if (mount(devloop, mntdir, "iso9660",MS_MGC_VAL|MS_RDONLY, mode) < 0) | 110 | if (mount(devloop, mntdir, "iso9660",MS_MGC_VAL|MS_RDONLY, mode) < 0) |
111 | errExit("mounting appimage"); | 111 | errExit("mounting appimage"); |
@@ -128,7 +128,7 @@ void appimage_set(const char *appimage) { | |||
128 | // build new command line | 128 | // build new command line |
129 | if (asprintf(&cfg.command_line, "%s/AppRun", mntdir) == -1) | 129 | if (asprintf(&cfg.command_line, "%s/AppRun", mntdir) == -1) |
130 | errExit("asprintf"); | 130 | errExit("asprintf"); |
131 | 131 | ||
132 | free(mode); | 132 | free(mode); |
133 | #ifdef HAVE_GCOV | 133 | #ifdef HAVE_GCOV |
134 | __gcov_flush(); | 134 | __gcov_flush(); |
@@ -151,7 +151,7 @@ void appimage_clear(void) { | |||
151 | if (rv == 0) { | 151 | if (rv == 0) { |
152 | if (!arg_quiet) | 152 | if (!arg_quiet) |
153 | printf("AppImage unmounted\n"); | 153 | printf("AppImage unmounted\n"); |
154 | 154 | ||
155 | break; | 155 | break; |
156 | } | 156 | } |
157 | if (rv == -1 && errno == EBUSY) { | 157 | if (rv == -1 && errno == EBUSY) { |
@@ -159,14 +159,14 @@ void appimage_clear(void) { | |||
159 | sleep(2); | 159 | sleep(2); |
160 | continue; | 160 | continue; |
161 | } | 161 | } |
162 | 162 | ||
163 | // rv = -1 | 163 | // rv = -1 |
164 | if (!arg_quiet) { | 164 | if (!arg_quiet) { |
165 | fwarning("error trying to unmount %s\n", mntdir); | 165 | fwarning("error trying to unmount %s\n", mntdir); |
166 | perror("umount"); | 166 | perror("umount"); |
167 | } | 167 | } |
168 | } | 168 | } |
169 | 169 | ||
170 | if (rv == 0) { | 170 | if (rv == 0) { |
171 | rmdir(mntdir); | 171 | rmdir(mntdir); |
172 | free(mntdir); | 172 | free(mntdir); |
diff --git a/src/firejail/appimage_size.c b/src/firejail/appimage_size.c index 1632440ed..c750f9028 100644 --- a/src/firejail/appimage_size.c +++ b/src/firejail/appimage_size.c | |||
@@ -156,5 +156,3 @@ getout: | |||
156 | close(fd); | 156 | close(fd); |
157 | return size; | 157 | return size; |
158 | } | 158 | } |
159 | |||
160 | |||
diff --git a/src/firejail/arg-checking.txt b/src/firejail/arg-checking.txt index 07e61df93..cfed454f8 100644 --- a/src/firejail/arg-checking.txt +++ b/src/firejail/arg-checking.txt | |||
@@ -49,7 +49,7 @@ arg checking: | |||
49 | - checking no link | 49 | - checking no link |
50 | - checking no ".." | 50 | - checking no ".." |
51 | - unit test | 51 | - unit test |
52 | 52 | ||
53 | 8. --private=dirname | 53 | 8. --private=dirname |
54 | - supported in profiles | 54 | - supported in profiles |
55 | - expand "~" | 55 | - expand "~" |
@@ -58,7 +58,7 @@ arg checking: | |||
58 | - checking no ".." | 58 | - checking no ".." |
59 | - check same owner | 59 | - check same owner |
60 | - unit test | 60 | - unit test |
61 | 61 | ||
62 | 9. --private-home=filelist | 62 | 9. --private-home=filelist |
63 | - supported in profiles | 63 | - supported in profiles |
64 | - checking no ".." | 64 | - checking no ".." |
@@ -66,7 +66,7 @@ arg checking: | |||
66 | - checking same owner | 66 | - checking same owner |
67 | - checking no link | 67 | - checking no link |
68 | - unit test | 68 | - unit test |
69 | 69 | ||
70 | 10. --netfilter=filename | 70 | 10. --netfilter=filename |
71 | - supported in profiles | 71 | - supported in profiles |
72 | - check access as real GID/UID | 72 | - check access as real GID/UID |
@@ -74,7 +74,7 @@ arg checking: | |||
74 | - checking no link | 74 | - checking no link |
75 | - checking no ".." | 75 | - checking no ".." |
76 | - unit test | 76 | - unit test |
77 | 77 | ||
78 | 11. --shell=filename | 78 | 11. --shell=filename |
79 | - not supported in profiles | 79 | - not supported in profiles |
80 | - check access as real GID/UID | 80 | - check access as real GID/UID |
@@ -82,4 +82,3 @@ arg checking: | |||
82 | - checking no link | 82 | - checking no link |
83 | - checking no ".." | 83 | - checking no ".." |
84 | - unit test | 84 | - unit test |
85 | |||
diff --git a/src/firejail/arp.c b/src/firejail/arp.c index 55ffbb301..10cfe507f 100644 --- a/src/firejail/arp.c +++ b/src/firejail/arp.c | |||
@@ -47,7 +47,7 @@ int arp_check(const char *dev, uint32_t destaddr, uint32_t srcaddr) { | |||
47 | fprintf(stderr, "Error: invalid network device name %s\n", dev); | 47 | fprintf(stderr, "Error: invalid network device name %s\n", dev); |
48 | exit(1); | 48 | exit(1); |
49 | } | 49 | } |
50 | 50 | ||
51 | if (arg_debug) | 51 | if (arg_debug) |
52 | printf("Trying %d.%d.%d.%d ...\n", PRINT_IP(destaddr)); | 52 | printf("Trying %d.%d.%d.%d ...\n", PRINT_IP(destaddr)); |
53 | 53 | ||
@@ -66,7 +66,7 @@ int arp_check(const char *dev, uint32_t destaddr, uint32_t srcaddr) { | |||
66 | if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0) | 66 | if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0) |
67 | errExit("ioctl"); | 67 | errExit("ioctl"); |
68 | close(sock); | 68 | close(sock); |
69 | 69 | ||
70 | // configure layer2 socket address information | 70 | // configure layer2 socket address information |
71 | struct sockaddr_ll addr; | 71 | struct sockaddr_ll addr; |
72 | memset(&addr, 0, sizeof(addr)); | 72 | memset(&addr, 0, sizeof(addr)); |
@@ -105,7 +105,7 @@ int arp_check(const char *dev, uint32_t destaddr, uint32_t srcaddr) { | |||
105 | if ((len = sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr))) <= 0) | 105 | if ((len = sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr))) <= 0) |
106 | errExit("send"); | 106 | errExit("send"); |
107 | fflush(0); | 107 | fflush(0); |
108 | 108 | ||
109 | // wait not more than one second for an answer | 109 | // wait not more than one second for an answer |
110 | fd_set fds; | 110 | fd_set fds; |
111 | FD_ZERO(&fds); | 111 | FD_ZERO(&fds); |
@@ -130,7 +130,7 @@ int arp_check(const char *dev, uint32_t destaddr, uint32_t srcaddr) { | |||
130 | close(sock); | 130 | close(sock); |
131 | return -1; | 131 | return -1; |
132 | } | 132 | } |
133 | 133 | ||
134 | // parse the incoming packet | 134 | // parse the incoming packet |
135 | if ((unsigned int) len < 14 + sizeof(ArpHdr)) | 135 | if ((unsigned int) len < 14 + sizeof(ArpHdr)) |
136 | continue; | 136 | continue; |
@@ -147,7 +147,7 @@ int arp_check(const char *dev, uint32_t destaddr, uint32_t srcaddr) { | |||
147 | memcpy(&ip, hdr.target_ip, 4); | 147 | memcpy(&ip, hdr.target_ip, 4); |
148 | if (ip != srcaddr) { | 148 | if (ip != srcaddr) { |
149 | continue; | 149 | continue; |
150 | } | 150 | } |
151 | close(sock); | 151 | close(sock); |
152 | return -1; | 152 | return -1; |
153 | } | 153 | } |
@@ -180,13 +180,13 @@ static uint32_t arp_random(const char *dev, Bridge *br) { | |||
180 | return 0; // the user will have to set the IP address manually | 180 | return 0; // the user will have to set the IP address manually |
181 | range -= 2; // subtract the network address and the broadcast address | 181 | range -= 2; // subtract the network address and the broadcast address |
182 | uint32_t start = (ifip & ifmask) + 1; | 182 | uint32_t start = (ifip & ifmask) + 1; |
183 | 183 | ||
184 | // adjust range based on --iprange params | 184 | // adjust range based on --iprange params |
185 | if (br->iprange_start && br->iprange_end) { | 185 | if (br->iprange_start && br->iprange_end) { |
186 | start = br->iprange_start; | 186 | start = br->iprange_start; |
187 | range = br->iprange_end - br->iprange_start; | 187 | range = br->iprange_end - br->iprange_start; |
188 | } | 188 | } |
189 | 189 | ||
190 | if (arg_debug) | 190 | if (arg_debug) |
191 | printf("IP address range from %d.%d.%d.%d to %d.%d.%d.%d\n", | 191 | printf("IP address range from %d.%d.%d.%d to %d.%d.%d.%d\n", |
192 | PRINT_IP(start), PRINT_IP(start + range)); | 192 | PRINT_IP(start), PRINT_IP(start + range)); |
@@ -198,13 +198,13 @@ static uint32_t arp_random(const char *dev, Bridge *br) { | |||
198 | dest = start + ((uint32_t) rand()) % range; | 198 | dest = start + ((uint32_t) rand()) % range; |
199 | if (dest == ifip) // do not allow the interface address | 199 | if (dest == ifip) // do not allow the interface address |
200 | continue; // try again | 200 | continue; // try again |
201 | 201 | ||
202 | // if we've made it up to here, we have a valid address | 202 | // if we've made it up to here, we have a valid address |
203 | break; | 203 | break; |
204 | } | 204 | } |
205 | if (i == 10) // we failed 10 times | 205 | if (i == 10) // we failed 10 times |
206 | return 0; | 206 | return 0; |
207 | 207 | ||
208 | // check address | 208 | // check address |
209 | uint32_t rv = arp_check(dev, dest, ifip); | 209 | uint32_t rv = arp_check(dev, dest, ifip); |
210 | if (!rv) | 210 | if (!rv) |
@@ -237,7 +237,7 @@ static uint32_t arp_sequential(const char *dev, Bridge *br) { | |||
237 | uint32_t last = dest + range - 1; | 237 | uint32_t last = dest + range - 1; |
238 | if (br->iprange_end) | 238 | if (br->iprange_end) |
239 | last = br->iprange_end; | 239 | last = br->iprange_end; |
240 | 240 | ||
241 | if (arg_debug) | 241 | if (arg_debug) |
242 | printf("Trying IP address range from %d.%d.%d.%d to %d.%d.%d.%d\n", | 242 | printf("Trying IP address range from %d.%d.%d.%d to %d.%d.%d.%d\n", |
243 | PRINT_IP(dest), PRINT_IP(last)); | 243 | PRINT_IP(dest), PRINT_IP(last)); |
@@ -272,19 +272,17 @@ uint32_t arp_assign(const char *dev, Bridge *br) { | |||
272 | ip = arp_random(dev, br); | 272 | ip = arp_random(dev, br); |
273 | if (!ip) | 273 | if (!ip) |
274 | ip = arp_random(dev, br); | 274 | ip = arp_random(dev, br); |
275 | 275 | ||
276 | // try all possible IP addresses one by one | 276 | // try all possible IP addresses one by one |
277 | if (!ip) | 277 | if (!ip) |
278 | ip = arp_sequential(dev, br); | 278 | ip = arp_sequential(dev, br); |
279 | 279 | ||
280 | // print result | 280 | // print result |
281 | if (!ip) { | 281 | if (!ip) { |
282 | fprintf(stderr, "Error: cannot assign an IP address; it looks like all of them are in use.\n"); | 282 | fprintf(stderr, "Error: cannot assign an IP address; it looks like all of them are in use.\n"); |
283 | logerr("Cannot assign an IP address; it looks like all of them are in use."); | 283 | logerr("Cannot assign an IP address; it looks like all of them are in use."); |
284 | exit(1); | 284 | exit(1); |
285 | } | 285 | } |
286 | 286 | ||
287 | return ip; | 287 | return ip; |
288 | } | 288 | } |
289 | |||
290 | |||
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c index 998fe5ffe..24d027d54 100644 --- a/src/firejail/bandwidth.c +++ b/src/firejail/bandwidth.c | |||
@@ -58,30 +58,30 @@ IFBW *ifbw_find(const char *dev) { | |||
58 | assert(dev); | 58 | assert(dev); |
59 | int len = strlen(dev); | 59 | int len = strlen(dev); |
60 | assert(len); | 60 | assert(len); |
61 | 61 | ||
62 | if (ifbw == NULL) | 62 | if (ifbw == NULL) |
63 | return NULL; | 63 | return NULL; |
64 | 64 | ||
65 | IFBW *ptr = ifbw; | 65 | IFBW *ptr = ifbw; |
66 | while (ptr) { | 66 | while (ptr) { |
67 | if (strncmp(ptr->txt, dev, len) == 0 && ptr->txt[len] == ':') | 67 | if (strncmp(ptr->txt, dev, len) == 0 && ptr->txt[len] == ':') |
68 | return ptr; | 68 | return ptr; |
69 | ptr = ptr->next; | 69 | ptr = ptr->next; |
70 | } | 70 | } |
71 | 71 | ||
72 | return NULL; | 72 | return NULL; |
73 | } | 73 | } |
74 | 74 | ||
75 | void ifbw_remove(IFBW *r) { | 75 | void ifbw_remove(IFBW *r) { |
76 | if (ifbw == NULL) | 76 | if (ifbw == NULL) |
77 | return; | 77 | return; |
78 | 78 | ||
79 | // remove the first element | 79 | // remove the first element |
80 | if (ifbw == r) { | 80 | if (ifbw == r) { |
81 | ifbw = ifbw->next; | 81 | ifbw = ifbw->next; |
82 | return; | 82 | return; |
83 | } | 83 | } |
84 | 84 | ||
85 | // walk the list | 85 | // walk the list |
86 | IFBW *ptr = ifbw->next; | 86 | IFBW *ptr = ifbw->next; |
87 | IFBW *prev = ifbw; | 87 | IFBW *prev = ifbw; |
@@ -90,11 +90,11 @@ void ifbw_remove(IFBW *r) { | |||
90 | prev->next = ptr->next; | 90 | prev->next = ptr->next; |
91 | return; | 91 | return; |
92 | } | 92 | } |
93 | 93 | ||
94 | prev = ptr; | 94 | prev = ptr; |
95 | ptr = ptr->next; | 95 | ptr = ptr->next; |
96 | } | 96 | } |
97 | 97 | ||
98 | return; | 98 | return; |
99 | } | 99 | } |
100 | 100 | ||
@@ -106,10 +106,10 @@ int fibw_count(void) { | |||
106 | rv++; | 106 | rv++; |
107 | ptr = ptr->next; | 107 | ptr = ptr->next; |
108 | } | 108 | } |
109 | 109 | ||
110 | return rv; | 110 | return rv; |
111 | } | 111 | } |
112 | 112 | ||
113 | 113 | ||
114 | //*********************************** | 114 | //*********************************** |
115 | // run file handling | 115 | // run file handling |
@@ -118,7 +118,7 @@ static void bandwidth_create_run_file(pid_t pid) { | |||
118 | char *fname; | 118 | char *fname; |
119 | if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1) | 119 | if (asprintf(&fname, "%s/%d-bandwidth", RUN_FIREJAIL_BANDWIDTH_DIR, (int) pid) == -1) |
120 | errExit("asprintf"); | 120 | errExit("asprintf"); |
121 | 121 | ||
122 | // if the file already exists, do nothing | 122 | // if the file already exists, do nothing |
123 | struct stat s; | 123 | struct stat s; |
124 | if (stat(fname, &s) == 0) { | 124 | if (stat(fname, &s) == 0) { |
@@ -137,7 +137,7 @@ static void bandwidth_create_run_file(pid_t pid) { | |||
137 | fprintf(stderr, "Error: cannot create bandwidth file\n"); | 137 | fprintf(stderr, "Error: cannot create bandwidth file\n"); |
138 | exit(1); | 138 | exit(1); |
139 | } | 139 | } |
140 | 140 | ||
141 | free(fname); | 141 | free(fname); |
142 | } | 142 | } |
143 | 143 | ||
@@ -162,7 +162,7 @@ void network_set_run_file(pid_t pid) { | |||
162 | char *fname; | 162 | char *fname; |
163 | if (asprintf(&fname, "%s/%d-netmap", RUN_FIREJAIL_NETWORK_DIR, (int) pid) == -1) | 163 | if (asprintf(&fname, "%s/%d-netmap", RUN_FIREJAIL_NETWORK_DIR, (int) pid) == -1) |
164 | errExit("asprintf"); | 164 | errExit("asprintf"); |
165 | 165 | ||
166 | // create an empty file and set mod and ownership | 166 | // create an empty file and set mod and ownership |
167 | FILE *fp = fopen(fname, "w"); | 167 | FILE *fp = fopen(fname, "w"); |
168 | if (fp) { | 168 | if (fp) { |
@@ -182,7 +182,7 @@ void network_set_run_file(pid_t pid) { | |||
182 | fprintf(stderr, "Error: cannot create network map file\n"); | 182 | fprintf(stderr, "Error: cannot create network map file\n"); |
183 | exit(1); | 183 | exit(1); |
184 | } | 184 | } |
185 | 185 | ||
186 | free(fname); | 186 | free(fname); |
187 | } | 187 | } |
188 | 188 | ||
@@ -204,7 +204,7 @@ static void read_bandwidth_file(pid_t pid) { | |||
204 | *ptr = '\0'; | 204 | *ptr = '\0'; |
205 | if (strlen(buf) == 0) | 205 | if (strlen(buf) == 0) |
206 | continue; | 206 | continue; |
207 | 207 | ||
208 | // create a new IFBW entry | 208 | // create a new IFBW entry |
209 | IFBW *ifbw_new = malloc(sizeof(IFBW)); | 209 | IFBW *ifbw_new = malloc(sizeof(IFBW)); |
210 | if (!ifbw_new) | 210 | if (!ifbw_new) |
@@ -213,12 +213,12 @@ static void read_bandwidth_file(pid_t pid) { | |||
213 | ifbw_new->txt = strdup(buf); | 213 | ifbw_new->txt = strdup(buf); |
214 | if (!ifbw_new->txt) | 214 | if (!ifbw_new->txt) |
215 | errExit("strdup"); | 215 | errExit("strdup"); |
216 | 216 | ||
217 | // add it to the linked list | 217 | // add it to the linked list |
218 | ifbw_add(ifbw_new); | 218 | ifbw_add(ifbw_new); |
219 | } | 219 | } |
220 | 220 | ||
221 | fclose(fp); | 221 | fclose(fp); |
222 | } | 222 | } |
223 | } | 223 | } |
224 | 224 | ||
@@ -256,17 +256,17 @@ errout: | |||
256 | // remove interface from run file | 256 | // remove interface from run file |
257 | void bandwidth_remove(pid_t pid, const char *dev) { | 257 | void bandwidth_remove(pid_t pid, const char *dev) { |
258 | bandwidth_create_run_file(pid); | 258 | bandwidth_create_run_file(pid); |
259 | 259 | ||
260 | // read bandwidth file | 260 | // read bandwidth file |
261 | read_bandwidth_file(pid); | 261 | read_bandwidth_file(pid); |
262 | 262 | ||
263 | // find the element and remove it | 263 | // find the element and remove it |
264 | IFBW *elem = ifbw_find(dev); | 264 | IFBW *elem = ifbw_find(dev); |
265 | if (elem) { | 265 | if (elem) { |
266 | ifbw_remove(elem); | 266 | ifbw_remove(elem); |
267 | write_bandwidth_file(pid) ; | 267 | write_bandwidth_file(pid) ; |
268 | } | 268 | } |
269 | 269 | ||
270 | // remove the file if there are no entries in the list | 270 | // remove the file if there are no entries in the list |
271 | if (ifbw == NULL) { | 271 | if (ifbw == NULL) { |
272 | bandwidth_del_run_file(pid); | 272 | bandwidth_del_run_file(pid); |
@@ -282,7 +282,7 @@ void bandwidth_set(pid_t pid, const char *dev, int down, int up) { | |||
282 | char *txt; | 282 | char *txt; |
283 | if (asprintf(&txt, "%s: RX %dKB/s, TX %dKB/s", dev, down, up) == -1) | 283 | if (asprintf(&txt, "%s: RX %dKB/s, TX %dKB/s", dev, down, up) == -1) |
284 | errExit("asprintf"); | 284 | errExit("asprintf"); |
285 | 285 | ||
286 | // read bandwidth file | 286 | // read bandwidth file |
287 | read_bandwidth_file(pid); | 287 | read_bandwidth_file(pid); |
288 | 288 | ||
@@ -300,7 +300,7 @@ void bandwidth_set(pid_t pid, const char *dev, int down, int up) { | |||
300 | errExit("malloc"); | 300 | errExit("malloc"); |
301 | memset(ifbw_new, 0, sizeof(IFBW)); | 301 | memset(ifbw_new, 0, sizeof(IFBW)); |
302 | ifbw_new->txt = txt; | 302 | ifbw_new->txt = txt; |
303 | 303 | ||
304 | // add it to the linked list | 304 | // add it to the linked list |
305 | ifbw_add(ifbw_new); | 305 | ifbw_add(ifbw_new); |
306 | } | 306 | } |
@@ -330,7 +330,7 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in | |||
330 | exit(1); | 330 | exit(1); |
331 | } | 331 | } |
332 | free(comm); | 332 | free(comm); |
333 | 333 | ||
334 | // check network namespace | 334 | // check network namespace |
335 | char *name; | 335 | char *name; |
336 | if (asprintf(&name, "/run/firejail/network/%d-netmap", pid) == -1) | 336 | if (asprintf(&name, "/run/firejail/network/%d-netmap", pid) == -1) |
@@ -376,7 +376,7 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in | |||
376 | fprintf(stderr, "Error: cannot read network map file %s\n", fname); | 376 | fprintf(stderr, "Error: cannot read network map file %s\n", fname); |
377 | exit(1); | 377 | exit(1); |
378 | } | 378 | } |
379 | 379 | ||
380 | char buf[1024]; | 380 | char buf[1024]; |
381 | int len = strlen(dev); | 381 | int len = strlen(dev); |
382 | while (fgets(buf, 1024, fp)) { | 382 | while (fgets(buf, 1024, fp)) { |
@@ -402,7 +402,7 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in | |||
402 | free(fname); | 402 | free(fname); |
403 | fclose(fp); | 403 | fclose(fp); |
404 | } | 404 | } |
405 | 405 | ||
406 | // build fshaper.sh command | 406 | // build fshaper.sh command |
407 | char *cmd = NULL; | 407 | char *cmd = NULL; |
408 | if (devname) { | 408 | if (devname) { |
@@ -442,7 +442,7 @@ void bandwidth_pid(pid_t pid, const char *command, const char *dev, int down, in | |||
442 | arg[3] = NULL; | 442 | arg[3] = NULL; |
443 | clearenv(); | 443 | clearenv(); |
444 | execvp(arg[0], arg); | 444 | execvp(arg[0], arg); |
445 | 445 | ||
446 | // it will never get here | 446 | // it will never get here |
447 | errExit("execvp"); | 447 | errExit("execvp"); |
448 | } | 448 | } |
diff --git a/src/firejail/caps.c b/src/firejail/caps.c index 30693f7a0..d45ba20ce 100644 --- a/src/firejail/caps.c +++ b/src/firejail/caps.c | |||
@@ -154,12 +154,12 @@ static CapsEntry capslist[] = { | |||
154 | // not in Debian 7 | 154 | // not in Debian 7 |
155 | #ifdef CAP_BLOCK_SUSPEND | 155 | #ifdef CAP_BLOCK_SUSPEND |
156 | {"block_suspend", CAP_BLOCK_SUSPEND }, | 156 | {"block_suspend", CAP_BLOCK_SUSPEND }, |
157 | #else | 157 | #else |
158 | {"block_suspend", 36 }, | 158 | {"block_suspend", 36 }, |
159 | #endif | 159 | #endif |
160 | #ifdef CAP_AUDIT_READ | 160 | #ifdef CAP_AUDIT_READ |
161 | {"audit_read", CAP_AUDIT_READ }, | 161 | {"audit_read", CAP_AUDIT_READ }, |
162 | #else | 162 | #else |
163 | {"audit_read", 37 }, | 163 | {"audit_read", 37 }, |
164 | #endif | 164 | #endif |
165 | 165 | ||
@@ -176,7 +176,7 @@ static int caps_find_name(const char *name) { | |||
176 | if (strcmp(name, capslist[i].name) == 0) | 176 | if (strcmp(name, capslist[i].name) == 0) |
177 | return capslist[i].nr; | 177 | return capslist[i].nr; |
178 | } | 178 | } |
179 | 179 | ||
180 | return -1; | 180 | return -1; |
181 | } | 181 | } |
182 | 182 | ||
@@ -205,32 +205,32 @@ void caps_check_list(const char *clist, void (*callback)(int)) { | |||
205 | goto errexit; | 205 | goto errexit; |
206 | else if (callback != NULL) | 206 | else if (callback != NULL) |
207 | callback(nr); | 207 | callback(nr); |
208 | 208 | ||
209 | start = ptr + 1; | 209 | start = ptr + 1; |
210 | } | 210 | } |
211 | ptr++; | 211 | ptr++; |
212 | } | 212 | } |
213 | if (*start != '\0') { | 213 | if (*start != '\0') { |
214 | int nr = caps_find_name(start); | 214 | int nr = caps_find_name(start); |
215 | if (nr == -1) | 215 | if (nr == -1) |
216 | goto errexit; | 216 | goto errexit; |
217 | else if (callback != NULL) | 217 | else if (callback != NULL) |
218 | callback(nr); | 218 | callback(nr); |
219 | } | 219 | } |
220 | 220 | ||
221 | free(str); | 221 | free(str); |
222 | return; | 222 | return; |
223 | 223 | ||
224 | errexit: | 224 | errexit: |
225 | fprintf(stderr, "Error: capability \"%s\" not found\n", start); | 225 | fprintf(stderr, "Error: capability \"%s\" not found\n", start); |
226 | exit(1); | 226 | exit(1); |
227 | } | 227 | } |
228 | 228 | ||
229 | void caps_print(void) { | 229 | void caps_print(void) { |
230 | EUID_ASSERT(); | 230 | EUID_ASSERT(); |
231 | int i; | 231 | int i; |
232 | int elems = sizeof(capslist) / sizeof(capslist[0]); | 232 | int elems = sizeof(capslist) / sizeof(capslist[0]); |
233 | 233 | ||
234 | // check current caps supported by the kernel | 234 | // check current caps supported by the kernel |
235 | int cnt = 0; | 235 | int cnt = 0; |
236 | unsigned long cap; | 236 | unsigned long cap; |
@@ -242,7 +242,7 @@ void caps_print(void) { | |||
242 | } | 242 | } |
243 | EUID_USER(); | 243 | EUID_USER(); |
244 | printf("Your kernel supports %d capabilities.\n", cnt); | 244 | printf("Your kernel supports %d capabilities.\n", cnt); |
245 | 245 | ||
246 | for (i = 0; i < elems; i++) { | 246 | for (i = 0; i < elems; i++) { |
247 | printf("%d\t- %s\n", capslist[i].nr, capslist[i].name); | 247 | printf("%d\t- %s\n", capslist[i].nr, capslist[i].name); |
248 | } | 248 | } |
@@ -300,7 +300,7 @@ int caps_default_filter(void) { | |||
300 | 300 | ||
301 | errexit: | 301 | errexit: |
302 | fprintf(stderr, "Error: cannot drop capabilities\n"); | 302 | fprintf(stderr, "Error: cannot drop capabilities\n"); |
303 | exit(1); | 303 | exit(1); |
304 | } | 304 | } |
305 | 305 | ||
306 | void caps_drop_all(void) { | 306 | void caps_drop_all(void) { |
@@ -359,7 +359,7 @@ void caps_keep_list(const char *clist) { | |||
359 | #define MAXBUF 4098 | 359 | #define MAXBUF 4098 |
360 | static uint64_t extract_caps(int pid) { | 360 | static uint64_t extract_caps(int pid) { |
361 | EUID_ASSERT(); | 361 | EUID_ASSERT(); |
362 | 362 | ||
363 | char *file; | 363 | char *file; |
364 | if (asprintf(&file, "/proc/%d/status", pid) == -1) | 364 | if (asprintf(&file, "/proc/%d/status", pid) == -1) |
365 | errExit("asprintf"); | 365 | errExit("asprintf"); |
@@ -369,7 +369,7 @@ static uint64_t extract_caps(int pid) { | |||
369 | EUID_USER(); // grsecurity | 369 | EUID_USER(); // grsecurity |
370 | if (!fp) | 370 | if (!fp) |
371 | goto errexit; | 371 | goto errexit; |
372 | 372 | ||
373 | char buf[MAXBUF]; | 373 | char buf[MAXBUF]; |
374 | while (fgets(buf, MAXBUF, fp)) { | 374 | while (fgets(buf, MAXBUF, fp)) { |
375 | if (strncmp(buf, "CapBnd:\t", 8) == 0) { | 375 | if (strncmp(buf, "CapBnd:\t", 8) == 0) { |
@@ -383,7 +383,7 @@ static uint64_t extract_caps(int pid) { | |||
383 | } | 383 | } |
384 | fclose(fp); | 384 | fclose(fp); |
385 | 385 | ||
386 | errexit: | 386 | errexit: |
387 | free(file); | 387 | free(file); |
388 | fprintf(stderr, "Error: cannot read caps configuration\n"); | 388 | fprintf(stderr, "Error: cannot read caps configuration\n"); |
389 | exit(1); | 389 | exit(1); |
@@ -391,7 +391,7 @@ errexit: | |||
391 | 391 | ||
392 | void caps_print_filter(pid_t pid) { | 392 | void caps_print_filter(pid_t pid) { |
393 | EUID_ASSERT(); | 393 | EUID_ASSERT(); |
394 | 394 | ||
395 | // if the pid is that of a firejail process, use the pid of the first child process | 395 | // if the pid is that of a firejail process, use the pid of the first child process |
396 | EUID_ROOT(); // grsecurity | 396 | EUID_ROOT(); // grsecurity |
397 | char *comm = pid_proc_comm(pid); | 397 | char *comm = pid_proc_comm(pid); |
diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c index 6ceb647ff..70f07dd23 100644 --- a/src/firejail/cgroup.c +++ b/src/firejail/cgroup.c | |||
@@ -25,7 +25,7 @@ | |||
25 | void save_cgroup(void) { | 25 | void save_cgroup(void) { |
26 | if (cfg.cgroup == NULL) | 26 | if (cfg.cgroup == NULL) |
27 | return; | 27 | return; |
28 | 28 | ||
29 | FILE *fp = fopen(RUN_CGROUP_CFG, "w"); | 29 | FILE *fp = fopen(RUN_CGROUP_CFG, "w"); |
30 | if (fp) { | 30 | if (fp) { |
31 | fprintf(fp, "%s", cfg.cgroup); | 31 | fprintf(fp, "%s", cfg.cgroup); |
@@ -36,7 +36,7 @@ void save_cgroup(void) { | |||
36 | } | 36 | } |
37 | else | 37 | else |
38 | goto errout; | 38 | goto errout; |
39 | 39 | ||
40 | return; | 40 | return; |
41 | 41 | ||
42 | errout: | 42 | errout: |
@@ -58,7 +58,7 @@ void load_cgroup(const char *fname) { | |||
58 | } | 58 | } |
59 | else | 59 | else |
60 | goto errout; | 60 | goto errout; |
61 | 61 | ||
62 | fclose(fp); | 62 | fclose(fp); |
63 | return; | 63 | return; |
64 | } | 64 | } |
@@ -71,34 +71,34 @@ errout: | |||
71 | 71 | ||
72 | void set_cgroup(const char *path) { | 72 | void set_cgroup(const char *path) { |
73 | EUID_ASSERT(); | 73 | EUID_ASSERT(); |
74 | 74 | ||
75 | invalid_filename(path); | 75 | invalid_filename(path); |
76 | 76 | ||
77 | // path starts with /sys/fs/cgroup | 77 | // path starts with /sys/fs/cgroup |
78 | if (strncmp(path, "/sys/fs/cgroup", 14) != 0) | 78 | if (strncmp(path, "/sys/fs/cgroup", 14) != 0) |
79 | goto errout; | 79 | goto errout; |
80 | 80 | ||
81 | // path ends in tasks | 81 | // path ends in tasks |
82 | char *ptr = strstr(path, "tasks"); | 82 | char *ptr = strstr(path, "tasks"); |
83 | if (!ptr) | 83 | if (!ptr) |
84 | goto errout; | 84 | goto errout; |
85 | if (*(ptr + 5) != '\0') | 85 | if (*(ptr + 5) != '\0') |
86 | goto errout; | 86 | goto errout; |
87 | 87 | ||
88 | // no .. traversal | 88 | // no .. traversal |
89 | ptr = strstr(path, ".."); | 89 | ptr = strstr(path, ".."); |
90 | if (ptr) | 90 | if (ptr) |
91 | goto errout; | 91 | goto errout; |
92 | 92 | ||
93 | // tasks file exists | 93 | // tasks file exists |
94 | struct stat s; | 94 | struct stat s; |
95 | if (stat(path, &s) == -1) | 95 | if (stat(path, &s) == -1) |
96 | goto errout; | 96 | goto errout; |
97 | 97 | ||
98 | // task file belongs to the user running the sandbox | 98 | // task file belongs to the user running the sandbox |
99 | if (s.st_uid != getuid() && s.st_gid != getgid()) | 99 | if (s.st_uid != getuid() && s.st_gid != getgid()) |
100 | goto errout2; | 100 | goto errout2; |
101 | 101 | ||
102 | // add the task to cgroup | 102 | // add the task to cgroup |
103 | /* coverity[toctou] */ | 103 | /* coverity[toctou] */ |
104 | FILE *fp = fopen(path, "a"); | 104 | FILE *fp = fopen(path, "a"); |
@@ -110,10 +110,10 @@ void set_cgroup(const char *path) { | |||
110 | fclose(fp); | 110 | fclose(fp); |
111 | return; | 111 | return; |
112 | 112 | ||
113 | errout: | 113 | errout: |
114 | fprintf(stderr, "Error: invalid cgroup\n"); | 114 | fprintf(stderr, "Error: invalid cgroup\n"); |
115 | exit(1); | 115 | exit(1); |
116 | errout2: | 116 | errout2: |
117 | fprintf(stderr, "Error: you don't have permissions to use this control group\n"); | 117 | fprintf(stderr, "Error: you don't have permissions to use this control group\n"); |
118 | exit(1); | 118 | exit(1); |
119 | } | 119 | } |
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 3c0c1b9ac..f4e28f084 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -49,33 +49,33 @@ int checkcfg(int val) { | |||
49 | cfg_val[CFG_FIREJAIL_PROMPT] = 0; | 49 | cfg_val[CFG_FIREJAIL_PROMPT] = 0; |
50 | cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 0; | 50 | cfg_val[CFG_FOLLOW_SYMLINK_PRIVATE_BIN] = 0; |
51 | cfg_val[CFG_DISABLE_MNT] = 0; | 51 | cfg_val[CFG_DISABLE_MNT] = 0; |
52 | 52 | ||
53 | // open configuration file | 53 | // open configuration file |
54 | const char *fname = SYSCONFDIR "/firejail.config"; | 54 | const char *fname = SYSCONFDIR "/firejail.config"; |
55 | fp = fopen(fname, "r"); | 55 | fp = fopen(fname, "r"); |
56 | if (!fp) { | 56 | if (!fp) { |
57 | #ifdef HAVE_GLOBALCFG | 57 | #ifdef HAVE_GLOBALCFG |
58 | fprintf(stderr, "Error: Firejail configuration file %s not found\n", fname); | 58 | fprintf(stderr, "Error: Firejail configuration file %s not found\n", fname); |
59 | exit(1); | 59 | exit(1); |
60 | #else | 60 | #else |
61 | initialized = 1; | 61 | initialized = 1; |
62 | return cfg_val[val]; | 62 | return cfg_val[val]; |
63 | #endif | 63 | #endif |
64 | } | 64 | } |
65 | 65 | ||
66 | // read configuration file | 66 | // read configuration file |
67 | char buf[MAX_READ]; | 67 | char buf[MAX_READ]; |
68 | while (fgets(buf,MAX_READ, fp)) { | 68 | while (fgets(buf,MAX_READ, fp)) { |
69 | line++; | 69 | line++; |
70 | if (*buf == '#' || *buf == '\n') | 70 | if (*buf == '#' || *buf == '\n') |
71 | continue; | 71 | continue; |
72 | 72 | ||
73 | // parse line | 73 | // parse line |
74 | ptr = line_remove_spaces(buf); | 74 | ptr = line_remove_spaces(buf); |
75 | if (!ptr) | 75 | if (!ptr) |
76 | continue; | 76 | continue; |
77 | 77 | ||
78 | // file transfer | 78 | // file transfer |
79 | else if (strncmp(ptr, "file-transfer ", 14) == 0) { | 79 | else if (strncmp(ptr, "file-transfer ", 14) == 0) { |
80 | if (strcmp(ptr + 14, "yes") == 0) | 80 | if (strcmp(ptr + 14, "yes") == 0) |
81 | cfg_val[CFG_FILE_TRANSFER] = 1; | 81 | cfg_val[CFG_FILE_TRANSFER] = 1; |
@@ -209,14 +209,14 @@ int checkcfg(int val) { | |||
209 | char *end = strchr(fname, ' '); | 209 | char *end = strchr(fname, ' '); |
210 | if (end) | 210 | if (end) |
211 | *end = '\0'; | 211 | *end = '\0'; |
212 | 212 | ||
213 | // is the file present? | 213 | // is the file present? |
214 | struct stat s; | 214 | struct stat s; |
215 | if (stat(fname, &s) == -1) { | 215 | if (stat(fname, &s) == -1) { |
216 | fprintf(stderr, "Error: netfilter-default file %s not available\n", fname); | 216 | fprintf(stderr, "Error: netfilter-default file %s not available\n", fname); |
217 | exit(1); | 217 | exit(1); |
218 | } | 218 | } |
219 | 219 | ||
220 | if (netfilter_default) | 220 | if (netfilter_default) |
221 | goto errout; | 221 | goto errout; |
222 | netfilter_default = strdup(fname); | 222 | netfilter_default = strdup(fname); |
@@ -225,7 +225,7 @@ int checkcfg(int val) { | |||
225 | if (arg_debug) | 225 | if (arg_debug) |
226 | printf("netfilter default file %s\n", fname); | 226 | printf("netfilter default file %s\n", fname); |
227 | } | 227 | } |
228 | 228 | ||
229 | // Xephyr screen size | 229 | // Xephyr screen size |
230 | else if (strncmp(ptr, "xephyr-screen ", 14) == 0) { | 230 | else if (strncmp(ptr, "xephyr-screen ", 14) == 0) { |
231 | // expecting two numbers and an x between them | 231 | // expecting two numbers and an x between them |
@@ -237,7 +237,7 @@ int checkcfg(int val) { | |||
237 | if (asprintf(&xephyr_screen, "%dx%d", n1, n2) == -1) | 237 | if (asprintf(&xephyr_screen, "%dx%d", n1, n2) == -1) |
238 | errExit("asprintf"); | 238 | errExit("asprintf"); |
239 | } | 239 | } |
240 | 240 | ||
241 | // xephyr window title | 241 | // xephyr window title |
242 | else if (strncmp(ptr, "xephyr-window-title ", 20) == 0) { | 242 | else if (strncmp(ptr, "xephyr-window-title ", 20) == 0) { |
243 | if (strcmp(ptr + 20, "yes") == 0) | 243 | if (strcmp(ptr + 20, "yes") == 0) |
@@ -247,7 +247,7 @@ int checkcfg(int val) { | |||
247 | else | 247 | else |
248 | goto errout; | 248 | goto errout; |
249 | } | 249 | } |
250 | 250 | ||
251 | // Xephyr command extra parameters | 251 | // Xephyr command extra parameters |
252 | else if (strncmp(ptr, "xephyr-extra-params ", 20) == 0) { | 252 | else if (strncmp(ptr, "xephyr-extra-params ", 20) == 0) { |
253 | if (*xephyr_extra_params != '\0') | 253 | if (*xephyr_extra_params != '\0') |
@@ -256,7 +256,7 @@ int checkcfg(int val) { | |||
256 | if (!xephyr_extra_params) | 256 | if (!xephyr_extra_params) |
257 | errExit("strdup"); | 257 | errExit("strdup"); |
258 | } | 258 | } |
259 | 259 | ||
260 | // xpra server extra parameters | 260 | // xpra server extra parameters |
261 | else if (strncmp(ptr, "xpra-extra-params ", 18) == 0) { | 261 | else if (strncmp(ptr, "xpra-extra-params ", 18) == 0) { |
262 | if (*xpra_extra_params != '\0') | 262 | if (*xpra_extra_params != '\0') |
@@ -287,7 +287,7 @@ int checkcfg(int val) { | |||
287 | if (!xvfb_extra_params) | 287 | if (!xvfb_extra_params) |
288 | errExit("strdup"); | 288 | errExit("strdup"); |
289 | } | 289 | } |
290 | 290 | ||
291 | // quiet by default | 291 | // quiet by default |
292 | else if (strncmp(ptr, "quiet-by-default ", 17) == 0) { | 292 | else if (strncmp(ptr, "quiet-by-default ", 17) == 0) { |
293 | if (strcmp(ptr + 17, "yes") == 0) | 293 | if (strcmp(ptr + 17, "yes") == 0) |
@@ -355,9 +355,9 @@ int checkcfg(int val) { | |||
355 | fclose(fp); | 355 | fclose(fp); |
356 | initialized = 1; | 356 | initialized = 1; |
357 | } | 357 | } |
358 | 358 | ||
359 | return cfg_val[val]; | 359 | return cfg_val[val]; |
360 | 360 | ||
361 | errout: | 361 | errout: |
362 | assert(ptr); | 362 | assert(ptr); |
363 | free(ptr); | 363 | free(ptr); |
@@ -477,5 +477,5 @@ void print_compiletime_support(void) { | |||
477 | "disabled" | 477 | "disabled" |
478 | #endif | 478 | #endif |
479 | ); | 479 | ); |
480 | 480 | ||
481 | } | 481 | } |
diff --git a/src/firejail/cmdline.c b/src/firejail/cmdline.c index e62ed8d33..114173b6a 100644 --- a/src/firejail/cmdline.c +++ b/src/firejail/cmdline.c | |||
@@ -28,7 +28,7 @@ | |||
28 | 28 | ||
29 | static int cmdline_length(int argc, char **argv, int index) { | 29 | static int cmdline_length(int argc, char **argv, int index) { |
30 | assert(index != -1); | 30 | assert(index != -1); |
31 | 31 | ||
32 | unsigned i,j; | 32 | unsigned i,j; |
33 | int len = 0; | 33 | int len = 0; |
34 | unsigned argcnt = argc - index; | 34 | unsigned argcnt = argc - index; |
@@ -91,7 +91,7 @@ static void quote_cmdline(char *command_line, char *window_title, int len, int a | |||
91 | if (j > 0 && argv[i + index][j-1] == '\'') { | 91 | if (j > 0 && argv[i + index][j-1] == '\'') { |
92 | ptr1--; | 92 | ptr1--; |
93 | sprintf(ptr1, "\'\""); | 93 | sprintf(ptr1, "\'\""); |
94 | } | 94 | } |
95 | // this first in series | 95 | // this first in series |
96 | else | 96 | else |
97 | { | 97 | { |
@@ -151,9 +151,9 @@ void build_cmdline(char **command_line, char **window_title, int argc, char **ar | |||
151 | *window_title = malloc(len + 1); | 151 | *window_title = malloc(len + 1); |
152 | if (!*window_title) | 152 | if (!*window_title) |
153 | errExit("malloc"); | 153 | errExit("malloc"); |
154 | 154 | ||
155 | quote_cmdline(*command_line, *window_title, len, argc, argv, index); | 155 | quote_cmdline(*command_line, *window_title, len, argc, argv, index); |
156 | 156 | ||
157 | if (arg_debug) | 157 | if (arg_debug) |
158 | printf("Building quoted command line: %s\n", *command_line); | 158 | printf("Building quoted command line: %s\n", *command_line); |
159 | 159 | ||
diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c index 9c0214502..6b3fc063d 100644 --- a/src/firejail/cpu.c +++ b/src/firejail/cpu.c | |||
@@ -26,13 +26,13 @@ | |||
26 | static void set_cpu(const char *str) { | 26 | static void set_cpu(const char *str) { |
27 | if (strlen(str) == 0) | 27 | if (strlen(str) == 0) |
28 | return; | 28 | return; |
29 | 29 | ||
30 | int val = atoi(str); | 30 | int val = atoi(str); |
31 | if (val < 0 || val >= 32) { | 31 | if (val < 0 || val >= 32) { |
32 | fprintf(stderr, "Error: invalid cpu number. Accepted values are between 0 and 31.\n"); | 32 | fprintf(stderr, "Error: invalid cpu number. Accepted values are between 0 and 31.\n"); |
33 | exit(1); | 33 | exit(1); |
34 | } | 34 | } |
35 | 35 | ||
36 | uint32_t mask = 1; | 36 | uint32_t mask = 1; |
37 | int i; | 37 | int i; |
38 | for (i = 0; i < val; i++, mask <<= 1); | 38 | for (i = 0; i < val; i++, mask <<= 1); |
@@ -41,11 +41,11 @@ static void set_cpu(const char *str) { | |||
41 | 41 | ||
42 | void read_cpu_list(const char *str) { | 42 | void read_cpu_list(const char *str) { |
43 | EUID_ASSERT(); | 43 | EUID_ASSERT(); |
44 | 44 | ||
45 | char *tmp = strdup(str); | 45 | char *tmp = strdup(str); |
46 | if (tmp == NULL) | 46 | if (tmp == NULL) |
47 | errExit("strdup"); | 47 | errExit("strdup"); |
48 | 48 | ||
49 | char *ptr = tmp; | 49 | char *ptr = tmp; |
50 | while (*ptr != '\0') { | 50 | while (*ptr != '\0') { |
51 | if (*ptr == ',' || isdigit(*ptr)) | 51 | if (*ptr == ',' || isdigit(*ptr)) |
@@ -56,7 +56,7 @@ void read_cpu_list(const char *str) { | |||
56 | } | 56 | } |
57 | ptr++; | 57 | ptr++; |
58 | } | 58 | } |
59 | 59 | ||
60 | char *start = tmp; | 60 | char *start = tmp; |
61 | ptr = tmp; | 61 | ptr = tmp; |
62 | while (*ptr != '\0') { | 62 | while (*ptr != '\0') { |
@@ -107,17 +107,17 @@ void set_cpu_affinity(void) { | |||
107 | // set cpu affinity | 107 | // set cpu affinity |
108 | cpu_set_t mask; | 108 | cpu_set_t mask; |
109 | CPU_ZERO(&mask); | 109 | CPU_ZERO(&mask); |
110 | 110 | ||
111 | int i; | 111 | int i; |
112 | uint32_t m = 1; | 112 | uint32_t m = 1; |
113 | for (i = 0; i < 32; i++, m <<= 1) { | 113 | for (i = 0; i < 32; i++, m <<= 1) { |
114 | if (cfg.cpus & m) | 114 | if (cfg.cpus & m) |
115 | CPU_SET(i, &mask); | 115 | CPU_SET(i, &mask); |
116 | } | 116 | } |
117 | 117 | ||
118 | if (sched_setaffinity(0, sizeof(mask), &mask) == -1) | 118 | if (sched_setaffinity(0, sizeof(mask), &mask) == -1) |
119 | fwarning("cannot set cpu affinity\n"); | 119 | fwarning("cannot set cpu affinity\n"); |
120 | 120 | ||
121 | // verify cpu affinity | 121 | // verify cpu affinity |
122 | cpu_set_t mask2; | 122 | cpu_set_t mask2; |
123 | CPU_ZERO(&mask2); | 123 | CPU_ZERO(&mask2); |
@@ -147,7 +147,7 @@ static void print_cpu(int pid) { | |||
147 | return; | 147 | return; |
148 | } | 148 | } |
149 | 149 | ||
150 | #define MAXBUF 4096 | 150 | #define MAXBUF 4096 |
151 | char buf[MAXBUF]; | 151 | char buf[MAXBUF]; |
152 | while (fgets(buf, MAXBUF, fp)) { | 152 | while (fgets(buf, MAXBUF, fp)) { |
153 | if (strncmp(buf, "Cpus_allowed_list:", 18) == 0) { | 153 | if (strncmp(buf, "Cpus_allowed_list:", 18) == 0) { |
@@ -164,7 +164,7 @@ static void print_cpu(int pid) { | |||
164 | 164 | ||
165 | void cpu_print_filter(pid_t pid) { | 165 | void cpu_print_filter(pid_t pid) { |
166 | EUID_ASSERT(); | 166 | EUID_ASSERT(); |
167 | 167 | ||
168 | // if the pid is that of a firejail process, use the pid of the first child process | 168 | // if the pid is that of a firejail process, use the pid of the first child process |
169 | EUID_ROOT(); // grsecurity | 169 | EUID_ROOT(); // grsecurity |
170 | char *comm = pid_proc_comm(pid); | 170 | char *comm = pid_proc_comm(pid); |
@@ -192,4 +192,3 @@ void cpu_print_filter(pid_t pid) { | |||
192 | print_cpu(pid); | 192 | print_cpu(pid); |
193 | exit(0); | 193 | exit(0); |
194 | } | 194 | } |
195 | |||
diff --git a/src/firejail/env.c b/src/firejail/env.c index c54b429c3..b2e4c17f3 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c | |||
@@ -33,13 +33,13 @@ static Env *envlist = NULL; | |||
33 | 33 | ||
34 | static void env_add(Env *env) { | 34 | static void env_add(Env *env) { |
35 | env->next = NULL; | 35 | env->next = NULL; |
36 | 36 | ||
37 | // add the new entry at the end of the list | 37 | // add the new entry at the end of the list |
38 | if (envlist == NULL) { | 38 | if (envlist == NULL) { |
39 | envlist = env; | 39 | envlist = env; |
40 | return; | 40 | return; |
41 | } | 41 | } |
42 | 42 | ||
43 | Env *ptr = envlist; | 43 | Env *ptr = envlist; |
44 | while (1) { | 44 | while (1) { |
45 | if (ptr->next == NULL) { | 45 | if (ptr->next == NULL) { |
@@ -77,7 +77,7 @@ void env_ibus_load(void) { | |||
77 | continue; | 77 | continue; |
78 | if (strlen(ptr) != 6) | 78 | if (strlen(ptr) != 6) |
79 | continue; | 79 | continue; |
80 | 80 | ||
81 | // open the file | 81 | // open the file |
82 | char *fname; | 82 | char *fname; |
83 | if (asprintf(&fname, "%s/%s", dirname, entry->d_name) == -1) | 83 | if (asprintf(&fname, "%s/%s", dirname, entry->d_name) == -1) |
@@ -86,7 +86,7 @@ void env_ibus_load(void) { | |||
86 | free(fname); | 86 | free(fname); |
87 | if (!fp) | 87 | if (!fp) |
88 | continue; | 88 | continue; |
89 | 89 | ||
90 | // read the file | 90 | // read the file |
91 | const int maxline = 4096; | 91 | const int maxline = 4096; |
92 | char buf[maxline]; | 92 | char buf[maxline]; |
@@ -137,24 +137,24 @@ void env_defaults(void) { | |||
137 | if (prompt && strcmp(prompt, "yes") == 0) | 137 | if (prompt && strcmp(prompt, "yes") == 0) |
138 | set_prompt = 1; | 138 | set_prompt = 1; |
139 | } | 139 | } |
140 | 140 | ||
141 | if (set_prompt) { | 141 | if (set_prompt) { |
142 | //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] ' | 142 | //export PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] ' |
143 | if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) | 143 | if (setenv("PROMPT_COMMAND", "export PS1=\"\\[\\e[1;32m\\][\\u@\\h \\W]\\$\\[\\e[0m\\] \"", 1) < 0) |
144 | errExit("setenv"); | 144 | errExit("setenv"); |
145 | } | 145 | } |
146 | 146 | ||
147 | // set the window title | 147 | // set the window title |
148 | if (!arg_quiet) | 148 | if (!arg_quiet) |
149 | printf("\033]0;firejail %s\007", cfg.window_title); | 149 | printf("\033]0;firejail %s\007", cfg.window_title); |
150 | fflush(0); | 150 | fflush(0); |
151 | } | 151 | } |
152 | 152 | ||
153 | // parse and store the environment setting | 153 | // parse and store the environment setting |
154 | void env_store(const char *str, ENV_OP op) { | 154 | void env_store(const char *str, ENV_OP op) { |
155 | EUID_ASSERT(); | 155 | EUID_ASSERT(); |
156 | assert(str); | 156 | assert(str); |
157 | 157 | ||
158 | // some basic checking | 158 | // some basic checking |
159 | if (*str == '\0') | 159 | if (*str == '\0') |
160 | goto errexit; | 160 | goto errexit; |
@@ -182,11 +182,11 @@ void env_store(const char *str, ENV_OP op) { | |||
182 | env->value = ptr2 + 1; | 182 | env->value = ptr2 + 1; |
183 | } | 183 | } |
184 | env->op = op; | 184 | env->op = op; |
185 | 185 | ||
186 | // add entry to the list | 186 | // add entry to the list |
187 | env_add(env); | 187 | env_add(env); |
188 | return; | 188 | return; |
189 | 189 | ||
190 | errexit: | 190 | errexit: |
191 | fprintf(stderr, "Error: invalid --env setting\n"); | 191 | fprintf(stderr, "Error: invalid --env setting\n"); |
192 | exit(1); | 192 | exit(1); |
@@ -195,7 +195,7 @@ errexit: | |||
195 | // set env variables in the new sandbox process | 195 | // set env variables in the new sandbox process |
196 | void env_apply(void) { | 196 | void env_apply(void) { |
197 | Env *env = envlist; | 197 | Env *env = envlist; |
198 | 198 | ||
199 | while (env) { | 199 | while (env) { |
200 | if (env->op == SETENV) { | 200 | if (env->op == SETENV) { |
201 | if (setenv(env->name, env->value, 1) < 0) | 201 | if (setenv(env->name, env->value, 1) < 0) |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index ac68e7738..c60322dda 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -55,7 +55,7 @@ static void disable_file(OPERATION op, const char *filename) { | |||
55 | assert(filename); | 55 | assert(filename); |
56 | assert(op <OPERATION_MAX); | 56 | assert(op <OPERATION_MAX); |
57 | last_disable = UNSUCCESSFUL; | 57 | last_disable = UNSUCCESSFUL; |
58 | 58 | ||
59 | // Resolve all symlinks | 59 | // Resolve all symlinks |
60 | char* fname = realpath(filename, NULL); | 60 | char* fname = realpath(filename, NULL); |
61 | if (fname == NULL && errno != EACCES) { | 61 | if (fname == NULL && errno != EACCES) { |
@@ -87,10 +87,10 @@ static void disable_file(OPERATION op, const char *filename) { | |||
87 | if (arg_debug) | 87 | if (arg_debug) |
88 | printf("Warning (blacklisting): %s is an invalid file, skipping...\n", filename); | 88 | printf("Warning (blacklisting): %s is an invalid file, skipping...\n", filename); |
89 | } | 89 | } |
90 | 90 | ||
91 | return; | 91 | return; |
92 | } | 92 | } |
93 | 93 | ||
94 | // if the file is not present, do nothing | 94 | // if the file is not present, do nothing |
95 | struct stat s; | 95 | struct stat s; |
96 | if (fname == NULL) | 96 | if (fname == NULL) |
@@ -124,7 +124,7 @@ static void disable_file(OPERATION op, const char *filename) { | |||
124 | else | 124 | else |
125 | printf(" - no logging\n"); | 125 | printf(" - no logging\n"); |
126 | } | 126 | } |
127 | 127 | ||
128 | if (S_ISDIR(s.st_mode)) { | 128 | if (S_ISDIR(s.st_mode)) { |
129 | if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0) | 129 | if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0) |
130 | errExit("disable file"); | 130 | errExit("disable file"); |
@@ -243,7 +243,7 @@ void fs_blacklist(void) { | |||
243 | ProfileEntry *entry = cfg.profile; | 243 | ProfileEntry *entry = cfg.profile; |
244 | if (!entry) | 244 | if (!entry) |
245 | return; | 245 | return; |
246 | 246 | ||
247 | size_t noblacklist_c = 0; | 247 | size_t noblacklist_c = 0; |
248 | size_t noblacklist_m = 32; | 248 | size_t noblacklist_m = 32; |
249 | char **noblacklist = calloc(noblacklist_m, sizeof(*noblacklist)); | 249 | char **noblacklist = calloc(noblacklist_m, sizeof(*noblacklist)); |
@@ -256,7 +256,7 @@ void fs_blacklist(void) { | |||
256 | char *ptr; | 256 | char *ptr; |
257 | 257 | ||
258 | // whitelist commands handled by fs_whitelist() | 258 | // whitelist commands handled by fs_whitelist() |
259 | if (strncmp(entry->data, "whitelist ", 10) == 0 || | 259 | if (strncmp(entry->data, "whitelist ", 10) == 0 || |
260 | strncmp(entry->data, "nowhitelist ", 12) == 0 || | 260 | strncmp(entry->data, "nowhitelist ", 12) == 0 || |
261 | *entry->data == '\0') { | 261 | *entry->data == '\0') { |
262 | entry = entry->next; | 262 | entry = entry->next; |
@@ -275,7 +275,7 @@ void fs_blacklist(void) { | |||
275 | entry = entry->next; | 275 | entry = entry->next; |
276 | continue; | 276 | continue; |
277 | } | 277 | } |
278 | 278 | ||
279 | // mount --bind olddir newdir | 279 | // mount --bind olddir newdir |
280 | if (arg_debug) | 280 | if (arg_debug) |
281 | printf("Mount-bind %s on top of %s\n", dname1, dname2); | 281 | printf("Mount-bind %s on top of %s\n", dname1, dname2); |
@@ -284,8 +284,8 @@ void fs_blacklist(void) { | |||
284 | errExit("mount bind"); | 284 | errExit("mount bind"); |
285 | /* coverity[toctou] */ | 285 | /* coverity[toctou] */ |
286 | if (set_perms(dname2, s.st_uid, s.st_gid,s.st_mode)) | 286 | if (set_perms(dname2, s.st_uid, s.st_gid,s.st_mode)) |
287 | errExit("set_perms"); | 287 | errExit("set_perms"); |
288 | 288 | ||
289 | entry = entry->next; | 289 | entry = entry->next; |
290 | continue; | 290 | continue; |
291 | } | 291 | } |
@@ -348,33 +348,33 @@ void fs_blacklist(void) { | |||
348 | else if (strncmp(entry->data, "read-only ", 10) == 0) { | 348 | else if (strncmp(entry->data, "read-only ", 10) == 0) { |
349 | ptr = entry->data + 10; | 349 | ptr = entry->data + 10; |
350 | op = MOUNT_READONLY; | 350 | op = MOUNT_READONLY; |
351 | } | 351 | } |
352 | else if (strncmp(entry->data, "read-write ", 11) == 0) { | 352 | else if (strncmp(entry->data, "read-write ", 11) == 0) { |
353 | ptr = entry->data + 11; | 353 | ptr = entry->data + 11; |
354 | op = MOUNT_RDWR; | 354 | op = MOUNT_RDWR; |
355 | } | 355 | } |
356 | else if (strncmp(entry->data, "noexec ", 7) == 0) { | 356 | else if (strncmp(entry->data, "noexec ", 7) == 0) { |
357 | ptr = entry->data + 7; | 357 | ptr = entry->data + 7; |
358 | op = MOUNT_NOEXEC; | 358 | op = MOUNT_NOEXEC; |
359 | } | 359 | } |
360 | else if (strncmp(entry->data, "tmpfs ", 6) == 0) { | 360 | else if (strncmp(entry->data, "tmpfs ", 6) == 0) { |
361 | ptr = entry->data + 6; | 361 | ptr = entry->data + 6; |
362 | op = MOUNT_TMPFS; | 362 | op = MOUNT_TMPFS; |
363 | } | 363 | } |
364 | else if (strncmp(entry->data, "mkdir ", 6) == 0) { | 364 | else if (strncmp(entry->data, "mkdir ", 6) == 0) { |
365 | EUID_USER(); | 365 | EUID_USER(); |
366 | fs_mkdir(entry->data + 6); | 366 | fs_mkdir(entry->data + 6); |
367 | EUID_ROOT(); | 367 | EUID_ROOT(); |
368 | entry = entry->next; | 368 | entry = entry->next; |
369 | continue; | 369 | continue; |
370 | } | 370 | } |
371 | else if (strncmp(entry->data, "mkfile ", 7) == 0) { | 371 | else if (strncmp(entry->data, "mkfile ", 7) == 0) { |
372 | EUID_USER(); | 372 | EUID_USER(); |
373 | fs_mkfile(entry->data + 7); | 373 | fs_mkfile(entry->data + 7); |
374 | EUID_ROOT(); | 374 | EUID_ROOT(); |
375 | entry = entry->next; | 375 | entry = entry->next; |
376 | continue; | 376 | continue; |
377 | } | 377 | } |
378 | else { | 378 | else { |
379 | fprintf(stderr, "Error: invalid profile line %s\n", entry->data); | 379 | fprintf(stderr, "Error: invalid profile line %s\n", entry->data); |
380 | entry = entry->next; | 380 | entry = entry->next; |
@@ -446,10 +446,10 @@ static void fs_rdwr(const char *dir) { | |||
446 | fwarning("you are not allowed to change %s to read-write\n", dir); | 446 | fwarning("you are not allowed to change %s to read-write\n", dir); |
447 | return; | 447 | return; |
448 | } | 448 | } |
449 | 449 | ||
450 | // mount --bind /bin /bin | 450 | // mount --bind /bin /bin |
451 | // mount --bind -o remount,rw /bin | 451 | // mount --bind -o remount,rw /bin |
452 | if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || | 452 | if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || |
453 | mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0) | 453 | mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_REC, NULL) < 0) |
454 | errExit("mount read-write"); | 454 | errExit("mount read-write"); |
455 | fs_logger2("read-write", dir); | 455 | fs_logger2("read-write", dir); |
@@ -464,7 +464,7 @@ void fs_noexec(const char *dir) { | |||
464 | if (rv == 0) { | 464 | if (rv == 0) { |
465 | // mount --bind /bin /bin | 465 | // mount --bind /bin /bin |
466 | // mount --bind -o remount,ro /bin | 466 | // mount --bind -o remount,ro /bin |
467 | if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || | 467 | if (mount(dir, dir, NULL, MS_BIND|MS_REC, NULL) < 0 || |
468 | mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_NOEXEC|MS_NODEV|MS_NOSUID|MS_REC, NULL) < 0) | 468 | mount(NULL, dir, NULL, MS_BIND|MS_REMOUNT|MS_NOEXEC|MS_NODEV|MS_NOSUID|MS_REC, NULL) < 0) |
469 | errExit("mount noexec"); | 469 | errExit("mount noexec"); |
470 | fs_logger2("noexec", dir); | 470 | fs_logger2("noexec", dir); |
@@ -504,11 +504,11 @@ void fs_proc_sys_dev_boot(void) { | |||
504 | fwarning("failed to mount /sys\n"); | 504 | fwarning("failed to mount /sys\n"); |
505 | else | 505 | else |
506 | fs_logger("remount /sys"); | 506 | fs_logger("remount /sys"); |
507 | 507 | ||
508 | disable_file(BLACKLIST_FILE, "/sys/firmware"); | 508 | disable_file(BLACKLIST_FILE, "/sys/firmware"); |
509 | disable_file(BLACKLIST_FILE, "/sys/hypervisor"); | 509 | disable_file(BLACKLIST_FILE, "/sys/hypervisor"); |
510 | { // allow user access to /sys/fs if "--noblacklist=/sys/fs" is present on the command line | 510 | { // allow user access to /sys/fs if "--noblacklist=/sys/fs" is present on the command line |
511 | EUID_USER(); | 511 | EUID_USER(); |
512 | profile_add("blacklist /sys/fs"); | 512 | profile_add("blacklist /sys/fs"); |
513 | EUID_ROOT(); | 513 | EUID_ROOT(); |
514 | } | 514 | } |
@@ -519,11 +519,11 @@ void fs_proc_sys_dev_boot(void) { | |||
519 | disable_file(BLACKLIST_FILE, "/sys/kernel/uevent_helper"); | 519 | disable_file(BLACKLIST_FILE, "/sys/kernel/uevent_helper"); |
520 | 520 | ||
521 | // various /proc/sys files | 521 | // various /proc/sys files |
522 | disable_file(BLACKLIST_FILE, "/proc/sys/security"); | 522 | disable_file(BLACKLIST_FILE, "/proc/sys/security"); |
523 | disable_file(BLACKLIST_FILE, "/proc/sys/efi/vars"); | 523 | disable_file(BLACKLIST_FILE, "/proc/sys/efi/vars"); |
524 | disable_file(BLACKLIST_FILE, "/proc/sys/fs/binfmt_misc"); | 524 | disable_file(BLACKLIST_FILE, "/proc/sys/fs/binfmt_misc"); |
525 | disable_file(BLACKLIST_FILE, "/proc/sys/kernel/core_pattern"); | 525 | disable_file(BLACKLIST_FILE, "/proc/sys/kernel/core_pattern"); |
526 | disable_file(BLACKLIST_FILE, "/proc/sys/kernel/modprobe"); | 526 | disable_file(BLACKLIST_FILE, "/proc/sys/kernel/modprobe"); |
527 | disable_file(BLACKLIST_FILE, "/proc/sysrq-trigger"); | 527 | disable_file(BLACKLIST_FILE, "/proc/sysrq-trigger"); |
528 | disable_file(BLACKLIST_FILE, "/proc/sys/kernel/hotplug"); | 528 | disable_file(BLACKLIST_FILE, "/proc/sys/kernel/hotplug"); |
529 | disable_file(BLACKLIST_FILE, "/proc/sys/vm/panic_on_oom"); | 529 | disable_file(BLACKLIST_FILE, "/proc/sys/vm/panic_on_oom"); |
@@ -531,15 +531,15 @@ void fs_proc_sys_dev_boot(void) { | |||
531 | // various /proc files | 531 | // various /proc files |
532 | disable_file(BLACKLIST_FILE, "/proc/irq"); | 532 | disable_file(BLACKLIST_FILE, "/proc/irq"); |
533 | disable_file(BLACKLIST_FILE, "/proc/bus"); | 533 | disable_file(BLACKLIST_FILE, "/proc/bus"); |
534 | disable_file(BLACKLIST_FILE, "/proc/config.gz"); | 534 | disable_file(BLACKLIST_FILE, "/proc/config.gz"); |
535 | disable_file(BLACKLIST_FILE, "/proc/sched_debug"); | 535 | disable_file(BLACKLIST_FILE, "/proc/sched_debug"); |
536 | disable_file(BLACKLIST_FILE, "/proc/timer_list"); | 536 | disable_file(BLACKLIST_FILE, "/proc/timer_list"); |
537 | disable_file(BLACKLIST_FILE, "/proc/timer_stats"); | 537 | disable_file(BLACKLIST_FILE, "/proc/timer_stats"); |
538 | disable_file(BLACKLIST_FILE, "/proc/kcore"); | 538 | disable_file(BLACKLIST_FILE, "/proc/kcore"); |
539 | disable_file(BLACKLIST_FILE, "/proc/kallsyms"); | 539 | disable_file(BLACKLIST_FILE, "/proc/kallsyms"); |
540 | disable_file(BLACKLIST_FILE, "/proc/mem"); | 540 | disable_file(BLACKLIST_FILE, "/proc/mem"); |
541 | disable_file(BLACKLIST_FILE, "/proc/kmem"); | 541 | disable_file(BLACKLIST_FILE, "/proc/kmem"); |
542 | 542 | ||
543 | // remove kernel symbol information | 543 | // remove kernel symbol information |
544 | if (!arg_allow_debuggers) { | 544 | if (!arg_allow_debuggers) { |
545 | disable_file(BLACKLIST_FILE, "/usr/src/linux"); | 545 | disable_file(BLACKLIST_FILE, "/usr/src/linux"); |
@@ -547,18 +547,18 @@ void fs_proc_sys_dev_boot(void) { | |||
547 | disable_file(BLACKLIST_FILE, "/usr/lib/debug"); | 547 | disable_file(BLACKLIST_FILE, "/usr/lib/debug"); |
548 | disable_file(BLACKLIST_FILE, "/boot"); | 548 | disable_file(BLACKLIST_FILE, "/boot"); |
549 | } | 549 | } |
550 | 550 | ||
551 | // disable /selinux | 551 | // disable /selinux |
552 | disable_file(BLACKLIST_FILE, "/selinux"); | 552 | disable_file(BLACKLIST_FILE, "/selinux"); |
553 | 553 | ||
554 | // disable /dev/port | 554 | // disable /dev/port |
555 | disable_file(BLACKLIST_FILE, "/dev/port"); | 555 | disable_file(BLACKLIST_FILE, "/dev/port"); |
556 | 556 | ||
557 | 557 | ||
558 | 558 | ||
559 | // disable various ipc sockets in /run/user | 559 | // disable various ipc sockets in /run/user |
560 | struct stat s; | 560 | struct stat s; |
561 | 561 | ||
562 | char *fname; | 562 | char *fname; |
563 | if (asprintf(&fname, "/run/usr/%d", getuid()) == -1) | 563 | if (asprintf(&fname, "/run/usr/%d", getuid()) == -1) |
564 | errExit("asprintf"); | 564 | errExit("asprintf"); |
@@ -567,24 +567,24 @@ void fs_proc_sys_dev_boot(void) { | |||
567 | char *fnamegpg; | 567 | char *fnamegpg; |
568 | if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1) | 568 | if (asprintf(&fnamegpg, "/run/user/%d/gnupg", getuid()) == -1) |
569 | errExit("asprintf"); | 569 | errExit("asprintf"); |
570 | if (stat(fnamegpg, &s) == -1) | 570 | if (stat(fnamegpg, &s) == -1) |
571 | mkdir_attr(fnamegpg, 0700, getuid(), getgid()); | 571 | mkdir_attr(fnamegpg, 0700, getuid(), getgid()); |
572 | if (stat(fnamegpg, &s) == 0) | 572 | if (stat(fnamegpg, &s) == 0) |
573 | disable_file(BLACKLIST_FILE, fnamegpg); | 573 | disable_file(BLACKLIST_FILE, fnamegpg); |
574 | free(fnamegpg); | 574 | free(fnamegpg); |
575 | 575 | ||
576 | // disable /run/user/{uid}/systemd | 576 | // disable /run/user/{uid}/systemd |
577 | char *fnamesysd; | 577 | char *fnamesysd; |
578 | if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1) | 578 | if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1) |
579 | errExit("asprintf"); | 579 | errExit("asprintf"); |
580 | if (stat(fnamesysd, &s) == -1) | 580 | if (stat(fnamesysd, &s) == -1) |
581 | mkdir_attr(fnamesysd, 0755, getuid(), getgid()); | 581 | mkdir_attr(fnamesysd, 0755, getuid(), getgid()); |
582 | if (stat(fnamesysd, &s) == 0) | 582 | if (stat(fnamesysd, &s) == 0) |
583 | disable_file(BLACKLIST_FILE, fnamesysd); | 583 | disable_file(BLACKLIST_FILE, fnamesysd); |
584 | free(fnamesysd); | 584 | free(fnamesysd); |
585 | } | 585 | } |
586 | free(fname); | 586 | free(fname); |
587 | 587 | ||
588 | if (getuid() != 0) { | 588 | if (getuid() != 0) { |
589 | // disable /dev/kmsg and /proc/kmsg | 589 | // disable /dev/kmsg and /proc/kmsg |
590 | disable_file(BLACKLIST_FILE, "/dev/kmsg"); | 590 | disable_file(BLACKLIST_FILE, "/dev/kmsg"); |
@@ -602,7 +602,7 @@ static void disable_config(void) { | |||
602 | if (stat(fname, &s) == 0) | 602 | if (stat(fname, &s) == 0) |
603 | disable_file(BLACKLIST_FILE, fname); | 603 | disable_file(BLACKLIST_FILE, fname); |
604 | free(fname); | 604 | free(fname); |
605 | 605 | ||
606 | // disable run time information | 606 | // disable run time information |
607 | if (stat(RUN_FIREJAIL_NETWORK_DIR, &s) == 0) | 607 | if (stat(RUN_FIREJAIL_NETWORK_DIR, &s) == 0) |
608 | disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR); | 608 | disable_file(BLACKLIST_FILE, RUN_FIREJAIL_NETWORK_DIR); |
@@ -618,7 +618,7 @@ static void disable_config(void) { | |||
618 | // build a basic read-only filesystem | 618 | // build a basic read-only filesystem |
619 | void fs_basic_fs(void) { | 619 | void fs_basic_fs(void) { |
620 | uid_t uid = getuid(); | 620 | uid_t uid = getuid(); |
621 | 621 | ||
622 | if (arg_debug) | 622 | if (arg_debug) |
623 | printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr"); | 623 | printf("Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr"); |
624 | if (!arg_writable_etc) { | 624 | if (!arg_writable_etc) { |
@@ -649,15 +649,15 @@ void fs_basic_fs(void) { | |||
649 | fs_var_log(); | 649 | fs_var_log(); |
650 | else | 650 | else |
651 | fs_rdwr("/var/log"); | 651 | fs_rdwr("/var/log"); |
652 | 652 | ||
653 | fs_var_lib(); | 653 | fs_var_lib(); |
654 | fs_var_cache(); | 654 | fs_var_cache(); |
655 | fs_var_utmp(); | 655 | fs_var_utmp(); |
656 | fs_machineid(); | 656 | fs_machineid(); |
657 | 657 | ||
658 | // don't leak user information | 658 | // don't leak user information |
659 | restrict_users(); | 659 | restrict_users(); |
660 | 660 | ||
661 | // when starting as root, firejail config is not disabled; | 661 | // when starting as root, firejail config is not disabled; |
662 | // this mode could be used to install and test new software by chaining | 662 | // this mode could be used to install and test new software by chaining |
663 | // firejail sandboxes (firejail --force) | 663 | // firejail sandboxes (firejail --force) |
@@ -675,7 +675,7 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) { | |||
675 | // create ~/.firejail directory | 675 | // create ~/.firejail directory |
676 | if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1) | 676 | if (asprintf(&dirname, "%s/.firejail", cfg.homedir) == -1) |
677 | errExit("asprintf"); | 677 | errExit("asprintf"); |
678 | 678 | ||
679 | if (is_link(dirname)) { | 679 | if (is_link(dirname)) { |
680 | fprintf(stderr, "Error: invalid ~/.firejail directory\n"); | 680 | fprintf(stderr, "Error: invalid ~/.firejail directory\n"); |
681 | exit(1); | 681 | exit(1); |
@@ -688,7 +688,7 @@ char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) { | |||
688 | if (child == 0) { | 688 | if (child == 0) { |
689 | // drop privileges | 689 | // drop privileges |
690 | drop_privs(0); | 690 | drop_privs(0); |
691 | 691 | ||
692 | // create directory | 692 | // create directory |
693 | if (mkdir(dirname, 0700)) | 693 | if (mkdir(dirname, 0700)) |
694 | errExit("mkdir"); | 694 | errExit("mkdir"); |
@@ -770,7 +770,7 @@ void fs_overlayfs(void) { | |||
770 | fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version); | 770 | fprintf(stderr, "Error: cannot extract Linux kernel version: %s\n", u.version); |
771 | exit(1); | 771 | exit(1); |
772 | } | 772 | } |
773 | 773 | ||
774 | if (arg_debug) | 774 | if (arg_debug) |
775 | printf("Linux kernel version %d.%d\n", major, minor); | 775 | printf("Linux kernel version %d.%d\n", major, minor); |
776 | int oldkernel = 0; | 776 | int oldkernel = 0; |
@@ -780,7 +780,7 @@ void fs_overlayfs(void) { | |||
780 | } | 780 | } |
781 | if (major == 3 && minor < 18) | 781 | if (major == 3 && minor < 18) |
782 | oldkernel = 1; | 782 | oldkernel = 1; |
783 | 783 | ||
784 | char *oroot; | 784 | char *oroot; |
785 | if(asprintf(&oroot, "%s/oroot", RUN_MNT_DIR) == -1) | 785 | if(asprintf(&oroot, "%s/oroot", RUN_MNT_DIR) == -1) |
786 | errExit("asprintf"); | 786 | errExit("asprintf"); |
@@ -818,7 +818,7 @@ void fs_overlayfs(void) { | |||
818 | } | 818 | } |
819 | else if (set_perms(odiff, 0, 0, 0755)) | 819 | else if (set_perms(odiff, 0, 0, 0755)) |
820 | errExit("set_perms"); | 820 | errExit("set_perms"); |
821 | 821 | ||
822 | char *owork; | 822 | char *owork; |
823 | if(asprintf(&owork, "%s/owork", basedir) == -1) | 823 | if(asprintf(&owork, "%s/owork", basedir) == -1) |
824 | errExit("asprintf"); | 824 | errExit("asprintf"); |
@@ -829,7 +829,7 @@ void fs_overlayfs(void) { | |||
829 | } | 829 | } |
830 | else if (set_perms(owork, 0, 0, 0755)) | 830 | else if (set_perms(owork, 0, 0, 0755)) |
831 | errExit("chown"); | 831 | errExit("chown"); |
832 | 832 | ||
833 | // mount overlayfs | 833 | // mount overlayfs |
834 | if (arg_debug) | 834 | if (arg_debug) |
835 | printf("Mounting OverlayFS\n"); | 835 | printf("Mounting OverlayFS\n"); |
@@ -849,11 +849,11 @@ void fs_overlayfs(void) { | |||
849 | errExit("asprintf"); | 849 | errExit("asprintf"); |
850 | if (mount("overlay", oroot, "overlay", MS_MGC_VAL, option) < 0) | 850 | if (mount("overlay", oroot, "overlay", MS_MGC_VAL, option) < 0) |
851 | errExit("mounting overlayfs"); | 851 | errExit("mounting overlayfs"); |
852 | 852 | ||
853 | //*************************** | 853 | //*************************** |
854 | // issue #263 start code | 854 | // issue #263 start code |
855 | // My setup has a separate mount point for /home. When the overlay is mounted, | 855 | // My setup has a separate mount point for /home. When the overlay is mounted, |
856 | // the overlay does not contain the original /home contents. | 856 | // the overlay does not contain the original /home contents. |
857 | // I added code to create a second overlay for /home if the overlay home dir is empty and this seems to work | 857 | // I added code to create a second overlay for /home if the overlay home dir is empty and this seems to work |
858 | // @dshmgh, Jan 2016 | 858 | // @dshmgh, Jan 2016 |
859 | { | 859 | { |
@@ -862,22 +862,22 @@ void fs_overlayfs(void) { | |||
862 | char *hroot; | 862 | char *hroot; |
863 | char *hdiff; | 863 | char *hdiff; |
864 | char *hwork; | 864 | char *hwork; |
865 | 865 | ||
866 | // dons add debug | 866 | // dons add debug |
867 | if (arg_debug) printf ("DEBUG: chroot dirs are oroot %s odiff %s owork %s\n",oroot,odiff,owork); | 867 | if (arg_debug) printf ("DEBUG: chroot dirs are oroot %s odiff %s owork %s\n",oroot,odiff,owork); |
868 | 868 | ||
869 | // BEFORE NEXT, WE NEED TO TEST IF /home has any contents or do we need to mount it? | 869 | // BEFORE NEXT, WE NEED TO TEST IF /home has any contents or do we need to mount it? |
870 | // must create var for oroot/cfg.homedir | 870 | // must create var for oroot/cfg.homedir |
871 | if (asprintf(&overlayhome,"%s%s",oroot,cfg.homedir) == -1) | 871 | if (asprintf(&overlayhome,"%s%s",oroot,cfg.homedir) == -1) |
872 | errExit("asprintf"); | 872 | errExit("asprintf"); |
873 | if (arg_debug) printf ("DEBUG: overlayhome var holds ##%s##\n",overlayhome); | 873 | if (arg_debug) printf ("DEBUG: overlayhome var holds ##%s##\n",overlayhome); |
874 | 874 | ||
875 | // if no homedir in overlay -- create another overlay for /home | 875 | // if no homedir in overlay -- create another overlay for /home |
876 | if (stat(overlayhome, &s) == -1) { | 876 | if (stat(overlayhome, &s) == -1) { |
877 | 877 | ||
878 | if(asprintf(&hroot, "%s/oroot/home", RUN_MNT_DIR) == -1) | 878 | if(asprintf(&hroot, "%s/oroot/home", RUN_MNT_DIR) == -1) |
879 | errExit("asprintf"); | 879 | errExit("asprintf"); |
880 | 880 | ||
881 | if(asprintf(&hdiff, "%s/hdiff", basedir) == -1) | 881 | if(asprintf(&hdiff, "%s/hdiff", basedir) == -1) |
882 | errExit("asprintf"); | 882 | errExit("asprintf"); |
883 | 883 | ||
@@ -887,7 +887,7 @@ void fs_overlayfs(void) { | |||
887 | } | 887 | } |
888 | else if (set_perms(hdiff, 0, 0, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH)) | 888 | else if (set_perms(hdiff, 0, 0, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH)) |
889 | errExit("set_perms"); | 889 | errExit("set_perms"); |
890 | 890 | ||
891 | if(asprintf(&hwork, "%s/hwork", basedir) == -1) | 891 | if(asprintf(&hwork, "%s/hwork", basedir) == -1) |
892 | errExit("asprintf"); | 892 | errExit("asprintf"); |
893 | 893 | ||
@@ -897,13 +897,13 @@ void fs_overlayfs(void) { | |||
897 | } | 897 | } |
898 | else if (set_perms(hwork, 0, 0, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH)) | 898 | else if (set_perms(hwork, 0, 0, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH)) |
899 | errExit("set_perms"); | 899 | errExit("set_perms"); |
900 | 900 | ||
901 | // no homedir in overlay so now mount another overlay for /home | 901 | // no homedir in overlay so now mount another overlay for /home |
902 | if (asprintf(&option, "lowerdir=/home,upperdir=%s,workdir=%s", hdiff, hwork) == -1) | 902 | if (asprintf(&option, "lowerdir=/home,upperdir=%s,workdir=%s", hdiff, hwork) == -1) |
903 | errExit("asprintf"); | 903 | errExit("asprintf"); |
904 | if (mount("overlay", hroot, "overlay", MS_MGC_VAL, option) < 0) | 904 | if (mount("overlay", hroot, "overlay", MS_MGC_VAL, option) < 0) |
905 | errExit("mounting overlayfs for mounted home directory"); | 905 | errExit("mounting overlayfs for mounted home directory"); |
906 | 906 | ||
907 | printf("OverlayFS for /home configured in %s directory\n", basedir); | 907 | printf("OverlayFS for /home configured in %s directory\n", basedir); |
908 | } // stat(overlayhome) | 908 | } // stat(overlayhome) |
909 | free(overlayhome); | 909 | free(overlayhome); |
@@ -913,7 +913,7 @@ void fs_overlayfs(void) { | |||
913 | } | 913 | } |
914 | if (!arg_quiet) | 914 | if (!arg_quiet) |
915 | printf("OverlayFS configured in %s directory\n", basedir); | 915 | printf("OverlayFS configured in %s directory\n", basedir); |
916 | 916 | ||
917 | // mount-bind dev directory | 917 | // mount-bind dev directory |
918 | if (arg_debug) | 918 | if (arg_debug) |
919 | printf("Mounting /dev\n"); | 919 | printf("Mounting /dev\n"); |
@@ -964,7 +964,7 @@ void fs_overlayfs(void) { | |||
964 | fs_var_log(); | 964 | fs_var_log(); |
965 | else | 965 | else |
966 | fs_rdwr("/var/log"); | 966 | fs_rdwr("/var/log"); |
967 | 967 | ||
968 | fs_var_lib(); | 968 | fs_var_lib(); |
969 | fs_var_cache(); | 969 | fs_var_cache(); |
970 | fs_var_utmp(); | 970 | fs_var_utmp(); |
@@ -987,7 +987,7 @@ void fs_overlayfs(void) { | |||
987 | #endif | 987 | #endif |
988 | 988 | ||
989 | 989 | ||
990 | #ifdef HAVE_CHROOT | 990 | #ifdef HAVE_CHROOT |
991 | // return 1 if error | 991 | // return 1 if error |
992 | void fs_check_chroot_dir(const char *rootdir) { | 992 | void fs_check_chroot_dir(const char *rootdir) { |
993 | EUID_ASSERT(); | 993 | EUID_ASSERT(); |
@@ -1035,7 +1035,7 @@ void fs_check_chroot_dir(const char *rootdir) { | |||
1035 | exit(1); | 1035 | exit(1); |
1036 | } | 1036 | } |
1037 | free(name); | 1037 | free(name); |
1038 | 1038 | ||
1039 | // check /proc | 1039 | // check /proc |
1040 | if (asprintf(&name, "%s/proc", rootdir) == -1) | 1040 | if (asprintf(&name, "%s/proc", rootdir) == -1) |
1041 | errExit("asprintf"); | 1041 | errExit("asprintf"); |
@@ -1048,7 +1048,7 @@ void fs_check_chroot_dir(const char *rootdir) { | |||
1048 | exit(1); | 1048 | exit(1); |
1049 | } | 1049 | } |
1050 | free(name); | 1050 | free(name); |
1051 | 1051 | ||
1052 | // check /tmp | 1052 | // check /tmp |
1053 | if (asprintf(&name, "%s/tmp", rootdir) == -1) | 1053 | if (asprintf(&name, "%s/tmp", rootdir) == -1) |
1054 | errExit("asprintf"); | 1054 | errExit("asprintf"); |
@@ -1110,7 +1110,7 @@ void fs_check_chroot_dir(const char *rootdir) { | |||
1110 | // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf | 1110 | // chroot into an existing directory; mount exiting /dev and update /etc/resolv.conf |
1111 | void fs_chroot(const char *rootdir) { | 1111 | void fs_chroot(const char *rootdir) { |
1112 | assert(rootdir); | 1112 | assert(rootdir); |
1113 | 1113 | ||
1114 | if (checkcfg(CFG_CHROOT_DESKTOP)) { | 1114 | if (checkcfg(CFG_CHROOT_DESKTOP)) { |
1115 | // mount-bind a /dev in rootdir | 1115 | // mount-bind a /dev in rootdir |
1116 | char *newdev; | 1116 | char *newdev; |
@@ -1121,7 +1121,7 @@ void fs_chroot(const char *rootdir) { | |||
1121 | if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0) | 1121 | if (mount("/dev", newdev, NULL, MS_BIND|MS_REC, NULL) < 0) |
1122 | errExit("mounting /dev"); | 1122 | errExit("mounting /dev"); |
1123 | free(newdev); | 1123 | free(newdev); |
1124 | 1124 | ||
1125 | // x11 | 1125 | // x11 |
1126 | if (getenv("FIREJAIL_X11")) { | 1126 | if (getenv("FIREJAIL_X11")) { |
1127 | char *newx11; | 1127 | char *newx11; |
@@ -1133,7 +1133,7 @@ void fs_chroot(const char *rootdir) { | |||
1133 | errExit("mounting /tmp/.X11-unix"); | 1133 | errExit("mounting /tmp/.X11-unix"); |
1134 | free(newx11); | 1134 | free(newx11); |
1135 | } | 1135 | } |
1136 | 1136 | ||
1137 | // some older distros don't have a /run directory | 1137 | // some older distros don't have a /run directory |
1138 | // create one by default | 1138 | // create one by default |
1139 | // create /run/firejail directory in chroot | 1139 | // create /run/firejail directory in chroot |
@@ -1150,7 +1150,7 @@ void fs_chroot(const char *rootdir) { | |||
1150 | errExit("asprintf"); | 1150 | errExit("asprintf"); |
1151 | create_empty_dir_as_root(rundir, 0755); | 1151 | create_empty_dir_as_root(rundir, 0755); |
1152 | free(rundir); | 1152 | free(rundir); |
1153 | 1153 | ||
1154 | // create /run/firejail/mnt directory in chroot and mount the current one | 1154 | // create /run/firejail/mnt directory in chroot and mount the current one |
1155 | if (asprintf(&rundir, "%s%s", rootdir, RUN_MNT_DIR) == -1) | 1155 | if (asprintf(&rundir, "%s%s", rootdir, RUN_MNT_DIR) == -1) |
1156 | errExit("asprintf"); | 1156 | errExit("asprintf"); |
@@ -1173,7 +1173,7 @@ void fs_chroot(const char *rootdir) { | |||
1173 | if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1) // root needed | 1173 | if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1) // root needed |
1174 | fwarning("/etc/resolv.conf not initialized\n"); | 1174 | fwarning("/etc/resolv.conf not initialized\n"); |
1175 | } | 1175 | } |
1176 | 1176 | ||
1177 | // chroot into the new directory | 1177 | // chroot into the new directory |
1178 | #ifdef HAVE_GCOV | 1178 | #ifdef HAVE_GCOV |
1179 | __gcov_flush(); | 1179 | __gcov_flush(); |
@@ -1196,15 +1196,15 @@ void fs_chroot(const char *rootdir) { | |||
1196 | fs_var_log(); | 1196 | fs_var_log(); |
1197 | else | 1197 | else |
1198 | fs_rdwr("/var/log"); | 1198 | fs_rdwr("/var/log"); |
1199 | 1199 | ||
1200 | fs_var_lib(); | 1200 | fs_var_lib(); |
1201 | fs_var_cache(); | 1201 | fs_var_cache(); |
1202 | fs_var_utmp(); | 1202 | fs_var_utmp(); |
1203 | fs_machineid(); | 1203 | fs_machineid(); |
1204 | 1204 | ||
1205 | // don't leak user information | 1205 | // don't leak user information |
1206 | restrict_users(); | 1206 | restrict_users(); |
1207 | 1207 | ||
1208 | // when starting as root, firejail config is not disabled; | 1208 | // when starting as root, firejail config is not disabled; |
1209 | // this mode could be used to install and test new software by chaining | 1209 | // this mode could be used to install and test new software by chaining |
1210 | // firejail sandboxes (firejail --force) | 1210 | // firejail sandboxes (firejail --force) |
@@ -1229,10 +1229,10 @@ void fs_private_tmp(void) { | |||
1229 | if (rp) | 1229 | if (rp) |
1230 | free(rp); | 1230 | free(rp); |
1231 | } | 1231 | } |
1232 | 1232 | ||
1233 | // whitelist x11 directory | 1233 | // whitelist x11 directory |
1234 | profile_add("whitelist /tmp/.X11-unix"); | 1234 | profile_add("whitelist /tmp/.X11-unix"); |
1235 | 1235 | ||
1236 | // whitelist any pulse* file in /tmp directory | 1236 | // whitelist any pulse* file in /tmp directory |
1237 | // some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user | 1237 | // some distros use PulseAudio sockets under /tmp instead of the socket in /urn/user |
1238 | DIR *dir; | 1238 | DIR *dir; |
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index c572bec88..5170f2edc 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c | |||
@@ -39,10 +39,10 @@ static char *paths[] = { | |||
39 | // return 1 if found, 0 if not found | 39 | // return 1 if found, 0 if not found |
40 | static char *check_dir_or_file(const char *name) { | 40 | static char *check_dir_or_file(const char *name) { |
41 | assert(name); | 41 | assert(name); |
42 | 42 | ||
43 | struct stat s; | 43 | struct stat s; |
44 | char *fname = NULL; | 44 | char *fname = NULL; |
45 | 45 | ||
46 | int i = 0; | 46 | int i = 0; |
47 | while (paths[i]) { | 47 | while (paths[i]) { |
48 | // private-bin-no-local can be disabled in /etc/firejail/firejail.config | 48 | // private-bin-no-local can be disabled in /etc/firejail/firejail.config |
@@ -50,12 +50,12 @@ static char *check_dir_or_file(const char *name) { | |||
50 | i++; | 50 | i++; |
51 | continue; | 51 | continue; |
52 | } | 52 | } |
53 | 53 | ||
54 | // check file | 54 | // check file |
55 | if (asprintf(&fname, "%s/%s", paths[i], name) == -1) | 55 | if (asprintf(&fname, "%s/%s", paths[i], name) == -1) |
56 | errExit("asprintf"); | 56 | errExit("asprintf"); |
57 | if (arg_debug) | 57 | if (arg_debug) |
58 | printf("Checking %s/%s\n", paths[i], name); | 58 | printf("Checking %s/%s\n", paths[i], name); |
59 | if (stat(fname, &s) == 0 && !S_ISDIR(s.st_mode)) { // do not allow directories | 59 | if (stat(fname, &s) == 0 && !S_ISDIR(s.st_mode)) { // do not allow directories |
60 | // check symlink to firejail executable in /usr/local/bin | 60 | // check symlink to firejail executable in /usr/local/bin |
61 | if (strcmp(paths[i], "/usr/local/bin") == 0 && is_link(fname)) { | 61 | if (strcmp(paths[i], "/usr/local/bin") == 0 && is_link(fname)) { |
@@ -74,11 +74,11 @@ static char *check_dir_or_file(const char *name) { | |||
74 | } | 74 | } |
75 | free(actual_path); | 75 | free(actual_path); |
76 | } | 76 | } |
77 | 77 | ||
78 | } | 78 | } |
79 | break; // file found | 79 | break; // file found |
80 | } | 80 | } |
81 | 81 | ||
82 | free(fname); | 82 | free(fname); |
83 | fname = NULL; | 83 | fname = NULL; |
84 | i++; | 84 | i++; |
@@ -89,7 +89,7 @@ static char *check_dir_or_file(const char *name) { | |||
89 | fwarning("file %s not found\n", name); | 89 | fwarning("file %s not found\n", name); |
90 | return NULL; | 90 | return NULL; |
91 | } | 91 | } |
92 | 92 | ||
93 | free(fname); | 93 | free(fname); |
94 | return paths[i]; | 94 | return paths[i]; |
95 | } | 95 | } |
@@ -109,7 +109,7 @@ static void duplicate(char *fname) { | |||
109 | char *full_path; | 109 | char *full_path; |
110 | if (asprintf(&full_path, "%s/%s", path, fname) == -1) | 110 | if (asprintf(&full_path, "%s/%s", path, fname) == -1) |
111 | errExit("asprintf"); | 111 | errExit("asprintf"); |
112 | 112 | ||
113 | // copy the file | 113 | // copy the file |
114 | if (checkcfg(CFG_FOLLOW_SYMLINK_PRIVATE_BIN)) | 114 | if (checkcfg(CFG_FOLLOW_SYMLINK_PRIVATE_BIN)) |
115 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, RUN_BIN_DIR); | 115 | sbox_run(SBOX_ROOT| SBOX_SECCOMP, 4, PATH_FCOPY, "--follow-link", full_path, RUN_BIN_DIR); |
@@ -123,10 +123,10 @@ static void duplicate(char *fname) { | |||
123 | void fs_private_bin_list(void) { | 123 | void fs_private_bin_list(void) { |
124 | char *private_list = cfg.bin_private_keep; | 124 | char *private_list = cfg.bin_private_keep; |
125 | assert(private_list); | 125 | assert(private_list); |
126 | 126 | ||
127 | // create /run/firejail/mnt/bin directory | 127 | // create /run/firejail/mnt/bin directory |
128 | mkdir_attr(RUN_BIN_DIR, 0755, 0, 0); | 128 | mkdir_attr(RUN_BIN_DIR, 0755, 0, 0); |
129 | 129 | ||
130 | if (arg_debug) | 130 | if (arg_debug) |
131 | printf("Copying files in the new bin directory\n"); | 131 | printf("Copying files in the new bin directory\n"); |
132 | 132 | ||
@@ -134,12 +134,12 @@ void fs_private_bin_list(void) { | |||
134 | char *dlist = strdup(private_list); | 134 | char *dlist = strdup(private_list); |
135 | if (!dlist) | 135 | if (!dlist) |
136 | errExit("strdup"); | 136 | errExit("strdup"); |
137 | 137 | ||
138 | char *ptr = strtok(dlist, ","); | 138 | char *ptr = strtok(dlist, ","); |
139 | duplicate(ptr); | 139 | duplicate(ptr); |
140 | while ((ptr = strtok(NULL, ",")) != NULL) | 140 | while ((ptr = strtok(NULL, ",")) != NULL) |
141 | duplicate(ptr); | 141 | duplicate(ptr); |
142 | free(dlist); | 142 | free(dlist); |
143 | fs_logger_print(); | 143 | fs_logger_print(); |
144 | 144 | ||
145 | // mount-bind | 145 | // mount-bind |
@@ -157,4 +157,3 @@ void fs_private_bin_list(void) { | |||
157 | i++; | 157 | i++; |
158 | } | 158 | } |
159 | } | 159 | } |
160 | |||
diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index 59700dd9b..b0835d50b 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c | |||
@@ -36,20 +36,20 @@ void fs_machineid(void) { | |||
36 | return; | 36 | return; |
37 | if (arg_debug) | 37 | if (arg_debug) |
38 | printf("Generating a new machine-id\n"); | 38 | printf("Generating a new machine-id\n"); |
39 | 39 | ||
40 | // init random number generator | 40 | // init random number generator |
41 | srand(time(NULL)); | 41 | srand(time(NULL)); |
42 | 42 | ||
43 | // generate random id | 43 | // generate random id |
44 | mid.u32[0] = rand(); | 44 | mid.u32[0] = rand(); |
45 | mid.u32[1] = rand(); | 45 | mid.u32[1] = rand(); |
46 | mid.u32[2] = rand(); | 46 | mid.u32[2] = rand(); |
47 | mid.u32[3] = rand(); | 47 | mid.u32[3] = rand(); |
48 | 48 | ||
49 | // UUID version 4 and DCE variant | 49 | // UUID version 4 and DCE variant |
50 | mid.u8[6] = (mid.u8[6] & 0x0F) | 0x40; | 50 | mid.u8[6] = (mid.u8[6] & 0x0F) | 0x40; |
51 | mid.u8[8] = (mid.u8[8] & 0x3F) | 0x80; | 51 | mid.u8[8] = (mid.u8[8] & 0x3F) | 0x80; |
52 | 52 | ||
53 | // write it in a file | 53 | // write it in a file |
54 | FILE *fp = fopen(RUN_MACHINEID, "w"); | 54 | FILE *fp = fopen(RUN_MACHINEID, "w"); |
55 | if (!fp) | 55 | if (!fp) |
@@ -58,7 +58,7 @@ void fs_machineid(void) { | |||
58 | fclose(fp); | 58 | fclose(fp); |
59 | if (set_perms(RUN_MACHINEID, 0, 0, 0444)) | 59 | if (set_perms(RUN_MACHINEID, 0, 0, 0444)) |
60 | errExit("set_perms"); | 60 | errExit("set_perms"); |
61 | 61 | ||
62 | 62 | ||
63 | struct stat s; | 63 | struct stat s; |
64 | if (stat("/etc/machine-id", &s) == 0) { | 64 | if (stat("/etc/machine-id", &s) == 0) { |
@@ -93,7 +93,7 @@ static int check_dir_or_file(const char *fname) { | |||
93 | if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || !is_link(fname)) | 93 | if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || !is_link(fname)) |
94 | return 1; // normal exit | 94 | return 1; // normal exit |
95 | 95 | ||
96 | errexit: | 96 | errexit: |
97 | fprintf(stderr, "Error: invalid file type, %s.\n", fname); | 97 | fprintf(stderr, "Error: invalid file type, %s.\n", fname); |
98 | exit(1); | 98 | exit(1); |
99 | } | 99 | } |
@@ -116,7 +116,7 @@ static void duplicate(const char *fname, const char *private_dir, const char *pr | |||
116 | 116 | ||
117 | if (arg_debug) | 117 | if (arg_debug) |
118 | printf("copying %s to private %s\n", src, private_dir); | 118 | printf("copying %s to private %s\n", src, private_dir); |
119 | 119 | ||
120 | struct stat s; | 120 | struct stat s; |
121 | if (stat(src, &s) == 0 && S_ISDIR(s.st_mode)) { | 121 | if (stat(src, &s) == 0 && S_ISDIR(s.st_mode)) { |
122 | // create the directory in RUN_ETC_DIR | 122 | // create the directory in RUN_ETC_DIR |
@@ -139,11 +139,11 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c | |||
139 | assert(private_dir); | 139 | assert(private_dir); |
140 | assert(private_run_dir); | 140 | assert(private_run_dir); |
141 | assert(private_list); | 141 | assert(private_list); |
142 | 142 | ||
143 | // create /run/firejail/mnt/etc directory | 143 | // create /run/firejail/mnt/etc directory |
144 | mkdir_attr(private_run_dir, 0755, 0, 0); | 144 | mkdir_attr(private_run_dir, 0755, 0, 0); |
145 | fs_logger2("tmpfs", private_dir); | 145 | fs_logger2("tmpfs", private_dir); |
146 | 146 | ||
147 | fs_logger_print(); // save the current log | 147 | fs_logger_print(); // save the current log |
148 | 148 | ||
149 | 149 | ||
@@ -157,21 +157,20 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c | |||
157 | char *dlist = strdup(private_list); | 157 | char *dlist = strdup(private_list); |
158 | if (!dlist) | 158 | if (!dlist) |
159 | errExit("strdup"); | 159 | errExit("strdup"); |
160 | 160 | ||
161 | 161 | ||
162 | char *ptr = strtok(dlist, ","); | 162 | char *ptr = strtok(dlist, ","); |
163 | duplicate(ptr, private_dir, private_run_dir); | 163 | duplicate(ptr, private_dir, private_run_dir); |
164 | 164 | ||
165 | while ((ptr = strtok(NULL, ",")) != NULL) | 165 | while ((ptr = strtok(NULL, ",")) != NULL) |
166 | duplicate(ptr, private_dir, private_run_dir); | 166 | duplicate(ptr, private_dir, private_run_dir); |
167 | free(dlist); | 167 | free(dlist); |
168 | fs_logger_print(); | 168 | fs_logger_print(); |
169 | } | 169 | } |
170 | 170 | ||
171 | if (arg_debug) | 171 | if (arg_debug) |
172 | printf("Mount-bind %s on top of %s\n", private_run_dir, private_dir); | 172 | printf("Mount-bind %s on top of %s\n", private_run_dir, private_dir); |
173 | if (mount(private_run_dir, private_dir, NULL, MS_BIND|MS_REC, NULL) < 0) | 173 | if (mount(private_run_dir, private_dir, NULL, MS_BIND|MS_REC, NULL) < 0) |
174 | errExit("mount bind"); | 174 | errExit("mount bind"); |
175 | fs_logger2("mount", private_dir); | 175 | fs_logger2("mount", private_dir); |
176 | } | 176 | } |
177 | |||
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 70f0388e6..e5e068583 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -63,7 +63,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) { | |||
63 | if (asprintf(&fname, "%s/.cshrc", homedir) == -1) | 63 | if (asprintf(&fname, "%s/.cshrc", homedir) == -1) |
64 | errExit("asprintf"); | 64 | errExit("asprintf"); |
65 | struct stat s; | 65 | struct stat s; |
66 | 66 | ||
67 | // don't copy it if we already have the file | 67 | // don't copy it if we already have the file |
68 | if (stat(fname, &s) == 0) | 68 | if (stat(fname, &s) == 0) |
69 | return; | 69 | return; |
@@ -88,7 +88,7 @@ static void skel(const char *homedir, uid_t u, gid_t g) { | |||
88 | errExit("asprintf"); | 88 | errExit("asprintf"); |
89 | struct stat s; | 89 | struct stat s; |
90 | // don't copy it if we already have the file | 90 | // don't copy it if we already have the file |
91 | if (stat(fname, &s) == 0) | 91 | if (stat(fname, &s) == 0) |
92 | return; | 92 | return; |
93 | if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat | 93 | if (is_link(fname)) { // stat on dangling symlinks fails, try again using lstat |
94 | fprintf(stderr, "Error: invalid %s file\n", fname); | 94 | fprintf(stderr, "Error: invalid %s file\n", fname); |
@@ -113,10 +113,10 @@ static int store_xauthority(void) { | |||
113 | SET_PERMS_STREAM(fp, getuid(), getgid(), 0600); | 113 | SET_PERMS_STREAM(fp, getuid(), getgid(), 0600); |
114 | fclose(fp); | 114 | fclose(fp); |
115 | } | 115 | } |
116 | 116 | ||
117 | if (asprintf(&src, "%s/.Xauthority", cfg.homedir) == -1) | 117 | if (asprintf(&src, "%s/.Xauthority", cfg.homedir) == -1) |
118 | errExit("asprintf"); | 118 | errExit("asprintf"); |
119 | 119 | ||
120 | struct stat s; | 120 | struct stat s; |
121 | if (stat(src, &s) == 0) { | 121 | if (stat(src, &s) == 0) { |
122 | if (is_link(src)) { | 122 | if (is_link(src)) { |
@@ -128,7 +128,7 @@ static int store_xauthority(void) { | |||
128 | fs_logger2("clone", dest); | 128 | fs_logger2("clone", dest); |
129 | return 1; // file copied | 129 | return 1; // file copied |
130 | } | 130 | } |
131 | 131 | ||
132 | return 0; | 132 | return 0; |
133 | } | 133 | } |
134 | 134 | ||
@@ -143,10 +143,10 @@ static int store_asoundrc(void) { | |||
143 | SET_PERMS_STREAM(fp, getuid(), getgid(), 0644); | 143 | SET_PERMS_STREAM(fp, getuid(), getgid(), 0644); |
144 | fclose(fp); | 144 | fclose(fp); |
145 | } | 145 | } |
146 | 146 | ||
147 | if (asprintf(&src, "%s/.asoundrc", cfg.homedir) == -1) | 147 | if (asprintf(&src, "%s/.asoundrc", cfg.homedir) == -1) |
148 | errExit("asprintf"); | 148 | errExit("asprintf"); |
149 | 149 | ||
150 | struct stat s; | 150 | struct stat s; |
151 | if (stat(src, &s) == 0) { | 151 | if (stat(src, &s) == 0) { |
152 | if (is_link(src)) { | 152 | if (is_link(src)) { |
@@ -168,7 +168,7 @@ static int store_asoundrc(void) { | |||
168 | fs_logger2("clone", dest); | 168 | fs_logger2("clone", dest); |
169 | return 1; // file copied | 169 | return 1; // file copied |
170 | } | 170 | } |
171 | 171 | ||
172 | return 0; | 172 | return 0; |
173 | } | 173 | } |
174 | 174 | ||
@@ -178,7 +178,7 @@ static void copy_xauthority(void) { | |||
178 | char *dest; | 178 | char *dest; |
179 | if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1) | 179 | if (asprintf(&dest, "%s/.Xauthority", cfg.homedir) == -1) |
180 | errExit("asprintf"); | 180 | errExit("asprintf"); |
181 | 181 | ||
182 | // if destination is a symbolic link, exit the sandbox!!! | 182 | // if destination is a symbolic link, exit the sandbox!!! |
183 | if (is_link(dest)) { | 183 | if (is_link(dest)) { |
184 | fprintf(stderr, "Error: %s is a symbolic link\n", dest); | 184 | fprintf(stderr, "Error: %s is a symbolic link\n", dest); |
@@ -187,7 +187,7 @@ static void copy_xauthority(void) { | |||
187 | 187 | ||
188 | copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user | 188 | copy_file_as_user(src, dest, getuid(), getgid(), S_IRUSR | S_IWUSR); // regular user |
189 | fs_logger2("clone", dest); | 189 | fs_logger2("clone", dest); |
190 | 190 | ||
191 | // delete the temporary file | 191 | // delete the temporary file |
192 | unlink(src); | 192 | unlink(src); |
193 | } | 193 | } |
@@ -198,7 +198,7 @@ static void copy_asoundrc(void) { | |||
198 | char *dest; | 198 | char *dest; |
199 | if (asprintf(&dest, "%s/.asoundrc", cfg.homedir) == -1) | 199 | if (asprintf(&dest, "%s/.asoundrc", cfg.homedir) == -1) |
200 | errExit("asprintf"); | 200 | errExit("asprintf"); |
201 | 201 | ||
202 | // if destination is a symbolic link, exit the sandbox!!! | 202 | // if destination is a symbolic link, exit the sandbox!!! |
203 | if (is_link(dest)) { | 203 | if (is_link(dest)) { |
204 | fprintf(stderr, "Error: %s is a symbolic link\n", dest); | 204 | fprintf(stderr, "Error: %s is a symbolic link\n", dest); |
@@ -222,10 +222,10 @@ void fs_private_homedir(void) { | |||
222 | char *private_homedir = cfg.home_private; | 222 | char *private_homedir = cfg.home_private; |
223 | assert(homedir); | 223 | assert(homedir); |
224 | assert(private_homedir); | 224 | assert(private_homedir); |
225 | 225 | ||
226 | int xflag = store_xauthority(); | 226 | int xflag = store_xauthority(); |
227 | int aflag = store_asoundrc(); | 227 | int aflag = store_asoundrc(); |
228 | 228 | ||
229 | uid_t u = getuid(); | 229 | uid_t u = getuid(); |
230 | gid_t g = getgid(); | 230 | gid_t g = getgid(); |
231 | 231 | ||
@@ -258,7 +258,7 @@ void fs_private_homedir(void) { | |||
258 | errExit("mounting home directory"); | 258 | errExit("mounting home directory"); |
259 | fs_logger("tmpfs /home"); | 259 | fs_logger("tmpfs /home"); |
260 | } | 260 | } |
261 | 261 | ||
262 | 262 | ||
263 | skel(homedir, u, g); | 263 | skel(homedir, u, g); |
264 | if (xflag) | 264 | if (xflag) |
@@ -309,7 +309,7 @@ void fs_private(void) { | |||
309 | errExit("chown"); | 309 | errExit("chown"); |
310 | fs_logger2("mkdir", homedir); | 310 | fs_logger2("mkdir", homedir); |
311 | } | 311 | } |
312 | 312 | ||
313 | skel(homedir, u, g); | 313 | skel(homedir, u, g); |
314 | if (xflag) | 314 | if (xflag) |
315 | copy_xauthority(); | 315 | copy_xauthority(); |
@@ -322,12 +322,12 @@ void fs_private(void) { | |||
322 | void fs_check_private_dir(void) { | 322 | void fs_check_private_dir(void) { |
323 | EUID_ASSERT(); | 323 | EUID_ASSERT(); |
324 | invalid_filename(cfg.home_private); | 324 | invalid_filename(cfg.home_private); |
325 | 325 | ||
326 | // Expand the home directory | 326 | // Expand the home directory |
327 | char *tmp = expand_home(cfg.home_private, cfg.homedir); | 327 | char *tmp = expand_home(cfg.home_private, cfg.homedir); |
328 | cfg.home_private = realpath(tmp, NULL); | 328 | cfg.home_private = realpath(tmp, NULL); |
329 | free(tmp); | 329 | free(tmp); |
330 | 330 | ||
331 | if (!cfg.home_private | 331 | if (!cfg.home_private |
332 | || !is_dir(cfg.home_private) | 332 | || !is_dir(cfg.home_private) |
333 | || is_link(cfg.home_private) | 333 | || is_link(cfg.home_private) |
@@ -383,7 +383,7 @@ static char *check_dir_or_file(const char *name) { | |||
383 | // we allow only files in user home directory or symbolic links to files or directories owned by the user | 383 | // we allow only files in user home directory or symbolic links to files or directories owned by the user |
384 | struct stat s; | 384 | struct stat s; |
385 | if (lstat(fname, &s) == 0 && S_ISLNK(s.st_mode)) { | 385 | if (lstat(fname, &s) == 0 && S_ISLNK(s.st_mode)) { |
386 | if (stat(fname, &s) == 0) { | 386 | if (stat(fname, &s) == 0) { |
387 | if (s.st_uid != getuid()) { | 387 | if (s.st_uid != getuid()) { |
388 | fprintf(stderr, "Error: symbolic link %s to file or directory not owned by the user\n", fname); | 388 | fprintf(stderr, "Error: symbolic link %s to file or directory not owned by the user\n", fname); |
389 | exit(1); | 389 | exit(1); |
@@ -404,7 +404,7 @@ static char *check_dir_or_file(const char *name) { | |||
404 | fprintf(stderr, "Error: invalid file %s\n", name); | 404 | fprintf(stderr, "Error: invalid file %s\n", name); |
405 | exit(1); | 405 | exit(1); |
406 | } | 406 | } |
407 | 407 | ||
408 | // only top files and directories in user home are allowed | 408 | // only top files and directories in user home are allowed |
409 | char *ptr = rname + strlen(cfg.homedir); | 409 | char *ptr = rname + strlen(cfg.homedir); |
410 | assert(*ptr != '\0'); | 410 | assert(*ptr != '\0'); |
@@ -480,7 +480,7 @@ void fs_private_home_list(void) { | |||
480 | char *dlist = strdup(cfg.home_private_keep); | 480 | char *dlist = strdup(cfg.home_private_keep); |
481 | if (!dlist) | 481 | if (!dlist) |
482 | errExit("strdup"); | 482 | errExit("strdup"); |
483 | 483 | ||
484 | char *ptr = strtok(dlist, ","); | 484 | char *ptr = strtok(dlist, ","); |
485 | duplicate(ptr); | 485 | duplicate(ptr); |
486 | while ((ptr = strtok(NULL, ",")) != NULL) | 486 | while ((ptr = strtok(NULL, ",")) != NULL) |
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c index 32243c700..42255070c 100644 --- a/src/firejail/fs_hostname.c +++ b/src/firejail/fs_hostname.c | |||
@@ -27,7 +27,7 @@ | |||
27 | 27 | ||
28 | void fs_hostname(const char *hostname) { | 28 | void fs_hostname(const char *hostname) { |
29 | struct stat s; | 29 | struct stat s; |
30 | 30 | ||
31 | // create a new /etc/hostname | 31 | // create a new /etc/hostname |
32 | if (stat("/etc/hostname", &s) == 0) { | 32 | if (stat("/etc/hostname", &s) == 0) { |
33 | if (arg_debug) | 33 | if (arg_debug) |
@@ -40,7 +40,7 @@ void fs_hostname(const char *hostname) { | |||
40 | errExit("mount bind /etc/hostname"); | 40 | errExit("mount bind /etc/hostname"); |
41 | fs_logger("create /etc/hostname"); | 41 | fs_logger("create /etc/hostname"); |
42 | } | 42 | } |
43 | 43 | ||
44 | // create a new /etc/hosts | 44 | // create a new /etc/hosts |
45 | if (cfg.hosts_file == NULL && stat("/etc/hosts", &s) == 0) { | 45 | if (cfg.hosts_file == NULL && stat("/etc/hosts", &s) == 0) { |
46 | if (arg_debug) | 46 | if (arg_debug) |
@@ -56,7 +56,7 @@ void fs_hostname(const char *hostname) { | |||
56 | fclose(fp1); | 56 | fclose(fp1); |
57 | goto errexit; | 57 | goto errexit; |
58 | } | 58 | } |
59 | 59 | ||
60 | char buf[4096]; | 60 | char buf[4096]; |
61 | int done = 0; | 61 | int done = 0; |
62 | while (fgets(buf, sizeof(buf), fp1)) { | 62 | while (fgets(buf, sizeof(buf), fp1)) { |
@@ -64,7 +64,7 @@ void fs_hostname(const char *hostname) { | |||
64 | char *ptr = strchr(buf, '\n'); | 64 | char *ptr = strchr(buf, '\n'); |
65 | if (ptr) | 65 | if (ptr) |
66 | *ptr = '\0'; | 66 | *ptr = '\0'; |
67 | 67 | ||
68 | // copy line | 68 | // copy line |
69 | if (strstr(buf, "127.0.0.1") && done == 0) { | 69 | if (strstr(buf, "127.0.0.1") && done == 0) { |
70 | done = 1; | 70 | done = 1; |
@@ -77,7 +77,7 @@ void fs_hostname(const char *hostname) { | |||
77 | // mode and owner | 77 | // mode and owner |
78 | SET_PERMS_STREAM(fp2, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); | 78 | SET_PERMS_STREAM(fp2, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); |
79 | fclose(fp2); | 79 | fclose(fp2); |
80 | 80 | ||
81 | // bind-mount the file on top of /etc/hostname | 81 | // bind-mount the file on top of /etc/hostname |
82 | fs_mount_hosts_file(); | 82 | fs_mount_hosts_file(); |
83 | } | 83 | } |
@@ -93,7 +93,7 @@ void fs_resolvconf(void) { | |||
93 | return; | 93 | return; |
94 | 94 | ||
95 | struct stat s; | 95 | struct stat s; |
96 | 96 | ||
97 | // create a new /etc/hostname | 97 | // create a new /etc/hostname |
98 | if (stat("/etc/resolv.conf", &s) == 0) { | 98 | if (stat("/etc/resolv.conf", &s) == 0) { |
99 | if (arg_debug) | 99 | if (arg_debug) |
@@ -103,7 +103,7 @@ void fs_resolvconf(void) { | |||
103 | fprintf(stderr, "Error: cannot create %s\n", RUN_RESOLVCONF_FILE); | 103 | fprintf(stderr, "Error: cannot create %s\n", RUN_RESOLVCONF_FILE); |
104 | exit(1); | 104 | exit(1); |
105 | } | 105 | } |
106 | 106 | ||
107 | if (cfg.dns1) | 107 | if (cfg.dns1) |
108 | fprintf(fp, "nameserver %d.%d.%d.%d\n", PRINT_IP(cfg.dns1)); | 108 | fprintf(fp, "nameserver %d.%d.%d.%d\n", PRINT_IP(cfg.dns1)); |
109 | if (cfg.dns2) | 109 | if (cfg.dns2) |
@@ -115,7 +115,7 @@ void fs_resolvconf(void) { | |||
115 | SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); | 115 | SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); |
116 | 116 | ||
117 | fclose(fp); | 117 | fclose(fp); |
118 | 118 | ||
119 | // bind-mount the file on top of /etc/hostname | 119 | // bind-mount the file on top of /etc/hostname |
120 | if (mount(RUN_RESOLVCONF_FILE, "/etc/resolv.conf", NULL, MS_BIND|MS_REC, NULL) < 0) | 120 | if (mount(RUN_RESOLVCONF_FILE, "/etc/resolv.conf", NULL, MS_BIND|MS_REC, NULL) < 0) |
121 | errExit("mount bind /etc/resolv.conf"); | 121 | errExit("mount bind /etc/resolv.conf"); |
@@ -135,7 +135,7 @@ char *fs_check_hosts_file(const char *fname) { | |||
135 | // no a link | 135 | // no a link |
136 | if (is_link(rv)) | 136 | if (is_link(rv)) |
137 | goto errexit; | 137 | goto errexit; |
138 | 138 | ||
139 | // the user has read access to the file | 139 | // the user has read access to the file |
140 | if (access(rv, R_OK)) | 140 | if (access(rv, R_OK)) |
141 | goto errexit; | 141 | goto errexit; |
@@ -175,4 +175,3 @@ errexit: | |||
175 | fprintf(stderr, "Error: invalid /etc/hosts file\n"); | 175 | fprintf(stderr, "Error: invalid /etc/hosts file\n"); |
176 | exit(1); | 176 | exit(1); |
177 | } | 177 | } |
178 | |||
diff --git a/src/firejail/fs_logger.c b/src/firejail/fs_logger.c index a2b6b317e..354e720a1 100644 --- a/src/firejail/fs_logger.c +++ b/src/firejail/fs_logger.c | |||
@@ -17,7 +17,7 @@ | |||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | 17 | * with this program; if not, write to the Free Software Foundation, Inc., |
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | 20 | ||
21 | #include "firejail.h" | 21 | #include "firejail.h" |
22 | #include <sys/types.h> | 22 | #include <sys/types.h> |
23 | #include <sys/stat.h> | 23 | #include <sys/stat.h> |
@@ -47,7 +47,7 @@ static inline void insertmsg(FsMsg *ptr) { | |||
47 | last = ptr; | 47 | last = ptr; |
48 | return; | 48 | return; |
49 | } | 49 | } |
50 | 50 | ||
51 | assert(last); | 51 | assert(last); |
52 | last->next = ptr; | 52 | last->next = ptr; |
53 | last = ptr; | 53 | last = ptr; |
@@ -91,14 +91,14 @@ void fs_logger3(const char *msg1, const char *msg2, const char *msg3) { | |||
91 | void fs_logger_print(void) { | 91 | void fs_logger_print(void) { |
92 | if (!head) | 92 | if (!head) |
93 | return; | 93 | return; |
94 | 94 | ||
95 | FILE *fp = fopen(RUN_FSLOGGER_FILE, "a"); | 95 | FILE *fp = fopen(RUN_FSLOGGER_FILE, "a"); |
96 | if (!fp) { | 96 | if (!fp) { |
97 | perror("fopen"); | 97 | perror("fopen"); |
98 | return; | 98 | return; |
99 | } | 99 | } |
100 | SET_PERMS_STREAM_NOERR(fp, getuid(), getgid(), 0644); | 100 | SET_PERMS_STREAM_NOERR(fp, getuid(), getgid(), 0644); |
101 | 101 | ||
102 | FsMsg *ptr = head; | 102 | FsMsg *ptr = head; |
103 | while (ptr) { | 103 | while (ptr) { |
104 | fprintf(fp, "%s\n", ptr->msg); | 104 | fprintf(fp, "%s\n", ptr->msg); |
@@ -162,7 +162,7 @@ void fs_logger_print_log(pid_t pid) { | |||
162 | fprintf(stderr, "Error: Cannot open filesystem log\n"); | 162 | fprintf(stderr, "Error: Cannot open filesystem log\n"); |
163 | exit(1); | 163 | exit(1); |
164 | } | 164 | } |
165 | 165 | ||
166 | char buf[MAXBUF]; | 166 | char buf[MAXBUF]; |
167 | while (fgets(buf, MAXBUF, fp)) | 167 | while (fgets(buf, MAXBUF, fp)) |
168 | printf("%s", buf); | 168 | printf("%s", buf); |
diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c index 4397f0721..20ffe825a 100644 --- a/src/firejail/fs_mkdir.c +++ b/src/firejail/fs_mkdir.c | |||
@@ -57,7 +57,7 @@ static void mkdir_recursive(char *path) { | |||
57 | 57 | ||
58 | void fs_mkdir(const char *name) { | 58 | void fs_mkdir(const char *name) { |
59 | EUID_ASSERT(); | 59 | EUID_ASSERT(); |
60 | 60 | ||
61 | // check directory name | 61 | // check directory name |
62 | invalid_filename(name); | 62 | invalid_filename(name); |
63 | char *expanded = expand_home(name, cfg.homedir); | 63 | char *expanded = expand_home(name, cfg.homedir); |
@@ -93,11 +93,11 @@ void fs_mkdir(const char *name) { | |||
93 | 93 | ||
94 | doexit: | 94 | doexit: |
95 | free(expanded); | 95 | free(expanded); |
96 | } | 96 | } |
97 | 97 | ||
98 | void fs_mkfile(const char *name) { | 98 | void fs_mkfile(const char *name) { |
99 | EUID_ASSERT(); | 99 | EUID_ASSERT(); |
100 | 100 | ||
101 | // check file name | 101 | // check file name |
102 | invalid_filename(name); | 102 | invalid_filename(name); |
103 | char *expanded = expand_home(name, cfg.homedir); | 103 | char *expanded = expand_home(name, cfg.homedir); |
@@ -115,7 +115,7 @@ void fs_mkfile(const char *name) { | |||
115 | 115 | ||
116 | // create file | 116 | // create file |
117 | touch_file_as_user(expanded, getuid(), getgid(), 0600); | 117 | touch_file_as_user(expanded, getuid(), getgid(), 0600); |
118 | 118 | ||
119 | doexit: | 119 | doexit: |
120 | free(expanded); | 120 | free(expanded); |
121 | } | 121 | } |
diff --git a/src/firejail/fs_trace.c b/src/firejail/fs_trace.c index 2a58d1eb2..f964c05d0 100644 --- a/src/firejail/fs_trace.c +++ b/src/firejail/fs_trace.c | |||
@@ -58,11 +58,11 @@ void fs_trace(void) { | |||
58 | fprintf(fp, "%s/firejail/libtracelog.so\n", LIBDIR); | 58 | fprintf(fp, "%s/firejail/libtracelog.so\n", LIBDIR); |
59 | if (!arg_quiet) | 59 | if (!arg_quiet) |
60 | printf("Blacklist violations are logged to syslog\n"); | 60 | printf("Blacklist violations are logged to syslog\n"); |
61 | } | 61 | } |
62 | 62 | ||
63 | SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); | 63 | SET_PERMS_STREAM(fp, 0, 0, S_IRUSR | S_IWRITE | S_IRGRP | S_IROTH); |
64 | fclose(fp); | 64 | fclose(fp); |
65 | 65 | ||
66 | // mount the new preload file | 66 | // mount the new preload file |
67 | if (arg_debug) | 67 | if (arg_debug) |
68 | printf("Mount the new ld.so.preload file\n"); | 68 | printf("Mount the new ld.so.preload file\n"); |
@@ -70,4 +70,3 @@ void fs_trace(void) { | |||
70 | errExit("mount bind ld.so.preload"); | 70 | errExit("mount bind ld.so.preload"); |
71 | fs_logger("create /etc/ld.so.preload"); | 71 | fs_logger("create /etc/ld.so.preload"); |
72 | } | 72 | } |
73 | |||
diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index 426ef48bf..9452d162d 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c | |||
@@ -48,7 +48,7 @@ static void release_all(void) { | |||
48 | } | 48 | } |
49 | dirlist = NULL; | 49 | dirlist = NULL; |
50 | } | 50 | } |
51 | 51 | ||
52 | static void build_list(const char *srcdir) { | 52 | static void build_list(const char *srcdir) { |
53 | // extract current /var/log directory data | 53 | // extract current /var/log directory data |
54 | struct dirent *dir; | 54 | struct dirent *dir; |
@@ -77,7 +77,7 @@ static void build_list(const char *srcdir) { | |||
77 | // s.st_uid, | 77 | // s.st_uid, |
78 | // s.st_gid, | 78 | // s.st_gid, |
79 | // dir->d_name); | 79 | // dir->d_name); |
80 | 80 | ||
81 | DirData *ptr = malloc(sizeof(DirData)); | 81 | DirData *ptr = malloc(sizeof(DirData)); |
82 | if (ptr == NULL) | 82 | if (ptr == NULL) |
83 | errExit("malloc"); | 83 | errExit("malloc"); |
@@ -87,8 +87,8 @@ static void build_list(const char *srcdir) { | |||
87 | ptr->st_uid = s.st_uid; | 87 | ptr->st_uid = s.st_uid; |
88 | ptr->st_gid = s.st_gid; | 88 | ptr->st_gid = s.st_gid; |
89 | ptr->next = dirlist; | 89 | ptr->next = dirlist; |
90 | dirlist = ptr; | 90 | dirlist = ptr; |
91 | } | 91 | } |
92 | } | 92 | } |
93 | closedir(d); | 93 | closedir(d); |
94 | } | 94 | } |
@@ -102,10 +102,10 @@ static void build_dirs(void) { | |||
102 | ptr = ptr->next; | 102 | ptr = ptr->next; |
103 | } | 103 | } |
104 | } | 104 | } |
105 | 105 | ||
106 | void fs_var_log(void) { | 106 | void fs_var_log(void) { |
107 | build_list("/var/log"); | 107 | build_list("/var/log"); |
108 | 108 | ||
109 | // note: /var/log is not created here, if it does not exist, this section fails. | 109 | // note: /var/log is not created here, if it does not exist, this section fails. |
110 | // create /var/log if it doesn't exit | 110 | // create /var/log if it doesn't exit |
111 | if (is_dir("/var/log")) { | 111 | if (is_dir("/var/log")) { |
@@ -114,17 +114,17 @@ void fs_var_log(void) { | |||
114 | gid_t wtmp_group = 0; | 114 | gid_t wtmp_group = 0; |
115 | if (stat("/var/log/wtmp", &s) == 0) | 115 | if (stat("/var/log/wtmp", &s) == 0) |
116 | wtmp_group = s.st_gid; | 116 | wtmp_group = s.st_gid; |
117 | 117 | ||
118 | // mount a tmpfs on top of /var/log | 118 | // mount a tmpfs on top of /var/log |
119 | if (arg_debug) | 119 | if (arg_debug) |
120 | printf("Mounting tmpfs on /var/log\n"); | 120 | printf("Mounting tmpfs on /var/log\n"); |
121 | if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 121 | if (mount("tmpfs", "/var/log", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
122 | errExit("mounting /var/log"); | 122 | errExit("mounting /var/log"); |
123 | fs_logger("tmpfs /var/log"); | 123 | fs_logger("tmpfs /var/log"); |
124 | 124 | ||
125 | build_dirs(); | 125 | build_dirs(); |
126 | release_all(); | 126 | release_all(); |
127 | 127 | ||
128 | // create an empty /var/log/wtmp file | 128 | // create an empty /var/log/wtmp file |
129 | /* coverity[toctou] */ | 129 | /* coverity[toctou] */ |
130 | FILE *fp = fopen("/var/log/wtmp", "w"); | 130 | FILE *fp = fopen("/var/log/wtmp", "w"); |
@@ -133,7 +133,7 @@ void fs_var_log(void) { | |||
133 | fclose(fp); | 133 | fclose(fp); |
134 | } | 134 | } |
135 | fs_logger("touch /var/log/wtmp"); | 135 | fs_logger("touch /var/log/wtmp"); |
136 | 136 | ||
137 | // create an empty /var/log/btmp file | 137 | // create an empty /var/log/btmp file |
138 | fp = fopen("/var/log/btmp", "w"); | 138 | fp = fopen("/var/log/btmp", "w"); |
139 | if (fp) { | 139 | if (fp) { |
@@ -148,7 +148,7 @@ void fs_var_log(void) { | |||
148 | 148 | ||
149 | void fs_var_lib(void) { | 149 | void fs_var_lib(void) { |
150 | struct stat s; | 150 | struct stat s; |
151 | 151 | ||
152 | // ISC DHCP multiserver | 152 | // ISC DHCP multiserver |
153 | if (stat("/var/lib/dhcp", &s) == 0) { | 153 | if (stat("/var/lib/dhcp", &s) == 0) { |
154 | if (arg_debug) | 154 | if (arg_debug) |
@@ -156,10 +156,10 @@ void fs_var_lib(void) { | |||
156 | if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 156 | if (mount("tmpfs", "/var/lib/dhcp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
157 | errExit("mounting /var/lib/dhcp"); | 157 | errExit("mounting /var/lib/dhcp"); |
158 | fs_logger("tmpfs /var/lib/dhcp"); | 158 | fs_logger("tmpfs /var/lib/dhcp"); |
159 | 159 | ||
160 | // isc dhcp server requires a /var/lib/dhcp/dhcpd.leases file | 160 | // isc dhcp server requires a /var/lib/dhcp/dhcpd.leases file |
161 | FILE *fp = fopen("/var/lib/dhcp/dhcpd.leases", "w"); | 161 | FILE *fp = fopen("/var/lib/dhcp/dhcpd.leases", "w"); |
162 | 162 | ||
163 | if (fp) { | 163 | if (fp) { |
164 | fprintf(fp, "\n"); | 164 | fprintf(fp, "\n"); |
165 | SET_PERMS_STREAM(fp, 0, 0, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); | 165 | SET_PERMS_STREAM(fp, 0, 0, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); |
@@ -175,7 +175,7 @@ void fs_var_lib(void) { | |||
175 | if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 175 | if (mount("tmpfs", "/var/lib/nginx", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
176 | errExit("mounting /var/lib/nginx"); | 176 | errExit("mounting /var/lib/nginx"); |
177 | fs_logger("tmpfs /var/lib/nginx"); | 177 | fs_logger("tmpfs /var/lib/nginx"); |
178 | } | 178 | } |
179 | 179 | ||
180 | // net-snmp multiserver | 180 | // net-snmp multiserver |
181 | if (stat("/var/lib/snmp", &s) == 0) { | 181 | if (stat("/var/lib/snmp", &s) == 0) { |
@@ -184,7 +184,7 @@ void fs_var_lib(void) { | |||
184 | if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 184 | if (mount("tmpfs", "/var/lib/snmp", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
185 | errExit("mounting /var/lib/snmp"); | 185 | errExit("mounting /var/lib/snmp"); |
186 | fs_logger("tmpfs /var/lib/snmp"); | 186 | fs_logger("tmpfs /var/lib/snmp"); |
187 | } | 187 | } |
188 | 188 | ||
189 | // this is where sudo remembers its state | 189 | // this is where sudo remembers its state |
190 | if (stat("/var/lib/sudo", &s) == 0) { | 190 | if (stat("/var/lib/sudo", &s) == 0) { |
@@ -193,7 +193,7 @@ void fs_var_lib(void) { | |||
193 | if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 193 | if (mount("tmpfs", "/var/lib/sudo", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
194 | errExit("mounting /var/lib/sudo"); | 194 | errExit("mounting /var/lib/sudo"); |
195 | fs_logger("tmpfs /var/lib/sudo"); | 195 | fs_logger("tmpfs /var/lib/sudo"); |
196 | } | 196 | } |
197 | } | 197 | } |
198 | 198 | ||
199 | void fs_var_cache(void) { | 199 | void fs_var_cache(void) { |
@@ -205,7 +205,7 @@ void fs_var_cache(void) { | |||
205 | if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 205 | if (mount("tmpfs", "/var/cache/apache2", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
206 | errExit("mounting /var/cache/apache2"); | 206 | errExit("mounting /var/cache/apache2"); |
207 | fs_logger("tmpfs /var/cache/apache2"); | 207 | fs_logger("tmpfs /var/cache/apache2"); |
208 | } | 208 | } |
209 | 209 | ||
210 | if (stat("/var/cache/lighttpd", &s) == 0) { | 210 | if (stat("/var/cache/lighttpd", &s) == 0) { |
211 | if (arg_debug) | 211 | if (arg_debug) |
@@ -221,13 +221,13 @@ void fs_var_cache(void) { | |||
221 | uid = p->pw_uid; | 221 | uid = p->pw_uid; |
222 | gid = p->pw_gid; | 222 | gid = p->pw_gid; |
223 | } | 223 | } |
224 | 224 | ||
225 | mkdir_attr("/var/cache/lighttpd/compress", 0755, uid, gid); | 225 | mkdir_attr("/var/cache/lighttpd/compress", 0755, uid, gid); |
226 | fs_logger("mkdir /var/cache/lighttpd/compress"); | 226 | fs_logger("mkdir /var/cache/lighttpd/compress"); |
227 | 227 | ||
228 | mkdir_attr("/var/cache/lighttpd/uploads", 0755, uid, gid); | 228 | mkdir_attr("/var/cache/lighttpd/uploads", 0755, uid, gid); |
229 | fs_logger("/var/cache/lighttpd/uploads"); | 229 | fs_logger("/var/cache/lighttpd/uploads"); |
230 | } | 230 | } |
231 | } | 231 | } |
232 | 232 | ||
233 | void dbg_test_dir(const char *dir) { | 233 | void dbg_test_dir(const char *dir) { |
@@ -312,7 +312,7 @@ void fs_var_utmp(void) { | |||
312 | FILE *fp = fopen(RUN_UTMP_FILE, "w"); | 312 | FILE *fp = fopen(RUN_UTMP_FILE, "w"); |
313 | if (!fp) | 313 | if (!fp) |
314 | errExit("fopen"); | 314 | errExit("fopen"); |
315 | 315 | ||
316 | // read current utmp | 316 | // read current utmp |
317 | struct utmp *u; | 317 | struct utmp *u; |
318 | struct utmp u_boot; | 318 | struct utmp u_boot; |
@@ -324,12 +324,12 @@ void fs_var_utmp(void) { | |||
324 | } | 324 | } |
325 | } | 325 | } |
326 | endutent(); | 326 | endutent(); |
327 | 327 | ||
328 | // save new utmp file | 328 | // save new utmp file |
329 | fwrite(&u_boot, sizeof(u_boot), 1, fp); | 329 | fwrite(&u_boot, sizeof(u_boot), 1, fp); |
330 | SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH); | 330 | SET_PERMS_STREAM(fp, 0, utmp_group, S_IRUSR | S_IWRITE | S_IRGRP | S_IWGRP | S_IROTH); |
331 | fclose(fp); | 331 | fclose(fp); |
332 | 332 | ||
333 | // mount the new utmp file | 333 | // mount the new utmp file |
334 | if (arg_debug) | 334 | if (arg_debug) |
335 | printf("Mount the new utmp file\n"); | 335 | printf("Mount the new utmp file\n"); |
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 407192200..3403c57a7 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -44,11 +44,11 @@ static char *resolve_downloads(int nowhitelist_flag) { | |||
44 | while (dentry[i] != NULL) { | 44 | while (dentry[i] != NULL) { |
45 | if (asprintf(&fname, "%s/%s", cfg.homedir, dentry[i]) == -1) | 45 | if (asprintf(&fname, "%s/%s", cfg.homedir, dentry[i]) == -1) |
46 | errExit("asprintf"); | 46 | errExit("asprintf"); |
47 | 47 | ||
48 | if (stat(fname, &s) == 0) { | 48 | if (stat(fname, &s) == 0) { |
49 | if (arg_debug || arg_debug_whitelists) | 49 | if (arg_debug || arg_debug_whitelists) |
50 | printf("Downloads directory resolved as \"%s\"\n", fname); | 50 | printf("Downloads directory resolved as \"%s\"\n", fname); |
51 | 51 | ||
52 | char *rv; | 52 | char *rv; |
53 | if (nowhitelist_flag) { | 53 | if (nowhitelist_flag) { |
54 | if (asprintf(&rv, "nowhitelist ~/%s", dentry[i]) == -1) | 54 | if (asprintf(&rv, "nowhitelist ~/%s", dentry[i]) == -1) |
@@ -72,14 +72,14 @@ static char *resolve_downloads(int nowhitelist_flag) { | |||
72 | if (!fp) { | 72 | if (!fp) { |
73 | free(fname); | 73 | free(fname); |
74 | return NULL; | 74 | return NULL; |
75 | } | 75 | } |
76 | free(fname); | 76 | free(fname); |
77 | 77 | ||
78 | // extract downloads directory | 78 | // extract downloads directory |
79 | char buf[MAXBUF]; | 79 | char buf[MAXBUF]; |
80 | while (fgets(buf, MAXBUF, fp)) { | 80 | while (fgets(buf, MAXBUF, fp)) { |
81 | char *ptr = buf; | 81 | char *ptr = buf; |
82 | 82 | ||
83 | // skip blanks | 83 | // skip blanks |
84 | while (*ptr == ' ' || *ptr == '\t') | 84 | while (*ptr == ' ' || *ptr == '\t') |
85 | ptr++; | 85 | ptr++; |
@@ -97,15 +97,15 @@ static char *resolve_downloads(int nowhitelist_flag) { | |||
97 | if (strlen(ptr1) != 0) { | 97 | if (strlen(ptr1) != 0) { |
98 | if (arg_debug || arg_debug_whitelists) | 98 | if (arg_debug || arg_debug_whitelists) |
99 | printf("Downloads directory resolved as \"%s\"\n", ptr1); | 99 | printf("Downloads directory resolved as \"%s\"\n", ptr1); |
100 | 100 | ||
101 | if (asprintf(&fname, "%s/%s", cfg.homedir, ptr1) == -1) | 101 | if (asprintf(&fname, "%s/%s", cfg.homedir, ptr1) == -1) |
102 | errExit("asprintf"); | 102 | errExit("asprintf"); |
103 | 103 | ||
104 | if (stat(fname, &s) == -1) { | 104 | if (stat(fname, &s) == -1) { |
105 | free(fname); | 105 | free(fname); |
106 | goto errout; | 106 | goto errout; |
107 | } | 107 | } |
108 | 108 | ||
109 | char *rv; | 109 | char *rv; |
110 | if (nowhitelist_flag) { | 110 | if (nowhitelist_flag) { |
111 | if (asprintf(&rv, "nowhitelist ~/%s", ptr + 24) == -1) | 111 | if (asprintf(&rv, "nowhitelist ~/%s", ptr + 24) == -1) |
@@ -122,7 +122,7 @@ static char *resolve_downloads(int nowhitelist_flag) { | |||
122 | } | 122 | } |
123 | } | 123 | } |
124 | } | 124 | } |
125 | 125 | ||
126 | fclose(fp); | 126 | fclose(fp); |
127 | return NULL; | 127 | return NULL; |
128 | 128 | ||
@@ -131,13 +131,13 @@ errout: | |||
131 | fprintf(stderr, "*** Error: Downloads directory was not found in user home.\n"); | 131 | fprintf(stderr, "*** Error: Downloads directory was not found in user home.\n"); |
132 | fprintf(stderr, "*** \tAny files saved by the program, will be lost when the sandbox is closed.\n"); | 132 | fprintf(stderr, "*** \tAny files saved by the program, will be lost when the sandbox is closed.\n"); |
133 | fprintf(stderr, "***\n"); | 133 | fprintf(stderr, "***\n"); |
134 | 134 | ||
135 | return NULL; | 135 | return NULL; |
136 | } | 136 | } |
137 | 137 | ||
138 | static int mkpath(const char* path, mode_t mode) { | 138 | static int mkpath(const char* path, mode_t mode) { |
139 | assert(path && *path); | 139 | assert(path && *path); |
140 | 140 | ||
141 | mode |= 0111; | 141 | mode |= 0111; |
142 | 142 | ||
143 | // create directories with uid/gid as root or as current user if inside home directory | 143 | // create directories with uid/gid as root or as current user if inside home directory |
@@ -168,13 +168,13 @@ static int mkpath(const char* path, mode_t mode) { | |||
168 | if (set_perms(file_path, uid, gid, mode)) | 168 | if (set_perms(file_path, uid, gid, mode)) |
169 | errExit("set_perms"); | 169 | errExit("set_perms"); |
170 | done = 1; | 170 | done = 1; |
171 | } | 171 | } |
172 | 172 | ||
173 | *p='/'; | 173 | *p='/'; |
174 | } | 174 | } |
175 | if (done) | 175 | if (done) |
176 | fs_logger2("mkpath", path); | 176 | fs_logger2("mkpath", path); |
177 | 177 | ||
178 | free(file_path); | 178 | free(file_path); |
179 | return 0; | 179 | return 0; |
180 | } | 180 | } |
@@ -187,14 +187,14 @@ static void whitelist_path(ProfileEntry *entry) { | |||
187 | char *wfile = NULL; | 187 | char *wfile = NULL; |
188 | 188 | ||
189 | if (entry->home_dir) { | 189 | if (entry->home_dir) { |
190 | if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) { | 190 | if (strncmp(path, cfg.homedir, strlen(cfg.homedir)) == 0) { |
191 | fname = path + strlen(cfg.homedir); | 191 | fname = path + strlen(cfg.homedir); |
192 | if (*fname == '\0') | 192 | if (*fname == '\0') |
193 | goto errexit; | 193 | goto errexit; |
194 | } | 194 | } |
195 | else | 195 | else |
196 | fname = path; | 196 | fname = path; |
197 | 197 | ||
198 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1) | 198 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_HOME_USER_DIR, fname) == -1) |
199 | errExit("asprintf"); | 199 | errExit("asprintf"); |
200 | } | 200 | } |
@@ -202,7 +202,7 @@ static void whitelist_path(ProfileEntry *entry) { | |||
202 | fname = path + 4; // strlen("/tmp") | 202 | fname = path + 4; // strlen("/tmp") |
203 | if (*fname == '\0') | 203 | if (*fname == '\0') |
204 | goto errexit; | 204 | goto errexit; |
205 | 205 | ||
206 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_TMP_DIR, fname) == -1) | 206 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_TMP_DIR, fname) == -1) |
207 | errExit("asprintf"); | 207 | errExit("asprintf"); |
208 | } | 208 | } |
@@ -210,7 +210,7 @@ static void whitelist_path(ProfileEntry *entry) { | |||
210 | fname = path + 6; // strlen("/media") | 210 | fname = path + 6; // strlen("/media") |
211 | if (*fname == '\0') | 211 | if (*fname == '\0') |
212 | goto errexit; | 212 | goto errexit; |
213 | 213 | ||
214 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MEDIA_DIR, fname) == -1) | 214 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_MEDIA_DIR, fname) == -1) |
215 | errExit("asprintf"); | 215 | errExit("asprintf"); |
216 | } | 216 | } |
@@ -226,7 +226,7 @@ static void whitelist_path(ProfileEntry *entry) { | |||
226 | fname = path + 4; // strlen("/var") | 226 | fname = path + 4; // strlen("/var") |
227 | if (*fname == '\0') | 227 | if (*fname == '\0') |
228 | goto errexit; | 228 | goto errexit; |
229 | 229 | ||
230 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_VAR_DIR, fname) == -1) | 230 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_VAR_DIR, fname) == -1) |
231 | errExit("asprintf"); | 231 | errExit("asprintf"); |
232 | } | 232 | } |
@@ -234,7 +234,7 @@ static void whitelist_path(ProfileEntry *entry) { | |||
234 | fname = path + 4; // strlen("/dev") | 234 | fname = path + 4; // strlen("/dev") |
235 | if (*fname == '\0') | 235 | if (*fname == '\0') |
236 | goto errexit; | 236 | goto errexit; |
237 | 237 | ||
238 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_DEV_DIR, fname) == -1) | 238 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_DEV_DIR, fname) == -1) |
239 | errExit("asprintf"); | 239 | errExit("asprintf"); |
240 | } | 240 | } |
@@ -242,7 +242,7 @@ static void whitelist_path(ProfileEntry *entry) { | |||
242 | fname = path + 4; // strlen("/opt") | 242 | fname = path + 4; // strlen("/opt") |
243 | if (*fname == '\0') | 243 | if (*fname == '\0') |
244 | goto errexit; | 244 | goto errexit; |
245 | 245 | ||
246 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1) | 246 | if (asprintf(&wfile, "%s/%s", RUN_WHITELIST_OPT_DIR, fname) == -1) |
247 | errExit("asprintf"); | 247 | errExit("asprintf"); |
248 | } | 248 | } |
@@ -263,18 +263,18 @@ static void whitelist_path(ProfileEntry *entry) { | |||
263 | else { | 263 | else { |
264 | return; | 264 | return; |
265 | } | 265 | } |
266 | 266 | ||
267 | // create the path if necessary | 267 | // create the path if necessary |
268 | mkpath(path, s.st_mode); | 268 | mkpath(path, s.st_mode); |
269 | fs_logger2("whitelist", path); | 269 | fs_logger2("whitelist", path); |
270 | 270 | ||
271 | // process directory | 271 | // process directory |
272 | if (S_ISDIR(s.st_mode)) { | 272 | if (S_ISDIR(s.st_mode)) { |
273 | // create directory | 273 | // create directory |
274 | int rv = mkdir(path, 0755); | 274 | int rv = mkdir(path, 0755); |
275 | (void) rv; | 275 | (void) rv; |
276 | } | 276 | } |
277 | 277 | ||
278 | // process regular file | 278 | // process regular file |
279 | else { | 279 | else { |
280 | if (access(path, R_OK)) { | 280 | if (access(path, R_OK)) { |
@@ -291,7 +291,7 @@ static void whitelist_path(ProfileEntry *entry) { | |||
291 | else | 291 | else |
292 | return; // the file is already present | 292 | return; // the file is already present |
293 | } | 293 | } |
294 | 294 | ||
295 | // mount | 295 | // mount |
296 | if (mount(wfile, path, NULL, MS_BIND|MS_REC, NULL) < 0) | 296 | if (mount(wfile, path, NULL, MS_BIND|MS_REC, NULL) < 0) |
297 | errExit("mount bind"); | 297 | errExit("mount bind"); |
@@ -328,11 +328,11 @@ void fs_whitelist(void) { | |||
328 | char **nowhitelist = calloc(nowhitelist_m, sizeof(*nowhitelist)); | 328 | char **nowhitelist = calloc(nowhitelist_m, sizeof(*nowhitelist)); |
329 | if (nowhitelist == NULL) | 329 | if (nowhitelist == NULL) |
330 | errExit("failed allocating memory for nowhitelist entries"); | 330 | errExit("failed allocating memory for nowhitelist entries"); |
331 | 331 | ||
332 | // verify whitelist files, extract symbolic links, etc. | 332 | // verify whitelist files, extract symbolic links, etc. |
333 | while (entry) { | 333 | while (entry) { |
334 | int nowhitelist_flag = 0; | 334 | int nowhitelist_flag = 0; |
335 | 335 | ||
336 | // handle only whitelist and nowhitelist commands | 336 | // handle only whitelist and nowhitelist commands |
337 | if (strncmp(entry->data, "whitelist ", 10) == 0) | 337 | if (strncmp(entry->data, "whitelist ", 10) == 0) |
338 | nowhitelist_flag = 0; | 338 | nowhitelist_flag = 0; |
@@ -412,16 +412,16 @@ void fs_whitelist(void) { | |||
412 | else if (strncmp(new_name, "/srv/", 5) == 0) | 412 | else if (strncmp(new_name, "/srv/", 5) == 0) |
413 | opt_dir = 1; | 413 | opt_dir = 1; |
414 | } | 414 | } |
415 | 415 | ||
416 | *entry->data = '\0'; | 416 | *entry->data = '\0'; |
417 | continue; | 417 | continue; |
418 | } | 418 | } |
419 | 419 | ||
420 | if (nowhitelist_flag) { | 420 | if (nowhitelist_flag) { |
421 | // store the path in nowhitelist array | 421 | // store the path in nowhitelist array |
422 | if (arg_debug || arg_debug_whitelists) | 422 | if (arg_debug || arg_debug_whitelists) |
423 | printf("Storing nowhitelist %s\n", fname); | 423 | printf("Storing nowhitelist %s\n", fname); |
424 | 424 | ||
425 | if (nowhitelist_c >= nowhitelist_m) { | 425 | if (nowhitelist_c >= nowhitelist_m) { |
426 | nowhitelist_m *= 2; | 426 | nowhitelist_m *= 2; |
427 | nowhitelist = realloc(nowhitelist, sizeof(*nowhitelist) * nowhitelist_m); | 427 | nowhitelist = realloc(nowhitelist, sizeof(*nowhitelist) * nowhitelist_m); |
@@ -432,8 +432,8 @@ void fs_whitelist(void) { | |||
432 | *entry->data = 0; | 432 | *entry->data = 0; |
433 | continue; | 433 | continue; |
434 | } | 434 | } |
435 | 435 | ||
436 | 436 | ||
437 | // check for supported directories | 437 | // check for supported directories |
438 | if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) { | 438 | if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) { |
439 | // whitelisting home directory is disabled if --private option is present | 439 | // whitelisting home directory is disabled if --private option is present |
@@ -544,7 +544,7 @@ void fs_whitelist(void) { | |||
544 | free(fname); | 544 | free(fname); |
545 | continue; | 545 | continue; |
546 | } | 546 | } |
547 | } | 547 | } |
548 | 548 | ||
549 | // mark symbolic links | 549 | // mark symbolic links |
550 | if (is_link(new_name)) | 550 | if (is_link(new_name)) |
@@ -566,29 +566,29 @@ void fs_whitelist(void) { | |||
566 | free(fname); | 566 | free(fname); |
567 | entry = entry->next; | 567 | entry = entry->next; |
568 | } | 568 | } |
569 | 569 | ||
570 | // release nowhitelist memory | 570 | // release nowhitelist memory |
571 | assert(nowhitelist); | 571 | assert(nowhitelist); |
572 | free(nowhitelist); | 572 | free(nowhitelist); |
573 | 573 | ||
574 | // /home/user | 574 | // /home/user |
575 | if (home_dir) { | 575 | if (home_dir) { |
576 | // keep a copy of real home dir in RUN_WHITELIST_HOME_USER_DIR | 576 | // keep a copy of real home dir in RUN_WHITELIST_HOME_USER_DIR |
577 | mkdir_attr(RUN_WHITELIST_HOME_USER_DIR, 0755, getuid(), getgid()); | 577 | mkdir_attr(RUN_WHITELIST_HOME_USER_DIR, 0755, getuid(), getgid()); |
578 | if (mount(cfg.homedir, RUN_WHITELIST_HOME_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 578 | if (mount(cfg.homedir, RUN_WHITELIST_HOME_USER_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
579 | errExit("mount bind"); | 579 | errExit("mount bind"); |
580 | 580 | ||
581 | // mount a tmpfs and initialize /home/user | 581 | // mount a tmpfs and initialize /home/user |
582 | fs_private(); | 582 | fs_private(); |
583 | } | 583 | } |
584 | 584 | ||
585 | // /tmp mountpoint | 585 | // /tmp mountpoint |
586 | if (tmp_dir) { | 586 | if (tmp_dir) { |
587 | // keep a copy of real /tmp directory in | 587 | // keep a copy of real /tmp directory in |
588 | mkdir_attr(RUN_WHITELIST_TMP_DIR, 1777, 0, 0); | 588 | mkdir_attr(RUN_WHITELIST_TMP_DIR, 1777, 0, 0); |
589 | if (mount("/tmp", RUN_WHITELIST_TMP_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 589 | if (mount("/tmp", RUN_WHITELIST_TMP_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
590 | errExit("mount bind"); | 590 | errExit("mount bind"); |
591 | 591 | ||
592 | // mount tmpfs on /tmp | 592 | // mount tmpfs on /tmp |
593 | if (arg_debug || arg_debug_whitelists) | 593 | if (arg_debug || arg_debug_whitelists) |
594 | printf("Mounting tmpfs on /tmp directory\n"); | 594 | printf("Mounting tmpfs on /tmp directory\n"); |
@@ -596,7 +596,7 @@ void fs_whitelist(void) { | |||
596 | errExit("mounting tmpfs on /tmp"); | 596 | errExit("mounting tmpfs on /tmp"); |
597 | fs_logger("tmpfs /tmp"); | 597 | fs_logger("tmpfs /tmp"); |
598 | } | 598 | } |
599 | 599 | ||
600 | // /media mountpoint | 600 | // /media mountpoint |
601 | if (media_dir) { | 601 | if (media_dir) { |
602 | // some distros don't have a /media directory | 602 | // some distros don't have a /media directory |
@@ -606,7 +606,7 @@ void fs_whitelist(void) { | |||
606 | mkdir_attr(RUN_WHITELIST_MEDIA_DIR, 0755, 0, 0); | 606 | mkdir_attr(RUN_WHITELIST_MEDIA_DIR, 0755, 0, 0); |
607 | if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 607 | if (mount("/media", RUN_WHITELIST_MEDIA_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
608 | errExit("mount bind"); | 608 | errExit("mount bind"); |
609 | 609 | ||
610 | // mount tmpfs on /media | 610 | // mount tmpfs on /media |
611 | if (arg_debug || arg_debug_whitelists) | 611 | if (arg_debug || arg_debug_whitelists) |
612 | printf("Mounting tmpfs on /media directory\n"); | 612 | printf("Mounting tmpfs on /media directory\n"); |
@@ -646,7 +646,7 @@ void fs_whitelist(void) { | |||
646 | mkdir_attr(RUN_WHITELIST_VAR_DIR, 0755, 0, 0); | 646 | mkdir_attr(RUN_WHITELIST_VAR_DIR, 0755, 0, 0); |
647 | if (mount("/var", RUN_WHITELIST_VAR_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 647 | if (mount("/var", RUN_WHITELIST_VAR_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
648 | errExit("mount bind"); | 648 | errExit("mount bind"); |
649 | 649 | ||
650 | // mount tmpfs on /var | 650 | // mount tmpfs on /var |
651 | if (arg_debug || arg_debug_whitelists) | 651 | if (arg_debug || arg_debug_whitelists) |
652 | printf("Mounting tmpfs on /var directory\n"); | 652 | printf("Mounting tmpfs on /var directory\n"); |
@@ -661,7 +661,7 @@ void fs_whitelist(void) { | |||
661 | mkdir_attr(RUN_WHITELIST_DEV_DIR, 0755, 0, 0); | 661 | mkdir_attr(RUN_WHITELIST_DEV_DIR, 0755, 0, 0); |
662 | if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC, "mode=755,gid=0") < 0) | 662 | if (mount("/dev", RUN_WHITELIST_DEV_DIR, NULL, MS_BIND|MS_REC, "mode=755,gid=0") < 0) |
663 | errExit("mount bind"); | 663 | errExit("mount bind"); |
664 | 664 | ||
665 | // mount tmpfs on /dev | 665 | // mount tmpfs on /dev |
666 | if (arg_debug || arg_debug_whitelists) | 666 | if (arg_debug || arg_debug_whitelists) |
667 | printf("Mounting tmpfs on /dev directory\n"); | 667 | printf("Mounting tmpfs on /dev directory\n"); |
@@ -676,7 +676,7 @@ void fs_whitelist(void) { | |||
676 | mkdir_attr(RUN_WHITELIST_OPT_DIR, 0755, 0, 0); | 676 | mkdir_attr(RUN_WHITELIST_OPT_DIR, 0755, 0, 0); |
677 | if (mount("/opt", RUN_WHITELIST_OPT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) | 677 | if (mount("/opt", RUN_WHITELIST_OPT_DIR, NULL, MS_BIND|MS_REC, NULL) < 0) |
678 | errExit("mount bind"); | 678 | errExit("mount bind"); |
679 | 679 | ||
680 | // mount tmpfs on /opt | 680 | // mount tmpfs on /opt |
681 | if (arg_debug || arg_debug_whitelists) | 681 | if (arg_debug || arg_debug_whitelists) |
682 | printf("Mounting tmpfs on /opt directory\n"); | 682 | printf("Mounting tmpfs on /opt directory\n"); |
@@ -707,7 +707,7 @@ void fs_whitelist(void) { | |||
707 | } | 707 | } |
708 | 708 | ||
709 | 709 | ||
710 | 710 | ||
711 | // go through profile rules again, and interpret whitelist commands | 711 | // go through profile rules again, and interpret whitelist commands |
712 | entry = cfg.profile; | 712 | entry = cfg.profile; |
713 | while (entry) { | 713 | while (entry) { |
@@ -719,7 +719,7 @@ void fs_whitelist(void) { | |||
719 | 719 | ||
720 | //printf("here %d#%s#\n", __LINE__, entry->data); | 720 | //printf("here %d#%s#\n", __LINE__, entry->data); |
721 | // whitelist the real file | 721 | // whitelist the real file |
722 | if (strcmp(entry->data, "whitelist /run") == 0 && | 722 | if (strcmp(entry->data, "whitelist /run") == 0 && |
723 | (strcmp(entry->link, "/var/run") == 0 || strcmp(entry->link, "/var/lock") == 0)) { | 723 | (strcmp(entry->link, "/var/run") == 0 || strcmp(entry->link, "/var/lock") == 0)) { |
724 | int rv = symlink(entry->data + 10, entry->link); | 724 | int rv = symlink(entry->data + 10, entry->link); |
725 | if (rv) | 725 | if (rv) |
@@ -729,7 +729,7 @@ void fs_whitelist(void) { | |||
729 | } | 729 | } |
730 | else { | 730 | else { |
731 | whitelist_path(entry); | 731 | whitelist_path(entry); |
732 | 732 | ||
733 | // create the link if any | 733 | // create the link if any |
734 | if (entry->link) { | 734 | if (entry->link) { |
735 | // if the link is already there, do not bother | 735 | // if the link is already there, do not bother |
@@ -737,7 +737,7 @@ void fs_whitelist(void) { | |||
737 | if (stat(entry->link, &s) != 0) { | 737 | if (stat(entry->link, &s) != 0) { |
738 | // create the path if necessary | 738 | // create the path if necessary |
739 | mkpath(entry->link, s.st_mode); | 739 | mkpath(entry->link, s.st_mode); |
740 | 740 | ||
741 | int rv = symlink(entry->data + 10, entry->link); | 741 | int rv = symlink(entry->data + 10, entry->link); |
742 | if (rv) | 742 | if (rv) |
743 | fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link); | 743 | fprintf(stderr, "Warning cannot create symbolic link %s\n", entry->link); |
@@ -756,7 +756,7 @@ void fs_whitelist(void) { | |||
756 | errExit("mount tmpfs"); | 756 | errExit("mount tmpfs"); |
757 | fs_logger2("tmpfs", RUN_WHITELIST_HOME_USER_DIR); | 757 | fs_logger2("tmpfs", RUN_WHITELIST_HOME_USER_DIR); |
758 | } | 758 | } |
759 | 759 | ||
760 | // mask the real /tmp directory, currently mounted on RUN_WHITELIST_TMP_DIR | 760 | // mask the real /tmp directory, currently mounted on RUN_WHITELIST_TMP_DIR |
761 | if (tmp_dir) { | 761 | if (tmp_dir) { |
762 | if (mount("tmpfs", RUN_WHITELIST_TMP_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) | 762 | if (mount("tmpfs", RUN_WHITELIST_TMP_DIR, "tmpfs", MS_NOSUID | MS_STRICTATIME | MS_REC, "mode=755,gid=0") < 0) |
@@ -808,7 +808,7 @@ void fs_whitelist(void) { | |||
808 | 808 | ||
809 | if (new_name) | 809 | if (new_name) |
810 | free(new_name); | 810 | free(new_name); |
811 | 811 | ||
812 | return; | 812 | return; |
813 | 813 | ||
814 | errexit: | 814 | errexit: |
diff --git a/src/firejail/git.c b/src/firejail/git.c index c4dd54a1b..ae28f7ec1 100644 --- a/src/firejail/git.c +++ b/src/firejail/git.c | |||
@@ -19,7 +19,7 @@ | |||
19 | */ | 19 | */ |
20 | 20 | ||
21 | #ifdef HAVE_GIT_INSTALL | 21 | #ifdef HAVE_GIT_INSTALL |
22 | 22 | ||
23 | #include "firejail.h" | 23 | #include "firejail.h" |
24 | #include <sys/utsname.h> | 24 | #include <sys/utsname.h> |
25 | #include <sched.h> | 25 | #include <sched.h> |
@@ -46,7 +46,7 @@ static void sbox_ns(void) { | |||
46 | errExit("setgid/getgid"); | 46 | errExit("setgid/getgid"); |
47 | if (setuid(getuid()) < 0) | 47 | if (setuid(getuid()) < 0) |
48 | errExit("setuid/getuid"); | 48 | errExit("setuid/getuid"); |
49 | assert(getenv("LD_PRELOAD") == NULL); | 49 | assert(getenv("LD_PRELOAD") == NULL); |
50 | 50 | ||
51 | printf("Running as "); fflush(0); | 51 | printf("Running as "); fflush(0); |
52 | int rv = system("whoami"); | 52 | int rv = system("whoami"); |
@@ -55,16 +55,16 @@ static void sbox_ns(void) { | |||
55 | rv = system("ls -l /tmp"); | 55 | rv = system("ls -l /tmp"); |
56 | (void) rv; | 56 | (void) rv; |
57 | } | 57 | } |
58 | 58 | ||
59 | 59 | ||
60 | void git_install(void) { | 60 | void git_install(void) { |
61 | // redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh" | 61 | // redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh" |
62 | EUID_ASSERT(); | 62 | EUID_ASSERT(); |
63 | EUID_ROOT(); | 63 | EUID_ROOT(); |
64 | 64 | ||
65 | // install a mount namespace with a tmpfs on top of /tmp | 65 | // install a mount namespace with a tmpfs on top of /tmp |
66 | sbox_ns(); | 66 | sbox_ns(); |
67 | 67 | ||
68 | // run command | 68 | // run command |
69 | const char *cmd = LIBDIR "/firejail/fgit-install.sh"; | 69 | const char *cmd = LIBDIR "/firejail/fgit-install.sh"; |
70 | int rv = system(cmd); | 70 | int rv = system(cmd); |
@@ -76,15 +76,15 @@ void git_uninstall(void) { | |||
76 | // redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh" | 76 | // redirect to "/usr/bin/firejail --noprofile --private-tmp /usr/lib/firejail/fgit-install.sh" |
77 | EUID_ASSERT(); | 77 | EUID_ASSERT(); |
78 | EUID_ROOT(); | 78 | EUID_ROOT(); |
79 | 79 | ||
80 | // install a mount namespace with a tmpfs on top of /tmp | 80 | // install a mount namespace with a tmpfs on top of /tmp |
81 | sbox_ns(); | 81 | sbox_ns(); |
82 | 82 | ||
83 | // run command | 83 | // run command |
84 | const char *cmd = LIBDIR "/firejail/fgit-uninstall.sh"; | 84 | const char *cmd = LIBDIR "/firejail/fgit-uninstall.sh"; |
85 | int rv = system(cmd); | 85 | int rv = system(cmd); |
86 | (void) rv; | 86 | (void) rv; |
87 | exit(0); | 87 | exit(0); |
88 | } | 88 | } |
89 | 89 | ||
90 | #endif // HAVE_GIT_INSTALL | 90 | #endif // HAVE_GIT_INSTALL |
diff --git a/src/firejail/join.c b/src/firejail/join.c index 2f6f070e0..b5b45a3bf 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -48,7 +48,7 @@ static void extract_command(int argc, char **argv, int index) { | |||
48 | if (index >= argc) | 48 | if (index >= argc) |
49 | return; | 49 | return; |
50 | } | 50 | } |
51 | 51 | ||
52 | // first argv needs to be a valid command | 52 | // first argv needs to be a valid command |
53 | if (arg_doubledash == 0 && *argv[index] == '-') { | 53 | if (arg_doubledash == 0 && *argv[index] == '-') { |
54 | fprintf(stderr, "Error: invalid option %s after --join\n", argv[index]); | 54 | fprintf(stderr, "Error: invalid option %s after --join\n", argv[index]); |
@@ -66,7 +66,7 @@ static void extract_nogroups(pid_t pid) { | |||
66 | char *fname; | 66 | char *fname; |
67 | if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_GROUPS_CFG) == -1) | 67 | if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_GROUPS_CFG) == -1) |
68 | errExit("asprintf"); | 68 | errExit("asprintf"); |
69 | 69 | ||
70 | struct stat s; | 70 | struct stat s; |
71 | if (stat(fname, &s) == -1) | 71 | if (stat(fname, &s) == -1) |
72 | return; | 72 | return; |
@@ -79,11 +79,11 @@ static void extract_cpu(pid_t pid) { | |||
79 | char *fname; | 79 | char *fname; |
80 | if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_CPU_CFG) == -1) | 80 | if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_CPU_CFG) == -1) |
81 | errExit("asprintf"); | 81 | errExit("asprintf"); |
82 | 82 | ||
83 | struct stat s; | 83 | struct stat s; |
84 | if (stat(fname, &s) == -1) | 84 | if (stat(fname, &s) == -1) |
85 | return; | 85 | return; |
86 | 86 | ||
87 | // there is a CPU_CFG file, load it! | 87 | // there is a CPU_CFG file, load it! |
88 | load_cpu(fname); | 88 | load_cpu(fname); |
89 | free(fname); | 89 | free(fname); |
@@ -93,11 +93,11 @@ static void extract_cgroup(pid_t pid) { | |||
93 | char *fname; | 93 | char *fname; |
94 | if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_CGROUP_CFG) == -1) | 94 | if (asprintf(&fname, "/proc/%d/root%s", pid, RUN_CGROUP_CFG) == -1) |
95 | errExit("asprintf"); | 95 | errExit("asprintf"); |
96 | 96 | ||
97 | struct stat s; | 97 | struct stat s; |
98 | if (stat(fname, &s) == -1) | 98 | if (stat(fname, &s) == -1) |
99 | return; | 99 | return; |
100 | 100 | ||
101 | // there is a cgroup file CGROUP_CFG, load it! | 101 | // there is a cgroup file CGROUP_CFG, load it! |
102 | load_cgroup(fname); | 102 | load_cgroup(fname); |
103 | free(fname); | 103 | free(fname); |
@@ -127,7 +127,7 @@ static void extract_caps_seccomp(pid_t pid) { | |||
127 | apply_seccomp = 1; | 127 | apply_seccomp = 1; |
128 | break; | 128 | break; |
129 | } | 129 | } |
130 | else if (strncmp(buf, "CapBnd:", 7) == 0) { | 130 | else if (strncmp(buf, "CapBnd:", 7) == 0) { |
131 | char *ptr = buf + 7; | 131 | char *ptr = buf + 7; |
132 | unsigned long long val; | 132 | unsigned long long val; |
133 | sscanf(ptr, "%llx", &val); | 133 | sscanf(ptr, "%llx", &val); |
@@ -149,7 +149,7 @@ static void extract_user_namespace(pid_t pid) { | |||
149 | stat("/proc/self/gid_map", &s3) == 0); | 149 | stat("/proc/self/gid_map", &s3) == 0); |
150 | else | 150 | else |
151 | return; | 151 | return; |
152 | 152 | ||
153 | // read uid map | 153 | // read uid map |
154 | char *uidmap; | 154 | char *uidmap; |
155 | if (asprintf(&uidmap, "/proc/%u/uid_map", pid) == -1) | 155 | if (asprintf(&uidmap, "/proc/%u/uid_map", pid) == -1) |
@@ -215,11 +215,11 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
215 | extract_nogroups(pid); | 215 | extract_nogroups(pid); |
216 | extract_user_namespace(pid); | 216 | extract_user_namespace(pid); |
217 | } | 217 | } |
218 | 218 | ||
219 | // set cgroup | 219 | // set cgroup |
220 | if (cfg.cgroup) // not available for uid 0 | 220 | if (cfg.cgroup) // not available for uid 0 |
221 | set_cgroup(cfg.cgroup); | 221 | set_cgroup(cfg.cgroup); |
222 | 222 | ||
223 | // join namespaces | 223 | // join namespaces |
224 | if (arg_join_network) { | 224 | if (arg_join_network) { |
225 | if (join_namespace(pid, "net")) | 225 | if (join_namespace(pid, "net")) |
@@ -246,14 +246,14 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
246 | char *rootdir; | 246 | char *rootdir; |
247 | if (asprintf(&rootdir, "/proc/%d/root", pid) == -1) | 247 | if (asprintf(&rootdir, "/proc/%d/root", pid) == -1) |
248 | errExit("asprintf"); | 248 | errExit("asprintf"); |
249 | 249 | ||
250 | int rv; | 250 | int rv; |
251 | if (!arg_join_network) { | 251 | if (!arg_join_network) { |
252 | rv = chroot(rootdir); // this will fail for processes in sandboxes not started with --chroot option | 252 | rv = chroot(rootdir); // this will fail for processes in sandboxes not started with --chroot option |
253 | if (rv == 0) | 253 | if (rv == 0) |
254 | printf("changing root to %s\n", rootdir); | 254 | printf("changing root to %s\n", rootdir); |
255 | } | 255 | } |
256 | 256 | ||
257 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died | 257 | prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died |
258 | if (chdir("/") < 0) | 258 | if (chdir("/") < 0) |
259 | errExit("chdir"); | 259 | errExit("chdir"); |
@@ -265,11 +265,11 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
265 | errExit("chdir"); | 265 | errExit("chdir"); |
266 | } | 266 | } |
267 | } | 267 | } |
268 | 268 | ||
269 | // set cpu affinity | 269 | // set cpu affinity |
270 | if (cfg.cpus) // not available for uid 0 | 270 | if (cfg.cpus) // not available for uid 0 |
271 | set_cpu_affinity(); | 271 | set_cpu_affinity(); |
272 | 272 | ||
273 | // set caps filter | 273 | // set caps filter |
274 | if (apply_caps == 1) // not available for uid 0 | 274 | if (apply_caps == 1) // not available for uid 0 |
275 | caps_set(caps); | 275 | caps_set(caps); |
@@ -278,9 +278,9 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
278 | if (getuid() != 0) | 278 | if (getuid() != 0) |
279 | protocol_filter_load(RUN_PROTOCOL_CFG); | 279 | protocol_filter_load(RUN_PROTOCOL_CFG); |
280 | if (cfg.protocol) { // not available for uid 0 | 280 | if (cfg.protocol) { // not available for uid 0 |
281 | seccomp_load(RUN_SECCOMP_PROTOCOL); // install filter | 281 | seccomp_load(RUN_SECCOMP_PROTOCOL); // install filter |
282 | } | 282 | } |
283 | 283 | ||
284 | // set seccomp filter | 284 | // set seccomp filter |
285 | if (apply_seccomp == 1) // not available for uid 0 | 285 | if (apply_seccomp == 1) // not available for uid 0 |
286 | seccomp_load(RUN_SECCOMP_CFG); | 286 | seccomp_load(RUN_SECCOMP_CFG); |
@@ -298,7 +298,7 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
298 | if (apply_caps == 1) // not available for uid 0 | 298 | if (apply_caps == 1) // not available for uid 0 |
299 | caps_set(caps); | 299 | caps_set(caps); |
300 | } | 300 | } |
301 | else | 301 | else |
302 | drop_privs(arg_nogroups); // nogroups not available for uid 0 | 302 | drop_privs(arg_nogroups); // nogroups not available for uid 0 |
303 | 303 | ||
304 | 304 | ||
@@ -349,6 +349,3 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
349 | flush_stdin(); | 349 | flush_stdin(); |
350 | exit(0); | 350 | exit(0); |
351 | } | 351 | } |
352 | |||
353 | |||
354 | |||
diff --git a/src/firejail/ls.c b/src/firejail/ls.c index 7b51ee697..7b994b835 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c | |||
@@ -17,7 +17,7 @@ | |||
17 | * with this program; if not, write to the Free Software Foundation, Inc., | 17 | * with this program; if not, write to the Free Software Foundation, Inc., |
18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
19 | */ | 19 | */ |
20 | 20 | ||
21 | #include "firejail.h" | 21 | #include "firejail.h" |
22 | #include <sys/types.h> | 22 | #include <sys/types.h> |
23 | #include <sys/stat.h> | 23 | #include <sys/stat.h> |
@@ -36,7 +36,7 @@ static char *c_uid_name = NULL; | |||
36 | 36 | ||
37 | static void print_file_or_dir(const char *path, const char *fname, int separator) { | 37 | static void print_file_or_dir(const char *path, const char *fname, int separator) { |
38 | assert(fname); | 38 | assert(fname); |
39 | 39 | ||
40 | char *name; | 40 | char *name; |
41 | if (separator) { | 41 | if (separator) { |
42 | if (asprintf(&name, "%s/%s", path, fname) == -1) | 42 | if (asprintf(&name, "%s/%s", path, fname) == -1) |
@@ -46,7 +46,7 @@ static void print_file_or_dir(const char *path, const char *fname, int separator | |||
46 | if (asprintf(&name, "%s%s", path, fname) == -1) | 46 | if (asprintf(&name, "%s%s", path, fname) == -1) |
47 | errExit("asprintf"); | 47 | errExit("asprintf"); |
48 | } | 48 | } |
49 | 49 | ||
50 | struct stat s; | 50 | struct stat s; |
51 | if (stat(name, &s) == -1) { | 51 | if (stat(name, &s) == -1) { |
52 | if (lstat(name, &s) == -1) { | 52 | if (lstat(name, &s) == -1) { |
@@ -78,7 +78,7 @@ static void print_file_or_dir(const char *path, const char *fname, int separator | |||
78 | printf( (s.st_mode & S_IWOTH) ? "w" : "-"); | 78 | printf( (s.st_mode & S_IWOTH) ? "w" : "-"); |
79 | printf( (s.st_mode & S_IXOTH) ? "x" : "-"); | 79 | printf( (s.st_mode & S_IXOTH) ? "x" : "-"); |
80 | printf(" "); | 80 | printf(" "); |
81 | 81 | ||
82 | // user name | 82 | // user name |
83 | char *username; | 83 | char *username; |
84 | int allocated = 0; | 84 | int allocated = 0; |
@@ -100,7 +100,7 @@ static void print_file_or_dir(const char *path, const char *fname, int separator | |||
100 | if (!username) | 100 | if (!username) |
101 | errExit("asprintf"); | 101 | errExit("asprintf"); |
102 | } | 102 | } |
103 | 103 | ||
104 | if (c_uid == 0) { | 104 | if (c_uid == 0) { |
105 | c_uid = s.st_uid; | 105 | c_uid = s.st_uid; |
106 | c_uid_name = strdup(username); | 106 | c_uid_name = strdup(username); |
@@ -108,7 +108,7 @@ static void print_file_or_dir(const char *path, const char *fname, int separator | |||
108 | errExit("asprintf"); | 108 | errExit("asprintf"); |
109 | } | 109 | } |
110 | } | 110 | } |
111 | 111 | ||
112 | // print user name, 8 chars maximum | 112 | // print user name, 8 chars maximum |
113 | int len = strlen(username); | 113 | int len = strlen(username); |
114 | if (len > 8) { | 114 | if (len > 8) { |
@@ -121,7 +121,7 @@ static void print_file_or_dir(const char *path, const char *fname, int separator | |||
121 | printf(" "); | 121 | printf(" "); |
122 | if (allocated) | 122 | if (allocated) |
123 | free(username); | 123 | free(username); |
124 | 124 | ||
125 | 125 | ||
126 | // group name | 126 | // group name |
127 | char *groupname; | 127 | char *groupname; |
@@ -141,7 +141,7 @@ static void print_file_or_dir(const char *path, const char *fname, int separator | |||
141 | errExit("asprintf"); | 141 | errExit("asprintf"); |
142 | } | 142 | } |
143 | } | 143 | } |
144 | 144 | ||
145 | // print grup name, 8 chars maximum | 145 | // print grup name, 8 chars maximum |
146 | len = strlen(groupname); | 146 | len = strlen(groupname); |
147 | if (len > 8) { | 147 | if (len > 8) { |
@@ -159,7 +159,7 @@ static void print_file_or_dir(const char *path, const char *fname, int separator | |||
159 | errExit("asprintf"); | 159 | errExit("asprintf"); |
160 | printf("%11.10s %s\n", sz, fname); | 160 | printf("%11.10s %s\n", sz, fname); |
161 | free(sz); | 161 | free(sz); |
162 | 162 | ||
163 | } | 163 | } |
164 | 164 | ||
165 | static void print_directory(const char *path) { | 165 | static void print_directory(const char *path) { |
@@ -168,7 +168,7 @@ static void print_directory(const char *path) { | |||
168 | if (stat(path, &s) == -1) | 168 | if (stat(path, &s) == -1) |
169 | return; | 169 | return; |
170 | assert(S_ISDIR(s.st_mode)); | 170 | assert(S_ISDIR(s.st_mode)); |
171 | 171 | ||
172 | struct dirent **namelist; | 172 | struct dirent **namelist; |
173 | int i; | 173 | int i; |
174 | int n; | 174 | int n; |
@@ -200,7 +200,7 @@ char *expand_path(const char *path) { | |||
200 | // assume the file is in current working directory | 200 | // assume the file is in current working directory |
201 | if (asprintf(&fname, "%s/%s", cfg.cwd, path) == -1) | 201 | if (asprintf(&fname, "%s/%s", cfg.cwd, path) == -1) |
202 | errExit("asprintf"); | 202 | errExit("asprintf"); |
203 | } | 203 | } |
204 | return fname; | 204 | return fname; |
205 | } | 205 | } |
206 | 206 | ||
@@ -241,7 +241,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
241 | printf("file1 %s\n", fname1); | 241 | printf("file1 %s\n", fname1); |
242 | printf("file2 %s\n", fname2); | 242 | printf("file2 %s\n", fname2); |
243 | } | 243 | } |
244 | 244 | ||
245 | // sandbox root directory | 245 | // sandbox root directory |
246 | char *rootdir; | 246 | char *rootdir; |
247 | if (asprintf(&rootdir, "/proc/%d/root", pid) == -1) | 247 | if (asprintf(&rootdir, "/proc/%d/root", pid) == -1) |
@@ -254,7 +254,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
254 | errExit("chroot"); | 254 | errExit("chroot"); |
255 | if (chdir("/") < 0) | 255 | if (chdir("/") < 0) |
256 | errExit("chdir"); | 256 | errExit("chdir"); |
257 | 257 | ||
258 | // drop privileges | 258 | // drop privileges |
259 | drop_privs(0); | 259 | drop_privs(0); |
260 | 260 | ||
@@ -271,8 +271,8 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
271 | } | 271 | } |
272 | if (arg_debug) | 272 | if (arg_debug) |
273 | printf("realpath %s\n", rp); | 273 | printf("realpath %s\n", rp); |
274 | 274 | ||
275 | 275 | ||
276 | // list directory contents | 276 | // list directory contents |
277 | struct stat s; | 277 | struct stat s; |
278 | if (stat(rp, &s) == -1) { | 278 | if (stat(rp, &s) == -1) { |
@@ -283,7 +283,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
283 | char *dir; | 283 | char *dir; |
284 | if (asprintf(&dir, "%s/", rp) == -1) | 284 | if (asprintf(&dir, "%s/", rp) == -1) |
285 | errExit("asprintf"); | 285 | errExit("asprintf"); |
286 | 286 | ||
287 | print_directory(dir); | 287 | print_directory(dir); |
288 | free(dir); | 288 | free(dir); |
289 | } | 289 | } |
@@ -299,7 +299,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
299 | } | 299 | } |
300 | free(rp); | 300 | free(rp); |
301 | } | 301 | } |
302 | 302 | ||
303 | // get file from sandbox and store it in the current directory | 303 | // get file from sandbox and store it in the current directory |
304 | else if (op == SANDBOX_FS_GET) { | 304 | else if (op == SANDBOX_FS_GET) { |
305 | char *src_fname =fname1; | 305 | char *src_fname =fname1; |
@@ -320,7 +320,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
320 | SET_PERMS_FD(fd, getuid(), getgid(), 0600); | 320 | SET_PERMS_FD(fd, getuid(), getgid(), 0600); |
321 | close(fd); | 321 | close(fd); |
322 | } | 322 | } |
323 | 323 | ||
324 | // copy the source file into the temporary file - we need to chroot | 324 | // copy the source file into the temporary file - we need to chroot |
325 | pid_t child = fork(); | 325 | pid_t child = fork(); |
326 | if (child < 0) | 326 | if (child < 0) |
@@ -331,10 +331,10 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
331 | errExit("chroot"); | 331 | errExit("chroot"); |
332 | if (chdir("/") < 0) | 332 | if (chdir("/") < 0) |
333 | errExit("chdir"); | 333 | errExit("chdir"); |
334 | 334 | ||
335 | // drop privileges | 335 | // drop privileges |
336 | drop_privs(0); | 336 | drop_privs(0); |
337 | 337 | ||
338 | // copy the file | 338 | // copy the file |
339 | if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user | 339 | if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user |
340 | _exit(1); | 340 | _exit(1); |
@@ -352,7 +352,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
352 | unlink(tmp_fname); | 352 | unlink(tmp_fname); |
353 | exit(1); | 353 | exit(1); |
354 | } | 354 | } |
355 | 355 | ||
356 | // copy the temporary file into the destionation file | 356 | // copy the temporary file into the destionation file |
357 | child = fork(); | 357 | child = fork(); |
358 | if (child < 0) | 358 | if (child < 0) |
@@ -360,7 +360,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
360 | if (child == 0) { | 360 | if (child == 0) { |
361 | // drop privileges | 361 | // drop privileges |
362 | drop_privs(0); | 362 | drop_privs(0); |
363 | 363 | ||
364 | // copy the file | 364 | // copy the file |
365 | if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user | 365 | if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user |
366 | _exit(1); | 366 | _exit(1); |
@@ -378,7 +378,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
378 | unlink(tmp_fname); | 378 | unlink(tmp_fname); |
379 | exit(1); | 379 | exit(1); |
380 | } | 380 | } |
381 | 381 | ||
382 | // remove the temporary file | 382 | // remove the temporary file |
383 | unlink(tmp_fname); | 383 | unlink(tmp_fname); |
384 | EUID_USER(); | 384 | EUID_USER(); |
@@ -401,7 +401,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
401 | } | 401 | } |
402 | SET_PERMS_FD(fd, getuid(), getgid(), 0600); | 402 | SET_PERMS_FD(fd, getuid(), getgid(), 0600); |
403 | close(fd); | 403 | close(fd); |
404 | 404 | ||
405 | // copy the source file into the temporary file - we need to chroot | 405 | // copy the source file into the temporary file - we need to chroot |
406 | pid_t child = fork(); | 406 | pid_t child = fork(); |
407 | if (child < 0) | 407 | if (child < 0) |
@@ -409,7 +409,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
409 | if (child == 0) { | 409 | if (child == 0) { |
410 | // drop privileges | 410 | // drop privileges |
411 | drop_privs(0); | 411 | drop_privs(0); |
412 | 412 | ||
413 | // copy the file | 413 | // copy the file |
414 | if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user | 414 | if (copy_file(src_fname, tmp_fname, getuid(), getgid(), 0600)) // already a regular user |
415 | _exit(1); | 415 | _exit(1); |
@@ -427,7 +427,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
427 | unlink(tmp_fname); | 427 | unlink(tmp_fname); |
428 | exit(1); | 428 | exit(1); |
429 | } | 429 | } |
430 | 430 | ||
431 | // copy the temporary file into the destionation file | 431 | // copy the temporary file into the destionation file |
432 | child = fork(); | 432 | child = fork(); |
433 | if (child < 0) | 433 | if (child < 0) |
@@ -438,10 +438,10 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
438 | errExit("chroot"); | 438 | errExit("chroot"); |
439 | if (chdir("/") < 0) | 439 | if (chdir("/") < 0) |
440 | errExit("chdir"); | 440 | errExit("chdir"); |
441 | 441 | ||
442 | // drop privileges | 442 | // drop privileges |
443 | drop_privs(0); | 443 | drop_privs(0); |
444 | 444 | ||
445 | // copy the file | 445 | // copy the file |
446 | if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user | 446 | if (copy_file(tmp_fname, dest_fname, getuid(), getgid(), 0600)) // already a regular user |
447 | _exit(1); | 447 | _exit(1); |
@@ -459,7 +459,7 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | |||
459 | unlink(tmp_fname); | 459 | unlink(tmp_fname); |
460 | exit(1); | 460 | exit(1); |
461 | } | 461 | } |
462 | 462 | ||
463 | // remove the temporary file | 463 | // remove the temporary file |
464 | unlink(tmp_fname); | 464 | unlink(tmp_fname); |
465 | EUID_USER(); | 465 | EUID_USER(); |
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c index ea1d45dd7..14b3b54a6 100644 --- a/src/firejail/netfilter.c +++ b/src/firejail/netfilter.c | |||
@@ -46,7 +46,7 @@ static char *client_filter = | |||
46 | void check_netfilter_file(const char *fname) { | 46 | void check_netfilter_file(const char *fname) { |
47 | EUID_ASSERT(); | 47 | EUID_ASSERT(); |
48 | invalid_filename(fname); | 48 | invalid_filename(fname); |
49 | 49 | ||
50 | if (is_dir(fname) || is_link(fname) || strstr(fname, "..") || access(fname, R_OK )) { | 50 | if (is_dir(fname) || is_link(fname) || strstr(fname, "..") || access(fname, R_OK )) { |
51 | fprintf(stderr, "Error: invalid network filter file %s\n", fname); | 51 | fprintf(stderr, "Error: invalid network filter file %s\n", fname); |
52 | exit(1); | 52 | exit(1); |
@@ -95,14 +95,14 @@ void netfilter(const char *fname) { | |||
95 | // push filter | 95 | // push filter |
96 | if (arg_debug) | 96 | if (arg_debug) |
97 | printf("Installing network filter:\n%s\n", filter); | 97 | printf("Installing network filter:\n%s\n", filter); |
98 | 98 | ||
99 | // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter | 99 | // first run of iptables on this platform installs a number of kernel modules such as ip_tables, x_tables, iptable_filter |
100 | // we run this command with caps and seccomp disabled in order to allow the loading of these modules | 100 | // we run this command with caps and seccomp disabled in order to allow the loading of these modules |
101 | sbox_run(SBOX_ROOT /* | SBOX_CAPS_NETWORK | SBOX_SECCOMP*/ | SBOX_STDIN_FROM_FILE, 1, iptables_restore); | 101 | sbox_run(SBOX_ROOT /* | SBOX_CAPS_NETWORK | SBOX_SECCOMP*/ | SBOX_STDIN_FROM_FILE, 1, iptables_restore); |
102 | unlink(SBOX_STDIN_FILE); | 102 | unlink(SBOX_STDIN_FILE); |
103 | 103 | ||
104 | // debug | 104 | // debug |
105 | if (arg_debug) | 105 | if (arg_debug) |
106 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-vL"); | 106 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-vL"); |
107 | 107 | ||
108 | if (allocated) | 108 | if (allocated) |
@@ -113,7 +113,7 @@ void netfilter(const char *fname) { | |||
113 | void netfilter6(const char *fname) { | 113 | void netfilter6(const char *fname) { |
114 | if (fname == NULL) | 114 | if (fname == NULL) |
115 | return; | 115 | return; |
116 | 116 | ||
117 | // find iptables command | 117 | // find iptables command |
118 | char *ip6tables = NULL; | 118 | char *ip6tables = NULL; |
119 | char *ip6tables_restore = NULL; | 119 | char *ip6tables_restore = NULL; |
@@ -149,7 +149,7 @@ void netfilter6(const char *fname) { | |||
149 | // we run this command with caps and seccomp disabled in order to allow the loading of these modules | 149 | // we run this command with caps and seccomp disabled in order to allow the loading of these modules |
150 | sbox_run(SBOX_ROOT | /* SBOX_CAPS_NETWORK | SBOX_SECCOMP | */ SBOX_STDIN_FROM_FILE, 1, ip6tables_restore); | 150 | sbox_run(SBOX_ROOT | /* SBOX_CAPS_NETWORK | SBOX_SECCOMP | */ SBOX_STDIN_FROM_FILE, 1, ip6tables_restore); |
151 | unlink(SBOX_STDIN_FILE); | 151 | unlink(SBOX_STDIN_FILE); |
152 | 152 | ||
153 | // debug | 153 | // debug |
154 | if (arg_debug) | 154 | if (arg_debug) |
155 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, ip6tables, "-vL"); | 155 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, ip6tables, "-vL"); |
diff --git a/src/firejail/network.c b/src/firejail/network.c index 44fc4f68f..f7ddef917 100644 --- a/src/firejail/network.c +++ b/src/firejail/network.c | |||
@@ -50,8 +50,8 @@ int net_get_mtu(const char *ifname) { | |||
50 | if (arg_debug) | 50 | if (arg_debug) |
51 | printf("MTU of %s is %d.\n", ifname, ifr.ifr_mtu); | 51 | printf("MTU of %s is %d.\n", ifname, ifr.ifr_mtu); |
52 | close(s); | 52 | close(s); |
53 | 53 | ||
54 | 54 | ||
55 | return mtu; | 55 | return mtu; |
56 | } | 56 | } |
57 | 57 | ||
@@ -84,10 +84,10 @@ int net_get_if_addr(const char *bridge, uint32_t *ip, uint32_t *mask, uint8_t ma | |||
84 | assert(bridge); | 84 | assert(bridge); |
85 | assert(ip); | 85 | assert(ip); |
86 | assert(mask); | 86 | assert(mask); |
87 | 87 | ||
88 | if (arg_debug) | 88 | if (arg_debug) |
89 | printf("get interface %s configuration\n", bridge); | 89 | printf("get interface %s configuration\n", bridge); |
90 | 90 | ||
91 | int rv = -1; | 91 | int rv = -1; |
92 | struct ifaddrs *ifaddr, *ifa; | 92 | struct ifaddrs *ifaddr, *ifa; |
93 | 93 | ||
@@ -110,7 +110,7 @@ int net_get_if_addr(const char *bridge, uint32_t *ip, uint32_t *mask, uint8_t ma | |||
110 | net_get_mac(ifa->ifa_name, mac); | 110 | net_get_mac(ifa->ifa_name, mac); |
111 | *mtu = net_get_mtu(bridge); | 111 | *mtu = net_get_mtu(bridge); |
112 | } | 112 | } |
113 | 113 | ||
114 | rv = 0; | 114 | rv = 0; |
115 | break; | 115 | break; |
116 | } | 116 | } |
@@ -126,9 +126,9 @@ void net_if_up(const char *ifname) { | |||
126 | fprintf(stderr, "Error: invalid network device name %s\n", ifname); | 126 | fprintf(stderr, "Error: invalid network device name %s\n", ifname); |
127 | exit(1); | 127 | exit(1); |
128 | } | 128 | } |
129 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 3, | 129 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 3, |
130 | PATH_FNET, "ifup", ifname); | 130 | PATH_FNET, "ifup", ifname); |
131 | } | 131 | } |
132 | 132 | ||
133 | 133 | ||
134 | // configure interface ipv6 address | 134 | // configure interface ipv6 address |
@@ -138,8 +138,8 @@ void net_if_ip6(const char *ifname, const char *addr6) { | |||
138 | fprintf(stderr, "Error: invalid IPv6 address %s\n", addr6); | 138 | fprintf(stderr, "Error: invalid IPv6 address %s\n", addr6); |
139 | exit(1); | 139 | exit(1); |
140 | } | 140 | } |
141 | 141 | ||
142 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 5, | 142 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 5, |
143 | PATH_FNET, "config", "ipv6", ifname, addr6); | 143 | PATH_FNET, "config", "ipv6", ifname, addr6); |
144 | 144 | ||
145 | } | 145 | } |
@@ -187,19 +187,19 @@ uint32_t network_get_defaultgw(void) { | |||
187 | FILE *fp = fopen("/proc/self/net/route", "r"); | 187 | FILE *fp = fopen("/proc/self/net/route", "r"); |
188 | if (!fp) | 188 | if (!fp) |
189 | errExit("fopen"); | 189 | errExit("fopen"); |
190 | 190 | ||
191 | char buf[BUFSIZE]; | 191 | char buf[BUFSIZE]; |
192 | uint32_t retval = 0; | 192 | uint32_t retval = 0; |
193 | while (fgets(buf, BUFSIZE, fp)) { | 193 | while (fgets(buf, BUFSIZE, fp)) { |
194 | if (strncmp(buf, "Iface", 5) == 0) | 194 | if (strncmp(buf, "Iface", 5) == 0) |
195 | continue; | 195 | continue; |
196 | 196 | ||
197 | char *ptr = buf; | 197 | char *ptr = buf; |
198 | while (*ptr != ' ' && *ptr != '\t') | 198 | while (*ptr != ' ' && *ptr != '\t') |
199 | ptr++; | 199 | ptr++; |
200 | while (*ptr == ' ' || *ptr == '\t') | 200 | while (*ptr == ' ' || *ptr == '\t') |
201 | ptr++; | 201 | ptr++; |
202 | 202 | ||
203 | unsigned dest; | 203 | unsigned dest; |
204 | unsigned gw; | 204 | unsigned gw; |
205 | int rv = sscanf(ptr, "%x %x", &dest, &gw); | 205 | int rv = sscanf(ptr, "%x %x", &dest, &gw); |
@@ -219,9 +219,9 @@ int net_config_mac(const char *ifname, const unsigned char mac[6]) { | |||
219 | mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]) == -1) | 219 | mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]) == -1) |
220 | errExit("asprintf"); | 220 | errExit("asprintf"); |
221 | 221 | ||
222 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 5, | 222 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 5, |
223 | PATH_FNET, "config", "mac", ifname, macstr); | 223 | PATH_FNET, "config", "mac", ifname, macstr); |
224 | 224 | ||
225 | free(macstr); | 225 | free(macstr); |
226 | return 0; | 226 | return 0; |
227 | } | 227 | } |
@@ -237,7 +237,7 @@ int net_get_mac(const char *ifname, unsigned char mac[6]) { | |||
237 | memset(&ifr, 0, sizeof(ifr)); | 237 | memset(&ifr, 0, sizeof(ifr)); |
238 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ); | 238 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ); |
239 | ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER; | 239 | ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER; |
240 | 240 | ||
241 | if (ioctl(sock, SIOCGIFHWADDR, &ifr) == -1) | 241 | if (ioctl(sock, SIOCGIFHWADDR, &ifr) == -1) |
242 | errExit("ioctl"); | 242 | errExit("ioctl"); |
243 | memcpy(mac, ifr.ifr_hwaddr.sa_data, 6); | 243 | memcpy(mac, ifr.ifr_hwaddr.sa_data, 6); |
@@ -248,7 +248,7 @@ int net_get_mac(const char *ifname, unsigned char mac[6]) { | |||
248 | 248 | ||
249 | void net_config_interface(const char *dev, uint32_t ip, uint32_t mask, int mtu) { | 249 | void net_config_interface(const char *dev, uint32_t ip, uint32_t mask, int mtu) { |
250 | assert(dev); | 250 | assert(dev); |
251 | 251 | ||
252 | char *ipstr; | 252 | char *ipstr; |
253 | if (asprintf(&ipstr, "%llu", (long long unsigned) ip) == -1) | 253 | if (asprintf(&ipstr, "%llu", (long long unsigned) ip) == -1) |
254 | errExit("asprintf"); | 254 | errExit("asprintf"); |
@@ -260,12 +260,11 @@ void net_config_interface(const char *dev, uint32_t ip, uint32_t mask, int mtu) | |||
260 | char *mtustr; | 260 | char *mtustr; |
261 | if (asprintf(&mtustr, "%d", mtu) == -1) | 261 | if (asprintf(&mtustr, "%d", mtu) == -1) |
262 | errExit("asprintf"); | 262 | errExit("asprintf"); |
263 | 263 | ||
264 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 7, | 264 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 7, |
265 | PATH_FNET, "config", "interface", dev, ipstr, maskstr, mtustr); | 265 | PATH_FNET, "config", "interface", dev, ipstr, maskstr, mtustr); |
266 | 266 | ||
267 | free(ipstr); | 267 | free(ipstr); |
268 | free(maskstr); | 268 | free(maskstr); |
269 | free(mtustr); | 269 | free(mtustr); |
270 | } | 270 | } |
271 | |||
diff --git a/src/firejail/network.txt b/src/firejail/network.txt index f6df0f485..75bdc346d 100644 --- a/src/firejail/network.txt +++ b/src/firejail/network.txt | |||
@@ -40,10 +40,10 @@ main() { | |||
40 | else if --ip | 40 | else if --ip |
41 | br = last bridge configured | 41 | br = last bridge configured |
42 | br->ipsandbox = ip address extracted from argv[i] | 42 | br->ipsandbox = ip address extracted from argv[i] |
43 | else if --defaultgw | 43 | else if --defaultgw |
44 | cfg.defaultgw = ip address extracted from argv[i] | 44 | cfg.defaultgw = ip address extracted from argv[i] |
45 | } | 45 | } |
46 | 46 | ||
47 | net_check_cfg(); // check the validity of network configuration so far | 47 | net_check_cfg(); // check the validity of network configuration so far |
48 | 48 | ||
49 | if (any bridge configured) { | 49 | if (any bridge configured) { |
@@ -51,29 +51,29 @@ main() { | |||
51 | for each bridge | 51 | for each bridge |
52 | net_configure_sandbox_ip(br) | 52 | net_configure_sandbox_ip(br) |
53 | } | 53 | } |
54 | 54 | ||
55 | clone (new network namespace if any bridge configured or --net=none) | 55 | clone (new network namespace if any bridge configured or --net=none) |
56 | 56 | ||
57 | if (any bridge configured) { | 57 | if (any bridge configured) { |
58 | for each bridge | 58 | for each bridge |
59 | net_configure_veth_pair | 59 | net_configure_veth_pair |
60 | } | 60 | } |
61 | 61 | ||
62 | notify child init is done | 62 | notify child init is done |
63 | 63 | ||
64 | if (any bridge configured) { | 64 | if (any bridge configured) { |
65 | for each bridge | 65 | for each bridge |
66 | net_bridge_wait_ip | 66 | net_bridge_wait_ip |
67 | unlock /var/lock/firejail.lock file | 67 | unlock /var/lock/firejail.lock file |
68 | } | 68 | } |
69 | 69 | ||
70 | wait on child | 70 | wait on child |
71 | exit | 71 | exit |
72 | } | 72 | } |
73 | 73 | ||
74 | 74 | ||
75 | ****************************************************** | 75 | ****************************************************** |
76 | * macvlan notes | 76 | * macvlan notes |
77 | ****************************************************** | 77 | ****************************************************** |
78 | Configure a macvlan interface | 78 | Configure a macvlan interface |
79 | 79 | ||
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c index 3450bceea..1da25dd08 100644 --- a/src/firejail/network_main.c +++ b/src/firejail/network_main.c | |||
@@ -50,7 +50,7 @@ void net_configure_bridge(Bridge *br, char *dev_name) { | |||
50 | if (asprintf(&newname, "%s-%u", br->devsandbox, getpid()) == -1) | 50 | if (asprintf(&newname, "%s-%u", br->devsandbox, getpid()) == -1) |
51 | errExit("asprintf"); | 51 | errExit("asprintf"); |
52 | br->devsandbox = newname; | 52 | br->devsandbox = newname; |
53 | } | 53 | } |
54 | else { | 54 | else { |
55 | fprintf(stderr, "Error: cannot find network device %s\n", br->dev); | 55 | fprintf(stderr, "Error: cannot find network device %s\n", br->dev); |
56 | exit(1); | 56 | exit(1); |
@@ -72,7 +72,7 @@ void net_configure_bridge(Bridge *br, char *dev_name) { | |||
72 | printf("macvlan parent device %s at %d.%d.%d.%d/%d\n", | 72 | printf("macvlan parent device %s at %d.%d.%d.%d/%d\n", |
73 | br->dev, PRINT_IP(br->ip), mask2bits(br->mask)); | 73 | br->dev, PRINT_IP(br->ip), mask2bits(br->mask)); |
74 | } | 74 | } |
75 | 75 | ||
76 | uint32_t range = ~br->mask + 1; // the number of potential addresses | 76 | uint32_t range = ~br->mask + 1; // the number of potential addresses |
77 | // this software is not supported for /31 networks | 77 | // this software is not supported for /31 networks |
78 | if (range < 4) { | 78 | if (range < 4) { |
@@ -127,7 +127,7 @@ void net_configure_veth_pair(Bridge *br, const char *ifname, pid_t child) { | |||
127 | } | 127 | } |
128 | else | 128 | else |
129 | dev = br->veth_name; | 129 | dev = br->veth_name; |
130 | 130 | ||
131 | char *cstr; | 131 | char *cstr; |
132 | if (asprintf(&cstr, "%d", child) == -1) | 132 | if (asprintf(&cstr, "%d", child) == -1) |
133 | errExit("asprintf"); | 133 | errExit("asprintf"); |
@@ -249,7 +249,7 @@ void net_dns_print(pid_t pid) { | |||
249 | } | 249 | } |
250 | free(comm); | 250 | free(comm); |
251 | } | 251 | } |
252 | 252 | ||
253 | char *fname; | 253 | char *fname; |
254 | EUID_ROOT(); | 254 | EUID_ROOT(); |
255 | if (asprintf(&fname, "/proc/%d/root/etc/resolv.conf", pid) == -1) | 255 | if (asprintf(&fname, "/proc/%d/root/etc/resolv.conf", pid) == -1) |
@@ -261,7 +261,7 @@ void net_dns_print(pid_t pid) { | |||
261 | fprintf(stderr, "Error: cannot access /etc/resolv.conf\n"); | 261 | fprintf(stderr, "Error: cannot access /etc/resolv.conf\n"); |
262 | exit(1); | 262 | exit(1); |
263 | } | 263 | } |
264 | 264 | ||
265 | char buf[MAXBUF]; | 265 | char buf[MAXBUF]; |
266 | while (fgets(buf, MAXBUF, fp)) | 266 | while (fgets(buf, MAXBUF, fp)) |
267 | printf("%s", buf); | 267 | printf("%s", buf); |
@@ -284,21 +284,21 @@ void network_main(pid_t child) { | |||
284 | else | 284 | else |
285 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr); | 285 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge0.devsandbox, cfg.bridge0.dev, cstr); |
286 | } | 286 | } |
287 | 287 | ||
288 | if (cfg.bridge1.configured) { | 288 | if (cfg.bridge1.configured) { |
289 | if (cfg.bridge1.macvlan == 0) | 289 | if (cfg.bridge1.macvlan == 0) |
290 | net_configure_veth_pair(&cfg.bridge1, "eth1", child); | 290 | net_configure_veth_pair(&cfg.bridge1, "eth1", child); |
291 | else | 291 | else |
292 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr); | 292 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge1.devsandbox, cfg.bridge1.dev, cstr); |
293 | } | 293 | } |
294 | 294 | ||
295 | if (cfg.bridge2.configured) { | 295 | if (cfg.bridge2.configured) { |
296 | if (cfg.bridge2.macvlan == 0) | 296 | if (cfg.bridge2.macvlan == 0) |
297 | net_configure_veth_pair(&cfg.bridge2, "eth2", child); | 297 | net_configure_veth_pair(&cfg.bridge2, "eth2", child); |
298 | else | 298 | else |
299 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr); | 299 | sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 6, PATH_FNET, "create", "macvlan", cfg.bridge2.devsandbox, cfg.bridge2.dev, cstr); |
300 | } | 300 | } |
301 | 301 | ||
302 | if (cfg.bridge3.configured) { | 302 | if (cfg.bridge3.configured) { |
303 | if (cfg.bridge3.macvlan == 0) | 303 | if (cfg.bridge3.macvlan == 0) |
304 | net_configure_veth_pair(&cfg.bridge3, "eth3", child); | 304 | net_configure_veth_pair(&cfg.bridge3, "eth3", child); |
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 05f5abe2a..b37c5abf7 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c | |||
@@ -39,12 +39,12 @@ int is_container(const char *str) { | |||
39 | // returns 1 if we are running under LXC | 39 | // returns 1 if we are running under LXC |
40 | int check_namespace_virt(void) { | 40 | int check_namespace_virt(void) { |
41 | EUID_ASSERT(); | 41 | EUID_ASSERT(); |
42 | 42 | ||
43 | // check container environment variable | 43 | // check container environment variable |
44 | char *str = getenv("container"); | 44 | char *str = getenv("container"); |
45 | if (str && is_container(str)) | 45 | if (str && is_container(str)) |
46 | return 1; | 46 | return 1; |
47 | 47 | ||
48 | // check PID 1 container environment variable | 48 | // check PID 1 container environment variable |
49 | EUID_ROOT(); | 49 | EUID_ROOT(); |
50 | FILE *fp = fopen("/proc/1/environ", "r"); | 50 | FILE *fp = fopen("/proc/1/environ", "r"); |
@@ -62,7 +62,7 @@ int check_namespace_virt(void) { | |||
62 | break; | 62 | break; |
63 | } | 63 | } |
64 | buf[i] = '\0'; | 64 | buf[i] = '\0'; |
65 | 65 | ||
66 | // check env var name | 66 | // check env var name |
67 | if (strncmp(buf, "container=", 10) == 0) { | 67 | if (strncmp(buf, "container=", 10) == 0) { |
68 | // found it | 68 | // found it |
@@ -74,10 +74,10 @@ int check_namespace_virt(void) { | |||
74 | } | 74 | } |
75 | // printf("i %d c %d, buf #%s#\n", i, c, buf); | 75 | // printf("i %d c %d, buf #%s#\n", i, c, buf); |
76 | } | 76 | } |
77 | 77 | ||
78 | fclose(fp); | 78 | fclose(fp); |
79 | } | 79 | } |
80 | 80 | ||
81 | EUID_USER(); | 81 | EUID_USER(); |
82 | return 0; | 82 | return 0; |
83 | } | 83 | } |
@@ -104,7 +104,7 @@ int check_kernel_procs(void) { | |||
104 | 104 | ||
105 | // look at the first 10 processes | 105 | // look at the first 10 processes |
106 | // if a kernel process is found, return 1 | 106 | // if a kernel process is found, return 1 |
107 | for (i = 1; i <= 10; i++) { | 107 | for (i = 1; i <= 10; i++) { |
108 | struct stat s; | 108 | struct stat s; |
109 | char *fname; | 109 | char *fname; |
110 | if (asprintf(&fname, "/proc/%d/comm", i) == -1) | 110 | if (asprintf(&fname, "/proc/%d/comm", i) == -1) |
@@ -113,7 +113,7 @@ int check_kernel_procs(void) { | |||
113 | free(fname); | 113 | free(fname); |
114 | continue; | 114 | continue; |
115 | } | 115 | } |
116 | 116 | ||
117 | // open file | 117 | // open file |
118 | /* coverity[toctou] */ | 118 | /* coverity[toctou] */ |
119 | FILE *fp = fopen(fname, "r"); | 119 | FILE *fp = fopen(fname, "r"); |
@@ -122,7 +122,7 @@ int check_kernel_procs(void) { | |||
122 | free(fname); | 122 | free(fname); |
123 | continue; | 123 | continue; |
124 | } | 124 | } |
125 | 125 | ||
126 | // read file | 126 | // read file |
127 | char buf[100]; | 127 | char buf[100]; |
128 | if (fgets(buf, 10, fp) == NULL) { | 128 | if (fgets(buf, 10, fp) == NULL) { |
@@ -135,7 +135,7 @@ int check_kernel_procs(void) { | |||
135 | char *ptr; | 135 | char *ptr; |
136 | if ((ptr = strchr(buf, '\n')) != NULL) | 136 | if ((ptr = strchr(buf, '\n')) != NULL) |
137 | *ptr = '\0'; | 137 | *ptr = '\0'; |
138 | 138 | ||
139 | // check process name against the kernel list | 139 | // check process name against the kernel list |
140 | int j = 0; | 140 | int j = 0; |
141 | while (kern_proc[j] != NULL) { | 141 | while (kern_proc[j] != NULL) { |
@@ -148,7 +148,7 @@ int check_kernel_procs(void) { | |||
148 | } | 148 | } |
149 | j++; | 149 | j++; |
150 | } | 150 | } |
151 | 151 | ||
152 | fclose(fp); | 152 | fclose(fp); |
153 | free(fname); | 153 | free(fname); |
154 | } | 154 | } |
diff --git a/src/firejail/output.c b/src/firejail/output.c index cea4f4e28..9fb4ad6b1 100644 --- a/src/firejail/output.c +++ b/src/firejail/output.c | |||
@@ -24,7 +24,7 @@ | |||
24 | 24 | ||
25 | void check_output(int argc, char **argv) { | 25 | void check_output(int argc, char **argv) { |
26 | EUID_ASSERT(); | 26 | EUID_ASSERT(); |
27 | 27 | ||
28 | int i; | 28 | int i; |
29 | int outindex = 0; | 29 | int outindex = 0; |
30 | 30 | ||
@@ -49,7 +49,7 @@ void check_output(int argc, char **argv) { | |||
49 | fprintf(stderr, "Error: invalid output file. Links, directories and files with \"..\" are not allowed.\n"); | 49 | fprintf(stderr, "Error: invalid output file. Links, directories and files with \"..\" are not allowed.\n"); |
50 | exit(1); | 50 | exit(1); |
51 | } | 51 | } |
52 | 52 | ||
53 | struct stat s; | 53 | struct stat s; |
54 | if (stat(outfile, &s) == 0) { | 54 | if (stat(outfile, &s) == 0) { |
55 | // check permissions | 55 | // check permissions |
@@ -57,7 +57,7 @@ void check_output(int argc, char **argv) { | |||
57 | fprintf(stderr, "Error: the output file needs to be owned by the current user.\n"); | 57 | fprintf(stderr, "Error: the output file needs to be owned by the current user.\n"); |
58 | exit(1); | 58 | exit(1); |
59 | } | 59 | } |
60 | 60 | ||
61 | // check hard links | 61 | // check hard links |
62 | if (s.st_nlink != 1) { | 62 | if (s.st_nlink != 1) { |
63 | fprintf(stderr, "Error: no hard links allowed.\n"); | 63 | fprintf(stderr, "Error: no hard links allowed.\n"); |
@@ -71,11 +71,11 @@ void check_output(int argc, char **argv) { | |||
71 | len += strlen(argv[i]) + 1; // + ' ' | 71 | len += strlen(argv[i]) + 1; // + ' ' |
72 | } | 72 | } |
73 | len += 100 + strlen(LIBDIR) + strlen(outfile); // tee command | 73 | len += 100 + strlen(LIBDIR) + strlen(outfile); // tee command |
74 | 74 | ||
75 | char *cmd = malloc(len + 1); // + '\0' | 75 | char *cmd = malloc(len + 1); // + '\0' |
76 | if (!cmd) | 76 | if (!cmd) |
77 | errExit("malloc"); | 77 | errExit("malloc"); |
78 | 78 | ||
79 | char *ptr = cmd; | 79 | char *ptr = cmd; |
80 | for (i = 0; i < argc; i++) { | 80 | for (i = 0; i < argc; i++) { |
81 | if (strncmp(argv[i], "--output=", 9) == 0) | 81 | if (strncmp(argv[i], "--output=", 9) == 0) |
@@ -91,7 +91,7 @@ void check_output(int argc, char **argv) { | |||
91 | a[2] = cmd; | 91 | a[2] = cmd; |
92 | a[3] = NULL; | 92 | a[3] = NULL; |
93 | 93 | ||
94 | execvp(a[0], a); | 94 | execvp(a[0], a); |
95 | 95 | ||
96 | perror("execvp"); | 96 | perror("execvp"); |
97 | exit(1); | 97 | exit(1); |
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index b834e6275..ef93368bf 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c | |||
@@ -35,27 +35,27 @@ void preproc_build_firejail_dir(void) { | |||
35 | if (stat(RUN_FIREJAIL_DIR, &s)) { | 35 | if (stat(RUN_FIREJAIL_DIR, &s)) { |
36 | create_empty_dir_as_root(RUN_FIREJAIL_DIR, 0755); | 36 | create_empty_dir_as_root(RUN_FIREJAIL_DIR, 0755); |
37 | } | 37 | } |
38 | 38 | ||
39 | if (stat(RUN_FIREJAIL_NETWORK_DIR, &s)) { | 39 | if (stat(RUN_FIREJAIL_NETWORK_DIR, &s)) { |
40 | create_empty_dir_as_root(RUN_FIREJAIL_NETWORK_DIR, 0755); | 40 | create_empty_dir_as_root(RUN_FIREJAIL_NETWORK_DIR, 0755); |
41 | } | 41 | } |
42 | 42 | ||
43 | if (stat(RUN_FIREJAIL_BANDWIDTH_DIR, &s)) { | 43 | if (stat(RUN_FIREJAIL_BANDWIDTH_DIR, &s)) { |
44 | create_empty_dir_as_root(RUN_FIREJAIL_BANDWIDTH_DIR, 0755); | 44 | create_empty_dir_as_root(RUN_FIREJAIL_BANDWIDTH_DIR, 0755); |
45 | } | 45 | } |
46 | 46 | ||
47 | if (stat(RUN_FIREJAIL_NAME_DIR, &s)) { | 47 | if (stat(RUN_FIREJAIL_NAME_DIR, &s)) { |
48 | create_empty_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755); | 48 | create_empty_dir_as_root(RUN_FIREJAIL_NAME_DIR, 0755); |
49 | } | 49 | } |
50 | 50 | ||
51 | if (stat(RUN_FIREJAIL_X11_DIR, &s)) { | 51 | if (stat(RUN_FIREJAIL_X11_DIR, &s)) { |
52 | create_empty_dir_as_root(RUN_FIREJAIL_X11_DIR, 0755); | 52 | create_empty_dir_as_root(RUN_FIREJAIL_X11_DIR, 0755); |
53 | } | 53 | } |
54 | 54 | ||
55 | if (stat(RUN_FIREJAIL_APPIMAGE_DIR, &s)) { | 55 | if (stat(RUN_FIREJAIL_APPIMAGE_DIR, &s)) { |
56 | create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755); | 56 | create_empty_dir_as_root(RUN_FIREJAIL_APPIMAGE_DIR, 0755); |
57 | } | 57 | } |
58 | 58 | ||
59 | if (stat(RUN_MNT_DIR, &s)) { | 59 | if (stat(RUN_MNT_DIR, &s)) { |
60 | create_empty_dir_as_root(RUN_MNT_DIR, 0755); | 60 | create_empty_dir_as_root(RUN_MNT_DIR, 0755); |
61 | } | 61 | } |
@@ -74,7 +74,7 @@ void preproc_mount_mnt_dir(void) { | |||
74 | errExit("mounting /run/firejail/mnt"); | 74 | errExit("mounting /run/firejail/mnt"); |
75 | tmpfs_mounted = 1; | 75 | tmpfs_mounted = 1; |
76 | fs_logger2("tmpfs", RUN_MNT_DIR); | 76 | fs_logger2("tmpfs", RUN_MNT_DIR); |
77 | 77 | ||
78 | //copy defaultl seccomp files | 78 | //copy defaultl seccomp files |
79 | copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644); // root needed | 79 | copy_file(PATH_SECCOMP_I386, RUN_SECCOMP_I386, getuid(), getgid(), 0644); // root needed |
80 | copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644); // root needed | 80 | copy_file(PATH_SECCOMP_AMD64, RUN_SECCOMP_AMD64, getuid(), getgid(), 0644); // root needed |
@@ -82,7 +82,7 @@ void preproc_mount_mnt_dir(void) { | |||
82 | copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed | 82 | copy_file(PATH_SECCOMP_DEFAULT_DEBUG, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed |
83 | else | 83 | else |
84 | copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed | 84 | copy_file(PATH_SECCOMP_DEFAULT, RUN_SECCOMP_CFG, getuid(), getgid(), 0644); // root needed |
85 | 85 | ||
86 | // as root, create an empty RUN_SECCOMP_PROTOCOL file | 86 | // as root, create an empty RUN_SECCOMP_PROTOCOL file |
87 | create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644); | 87 | create_empty_file_as_root(RUN_SECCOMP_PROTOCOL, 0644); |
88 | if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644)) | 88 | if (set_perms(RUN_SECCOMP_PROTOCOL, getuid(), getgid(), 0644)) |
diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c index 098c9fb16..9524d6617 100644 --- a/src/firejail/protocol.c +++ b/src/firejail/protocol.c | |||
@@ -34,7 +34,7 @@ void protocol_filter_save(void) { | |||
34 | 34 | ||
35 | void protocol_filter_load(const char *fname) { | 35 | void protocol_filter_load(const char *fname) { |
36 | assert(fname); | 36 | assert(fname); |
37 | 37 | ||
38 | // read protocol filter configuration from PROTOCOL_CFG | 38 | // read protocol filter configuration from PROTOCOL_CFG |
39 | FILE *fp = fopen(fname, "r"); | 39 | FILE *fp = fopen(fname, "r"); |
40 | if (!fp) | 40 | if (!fp) |
@@ -48,7 +48,7 @@ void protocol_filter_load(const char *fname) { | |||
48 | return; | 48 | return; |
49 | } | 49 | } |
50 | fclose(fp); | 50 | fclose(fp); |
51 | 51 | ||
52 | char *ptr = strchr(buf, '\n'); | 52 | char *ptr = strchr(buf, '\n'); |
53 | if (ptr) | 53 | if (ptr) |
54 | *ptr = '\0'; | 54 | *ptr = '\0'; |
@@ -61,7 +61,7 @@ void protocol_filter_load(const char *fname) { | |||
61 | // --protocol.print | 61 | // --protocol.print |
62 | void protocol_print_filter(pid_t pid) { | 62 | void protocol_print_filter(pid_t pid) { |
63 | EUID_ASSERT(); | 63 | EUID_ASSERT(); |
64 | 64 | ||
65 | (void) pid; | 65 | (void) pid; |
66 | #ifdef SYS_socket | 66 | #ifdef SYS_socket |
67 | // if the pid is that of a firejail process, use the pid of the first child process | 67 | // if the pid is that of a firejail process, use the pid of the first child process |
@@ -109,7 +109,7 @@ void protocol_print_filter(pid_t pid) { | |||
109 | #else | 109 | #else |
110 | fwarning("--protocol not supported on this platform\n"); | 110 | fwarning("--protocol not supported on this platform\n"); |
111 | return; | 111 | return; |
112 | #endif | 112 | #endif |
113 | } | 113 | } |
114 | 114 | ||
115 | 115 | ||
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c index ead5dd361..246ba8fd8 100644 --- a/src/firejail/pulseaudio.c +++ b/src/firejail/pulseaudio.c | |||
@@ -27,17 +27,17 @@ | |||
27 | static void disable_file(const char *path, const char *file) { | 27 | static void disable_file(const char *path, const char *file) { |
28 | assert(file); | 28 | assert(file); |
29 | assert(path); | 29 | assert(path); |
30 | 30 | ||
31 | struct stat s; | 31 | struct stat s; |
32 | char *fname; | 32 | char *fname; |
33 | if (asprintf(&fname, "%s/%s", path, file) == -1) | 33 | if (asprintf(&fname, "%s/%s", path, file) == -1) |
34 | errExit("asprintf"); | 34 | errExit("asprintf"); |
35 | if (stat(fname, &s) == -1) | 35 | if (stat(fname, &s) == -1) |
36 | goto doexit; | 36 | goto doexit; |
37 | 37 | ||
38 | if (arg_debug) | 38 | if (arg_debug) |
39 | printf("Disable%s\n", fname); | 39 | printf("Disable%s\n", fname); |
40 | 40 | ||
41 | if (S_ISDIR(s.st_mode)) { | 41 | if (S_ISDIR(s.st_mode)) { |
42 | if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0) | 42 | if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0) |
43 | errExit("disable file"); | 43 | errExit("disable file"); |
@@ -71,7 +71,7 @@ void pulseaudio_disable(void) { | |||
71 | errExit("asprintf"); | 71 | errExit("asprintf"); |
72 | disable_file(path, "pulse/native"); | 72 | disable_file(path, "pulse/native"); |
73 | free(path); | 73 | free(path); |
74 | 74 | ||
75 | 75 | ||
76 | 76 | ||
77 | // blacklist any pulse* file in /tmp directory | 77 | // blacklist any pulse* file in /tmp directory |
@@ -99,11 +99,11 @@ void pulseaudio_disable(void) { | |||
99 | // disable shm in pulseaudio | 99 | // disable shm in pulseaudio |
100 | void pulseaudio_init(void) { | 100 | void pulseaudio_init(void) { |
101 | struct stat s; | 101 | struct stat s; |
102 | 102 | ||
103 | // do we have pulseaudio in the system? | 103 | // do we have pulseaudio in the system? |
104 | if (stat("/etc/pulse/client.conf", &s) == -1) | 104 | if (stat("/etc/pulse/client.conf", &s) == -1) |
105 | return; | 105 | return; |
106 | 106 | ||
107 | // create the new user pulseaudio directory | 107 | // create the new user pulseaudio directory |
108 | int rv = mkdir(RUN_PULSE_DIR, 0700); | 108 | int rv = mkdir(RUN_PULSE_DIR, 0700); |
109 | (void) rv; // in --chroot mode the directory can already be there | 109 | (void) rv; // in --chroot mode the directory can already be there |
@@ -134,7 +134,7 @@ void pulseaudio_init(void) { | |||
134 | if (child == 0) { | 134 | if (child == 0) { |
135 | // drop privileges | 135 | // drop privileges |
136 | drop_privs(0); | 136 | drop_privs(0); |
137 | 137 | ||
138 | int rv = mkdir(dir1, 0755); | 138 | int rv = mkdir(dir1, 0755); |
139 | if (rv == 0) { | 139 | if (rv == 0) { |
140 | if (set_perms(dir1, getuid(), getgid(), 0755)) | 140 | if (set_perms(dir1, getuid(), getgid(), 0755)) |
@@ -156,7 +156,7 @@ void pulseaudio_init(void) { | |||
156 | } | 156 | } |
157 | } | 157 | } |
158 | free(dir1); | 158 | free(dir1); |
159 | 159 | ||
160 | if (asprintf(&dir1, "%s/.config/pulse", cfg.homedir) == -1) | 160 | if (asprintf(&dir1, "%s/.config/pulse", cfg.homedir) == -1) |
161 | errExit("asprintf"); | 161 | errExit("asprintf"); |
162 | if (stat(dir1, &s) == -1) { | 162 | if (stat(dir1, &s) == -1) { |
@@ -166,7 +166,7 @@ void pulseaudio_init(void) { | |||
166 | if (child == 0) { | 166 | if (child == 0) { |
167 | // drop privileges | 167 | // drop privileges |
168 | drop_privs(0); | 168 | drop_privs(0); |
169 | 169 | ||
170 | int rv = mkdir(dir1, 0700); | 170 | int rv = mkdir(dir1, 0700); |
171 | if (rv == 0) { | 171 | if (rv == 0) { |
172 | if (set_perms(dir1, getuid(), getgid(), 0700)) | 172 | if (set_perms(dir1, getuid(), getgid(), 0700)) |
@@ -188,8 +188,8 @@ void pulseaudio_init(void) { | |||
188 | } | 188 | } |
189 | } | 189 | } |
190 | free(dir1); | 190 | free(dir1); |
191 | 191 | ||
192 | 192 | ||
193 | // if we have ~/.config/pulse mount the new directory, else set environment variable | 193 | // if we have ~/.config/pulse mount the new directory, else set environment variable |
194 | char *homeusercfg; | 194 | char *homeusercfg; |
195 | if (asprintf(&homeusercfg, "%s/.config/pulse", cfg.homedir) == -1) | 195 | if (asprintf(&homeusercfg, "%s/.config/pulse", cfg.homedir) == -1) |
@@ -204,7 +204,7 @@ void pulseaudio_init(void) { | |||
204 | if (setenv("PULSE_CLIENTCONFIG", pulsecfg, 1) < 0) | 204 | if (setenv("PULSE_CLIENTCONFIG", pulsecfg, 1) < 0) |
205 | errExit("setenv"); | 205 | errExit("setenv"); |
206 | } | 206 | } |
207 | 207 | ||
208 | free(pulsecfg); | 208 | free(pulsecfg); |
209 | free(homeusercfg); | 209 | free(homeusercfg); |
210 | } | 210 | } |
diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index 086af48b0..87ee513af 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c | |||
@@ -56,23 +56,23 @@ static USER_LIST *ulist_find(const char *user) { | |||
56 | return ptr; | 56 | return ptr; |
57 | ptr = ptr->next; | 57 | ptr = ptr->next; |
58 | } | 58 | } |
59 | 59 | ||
60 | return NULL; | 60 | return NULL; |
61 | } | 61 | } |
62 | 62 | ||
63 | static void sanitize_home(void) { | 63 | static void sanitize_home(void) { |
64 | assert(getuid() != 0); // this code works only for regular users | 64 | assert(getuid() != 0); // this code works only for regular users |
65 | 65 | ||
66 | if (arg_debug) | 66 | if (arg_debug) |
67 | printf("Cleaning /home directory\n"); | 67 | printf("Cleaning /home directory\n"); |
68 | 68 | ||
69 | struct stat s; | 69 | struct stat s; |
70 | if (stat(cfg.homedir, &s) == -1) { | 70 | if (stat(cfg.homedir, &s) == -1) { |
71 | // cannot find home directory, just return | 71 | // cannot find home directory, just return |
72 | fwarning("cannot find home directory\n"); | 72 | fwarning("cannot find home directory\n"); |
73 | return; | 73 | return; |
74 | } | 74 | } |
75 | 75 | ||
76 | if (mkdir(RUN_WHITELIST_HOME_DIR, 0755) == -1) | 76 | if (mkdir(RUN_WHITELIST_HOME_DIR, 0755) == -1) |
77 | errExit("mkdir"); | 77 | errExit("mkdir"); |
78 | 78 | ||
@@ -93,7 +93,7 @@ static void sanitize_home(void) { | |||
93 | errExit("mkdir"); | 93 | errExit("mkdir"); |
94 | } | 94 | } |
95 | fs_logger2("mkdir", cfg.homedir); | 95 | fs_logger2("mkdir", cfg.homedir); |
96 | 96 | ||
97 | // set mode and ownership | 97 | // set mode and ownership |
98 | if (set_perms(cfg.homedir, s.st_uid, s.st_gid, s.st_mode)) | 98 | if (set_perms(cfg.homedir, s.st_uid, s.st_gid, s.st_mode)) |
99 | errExit("set_perms"); | 99 | errExit("set_perms"); |
@@ -108,7 +108,7 @@ static void sanitize_home(void) { | |||
108 | fs_logger2("tmpfs", RUN_WHITELIST_HOME_DIR); | 108 | fs_logger2("tmpfs", RUN_WHITELIST_HOME_DIR); |
109 | if (!arg_private) | 109 | if (!arg_private) |
110 | fs_logger2("whitelist", cfg.homedir); | 110 | fs_logger2("whitelist", cfg.homedir); |
111 | 111 | ||
112 | } | 112 | } |
113 | 113 | ||
114 | static void sanitize_passwd(void) { | 114 | static void sanitize_passwd(void) { |
@@ -133,7 +133,7 @@ static void sanitize_passwd(void) { | |||
133 | fpout = fopen(RUN_PASSWD_FILE, "w"); | 133 | fpout = fopen(RUN_PASSWD_FILE, "w"); |
134 | if (!fpout) | 134 | if (!fpout) |
135 | goto errout; | 135 | goto errout; |
136 | 136 | ||
137 | // read the file line by line | 137 | // read the file line by line |
138 | char buf[MAXBUF]; | 138 | char buf[MAXBUF]; |
139 | uid_t myuid = getuid(); | 139 | uid_t myuid = getuid(); |
@@ -141,12 +141,12 @@ static void sanitize_passwd(void) { | |||
141 | // comments and empty lines | 141 | // comments and empty lines |
142 | if (*buf == '\0' || *buf == '#') | 142 | if (*buf == '\0' || *buf == '#') |
143 | continue; | 143 | continue; |
144 | 144 | ||
145 | // sample line: | 145 | // sample line: |
146 | // www-data:x:33:33:www-data:/var/www:/bin/sh | 146 | // www-data:x:33:33:www-data:/var/www:/bin/sh |
147 | // drop lines with uid > 1000 and not the current user | 147 | // drop lines with uid > 1000 and not the current user |
148 | char *ptr = buf; | 148 | char *ptr = buf; |
149 | 149 | ||
150 | // advance to uid | 150 | // advance to uid |
151 | while (*ptr != ':' && *ptr != '\0') | 151 | while (*ptr != ':' && *ptr != '\0') |
152 | ptr++; | 152 | ptr++; |
@@ -190,9 +190,9 @@ static void sanitize_passwd(void) { | |||
190 | if (mount(RUN_PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0) | 190 | if (mount(RUN_PASSWD_FILE, "/etc/passwd", "none", MS_BIND, "mode=400,gid=0") < 0) |
191 | errExit("mount"); | 191 | errExit("mount"); |
192 | fs_logger("create /etc/passwd"); | 192 | fs_logger("create /etc/passwd"); |
193 | 193 | ||
194 | return; | 194 | return; |
195 | 195 | ||
196 | errout: | 196 | errout: |
197 | fwarning("failed to clean up /etc/passwd\n"); | 197 | fwarning("failed to clean up /etc/passwd\n"); |
198 | if (fpin) | 198 | if (fpin) |
@@ -206,7 +206,7 @@ static int copy_line(FILE *fpout, char *buf, char *ptr) { | |||
206 | // fpout: GROUP_FILE | 206 | // fpout: GROUP_FILE |
207 | // buf: pulse:x:115:netblue,bingo | 207 | // buf: pulse:x:115:netblue,bingo |
208 | // ptr: 115:neblue,bingo | 208 | // ptr: 115:neblue,bingo |
209 | 209 | ||
210 | while (*ptr != ':' && *ptr != '\0') | 210 | while (*ptr != ':' && *ptr != '\0') |
211 | ptr++; | 211 | ptr++; |
212 | if (*ptr == '\0') | 212 | if (*ptr == '\0') |
@@ -217,7 +217,7 @@ static int copy_line(FILE *fpout, char *buf, char *ptr) { | |||
217 | fprintf(fpout, "%s", buf); | 217 | fprintf(fpout, "%s", buf); |
218 | return 0; | 218 | return 0; |
219 | } | 219 | } |
220 | 220 | ||
221 | // print what we have so far | 221 | // print what we have so far |
222 | char tmp = *ptr; | 222 | char tmp = *ptr; |
223 | *ptr = '\0'; | 223 | *ptr = '\0'; |
@@ -266,7 +266,7 @@ static void sanitize_group(void) { | |||
266 | fpout = fopen(RUN_GROUP_FILE, "w"); | 266 | fpout = fopen(RUN_GROUP_FILE, "w"); |
267 | if (!fpout) | 267 | if (!fpout) |
268 | goto errout; | 268 | goto errout; |
269 | 269 | ||
270 | // read the file line by line | 270 | // read the file line by line |
271 | char buf[MAXBUF]; | 271 | char buf[MAXBUF]; |
272 | gid_t mygid = getgid(); | 272 | gid_t mygid = getgid(); |
@@ -274,12 +274,12 @@ static void sanitize_group(void) { | |||
274 | // comments and empty lines | 274 | // comments and empty lines |
275 | if (*buf == '\0' || *buf == '#') | 275 | if (*buf == '\0' || *buf == '#') |
276 | continue; | 276 | continue; |
277 | 277 | ||
278 | // sample line: | 278 | // sample line: |
279 | // pulse:x:115:netblue,bingo | 279 | // pulse:x:115:netblue,bingo |
280 | // drop lines with uid > 1000 and not the current user group | 280 | // drop lines with uid > 1000 and not the current user group |
281 | char *ptr = buf; | 281 | char *ptr = buf; |
282 | 282 | ||
283 | // advance to uid | 283 | // advance to uid |
284 | while (*ptr != ':' && *ptr != '\0') | 284 | while (*ptr != ':' && *ptr != '\0') |
285 | ptr++; | 285 | ptr++; |
@@ -318,9 +318,9 @@ static void sanitize_group(void) { | |||
318 | if (mount(RUN_GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0) | 318 | if (mount(RUN_GROUP_FILE, "/etc/group", "none", MS_BIND, "mode=400,gid=0") < 0) |
319 | errExit("mount"); | 319 | errExit("mount"); |
320 | fs_logger("create /etc/group"); | 320 | fs_logger("create /etc/group"); |
321 | 321 | ||
322 | return; | 322 | return; |
323 | 323 | ||
324 | errout: | 324 | errout: |
325 | fwarning("failed to clean up /etc/group\n"); | 325 | fwarning("failed to clean up /etc/group\n"); |
326 | if (fpin) | 326 | if (fpin) |
@@ -332,7 +332,7 @@ errout: | |||
332 | void restrict_users(void) { | 332 | void restrict_users(void) { |
333 | if (arg_allusers) | 333 | if (arg_allusers) |
334 | return; | 334 | return; |
335 | 335 | ||
336 | // only in user mode | 336 | // only in user mode |
337 | if (getuid()) { | 337 | if (getuid()) { |
338 | if (strncmp(cfg.homedir, "/home/", 6) == 0) { | 338 | if (strncmp(cfg.homedir, "/home/", 6) == 0) { |
diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c index 9919c4656..d09a2c7e5 100644 --- a/src/firejail/restricted_shell.c +++ b/src/firejail/restricted_shell.c | |||
@@ -44,7 +44,7 @@ int restricted_shell(const char *user) { | |||
44 | 44 | ||
45 | // remove empty spaces at the beginning of the line | 45 | // remove empty spaces at the beginning of the line |
46 | char *ptr = buf; | 46 | char *ptr = buf; |
47 | while (*ptr == ' ' || *ptr == '\t') { | 47 | while (*ptr == ' ' || *ptr == '\t') { |
48 | ptr++; | 48 | ptr++; |
49 | } | 49 | } |
50 | if (*ptr == '\n' || *ptr == '#') | 50 | if (*ptr == '\n' || *ptr == '#') |
@@ -53,7 +53,7 @@ int restricted_shell(const char *user) { | |||
53 | // | 53 | // |
54 | // parse line | 54 | // parse line |
55 | // | 55 | // |
56 | 56 | ||
57 | // extract users | 57 | // extract users |
58 | char *usr = ptr; | 58 | char *usr = ptr; |
59 | char *args = strchr(usr, ':'); | 59 | char *args = strchr(usr, ':'); |
@@ -61,13 +61,13 @@ int restricted_shell(const char *user) { | |||
61 | fprintf(stderr, "Error: users.conf line %d\n", lineno); | 61 | fprintf(stderr, "Error: users.conf line %d\n", lineno); |
62 | exit(1); | 62 | exit(1); |
63 | } | 63 | } |
64 | 64 | ||
65 | *args = '\0'; | 65 | *args = '\0'; |
66 | args++; | 66 | args++; |
67 | ptr = strchr(args, '\n'); | 67 | ptr = strchr(args, '\n'); |
68 | if (ptr) | 68 | if (ptr) |
69 | *ptr = '\0'; | 69 | *ptr = '\0'; |
70 | 70 | ||
71 | // extract firejail command line arguments | 71 | // extract firejail command line arguments |
72 | char *ptr2 = args; | 72 | char *ptr2 = args; |
73 | int found = 0; | 73 | int found = 0; |
@@ -81,7 +81,7 @@ int restricted_shell(const char *user) { | |||
81 | // if nothing follows, continue | 81 | // if nothing follows, continue |
82 | if (!found) | 82 | if (!found) |
83 | continue; | 83 | continue; |
84 | 84 | ||
85 | // user name globbing | 85 | // user name globbing |
86 | if (fnmatch(usr, user, 0) == 0) { | 86 | if (fnmatch(usr, user, 0) == 0) { |
87 | // process program arguments | 87 | // process program arguments |
@@ -102,8 +102,8 @@ int restricted_shell(const char *user) { | |||
102 | fclose(fp); | 102 | fclose(fp); |
103 | } | 103 | } |
104 | EUID_USER();} | 104 | EUID_USER();} |
105 | #endif | 105 | #endif |
106 | 106 | ||
107 | if (*ptr != '\0') { | 107 | if (*ptr != '\0') { |
108 | // go to the end of the word | 108 | // go to the end of the word |
109 | while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0') | 109 | while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0') |
@@ -128,6 +128,5 @@ int restricted_shell(const char *user) { | |||
128 | } | 128 | } |
129 | fclose(fp); | 129 | fclose(fp); |
130 | 130 | ||
131 | return 0; | 131 | return 0; |
132 | } | 132 | } |
133 | |||
diff --git a/src/firejail/rlimit.c b/src/firejail/rlimit.c index bf63bae38..99127673e 100644 --- a/src/firejail/rlimit.c +++ b/src/firejail/rlimit.c | |||
@@ -47,7 +47,7 @@ void set_rlimits(void) { | |||
47 | if (arg_debug) | 47 | if (arg_debug) |
48 | printf("Config rlimit: number of processes %llu\n", cfg.rlimit_nproc); | 48 | printf("Config rlimit: number of processes %llu\n", cfg.rlimit_nproc); |
49 | } | 49 | } |
50 | 50 | ||
51 | if (arg_rlimit_fsize) { | 51 | if (arg_rlimit_fsize) { |
52 | rl.rlim_cur = (rlim_t) cfg.rlimit_fsize; | 52 | rl.rlim_cur = (rlim_t) cfg.rlimit_fsize; |
53 | rl.rlim_max = (rlim_t) cfg.rlimit_fsize; | 53 | rl.rlim_max = (rlim_t) cfg.rlimit_fsize; |
@@ -59,7 +59,7 @@ void set_rlimits(void) { | |||
59 | if (arg_debug) | 59 | if (arg_debug) |
60 | printf("Config rlimit: maximum file size %llu\n", cfg.rlimit_fsize); | 60 | printf("Config rlimit: maximum file size %llu\n", cfg.rlimit_fsize); |
61 | } | 61 | } |
62 | 62 | ||
63 | if (arg_rlimit_sigpending) { | 63 | if (arg_rlimit_sigpending) { |
64 | rl.rlim_cur = (rlim_t) cfg.rlimit_sigpending; | 64 | rl.rlim_cur = (rlim_t) cfg.rlimit_sigpending; |
65 | rl.rlim_max = (rlim_t) cfg.rlimit_sigpending; | 65 | rl.rlim_max = (rlim_t) cfg.rlimit_sigpending; |
diff --git a/src/firejail/run_symlink.c b/src/firejail/run_symlink.c index 57f04485b..a9298a33f 100644 --- a/src/firejail/run_symlink.c +++ b/src/firejail/run_symlink.c | |||
@@ -24,7 +24,7 @@ | |||
24 | 24 | ||
25 | void run_symlink(int argc, char **argv) { | 25 | void run_symlink(int argc, char **argv) { |
26 | EUID_ASSERT(); | 26 | EUID_ASSERT(); |
27 | 27 | ||
28 | char *program = strrchr(argv[0], '/'); | 28 | char *program = strrchr(argv[0], '/'); |
29 | if (program) | 29 | if (program) |
30 | program += 1; | 30 | program += 1; |
@@ -40,7 +40,7 @@ void run_symlink(int argc, char **argv) { | |||
40 | fprintf(stderr, "Error: PATH environment variable not set\n"); | 40 | fprintf(stderr, "Error: PATH environment variable not set\n"); |
41 | exit(1); | 41 | exit(1); |
42 | } | 42 | } |
43 | 43 | ||
44 | char *path = strdup(p); | 44 | char *path = strdup(p); |
45 | if (!path) | 45 | if (!path) |
46 | errExit("strdup"); | 46 | errExit("strdup"); |
@@ -105,8 +105,8 @@ void run_symlink(int argc, char **argv) { | |||
105 | a[i + 2] = argv[i + 1]; | 105 | a[i + 2] = argv[i + 1]; |
106 | } | 106 | } |
107 | a[i + 2] = NULL; | 107 | a[i + 2] = NULL; |
108 | assert(getenv("LD_PRELOAD") == NULL); | 108 | assert(getenv("LD_PRELOAD") == NULL); |
109 | execvp(a[0], a); | 109 | execvp(a[0], a); |
110 | 110 | ||
111 | perror("execvp"); | 111 | perror("execvp"); |
112 | exit(1); | 112 | exit(1); |
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index 9640ef9ed..6cd58d78e 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c | |||
@@ -39,28 +39,28 @@ static struct sock_filter filter[] = { | |||
39 | #endif | 39 | #endif |
40 | 40 | ||
41 | // syscall list | 41 | // syscall list |
42 | #ifdef SYS_mount | 42 | #ifdef SYS_mount |
43 | BLACKLIST(SYS_mount), // mount/unmount filesystems | 43 | BLACKLIST(SYS_mount), // mount/unmount filesystems |
44 | #endif | 44 | #endif |
45 | #ifdef SYS_umount2 | 45 | #ifdef SYS_umount2 |
46 | BLACKLIST(SYS_umount2), | 46 | BLACKLIST(SYS_umount2), |
47 | #endif | 47 | #endif |
48 | #ifdef SYS_ptrace | 48 | #ifdef SYS_ptrace |
49 | BLACKLIST(SYS_ptrace), // trace processes | 49 | BLACKLIST(SYS_ptrace), // trace processes |
50 | #endif | 50 | #endif |
51 | #ifdef SYS_kexec_file_load | 51 | #ifdef SYS_kexec_file_load |
52 | BLACKLIST(SYS_kexec_file_load), | 52 | BLACKLIST(SYS_kexec_file_load), |
53 | #endif | 53 | #endif |
54 | #ifdef SYS_kexec_load | 54 | #ifdef SYS_kexec_load |
55 | BLACKLIST(SYS_kexec_load), // loading a different kernel | 55 | BLACKLIST(SYS_kexec_load), // loading a different kernel |
56 | #endif | 56 | #endif |
57 | #ifdef SYS_name_to_handle_at | 57 | #ifdef SYS_name_to_handle_at |
58 | BLACKLIST(SYS_name_to_handle_at), | 58 | BLACKLIST(SYS_name_to_handle_at), |
59 | #endif | 59 | #endif |
60 | #ifdef SYS_open_by_handle_at | 60 | #ifdef SYS_open_by_handle_at |
61 | BLACKLIST(SYS_open_by_handle_at), // open by handle | 61 | BLACKLIST(SYS_open_by_handle_at), // open by handle |
62 | #endif | 62 | #endif |
63 | #ifdef SYS_init_module | 63 | #ifdef SYS_init_module |
64 | BLACKLIST(SYS_init_module), // kernel module handling | 64 | BLACKLIST(SYS_init_module), // kernel module handling |
65 | #endif | 65 | #endif |
66 | #ifdef SYS_finit_module // introduced in 2013 | 66 | #ifdef SYS_finit_module // introduced in 2013 |
@@ -69,31 +69,31 @@ static struct sock_filter filter[] = { | |||
69 | #ifdef SYS_create_module | 69 | #ifdef SYS_create_module |
70 | BLACKLIST(SYS_create_module), | 70 | BLACKLIST(SYS_create_module), |
71 | #endif | 71 | #endif |
72 | #ifdef SYS_delete_module | 72 | #ifdef SYS_delete_module |
73 | BLACKLIST(SYS_delete_module), | 73 | BLACKLIST(SYS_delete_module), |
74 | #endif | 74 | #endif |
75 | #ifdef SYS_iopl | 75 | #ifdef SYS_iopl |
76 | BLACKLIST(SYS_iopl), // io permissions | 76 | BLACKLIST(SYS_iopl), // io permissions |
77 | #endif | 77 | #endif |
78 | #ifdef SYS_ioperm | 78 | #ifdef SYS_ioperm |
79 | BLACKLIST(SYS_ioperm), | 79 | BLACKLIST(SYS_ioperm), |
80 | #endif | 80 | #endif |
81 | #ifdef SYS_iopl | 81 | #ifdef SYS_iopl |
82 | BLACKLIST(SYS_iopl), // io permissions | 82 | BLACKLIST(SYS_iopl), // io permissions |
83 | #endif | 83 | #endif |
84 | #ifdef SYS_ioprio_set | 84 | #ifdef SYS_ioprio_set |
85 | BLACKLIST(SYS_ioprio_set), | 85 | BLACKLIST(SYS_ioprio_set), |
86 | #endif | 86 | #endif |
87 | #ifdef SYS_ni_syscall // new io permissions call on arm devices | 87 | #ifdef SYS_ni_syscall // new io permissions call on arm devices |
88 | BLACKLIST(SYS_ni_syscall), | 88 | BLACKLIST(SYS_ni_syscall), |
89 | #endif | 89 | #endif |
90 | #ifdef SYS_swapon | 90 | #ifdef SYS_swapon |
91 | BLACKLIST(SYS_swapon), // swap on/off | 91 | BLACKLIST(SYS_swapon), // swap on/off |
92 | #endif | 92 | #endif |
93 | #ifdef SYS_swapoff | 93 | #ifdef SYS_swapoff |
94 | BLACKLIST(SYS_swapoff), | 94 | BLACKLIST(SYS_swapoff), |
95 | #endif | 95 | #endif |
96 | #ifdef SYS_syslog | 96 | #ifdef SYS_syslog |
97 | BLACKLIST(SYS_syslog), // kernel printk control | 97 | BLACKLIST(SYS_syslog), // kernel printk control |
98 | #endif | 98 | #endif |
99 | RETURN_ALLOW | 99 | RETURN_ALLOW |
@@ -113,7 +113,7 @@ typedef struct sbox_config { | |||
113 | 113 | ||
114 | int sbox_run(unsigned filter, int num, ...) { | 114 | int sbox_run(unsigned filter, int num, ...) { |
115 | EUID_ROOT(); | 115 | EUID_ROOT(); |
116 | 116 | ||
117 | int i; | 117 | int i; |
118 | va_list valist; | 118 | va_list valist; |
119 | va_start(valist, num); | 119 | va_start(valist, num); |
@@ -124,7 +124,7 @@ int sbox_run(unsigned filter, int num, ...) { | |||
124 | arg[i] = va_arg(valist, char*); | 124 | arg[i] = va_arg(valist, char*); |
125 | arg[i] = NULL; | 125 | arg[i] = NULL; |
126 | va_end(valist); | 126 | va_end(valist); |
127 | 127 | ||
128 | if (arg_debug) { | 128 | if (arg_debug) { |
129 | printf("sbox run: "); | 129 | printf("sbox run: "); |
130 | for (i = 0; i <= num; i++) | 130 | for (i = 0; i <= num; i++) |
@@ -138,7 +138,7 @@ int sbox_run(unsigned filter, int num, ...) { | |||
138 | if (child == 0) { | 138 | if (child == 0) { |
139 | // clean the new process | 139 | // clean the new process |
140 | clearenv(); | 140 | clearenv(); |
141 | 141 | ||
142 | if (filter & SBOX_STDIN_FROM_FILE) { | 142 | if (filter & SBOX_STDIN_FROM_FILE) { |
143 | int fd; | 143 | int fd; |
144 | if((fd = open(SBOX_STDIN_FILE, O_RDONLY)) == -1) { | 144 | if((fd = open(SBOX_STDIN_FILE, O_RDONLY)) == -1) { |
@@ -154,7 +154,7 @@ int sbox_run(unsigned filter, int num, ...) { | |||
154 | else // the user could run the sandbox without /dev/null | 154 | else // the user could run the sandbox without /dev/null |
155 | close(STDIN_FILENO); | 155 | close(STDIN_FILENO); |
156 | } | 156 | } |
157 | 157 | ||
158 | // close all other file descriptors | 158 | // close all other file descriptors |
159 | int max = 20; // getdtablesize() is overkill for a firejail process | 159 | int max = 20; // getdtablesize() is overkill for a firejail process |
160 | for (i = 3; i < max; i++) | 160 | for (i = 3; i < max; i++) |
@@ -163,10 +163,10 @@ int sbox_run(unsigned filter, int num, ...) { | |||
163 | if (arg_debug) { | 163 | if (arg_debug) { |
164 | printf("sbox file descriptors:\n"); | 164 | printf("sbox file descriptors:\n"); |
165 | int rv = system("ls -l /proc/self/fd"); | 165 | int rv = system("ls -l /proc/self/fd"); |
166 | (void) rv; | 166 | (void) rv; |
167 | } | 167 | } |
168 | 168 | ||
169 | umask(027); | 169 | umask(027); |
170 | 170 | ||
171 | // apply filters | 171 | // apply filters |
172 | if (filter & SBOX_CAPS_NONE) { | 172 | if (filter & SBOX_CAPS_NONE) { |
@@ -178,7 +178,7 @@ int sbox_run(unsigned filter, int num, ...) { | |||
178 | set |= ((uint64_t) 1) << CAP_NET_RAW; | 178 | set |= ((uint64_t) 1) << CAP_NET_RAW; |
179 | caps_set(set); | 179 | caps_set(set); |
180 | #endif | 180 | #endif |
181 | } | 181 | } |
182 | 182 | ||
183 | if (filter & SBOX_SECCOMP) { | 183 | if (filter & SBOX_SECCOMP) { |
184 | if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { | 184 | if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { |
@@ -200,11 +200,11 @@ int sbox_run(unsigned filter, int num, ...) { | |||
200 | drop_privs(1); | 200 | drop_privs(1); |
201 | 201 | ||
202 | clearenv(); | 202 | clearenv(); |
203 | 203 | ||
204 | // --quiet is passed as an environment variable | 204 | // --quiet is passed as an environment variable |
205 | if (arg_quiet) | 205 | if (arg_quiet) |
206 | setenv("FIREJAIL_QUIET", "yes", 1); | 206 | setenv("FIREJAIL_QUIET", "yes", 1); |
207 | 207 | ||
208 | if (arg[0]) // get rid of scan-build warning | 208 | if (arg[0]) // get rid of scan-build warning |
209 | execvp(arg[0], arg); | 209 | execvp(arg[0], arg); |
210 | else | 210 | else |
@@ -221,6 +221,6 @@ int sbox_run(unsigned filter, int num, ...) { | |||
221 | fprintf(stderr, "Error: failed to run %s\n", arg[0]); | 221 | fprintf(stderr, "Error: failed to run %s\n", arg[0]); |
222 | exit(1); | 222 | exit(1); |
223 | } | 223 | } |
224 | 224 | ||
225 | return status; | 225 | return status; |
226 | } | 226 | } |
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index 4ede003e3..72a5874f8 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c | |||
@@ -30,13 +30,13 @@ char *seccomp_check_list(const char *str) { | |||
30 | fprintf(stderr, "Error: empty syscall lists are not allowed\n"); | 30 | fprintf(stderr, "Error: empty syscall lists are not allowed\n"); |
31 | exit(1); | 31 | exit(1); |
32 | } | 32 | } |
33 | 33 | ||
34 | int len = strlen(str) + 1; | 34 | int len = strlen(str) + 1; |
35 | char *rv = malloc(len); | 35 | char *rv = malloc(len); |
36 | if (!rv) | 36 | if (!rv) |
37 | errExit("malloc"); | 37 | errExit("malloc"); |
38 | memset(rv, 0, len); | 38 | memset(rv, 0, len); |
39 | 39 | ||
40 | const char *ptr1 = str; | 40 | const char *ptr1 = str; |
41 | char *ptr2 = rv; | 41 | char *ptr2 = rv; |
42 | while (*ptr1 != '\0') { | 42 | while (*ptr1 != '\0') { |
@@ -47,14 +47,14 @@ char *seccomp_check_list(const char *str) { | |||
47 | exit(1); | 47 | exit(1); |
48 | } | 48 | } |
49 | } | 49 | } |
50 | 50 | ||
51 | return rv; | 51 | return rv; |
52 | } | 52 | } |
53 | 53 | ||
54 | 54 | ||
55 | int seccomp_load(const char *fname) { | 55 | int seccomp_load(const char *fname) { |
56 | assert(fname); | 56 | assert(fname); |
57 | 57 | ||
58 | // open filter file | 58 | // open filter file |
59 | int fd = open(fname, O_RDONLY); | 59 | int fd = open(fname, O_RDONLY); |
60 | if (fd == -1) | 60 | if (fd == -1) |
@@ -82,7 +82,7 @@ int seccomp_load(const char *fname) { | |||
82 | goto errexit; | 82 | goto errexit; |
83 | rd += rv; | 83 | rd += rv; |
84 | } | 84 | } |
85 | 85 | ||
86 | // close file | 86 | // close file |
87 | close(fd); | 87 | close(fd); |
88 | 88 | ||
@@ -97,9 +97,9 @@ int seccomp_load(const char *fname) { | |||
97 | err_printed = 1; | 97 | err_printed = 1; |
98 | return 1; | 98 | return 1; |
99 | } | 99 | } |
100 | 100 | ||
101 | return 0; | 101 | return 0; |
102 | 102 | ||
103 | errexit: | 103 | errexit: |
104 | fprintf(stderr, "Error: cannot read %s\n", fname); | 104 | fprintf(stderr, "Error: cannot read %s\n", fname); |
105 | exit(1); | 105 | exit(1); |
@@ -142,7 +142,7 @@ int seccomp_filter_drop(int enforce_seccomp) { | |||
142 | #endif | 142 | #endif |
143 | if (arg_debug) | 143 | if (arg_debug) |
144 | printf("Build default+drop seccomp filter\n"); | 144 | printf("Build default+drop seccomp filter\n"); |
145 | 145 | ||
146 | // build the seccomp filter as a regular user | 146 | // build the seccomp filter as a regular user |
147 | int rv; | 147 | int rv; |
148 | if (arg_allow_debuggers) | 148 | if (arg_allow_debuggers) |
@@ -154,7 +154,7 @@ int seccomp_filter_drop(int enforce_seccomp) { | |||
154 | if (rv) | 154 | if (rv) |
155 | exit(rv); | 155 | exit(rv); |
156 | } | 156 | } |
157 | 157 | ||
158 | // drop list without defaults - secondary filters are not installed | 158 | // drop list without defaults - secondary filters are not installed |
159 | else if (cfg.seccomp_list == NULL && cfg.seccomp_list_drop) { | 159 | else if (cfg.seccomp_list == NULL && cfg.seccomp_list_drop) { |
160 | if (arg_debug) | 160 | if (arg_debug) |
@@ -175,7 +175,7 @@ int seccomp_filter_drop(int enforce_seccomp) { | |||
175 | else { | 175 | else { |
176 | assert(0); | 176 | assert(0); |
177 | } | 177 | } |
178 | 178 | ||
179 | // load the filter | 179 | // load the filter |
180 | if (seccomp_load(RUN_SECCOMP_CFG) == 0) { | 180 | if (seccomp_load(RUN_SECCOMP_CFG) == 0) { |
181 | if (arg_debug) | 181 | if (arg_debug) |
@@ -185,7 +185,7 @@ int seccomp_filter_drop(int enforce_seccomp) { | |||
185 | fprintf(stderr, "Error: a seccomp-enabled Linux kernel is required, exiting...\n"); | 185 | fprintf(stderr, "Error: a seccomp-enabled Linux kernel is required, exiting...\n"); |
186 | exit(1); | 186 | exit(1); |
187 | } | 187 | } |
188 | 188 | ||
189 | if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0) | 189 | if (arg_debug && access(PATH_FSECCOMP, X_OK) == 0) |
190 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, | 190 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 3, |
191 | PATH_FSECCOMP, "print", RUN_SECCOMP_CFG); | 191 | PATH_FSECCOMP, "print", RUN_SECCOMP_CFG); |
@@ -197,14 +197,14 @@ int seccomp_filter_drop(int enforce_seccomp) { | |||
197 | int seccomp_filter_keep(void) { | 197 | int seccomp_filter_keep(void) { |
198 | if (arg_debug) | 198 | if (arg_debug) |
199 | printf("Build drop seccomp filter\n"); | 199 | printf("Build drop seccomp filter\n"); |
200 | 200 | ||
201 | // build the seccomp filter as a regular user | 201 | // build the seccomp filter as a regular user |
202 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4, | 202 | sbox_run(SBOX_USER | SBOX_CAPS_NONE | SBOX_SECCOMP, 4, |
203 | PATH_FSECCOMP, "keep", RUN_SECCOMP_CFG, cfg.seccomp_list_keep); | 203 | PATH_FSECCOMP, "keep", RUN_SECCOMP_CFG, cfg.seccomp_list_keep); |
204 | if (arg_debug) | 204 | if (arg_debug) |
205 | printf("seccomp filter configured\n"); | 205 | printf("seccomp filter configured\n"); |
206 | 206 | ||
207 | 207 | ||
208 | return seccomp_load(RUN_SECCOMP_CFG); | 208 | return seccomp_load(RUN_SECCOMP_CFG); |
209 | } | 209 | } |
210 | 210 | ||
@@ -255,4 +255,3 @@ void seccomp_print_filter(pid_t pid) { | |||
255 | } | 255 | } |
256 | 256 | ||
257 | #endif // HAVE_SECCOMP | 257 | #endif // HAVE_SECCOMP |
258 | |||
diff --git a/src/firejail/shutdown.c b/src/firejail/shutdown.c index 3c150738b..f187960d5 100644 --- a/src/firejail/shutdown.c +++ b/src/firejail/shutdown.c | |||
@@ -25,7 +25,7 @@ | |||
25 | 25 | ||
26 | void shut(pid_t pid) { | 26 | void shut(pid_t pid) { |
27 | EUID_ASSERT(); | 27 | EUID_ASSERT(); |
28 | 28 | ||
29 | pid_t parent = pid; | 29 | pid_t parent = pid; |
30 | // if the pid is that of a firejail process, use the pid of a child process inside the sandbox | 30 | // if the pid is that of a firejail process, use the pid of a child process inside the sandbox |
31 | EUID_ROOT(); | 31 | EUID_ROOT(); |
@@ -57,11 +57,11 @@ void shut(pid_t pid) { | |||
57 | exit(1); | 57 | exit(1); |
58 | } | 58 | } |
59 | } | 59 | } |
60 | 60 | ||
61 | EUID_ROOT(); | 61 | EUID_ROOT(); |
62 | printf("Sending SIGTERM to %u\n", pid); | 62 | printf("Sending SIGTERM to %u\n", pid); |
63 | kill(pid, SIGTERM); | 63 | kill(pid, SIGTERM); |
64 | 64 | ||
65 | // wait for not more than 10 seconds | 65 | // wait for not more than 10 seconds |
66 | sleep(2); | 66 | sleep(2); |
67 | int monsec = 8; | 67 | int monsec = 8; |
@@ -76,7 +76,7 @@ void shut(pid_t pid) { | |||
76 | killdone = 1; | 76 | killdone = 1; |
77 | break; | 77 | break; |
78 | } | 78 | } |
79 | 79 | ||
80 | char c; | 80 | char c; |
81 | size_t count = fread(&c, 1, 1, fp); | 81 | size_t count = fread(&c, 1, 1, fp); |
82 | fclose(fp); | 82 | fclose(fp); |
@@ -102,6 +102,6 @@ void shut(pid_t pid) { | |||
102 | kill(parent, SIGKILL); | 102 | kill(parent, SIGKILL); |
103 | } | 103 | } |
104 | } | 104 | } |
105 | 105 | ||
106 | clear_run_files(parent); | 106 | clear_run_files(parent); |
107 | } | 107 | } |
diff --git a/src/firejail/util.c b/src/firejail/util.c index 54f83dccf..acbc19234 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -118,7 +118,7 @@ int mkpath_as_root(const char* path) { | |||
118 | void fwarning(char* fmt, ...) { | 118 | void fwarning(char* fmt, ...) { |
119 | if (arg_quiet) | 119 | if (arg_quiet) |
120 | return; | 120 | return; |
121 | 121 | ||
122 | va_list args; | 122 | va_list args; |
123 | va_start(args,fmt); | 123 | va_start(args,fmt); |
124 | fprintf(stderr, "Warning: "); | 124 | fprintf(stderr, "Warning: "); |
@@ -786,7 +786,7 @@ static int remove_callback(const char *fpath, const struct stat *sb, int typefla | |||
786 | (void) sb; | 786 | (void) sb; |
787 | (void) typeflag; | 787 | (void) typeflag; |
788 | (void) ftwbuf; | 788 | (void) ftwbuf; |
789 | 789 | ||
790 | int rv = remove(fpath); | 790 | int rv = remove(fpath); |
791 | if (rv) | 791 | if (rv) |
792 | perror(fpath); | 792 | perror(fpath); |
@@ -816,7 +816,7 @@ void create_empty_dir_as_root(const char *dir, mode_t mode) { | |||
816 | assert(dir); | 816 | assert(dir); |
817 | mode &= 07777; | 817 | mode &= 07777; |
818 | struct stat s; | 818 | struct stat s; |
819 | 819 | ||
820 | if (stat(dir, &s)) { | 820 | if (stat(dir, &s)) { |
821 | if (arg_debug) | 821 | if (arg_debug) |
822 | printf("Creating empty %s directory\n", dir); | 822 | printf("Creating empty %s directory\n", dir); |
@@ -862,7 +862,7 @@ int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode) { | |||
862 | void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) { | 862 | void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) { |
863 | assert(fname); | 863 | assert(fname); |
864 | mode &= 07777; | 864 | mode &= 07777; |
865 | #if 0 | 865 | #if 0 |
866 | printf("fname %s, uid %d, gid %d, mode %x - ", fname, uid, gid, (unsigned) mode); | 866 | printf("fname %s, uid %d, gid %d, mode %x - ", fname, uid, gid, (unsigned) mode); |
867 | if (S_ISLNK(mode)) | 867 | if (S_ISLNK(mode)) |
868 | printf("l"); | 868 | printf("l"); |
@@ -886,7 +886,7 @@ void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) { | |||
886 | printf( (mode & S_IWOTH) ? "w" : "-"); | 886 | printf( (mode & S_IWOTH) ? "w" : "-"); |
887 | printf( (mode & S_IXOTH) ? "x" : "-"); | 887 | printf( (mode & S_IXOTH) ? "x" : "-"); |
888 | printf("\n"); | 888 | printf("\n"); |
889 | #endif | 889 | #endif |
890 | if (mkdir(fname, mode) == -1 || | 890 | if (mkdir(fname, mode) == -1 || |
891 | chmod(fname, mode) == -1 || | 891 | chmod(fname, mode) == -1 || |
892 | chown(fname, uid, gid)) { | 892 | chown(fname, uid, gid)) { |
@@ -899,7 +899,7 @@ void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) { | |||
899 | 899 | ||
900 | char *read_text_file_or_exit(const char *fname) { | 900 | char *read_text_file_or_exit(const char *fname) { |
901 | assert(fname); | 901 | assert(fname); |
902 | 902 | ||
903 | // open file | 903 | // open file |
904 | int fd = open(fname, O_RDONLY); | 904 | int fd = open(fname, O_RDONLY); |
905 | if (fd == -1) { | 905 | if (fd == -1) { |
@@ -912,7 +912,7 @@ char *read_text_file_or_exit(const char *fname) { | |||
912 | goto errexit; | 912 | goto errexit; |
913 | if (lseek(fd, 0 , SEEK_SET) == -1) | 913 | if (lseek(fd, 0 , SEEK_SET) == -1) |
914 | goto errexit; | 914 | goto errexit; |
915 | 915 | ||
916 | // allocate memory | 916 | // allocate memory |
917 | char *data = malloc(size + 1); // + '\0' | 917 | char *data = malloc(size + 1); // + '\0' |
918 | if (data == NULL) | 918 | if (data == NULL) |
@@ -928,11 +928,11 @@ char *read_text_file_or_exit(const char *fname) { | |||
928 | } | 928 | } |
929 | rd += rv; | 929 | rd += rv; |
930 | } | 930 | } |
931 | 931 | ||
932 | // close file | 932 | // close file |
933 | close(fd); | 933 | close(fd); |
934 | return data; | 934 | return data; |
935 | 935 | ||
936 | errexit: | 936 | errexit: |
937 | close(fd); | 937 | close(fd); |
938 | fprintf(stderr, "Error: cannot read %s\n", fname); | 938 | fprintf(stderr, "Error: cannot read %s\n", fname); |
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index f1d45adef..5ce156603 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
@@ -639,7 +639,7 @@ void x11_start_xpra(int argc, char **argv) { | |||
639 | 639 | ||
640 | // build the start command | 640 | // build the start command |
641 | char *server_argv[256] = { // rest initialyzed to NULL | 641 | char *server_argv[256] = { // rest initialyzed to NULL |
642 | "xpra", "start", display_str, "--no-daemon", | 642 | "xpra", "start", display_str, "--no-daemon", |
643 | }; | 643 | }; |
644 | unsigned pos = 0; | 644 | unsigned pos = 0; |
645 | while (server_argv[pos] != NULL) pos++; | 645 | while (server_argv[pos] != NULL) pos++; |
@@ -696,7 +696,7 @@ void x11_start_xpra(int argc, char **argv) { | |||
696 | // no overrun | 696 | // no overrun |
697 | assert(pos < (sizeof(server_argv)/sizeof(*server_argv))); | 697 | assert(pos < (sizeof(server_argv)/sizeof(*server_argv))); |
698 | assert(server_argv[pos-1] == NULL); // last element is null | 698 | assert(server_argv[pos-1] == NULL); // last element is null |
699 | 699 | ||
700 | if (arg_debug) { | 700 | if (arg_debug) { |
701 | size_t i = 0; | 701 | size_t i = 0; |
702 | printf("\n*** Starting xpra server: "); | 702 | printf("\n*** Starting xpra server: "); |
@@ -820,7 +820,7 @@ void x11_start_xpra(int argc, char **argv) { | |||
820 | printf("Xpra server pid %d, xpra client pid %d, jail %d\n", server, client, jail); | 820 | printf("Xpra server pid %d, xpra client pid %d, jail %d\n", server, client, jail); |
821 | 821 | ||
822 | sleep(1); // adding a delay in order to let the server start | 822 | sleep(1); // adding a delay in order to let the server start |
823 | 823 | ||
824 | // wait for jail or server to end | 824 | // wait for jail or server to end |
825 | while (1) { | 825 | while (1) { |
826 | pid_t pid = wait(NULL); | 826 | pid_t pid = wait(NULL); |
diff --git a/src/firemon/Makefile.in b/src/firemon/Makefile.in index efc48b212..a7a97cf5a 100644 --- a/src/firemon/Makefile.in +++ b/src/firemon/Makefile.in | |||
@@ -12,7 +12,7 @@ C_FILE_LIST = $(sort $(wildcard *.c)) | |||
12 | OBJS = $(C_FILE_LIST:.c=.o) | 12 | OBJS = $(C_FILE_LIST:.c=.o) |
13 | BINOBJS = $(foreach file, $(OBJS), $file) | 13 | BINOBJS = $(foreach file, $(OBJS), $file) |
14 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security | 14 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security |
15 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now | 15 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now |
16 | HAVE_GCOV=@HAVE_GCOV@ | 16 | HAVE_GCOV=@HAVE_GCOV@ |
17 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | 17 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ |
18 | 18 | ||
@@ -27,4 +27,3 @@ clean:; rm -f *.o firemon *.gcov *.gcda *.gcno | |||
27 | 27 | ||
28 | distclean: clean | 28 | distclean: clean |
29 | rm -fr Makefile | 29 | rm -fr Makefile |
30 | |||
diff --git a/src/firemon/arp.c b/src/firemon/arp.c index d30983e4a..51a699273 100644 --- a/src/firemon/arp.c +++ b/src/firemon/arp.c | |||
@@ -24,7 +24,7 @@ static void print_arp(const char *fname) { | |||
24 | FILE *fp = fopen(fname, "r"); | 24 | FILE *fp = fopen(fname, "r"); |
25 | if (!fp) | 25 | if (!fp) |
26 | return; | 26 | return; |
27 | 27 | ||
28 | printf(" ARP Table:\n"); | 28 | printf(" ARP Table:\n"); |
29 | char buf[MAXBUF]; | 29 | char buf[MAXBUF]; |
30 | while (fgets(buf, MAXBUF, fp)) { | 30 | while (fgets(buf, MAXBUF, fp)) { |
@@ -54,7 +54,7 @@ static void print_arp(const char *fname) { | |||
54 | int rv = sscanf(start, "%s %s %s %s %s %s\n", ip, type, flags, mac, mask, device); | 54 | int rv = sscanf(start, "%s %s %s %s %s %s\n", ip, type, flags, mac, mask, device); |
55 | if (rv != 6) | 55 | if (rv != 6) |
56 | continue; | 56 | continue; |
57 | 57 | ||
58 | // destination ip | 58 | // destination ip |
59 | unsigned a, b, c, d; | 59 | unsigned a, b, c, d; |
60 | if (sscanf(ip, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 || a > 255 || b > 255 || c > 255 || d > 255) | 60 | if (sscanf(ip, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 || a > 255 || b > 255 || c > 255 || d > 255) |
@@ -67,14 +67,14 @@ static void print_arp(const char *fname) { | |||
67 | printf(" %d.%d.%d.%d dev %s lladdr %s REACHABLE\n", | 67 | printf(" %d.%d.%d.%d dev %s lladdr %s REACHABLE\n", |
68 | PRINT_IP(destip), device, mac); | 68 | PRINT_IP(destip), device, mac); |
69 | } | 69 | } |
70 | 70 | ||
71 | fclose(fp); | 71 | fclose(fp); |
72 | 72 | ||
73 | } | 73 | } |
74 | 74 | ||
75 | void arp(pid_t pid, int print_procs) { | 75 | void arp(pid_t pid, int print_procs) { |
76 | pid_read(pid); | 76 | pid_read(pid); |
77 | 77 | ||
78 | // print processes | 78 | // print processes |
79 | int i; | 79 | int i; |
80 | for (i = 0; i < max_pids; i++) { | 80 | for (i = 0; i < max_pids; i++) { |
@@ -93,5 +93,3 @@ void arp(pid_t pid, int print_procs) { | |||
93 | } | 93 | } |
94 | printf("\n"); | 94 | printf("\n"); |
95 | } | 95 | } |
96 | |||
97 | |||
diff --git a/src/firemon/caps.c b/src/firemon/caps.c index a13b784a2..4a18833d0 100644 --- a/src/firemon/caps.c +++ b/src/firemon/caps.c | |||
@@ -32,7 +32,7 @@ static void print_caps(int pid) { | |||
32 | free(file); | 32 | free(file); |
33 | return; | 33 | return; |
34 | } | 34 | } |
35 | 35 | ||
36 | char buf[MAXBUF]; | 36 | char buf[MAXBUF]; |
37 | while (fgets(buf, MAXBUF, fp)) { | 37 | while (fgets(buf, MAXBUF, fp)) { |
38 | if (strncmp(buf, "CapBnd:", 7) == 0) { | 38 | if (strncmp(buf, "CapBnd:", 7) == 0) { |
@@ -44,10 +44,10 @@ static void print_caps(int pid) { | |||
44 | fclose(fp); | 44 | fclose(fp); |
45 | free(file); | 45 | free(file); |
46 | } | 46 | } |
47 | 47 | ||
48 | void caps(pid_t pid, int print_procs) { | 48 | void caps(pid_t pid, int print_procs) { |
49 | pid_read(pid); // include all processes | 49 | pid_read(pid); // include all processes |
50 | 50 | ||
51 | // print processes | 51 | // print processes |
52 | int i; | 52 | int i; |
53 | for (i = 0; i < max_pids; i++) { | 53 | for (i = 0; i < max_pids; i++) { |
@@ -61,4 +61,3 @@ void caps(pid_t pid, int print_procs) { | |||
61 | } | 61 | } |
62 | printf("\n"); | 62 | printf("\n"); |
63 | } | 63 | } |
64 | |||
diff --git a/src/firemon/cgroup.c b/src/firemon/cgroup.c index 48427210b..41afa41fd 100644 --- a/src/firemon/cgroup.c +++ b/src/firemon/cgroup.c | |||
@@ -33,7 +33,7 @@ static void print_cgroup(int pid) { | |||
33 | free(file); | 33 | free(file); |
34 | return; | 34 | return; |
35 | } | 35 | } |
36 | 36 | ||
37 | char buf[MAXBUF]; | 37 | char buf[MAXBUF]; |
38 | if (fgets(buf, MAXBUF, fp)) { | 38 | if (fgets(buf, MAXBUF, fp)) { |
39 | printf(" %s", buf); | 39 | printf(" %s", buf); |
@@ -43,10 +43,10 @@ static void print_cgroup(int pid) { | |||
43 | fclose(fp); | 43 | fclose(fp); |
44 | free(file); | 44 | free(file); |
45 | } | 45 | } |
46 | 46 | ||
47 | void cgroup(pid_t pid, int print_procs) { | 47 | void cgroup(pid_t pid, int print_procs) { |
48 | pid_read(pid); | 48 | pid_read(pid); |
49 | 49 | ||
50 | // print processes | 50 | // print processes |
51 | int i; | 51 | int i; |
52 | for (i = 0; i < max_pids; i++) { | 52 | for (i = 0; i < max_pids; i++) { |
@@ -60,4 +60,3 @@ void cgroup(pid_t pid, int print_procs) { | |||
60 | } | 60 | } |
61 | printf("\n"); | 61 | printf("\n"); |
62 | } | 62 | } |
63 | |||
diff --git a/src/firemon/cpu.c b/src/firemon/cpu.c index 2a6979573..7d31cd44d 100644 --- a/src/firemon/cpu.c +++ b/src/firemon/cpu.c | |||
@@ -33,7 +33,7 @@ static void print_cpu(int pid) { | |||
33 | free(file); | 33 | free(file); |
34 | return; | 34 | return; |
35 | } | 35 | } |
36 | 36 | ||
37 | char buf[MAXBUF]; | 37 | char buf[MAXBUF]; |
38 | while (fgets(buf, MAXBUF, fp)) { | 38 | while (fgets(buf, MAXBUF, fp)) { |
39 | if (strncmp(buf, "Cpus_allowed_list:", 18) == 0) { | 39 | if (strncmp(buf, "Cpus_allowed_list:", 18) == 0) { |
@@ -45,10 +45,10 @@ static void print_cpu(int pid) { | |||
45 | fclose(fp); | 45 | fclose(fp); |
46 | free(file); | 46 | free(file); |
47 | } | 47 | } |
48 | 48 | ||
49 | void cpu(pid_t pid, int print_procs) { | 49 | void cpu(pid_t pid, int print_procs) { |
50 | pid_read(pid); | 50 | pid_read(pid); |
51 | 51 | ||
52 | // print processes | 52 | // print processes |
53 | int i; | 53 | int i; |
54 | for (i = 0; i < max_pids; i++) { | 54 | for (i = 0; i < max_pids; i++) { |
@@ -62,4 +62,3 @@ void cpu(pid_t pid, int print_procs) { | |||
62 | } | 62 | } |
63 | printf("\n"); | 63 | printf("\n"); |
64 | } | 64 | } |
65 | |||
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c index da5cc2d97..aaeffdbd2 100644 --- a/src/firemon/firemon.c +++ b/src/firemon/firemon.c | |||
@@ -24,7 +24,7 @@ | |||
24 | #include <sys/prctl.h> | 24 | #include <sys/prctl.h> |
25 | #include <grp.h> | 25 | #include <grp.h> |
26 | #include <sys/stat.h> | 26 | #include <sys/stat.h> |
27 | 27 | ||
28 | static int arg_route = 0; | 28 | static int arg_route = 0; |
29 | static int arg_arp = 0; | 29 | static int arg_arp = 0; |
30 | static int arg_tree = 0; | 30 | static int arg_tree = 0; |
@@ -49,7 +49,7 @@ static void my_handler(int s){ | |||
49 | 49 | ||
50 | if (terminal_set) | 50 | if (terminal_set) |
51 | tcsetattr(0, TCSANOW, &tlocal); | 51 | tcsetattr(0, TCSANOW, &tlocal); |
52 | exit(0); | 52 | exit(0); |
53 | } | 53 | } |
54 | 54 | ||
55 | // find the first child process for the specified pid | 55 | // find the first child process for the specified pid |
@@ -60,7 +60,7 @@ int find_child(int id) { | |||
60 | if (pids[i].level == 2 && pids[i].parent == id) | 60 | if (pids[i].level == 2 && pids[i].parent == id) |
61 | return i; | 61 | return i; |
62 | } | 62 | } |
63 | 63 | ||
64 | return -1; | 64 | return -1; |
65 | } | 65 | } |
66 | 66 | ||
@@ -118,7 +118,7 @@ int main(int argc, char **argv) { | |||
118 | printf("firemon version %s\n\n", VERSION); | 118 | printf("firemon version %s\n\n", VERSION); |
119 | return 0; | 119 | return 0; |
120 | } | 120 | } |
121 | 121 | ||
122 | // options without a pid argument | 122 | // options without a pid argument |
123 | else if (strcmp(argv[i], "--top") == 0) | 123 | else if (strcmp(argv[i], "--top") == 0) |
124 | arg_top = 1; | 124 | arg_top = 1; |
@@ -131,7 +131,7 @@ int main(int argc, char **argv) { | |||
131 | if (getuid() != 0 && stat("/proc/sys/kernel/grsecurity", &s) == 0) { | 131 | if (getuid() != 0 && stat("/proc/sys/kernel/grsecurity", &s) == 0) { |
132 | fprintf(stderr, "Error: this feature is not available on Grsecurity systems\n"); | 132 | fprintf(stderr, "Error: this feature is not available on Grsecurity systems\n"); |
133 | exit(1); | 133 | exit(1); |
134 | } | 134 | } |
135 | arg_netstats = 1; | 135 | arg_netstats = 1; |
136 | } | 136 | } |
137 | 137 | ||
@@ -166,17 +166,17 @@ int main(int argc, char **argv) { | |||
166 | return 1; | 166 | return 1; |
167 | } | 167 | } |
168 | } | 168 | } |
169 | 169 | ||
170 | // etc | 170 | // etc |
171 | else if (strcmp(argv[i], "--nowrap") == 0) | 171 | else if (strcmp(argv[i], "--nowrap") == 0) |
172 | arg_nowrap = 1; | 172 | arg_nowrap = 1; |
173 | 173 | ||
174 | // invalid option | 174 | // invalid option |
175 | else if (*argv[i] == '-') { | 175 | else if (*argv[i] == '-') { |
176 | fprintf(stderr, "Error: invalid option\n"); | 176 | fprintf(stderr, "Error: invalid option\n"); |
177 | return 1; | 177 | return 1; |
178 | } | 178 | } |
179 | 179 | ||
180 | // PID argument | 180 | // PID argument |
181 | else { | 181 | else { |
182 | // this should be a pid number | 182 | // this should be a pid number |
@@ -199,9 +199,9 @@ int main(int argc, char **argv) { | |||
199 | fprintf(stderr, "Error: /proc is mounted hidepid, you would need to be root to run this command\n"); | 199 | fprintf(stderr, "Error: /proc is mounted hidepid, you would need to be root to run this command\n"); |
200 | exit(1); | 200 | exit(1); |
201 | } | 201 | } |
202 | 202 | ||
203 | if (arg_top) { | 203 | if (arg_top) { |
204 | top(); | 204 | top(); |
205 | return 0; | 205 | return 0; |
206 | } | 206 | } |
207 | if (arg_list) { | 207 | if (arg_list) { |
@@ -210,9 +210,9 @@ int main(int argc, char **argv) { | |||
210 | } | 210 | } |
211 | if (arg_netstats) { | 211 | if (arg_netstats) { |
212 | netstats(); | 212 | netstats(); |
213 | return 0; | 213 | return 0; |
214 | } | 214 | } |
215 | 215 | ||
216 | // cumulative options | 216 | // cumulative options |
217 | int print_procs = 1; | 217 | int print_procs = 1; |
218 | if (arg_tree) { | 218 | if (arg_tree) { |
@@ -251,9 +251,9 @@ int main(int argc, char **argv) { | |||
251 | arp((pid_t) pid, print_procs); | 251 | arp((pid_t) pid, print_procs); |
252 | print_procs = 0; | 252 | print_procs = 0; |
253 | } | 253 | } |
254 | 254 | ||
255 | if (print_procs) | 255 | if (print_procs) |
256 | procevent((pid_t) pid); | 256 | procevent((pid_t) pid); |
257 | 257 | ||
258 | return 0; | 258 | return 0; |
259 | } | 259 | } |
diff --git a/src/firemon/interface.c b/src/firemon/interface.c index 77dd1f277..44374ed60 100644 --- a/src/firemon/interface.c +++ b/src/firemon/interface.c | |||
@@ -64,13 +64,13 @@ static void net_ifprint(void) { | |||
64 | memset(&ifr, 0, sizeof(ifr)); | 64 | memset(&ifr, 0, sizeof(ifr)); |
65 | strncpy(ifr.ifr_name, ifa->ifa_name, IFNAMSIZ); | 65 | strncpy(ifr.ifr_name, ifa->ifa_name, IFNAMSIZ); |
66 | int rv = ioctl (fd, SIOCGIFHWADDR, &ifr); | 66 | int rv = ioctl (fd, SIOCGIFHWADDR, &ifr); |
67 | 67 | ||
68 | if (rv == 0) | 68 | if (rv == 0) |
69 | printf(" %s UP, %02x:%02x:%02x:%02x:%02x:%02x\n", | 69 | printf(" %s UP, %02x:%02x:%02x:%02x:%02x:%02x\n", |
70 | ifa->ifa_name, PRINT_MAC((unsigned char *) &ifr.ifr_hwaddr.sa_data)); | 70 | ifa->ifa_name, PRINT_MAC((unsigned char *) &ifr.ifr_hwaddr.sa_data)); |
71 | else | 71 | else |
72 | printf(" %s UP\n", ifa->ifa_name); | 72 | printf(" %s UP\n", ifa->ifa_name); |
73 | 73 | ||
74 | printf(" tx/rx: %u/%u packets, %u/%u bytes\n", | 74 | printf(" tx/rx: %u/%u packets, %u/%u bytes\n", |
75 | stats->tx_packets, stats->rx_packets, | 75 | stats->tx_packets, stats->rx_packets, |
76 | stats->tx_bytes, stats->rx_bytes); | 76 | stats->tx_bytes, stats->rx_bytes); |
@@ -78,7 +78,7 @@ static void net_ifprint(void) { | |||
78 | } | 78 | } |
79 | else | 79 | else |
80 | printf(" %s DOWN\n", ifa->ifa_name); | 80 | printf(" %s DOWN\n", ifa->ifa_name); |
81 | } | 81 | } |
82 | } | 82 | } |
83 | 83 | ||
84 | 84 | ||
@@ -139,7 +139,7 @@ static void print_sandbox(pid_t pid) { | |||
139 | pid_t child = fork(); | 139 | pid_t child = fork(); |
140 | if (child == -1) | 140 | if (child == -1) |
141 | return; | 141 | return; |
142 | 142 | ||
143 | if (child == 0) { | 143 | if (child == 0) { |
144 | int rv = join_namespace(pid, "net"); | 144 | int rv = join_namespace(pid, "net"); |
145 | if (rv) | 145 | if (rv) |
@@ -150,14 +150,14 @@ static void print_sandbox(pid_t pid) { | |||
150 | #endif | 150 | #endif |
151 | _exit(0); | 151 | _exit(0); |
152 | } | 152 | } |
153 | 153 | ||
154 | // wait for the child to finish | 154 | // wait for the child to finish |
155 | waitpid(child, NULL, 0); | 155 | waitpid(child, NULL, 0); |
156 | } | 156 | } |
157 | 157 | ||
158 | void interface(pid_t pid, int print_procs) { | 158 | void interface(pid_t pid, int print_procs) { |
159 | pid_read(pid); // a pid of 0 will include all processes | 159 | pid_read(pid); // a pid of 0 will include all processes |
160 | 160 | ||
161 | // print processes | 161 | // print processes |
162 | int i; | 162 | int i; |
163 | for (i = 0; i < max_pids; i++) { | 163 | for (i = 0; i < max_pids; i++) { |
@@ -172,4 +172,3 @@ void interface(pid_t pid, int print_procs) { | |||
172 | } | 172 | } |
173 | printf("\n"); | 173 | printf("\n"); |
174 | } | 174 | } |
175 | |||
diff --git a/src/firemon/list.c b/src/firemon/list.c index 2152df31f..708b66ae4 100644 --- a/src/firemon/list.c +++ b/src/firemon/list.c | |||
@@ -21,7 +21,7 @@ | |||
21 | 21 | ||
22 | void list(void) { | 22 | void list(void) { |
23 | pid_read(0); // include all processes | 23 | pid_read(0); // include all processes |
24 | 24 | ||
25 | // print processes | 25 | // print processes |
26 | int i; | 26 | int i; |
27 | for (i = 0; i < max_pids; i++) { | 27 | for (i = 0; i < max_pids; i++) { |
@@ -29,4 +29,3 @@ void list(void) { | |||
29 | pid_print_list(i, arg_nowrap); | 29 | pid_print_list(i, arg_nowrap); |
30 | } | 30 | } |
31 | } | 31 | } |
32 | |||
diff --git a/src/firemon/netstats.c b/src/firemon/netstats.c index 8d78b094b..c5e8a242c 100644 --- a/src/firemon/netstats.c +++ b/src/firemon/netstats.c | |||
@@ -35,7 +35,7 @@ static char *get_header(void) { | |||
35 | if (asprintf(&rv, "%-5.5s %-9.9s %-10.10s %-10.10s %s", | 35 | if (asprintf(&rv, "%-5.5s %-9.9s %-10.10s %-10.10s %s", |
36 | "PID", "User", "RX(KB/s)", "TX(KB/s)", "Command") == -1) | 36 | "PID", "User", "RX(KB/s)", "TX(KB/s)", "Command") == -1) |
37 | errExit("asprintf"); | 37 | errExit("asprintf"); |
38 | 38 | ||
39 | return rv; | 39 | return rv; |
40 | } | 40 | } |
41 | 41 | ||
@@ -59,7 +59,7 @@ void get_stats(int parent) { | |||
59 | free(fname); | 59 | free(fname); |
60 | goto errexit; | 60 | goto errexit; |
61 | } | 61 | } |
62 | 62 | ||
63 | char buf[MAXBUF]; | 63 | char buf[MAXBUF]; |
64 | long long unsigned rx = 0; | 64 | long long unsigned rx = 0; |
65 | long long unsigned tx = 0; | 65 | long long unsigned tx = 0; |
@@ -68,19 +68,19 @@ void get_stats(int parent) { | |||
68 | continue; | 68 | continue; |
69 | if (strncmp(buf, " face", 5) == 0) | 69 | if (strncmp(buf, " face", 5) == 0) |
70 | continue; | 70 | continue; |
71 | 71 | ||
72 | char *ptr = buf; | 72 | char *ptr = buf; |
73 | while (*ptr != '\0' && *ptr != ':') { | 73 | while (*ptr != '\0' && *ptr != ':') { |
74 | ptr++; | 74 | ptr++; |
75 | } | 75 | } |
76 | 76 | ||
77 | if (*ptr == '\0') { | 77 | if (*ptr == '\0') { |
78 | fclose(fp); | 78 | fclose(fp); |
79 | free(fname); | 79 | free(fname); |
80 | goto errexit; | 80 | goto errexit; |
81 | } | 81 | } |
82 | ptr++; | 82 | ptr++; |
83 | 83 | ||
84 | long long unsigned rxval; | 84 | long long unsigned rxval; |
85 | long long unsigned txval; | 85 | long long unsigned txval; |
86 | unsigned a, b, c, d, e, f, g; | 86 | unsigned a, b, c, d, e, f, g; |
@@ -101,7 +101,7 @@ void get_stats(int parent) { | |||
101 | fclose(fp); | 101 | fclose(fp); |
102 | return; | 102 | return; |
103 | 103 | ||
104 | errexit: | 104 | errexit: |
105 | pids[parent].rx = 0; | 105 | pids[parent].rx = 0; |
106 | pids[parent].tx = 0; | 106 | pids[parent].tx = 0; |
107 | pids[parent].rx_delta = 0; | 107 | pids[parent].rx_delta = 0; |
@@ -121,7 +121,7 @@ static void print_proc(int index, int itv, int col) { | |||
121 | } | 121 | } |
122 | else | 122 | else |
123 | ptrcmd = cmd; | 123 | ptrcmd = cmd; |
124 | 124 | ||
125 | // check network namespace | 125 | // check network namespace |
126 | char *name; | 126 | char *name; |
127 | if (asprintf(&name, "/run/firejail/network/%d-netmap", index) == -1) | 127 | if (asprintf(&name, "/run/firejail/network/%d-netmap", index) == -1) |
@@ -145,35 +145,35 @@ static void print_proc(int index, int itv, int col) { | |||
145 | ptruser = user; | 145 | ptruser = user; |
146 | else | 146 | else |
147 | ptruser = ""; | 147 | ptruser = ""; |
148 | 148 | ||
149 | 149 | ||
150 | float rx_kbps = ((float) pids[index].rx_delta / 1000) / itv; | 150 | float rx_kbps = ((float) pids[index].rx_delta / 1000) / itv; |
151 | char ptrrx[15]; | 151 | char ptrrx[15]; |
152 | sprintf(ptrrx, "%.03f", rx_kbps); | 152 | sprintf(ptrrx, "%.03f", rx_kbps); |
153 | 153 | ||
154 | float tx_kbps = ((float) pids[index].tx_delta / 1000) / itv; | 154 | float tx_kbps = ((float) pids[index].tx_delta / 1000) / itv; |
155 | char ptrtx[15]; | 155 | char ptrtx[15]; |
156 | sprintf(ptrtx, "%.03f", tx_kbps); | 156 | sprintf(ptrtx, "%.03f", tx_kbps); |
157 | 157 | ||
158 | char buf[1024 + 1]; | 158 | char buf[1024 + 1]; |
159 | snprintf(buf, 1024, "%-5.5s %-9.9s %-10.10s %-10.10s %s", | 159 | snprintf(buf, 1024, "%-5.5s %-9.9s %-10.10s %-10.10s %s", |
160 | pidstr, ptruser, ptrrx, ptrtx, ptrcmd); | 160 | pidstr, ptruser, ptrrx, ptrtx, ptrcmd); |
161 | if (col < 1024) | 161 | if (col < 1024) |
162 | buf[col] = '\0'; | 162 | buf[col] = '\0'; |
163 | printf("%s\n", buf); | 163 | printf("%s\n", buf); |
164 | 164 | ||
165 | if (cmd) | 165 | if (cmd) |
166 | free(cmd); | 166 | free(cmd); |
167 | if (user) | 167 | if (user) |
168 | free(user); | 168 | free(user); |
169 | 169 | ||
170 | } | 170 | } |
171 | 171 | ||
172 | void netstats(void) { | 172 | void netstats(void) { |
173 | pid_read(0); // include all processes | 173 | pid_read(0); // include all processes |
174 | 174 | ||
175 | printf("Displaying network statistics only for sandboxes using a new network namespace.\n"); | 175 | printf("Displaying network statistics only for sandboxes using a new network namespace.\n"); |
176 | 176 | ||
177 | // print processes | 177 | // print processes |
178 | while (1) { | 178 | while (1) { |
179 | // set pid table | 179 | // set pid table |
@@ -186,10 +186,10 @@ void netstats(void) { | |||
186 | if (pids[i].level == 1) | 186 | if (pids[i].level == 1) |
187 | get_stats(i); | 187 | get_stats(i); |
188 | } | 188 | } |
189 | 189 | ||
190 | // wait 5 seconds | 190 | // wait 5 seconds |
191 | firemon_sleep(itv); | 191 | firemon_sleep(itv); |
192 | 192 | ||
193 | // grab screen size | 193 | // grab screen size |
194 | struct winsize sz; | 194 | struct winsize sz; |
195 | int row = 24; | 195 | int row = 24; |
@@ -198,7 +198,7 @@ void netstats(void) { | |||
198 | col = sz.ws_col; | 198 | col = sz.ws_col; |
199 | row = sz.ws_row; | 199 | row = sz.ws_row; |
200 | } | 200 | } |
201 | 201 | ||
202 | // start printing | 202 | // start printing |
203 | firemon_clrscr(); | 203 | firemon_clrscr(); |
204 | char *header = get_header(); | 204 | char *header = get_header(); |
@@ -221,4 +221,3 @@ void netstats(void) { | |||
221 | #endif | 221 | #endif |
222 | } | 222 | } |
223 | } | 223 | } |
224 | |||
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c index 378bdefe9..d6afed93a 100644 --- a/src/firemon/procevent.c +++ b/src/firemon/procevent.c | |||
@@ -40,12 +40,12 @@ static int pid_is_firejail(pid_t pid) { | |||
40 | printf("%s: %d, pid %d\n", __FUNCTION__, __LINE__, pid); | 40 | printf("%s: %d, pid %d\n", __FUNCTION__, __LINE__, pid); |
41 | #endif | 41 | #endif |
42 | uid_t rv = 0; | 42 | uid_t rv = 0; |
43 | 43 | ||
44 | // open /proc/self/comm | 44 | // open /proc/self/comm |
45 | char *file; | 45 | char *file; |
46 | if (asprintf(&file, "/proc/%u/comm", pid) == -1) | 46 | if (asprintf(&file, "/proc/%u/comm", pid) == -1) |
47 | errExit("asprintf"); | 47 | errExit("asprintf"); |
48 | 48 | ||
49 | FILE *fp = fopen(file, "r"); | 49 | FILE *fp = fopen(file, "r"); |
50 | if (!fp) { | 50 | if (!fp) { |
51 | free(file); | 51 | free(file); |
@@ -58,7 +58,7 @@ static int pid_is_firejail(pid_t pid) { | |||
58 | if (strncmp(buf, "firejail", 8) == 0) | 58 | if (strncmp(buf, "firejail", 8) == 0) |
59 | rv = 1; | 59 | rv = 1; |
60 | } | 60 | } |
61 | 61 | ||
62 | #ifdef DEBUG_PRCTL | 62 | #ifdef DEBUG_PRCTL |
63 | printf("%s: %d, comm %s, rv %d\n", __FUNCTION__, __LINE__, buf, rv); | 63 | printf("%s: %d, comm %s, rv %d\n", __FUNCTION__, __LINE__, buf, rv); |
64 | #endif | 64 | #endif |
@@ -76,7 +76,7 @@ static int pid_is_firejail(pid_t pid) { | |||
76 | goto doexit; | 76 | goto doexit; |
77 | } | 77 | } |
78 | free(fname); | 78 | free(fname); |
79 | 79 | ||
80 | // read file | 80 | // read file |
81 | #define BUFLEN 4096 | 81 | #define BUFLEN 4096 |
82 | unsigned char buffer[BUFLEN]; | 82 | unsigned char buffer[BUFLEN]; |
@@ -90,16 +90,16 @@ static int pid_is_firejail(pid_t pid) { | |||
90 | } | 90 | } |
91 | buffer[len] = '\0'; | 91 | buffer[len] = '\0'; |
92 | close(fd); | 92 | close(fd); |
93 | 93 | ||
94 | // list of firejail arguments that don't trigger sandbox creation | 94 | // list of firejail arguments that don't trigger sandbox creation |
95 | // the initial -- is not included | 95 | // the initial -- is not included |
96 | char *exclude_args[] = { | 96 | char *exclude_args[] = { |
97 | "ls", "list", "tree", "x11", "help", "version", "top", "netstats", "debug-syscalls", | 97 | "ls", "list", "tree", "x11", "help", "version", "top", "netstats", "debug-syscalls", |
98 | "debug-errnos", "debug-protocols", "protocol.print", "debug.caps", | 98 | "debug-errnos", "debug-protocols", "protocol.print", "debug.caps", |
99 | "shutdown", "bandwidth", "caps.print", "cpu.print", "debug-caps", | 99 | "shutdown", "bandwidth", "caps.print", "cpu.print", "debug-caps", |
100 | "fs.print", "get", "overlay-clean", NULL | 100 | "fs.print", "get", "overlay-clean", NULL |
101 | }; | 101 | }; |
102 | 102 | ||
103 | int i; | 103 | int i; |
104 | char *start; | 104 | char *start; |
105 | int first = 1; | 105 | int first = 1; |
@@ -114,30 +114,30 @@ static int pid_is_firejail(pid_t pid) { | |||
114 | if (strncmp(start, "--", 2) != 0) | 114 | if (strncmp(start, "--", 2) != 0) |
115 | break; | 115 | break; |
116 | start += 2; | 116 | start += 2; |
117 | 117 | ||
118 | // clan starting with = | 118 | // clan starting with = |
119 | char *ptr = strchr(start, '='); | 119 | char *ptr = strchr(start, '='); |
120 | if (ptr) | 120 | if (ptr) |
121 | *ptr = '\0'; | 121 | *ptr = '\0'; |
122 | 122 | ||
123 | // look into exclude list | 123 | // look into exclude list |
124 | int j = 0; | 124 | int j = 0; |
125 | while (exclude_args[j] != NULL) { | 125 | while (exclude_args[j] != NULL) { |
126 | if (strcmp(start, exclude_args[j]) == 0) { | 126 | if (strcmp(start, exclude_args[j]) == 0) { |
127 | rv = 0; | 127 | rv = 0; |
128 | #ifdef DEBUG_PRCTL | 128 | #ifdef DEBUG_PRCTL |
129 | printf("start=#%s#, ptr=#%s#, flip rv %d\n", start, ptr, rv); | 129 | printf("start=#%s#, ptr=#%s#, flip rv %d\n", start, ptr, rv); |
130 | #endif | 130 | #endif |
131 | break; | 131 | break; |
132 | } | 132 | } |
133 | j++; | 133 | j++; |
134 | } | 134 | } |
135 | 135 | ||
136 | start = (char *) buffer + i + 1; | 136 | start = (char *) buffer + i + 1; |
137 | } | 137 | } |
138 | } | 138 | } |
139 | 139 | ||
140 | doexit: | 140 | doexit: |
141 | fclose(fp); | 141 | fclose(fp); |
142 | free(file); | 142 | free(file); |
143 | #ifdef DEBUG_PRCTL | 143 | #ifdef DEBUG_PRCTL |
@@ -187,7 +187,7 @@ static int procevent_netlink_setup(void) { | |||
187 | 187 | ||
188 | if (writev(sock, iov, 3) == -1) | 188 | if (writev(sock, iov, 3) == -1) |
189 | goto errexit; | 189 | goto errexit; |
190 | 190 | ||
191 | return sock; | 191 | return sock; |
192 | errexit: | 192 | errexit: |
193 | fprintf(stderr, "Error: netlink socket problem\n"); | 193 | fprintf(stderr, "Error: netlink socket problem\n"); |
@@ -209,29 +209,29 @@ static int procevent_monitor(const int sock, pid_t mypid) { | |||
209 | __gcov_flush(); | 209 | __gcov_flush(); |
210 | #endif | 210 | #endif |
211 | 211 | ||
212 | #define BUFFSIZE 4096 | 212 | #define BUFFSIZE 4096 |
213 | char __attribute__ ((aligned(NLMSG_ALIGNTO)))buf[BUFFSIZE]; | 213 | char __attribute__ ((aligned(NLMSG_ALIGNTO)))buf[BUFFSIZE]; |
214 | 214 | ||
215 | fd_set readfds; | 215 | fd_set readfds; |
216 | int max; | 216 | int max; |
217 | FD_ZERO(&readfds); | 217 | FD_ZERO(&readfds); |
218 | FD_SET(sock, &readfds); | 218 | FD_SET(sock, &readfds); |
219 | max = sock; | 219 | max = sock; |
220 | max++; | 220 | max++; |
221 | 221 | ||
222 | int rv = select(max, &readfds, NULL, NULL, &tv); | 222 | int rv = select(max, &readfds, NULL, NULL, &tv); |
223 | if (rv == -1) { | 223 | if (rv == -1) { |
224 | fprintf(stderr, "recv: %s\n", strerror(errno)); | 224 | fprintf(stderr, "recv: %s\n", strerror(errno)); |
225 | return -1; | 225 | return -1; |
226 | } | 226 | } |
227 | 227 | ||
228 | // timeout | 228 | // timeout |
229 | if (rv == 0) { | 229 | if (rv == 0) { |
230 | tv.tv_sec = 30; | 230 | tv.tv_sec = 30; |
231 | tv.tv_usec = 0; | 231 | tv.tv_usec = 0; |
232 | continue; | 232 | continue; |
233 | } | 233 | } |
234 | 234 | ||
235 | 235 | ||
236 | if ((len = recv(sock, buf, sizeof(buf), 0)) == 0) { | 236 | if ((len = recv(sock, buf, sizeof(buf), 0)) == 0) { |
237 | return 0; | 237 | return 0; |
@@ -304,7 +304,7 @@ static int procevent_monitor(const int sock, pid_t mypid) { | |||
304 | } | 304 | } |
305 | sprintf(lineptr, " exec"); | 305 | sprintf(lineptr, " exec"); |
306 | break; | 306 | break; |
307 | 307 | ||
308 | case PROC_EVENT_EXIT: | 308 | case PROC_EVENT_EXIT: |
309 | if (proc_ev->event_data.exit.process_pid != | 309 | if (proc_ev->event_data.exit.process_pid != |
310 | proc_ev->event_data.exit.process_tgid) | 310 | proc_ev->event_data.exit.process_tgid) |
@@ -317,7 +317,7 @@ static int procevent_monitor(const int sock, pid_t mypid) { | |||
317 | remove_pid = 1; | 317 | remove_pid = 1; |
318 | sprintf(lineptr, " exit"); | 318 | sprintf(lineptr, " exit"); |
319 | break; | 319 | break; |
320 | 320 | ||
321 | case PROC_EVENT_UID: | 321 | case PROC_EVENT_UID: |
322 | pid = proc_ev->event_data.id.process_tgid; | 322 | pid = proc_ev->event_data.id.process_tgid; |
323 | #ifdef DEBUG_PRCTL | 323 | #ifdef DEBUG_PRCTL |
@@ -363,11 +363,11 @@ static int procevent_monitor(const int sock, pid_t mypid) { | |||
363 | continue; | 363 | continue; |
364 | } | 364 | } |
365 | } | 365 | } |
366 | 366 | ||
367 | lineptr += strlen(lineptr); | 367 | lineptr += strlen(lineptr); |
368 | sprintf(lineptr, " %u", pid); | 368 | sprintf(lineptr, " %u", pid); |
369 | lineptr += strlen(lineptr); | 369 | lineptr += strlen(lineptr); |
370 | 370 | ||
371 | char *user = pids[pid].user; | 371 | char *user = pids[pid].user; |
372 | if (!user) | 372 | if (!user) |
373 | user = pid_get_user_name(pids[pid].uid); | 373 | user = pid_get_user_name(pids[pid].uid); |
@@ -376,7 +376,7 @@ static int procevent_monitor(const int sock, pid_t mypid) { | |||
376 | sprintf(lineptr, " (%s)", user); | 376 | sprintf(lineptr, " (%s)", user); |
377 | lineptr += strlen(lineptr); | 377 | lineptr += strlen(lineptr); |
378 | } | 378 | } |
379 | 379 | ||
380 | 380 | ||
381 | int sandbox_closed = 0; // exit sandbox flag | 381 | int sandbox_closed = 0; // exit sandbox flag |
382 | char *cmd = pids[pid].cmd; | 382 | char *cmd = pids[pid].cmd; |
@@ -409,11 +409,11 @@ static int procevent_monitor(const int sock, pid_t mypid) { | |||
409 | lineptr += strlen(lineptr); | 409 | lineptr += strlen(lineptr); |
410 | } | 410 | } |
411 | (void) lineptr; | 411 | (void) lineptr; |
412 | 412 | ||
413 | // print the event | 413 | // print the event |
414 | printf("%s", line); | 414 | printf("%s", line); |
415 | fflush(0); | 415 | fflush(0); |
416 | 416 | ||
417 | // unflag pid for exit events | 417 | // unflag pid for exit events |
418 | if (remove_pid) { | 418 | if (remove_pid) { |
419 | if (pids[pid].user) | 419 | if (pids[pid].user) |
@@ -433,15 +433,15 @@ static int procevent_monitor(const int sock, pid_t mypid) { | |||
433 | else | 433 | else |
434 | printf("\tchild %u\n", child); | 434 | printf("\tchild %u\n", child); |
435 | } | 435 | } |
436 | 436 | ||
437 | // on uid events the uid is changing | 437 | // on uid events the uid is changing |
438 | if (proc_ev->what == PROC_EVENT_UID) { | 438 | if (proc_ev->what == PROC_EVENT_UID) { |
439 | if (pids[pid].user) | 439 | if (pids[pid].user) |
440 | free(pids[pid].user); | 440 | free(pids[pid].user); |
441 | pids[pid].user = 0; | 441 | pids[pid].user = 0; |
442 | pids[pid].uid = pid_get_uid(pid); | 442 | pids[pid].uid = pid_get_uid(pid); |
443 | } | 443 | } |
444 | 444 | ||
445 | if (sandbox_closed) | 445 | if (sandbox_closed) |
446 | exit(0); | 446 | exit(0); |
447 | } | 447 | } |
diff --git a/src/firemon/route.c b/src/firemon/route.c index 145daa152..f083ada0b 100644 --- a/src/firemon/route.c +++ b/src/firemon/route.c | |||
@@ -36,7 +36,7 @@ static IfList *list_find(uint32_t ip, uint32_t mask) { | |||
36 | return ptr; | 36 | return ptr; |
37 | ptr = ptr->next; | 37 | ptr = ptr->next; |
38 | } | 38 | } |
39 | 39 | ||
40 | return NULL; | 40 | return NULL; |
41 | } | 41 | } |
42 | 42 | ||
@@ -47,15 +47,15 @@ static void extract_if(const char *fname) { | |||
47 | free(ifs); | 47 | free(ifs); |
48 | ifs = tmp; | 48 | ifs = tmp; |
49 | } | 49 | } |
50 | assert(ifs == NULL); | 50 | assert(ifs == NULL); |
51 | 51 | ||
52 | FILE *fp = fopen(fname, "r"); | 52 | FILE *fp = fopen(fname, "r"); |
53 | if (!fp) | 53 | if (!fp) |
54 | return; | 54 | return; |
55 | 55 | ||
56 | char buf[MAXBUF]; | 56 | char buf[MAXBUF]; |
57 | int state = 0; // 0 -wait for Local | 57 | int state = 0; // 0 -wait for Local |
58 | // | 58 | // |
59 | while (fgets(buf, MAXBUF, fp)) { | 59 | while (fgets(buf, MAXBUF, fp)) { |
60 | // remove blanks, \n | 60 | // remove blanks, \n |
61 | char *ptr = buf; | 61 | char *ptr = buf; |
@@ -67,7 +67,7 @@ static void extract_if(const char *fname) { | |||
67 | ptr = strchr(ptr, '\n'); | 67 | ptr = strchr(ptr, '\n'); |
68 | if (ptr) | 68 | if (ptr) |
69 | *ptr = '\0'; | 69 | *ptr = '\0'; |
70 | 70 | ||
71 | if (state == 0) { | 71 | if (state == 0) { |
72 | if (strncmp(buf, "Local:", 6) == 0) { | 72 | if (strncmp(buf, "Local:", 6) == 0) { |
73 | state = 1; | 73 | state = 1; |
@@ -105,7 +105,7 @@ static void extract_if(const char *fname) { | |||
105 | } | 105 | } |
106 | } | 106 | } |
107 | } | 107 | } |
108 | 108 | ||
109 | fclose(fp); | 109 | fclose(fp); |
110 | 110 | ||
111 | 111 | ||
@@ -115,7 +115,7 @@ static void print_route(const char *fname) { | |||
115 | FILE *fp = fopen(fname, "r"); | 115 | FILE *fp = fopen(fname, "r"); |
116 | if (!fp) | 116 | if (!fp) |
117 | return; | 117 | return; |
118 | 118 | ||
119 | printf(" Route table:\n"); | 119 | printf(" Route table:\n"); |
120 | char buf[MAXBUF]; | 120 | char buf[MAXBUF]; |
121 | while (fgets(buf, MAXBUF, fp)) { | 121 | while (fgets(buf, MAXBUF, fp)) { |
@@ -147,7 +147,7 @@ static void print_route(const char *fname) { | |||
147 | int rv = sscanf(start, "%s %s %s %s %s %s %s %s\n", ifname, destination, gateway, flags, refcnt, use, metric, mask); | 147 | int rv = sscanf(start, "%s %s %s %s %s %s %s %s\n", ifname, destination, gateway, flags, refcnt, use, metric, mask); |
148 | if (rv != 8) | 148 | if (rv != 8) |
149 | continue; | 149 | continue; |
150 | 150 | ||
151 | // destination ip | 151 | // destination ip |
152 | uint32_t destip; | 152 | uint32_t destip; |
153 | sscanf(destination, "%x", &destip); | 153 | sscanf(destination, "%x", &destip); |
@@ -158,7 +158,7 @@ static void print_route(const char *fname) { | |||
158 | uint32_t gw; | 158 | uint32_t gw; |
159 | sscanf(gateway, "%x", &gw); | 159 | sscanf(gateway, "%x", &gw); |
160 | gw = ntohl(gw); | 160 | gw = ntohl(gw); |
161 | 161 | ||
162 | // printf("#%s# #%s# #%s# #%s# #%s# #%s# #%s# #%s#\n", ifname, destination, gateway, flags, refcnt, use, metric, mask); | 162 | // printf("#%s# #%s# #%s# #%s# #%s# #%s# #%s# #%s#\n", ifname, destination, gateway, flags, refcnt, use, metric, mask); |
163 | if (gw != 0) | 163 | if (gw != 0) |
164 | printf(" %u.%u.%u.%u/%u via %u.%u.%u.%u, dev %s, metric %s\n", | 164 | printf(" %u.%u.%u.%u/%u via %u.%u.%u.%u, dev %s, metric %s\n", |
@@ -176,14 +176,14 @@ static void print_route(const char *fname) { | |||
176 | } | 176 | } |
177 | } | 177 | } |
178 | } | 178 | } |
179 | 179 | ||
180 | fclose(fp); | 180 | fclose(fp); |
181 | 181 | ||
182 | } | 182 | } |
183 | 183 | ||
184 | void route(pid_t pid, int print_procs) { | 184 | void route(pid_t pid, int print_procs) { |
185 | pid_read(pid); | 185 | pid_read(pid); |
186 | 186 | ||
187 | // print processes | 187 | // print processes |
188 | int i; | 188 | int i; |
189 | for (i = 0; i < max_pids; i++) { | 189 | for (i = 0; i < max_pids; i++) { |
@@ -207,5 +207,3 @@ void route(pid_t pid, int print_procs) { | |||
207 | } | 207 | } |
208 | printf("\n"); | 208 | printf("\n"); |
209 | } | 209 | } |
210 | |||
211 | |||
diff --git a/src/firemon/seccomp.c b/src/firemon/seccomp.c index e530fa1c3..73d962fc9 100644 --- a/src/firemon/seccomp.c +++ b/src/firemon/seccomp.c | |||
@@ -31,7 +31,7 @@ static void print_seccomp(int pid) { | |||
31 | free(file); | 31 | free(file); |
32 | return; | 32 | return; |
33 | } | 33 | } |
34 | 34 | ||
35 | char buf[MAXBUF]; | 35 | char buf[MAXBUF]; |
36 | while (fgets(buf, MAXBUF, fp)) { | 36 | while (fgets(buf, MAXBUF, fp)) { |
37 | if (strncmp(buf, "Seccomp:", 8) == 0) { | 37 | if (strncmp(buf, "Seccomp:", 8) == 0) { |
@@ -43,10 +43,10 @@ static void print_seccomp(int pid) { | |||
43 | fclose(fp); | 43 | fclose(fp); |
44 | free(file); | 44 | free(file); |
45 | } | 45 | } |
46 | 46 | ||
47 | void seccomp(pid_t pid, int print_procs) { | 47 | void seccomp(pid_t pid, int print_procs) { |
48 | pid_read(pid); // include all processes | 48 | pid_read(pid); // include all processes |
49 | 49 | ||
50 | // print processes | 50 | // print processes |
51 | int i; | 51 | int i; |
52 | for (i = 0; i < max_pids; i++) { | 52 | for (i = 0; i < max_pids; i++) { |
@@ -60,4 +60,3 @@ void seccomp(pid_t pid, int print_procs) { | |||
60 | } | 60 | } |
61 | printf("\n"); | 61 | printf("\n"); |
62 | } | 62 | } |
63 | |||
diff --git a/src/firemon/top.c b/src/firemon/top.c index 081f04eba..fc6e6289e 100644 --- a/src/firemon/top.c +++ b/src/firemon/top.c | |||
@@ -23,7 +23,7 @@ | |||
23 | #include <sys/types.h> | 23 | #include <sys/types.h> |
24 | #include <sys/stat.h> | 24 | #include <sys/stat.h> |
25 | #include <unistd.h> | 25 | #include <unistd.h> |
26 | 26 | ||
27 | static unsigned pgs_rss = 0; | 27 | static unsigned pgs_rss = 0; |
28 | static unsigned pgs_shared = 0; | 28 | static unsigned pgs_shared = 0; |
29 | static unsigned clocktick = 0; | 29 | static unsigned clocktick = 0; |
@@ -40,7 +40,7 @@ static char *get_user_name(uid_t uid) { | |||
40 | } | 40 | } |
41 | else if (uid == cached_uid) | 41 | else if (uid == cached_uid) |
42 | return strdup(cached_user_name); | 42 | return strdup(cached_user_name); |
43 | else | 43 | else |
44 | return pid_get_user_name(uid); | 44 | return pid_get_user_name(uid); |
45 | } | 45 | } |
46 | 46 | ||
@@ -49,7 +49,7 @@ static char *get_header(void) { | |||
49 | if (asprintf(&rv, "%-5.5s %-9.9s %-8.8s %-8.8s %-5.5s %-4.4s %-9.9s %s", | 49 | if (asprintf(&rv, "%-5.5s %-9.9s %-8.8s %-8.8s %-5.5s %-4.4s %-9.9s %s", |
50 | "PID", "User", "RES(KiB)", "SHR(KiB)", "CPU%", "Prcs", "Uptime", "Command") == -1) | 50 | "PID", "User", "RES(KiB)", "SHR(KiB)", "CPU%", "Prcs", "Uptime", "Command") == -1) |
51 | errExit("asprintf"); | 51 | errExit("asprintf"); |
52 | 52 | ||
53 | return rv; | 53 | return rv; |
54 | } | 54 | } |
55 | 55 | ||
@@ -66,7 +66,7 @@ static char *print_top(unsigned index, unsigned parent, unsigned *utime, unsigne | |||
66 | struct stat s; | 66 | struct stat s; |
67 | if (stat(procdir, &s) == -1) | 67 | if (stat(procdir, &s) == -1) |
68 | return NULL; | 68 | return NULL; |
69 | 69 | ||
70 | if (pids[index].level == 1) { | 70 | if (pids[index].level == 1) { |
71 | pgs_rss = 0; | 71 | pgs_rss = 0; |
72 | pgs_shared = 0; | 72 | pgs_shared = 0; |
@@ -74,7 +74,7 @@ static char *print_top(unsigned index, unsigned parent, unsigned *utime, unsigne | |||
74 | *stime = 0; | 74 | *stime = 0; |
75 | *cnt = 0; | 75 | *cnt = 0; |
76 | } | 76 | } |
77 | 77 | ||
78 | (*cnt)++; | 78 | (*cnt)++; |
79 | pid_getmem(index, &pgs_rss, &pgs_shared); | 79 | pid_getmem(index, &pgs_rss, &pgs_shared); |
80 | unsigned utmp; | 80 | unsigned utmp; |
@@ -82,8 +82,8 @@ static char *print_top(unsigned index, unsigned parent, unsigned *utime, unsigne | |||
82 | pid_get_cpu_time(index, &utmp, &stmp); | 82 | pid_get_cpu_time(index, &utmp, &stmp); |
83 | *utime += utmp; | 83 | *utime += utmp; |
84 | *stime += stmp; | 84 | *stime += stmp; |
85 | 85 | ||
86 | 86 | ||
87 | int i; | 87 | int i; |
88 | for (i = index + 1; i < max_pids; i++) { | 88 | for (i = index + 1; i < max_pids; i++) { |
89 | if (pids[i].parent == (pid_t)index) | 89 | if (pids[i].parent == (pid_t)index) |
@@ -108,7 +108,7 @@ static char *print_top(unsigned index, unsigned parent, unsigned *utime, unsigne | |||
108 | ptrcmd = cmd + 9; | 108 | ptrcmd = cmd + 9; |
109 | else | 109 | else |
110 | ptrcmd = cmd; | 110 | ptrcmd = cmd; |
111 | 111 | ||
112 | // user | 112 | // user |
113 | char *user = get_user_name(pids[index].uid); | 113 | char *user = get_user_name(pids[index].uid); |
114 | char *ptruser; | 114 | char *ptruser; |
@@ -116,7 +116,7 @@ static char *print_top(unsigned index, unsigned parent, unsigned *utime, unsigne | |||
116 | ptruser = user; | 116 | ptruser = user; |
117 | else | 117 | else |
118 | ptruser = ""; | 118 | ptruser = ""; |
119 | 119 | ||
120 | // memory | 120 | // memory |
121 | if (pgsz == 0) | 121 | if (pgsz == 0) |
122 | pgsz = getpagesize(); | 122 | pgsz = getpagesize(); |
@@ -124,7 +124,7 @@ static char *print_top(unsigned index, unsigned parent, unsigned *utime, unsigne | |||
124 | snprintf(rss, 10, "%u", pgs_rss * pgsz / 1024); | 124 | snprintf(rss, 10, "%u", pgs_rss * pgsz / 1024); |
125 | char shared[10]; | 125 | char shared[10]; |
126 | snprintf(shared, 10, "%u", pgs_shared * pgsz / 1024); | 126 | snprintf(shared, 10, "%u", pgs_shared * pgsz / 1024); |
127 | 127 | ||
128 | // uptime | 128 | // uptime |
129 | unsigned long long uptime = pid_get_start_time(index); | 129 | unsigned long long uptime = pid_get_start_time(index); |
130 | if (clocktick == 0) | 130 | if (clocktick == 0) |
@@ -140,7 +140,7 @@ static char *print_top(unsigned index, unsigned parent, unsigned *utime, unsigne | |||
140 | unsigned hour = uptime; | 140 | unsigned hour = uptime; |
141 | char uptime_str[50]; | 141 | char uptime_str[50]; |
142 | snprintf(uptime_str, 50, "%02u:%02u:%02u", hour, min, sec); | 142 | snprintf(uptime_str, 50, "%02u:%02u:%02u", hour, min, sec); |
143 | 143 | ||
144 | // cpu | 144 | // cpu |
145 | itv *= clocktick; | 145 | itv *= clocktick; |
146 | float ud = (float) (*utime - pids[index].utime) / itv * 100; | 146 | float ud = (float) (*utime - pids[index].utime) / itv * 100; |
@@ -153,18 +153,18 @@ static char *print_top(unsigned index, unsigned parent, unsigned *utime, unsigne | |||
153 | // process count | 153 | // process count |
154 | char prcs_str[10]; | 154 | char prcs_str[10]; |
155 | snprintf(prcs_str, 10, "%d", *cnt); | 155 | snprintf(prcs_str, 10, "%d", *cnt); |
156 | 156 | ||
157 | if (asprintf(&rv, "%-5.5s %-9.9s %-8.8s %-8.8s %-5.5s %-4.4s %-9.9s %s", | 157 | if (asprintf(&rv, "%-5.5s %-9.9s %-8.8s %-8.8s %-5.5s %-4.4s %-9.9s %s", |
158 | pidstr, ptruser, rss, shared, cpu_str, prcs_str, uptime_str, ptrcmd) == -1) | 158 | pidstr, ptruser, rss, shared, cpu_str, prcs_str, uptime_str, ptrcmd) == -1) |
159 | errExit("asprintf"); | 159 | errExit("asprintf"); |
160 | 160 | ||
161 | if (cmd) | 161 | if (cmd) |
162 | free(cmd); | 162 | free(cmd); |
163 | if (user) | 163 | if (user) |
164 | free(user); | 164 | free(user); |
165 | 165 | ||
166 | } | 166 | } |
167 | 167 | ||
168 | return rv; | 168 | return rv; |
169 | } | 169 | } |
170 | 170 | ||
@@ -174,7 +174,7 @@ typedef struct node_t { | |||
174 | char *line; | 174 | char *line; |
175 | float cpu; | 175 | float cpu; |
176 | } Node; | 176 | } Node; |
177 | 177 | ||
178 | static Node *head = NULL; | 178 | static Node *head = NULL; |
179 | 179 | ||
180 | static void head_clear(void) { | 180 | static void head_clear(void) { |
@@ -186,7 +186,7 @@ static void head_clear(void) { | |||
186 | free(ptr); | 186 | free(ptr); |
187 | ptr = next; | 187 | ptr = next; |
188 | } | 188 | } |
189 | 189 | ||
190 | head = NULL; | 190 | head = NULL; |
191 | } | 191 | } |
192 | 192 | ||
@@ -198,14 +198,14 @@ static void head_add(float cpu, char *line) { | |||
198 | node->line = line; | 198 | node->line = line; |
199 | node->cpu = cpu; | 199 | node->cpu = cpu; |
200 | node->next = NULL; | 200 | node->next = NULL; |
201 | 201 | ||
202 | // insert in first list position | 202 | // insert in first list position |
203 | if (head == NULL || head->cpu < cpu) { | 203 | if (head == NULL || head->cpu < cpu) { |
204 | node->next = head; | 204 | node->next = head; |
205 | head = node; | 205 | head = node; |
206 | return; | 206 | return; |
207 | } | 207 | } |
208 | 208 | ||
209 | // insert in the right place | 209 | // insert in the right place |
210 | Node *ptr = head; | 210 | Node *ptr = head; |
211 | while (1) { | 211 | while (1) { |
@@ -215,14 +215,14 @@ static void head_add(float cpu, char *line) { | |||
215 | ptr->next = node; | 215 | ptr->next = node; |
216 | return; | 216 | return; |
217 | } | 217 | } |
218 | 218 | ||
219 | // current position | 219 | // current position |
220 | if (current->cpu < cpu) { | 220 | if (current->cpu < cpu) { |
221 | ptr->next = node; | 221 | ptr->next = node; |
222 | node->next = current; | 222 | node->next = current; |
223 | return; | 223 | return; |
224 | } | 224 | } |
225 | 225 | ||
226 | ptr = current; | 226 | ptr = current; |
227 | } | 227 | } |
228 | } | 228 | } |
@@ -233,10 +233,10 @@ void head_print(int col, int row) { | |||
233 | while (ptr) { | 233 | while (ptr) { |
234 | if (current >= row) | 234 | if (current >= row) |
235 | break; | 235 | break; |
236 | 236 | ||
237 | if (strlen(ptr->line) > (size_t)col) | 237 | if (strlen(ptr->line) > (size_t)col) |
238 | ptr->line[col] = '\0'; | 238 | ptr->line[col] = '\0'; |
239 | 239 | ||
240 | if (ptr->next == NULL || current == (row - 1)) { | 240 | if (ptr->next == NULL || current == (row - 1)) { |
241 | printf("%s", ptr->line); | 241 | printf("%s", ptr->line); |
242 | fflush(0); | 242 | fflush(0); |
@@ -253,7 +253,7 @@ void top(void) { | |||
253 | while (1) { | 253 | while (1) { |
254 | // clear linked list | 254 | // clear linked list |
255 | head_clear(); | 255 | head_clear(); |
256 | 256 | ||
257 | // set pid table | 257 | // set pid table |
258 | int i; | 258 | int i; |
259 | int itv = 1; // 1 second interval | 259 | int itv = 1; // 1 second interval |
@@ -266,10 +266,10 @@ void top(void) { | |||
266 | if (pids[i].level == 1) | 266 | if (pids[i].level == 1) |
267 | pid_store_cpu(i, 0, &utime, &stime); | 267 | pid_store_cpu(i, 0, &utime, &stime); |
268 | } | 268 | } |
269 | 269 | ||
270 | // wait 1 second | 270 | // wait 1 second |
271 | firemon_sleep(itv); | 271 | firemon_sleep(itv); |
272 | 272 | ||
273 | // grab screen size | 273 | // grab screen size |
274 | struct winsize sz; | 274 | struct winsize sz; |
275 | int row = 24; | 275 | int row = 24; |
@@ -288,7 +288,7 @@ void top(void) { | |||
288 | if (row > 0) | 288 | if (row > 0) |
289 | row--; | 289 | row--; |
290 | free(header); | 290 | free(header); |
291 | 291 | ||
292 | // find system uptime | 292 | // find system uptime |
293 | FILE *fp = fopen("/proc/uptime", "r"); | 293 | FILE *fp = fopen("/proc/uptime", "r"); |
294 | if (fp) { | 294 | if (fp) { |
@@ -315,4 +315,3 @@ void top(void) { | |||
315 | #endif | 315 | #endif |
316 | } | 316 | } |
317 | } | 317 | } |
318 | |||
diff --git a/src/firemon/tree.c b/src/firemon/tree.c index 3fdcc4d37..99f68c262 100644 --- a/src/firemon/tree.c +++ b/src/firemon/tree.c | |||
@@ -21,7 +21,7 @@ | |||
21 | 21 | ||
22 | void tree(pid_t pid) { | 22 | void tree(pid_t pid) { |
23 | pid_read(pid); | 23 | pid_read(pid); |
24 | 24 | ||
25 | // print processes | 25 | // print processes |
26 | int i; | 26 | int i; |
27 | for (i = 0; i < max_pids; i++) { | 27 | for (i = 0; i < max_pids; i++) { |
@@ -30,4 +30,3 @@ void tree(pid_t pid) { | |||
30 | } | 30 | } |
31 | printf("\n"); | 31 | printf("\n"); |
32 | } | 32 | } |
33 | |||
diff --git a/src/firemon/x11.c b/src/firemon/x11.c index c923c8ef8..7e331795f 100644 --- a/src/firemon/x11.c +++ b/src/firemon/x11.c | |||
@@ -21,17 +21,17 @@ | |||
21 | #include <sys/types.h> | 21 | #include <sys/types.h> |
22 | #include <sys/stat.h> | 22 | #include <sys/stat.h> |
23 | #include <unistd.h> | 23 | #include <unistd.h> |
24 | 24 | ||
25 | void x11(pid_t pid, int print_procs) { | 25 | void x11(pid_t pid, int print_procs) { |
26 | pid_read(pid); | 26 | pid_read(pid); |
27 | 27 | ||
28 | // print processes | 28 | // print processes |
29 | int i; | 29 | int i; |
30 | for (i = 0; i < max_pids; i++) { | 30 | for (i = 0; i < max_pids; i++) { |
31 | if (pids[i].level == 1) { | 31 | if (pids[i].level == 1) { |
32 | if (print_procs || pid == 0) | 32 | if (print_procs || pid == 0) |
33 | pid_print_list(i, arg_nowrap); | 33 | pid_print_list(i, arg_nowrap); |
34 | 34 | ||
35 | char *x11file; | 35 | char *x11file; |
36 | // todo: use macro from src/firejail/firejail.h for /run/firejail/x11 directory | 36 | // todo: use macro from src/firejail/firejail.h for /run/firejail/x11 directory |
37 | if (asprintf(&x11file, "/run/firejail/x11/%d", i) == -1) | 37 | if (asprintf(&x11file, "/run/firejail/x11/%d", i) == -1) |
@@ -53,4 +53,3 @@ void x11(pid_t pid, int print_procs) { | |||
53 | } | 53 | } |
54 | printf("\n"); | 54 | printf("\n"); |
55 | } | 55 | } |
56 | |||
diff --git a/src/floader/README.md b/src/floader/README.md index d437763a7..c1e14b2a6 100644 --- a/src/floader/README.md +++ b/src/floader/README.md | |||
@@ -5,5 +5,3 @@ READ ME | |||
5 | * Add comma separated process names to ~/.loader.conf | 5 | * Add comma separated process names to ~/.loader.conf |
6 | * export LD_PRELOAD=<path>./loader.so (ideally to .bashrc) | 6 | * export LD_PRELOAD=<path>./loader.so (ideally to .bashrc) |
7 | * Run any application within shell | 7 | * Run any application within shell |
8 | |||
9 | |||
diff --git a/src/floader/loader.c b/src/floader/loader.c index 0970794e9..6b9f92f18 100644 --- a/src/floader/loader.c +++ b/src/floader/loader.c | |||
@@ -1,13 +1,13 @@ | |||
1 | /* | 1 | /* |
2 | * Copyright (C) 2017 Madura A. (madura.x86@gmail.com) | 2 | * Copyright (C) 2017 Madura A. (madura.x86@gmail.com) |
3 | * | 3 | * |
4 | */ | 4 | */ |
5 | #include <sys/types.h> | 5 | #include <sys/types.h> |
6 | #include <sys/stat.h> | 6 | #include <sys/stat.h> |
7 | #include <sys/mman.h> | 7 | #include <sys/mman.h> |
8 | #include <fcntl.h> | 8 | #include <fcntl.h> |
9 | #include <unistd.h> | 9 | #include <unistd.h> |
10 | 10 | ||
11 | #include <string.h> | 11 | #include <string.h> |
12 | #include <stdio.h> | 12 | #include <stdio.h> |
13 | #include <stdlib.h> | 13 | #include <stdlib.h> |
@@ -35,7 +35,7 @@ void remove_trailing_spaces(char *str) | |||
35 | { | 35 | { |
36 | str++; | 36 | str++; |
37 | } | 37 | } |
38 | 38 | ||
39 | while (*str != '\0') | 39 | while (*str != '\0') |
40 | { | 40 | { |
41 | *str = '\0'; | 41 | *str = '\0'; |
@@ -70,7 +70,7 @@ void make_args() | |||
70 | { | 70 | { |
71 | if (cmdline[cI] == '\0') | 71 | if (cmdline[cI] == '\0') |
72 | { | 72 | { |
73 | args[argI]= argstart; | 73 | args[argI]= argstart; |
74 | argstart = &cmdline[cI+1]; | 74 | argstart = &cmdline[cI+1]; |
75 | argI++; | 75 | argI++; |
76 | if (*argstart == '\0') | 76 | if (*argstart == '\0') |
@@ -89,11 +89,11 @@ void loader_main() | |||
89 | snprintf(confFile, 255, "%s/.loader.conf", getenv("HOME")); | 89 | snprintf(confFile, 255, "%s/.loader.conf", getenv("HOME")); |
90 | 90 | ||
91 | struct stat confFileStat; | 91 | struct stat confFileStat; |
92 | 92 | ||
93 | stat(confFile, &confFileStat); | 93 | stat(confFile, &confFileStat); |
94 | 94 | ||
95 | int confFd = open(confFile, O_RDONLY); | 95 | int confFd = open(confFile, O_RDONLY); |
96 | 96 | ||
97 | if (confFd == -1) | 97 | if (confFd == -1) |
98 | { | 98 | { |
99 | close(confFd); | 99 | close(confFd); |
@@ -111,7 +111,7 @@ void loader_main() | |||
111 | close(confFd); | 111 | close(confFd); |
112 | return; | 112 | return; |
113 | } | 113 | } |
114 | 114 | ||
115 | close(confFd); | 115 | close(confFd); |
116 | size_t fI = 0; | 116 | size_t fI = 0; |
117 | int matchId = 0; | 117 | int matchId = 0; |
@@ -123,17 +123,17 @@ void loader_main() | |||
123 | { | 123 | { |
124 | names[matchId] = &conf[fI+1]; | 124 | names[matchId] = &conf[fI+1]; |
125 | conf[fI] = '\0'; | 125 | conf[fI] = '\0'; |
126 | 126 | ||
127 | matchId++; | 127 | matchId++; |
128 | } | 128 | } |
129 | } | 129 | } |
130 | 130 | ||
131 | remove_trailing_spaces(names[matchId-1]); | 131 | remove_trailing_spaces(names[matchId-1]); |
132 | 132 | ||
133 | read_cmdline(); | 133 | read_cmdline(); |
134 | 134 | ||
135 | make_args(); | 135 | make_args(); |
136 | 136 | ||
137 | #ifdef DEBUG | 137 | #ifdef DEBUG |
138 | int xarg=0; | 138 | int xarg=0; |
139 | while (args[xarg] != NULL) | 139 | while (args[xarg] != NULL) |
@@ -144,18 +144,18 @@ void loader_main() | |||
144 | #endif | 144 | #endif |
145 | 145 | ||
146 | int x; | 146 | int x; |
147 | 147 | ||
148 | for (x = 0;x<matchId;x++) | 148 | for (x = 0;x<matchId;x++) |
149 | { | 149 | { |
150 | DBG("%s\n",names[x]); | 150 | DBG("%s\n",names[x]); |
151 | if (strstr(args[0], names[x]) != NULL) | 151 | if (strstr(args[0], names[x]) != NULL) |
152 | { | 152 | { |
153 | DBG("highjack!\n"); | 153 | DBG("highjack!\n"); |
154 | 154 | ||
155 | free(conf); | 155 | free(conf); |
156 | 156 | ||
157 | execvp(loader, args ); | 157 | execvp(loader, args ); |
158 | } | 158 | } |
159 | } | 159 | } |
160 | 160 | ||
161 | } | 161 | } |
diff --git a/src/floader/makefile b/src/floader/makefile index 0de6a3138..eeb96571d 100644 --- a/src/floader/makefile +++ b/src/floader/makefile | |||
@@ -3,5 +3,3 @@ all: | |||
3 | 3 | ||
4 | debug: | 4 | debug: |
5 | gcc -ggdb -shared -DDEBUG -fPIC loader.c -o loader.so | 5 | gcc -ggdb -shared -DDEBUG -fPIC loader.c -o loader.so |
6 | |||
7 | |||
diff --git a/src/fnet/Makefile.in b/src/fnet/Makefile.in index 32f08882a..5932737ce 100644 --- a/src/fnet/Makefile.in +++ b/src/fnet/Makefile.in | |||
@@ -42,4 +42,3 @@ clean:; rm -f *.o fnet *.gcov *.gcda *.gcno | |||
42 | 42 | ||
43 | distclean: clean | 43 | distclean: clean |
44 | rm -fr Makefile | 44 | rm -fr Makefile |
45 | |||
diff --git a/src/fnet/arp.c b/src/fnet/arp.c index a7f0a603a..4736f3509 100644 --- a/src/fnet/arp.c +++ b/src/fnet/arp.c | |||
@@ -48,12 +48,12 @@ void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) { | |||
48 | 48 | ||
49 | // printf("Scanning interface %s (%d.%d.%d.%d/%d)\n", | 49 | // printf("Scanning interface %s (%d.%d.%d.%d/%d)\n", |
50 | // dev, PRINT_IP(ifip & ifmask), mask2bits(ifmask)); | 50 | // dev, PRINT_IP(ifip & ifmask), mask2bits(ifmask)); |
51 | 51 | ||
52 | if (strlen(dev) > IFNAMSIZ) { | 52 | if (strlen(dev) > IFNAMSIZ) { |
53 | fprintf(stderr, "Error: invalid network device name %s\n", dev); | 53 | fprintf(stderr, "Error: invalid network device name %s\n", dev); |
54 | exit(1); | 54 | exit(1); |
55 | } | 55 | } |
56 | 56 | ||
57 | // find interface mac address | 57 | // find interface mac address |
58 | int sock; | 58 | int sock; |
59 | if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) | 59 | if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) |
@@ -70,7 +70,7 @@ void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) { | |||
70 | // open layer2 socket | 70 | // open layer2 socket |
71 | if ((sock = socket(PF_PACKET, SOCK_RAW, htons (ETH_P_ALL))) < 0) | 71 | if ((sock = socket(PF_PACKET, SOCK_RAW, htons (ETH_P_ALL))) < 0) |
72 | errExit("socket"); | 72 | errExit("socket"); |
73 | 73 | ||
74 | // try all possible ip addresses in ascending order | 74 | // try all possible ip addresses in ascending order |
75 | uint32_t range = ~ifmask + 1; // the number of potential addresses | 75 | uint32_t range = ~ifmask + 1; // the number of potential addresses |
76 | // this software is not supported for /31 networks | 76 | // this software is not supported for /31 networks |
@@ -90,7 +90,7 @@ void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) { | |||
90 | struct timeval ts; | 90 | struct timeval ts; |
91 | ts.tv_sec = 2; // 2 seconds receive timeout | 91 | ts.tv_sec = 2; // 2 seconds receive timeout |
92 | ts.tv_usec = 0; | 92 | ts.tv_usec = 0; |
93 | 93 | ||
94 | while (1) { | 94 | while (1) { |
95 | fd_set rfds; | 95 | fd_set rfds; |
96 | FD_ZERO(&rfds); | 96 | FD_ZERO(&rfds); |
@@ -101,21 +101,21 @@ void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) { | |||
101 | int maxfd = sock; | 101 | int maxfd = sock; |
102 | 102 | ||
103 | uint8_t frame[ETH_FRAME_LEN]; // includes eht header, vlan, and crc | 103 | uint8_t frame[ETH_FRAME_LEN]; // includes eht header, vlan, and crc |
104 | memset(frame, 0, ETH_FRAME_LEN); | 104 | memset(frame, 0, ETH_FRAME_LEN); |
105 | 105 | ||
106 | int nready; | 106 | int nready; |
107 | if (dest < last) | 107 | if (dest < last) |
108 | nready = select(maxfd + 1, &rfds, &wfds, (fd_set *) 0, NULL); | 108 | nready = select(maxfd + 1, &rfds, &wfds, (fd_set *) 0, NULL); |
109 | else | 109 | else |
110 | nready = select(maxfd + 1, &rfds, (fd_set *) 0, (fd_set *) 0, &ts); | 110 | nready = select(maxfd + 1, &rfds, (fd_set *) 0, (fd_set *) 0, &ts); |
111 | 111 | ||
112 | if (nready < 0) | 112 | if (nready < 0) |
113 | errExit("select"); | 113 | errExit("select"); |
114 | 114 | ||
115 | if (nready == 0) { // timeout | 115 | if (nready == 0) { // timeout |
116 | break; | 116 | break; |
117 | } | 117 | } |
118 | 118 | ||
119 | if (FD_ISSET(sock, &wfds) && dest < last) { | 119 | if (FD_ISSET(sock, &wfds) && dest < last) { |
120 | // configure layer2 socket address information | 120 | // configure layer2 socket address information |
121 | struct sockaddr_ll addr; | 121 | struct sockaddr_ll addr; |
@@ -125,7 +125,7 @@ void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) { | |||
125 | addr.sll_family = AF_PACKET; | 125 | addr.sll_family = AF_PACKET; |
126 | memcpy (addr.sll_addr, mac, 6); | 126 | memcpy (addr.sll_addr, mac, 6); |
127 | addr.sll_halen = htons(6); | 127 | addr.sll_halen = htons(6); |
128 | 128 | ||
129 | // build the arp packet header | 129 | // build the arp packet header |
130 | ArpHdr hdr; | 130 | ArpHdr hdr; |
131 | memset(&hdr, 0, sizeof(hdr)); | 131 | memset(&hdr, 0, sizeof(hdr)); |
@@ -138,7 +138,7 @@ void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) { | |||
138 | memcpy(hdr.sender_ip, (uint8_t *)&src, 4); | 138 | memcpy(hdr.sender_ip, (uint8_t *)&src, 4); |
139 | uint32_t dst = htonl(dest); | 139 | uint32_t dst = htonl(dest); |
140 | memcpy(hdr.target_ip, (uint8_t *)&dst, 4); | 140 | memcpy(hdr.target_ip, (uint8_t *)&dst, 4); |
141 | 141 | ||
142 | // build ethernet frame | 142 | // build ethernet frame |
143 | uint8_t frame[ETH_FRAME_LEN]; // includes eht header, vlan, and crc | 143 | uint8_t frame[ETH_FRAME_LEN]; // includes eht header, vlan, and crc |
144 | memset(frame, 0, sizeof(frame)); | 144 | memset(frame, 0, sizeof(frame)); |
@@ -147,16 +147,16 @@ void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) { | |||
147 | frame[12] = ETH_P_ARP / 256; | 147 | frame[12] = ETH_P_ARP / 256; |
148 | frame[13] = ETH_P_ARP % 256; | 148 | frame[13] = ETH_P_ARP % 256; |
149 | memcpy (frame + 14, &hdr, sizeof(hdr)); | 149 | memcpy (frame + 14, &hdr, sizeof(hdr)); |
150 | 150 | ||
151 | // send packet | 151 | // send packet |
152 | int len; | 152 | int len; |
153 | if ((len = sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr))) <= 0) | 153 | if ((len = sendto (sock, frame, 14 + sizeof(ArpHdr), 0, (struct sockaddr *) &addr, sizeof (addr))) <= 0) |
154 | errExit("send"); | 154 | errExit("send"); |
155 | //printf("send %d bytes to %d.%d.%d.%d\n", len, PRINT_IP(dest)); | 155 | //printf("send %d bytes to %d.%d.%d.%d\n", len, PRINT_IP(dest)); |
156 | fflush(0); | 156 | fflush(0); |
157 | dest++; | 157 | dest++; |
158 | } | 158 | } |
159 | 159 | ||
160 | if (FD_ISSET(sock, &rfds)) { | 160 | if (FD_ISSET(sock, &rfds)) { |
161 | // read the incoming packet | 161 | // read the incoming packet |
162 | int len = recvfrom(sock, frame, ETH_FRAME_LEN, 0, NULL, NULL); | 162 | int len = recvfrom(sock, frame, ETH_FRAME_LEN, 0, NULL, NULL); |
@@ -185,24 +185,21 @@ void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) { | |||
185 | continue; | 185 | continue; |
186 | memcpy(&ip, hdr.sender_ip, 4); | 186 | memcpy(&ip, hdr.sender_ip, 4); |
187 | ip = ntohl(ip); | 187 | ip = ntohl(ip); |
188 | 188 | ||
189 | if (ip == last_ip) // filter duplicates | 189 | if (ip == last_ip) // filter duplicates |
190 | continue; | 190 | continue; |
191 | last_ip = ip; | 191 | last_ip = ip; |
192 | 192 | ||
193 | // printing | 193 | // printing |
194 | if (header_printed == 0) { | 194 | if (header_printed == 0) { |
195 | printf(" Network scan:\n"); | 195 | printf(" Network scan:\n"); |
196 | header_printed = 1; | 196 | header_printed = 1; |
197 | } | 197 | } |
198 | printf(" %02x:%02x:%02x:%02x:%02x:%02x\t%d.%d.%d.%d\n", | 198 | printf(" %02x:%02x:%02x:%02x:%02x:%02x\t%d.%d.%d.%d\n", |
199 | PRINT_MAC(hdr.sender_mac), PRINT_IP(ip)); | 199 | PRINT_MAC(hdr.sender_mac), PRINT_IP(ip)); |
200 | } | 200 | } |
201 | } | 201 | } |
202 | } | 202 | } |
203 | 203 | ||
204 | close(sock); | 204 | close(sock); |
205 | } | 205 | } |
206 | |||
207 | |||
208 | |||
diff --git a/src/fnet/interface.c b/src/fnet/interface.c index 33ad766ec..8c1fd6ca4 100644 --- a/src/fnet/interface.c +++ b/src/fnet/interface.c | |||
@@ -40,7 +40,7 @@ static void check_if_name(const char *ifname) { | |||
40 | void net_bridge_add_interface(const char *bridge, const char *dev) { | 40 | void net_bridge_add_interface(const char *bridge, const char *dev) { |
41 | check_if_name(bridge); | 41 | check_if_name(bridge); |
42 | check_if_name(dev); | 42 | check_if_name(dev); |
43 | 43 | ||
44 | // somehow adding the interface to the bridge resets MTU on bridge device!!! | 44 | // somehow adding the interface to the bridge resets MTU on bridge device!!! |
45 | // workaround: restore MTU on the bridge device | 45 | // workaround: restore MTU on the bridge device |
46 | // todo: put a real fix in | 46 | // todo: put a real fix in |
@@ -82,7 +82,7 @@ void net_bridge_add_interface(const char *bridge, const char *dev) { | |||
82 | // bring interface up | 82 | // bring interface up |
83 | void net_if_up(const char *ifname) { | 83 | void net_if_up(const char *ifname) { |
84 | check_if_name(ifname); | 84 | check_if_name(ifname); |
85 | 85 | ||
86 | int sock = socket(AF_INET,SOCK_DGRAM,0); | 86 | int sock = socket(AF_INET,SOCK_DGRAM,0); |
87 | if (sock < 0) | 87 | if (sock < 0) |
88 | errExit("socket"); | 88 | errExit("socket"); |
@@ -139,8 +139,8 @@ int net_get_mtu(const char *ifname) { | |||
139 | if (ioctl(s, SIOCGIFMTU, (caddr_t)&ifr) == 0) | 139 | if (ioctl(s, SIOCGIFMTU, (caddr_t)&ifr) == 0) |
140 | mtu = ifr.ifr_mtu; | 140 | mtu = ifr.ifr_mtu; |
141 | close(s); | 141 | close(s); |
142 | 142 | ||
143 | 143 | ||
144 | return mtu; | 144 | return mtu; |
145 | } | 145 | } |
146 | 146 | ||
@@ -197,7 +197,7 @@ void net_ifprint(int scan) { | |||
197 | sprintf(ipstr, "%d.%d.%d.%d", PRINT_IP(ip)); | 197 | sprintf(ipstr, "%d.%d.%d.%d", PRINT_IP(ip)); |
198 | char maskstr[30]; | 198 | char maskstr[30]; |
199 | sprintf(maskstr, "%d.%d.%d.%d", PRINT_IP(mask)); | 199 | sprintf(maskstr, "%d.%d.%d.%d", PRINT_IP(mask)); |
200 | 200 | ||
201 | // mac address | 201 | // mac address |
202 | unsigned char mac[6]; | 202 | unsigned char mac[6]; |
203 | net_get_mac(ifa->ifa_name, mac); | 203 | net_get_mac(ifa->ifa_name, mac); |
@@ -207,7 +207,7 @@ void net_ifprint(int scan) { | |||
207 | else | 207 | else |
208 | sprintf(macstr, "%02x:%02x:%02x:%02x:%02x:%02x", PRINT_MAC(mac)); | 208 | sprintf(macstr, "%02x:%02x:%02x:%02x:%02x:%02x", PRINT_MAC(mac)); |
209 | 209 | ||
210 | 210 | ||
211 | printf("%-17.17s%-19.19s%-17.17s%-17.17s%-6.6s\n", | 211 | printf("%-17.17s%-19.19s%-17.17s%-17.17s%-6.6s\n", |
212 | ifa->ifa_name, macstr, ipstr, maskstr, status); | 212 | ifa->ifa_name, macstr, ipstr, maskstr, status); |
213 | 213 | ||
@@ -240,7 +240,7 @@ int net_get_mac(const char *ifname, unsigned char mac[6]) { | |||
240 | memset(&ifr, 0, sizeof(ifr)); | 240 | memset(&ifr, 0, sizeof(ifr)); |
241 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ); | 241 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ); |
242 | ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER; | 242 | ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER; |
243 | 243 | ||
244 | if (ioctl(sock, SIOCGIFHWADDR, &ifr) == -1) | 244 | if (ioctl(sock, SIOCGIFHWADDR, &ifr) == -1) |
245 | errExit("ioctl"); | 245 | errExit("ioctl"); |
246 | memcpy(mac, ifr.ifr_hwaddr.sa_data, 6); | 246 | memcpy(mac, ifr.ifr_hwaddr.sa_data, 6); |
@@ -262,7 +262,7 @@ void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) { | |||
262 | ifr.ifr_addr.sa_family = AF_INET; | 262 | ifr.ifr_addr.sa_family = AF_INET; |
263 | 263 | ||
264 | ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr = htonl(ip); | 264 | ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr = htonl(ip); |
265 | if (ioctl( sock, SIOCSIFADDR, &ifr ) < 0) | 265 | if (ioctl( sock, SIOCSIFADDR, &ifr ) < 0) |
266 | errExit("ioctl"); | 266 | errExit("ioctl"); |
267 | 267 | ||
268 | if (ip != 0) { | 268 | if (ip != 0) { |
@@ -270,7 +270,7 @@ void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) { | |||
270 | if (ioctl( sock, SIOCSIFNETMASK, &ifr ) < 0) | 270 | if (ioctl( sock, SIOCSIFNETMASK, &ifr ) < 0) |
271 | errExit("ioctl"); | 271 | errExit("ioctl"); |
272 | } | 272 | } |
273 | 273 | ||
274 | // configure mtu | 274 | // configure mtu |
275 | if (mtu > 0) { | 275 | if (mtu > 0) { |
276 | ifr.ifr_mtu = mtu; | 276 | ifr.ifr_mtu = mtu; |
@@ -295,7 +295,7 @@ int net_if_mac(const char *ifname, const unsigned char mac[6]) { | |||
295 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ); | 295 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ); |
296 | ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER; | 296 | ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER; |
297 | memcpy(ifr.ifr_hwaddr.sa_data, mac, 6); | 297 | memcpy(ifr.ifr_hwaddr.sa_data, mac, 6); |
298 | 298 | ||
299 | if (ioctl(sock, SIOCSIFHWADDR, &ifr) == -1) | 299 | if (ioctl(sock, SIOCSIFHWADDR, &ifr) == -1) |
300 | errExit("ioctl"); | 300 | errExit("ioctl"); |
301 | close(sock); | 301 | close(sock); |
@@ -315,7 +315,7 @@ void net_if_ip6(const char *ifname, const char *addr6) { | |||
315 | fprintf(stderr, "Error fnet: invalid IPv6 address %s\n", addr6); | 315 | fprintf(stderr, "Error fnet: invalid IPv6 address %s\n", addr6); |
316 | exit(1); | 316 | exit(1); |
317 | } | 317 | } |
318 | 318 | ||
319 | // extract prefix | 319 | // extract prefix |
320 | unsigned long prefix; | 320 | unsigned long prefix; |
321 | char *ptr; | 321 | char *ptr; |
@@ -367,6 +367,6 @@ void net_if_ip6(const char *ifname, const char *addr6) { | |||
367 | perror("ioctl SIOCSIFADDR"); | 367 | perror("ioctl SIOCSIFADDR"); |
368 | exit(1); | 368 | exit(1); |
369 | } | 369 | } |
370 | 370 | ||
371 | close(sock); | 371 | close(sock); |
372 | } | 372 | } |
diff --git a/src/fnet/main.c b/src/fnet/main.c index 0c55f3141..f44760b5c 100644 --- a/src/fnet/main.c +++ b/src/fnet/main.c | |||
@@ -41,7 +41,7 @@ int i; | |||
41 | for (i = 0; i < argc; i++) | 41 | for (i = 0; i < argc; i++) |
42 | printf("*%s* ", argv[i]); | 42 | printf("*%s* ", argv[i]); |
43 | printf("\n"); | 43 | printf("\n"); |
44 | } | 44 | } |
45 | #endif | 45 | #endif |
46 | if (argc < 2) { | 46 | if (argc < 2) { |
47 | usage(); | 47 | usage(); |
@@ -51,7 +51,7 @@ printf("\n"); | |||
51 | char *quiet = getenv("FIREJAIL_QUIET"); | 51 | char *quiet = getenv("FIREJAIL_QUIET"); |
52 | if (quiet && strcmp(quiet, "yes") == 0) | 52 | if (quiet && strcmp(quiet, "yes") == 0) |
53 | arg_quiet = 1; | 53 | arg_quiet = 1; |
54 | 54 | ||
55 | if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) { | 55 | if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) { |
56 | usage(); | 56 | usage(); |
57 | return 0; | 57 | return 0; |
diff --git a/src/fnet/veth.c b/src/fnet/veth.c index 86d9d5190..d37c93a19 100644 --- a/src/fnet/veth.c +++ b/src/fnet/veth.c | |||
@@ -1,16 +1,16 @@ | |||
1 | /* code based on iproute2 ip/iplink.c, modified to be included in firejail project | 1 | /* code based on iproute2 ip/iplink.c, modified to be included in firejail project |
2 | * | 2 | * |
3 | * Original source code: | 3 | * Original source code: |
4 | * | 4 | * |
5 | * Information: | 5 | * Information: |
6 | * http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2 | 6 | * http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2 |
7 | * | 7 | * |
8 | * Download: | 8 | * Download: |
9 | * http://www.kernel.org/pub/linux/utils/net/iproute2/ | 9 | * http://www.kernel.org/pub/linux/utils/net/iproute2/ |
10 | * | 10 | * |
11 | * Repository: | 11 | * Repository: |
12 | * git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git | 12 | * git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git |
13 | * | 13 | * |
14 | * License: GPL v2 | 14 | * License: GPL v2 |
15 | * | 15 | * |
16 | * Original copyright header | 16 | * Original copyright header |
@@ -112,7 +112,7 @@ int net_create_veth(const char *dev, const char *nsdev, unsigned pid) { | |||
112 | exit(2); | 112 | exit(2); |
113 | 113 | ||
114 | rtnl_close(&rth); | 114 | rtnl_close(&rth); |
115 | 115 | ||
116 | return 0; | 116 | return 0; |
117 | } | 117 | } |
118 | 118 | ||
@@ -134,13 +134,13 @@ int net_create_macvlan(const char *dev, const char *parent, unsigned pid) { | |||
134 | req.n.nlmsg_flags = NLM_F_REQUEST|NLM_F_CREATE|NLM_F_EXCL; | 134 | req.n.nlmsg_flags = NLM_F_REQUEST|NLM_F_CREATE|NLM_F_EXCL; |
135 | req.n.nlmsg_type = RTM_NEWLINK; | 135 | req.n.nlmsg_type = RTM_NEWLINK; |
136 | req.i.ifi_family = 0; | 136 | req.i.ifi_family = 0; |
137 | 137 | ||
138 | // find parent ifindex | 138 | // find parent ifindex |
139 | int parent_ifindex = if_nametoindex(parent); | 139 | int parent_ifindex = if_nametoindex(parent); |
140 | if (parent_ifindex <= 0) { | 140 | if (parent_ifindex <= 0) { |
141 | fprintf(stderr, "Error: cannot find network device %s\n", parent); | 141 | fprintf(stderr, "Error: cannot find network device %s\n", parent); |
142 | exit(1); | 142 | exit(1); |
143 | } | 143 | } |
144 | 144 | ||
145 | // add parent | 145 | // add parent |
146 | addattr_l(&req.n, sizeof(req), IFLA_LINK, &parent_ifindex, 4); | 146 | addattr_l(&req.n, sizeof(req), IFLA_LINK, &parent_ifindex, 4); |
@@ -148,7 +148,7 @@ int net_create_macvlan(const char *dev, const char *parent, unsigned pid) { | |||
148 | // add new interface name | 148 | // add new interface name |
149 | len = strlen(dev) + 1; | 149 | len = strlen(dev) + 1; |
150 | addattr_l(&req.n, sizeof(req), IFLA_IFNAME, dev, len); | 150 | addattr_l(&req.n, sizeof(req), IFLA_IFNAME, dev, len); |
151 | 151 | ||
152 | // place the interface in child namespace | 152 | // place the interface in child namespace |
153 | addattr_l (&req.n, sizeof(req), IFLA_NET_NS_PID, &pid, 4); | 153 | addattr_l (&req.n, sizeof(req), IFLA_NET_NS_PID, &pid, 4); |
154 | 154 | ||
@@ -176,7 +176,7 @@ int net_create_macvlan(const char *dev, const char *parent, unsigned pid) { | |||
176 | exit(2); | 176 | exit(2); |
177 | 177 | ||
178 | rtnl_close(&rth); | 178 | rtnl_close(&rth); |
179 | 179 | ||
180 | return 0; | 180 | return 0; |
181 | } | 181 | } |
182 | 182 | ||
@@ -197,7 +197,7 @@ int net_move_interface(const char *dev, unsigned pid) { | |||
197 | req.n.nlmsg_flags = NLM_F_REQUEST; | 197 | req.n.nlmsg_flags = NLM_F_REQUEST; |
198 | req.n.nlmsg_type = RTM_NEWLINK; | 198 | req.n.nlmsg_type = RTM_NEWLINK; |
199 | req.i.ifi_family = 0; | 199 | req.i.ifi_family = 0; |
200 | 200 | ||
201 | // find ifindex | 201 | // find ifindex |
202 | int ifindex = if_nametoindex(dev); | 202 | int ifindex = if_nametoindex(dev); |
203 | if (ifindex <= 0) { | 203 | if (ifindex <= 0) { |
@@ -205,7 +205,7 @@ int net_move_interface(const char *dev, unsigned pid) { | |||
205 | exit(1); | 205 | exit(1); |
206 | } | 206 | } |
207 | req.i.ifi_index = ifindex; | 207 | req.i.ifi_index = ifindex; |
208 | 208 | ||
209 | // place the interface in child namespace | 209 | // place the interface in child namespace |
210 | addattr_l (&req.n, sizeof(req), IFLA_NET_NS_PID, &pid, 4); | 210 | addattr_l (&req.n, sizeof(req), IFLA_NET_NS_PID, &pid, 4); |
211 | 211 | ||
@@ -214,7 +214,7 @@ int net_move_interface(const char *dev, unsigned pid) { | |||
214 | exit(2); | 214 | exit(2); |
215 | 215 | ||
216 | rtnl_close(&rth); | 216 | rtnl_close(&rth); |
217 | 217 | ||
218 | return 0; | 218 | return 0; |
219 | } | 219 | } |
220 | 220 | ||
@@ -233,4 +233,4 @@ int main(int argc, char **argv) { | |||
233 | 233 | ||
234 | return 0; | 234 | return 0; |
235 | } | 235 | } |
236 | */ \ No newline at end of file | 236 | */ |
diff --git a/src/fseccomp/Makefile.in b/src/fseccomp/Makefile.in index 04c46f128..13025fbca 100644 --- a/src/fseccomp/Makefile.in +++ b/src/fseccomp/Makefile.in | |||
@@ -42,4 +42,3 @@ clean:; rm -f *.o fseccomp *.gcov *.gcda *.gcno | |||
42 | 42 | ||
43 | distclean: clean | 43 | distclean: clean |
44 | rm -fr Makefile | 44 | rm -fr Makefile |
45 | |||
diff --git a/src/fseccomp/errno.c b/src/fseccomp/errno.c index 3e92a1f9d..e5cd4e226 100644 --- a/src/fseccomp/errno.c +++ b/src/fseccomp/errno.c | |||
@@ -167,7 +167,7 @@ static ErrnoEntry errnolist[] = { | |||
167 | {"ENOTSUP", ENOTSUP}, | 167 | {"ENOTSUP", ENOTSUP}, |
168 | #ifdef ENOATTR | 168 | #ifdef ENOATTR |
169 | {"ENOATTR", ENOATTR}, | 169 | {"ENOATTR", ENOATTR}, |
170 | #endif | 170 | #endif |
171 | }; | 171 | }; |
172 | 172 | ||
173 | int errno_find_name(const char *name) { | 173 | int errno_find_name(const char *name) { |
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index 7e0239a5f..e322b5bbb 100644 --- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c | |||
@@ -46,7 +46,7 @@ int i; | |||
46 | for (i = 0; i < argc; i++) | 46 | for (i = 0; i < argc; i++) |
47 | printf("*%s* ", argv[i]); | 47 | printf("*%s* ", argv[i]); |
48 | printf("\n"); | 48 | printf("\n"); |
49 | } | 49 | } |
50 | #endif | 50 | #endif |
51 | if (argc < 2) { | 51 | if (argc < 2) { |
52 | usage(); | 52 | usage(); |
@@ -56,7 +56,7 @@ printf("\n"); | |||
56 | char *quiet = getenv("FIREJAIL_QUIET"); | 56 | char *quiet = getenv("FIREJAIL_QUIET"); |
57 | if (quiet && strcmp(quiet, "yes") == 0) | 57 | if (quiet && strcmp(quiet, "yes") == 0) |
58 | arg_quiet = 1; | 58 | arg_quiet = 1; |
59 | 59 | ||
60 | if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) { | 60 | if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) { |
61 | usage(); | 61 | usage(); |
62 | return 0; | 62 | return 0; |
@@ -71,7 +71,7 @@ printf("\n"); | |||
71 | protocol_build_filter(argv[3], argv[4]); | 71 | protocol_build_filter(argv[3], argv[4]); |
72 | else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "64") == 0) | 72 | else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "64") == 0) |
73 | seccomp_secondary_64(argv[3]); | 73 | seccomp_secondary_64(argv[3]); |
74 | else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "32") == 0) | 74 | else if (argc == 4 && strcmp(argv[1], "secondary") == 0 && strcmp(argv[2], "32") == 0) |
75 | seccomp_secondary_32(argv[3]); | 75 | seccomp_secondary_32(argv[3]); |
76 | else if (argc == 3 && strcmp(argv[1], "default") == 0) | 76 | else if (argc == 3 && strcmp(argv[1], "default") == 0) |
77 | seccomp_default(argv[2], 0); | 77 | seccomp_default(argv[2], 0); |
@@ -95,4 +95,4 @@ printf("\n"); | |||
95 | } | 95 | } |
96 | 96 | ||
97 | return 0; | 97 | return 0; |
98 | } \ No newline at end of file | 98 | } |
diff --git a/src/fseccomp/protocol.c b/src/fseccomp/protocol.c index 4a0fadb3c..43bc3d562 100644 --- a/src/fseccomp/protocol.c +++ b/src/fseccomp/protocol.c | |||
@@ -87,7 +87,7 @@ static struct sock_filter *find_protocol_domain(const char *p) { | |||
87 | } | 87 | } |
88 | 88 | ||
89 | return NULL; | 89 | return NULL; |
90 | } | 90 | } |
91 | #endif | 91 | #endif |
92 | 92 | ||
93 | void protocol_print(void) { | 93 | void protocol_print(void) { |
@@ -119,7 +119,7 @@ void protocol_build_filter(const char *prlist, const char *fname) { | |||
119 | struct sock_filter filter[32]; // big enough | 119 | struct sock_filter filter[32]; // big enough |
120 | memset(&filter[0], 0, sizeof(filter)); | 120 | memset(&filter[0], 0, sizeof(filter)); |
121 | uint8_t *ptr = (uint8_t *) &filter[0]; | 121 | uint8_t *ptr = (uint8_t *) &filter[0]; |
122 | 122 | ||
123 | // header | 123 | // header |
124 | struct sock_filter filter_start[] = { | 124 | struct sock_filter filter_start[] = { |
125 | VALIDATE_ARCHITECTURE, | 125 | VALIDATE_ARCHITECTURE, |
@@ -153,7 +153,7 @@ printf("whitelist_len %u, struct sock_filter len %u\n", whitelist_len, (unsigned | |||
153 | char *token = strtok(tmplist, ","); | 153 | char *token = strtok(tmplist, ","); |
154 | if (!token) | 154 | if (!token) |
155 | errExit("strtok"); | 155 | errExit("strtok"); |
156 | 156 | ||
157 | while (token) { | 157 | while (token) { |
158 | struct sock_filter *domain = find_protocol_domain(token); | 158 | struct sock_filter *domain = find_protocol_domain(token); |
159 | if (domain == NULL) { | 159 | if (domain == NULL) { |
@@ -179,7 +179,7 @@ printf("entries %u\n", (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (uns | |||
179 | #endif | 179 | #endif |
180 | 180 | ||
181 | 181 | ||
182 | } | 182 | } |
183 | free(tmplist); | 183 | free(tmplist); |
184 | 184 | ||
185 | // add end of filter | 185 | // add end of filter |
@@ -201,14 +201,14 @@ printf("entries %u\n", (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (uns | |||
201 | } | 201 | } |
202 | printf("\n"); | 202 | printf("\n"); |
203 | } | 203 | } |
204 | #endif | 204 | #endif |
205 | // save filter to file | 205 | // save filter to file |
206 | int dst = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); | 206 | int dst = open(fname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); |
207 | if (dst < 0) { | 207 | if (dst < 0) { |
208 | fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname); | 208 | fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname); |
209 | exit(1); | 209 | exit(1); |
210 | } | 210 | } |
211 | 211 | ||
212 | int size = (int) ((uintptr_t) ptr - (uintptr_t) (filter)); | 212 | int size = (int) ((uintptr_t) ptr - (uintptr_t) (filter)); |
213 | int written = 0; | 213 | int written = 0; |
214 | while (written < size) { | 214 | while (written < size) { |
@@ -220,5 +220,5 @@ printf("entries %u\n", (unsigned) ((uint64_t) ptr - (uint64_t) (filter)) / (uns | |||
220 | written += rv; | 220 | written += rv; |
221 | } | 221 | } |
222 | close(dst); | 222 | close(dst); |
223 | #endif // SYS_socket | 223 | #endif // SYS_socket |
224 | } | 224 | } |
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c index 25a151a78..c12edfd90 100644 --- a/src/fseccomp/seccomp.c +++ b/src/fseccomp/seccomp.c | |||
@@ -257,7 +257,7 @@ void seccomp_default(const char *fname, int allow_debuggers) { | |||
257 | filter_init(fd); | 257 | filter_init(fd); |
258 | add_default_list(fd, allow_debuggers); | 258 | add_default_list(fd, allow_debuggers); |
259 | filter_end_blacklist(fd); | 259 | filter_end_blacklist(fd); |
260 | 260 | ||
261 | // close file | 261 | // close file |
262 | close(fd); | 262 | close(fd); |
263 | } | 263 | } |
@@ -281,7 +281,7 @@ void seccomp_drop(const char *fname, char *list, int allow_debuggers) { | |||
281 | exit(1); | 281 | exit(1); |
282 | } | 282 | } |
283 | filter_end_blacklist(fd); | 283 | filter_end_blacklist(fd); |
284 | 284 | ||
285 | // close file | 285 | // close file |
286 | close(fd); | 286 | close(fd); |
287 | } | 287 | } |
@@ -305,7 +305,7 @@ void seccomp_default_drop(const char *fname, char *list, int allow_debuggers) { | |||
305 | exit(1); | 305 | exit(1); |
306 | } | 306 | } |
307 | filter_end_blacklist(fd); | 307 | filter_end_blacklist(fd); |
308 | 308 | ||
309 | // close file | 309 | // close file |
310 | close(fd); | 310 | close(fd); |
311 | } | 311 | } |
@@ -326,15 +326,14 @@ void seccomp_keep(const char *fname, char *list) { | |||
326 | filter_add_whitelist(fd, SYS_setgroups, 0); | 326 | filter_add_whitelist(fd, SYS_setgroups, 0); |
327 | filter_add_whitelist(fd, SYS_dup, 0); | 327 | filter_add_whitelist(fd, SYS_dup, 0); |
328 | filter_add_whitelist(fd, SYS_prctl, 0); | 328 | filter_add_whitelist(fd, SYS_prctl, 0); |
329 | 329 | ||
330 | if (syscall_check_list(list, filter_add_whitelist, fd, 0)) { | 330 | if (syscall_check_list(list, filter_add_whitelist, fd, 0)) { |
331 | fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n"); | 331 | fprintf(stderr, "Error fseccomp: cannot build seccomp filter\n"); |
332 | exit(1); | 332 | exit(1); |
333 | } | 333 | } |
334 | 334 | ||
335 | filter_end_whitelist(fd); | 335 | filter_end_whitelist(fd); |
336 | 336 | ||
337 | // close file | 337 | // close file |
338 | close(fd); | 338 | close(fd); |
339 | } | 339 | } |
340 | |||
diff --git a/src/fseccomp/seccomp_file.c b/src/fseccomp/seccomp_file.c index d706b3359..c1e8d406f 100644 --- a/src/fseccomp/seccomp_file.c +++ b/src/fseccomp/seccomp_file.c | |||
@@ -24,7 +24,7 @@ | |||
24 | static void write_to_file(int fd, void *data, int size) { | 24 | static void write_to_file(int fd, void *data, int size) { |
25 | assert(data); | 25 | assert(data); |
26 | assert(size); | 26 | assert(size); |
27 | 27 | ||
28 | int written = 0; | 28 | int written = 0; |
29 | while (written < size) { | 29 | while (written < size) { |
30 | int rv = write(fd, (unsigned char *) data + written, size - written); | 30 | int rv = write(fd, (unsigned char *) data + written, size - written); |
@@ -69,7 +69,7 @@ void filter_init(int fd) { | |||
69 | 69 | ||
70 | void filter_add_whitelist(int fd, int syscall, int arg) { | 70 | void filter_add_whitelist(int fd, int syscall, int arg) { |
71 | (void) arg; | 71 | (void) arg; |
72 | 72 | ||
73 | struct sock_filter filter[] = { | 73 | struct sock_filter filter[] = { |
74 | WHITELIST(syscall) | 74 | WHITELIST(syscall) |
75 | }; | 75 | }; |
@@ -78,7 +78,7 @@ void filter_add_whitelist(int fd, int syscall, int arg) { | |||
78 | 78 | ||
79 | void filter_add_blacklist(int fd, int syscall, int arg) { | 79 | void filter_add_blacklist(int fd, int syscall, int arg) { |
80 | (void) arg; | 80 | (void) arg; |
81 | 81 | ||
82 | struct sock_filter filter[] = { | 82 | struct sock_filter filter[] = { |
83 | BLACKLIST(syscall) | 83 | BLACKLIST(syscall) |
84 | }; | 84 | }; |
@@ -105,4 +105,3 @@ void filter_end_whitelist(int fd) { | |||
105 | }; | 105 | }; |
106 | write_to_file(fd, filter, sizeof(filter)); | 106 | write_to_file(fd, filter, sizeof(filter)); |
107 | } | 107 | } |
108 | |||
diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c index d18f2efa5..67555e554 100644 --- a/src/fseccomp/seccomp_print.c +++ b/src/fseccomp/seccomp_print.c | |||
@@ -26,7 +26,7 @@ static int filter_cnt = 0; | |||
26 | 26 | ||
27 | static void load_seccomp(const char *fname) { | 27 | static void load_seccomp(const char *fname) { |
28 | assert(fname); | 28 | assert(fname); |
29 | 29 | ||
30 | // open filter file | 30 | // open filter file |
31 | int fd = open(fname, O_RDONLY); | 31 | int fd = open(fname, O_RDONLY); |
32 | if (fd == -1) | 32 | if (fd == -1) |
@@ -40,7 +40,7 @@ static void load_seccomp(const char *fname) { | |||
40 | goto errexit; | 40 | goto errexit; |
41 | unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter); | 41 | unsigned short entries = (unsigned short) size / (unsigned short) sizeof(struct sock_filter); |
42 | filter_cnt = entries; | 42 | filter_cnt = entries; |
43 | 43 | ||
44 | // read filter | 44 | // read filter |
45 | filter = malloc(size); | 45 | filter = malloc(size); |
46 | if (filter == NULL) | 46 | if (filter == NULL) |
@@ -53,7 +53,7 @@ static void load_seccomp(const char *fname) { | |||
53 | goto errexit; | 53 | goto errexit; |
54 | rd += rv; | 54 | rd += rv; |
55 | } | 55 | } |
56 | 56 | ||
57 | // close file | 57 | // close file |
58 | close(fd); | 58 | close(fd); |
59 | return; | 59 | return; |
@@ -67,7 +67,7 @@ errexit: | |||
67 | void filter_print(const char *fname) { | 67 | void filter_print(const char *fname) { |
68 | assert(fname); | 68 | assert(fname); |
69 | load_seccomp(fname); | 69 | load_seccomp(fname); |
70 | 70 | ||
71 | // start filter | 71 | // start filter |
72 | struct sock_filter start[] = { | 72 | struct sock_filter start[] = { |
73 | VALIDATE_ARCHITECTURE, | 73 | VALIDATE_ARCHITECTURE, |
@@ -86,7 +86,7 @@ void filter_print(const char *fname) { | |||
86 | printf("Invalid seccomp filter %s\n", fname); | 86 | printf("Invalid seccomp filter %s\n", fname); |
87 | return; | 87 | return; |
88 | } | 88 | } |
89 | 89 | ||
90 | // loop trough blacklists | 90 | // loop trough blacklists |
91 | int i = 4; | 91 | int i = 4; |
92 | while (i < filter_cnt) { | 92 | while (i < filter_cnt) { |
diff --git a/src/fseccomp/seccomp_secondary.c b/src/fseccomp/seccomp_secondary.c index 79c85eb75..8270b7018 100644 --- a/src/fseccomp/seccomp_secondary.c +++ b/src/fseccomp/seccomp_secondary.c | |||
@@ -28,7 +28,7 @@ void seccomp_secondary_64(const char *fname) { | |||
28 | EXAMINE_SYSCALL, | 28 | EXAMINE_SYSCALL, |
29 | BLACKLIST(165), // mount | 29 | BLACKLIST(165), // mount |
30 | BLACKLIST(166), // umount2 | 30 | BLACKLIST(166), // umount2 |
31 | // todo: implement --allow-debuggers | 31 | // todo: implement --allow-debuggers |
32 | BLACKLIST(101), // ptrace | 32 | BLACKLIST(101), // ptrace |
33 | BLACKLIST(246), // kexec_load | 33 | BLACKLIST(246), // kexec_load |
34 | BLACKLIST(304), // open_by_handle_at | 34 | BLACKLIST(304), // open_by_handle_at |
@@ -77,7 +77,7 @@ void seccomp_secondary_64(const char *fname) { | |||
77 | BLACKLIST(169), // reboot | 77 | BLACKLIST(169), // reboot |
78 | BLACKLIST(180), // nfsservctl | 78 | BLACKLIST(180), // nfsservctl |
79 | BLACKLIST(177), // get_kernel_syms | 79 | BLACKLIST(177), // get_kernel_syms |
80 | 80 | ||
81 | RETURN_ALLOW | 81 | RETURN_ALLOW |
82 | }; | 82 | }; |
83 | 83 | ||
@@ -87,7 +87,7 @@ void seccomp_secondary_64(const char *fname) { | |||
87 | fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname); | 87 | fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname); |
88 | exit(1); | 88 | exit(1); |
89 | } | 89 | } |
90 | 90 | ||
91 | int size = (int) sizeof(filter); | 91 | int size = (int) sizeof(filter); |
92 | int written = 0; | 92 | int written = 0; |
93 | while (written < size) { | 93 | while (written < size) { |
@@ -109,7 +109,7 @@ void seccomp_secondary_32(const char *fname) { | |||
109 | EXAMINE_SYSCALL, | 109 | EXAMINE_SYSCALL, |
110 | BLACKLIST(21), // mount | 110 | BLACKLIST(21), // mount |
111 | BLACKLIST(52), // umount2 | 111 | BLACKLIST(52), // umount2 |
112 | // todo: implement --allow-debuggers | 112 | // todo: implement --allow-debuggers |
113 | BLACKLIST(26), // ptrace | 113 | BLACKLIST(26), // ptrace |
114 | BLACKLIST(283), // kexec_load | 114 | BLACKLIST(283), // kexec_load |
115 | BLACKLIST(341), // name_to_handle_at | 115 | BLACKLIST(341), // name_to_handle_at |
@@ -157,7 +157,7 @@ void seccomp_secondary_32(const char *fname) { | |||
157 | BLACKLIST(88), // reboot | 157 | BLACKLIST(88), // reboot |
158 | BLACKLIST(169), // nfsservctl | 158 | BLACKLIST(169), // nfsservctl |
159 | BLACKLIST(130), // get_kernel_syms | 159 | BLACKLIST(130), // get_kernel_syms |
160 | 160 | ||
161 | RETURN_ALLOW | 161 | RETURN_ALLOW |
162 | }; | 162 | }; |
163 | 163 | ||
@@ -167,7 +167,7 @@ void seccomp_secondary_32(const char *fname) { | |||
167 | fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname); | 167 | fprintf(stderr, "Error fseccomp: cannot open %s file\n", fname); |
168 | exit(1); | 168 | exit(1); |
169 | } | 169 | } |
170 | 170 | ||
171 | int size = (int) sizeof(filter); | 171 | int size = (int) sizeof(filter); |
172 | int written = 0; | 172 | int written = 0; |
173 | while (written < size) { | 173 | while (written < size) { |
@@ -180,4 +180,3 @@ void seccomp_secondary_32(const char *fname) { | |||
180 | } | 180 | } |
181 | close(dst); | 181 | close(dst); |
182 | } | 182 | } |
183 | |||
diff --git a/src/fseccomp/syscall.c b/src/fseccomp/syscall.c index b86c1c489..0a86dade0 100644 --- a/src/fseccomp/syscall.c +++ b/src/fseccomp/syscall.c | |||
@@ -43,7 +43,7 @@ int syscall_find_name(const char *name) { | |||
43 | if (strcmp(name, syslist[i].name) == 0) | 43 | if (strcmp(name, syslist[i].name) == 0) |
44 | return syslist[i].nr; | 44 | return syslist[i].nr; |
45 | } | 45 | } |
46 | 46 | ||
47 | return -1; | 47 | return -1; |
48 | } | 48 | } |
49 | 49 | ||
@@ -54,7 +54,7 @@ char *syscall_find_nr(int nr) { | |||
54 | if (nr == syslist[i].nr) | 54 | if (nr == syslist[i].nr) |
55 | return syslist[i].name; | 55 | return syslist[i].name; |
56 | } | 56 | } |
57 | 57 | ||
58 | return "unknown"; | 58 | return "unknown"; |
59 | } | 59 | } |
60 | 60 | ||
@@ -75,7 +75,7 @@ static void syscall_process_name(const char *name, int *syscall_nr, int *error_n | |||
75 | if (strlen(name) == 0) | 75 | if (strlen(name) == 0) |
76 | goto error; | 76 | goto error; |
77 | *error_nr = -1; | 77 | *error_nr = -1; |
78 | 78 | ||
79 | // syntax check | 79 | // syntax check |
80 | char *str = strdup(name); | 80 | char *str = strdup(name); |
81 | if (!str) | 81 | if (!str) |
@@ -101,7 +101,7 @@ static void syscall_process_name(const char *name, int *syscall_nr, int *error_n | |||
101 | 101 | ||
102 | free(str); | 102 | free(str); |
103 | return; | 103 | return; |
104 | 104 | ||
105 | error: | 105 | error: |
106 | fprintf(stderr, "Error fseccomp: invalid syscall list entry %s\n", name); | 106 | fprintf(stderr, "Error fseccomp: invalid syscall list entry %s\n", name); |
107 | exit(1); | 107 | exit(1); |
@@ -142,7 +142,7 @@ int syscall_check_list(const char *slist, void (*callback)(int fd, int syscall, | |||
142 | } | 142 | } |
143 | ptr = strtok(NULL, ","); | 143 | ptr = strtok(NULL, ","); |
144 | } | 144 | } |
145 | 145 | ||
146 | free(str); | 146 | free(str); |
147 | return 0; | 147 | return 0; |
148 | } | 148 | } |
diff --git a/src/fshaper/fshaper.sh b/src/fshaper/fshaper.sh index 4045fd5a4..470137895 100755 --- a/src/fshaper/fshaper.sh +++ b/src/fshaper/fshaper.sh | |||
@@ -19,13 +19,13 @@ if [ "$1" = "--clear" ]; then | |||
19 | usage | 19 | usage |
20 | exit | 20 | exit |
21 | fi | 21 | fi |
22 | 22 | ||
23 | DEV=$2 | 23 | DEV=$2 |
24 | echo "Removing bandwith limits" | 24 | echo "Removing bandwith limits" |
25 | /sbin/tc qdisc del dev $DEV root 2> /dev/null > /dev/null | 25 | /sbin/tc qdisc del dev $DEV root 2> /dev/null > /dev/null |
26 | /sbin/tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null | 26 | /sbin/tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null |
27 | exit | 27 | exit |
28 | 28 | ||
29 | fi | 29 | fi |
30 | 30 | ||
31 | if [ "$1" = "--set" ]; then | 31 | if [ "$1" = "--set" ]; then |
@@ -38,22 +38,22 @@ if [ "$1" = "--set" ]; then | |||
38 | usage | 38 | usage |
39 | exit | 39 | exit |
40 | fi | 40 | fi |
41 | 41 | ||
42 | DEV=$2 | 42 | DEV=$2 |
43 | echo "Configuring interface $DEV " | 43 | echo "Configuring interface $DEV " |
44 | 44 | ||
45 | IN=$3 | 45 | IN=$3 |
46 | IN=$((${IN} * 8)) | 46 | IN=$((${IN} * 8)) |
47 | echo "Download speed ${IN}kbps" | 47 | echo "Download speed ${IN}kbps" |
48 | 48 | ||
49 | OUT=$4 | 49 | OUT=$4 |
50 | OUT=$((${OUT} * 8)) | 50 | OUT=$((${OUT} * 8)) |
51 | echo "Upload speed ${OUT}kbps" | 51 | echo "Upload speed ${OUT}kbps" |
52 | 52 | ||
53 | echo "cleaning limits" | 53 | echo "cleaning limits" |
54 | /sbin/tc qdisc del dev $DEV root 2> /dev/null > /dev/null | 54 | /sbin/tc qdisc del dev $DEV root 2> /dev/null > /dev/null |
55 | /sbin/tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null | 55 | /sbin/tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null |
56 | 56 | ||
57 | echo "configuring tc ingress" | 57 | echo "configuring tc ingress" |
58 | /sbin/tc qdisc add dev $DEV handle ffff: ingress #2> /dev/null > /dev/null | 58 | /sbin/tc qdisc add dev $DEV handle ffff: ingress #2> /dev/null > /dev/null |
59 | /sbin/tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \ | 59 | /sbin/tc filter add dev $DEV parent ffff: protocol ip prio 50 u32 match ip src \ |
@@ -63,7 +63,7 @@ if [ "$1" = "--set" ]; then | |||
63 | /sbin/tc qdisc add dev $DEV root tbf rate ${OUT}kbit latency 25ms burst 10k #2> /dev/null > /dev/null | 63 | /sbin/tc qdisc add dev $DEV root tbf rate ${OUT}kbit latency 25ms burst 10k #2> /dev/null > /dev/null |
64 | exit | 64 | exit |
65 | fi | 65 | fi |
66 | 66 | ||
67 | echo "Error: missing parameters" | 67 | echo "Error: missing parameters" |
68 | usage | 68 | usage |
69 | exit 1 | 69 | exit 1 |
diff --git a/src/ftee/Makefile.in b/src/ftee/Makefile.in index ad508cadd..0f14a7bd4 100644 --- a/src/ftee/Makefile.in +++ b/src/ftee/Makefile.in | |||
@@ -24,4 +24,3 @@ clean:; rm -f *.o ftee *.gcov *.gcda *.gcno | |||
24 | 24 | ||
25 | distclean: clean | 25 | distclean: clean |
26 | rm -fr Makefile | 26 | rm -fr Makefile |
27 | |||
diff --git a/src/ftee/ftee.h b/src/ftee/ftee.h index b663f1f38..5070cf12e 100644 --- a/src/ftee/ftee.h +++ b/src/ftee/ftee.h | |||
@@ -21,4 +21,4 @@ | |||
21 | #define FTEE_H | 21 | #define FTEE_H |
22 | #include "../include/common.h" | 22 | #include "../include/common.h" |
23 | 23 | ||
24 | #endif \ No newline at end of file | 24 | #endif |
diff --git a/src/ftee/main.c b/src/ftee/main.c index d425be07c..2628a77c5 100644 --- a/src/ftee/main.c +++ b/src/ftee/main.c | |||
@@ -47,7 +47,7 @@ static void log_rotate(const char *fname) { | |||
47 | strcpy(name1, fname); | 47 | strcpy(name1, fname); |
48 | strcpy(name2, fname); | 48 | strcpy(name2, fname); |
49 | fflush(0); | 49 | fflush(0); |
50 | 50 | ||
51 | // delete filename.5 | 51 | // delete filename.5 |
52 | sprintf(name1 + index, ".5"); | 52 | sprintf(name1 + index, ".5"); |
53 | if (stat(name1, &s) == 0) { | 53 | if (stat(name1, &s) == 0) { |
@@ -55,7 +55,7 @@ static void log_rotate(const char *fname) { | |||
55 | if (rv == -1) | 55 | if (rv == -1) |
56 | perror("unlink"); | 56 | perror("unlink"); |
57 | } | 57 | } |
58 | 58 | ||
59 | // move files 1 to 4 down one position | 59 | // move files 1 to 4 down one position |
60 | sprintf(name2 + index, ".4"); | 60 | sprintf(name2 + index, ".4"); |
61 | if (stat(name2, &s) == 0) { | 61 | if (stat(name2, &s) == 0) { |
@@ -96,14 +96,14 @@ static void log_rotate(const char *fname) { | |||
96 | if (rv == -1) | 96 | if (rv == -1) |
97 | perror("rename"); | 97 | perror("rename"); |
98 | } | 98 | } |
99 | 99 | ||
100 | free(name1); | 100 | free(name1); |
101 | free(name2); | 101 | free(name2); |
102 | } | 102 | } |
103 | 103 | ||
104 | static void log_write(const unsigned char *str, int len, const char *fname) { | 104 | static void log_write(const unsigned char *str, int len, const char *fname) { |
105 | assert(fname); | 105 | assert(fname); |
106 | 106 | ||
107 | if (out_fp == NULL) { | 107 | if (out_fp == NULL) { |
108 | out_fp = fopen(fname, "w"); | 108 | out_fp = fopen(fname, "w"); |
109 | if (!out_fp) { | 109 | if (!out_fp) { |
@@ -112,7 +112,7 @@ static void log_write(const unsigned char *str, int len, const char *fname) { | |||
112 | } | 112 | } |
113 | out_cnt = 0; | 113 | out_cnt = 0; |
114 | } | 114 | } |
115 | 115 | ||
116 | // rotate files | 116 | // rotate files |
117 | out_cnt += len; | 117 | out_cnt += len; |
118 | if (out_cnt >= out_max) { | 118 | if (out_cnt >= out_max) { |
@@ -127,9 +127,9 @@ static void log_write(const unsigned char *str, int len, const char *fname) { | |||
127 | exit(1); | 127 | exit(1); |
128 | } | 128 | } |
129 | out_cnt = len; | 129 | out_cnt = len; |
130 | } | 130 | } |
131 | 131 | ||
132 | fwrite(str, len, 1, out_fp); | 132 | fwrite(str, len, 1, out_fp); |
133 | fflush(0); | 133 | fflush(0); |
134 | } | 134 | } |
135 | 135 | ||
@@ -139,7 +139,7 @@ static int is_dir(const char *fname) { | |||
139 | assert(fname); | 139 | assert(fname); |
140 | if (*fname == '\0') | 140 | if (*fname == '\0') |
141 | return 0; | 141 | return 0; |
142 | 142 | ||
143 | // if fname doesn't end in '/', add one | 143 | // if fname doesn't end in '/', add one |
144 | int rv; | 144 | int rv; |
145 | struct stat s; | 145 | struct stat s; |
@@ -150,14 +150,14 @@ static int is_dir(const char *fname) { | |||
150 | if (asprintf(&tmp, "%s/", fname) == -1) { | 150 | if (asprintf(&tmp, "%s/", fname) == -1) { |
151 | fprintf(stderr, "Error: cannot allocate memory, %s:%d\n", __FILE__, __LINE__); | 151 | fprintf(stderr, "Error: cannot allocate memory, %s:%d\n", __FILE__, __LINE__); |
152 | exit(1); | 152 | exit(1); |
153 | } | 153 | } |
154 | rv = stat(tmp, &s); | 154 | rv = stat(tmp, &s); |
155 | free(tmp); | 155 | free(tmp); |
156 | } | 156 | } |
157 | 157 | ||
158 | if (rv == -1) | 158 | if (rv == -1) |
159 | return 0; | 159 | return 0; |
160 | 160 | ||
161 | if (S_ISDIR(s.st_mode)) | 161 | if (S_ISDIR(s.st_mode)) |
162 | return 1; | 162 | return 1; |
163 | 163 | ||
@@ -199,13 +199,13 @@ int main(int argc, char **argv) { | |||
199 | // do not accept directories, links, and files with ".." | 199 | // do not accept directories, links, and files with ".." |
200 | if (strstr(fname, "..") || is_link(fname) || is_dir(fname)) | 200 | if (strstr(fname, "..") || is_link(fname) || is_dir(fname)) |
201 | goto errexit; | 201 | goto errexit; |
202 | 202 | ||
203 | struct stat s; | 203 | struct stat s; |
204 | if (stat(fname, &s) == 0) { | 204 | if (stat(fname, &s) == 0) { |
205 | // check permissions | 205 | // check permissions |
206 | if (s.st_uid != getuid() || s.st_gid != getgid()) | 206 | if (s.st_uid != getuid() || s.st_gid != getgid()) |
207 | goto errexit; | 207 | goto errexit; |
208 | 208 | ||
209 | // check hard links | 209 | // check hard links |
210 | if (s.st_nlink != 1) | 210 | if (s.st_nlink != 1) |
211 | goto errexit; | 211 | goto errexit; |
@@ -229,11 +229,11 @@ int main(int argc, char **argv) { | |||
229 | continue; | 229 | continue; |
230 | if (n <= 0) | 230 | if (n <= 0) |
231 | break; | 231 | break; |
232 | 232 | ||
233 | fwrite(buf, n, 1, stdout); | 233 | fwrite(buf, n, 1, stdout); |
234 | log_write(buf, n, fname); | 234 | log_write(buf, n, fname); |
235 | } | 235 | } |
236 | 236 | ||
237 | log_close(); | 237 | log_close(); |
238 | return 0; | 238 | return 0; |
239 | 239 | ||
diff --git a/src/include/common.h b/src/include/common.h index 7067ae68c..5a5ff67d1 100644 --- a/src/include/common.h +++ b/src/include/common.h | |||
@@ -64,7 +64,7 @@ static inline int atoip(const char *str, uint32_t *ip) { | |||
64 | 64 | ||
65 | if (sscanf(str, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 || a > 255 || b > 255 || c > 255 || d > 255) | 65 | if (sscanf(str, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 || a > 255 || b > 255 || c > 255 || d > 255) |
66 | return 1; | 66 | return 1; |
67 | 67 | ||
68 | *ip = a * 0x1000000 + b * 0x10000 + c * 0x100 + d; | 68 | *ip = a * 0x1000000 + b * 0x10000 + c * 0x100 + d; |
69 | return 0; | 69 | return 0; |
70 | } | 70 | } |
@@ -91,7 +91,7 @@ static inline int atomac(char *str, unsigned char macAddr[6]) { | |||
91 | for (i = 0; i < 6; i++) { | 91 | for (i = 0; i < 6; i++) { |
92 | if (mac[i] > 0xff) | 92 | if (mac[i] > 0xff) |
93 | return 1; | 93 | return 1; |
94 | 94 | ||
95 | macAddr[i] = (unsigned char) mac[i]; | 95 | macAddr[i] = (unsigned char) mac[i]; |
96 | } | 96 | } |
97 | 97 | ||
@@ -105,16 +105,16 @@ static inline int mac_not_zero(const unsigned char mac[6]) { | |||
105 | if (mac[i] != 0) | 105 | if (mac[i] != 0) |
106 | return 1; | 106 | return 1; |
107 | } | 107 | } |
108 | 108 | ||
109 | return 0; | 109 | return 0; |
110 | } | 110 | } |
111 | 111 | ||
112 | // rtdsc timestamp on x86-64/amd64 processors | 112 | // rtdsc timestamp on x86-64/amd64 processors |
113 | static inline unsigned long long getticks(void) { | 113 | static inline unsigned long long getticks(void) { |
114 | #if defined(__x86_64__) | 114 | #if defined(__x86_64__) |
115 | unsigned a, d; | 115 | unsigned a, d; |
116 | asm volatile("rdtsc" : "=a" (a), "=d" (d)); | 116 | asm volatile("rdtsc" : "=a" (a), "=d" (d)); |
117 | return ((unsigned long long)a) | (((unsigned long long)d) << 32); | 117 | return ((unsigned long long)a) | (((unsigned long long)d) << 32); |
118 | #elif defined(__i386__) | 118 | #elif defined(__i386__) |
119 | unsigned long long ret; | 119 | unsigned long long ret; |
120 | __asm__ __volatile__("rdtsc" : "=A" (ret)); | 120 | __asm__ __volatile__("rdtsc" : "=A" (ret)); |
diff --git a/src/include/libnetlink.h b/src/include/libnetlink.h index 7ff5d01b6..01fd2675d 100644 --- a/src/include/libnetlink.h +++ b/src/include/libnetlink.h | |||
@@ -1,16 +1,16 @@ | |||
1 | /* file extracted from iproute2 software package | 1 | /* file extracted from iproute2 software package |
2 | * | 2 | * |
3 | * Original source code: | 3 | * Original source code: |
4 | * | 4 | * |
5 | * Information: | 5 | * Information: |
6 | * http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2 | 6 | * http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2 |
7 | * | 7 | * |
8 | * Download: | 8 | * Download: |
9 | * http://www.kernel.org/pub/linux/utils/net/iproute2/ | 9 | * http://www.kernel.org/pub/linux/utils/net/iproute2/ |
10 | * | 10 | * |
11 | * Repository: | 11 | * Repository: |
12 | * git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git | 12 | * git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git |
13 | * | 13 | * |
14 | * License: GPL v2 | 14 | * License: GPL v2 |
15 | */ | 15 | */ |
16 | 16 | ||
@@ -161,4 +161,3 @@ extern int rtnl_from_file(FILE *, rtnl_filter_t handler, | |||
161 | #endif | 161 | #endif |
162 | 162 | ||
163 | #endif /* __LIBNETLINK_H__ */ | 163 | #endif /* __LIBNETLINK_H__ */ |
164 | |||
diff --git a/src/include/syscall.h b/src/include/syscall.h index 8852fcbd5..df9a03ffb 100644 --- a/src/include/syscall.h +++ b/src/include/syscall.h | |||
@@ -5144,4 +5144,3 @@ | |||
5144 | #endif | 5144 | #endif |
5145 | #endif | 5145 | #endif |
5146 | //#endif | 5146 | //#endif |
5147 | |||
diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in index 5549aca11..06ba3fee9 100644 --- a/src/lib/Makefile.in +++ b/src/lib/Makefile.in | |||
@@ -10,7 +10,7 @@ C_FILE_LIST = $(sort $(wildcard *.c)) | |||
10 | OBJS = $(C_FILE_LIST:.c=.o) | 10 | OBJS = $(C_FILE_LIST:.c=.o) |
11 | BINOBJS = $(foreach file, $(OBJS), $file) | 11 | BINOBJS = $(foreach file, $(OBJS), $file) |
12 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security | 12 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security |
13 | LDFLAGS:=-pic -Wl,-z,relro -Wl,-z,now | 13 | LDFLAGS:=-pic -Wl,-z,relro -Wl,-z,now |
14 | 14 | ||
15 | all: $(OBJS) | 15 | all: $(OBJS) |
16 | 16 | ||
diff --git a/src/lib/common.c b/src/lib/common.c index 6f2cebf12..98cb48abf 100644 --- a/src/lib/common.c +++ b/src/lib/common.c | |||
@@ -37,7 +37,7 @@ int join_namespace(pid_t pid, char *type) { | |||
37 | char *path; | 37 | char *path; |
38 | if (asprintf(&path, "/proc/%u/ns/%s", pid, type) == -1) | 38 | if (asprintf(&path, "/proc/%u/ns/%s", pid, type) == -1) |
39 | errExit("asprintf"); | 39 | errExit("asprintf"); |
40 | 40 | ||
41 | int fd = open(path, O_RDONLY); | 41 | int fd = open(path, O_RDONLY); |
42 | if (fd < 0) | 42 | if (fd < 0) |
43 | goto errout; | 43 | goto errout; |
@@ -55,14 +55,14 @@ errout: | |||
55 | free(path); | 55 | free(path); |
56 | fprintf(stderr, "Error: cannot join namespace %s\\n", type); | 56 | fprintf(stderr, "Error: cannot join namespace %s\\n", type); |
57 | return -1; | 57 | return -1; |
58 | 58 | ||
59 | } | 59 | } |
60 | 60 | ||
61 | // return 1 if error | 61 | // return 1 if error |
62 | // this function requires root access - todo: fix it! | 62 | // this function requires root access - todo: fix it! |
63 | int name2pid(const char *name, pid_t *pid) { | 63 | int name2pid(const char *name, pid_t *pid) { |
64 | pid_t parent = getpid(); | 64 | pid_t parent = getpid(); |
65 | 65 | ||
66 | DIR *dir; | 66 | DIR *dir; |
67 | if (!(dir = opendir("/proc"))) { | 67 | if (!(dir = opendir("/proc"))) { |
68 | // sleep 2 seconds and try again | 68 | // sleep 2 seconds and try again |
@@ -72,7 +72,7 @@ int name2pid(const char *name, pid_t *pid) { | |||
72 | exit(1); | 72 | exit(1); |
73 | } | 73 | } |
74 | } | 74 | } |
75 | 75 | ||
76 | struct dirent *entry; | 76 | struct dirent *entry; |
77 | char *end; | 77 | char *end; |
78 | while ((entry = readdir(dir))) { | 78 | while ((entry = readdir(dir))) { |
@@ -91,7 +91,7 @@ int name2pid(const char *name, pid_t *pid) { | |||
91 | } | 91 | } |
92 | free(comm); | 92 | free(comm); |
93 | } | 93 | } |
94 | 94 | ||
95 | // look for the sandbox name in /run/firejail/name/<PID> | 95 | // look for the sandbox name in /run/firejail/name/<PID> |
96 | // todo: use RUN_FIREJAIL_NAME_DIR define from src/firejail/firejail.h | 96 | // todo: use RUN_FIREJAIL_NAME_DIR define from src/firejail/firejail.h |
97 | char *fname; | 97 | char *fname; |
@@ -249,10 +249,10 @@ int pid_proc_cmdline_x11_xpra_xephyr(const pid_t pid) { | |||
249 | break; | 249 | break; |
250 | if (strncmp(arg, "--", 2) != 0) | 250 | if (strncmp(arg, "--", 2) != 0) |
251 | break; | 251 | break; |
252 | 252 | ||
253 | if (strcmp(arg, "--x11=xorg") == 0) | 253 | if (strcmp(arg, "--x11=xorg") == 0) |
254 | return 0; | 254 | return 0; |
255 | 255 | ||
256 | // check x11 xpra or xephyr | 256 | // check x11 xpra or xephyr |
257 | if (strncmp(arg, "--x11", 5) == 0) | 257 | if (strncmp(arg, "--x11", 5) == 0) |
258 | return 1; | 258 | return 1; |
@@ -267,7 +267,7 @@ int pid_hidepid(void) { | |||
267 | FILE *fp = fopen("/proc/mounts", "r"); | 267 | FILE *fp = fopen("/proc/mounts", "r"); |
268 | if (!fp) | 268 | if (!fp) |
269 | return 1; | 269 | return 1; |
270 | 270 | ||
271 | char buf[BUFLEN]; | 271 | char buf[BUFLEN]; |
272 | while (fgets(buf, BUFLEN, fp)) { | 272 | while (fgets(buf, BUFLEN, fp)) { |
273 | if (strstr(buf, "proc /proc proc")) { | 273 | if (strstr(buf, "proc /proc proc")) { |
@@ -278,10 +278,7 @@ int pid_hidepid(void) { | |||
278 | return 0; | 278 | return 0; |
279 | } | 279 | } |
280 | } | 280 | } |
281 | 281 | ||
282 | fclose(fp); | 282 | fclose(fp); |
283 | return 0; | 283 | return 0; |
284 | } | 284 | } |
285 | |||
286 | |||
287 | |||
diff --git a/src/lib/libnetlink.c b/src/lib/libnetlink.c index 417ef2c5f..d2975bd57 100644 --- a/src/lib/libnetlink.c +++ b/src/lib/libnetlink.c | |||
@@ -1,16 +1,16 @@ | |||
1 | /* file extracted from iproute2 software package | 1 | /* file extracted from iproute2 software package |
2 | * | 2 | * |
3 | * Original source code: | 3 | * Original source code: |
4 | * | 4 | * |
5 | * Information: | 5 | * Information: |
6 | * http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2 | 6 | * http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2 |
7 | * | 7 | * |
8 | * Download: | 8 | * Download: |
9 | * http://www.kernel.org/pub/linux/utils/net/iproute2/ | 9 | * http://www.kernel.org/pub/linux/utils/net/iproute2/ |
10 | * | 10 | * |
11 | * Repository: | 11 | * Repository: |
12 | * git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git | 12 | * git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git |
13 | * | 13 | * |
14 | * License: GPL v2 | 14 | * License: GPL v2 |
15 | * | 15 | * |
16 | * Original copyright header | 16 | * Original copyright header |
@@ -166,7 +166,7 @@ int rtnl_send_check(struct rtnl_handle *rth, const void *buf, int len) | |||
166 | struct nlmsgerr *err = (struct nlmsgerr*)NLMSG_DATA(h); | 166 | struct nlmsgerr *err = (struct nlmsgerr*)NLMSG_DATA(h); |
167 | if (h->nlmsg_len < NLMSG_LENGTH(sizeof(struct nlmsgerr))) | 167 | if (h->nlmsg_len < NLMSG_LENGTH(sizeof(struct nlmsgerr))) |
168 | fprintf(stderr, "ERROR truncated\n"); | 168 | fprintf(stderr, "ERROR truncated\n"); |
169 | else | 169 | else |
170 | errno = -err->error; | 170 | errno = -err->error; |
171 | return -1; | 171 | return -1; |
172 | } | 172 | } |
@@ -600,7 +600,7 @@ if (type == IFLA_LINK) { | |||
600 | for (i = 0; i < alen; i++) | 600 | for (i = 0; i < alen; i++) |
601 | printf("%02x, ", *((unsigned char *)data + i)); | 601 | printf("%02x, ", *((unsigned char *)data + i)); |
602 | printf("\n"); | 602 | printf("\n"); |
603 | } | 603 | } |
604 | else if (type == IFLA_IFNAME) { | 604 | else if (type == IFLA_IFNAME) { |
605 | printf("IFLA_IFNAME\n"); | 605 | printf("IFLA_IFNAME\n"); |
606 | printf("\tdata - #%s#\n", data); | 606 | printf("\tdata - #%s#\n", data); |
@@ -615,8 +615,8 @@ else if (type == IFLA_ADDRESS) { | |||
615 | printf("\n"); | 615 | printf("\n"); |
616 | } | 616 | } |
617 | else if (type == IFLA_BROADCAST) printf("IFLA_BROADCAST or IFLA_INFO_DATA\n"); | 617 | else if (type == IFLA_BROADCAST) printf("IFLA_BROADCAST or IFLA_INFO_DATA\n"); |
618 | 618 | ||
619 | printf("\tdata length: %d\n", alen); | 619 | printf("\tdata length: %d\n", alen); |
620 | #endif | 620 | #endif |
621 | 621 | ||
622 | int len = RTA_LENGTH(alen); | 622 | int len = RTA_LENGTH(alen); |
diff --git a/src/lib/pid.c b/src/lib/pid.c index 7ae5a8d3e..ed1e7b375 100644 --- a/src/lib/pid.c +++ b/src/lib/pid.c | |||
@@ -24,7 +24,7 @@ | |||
24 | #include <pwd.h> | 24 | #include <pwd.h> |
25 | #include <sys/ioctl.h> | 25 | #include <sys/ioctl.h> |
26 | #include <dirent.h> | 26 | #include <dirent.h> |
27 | 27 | ||
28 | #define PIDS_BUFLEN 4096 | 28 | #define PIDS_BUFLEN 4096 |
29 | //Process pids[max_pids]; | 29 | //Process pids[max_pids]; |
30 | Process *pids = NULL; | 30 | Process *pids = NULL; |
@@ -36,14 +36,14 @@ void pid_getmem(unsigned pid, unsigned *rss, unsigned *shared) { | |||
36 | char *file; | 36 | char *file; |
37 | if (asprintf(&file, "/proc/%u/statm", pid) == -1) | 37 | if (asprintf(&file, "/proc/%u/statm", pid) == -1) |
38 | errExit("asprintf"); | 38 | errExit("asprintf"); |
39 | 39 | ||
40 | FILE *fp = fopen(file, "r"); | 40 | FILE *fp = fopen(file, "r"); |
41 | if (!fp) { | 41 | if (!fp) { |
42 | free(file); | 42 | free(file); |
43 | return; | 43 | return; |
44 | } | 44 | } |
45 | free(file); | 45 | free(file); |
46 | 46 | ||
47 | unsigned a, b, c; | 47 | unsigned a, b, c; |
48 | if (3 != fscanf(fp, "%u %u %u", &a, &b, &c)) { | 48 | if (3 != fscanf(fp, "%u %u %u", &a, &b, &c)) { |
49 | fclose(fp); | 49 | fclose(fp); |
@@ -67,7 +67,7 @@ void pid_get_cpu_time(unsigned pid, unsigned *utime, unsigned *stime) { | |||
67 | return; | 67 | return; |
68 | } | 68 | } |
69 | free(file); | 69 | free(file); |
70 | 70 | ||
71 | char line[PIDS_BUFLEN]; | 71 | char line[PIDS_BUFLEN]; |
72 | if (fgets(line, PIDS_BUFLEN - 1, fp)) { | 72 | if (fgets(line, PIDS_BUFLEN - 1, fp)) { |
73 | char *ptr = line; | 73 | char *ptr = line; |
@@ -84,7 +84,7 @@ void pid_get_cpu_time(unsigned pid, unsigned *utime, unsigned *stime) { | |||
84 | goto myexit; | 84 | goto myexit; |
85 | } | 85 | } |
86 | 86 | ||
87 | myexit: | 87 | myexit: |
88 | fclose(fp); | 88 | fclose(fp); |
89 | } | 89 | } |
90 | 90 | ||
@@ -100,7 +100,7 @@ unsigned long long pid_get_start_time(unsigned pid) { | |||
100 | return 0; | 100 | return 0; |
101 | } | 101 | } |
102 | free(file); | 102 | free(file); |
103 | 103 | ||
104 | char line[PIDS_BUFLEN]; | 104 | char line[PIDS_BUFLEN]; |
105 | unsigned long long retval = 0; | 105 | unsigned long long retval = 0; |
106 | if (fgets(line, PIDS_BUFLEN - 1, fp)) { | 106 | if (fgets(line, PIDS_BUFLEN - 1, fp)) { |
@@ -117,7 +117,7 @@ unsigned long long pid_get_start_time(unsigned pid) { | |||
117 | if (1 != sscanf(ptr, "%llu", &retval)) | 117 | if (1 != sscanf(ptr, "%llu", &retval)) |
118 | goto myexit; | 118 | goto myexit; |
119 | } | 119 | } |
120 | 120 | ||
121 | myexit: | 121 | myexit: |
122 | fclose(fp); | 122 | fclose(fp); |
123 | return retval; | 123 | return retval; |
@@ -154,12 +154,12 @@ uid_t pid_get_uid(pid_t pid) { | |||
154 | } | 154 | } |
155 | if (*ptr == '\0') | 155 | if (*ptr == '\0') |
156 | goto doexit; | 156 | goto doexit; |
157 | 157 | ||
158 | rv = atoi(ptr); | 158 | rv = atoi(ptr); |
159 | break; // break regardless! | 159 | break; // break regardless! |
160 | } | 160 | } |
161 | } | 161 | } |
162 | doexit: | 162 | doexit: |
163 | fclose(fp); | 163 | fclose(fp); |
164 | free(file); | 164 | free(file); |
165 | return rv; | 165 | return rv; |
@@ -187,7 +187,7 @@ static void print_elem(unsigned index, int nowrap) { | |||
187 | if (user ==NULL) | 187 | if (user ==NULL) |
188 | user = ""; | 188 | user = ""; |
189 | if (cmd) { | 189 | if (cmd) { |
190 | if (col < 4 || nowrap) | 190 | if (col < 4 || nowrap) |
191 | printf("%s%u:%s:%s\n", indent, index, user, cmd); | 191 | printf("%s%u:%s:%s\n", indent, index, user, cmd); |
192 | else { | 192 | else { |
193 | char *out; | 193 | char *out; |
@@ -201,7 +201,7 @@ static void print_elem(unsigned index, int nowrap) { | |||
201 | printf("%s", out); | 201 | printf("%s", out); |
202 | free(out); | 202 | free(out); |
203 | } | 203 | } |
204 | 204 | ||
205 | free(cmd); | 205 | free(cmd); |
206 | } | 206 | } |
207 | else { | 207 | else { |
@@ -220,7 +220,7 @@ void pid_print_tree(unsigned index, unsigned parent, int nowrap) { | |||
220 | 220 | ||
221 | // Remove unused parameter warning | 221 | // Remove unused parameter warning |
222 | (void)parent; | 222 | (void)parent; |
223 | 223 | ||
224 | unsigned i; | 224 | unsigned i; |
225 | for (i = index + 1; i < (unsigned)max_pids; i++) { | 225 | for (i = index + 1; i < (unsigned)max_pids; i++) { |
226 | if (pids[i].parent == (pid_t)index) | 226 | if (pids[i].parent == (pid_t)index) |
@@ -246,13 +246,13 @@ void pid_store_cpu(unsigned index, unsigned parent, unsigned *utime, unsigned *s | |||
246 | 246 | ||
247 | // Remove unused parameter warning | 247 | // Remove unused parameter warning |
248 | (void)parent; | 248 | (void)parent; |
249 | 249 | ||
250 | unsigned utmp = 0; | 250 | unsigned utmp = 0; |
251 | unsigned stmp = 0; | 251 | unsigned stmp = 0; |
252 | pid_get_cpu_time(index, &utmp, &stmp); | 252 | pid_get_cpu_time(index, &utmp, &stmp); |
253 | *utime += utmp; | 253 | *utime += utmp; |
254 | *stime += stmp; | 254 | *stime += stmp; |
255 | 255 | ||
256 | unsigned i; | 256 | unsigned i; |
257 | for (i = index + 1; i < (unsigned)max_pids; i++) { | 257 | for (i = index + 1; i < (unsigned)max_pids; i++) { |
258 | if (pids[i].parent == (pid_t)index) | 258 | if (pids[i].parent == (pid_t)index) |
@@ -293,7 +293,7 @@ void pid_read(pid_t mon_pid) { | |||
293 | exit(1); | 293 | exit(1); |
294 | } | 294 | } |
295 | } | 295 | } |
296 | 296 | ||
297 | pid_t child = -1; | 297 | pid_t child = -1; |
298 | struct dirent *entry; | 298 | struct dirent *entry; |
299 | char *end; | 299 | char *end; |
@@ -308,7 +308,7 @@ void pid_read(pid_t mon_pid) { | |||
308 | // skip PID 1 just in case we run a sandbox-in-sandbox | 308 | // skip PID 1 just in case we run a sandbox-in-sandbox |
309 | if (pid == 1) | 309 | if (pid == 1) |
310 | continue; | 310 | continue; |
311 | 311 | ||
312 | // open stat file | 312 | // open stat file |
313 | char *file; | 313 | char *file; |
314 | if (asprintf(&file, "/proc/%u/status", pid) == -1) | 314 | if (asprintf(&file, "/proc/%u/status", pid) == -1) |
diff --git a/src/libtrace/Makefile.in b/src/libtrace/Makefile.in index 9de0b40eb..93416cac6 100644 --- a/src/libtrace/Makefile.in +++ b/src/libtrace/Makefile.in | |||
@@ -8,7 +8,7 @@ C_FILE_LIST = $(sort $(wildcard *.c)) | |||
8 | OBJS = $(C_FILE_LIST:.c=.o) | 8 | OBJS = $(C_FILE_LIST:.c=.o) |
9 | BINOBJS = $(foreach file, $(OBJS), $file) | 9 | BINOBJS = $(foreach file, $(OBJS), $file) |
10 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security | 10 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security |
11 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now | 11 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now |
12 | 12 | ||
13 | all: libtrace.so | 13 | all: libtrace.so |
14 | 14 | ||
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c index 1be89052c..5cdb254a3 100644 --- a/src/libtrace/libtrace.c +++ b/src/libtrace/libtrace.c | |||
@@ -57,7 +57,7 @@ static char *name(void) { | |||
57 | if (!nameinit) { | 57 | if (!nameinit) { |
58 | // initialize the name of the process based on /proc/PID/comm | 58 | // initialize the name of the process based on /proc/PID/comm |
59 | memset(myname, 0, MAXNAME); | 59 | memset(myname, 0, MAXNAME); |
60 | 60 | ||
61 | pid_t p = pid(); | 61 | pid_t p = pid(); |
62 | char *fname; | 62 | char *fname; |
63 | if (asprintf(&fname, "/proc/%u/comm", p) == -1) | 63 | if (asprintf(&fname, "/proc/%u/comm", p) == -1) |
@@ -74,17 +74,17 @@ static char *name(void) { | |||
74 | free(fname); | 74 | free(fname); |
75 | return "unknown"; | 75 | return "unknown"; |
76 | } | 76 | } |
77 | 77 | ||
78 | // clean '\n' | 78 | // clean '\n' |
79 | char *ptr = strchr(myname, '\n'); | 79 | char *ptr = strchr(myname, '\n'); |
80 | if (ptr) | 80 | if (ptr) |
81 | *ptr = '\0'; | 81 | *ptr = '\0'; |
82 | 82 | ||
83 | fclose(fp); | 83 | fclose(fp); |
84 | free(fname); | 84 | free(fname); |
85 | nameinit = 1; | 85 | nameinit = 1; |
86 | } | 86 | } |
87 | 87 | ||
88 | return myname; | 88 | return myname; |
89 | } | 89 | } |
90 | 90 | ||
@@ -99,20 +99,20 @@ typedef struct { | |||
99 | static XTable socket_type[] = { | 99 | static XTable socket_type[] = { |
100 | #ifdef SOCK_STREAM | 100 | #ifdef SOCK_STREAM |
101 | { SOCK_STREAM, "SOCK_STREAM" }, | 101 | { SOCK_STREAM, "SOCK_STREAM" }, |
102 | #endif | 102 | #endif |
103 | #ifdef SOCK_DGRAM | 103 | #ifdef SOCK_DGRAM |
104 | { SOCK_DGRAM, "SOCK_DGRAM" }, | 104 | { SOCK_DGRAM, "SOCK_DGRAM" }, |
105 | #endif | 105 | #endif |
106 | #ifdef SOCK_RAW | 106 | #ifdef SOCK_RAW |
107 | { SOCK_RAW, "SOCK_RAW" }, | 107 | { SOCK_RAW, "SOCK_RAW" }, |
108 | #endif | 108 | #endif |
109 | #ifdef SOCK_RDM | 109 | #ifdef SOCK_RDM |
110 | { SOCK_RDM, "SOCK_RDM" }, | 110 | { SOCK_RDM, "SOCK_RDM" }, |
111 | #endif | 111 | #endif |
112 | #ifdef SOCK_SEQPACKET | 112 | #ifdef SOCK_SEQPACKET |
113 | { SOCK_SEQPACKET, "SOCK_SEQPACKET" }, | 113 | { SOCK_SEQPACKET, "SOCK_SEQPACKET" }, |
114 | #endif | 114 | #endif |
115 | #ifdef SOCK_DCCP | 115 | #ifdef SOCK_DCCP |
116 | { SOCK_DCCP, "SOCK_DCCP" }, | 116 | { SOCK_DCCP, "SOCK_DCCP" }, |
117 | #endif | 117 | #endif |
118 | { 0, NULL} // NULL terminated | 118 | { 0, NULL} // NULL terminated |
@@ -198,7 +198,7 @@ static XTable socket_protocol[] = { | |||
198 | #ifdef IPPROTO_AH | 198 | #ifdef IPPROTO_AH |
199 | { IPPROTO_AH, "IPPROTO_AH" }, | 199 | { IPPROTO_AH, "IPPROTO_AH" }, |
200 | #endif | 200 | #endif |
201 | #ifdef IPPROTO_BEETPH | 201 | #ifdef IPPROTO_BEETPH |
202 | { IPPROTO_BEETPH, "IPPROTO_BEETPH" }, | 202 | { IPPROTO_BEETPH, "IPPROTO_BEETPH" }, |
203 | #endif | 203 | #endif |
204 | #ifdef IPPROTO_PIM | 204 | #ifdef IPPROTO_PIM |
@@ -225,7 +225,7 @@ static char *translate(XTable *table, int val) { | |||
225 | return table->name; | 225 | return table->name; |
226 | table++; | 226 | table++; |
227 | } | 227 | } |
228 | 228 | ||
229 | return NULL; | 229 | return NULL; |
230 | } | 230 | } |
231 | 231 | ||
@@ -262,7 +262,7 @@ static orig_open_t orig_open = NULL; | |||
262 | int open(const char *pathname, int flags, mode_t mode) { | 262 | int open(const char *pathname, int flags, mode_t mode) { |
263 | if (!orig_open) | 263 | if (!orig_open) |
264 | orig_open = (orig_open_t)dlsym(RTLD_NEXT, "open"); | 264 | orig_open = (orig_open_t)dlsym(RTLD_NEXT, "open"); |
265 | 265 | ||
266 | int rv = orig_open(pathname, flags, mode); | 266 | int rv = orig_open(pathname, flags, mode); |
267 | printf("%u:%s:open %s:%d\n", pid(), name(), pathname, rv); | 267 | printf("%u:%s:open %s:%d\n", pid(), name(), pathname, rv); |
268 | return rv; | 268 | return rv; |
@@ -273,7 +273,7 @@ static orig_open64_t orig_open64 = NULL; | |||
273 | int open64(const char *pathname, int flags, mode_t mode) { | 273 | int open64(const char *pathname, int flags, mode_t mode) { |
274 | if (!orig_open64) | 274 | if (!orig_open64) |
275 | orig_open64 = (orig_open64_t)dlsym(RTLD_NEXT, "open64"); | 275 | orig_open64 = (orig_open64_t)dlsym(RTLD_NEXT, "open64"); |
276 | 276 | ||
277 | int rv = orig_open64(pathname, flags, mode); | 277 | int rv = orig_open64(pathname, flags, mode); |
278 | printf("%u:%s:open64 %s:%d\n", pid(), name(), pathname, rv); | 278 | printf("%u:%s:open64 %s:%d\n", pid(), name(), pathname, rv); |
279 | return rv; | 279 | return rv; |
@@ -285,7 +285,7 @@ static orig_openat_t orig_openat = NULL; | |||
285 | int openat(int dirfd, const char *pathname, int flags, mode_t mode) { | 285 | int openat(int dirfd, const char *pathname, int flags, mode_t mode) { |
286 | if (!orig_openat) | 286 | if (!orig_openat) |
287 | orig_openat = (orig_openat_t)dlsym(RTLD_NEXT, "openat"); | 287 | orig_openat = (orig_openat_t)dlsym(RTLD_NEXT, "openat"); |
288 | 288 | ||
289 | int rv = orig_openat(dirfd, pathname, flags, mode); | 289 | int rv = orig_openat(dirfd, pathname, flags, mode); |
290 | printf("%u:%s:openat %s:%d\n", pid(), name(), pathname, rv); | 290 | printf("%u:%s:openat %s:%d\n", pid(), name(), pathname, rv); |
291 | return rv; | 291 | return rv; |
@@ -296,7 +296,7 @@ static orig_openat64_t orig_openat64 = NULL; | |||
296 | int openat64(int dirfd, const char *pathname, int flags, mode_t mode) { | 296 | int openat64(int dirfd, const char *pathname, int flags, mode_t mode) { |
297 | if (!orig_openat64) | 297 | if (!orig_openat64) |
298 | orig_openat64 = (orig_openat64_t)dlsym(RTLD_NEXT, "openat64"); | 298 | orig_openat64 = (orig_openat64_t)dlsym(RTLD_NEXT, "openat64"); |
299 | 299 | ||
300 | int rv = orig_openat64(dirfd, pathname, flags, mode); | 300 | int rv = orig_openat64(dirfd, pathname, flags, mode); |
301 | printf("%u:%s:openat64 %s:%d\n", pid(), name(), pathname, rv); | 301 | printf("%u:%s:openat64 %s:%d\n", pid(), name(), pathname, rv); |
302 | return rv; | 302 | return rv; |
@@ -307,7 +307,7 @@ int openat64(int dirfd, const char *pathname, int flags, mode_t mode) { | |||
307 | FILE *fopen(const char *pathname, const char *mode) { | 307 | FILE *fopen(const char *pathname, const char *mode) { |
308 | if (!orig_fopen) | 308 | if (!orig_fopen) |
309 | orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen"); | 309 | orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen"); |
310 | 310 | ||
311 | FILE *rv = orig_fopen(pathname, mode); | 311 | FILE *rv = orig_fopen(pathname, mode); |
312 | printf("%u:%s:fopen %s:%p\n", pid(), name(), pathname, rv); | 312 | printf("%u:%s:fopen %s:%p\n", pid(), name(), pathname, rv); |
313 | return rv; | 313 | return rv; |
@@ -317,7 +317,7 @@ FILE *fopen(const char *pathname, const char *mode) { | |||
317 | FILE *fopen64(const char *pathname, const char *mode) { | 317 | FILE *fopen64(const char *pathname, const char *mode) { |
318 | if (!orig_fopen64) | 318 | if (!orig_fopen64) |
319 | orig_fopen64 = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen64"); | 319 | orig_fopen64 = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen64"); |
320 | 320 | ||
321 | FILE *rv = orig_fopen64(pathname, mode); | 321 | FILE *rv = orig_fopen64(pathname, mode); |
322 | printf("%u:%s:fopen64 %s:%p\n", pid(), name(), pathname, rv); | 322 | printf("%u:%s:fopen64 %s:%p\n", pid(), name(), pathname, rv); |
323 | return rv; | 323 | return rv; |
@@ -331,7 +331,7 @@ static orig_freopen_t orig_freopen = NULL; | |||
331 | FILE *freopen(const char *pathname, const char *mode, FILE *stream) { | 331 | FILE *freopen(const char *pathname, const char *mode, FILE *stream) { |
332 | if (!orig_freopen) | 332 | if (!orig_freopen) |
333 | orig_freopen = (orig_freopen_t)dlsym(RTLD_NEXT, "freopen"); | 333 | orig_freopen = (orig_freopen_t)dlsym(RTLD_NEXT, "freopen"); |
334 | 334 | ||
335 | FILE *rv = orig_freopen(pathname, mode, stream); | 335 | FILE *rv = orig_freopen(pathname, mode, stream); |
336 | printf("%u:%s:freopen %s:%p\n", pid(), name(), pathname, rv); | 336 | printf("%u:%s:freopen %s:%p\n", pid(), name(), pathname, rv); |
337 | return rv; | 337 | return rv; |
@@ -343,7 +343,7 @@ static orig_freopen64_t orig_freopen64 = NULL; | |||
343 | FILE *freopen64(const char *pathname, const char *mode, FILE *stream) { | 343 | FILE *freopen64(const char *pathname, const char *mode, FILE *stream) { |
344 | if (!orig_freopen64) | 344 | if (!orig_freopen64) |
345 | orig_freopen64 = (orig_freopen64_t)dlsym(RTLD_NEXT, "freopen64"); | 345 | orig_freopen64 = (orig_freopen64_t)dlsym(RTLD_NEXT, "freopen64"); |
346 | 346 | ||
347 | FILE *rv = orig_freopen64(pathname, mode, stream); | 347 | FILE *rv = orig_freopen64(pathname, mode, stream); |
348 | printf("%u:%s:freopen64 %s:%p\n", pid(), name(), pathname, rv); | 348 | printf("%u:%s:freopen64 %s:%p\n", pid(), name(), pathname, rv); |
349 | return rv; | 349 | return rv; |
@@ -356,7 +356,7 @@ static orig_unlink_t orig_unlink = NULL; | |||
356 | int unlink(const char *pathname) { | 356 | int unlink(const char *pathname) { |
357 | if (!orig_unlink) | 357 | if (!orig_unlink) |
358 | orig_unlink = (orig_unlink_t)dlsym(RTLD_NEXT, "unlink"); | 358 | orig_unlink = (orig_unlink_t)dlsym(RTLD_NEXT, "unlink"); |
359 | 359 | ||
360 | int rv = orig_unlink(pathname); | 360 | int rv = orig_unlink(pathname); |
361 | printf("%u:%s:unlink %s:%d\n", pid(), name(), pathname, rv); | 361 | printf("%u:%s:unlink %s:%d\n", pid(), name(), pathname, rv); |
362 | return rv; | 362 | return rv; |
@@ -367,7 +367,7 @@ static orig_unlinkat_t orig_unlinkat = NULL; | |||
367 | int unlinkat(int dirfd, const char *pathname, int flags) { | 367 | int unlinkat(int dirfd, const char *pathname, int flags) { |
368 | if (!orig_unlinkat) | 368 | if (!orig_unlinkat) |
369 | orig_unlinkat = (orig_unlinkat_t)dlsym(RTLD_NEXT, "unlinkat"); | 369 | orig_unlinkat = (orig_unlinkat_t)dlsym(RTLD_NEXT, "unlinkat"); |
370 | 370 | ||
371 | int rv = orig_unlinkat(dirfd, pathname, flags); | 371 | int rv = orig_unlinkat(dirfd, pathname, flags); |
372 | printf("%u:%s:unlinkat %s:%d\n", pid(), name(), pathname, rv); | 372 | printf("%u:%s:unlinkat %s:%d\n", pid(), name(), pathname, rv); |
373 | return rv; | 373 | return rv; |
@@ -379,7 +379,7 @@ static orig_mkdir_t orig_mkdir = NULL; | |||
379 | int mkdir(const char *pathname, mode_t mode) { | 379 | int mkdir(const char *pathname, mode_t mode) { |
380 | if (!orig_mkdir) | 380 | if (!orig_mkdir) |
381 | orig_mkdir = (orig_mkdir_t)dlsym(RTLD_NEXT, "mkdir"); | 381 | orig_mkdir = (orig_mkdir_t)dlsym(RTLD_NEXT, "mkdir"); |
382 | 382 | ||
383 | int rv = orig_mkdir(pathname, mode); | 383 | int rv = orig_mkdir(pathname, mode); |
384 | printf("%u:%s:mkdir %s:%d\n", pid(), name(), pathname, rv); | 384 | printf("%u:%s:mkdir %s:%d\n", pid(), name(), pathname, rv); |
385 | return rv; | 385 | return rv; |
@@ -390,7 +390,7 @@ static orig_mkdirat_t orig_mkdirat = NULL; | |||
390 | int mkdirat(int dirfd, const char *pathname, mode_t mode) { | 390 | int mkdirat(int dirfd, const char *pathname, mode_t mode) { |
391 | if (!orig_mkdirat) | 391 | if (!orig_mkdirat) |
392 | orig_mkdirat = (orig_mkdirat_t)dlsym(RTLD_NEXT, "mkdirat"); | 392 | orig_mkdirat = (orig_mkdirat_t)dlsym(RTLD_NEXT, "mkdirat"); |
393 | 393 | ||
394 | int rv = orig_mkdirat(dirfd, pathname, mode); | 394 | int rv = orig_mkdirat(dirfd, pathname, mode); |
395 | printf("%u:%s:mkdirat %s:%d\n", pid(), name(), pathname, rv); | 395 | printf("%u:%s:mkdirat %s:%d\n", pid(), name(), pathname, rv); |
396 | return rv; | 396 | return rv; |
@@ -401,7 +401,7 @@ static orig_rmdir_t orig_rmdir = NULL; | |||
401 | int rmdir(const char *pathname) { | 401 | int rmdir(const char *pathname) { |
402 | if (!orig_rmdir) | 402 | if (!orig_rmdir) |
403 | orig_rmdir = (orig_rmdir_t)dlsym(RTLD_NEXT, "rmdir"); | 403 | orig_rmdir = (orig_rmdir_t)dlsym(RTLD_NEXT, "rmdir"); |
404 | 404 | ||
405 | int rv = orig_rmdir(pathname); | 405 | int rv = orig_rmdir(pathname); |
406 | printf("%u:%s:rmdir %s:%d\n", pid(), name(), pathname, rv); | 406 | printf("%u:%s:rmdir %s:%d\n", pid(), name(), pathname, rv); |
407 | return rv; | 407 | return rv; |
@@ -413,7 +413,7 @@ static orig_stat_t orig_stat = NULL; | |||
413 | int stat(const char *pathname, struct stat *buf) { | 413 | int stat(const char *pathname, struct stat *buf) { |
414 | if (!orig_stat) | 414 | if (!orig_stat) |
415 | orig_stat = (orig_stat_t)dlsym(RTLD_NEXT, "stat"); | 415 | orig_stat = (orig_stat_t)dlsym(RTLD_NEXT, "stat"); |
416 | 416 | ||
417 | int rv = orig_stat(pathname, buf); | 417 | int rv = orig_stat(pathname, buf); |
418 | printf("%u:%s:stat %s:%d\n", pid(), name(), pathname, rv); | 418 | printf("%u:%s:stat %s:%d\n", pid(), name(), pathname, rv); |
419 | return rv; | 419 | return rv; |
@@ -425,7 +425,7 @@ static orig_stat64_t orig_stat64 = NULL; | |||
425 | int stat64(const char *pathname, struct stat64 *buf) { | 425 | int stat64(const char *pathname, struct stat64 *buf) { |
426 | if (!orig_stat64) | 426 | if (!orig_stat64) |
427 | orig_stat64 = (orig_stat64_t)dlsym(RTLD_NEXT, "stat64"); | 427 | orig_stat64 = (orig_stat64_t)dlsym(RTLD_NEXT, "stat64"); |
428 | 428 | ||
429 | int rv = orig_stat64(pathname, buf); | 429 | int rv = orig_stat64(pathname, buf); |
430 | printf("%u:%s:stat64 %s:%d\n", pid(), name(), pathname, rv); | 430 | printf("%u:%s:stat64 %s:%d\n", pid(), name(), pathname, rv); |
431 | return rv; | 431 | return rv; |
@@ -463,7 +463,7 @@ static orig_opendir_t orig_opendir = NULL; | |||
463 | DIR *opendir(const char *pathname) { | 463 | DIR *opendir(const char *pathname) { |
464 | if (!orig_opendir) | 464 | if (!orig_opendir) |
465 | orig_opendir = (orig_opendir_t)dlsym(RTLD_NEXT, "opendir"); | 465 | orig_opendir = (orig_opendir_t)dlsym(RTLD_NEXT, "opendir"); |
466 | 466 | ||
467 | DIR *rv = orig_opendir(pathname); | 467 | DIR *rv = orig_opendir(pathname); |
468 | printf("%u:%s:opendir %s:%p\n", pid(), name(), pathname, rv); | 468 | printf("%u:%s:opendir %s:%p\n", pid(), name(), pathname, rv); |
469 | return rv; | 469 | return rv; |
@@ -475,7 +475,7 @@ static orig_access_t orig_access = NULL; | |||
475 | int access(const char *pathname, int mode) { | 475 | int access(const char *pathname, int mode) { |
476 | if (!orig_access) | 476 | if (!orig_access) |
477 | orig_access = (orig_access_t)dlsym(RTLD_NEXT, "access"); | 477 | orig_access = (orig_access_t)dlsym(RTLD_NEXT, "access"); |
478 | 478 | ||
479 | int rv = orig_access(pathname, mode); | 479 | int rv = orig_access(pathname, mode); |
480 | printf("%u:%s:access %s:%d\n", pid(), name(), pathname, rv); | 480 | printf("%u:%s:access %s:%d\n", pid(), name(), pathname, rv); |
481 | return rv; | 481 | return rv; |
@@ -488,7 +488,7 @@ static orig_connect_t orig_connect = NULL; | |||
488 | int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) { | 488 | int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) { |
489 | if (!orig_connect) | 489 | if (!orig_connect) |
490 | orig_connect = (orig_connect_t)dlsym(RTLD_NEXT, "connect"); | 490 | orig_connect = (orig_connect_t)dlsym(RTLD_NEXT, "connect"); |
491 | 491 | ||
492 | int rv = orig_connect(sockfd, addr, addrlen); | 492 | int rv = orig_connect(sockfd, addr, addrlen); |
493 | print_sockaddr(sockfd, "connect", addr, rv); | 493 | print_sockaddr(sockfd, "connect", addr, rv); |
494 | 494 | ||
@@ -502,7 +502,7 @@ static char buf[1024]; | |||
502 | int socket(int domain, int type, int protocol) { | 502 | int socket(int domain, int type, int protocol) { |
503 | if (!orig_socket) | 503 | if (!orig_socket) |
504 | orig_socket = (orig_socket_t)dlsym(RTLD_NEXT, "socket"); | 504 | orig_socket = (orig_socket_t)dlsym(RTLD_NEXT, "socket"); |
505 | 505 | ||
506 | int rv = orig_socket(domain, type, protocol); | 506 | int rv = orig_socket(domain, type, protocol); |
507 | char *ptr = buf; | 507 | char *ptr = buf; |
508 | ptr += sprintf(ptr, "%u:%s:socket ", pid(), name()); | 508 | ptr += sprintf(ptr, "%u:%s:socket ", pid(), name()); |
@@ -545,7 +545,7 @@ static orig_bind_t orig_bind = NULL; | |||
545 | int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen) { | 545 | int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen) { |
546 | if (!orig_bind) | 546 | if (!orig_bind) |
547 | orig_bind = (orig_bind_t)dlsym(RTLD_NEXT, "bind"); | 547 | orig_bind = (orig_bind_t)dlsym(RTLD_NEXT, "bind"); |
548 | 548 | ||
549 | int rv = orig_bind(sockfd, addr, addrlen); | 549 | int rv = orig_bind(sockfd, addr, addrlen); |
550 | print_sockaddr(sockfd, "bind", addr, rv); | 550 | print_sockaddr(sockfd, "bind", addr, rv); |
551 | 551 | ||
@@ -558,7 +558,7 @@ static orig_accept_t orig_accept = NULL; | |||
558 | int accept(int sockfd, struct sockaddr *addr, socklen_t addrlen) { | 558 | int accept(int sockfd, struct sockaddr *addr, socklen_t addrlen) { |
559 | if (!orig_accept) | 559 | if (!orig_accept) |
560 | orig_accept = (orig_accept_t)dlsym(RTLD_NEXT, "accept"); | 560 | orig_accept = (orig_accept_t)dlsym(RTLD_NEXT, "accept"); |
561 | 561 | ||
562 | int rv = orig_accept(sockfd, addr, addrlen); | 562 | int rv = orig_accept(sockfd, addr, addrlen); |
563 | print_sockaddr(sockfd, "accept", addr, rv); | 563 | print_sockaddr(sockfd, "accept", addr, rv); |
564 | 564 | ||
@@ -571,7 +571,7 @@ static orig_system_t orig_system = NULL; | |||
571 | int system(const char *command) { | 571 | int system(const char *command) { |
572 | if (!orig_system) | 572 | if (!orig_system) |
573 | orig_system = (orig_system_t)dlsym(RTLD_NEXT, "system"); | 573 | orig_system = (orig_system_t)dlsym(RTLD_NEXT, "system"); |
574 | 574 | ||
575 | int rv = orig_system(command); | 575 | int rv = orig_system(command); |
576 | printf("%u:%s:system %s:%d\n", pid(), name(), command, rv); | 576 | printf("%u:%s:system %s:%d\n", pid(), name(), command, rv); |
577 | 577 | ||
@@ -583,7 +583,7 @@ static orig_setuid_t orig_setuid = NULL; | |||
583 | int setuid(uid_t uid) { | 583 | int setuid(uid_t uid) { |
584 | if (!orig_setuid) | 584 | if (!orig_setuid) |
585 | orig_setuid = (orig_setuid_t)dlsym(RTLD_NEXT, "setuid"); | 585 | orig_setuid = (orig_setuid_t)dlsym(RTLD_NEXT, "setuid"); |
586 | 586 | ||
587 | int rv = orig_setuid(uid); | 587 | int rv = orig_setuid(uid); |
588 | printf("%u:%s:setuid %d:%d\n", pid(), name(), uid, rv); | 588 | printf("%u:%s:setuid %d:%d\n", pid(), name(), uid, rv); |
589 | 589 | ||
@@ -595,7 +595,7 @@ static orig_setgid_t orig_setgid = NULL; | |||
595 | int setgid(gid_t gid) { | 595 | int setgid(gid_t gid) { |
596 | if (!orig_setgid) | 596 | if (!orig_setgid) |
597 | orig_setgid = (orig_setgid_t)dlsym(RTLD_NEXT, "setgid"); | 597 | orig_setgid = (orig_setgid_t)dlsym(RTLD_NEXT, "setgid"); |
598 | 598 | ||
599 | int rv = orig_setgid(gid); | 599 | int rv = orig_setgid(gid); |
600 | printf("%u:%s:setgid %d:%d\n", pid(), name(), gid, rv); | 600 | printf("%u:%s:setgid %d:%d\n", pid(), name(), gid, rv); |
601 | 601 | ||
@@ -607,7 +607,7 @@ static orig_setfsuid_t orig_setfsuid = NULL; | |||
607 | int setfsuid(uid_t uid) { | 607 | int setfsuid(uid_t uid) { |
608 | if (!orig_setfsuid) | 608 | if (!orig_setfsuid) |
609 | orig_setfsuid = (orig_setfsuid_t)dlsym(RTLD_NEXT, "setfsuid"); | 609 | orig_setfsuid = (orig_setfsuid_t)dlsym(RTLD_NEXT, "setfsuid"); |
610 | 610 | ||
611 | int rv = orig_setfsuid(uid); | 611 | int rv = orig_setfsuid(uid); |
612 | printf("%u:%s:setfsuid %d:%d\n", pid(), name(), uid, rv); | 612 | printf("%u:%s:setfsuid %d:%d\n", pid(), name(), uid, rv); |
613 | 613 | ||
@@ -619,7 +619,7 @@ static orig_setfsgid_t orig_setfsgid = NULL; | |||
619 | int setfsgid(gid_t gid) { | 619 | int setfsgid(gid_t gid) { |
620 | if (!orig_setfsgid) | 620 | if (!orig_setfsgid) |
621 | orig_setfsgid = (orig_setfsgid_t)dlsym(RTLD_NEXT, "setfsgid"); | 621 | orig_setfsgid = (orig_setfsgid_t)dlsym(RTLD_NEXT, "setfsgid"); |
622 | 622 | ||
623 | int rv = orig_setfsgid(gid); | 623 | int rv = orig_setfsgid(gid); |
624 | printf("%u:%s:setfsgid %d:%d\n", pid(), name(), gid, rv); | 624 | printf("%u:%s:setfsgid %d:%d\n", pid(), name(), gid, rv); |
625 | 625 | ||
@@ -631,7 +631,7 @@ static orig_setreuid_t orig_setreuid = NULL; | |||
631 | int setreuid(uid_t ruid, uid_t euid) { | 631 | int setreuid(uid_t ruid, uid_t euid) { |
632 | if (!orig_setreuid) | 632 | if (!orig_setreuid) |
633 | orig_setreuid = (orig_setreuid_t)dlsym(RTLD_NEXT, "setreuid"); | 633 | orig_setreuid = (orig_setreuid_t)dlsym(RTLD_NEXT, "setreuid"); |
634 | 634 | ||
635 | int rv = orig_setreuid(ruid, euid); | 635 | int rv = orig_setreuid(ruid, euid); |
636 | printf("%u:%s:setreuid %d %d:%d\n", pid(), name(), ruid, euid, rv); | 636 | printf("%u:%s:setreuid %d %d:%d\n", pid(), name(), ruid, euid, rv); |
637 | 637 | ||
@@ -643,7 +643,7 @@ static orig_setregid_t orig_setregid = NULL; | |||
643 | int setregid(gid_t rgid, gid_t egid) { | 643 | int setregid(gid_t rgid, gid_t egid) { |
644 | if (!orig_setregid) | 644 | if (!orig_setregid) |
645 | orig_setregid = (orig_setregid_t)dlsym(RTLD_NEXT, "setregid"); | 645 | orig_setregid = (orig_setregid_t)dlsym(RTLD_NEXT, "setregid"); |
646 | 646 | ||
647 | int rv = orig_setregid(rgid, egid); | 647 | int rv = orig_setregid(rgid, egid); |
648 | printf("%u:%s:setregid %d %d:%d\n", pid(), name(), rgid, egid, rv); | 648 | printf("%u:%s:setregid %d %d:%d\n", pid(), name(), rgid, egid, rv); |
649 | 649 | ||
@@ -655,7 +655,7 @@ static orig_setresuid_t orig_setresuid = NULL; | |||
655 | int setresuid(uid_t ruid, uid_t euid, uid_t suid) { | 655 | int setresuid(uid_t ruid, uid_t euid, uid_t suid) { |
656 | if (!orig_setresuid) | 656 | if (!orig_setresuid) |
657 | orig_setresuid = (orig_setresuid_t)dlsym(RTLD_NEXT, "setresuid"); | 657 | orig_setresuid = (orig_setresuid_t)dlsym(RTLD_NEXT, "setresuid"); |
658 | 658 | ||
659 | int rv = orig_setresuid(ruid, euid, suid); | 659 | int rv = orig_setresuid(ruid, euid, suid); |
660 | printf("%u:%s:setresuid %d %d %d:%d\n", pid(), name(), ruid, euid, suid, rv); | 660 | printf("%u:%s:setresuid %d %d %d:%d\n", pid(), name(), ruid, euid, suid, rv); |
661 | 661 | ||
@@ -667,7 +667,7 @@ static orig_setresgid_t orig_setresgid = NULL; | |||
667 | int setresgid(gid_t rgid, gid_t egid, gid_t sgid) { | 667 | int setresgid(gid_t rgid, gid_t egid, gid_t sgid) { |
668 | if (!orig_setresgid) | 668 | if (!orig_setresgid) |
669 | orig_setresgid = (orig_setresgid_t)dlsym(RTLD_NEXT, "setresgid"); | 669 | orig_setresgid = (orig_setresgid_t)dlsym(RTLD_NEXT, "setresgid"); |
670 | 670 | ||
671 | int rv = orig_setresgid(rgid, egid, sgid); | 671 | int rv = orig_setresgid(rgid, egid, sgid); |
672 | printf("%u:%s:setresgid %d %d %d:%d\n", pid(), name(), rgid, egid, sgid, rv); | 672 | printf("%u:%s:setresgid %d %d %d:%d\n", pid(), name(), rgid, egid, sgid, rv); |
673 | 673 | ||
diff --git a/src/libtracelog/Makefile.in b/src/libtracelog/Makefile.in index 5c199d338..7ce5e4c41 100644 --- a/src/libtracelog/Makefile.in +++ b/src/libtracelog/Makefile.in | |||
@@ -8,7 +8,7 @@ C_FILE_LIST = $(sort $(wildcard *.c)) | |||
8 | OBJS = $(C_FILE_LIST:.c=.o) | 8 | OBJS = $(C_FILE_LIST:.c=.o) |
9 | BINOBJS = $(foreach file, $(OBJS), $file) | 9 | BINOBJS = $(foreach file, $(OBJS), $file) |
10 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security | 10 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security |
11 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now | 11 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now |
12 | 12 | ||
13 | all: libtracelog.so | 13 | all: libtracelog.so |
14 | 14 | ||
diff --git a/src/libtracelog/libtracelog.c b/src/libtracelog/libtracelog.c index abacb7115..dc68b0620 100644 --- a/src/libtracelog/libtracelog.c +++ b/src/libtracelog/libtracelog.c | |||
@@ -52,7 +52,7 @@ typedef struct list_elem_t { | |||
52 | #define HMASK 0x0ff | 52 | #define HMASK 0x0ff |
53 | ListElem *storage[HMASK + 1]; | 53 | ListElem *storage[HMASK + 1]; |
54 | 54 | ||
55 | // djb2 | 55 | // djb2 |
56 | static inline uint32_t hash(const char *str) { | 56 | static inline uint32_t hash(const char *str) { |
57 | uint32_t hash = 5381; | 57 | uint32_t hash = 5381; |
58 | int c; | 58 | int c; |
@@ -70,10 +70,10 @@ static void storage_add(const char *str) { | |||
70 | if (!str) { | 70 | if (!str) { |
71 | #ifdef DEBUG | 71 | #ifdef DEBUG |
72 | printf("null pointer passed to storage_add\n"); | 72 | printf("null pointer passed to storage_add\n"); |
73 | #endif | 73 | #endif |
74 | return; | 74 | return; |
75 | } | 75 | } |
76 | 76 | ||
77 | ListElem *ptr = malloc(sizeof(ListElem)); | 77 | ListElem *ptr = malloc(sizeof(ListElem)); |
78 | if (!ptr) { | 78 | if (!ptr) { |
79 | fprintf(stderr, "Error: cannot allocate memory\n"); | 79 | fprintf(stderr, "Error: cannot allocate memory\n"); |
@@ -85,7 +85,7 @@ static void storage_add(const char *str) { | |||
85 | free(ptr); | 85 | free(ptr); |
86 | return; | 86 | return; |
87 | } | 87 | } |
88 | 88 | ||
89 | // insert it into the hash table | 89 | // insert it into the hash table |
90 | uint32_t h = hash(ptr->path); | 90 | uint32_t h = hash(ptr->path); |
91 | ptr->next = storage[h]; | 91 | ptr->next = storage[h]; |
@@ -147,11 +147,11 @@ static char *storage_find(const char *str) { | |||
147 | } | 147 | } |
148 | ptr = ptr->next; | 148 | ptr = ptr->next; |
149 | } | 149 | } |
150 | 150 | ||
151 | if (allocated) | 151 | if (allocated) |
152 | free((char *) tofind); | 152 | free((char *) tofind); |
153 | #ifdef DEBUG | 153 | #ifdef DEBUG |
154 | printf("storage not found\n"); | 154 | printf("storage not found\n"); |
155 | #endif | 155 | #endif |
156 | return NULL; | 156 | return NULL; |
157 | } | 157 | } |
@@ -168,7 +168,7 @@ static char *sandbox_name_str = NULL; | |||
168 | static void load_blacklist(void) { | 168 | static void load_blacklist(void) { |
169 | if (blacklist_loaded) | 169 | if (blacklist_loaded) |
170 | return; | 170 | return; |
171 | 171 | ||
172 | // open filesystem log | 172 | // open filesystem log |
173 | if (!orig_fopen) | 173 | if (!orig_fopen) |
174 | orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen"); | 174 | orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen"); |
@@ -204,7 +204,7 @@ static void load_blacklist(void) { | |||
204 | } | 204 | } |
205 | fclose(fp); | 205 | fclose(fp); |
206 | blacklist_loaded = 1; | 206 | blacklist_loaded = 1; |
207 | #ifdef DEBUG | 207 | #ifdef DEBUG |
208 | printf("Monitoring %d blacklists\n", cnt); | 208 | printf("Monitoring %d blacklists\n", cnt); |
209 | { | 209 | { |
210 | int i; | 210 | int i; |
@@ -215,7 +215,7 @@ static void load_blacklist(void) { | |||
215 | cnt++; | 215 | cnt++; |
216 | ptr = ptr->next; | 216 | ptr = ptr->next; |
217 | } | 217 | } |
218 | 218 | ||
219 | if ((i % 16) == 0) | 219 | if ((i % 16) == 0) |
220 | printf("\n"); | 220 | printf("\n"); |
221 | printf("%02d ", cnt); | 221 | printf("%02d ", cnt); |
@@ -232,8 +232,8 @@ static void sendlog(const char *name, const char *call, const char *path) { | |||
232 | printf("null pointer passed to sendlog\n"); | 232 | printf("null pointer passed to sendlog\n"); |
233 | #endif | 233 | #endif |
234 | return; | 234 | return; |
235 | } | 235 | } |
236 | 236 | ||
237 | openlog ("firejail", LOG_CONS | LOG_PID | LOG_NDELAY, LOG_LOCAL1); | 237 | openlog ("firejail", LOG_CONS | LOG_PID | LOG_NDELAY, LOG_LOCAL1); |
238 | if (sandbox_pid_str && sandbox_name_str) | 238 | if (sandbox_pid_str && sandbox_name_str) |
239 | syslog (LOG_INFO, "blacklist violation - sandbox %s, name %s, exe %s, syscall %s, path %s", | 239 | syslog (LOG_INFO, "blacklist violation - sandbox %s, name %s, exe %s, syscall %s, path %s", |
@@ -266,10 +266,10 @@ static char myname[MAXNAME]; | |||
266 | static int nameinit = 0; | 266 | static int nameinit = 0; |
267 | static char *name(void) { | 267 | static char *name(void) { |
268 | if (!nameinit) { | 268 | if (!nameinit) { |
269 | 269 | ||
270 | // initialize the name of the process based on /proc/PID/comm | 270 | // initialize the name of the process based on /proc/PID/comm |
271 | memset(myname, 0, MAXNAME); | 271 | memset(myname, 0, MAXNAME); |
272 | 272 | ||
273 | pid_t p = pid(); | 273 | pid_t p = pid(); |
274 | char *fname; | 274 | char *fname; |
275 | if (asprintf(&fname, "/proc/%u/comm", p) == -1) | 275 | if (asprintf(&fname, "/proc/%u/comm", p) == -1) |
@@ -286,17 +286,17 @@ static char *name(void) { | |||
286 | free(fname); | 286 | free(fname); |
287 | return "unknown"; | 287 | return "unknown"; |
288 | } | 288 | } |
289 | 289 | ||
290 | // clean '\n' | 290 | // clean '\n' |
291 | char *ptr = strchr(myname, '\n'); | 291 | char *ptr = strchr(myname, '\n'); |
292 | if (ptr) | 292 | if (ptr) |
293 | *ptr = '\0'; | 293 | *ptr = '\0'; |
294 | 294 | ||
295 | fclose(fp); | 295 | fclose(fp); |
296 | free(fname); | 296 | free(fname); |
297 | nameinit = 1; | 297 | nameinit = 1; |
298 | } | 298 | } |
299 | 299 | ||
300 | return myname; | 300 | return myname; |
301 | } | 301 | } |
302 | 302 | ||
@@ -313,10 +313,10 @@ int open(const char *pathname, int flags, mode_t mode) { | |||
313 | #endif | 313 | #endif |
314 | if (!orig_open) | 314 | if (!orig_open) |
315 | orig_open = (orig_open_t)dlsym(RTLD_NEXT, "open"); | 315 | orig_open = (orig_open_t)dlsym(RTLD_NEXT, "open"); |
316 | 316 | ||
317 | if (!blacklist_loaded) | 317 | if (!blacklist_loaded) |
318 | load_blacklist(); | 318 | load_blacklist(); |
319 | 319 | ||
320 | if (storage_find(pathname)) | 320 | if (storage_find(pathname)) |
321 | sendlog(name(), __FUNCTION__, pathname); | 321 | sendlog(name(), __FUNCTION__, pathname); |
322 | int rv = orig_open(pathname, flags, mode); | 322 | int rv = orig_open(pathname, flags, mode); |
@@ -337,7 +337,7 @@ int open64(const char *pathname, int flags, mode_t mode) { | |||
337 | orig_open64 = (orig_open64_t)dlsym(RTLD_NEXT, "open64"); | 337 | orig_open64 = (orig_open64_t)dlsym(RTLD_NEXT, "open64"); |
338 | if (!blacklist_loaded) | 338 | if (!blacklist_loaded) |
339 | load_blacklist(); | 339 | load_blacklist(); |
340 | 340 | ||
341 | if (storage_find(pathname)) | 341 | if (storage_find(pathname)) |
342 | sendlog(name(), __FUNCTION__, pathname); | 342 | sendlog(name(), __FUNCTION__, pathname); |
343 | int rv = orig_open64(pathname, flags, mode); | 343 | int rv = orig_open64(pathname, flags, mode); |
@@ -357,7 +357,7 @@ int openat(int dirfd, const char *pathname, int flags, mode_t mode) { | |||
357 | orig_openat = (orig_openat_t)dlsym(RTLD_NEXT, "openat"); | 357 | orig_openat = (orig_openat_t)dlsym(RTLD_NEXT, "openat"); |
358 | if (!blacklist_loaded) | 358 | if (!blacklist_loaded) |
359 | load_blacklist(); | 359 | load_blacklist(); |
360 | 360 | ||
361 | if (storage_find(pathname)) | 361 | if (storage_find(pathname)) |
362 | sendlog(name(), __FUNCTION__, pathname); | 362 | sendlog(name(), __FUNCTION__, pathname); |
363 | int rv = orig_openat(dirfd, pathname, flags, mode); | 363 | int rv = orig_openat(dirfd, pathname, flags, mode); |
@@ -374,7 +374,7 @@ int openat64(int dirfd, const char *pathname, int flags, mode_t mode) { | |||
374 | orig_openat64 = (orig_openat64_t)dlsym(RTLD_NEXT, "openat64"); | 374 | orig_openat64 = (orig_openat64_t)dlsym(RTLD_NEXT, "openat64"); |
375 | if (!blacklist_loaded) | 375 | if (!blacklist_loaded) |
376 | load_blacklist(); | 376 | load_blacklist(); |
377 | 377 | ||
378 | if (storage_find(pathname)) | 378 | if (storage_find(pathname)) |
379 | sendlog(name(), __FUNCTION__, pathname); | 379 | sendlog(name(), __FUNCTION__, pathname); |
380 | int rv = orig_openat64(dirfd, pathname, flags, mode); | 380 | int rv = orig_openat64(dirfd, pathname, flags, mode); |
@@ -391,7 +391,7 @@ FILE *fopen(const char *pathname, const char *mode) { | |||
391 | orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen"); | 391 | orig_fopen = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen"); |
392 | if (!blacklist_loaded) | 392 | if (!blacklist_loaded) |
393 | load_blacklist(); | 393 | load_blacklist(); |
394 | 394 | ||
395 | if (storage_find(pathname)) | 395 | if (storage_find(pathname)) |
396 | sendlog(name(), __FUNCTION__, pathname); | 396 | sendlog(name(), __FUNCTION__, pathname); |
397 | FILE *rv = orig_fopen(pathname, mode); | 397 | FILE *rv = orig_fopen(pathname, mode); |
@@ -407,7 +407,7 @@ FILE *fopen64(const char *pathname, const char *mode) { | |||
407 | orig_fopen64 = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen64"); | 407 | orig_fopen64 = (orig_fopen_t)dlsym(RTLD_NEXT, "fopen64"); |
408 | if (!blacklist_loaded) | 408 | if (!blacklist_loaded) |
409 | load_blacklist(); | 409 | load_blacklist(); |
410 | 410 | ||
411 | if (storage_find(pathname)) | 411 | if (storage_find(pathname)) |
412 | sendlog(name(), __FUNCTION__, pathname); | 412 | sendlog(name(), __FUNCTION__, pathname); |
413 | FILE *rv = orig_fopen64(pathname, mode); | 413 | FILE *rv = orig_fopen64(pathname, mode); |
@@ -427,7 +427,7 @@ FILE *freopen(const char *pathname, const char *mode, FILE *stream) { | |||
427 | orig_freopen = (orig_freopen_t)dlsym(RTLD_NEXT, "freopen"); | 427 | orig_freopen = (orig_freopen_t)dlsym(RTLD_NEXT, "freopen"); |
428 | if (!blacklist_loaded) | 428 | if (!blacklist_loaded) |
429 | load_blacklist(); | 429 | load_blacklist(); |
430 | 430 | ||
431 | if (storage_find(pathname)) | 431 | if (storage_find(pathname)) |
432 | sendlog(name(), __FUNCTION__, pathname); | 432 | sendlog(name(), __FUNCTION__, pathname); |
433 | FILE *rv = orig_freopen(pathname, mode, stream); | 433 | FILE *rv = orig_freopen(pathname, mode, stream); |
@@ -445,7 +445,7 @@ FILE *freopen64(const char *pathname, const char *mode, FILE *stream) { | |||
445 | orig_freopen64 = (orig_freopen64_t)dlsym(RTLD_NEXT, "freopen64"); | 445 | orig_freopen64 = (orig_freopen64_t)dlsym(RTLD_NEXT, "freopen64"); |
446 | if (!blacklist_loaded) | 446 | if (!blacklist_loaded) |
447 | load_blacklist(); | 447 | load_blacklist(); |
448 | 448 | ||
449 | if (storage_find(pathname)) | 449 | if (storage_find(pathname)) |
450 | sendlog(name(), __FUNCTION__, pathname); | 450 | sendlog(name(), __FUNCTION__, pathname); |
451 | FILE *rv = orig_freopen64(pathname, mode, stream); | 451 | FILE *rv = orig_freopen64(pathname, mode, stream); |
@@ -464,7 +464,7 @@ int unlink(const char *pathname) { | |||
464 | orig_unlink = (orig_unlink_t)dlsym(RTLD_NEXT, "unlink"); | 464 | orig_unlink = (orig_unlink_t)dlsym(RTLD_NEXT, "unlink"); |
465 | if (!blacklist_loaded) | 465 | if (!blacklist_loaded) |
466 | load_blacklist(); | 466 | load_blacklist(); |
467 | 467 | ||
468 | if (storage_find(pathname)) | 468 | if (storage_find(pathname)) |
469 | sendlog(name(), __FUNCTION__, pathname); | 469 | sendlog(name(), __FUNCTION__, pathname); |
470 | int rv = orig_unlink(pathname); | 470 | int rv = orig_unlink(pathname); |
@@ -481,7 +481,7 @@ int unlinkat(int dirfd, const char *pathname, int flags) { | |||
481 | orig_unlinkat = (orig_unlinkat_t)dlsym(RTLD_NEXT, "unlinkat"); | 481 | orig_unlinkat = (orig_unlinkat_t)dlsym(RTLD_NEXT, "unlinkat"); |
482 | if (!blacklist_loaded) | 482 | if (!blacklist_loaded) |
483 | load_blacklist(); | 483 | load_blacklist(); |
484 | 484 | ||
485 | if (storage_find(pathname)) | 485 | if (storage_find(pathname)) |
486 | sendlog(name(), __FUNCTION__, pathname); | 486 | sendlog(name(), __FUNCTION__, pathname); |
487 | int rv = orig_unlinkat(dirfd, pathname, flags); | 487 | int rv = orig_unlinkat(dirfd, pathname, flags); |
@@ -499,7 +499,7 @@ int mkdir(const char *pathname, mode_t mode) { | |||
499 | orig_mkdir = (orig_mkdir_t)dlsym(RTLD_NEXT, "mkdir"); | 499 | orig_mkdir = (orig_mkdir_t)dlsym(RTLD_NEXT, "mkdir"); |
500 | if (!blacklist_loaded) | 500 | if (!blacklist_loaded) |
501 | load_blacklist(); | 501 | load_blacklist(); |
502 | 502 | ||
503 | if (storage_find(pathname)) | 503 | if (storage_find(pathname)) |
504 | sendlog(name(), __FUNCTION__, pathname); | 504 | sendlog(name(), __FUNCTION__, pathname); |
505 | int rv = orig_mkdir(pathname, mode); | 505 | int rv = orig_mkdir(pathname, mode); |
@@ -516,7 +516,7 @@ int mkdirat(int dirfd, const char *pathname, mode_t mode) { | |||
516 | orig_mkdirat = (orig_mkdirat_t)dlsym(RTLD_NEXT, "mkdirat"); | 516 | orig_mkdirat = (orig_mkdirat_t)dlsym(RTLD_NEXT, "mkdirat"); |
517 | if (!blacklist_loaded) | 517 | if (!blacklist_loaded) |
518 | load_blacklist(); | 518 | load_blacklist(); |
519 | 519 | ||
520 | if (storage_find(pathname)) | 520 | if (storage_find(pathname)) |
521 | sendlog(name(), __FUNCTION__, pathname); | 521 | sendlog(name(), __FUNCTION__, pathname); |
522 | int rv = orig_mkdirat(dirfd, pathname, mode); | 522 | int rv = orig_mkdirat(dirfd, pathname, mode); |
@@ -533,7 +533,7 @@ int rmdir(const char *pathname) { | |||
533 | orig_rmdir = (orig_rmdir_t)dlsym(RTLD_NEXT, "rmdir"); | 533 | orig_rmdir = (orig_rmdir_t)dlsym(RTLD_NEXT, "rmdir"); |
534 | if (!blacklist_loaded) | 534 | if (!blacklist_loaded) |
535 | load_blacklist(); | 535 | load_blacklist(); |
536 | 536 | ||
537 | if (storage_find(pathname)) | 537 | if (storage_find(pathname)) |
538 | sendlog(name(), __FUNCTION__, pathname); | 538 | sendlog(name(), __FUNCTION__, pathname); |
539 | int rv = orig_rmdir(pathname); | 539 | int rv = orig_rmdir(pathname); |
@@ -551,7 +551,7 @@ int stat(const char *pathname, struct stat *buf) { | |||
551 | orig_stat = (orig_stat_t)dlsym(RTLD_NEXT, "stat"); | 551 | orig_stat = (orig_stat_t)dlsym(RTLD_NEXT, "stat"); |
552 | if (!blacklist_loaded) | 552 | if (!blacklist_loaded) |
553 | load_blacklist(); | 553 | load_blacklist(); |
554 | 554 | ||
555 | if (storage_find(pathname)) | 555 | if (storage_find(pathname)) |
556 | sendlog(name(), __FUNCTION__, pathname); | 556 | sendlog(name(), __FUNCTION__, pathname); |
557 | int rv = orig_stat(pathname, buf); | 557 | int rv = orig_stat(pathname, buf); |
@@ -569,7 +569,7 @@ int stat64(const char *pathname, struct stat64 *buf) { | |||
569 | orig_stat64 = (orig_stat64_t)dlsym(RTLD_NEXT, "stat64"); | 569 | orig_stat64 = (orig_stat64_t)dlsym(RTLD_NEXT, "stat64"); |
570 | if (!blacklist_loaded) | 570 | if (!blacklist_loaded) |
571 | load_blacklist(); | 571 | load_blacklist(); |
572 | 572 | ||
573 | if (storage_find(pathname)) | 573 | if (storage_find(pathname)) |
574 | sendlog(name(), __FUNCTION__, pathname); | 574 | sendlog(name(), __FUNCTION__, pathname); |
575 | int rv = orig_stat64(pathname, buf); | 575 | int rv = orig_stat64(pathname, buf); |
@@ -587,7 +587,7 @@ int lstat(const char *pathname, struct stat *buf) { | |||
587 | orig_lstat = (orig_lstat_t)dlsym(RTLD_NEXT, "lstat"); | 587 | orig_lstat = (orig_lstat_t)dlsym(RTLD_NEXT, "lstat"); |
588 | if (!blacklist_loaded) | 588 | if (!blacklist_loaded) |
589 | load_blacklist(); | 589 | load_blacklist(); |
590 | 590 | ||
591 | if (storage_find(pathname)) | 591 | if (storage_find(pathname)) |
592 | sendlog(name(), __FUNCTION__, pathname); | 592 | sendlog(name(), __FUNCTION__, pathname); |
593 | int rv = orig_lstat(pathname, buf); | 593 | int rv = orig_lstat(pathname, buf); |
@@ -605,7 +605,7 @@ int lstat64(const char *pathname, struct stat64 *buf) { | |||
605 | orig_lstat64 = (orig_lstat64_t)dlsym(RTLD_NEXT, "lstat64"); | 605 | orig_lstat64 = (orig_lstat64_t)dlsym(RTLD_NEXT, "lstat64"); |
606 | if (!blacklist_loaded) | 606 | if (!blacklist_loaded) |
607 | load_blacklist(); | 607 | load_blacklist(); |
608 | 608 | ||
609 | if (storage_find(pathname)) | 609 | if (storage_find(pathname)) |
610 | sendlog(name(), __FUNCTION__, pathname); | 610 | sendlog(name(), __FUNCTION__, pathname); |
611 | int rv = orig_lstat64(pathname, buf); | 611 | int rv = orig_lstat64(pathname, buf); |
@@ -624,7 +624,7 @@ int access(const char *pathname, int mode) { | |||
624 | orig_access = (orig_access_t)dlsym(RTLD_NEXT, "access"); | 624 | orig_access = (orig_access_t)dlsym(RTLD_NEXT, "access"); |
625 | if (!blacklist_loaded) | 625 | if (!blacklist_loaded) |
626 | load_blacklist(); | 626 | load_blacklist(); |
627 | 627 | ||
628 | if (storage_find(pathname)) | 628 | if (storage_find(pathname)) |
629 | sendlog(name(), __FUNCTION__, pathname); | 629 | sendlog(name(), __FUNCTION__, pathname); |
630 | int rv = orig_access(pathname, mode); | 630 | int rv = orig_access(pathname, mode); |
@@ -642,7 +642,7 @@ DIR *opendir(const char *pathname) { | |||
642 | orig_opendir = (orig_opendir_t)dlsym(RTLD_NEXT, "opendir"); | 642 | orig_opendir = (orig_opendir_t)dlsym(RTLD_NEXT, "opendir"); |
643 | if (!blacklist_loaded) | 643 | if (!blacklist_loaded) |
644 | load_blacklist(); | 644 | load_blacklist(); |
645 | 645 | ||
646 | if (storage_find(pathname)) | 646 | if (storage_find(pathname)) |
647 | sendlog(name(), __FUNCTION__, pathname); | 647 | sendlog(name(), __FUNCTION__, pathname); |
648 | DIR *rv = orig_opendir(pathname); | 648 | DIR *rv = orig_opendir(pathname); |
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt index 8cb9bcb3e..f99704579 100644 --- a/src/man/firecfg.txt +++ b/src/man/firecfg.txt | |||
@@ -4,7 +4,7 @@ Firecfg \- Desktop integration utility for Firejail software. | |||
4 | .SH SYNOPSIS | 4 | .SH SYNOPSIS |
5 | firecfg [OPTIONS] | 5 | firecfg [OPTIONS] |
6 | .SH DESCRIPTION | 6 | .SH DESCRIPTION |
7 | Firecfg is the desktop integration utility for Firejail sandbox. | 7 | Firecfg is the desktop integration utility for Firejail sandbox. |
8 | It allows the user to sandbox applications automatically by | 8 | It allows the user to sandbox applications automatically by |
9 | clicking on desktop manager icons and menus. | 9 | clicking on desktop manager icons and menus. |
10 | 10 | ||
@@ -102,5 +102,3 @@ Homepage: http://firejail.wordpress.com | |||
102 | \&\flfiremon\fR\|(1), | 102 | \&\flfiremon\fR\|(1), |
103 | \&\flfirejail-profile\fR\|(5), | 103 | \&\flfirejail-profile\fR\|(5), |
104 | \&\flfirejail-login\fR\|(5) | 104 | \&\flfirejail-login\fR\|(5) |
105 | |||
106 | |||
diff --git a/src/man/firejail-login.txt b/src/man/firejail-login.txt index 796179d0b..cb192b450 100644 --- a/src/man/firejail-login.txt +++ b/src/man/firejail-login.txt | |||
@@ -38,5 +38,3 @@ Homepage: http://firejail.wordpress.com | |||
38 | \&\flfiremon\fR\|(1), | 38 | \&\flfiremon\fR\|(1), |
39 | \&\flfirecfg\fR\|(1), | 39 | \&\flfirecfg\fR\|(1), |
40 | \&\flfirejail-profile\fR\|(5) | 40 | \&\flfirejail-profile\fR\|(5) |
41 | |||
42 | |||
diff --git a/src/man/firemon.txt b/src/man/firemon.txt index ecb626fc6..957a224c6 100644 --- a/src/man/firemon.txt +++ b/src/man/firemon.txt | |||
@@ -112,5 +112,3 @@ Homepage: http://firejail.wordpress.com | |||
112 | \&\flfirecfg\fR\|(1), | 112 | \&\flfirecfg\fR\|(1), |
113 | \&\flfirejail-profile\fR\|(5), | 113 | \&\flfirejail-profile\fR\|(5), |
114 | \&\flfirejail-login\fR\|(5) | 114 | \&\flfirejail-login\fR\|(5) |
115 | |||
116 | |||
diff --git a/src/tools/extract_caps.c b/src/tools/extract_caps.c index 66d86e1a6..b33fdf61f 100644 --- a/src/tools/extract_caps.c +++ b/src/tools/extract_caps.c | |||
@@ -29,14 +29,14 @@ int main(int argc, char **argv) { | |||
29 | printf("usage: %s /usr/include/linux/capability.h\n", argv[0]); | 29 | printf("usage: %s /usr/include/linux/capability.h\n", argv[0]); |
30 | return 1; | 30 | return 1; |
31 | } | 31 | } |
32 | 32 | ||
33 | //open file | 33 | //open file |
34 | FILE *fp = fopen(argv[1], "r"); | 34 | FILE *fp = fopen(argv[1], "r"); |
35 | if (!fp) { | 35 | if (!fp) { |
36 | fprintf(stderr, "Error: cannot open file\n"); | 36 | fprintf(stderr, "Error: cannot open file\n"); |
37 | return 1; | 37 | return 1; |
38 | } | 38 | } |
39 | 39 | ||
40 | // read file | 40 | // read file |
41 | char buf[BUFMAX]; | 41 | char buf[BUFMAX]; |
42 | while (fgets(buf, BUFMAX, fp)) { | 42 | while (fgets(buf, BUFMAX, fp)) { |
@@ -47,12 +47,12 @@ int main(int argc, char **argv) { | |||
47 | char *end = strchr(start, '\n'); | 47 | char *end = strchr(start, '\n'); |
48 | if (end) | 48 | if (end) |
49 | *end = '\0'; | 49 | *end = '\0'; |
50 | 50 | ||
51 | // parsing | 51 | // parsing |
52 | if (strncmp(start, "#define CAP_", 12) == 0) { | 52 | if (strncmp(start, "#define CAP_", 12) == 0) { |
53 | if (strstr(start, "CAP_LAST_CAP")) | 53 | if (strstr(start, "CAP_LAST_CAP")) |
54 | break; | 54 | break; |
55 | 55 | ||
56 | char *ptr1 = start + 8; | 56 | char *ptr1 = start + 8; |
57 | char *ptr2 = ptr1; | 57 | char *ptr2 = ptr1; |
58 | while (*ptr2 == ' ' || *ptr2 == '\t') | 58 | while (*ptr2 == ' ' || *ptr2 == '\t') |
@@ -60,7 +60,7 @@ int main(int argc, char **argv) { | |||
60 | while (*ptr2 != ' ' && *ptr2 != '\t') | 60 | while (*ptr2 != ' ' && *ptr2 != '\t') |
61 | ptr2++; | 61 | ptr2++; |
62 | *ptr2 = '\0'; | 62 | *ptr2 = '\0'; |
63 | 63 | ||
64 | ptr2 = strdup(ptr1); | 64 | ptr2 = strdup(ptr1); |
65 | assert(ptr2); | 65 | assert(ptr2); |
66 | ptr2 += 4; | 66 | ptr2 += 4; |
@@ -69,14 +69,14 @@ int main(int argc, char **argv) { | |||
69 | *ptr3 = tolower(*ptr3); | 69 | *ptr3 = tolower(*ptr3); |
70 | ptr3++; | 70 | ptr3++; |
71 | } | 71 | } |
72 | 72 | ||
73 | 73 | ||
74 | printf("#ifdef %s\n", ptr1); | 74 | printf("#ifdef %s\n", ptr1); |
75 | printf("\t{\"%s\", %s },\n", ptr2, ptr1); | 75 | printf("\t{\"%s\", %s },\n", ptr2, ptr1); |
76 | printf("#endif\n"); | 76 | printf("#endif\n"); |
77 | 77 | ||
78 | } | 78 | } |
79 | 79 | ||
80 | } | 80 | } |
81 | fclose(fp); | 81 | fclose(fp); |
82 | return 0; | 82 | return 0; |
diff --git a/src/tools/extract_syscalls.c b/src/tools/extract_syscalls.c index 9af24b8cd..4dad0d2b6 100644 --- a/src/tools/extract_syscalls.c +++ b/src/tools/extract_syscalls.c | |||
@@ -28,14 +28,14 @@ int main(int argc, char **argv) { | |||
28 | printf("usage: %s /usr/include/x86_64-linux-gnu/bits/syscall.h\n", argv[0]); | 28 | printf("usage: %s /usr/include/x86_64-linux-gnu/bits/syscall.h\n", argv[0]); |
29 | return 1; | 29 | return 1; |
30 | } | 30 | } |
31 | 31 | ||
32 | //open file | 32 | //open file |
33 | FILE *fp = fopen(argv[1], "r"); | 33 | FILE *fp = fopen(argv[1], "r"); |
34 | if (!fp) { | 34 | if (!fp) { |
35 | fprintf(stderr, "Error: cannot open file\n"); | 35 | fprintf(stderr, "Error: cannot open file\n"); |
36 | return 1; | 36 | return 1; |
37 | } | 37 | } |
38 | 38 | ||
39 | // read file | 39 | // read file |
40 | char buf[BUFMAX]; | 40 | char buf[BUFMAX]; |
41 | while (fgets(buf, BUFMAX, fp)) { | 41 | while (fgets(buf, BUFMAX, fp)) { |
@@ -46,7 +46,7 @@ int main(int argc, char **argv) { | |||
46 | char *end = strchr(start, '\n'); | 46 | char *end = strchr(start, '\n'); |
47 | if (end) | 47 | if (end) |
48 | *end = '\0'; | 48 | *end = '\0'; |
49 | 49 | ||
50 | // parsing | 50 | // parsing |
51 | if (strncmp(start, "# error", 7) == 0) | 51 | if (strncmp(start, "# error", 7) == 0) |
52 | continue; | 52 | continue; |
@@ -66,7 +66,7 @@ int main(int argc, char **argv) { | |||
66 | return 1; | 66 | return 1; |
67 | } | 67 | } |
68 | *(ptr2 - 1) = '\0'; | 68 | *(ptr2 - 1) = '\0'; |
69 | 69 | ||
70 | char *ptr3 = ptr1; | 70 | char *ptr3 = ptr1; |
71 | while (*ptr3 != ' ' && *ptr3 != '\t' && *ptr3 != '\0') | 71 | while (*ptr3 != ' ' && *ptr3 != '\t' && *ptr3 != '\0') |
72 | ptr3++; | 72 | ptr3++; |
@@ -75,17 +75,17 @@ int main(int argc, char **argv) { | |||
75 | while (*ptr3 != ' ' && *ptr3 != '\t' && *ptr3 != '\0') | 75 | while (*ptr3 != ' ' && *ptr3 != '\t' && *ptr3 != '\0') |
76 | ptr3++; | 76 | ptr3++; |
77 | *ptr3 = '\0'; | 77 | *ptr3 = '\0'; |
78 | 78 | ||
79 | ptr3 = ptr1; | 79 | ptr3 = ptr1; |
80 | while (*ptr3 != '_') | 80 | while (*ptr3 != '_') |
81 | ptr3++; | 81 | ptr3++; |
82 | ptr3++; | 82 | ptr3++; |
83 | 83 | ||
84 | printf("#ifdef %s\n", ptr1); | 84 | printf("#ifdef %s\n", ptr1); |
85 | printf("#ifdef %s\n", ptr2); | 85 | printf("#ifdef %s\n", ptr2); |
86 | printf("\t{\"%s\", %s},\n", ptr3, ptr2); | 86 | printf("\t{\"%s\", %s},\n", ptr3, ptr2); |
87 | printf("#endif\n"); | 87 | printf("#endif\n"); |
88 | printf("#endif\n"); | 88 | printf("#endif\n"); |
89 | } | 89 | } |
90 | } | 90 | } |
91 | fclose(fp); | 91 | fclose(fp); |
diff --git a/src/tools/mkcoverit.sh b/src/tools/mkcoverit.sh index 65b06f9fa..d4a68e397 100755 --- a/src/tools/mkcoverit.sh +++ b/src/tools/mkcoverit.sh | |||
@@ -29,7 +29,7 @@ then | |||
29 | pwd | 29 | pwd |
30 | ./configure --prefix=/usr | 30 | ./configure --prefix=/usr |
31 | cd .. | 31 | cd .. |
32 | 32 | ||
33 | else | 33 | else |
34 | echo "Error: firetools source archive missing" | 34 | echo "Error: firetools source archive missing" |
35 | exit 1 | 35 | exit 1 |
diff --git a/src/tools/rvtest.c b/src/tools/rvtest.c index d108672d2..3432ab9b4 100644 --- a/src/tools/rvtest.c +++ b/src/tools/rvtest.c | |||
@@ -64,7 +64,7 @@ int main(int argc, char **argv) { | |||
64 | // open test file | 64 | // open test file |
65 | char *fname = argv[1]; | 65 | char *fname = argv[1]; |
66 | FILE *fp = fopen(fname, "r"); | 66 | FILE *fp = fopen(fname, "r"); |
67 | 67 | ||
68 | // read test file | 68 | // read test file |
69 | char buf[MAXBUF]; | 69 | char buf[MAXBUF]; |
70 | int line = 0; | 70 | int line = 0; |
@@ -80,22 +80,22 @@ int main(int argc, char **argv) { | |||
80 | *ptr ='\0'; | 80 | *ptr ='\0'; |
81 | if (*start == '\0') | 81 | if (*start == '\0') |
82 | continue; | 82 | continue; |
83 | 83 | ||
84 | // skip comments | 84 | // skip comments |
85 | if (*start == '#') | 85 | if (*start == '#') |
86 | continue; | 86 | continue; |
87 | ptr = strchr(start, '#'); | 87 | ptr = strchr(start, '#'); |
88 | if (ptr) | 88 | if (ptr) |
89 | *ptr = '\0'; | 89 | *ptr = '\0'; |
90 | 90 | ||
91 | // extract exit status | 91 | // extract exit status |
92 | int status; | 92 | int status; |
93 | int rv = sscanf(start, "%d\n", &status); | 93 | int rv = sscanf(start, "%d\n", &status); |
94 | if (rv != 1) { | 94 | if (rv != 1) { |
95 | fprintf(stderr, "Error: invalid line %d in %s\n", line, fname); | 95 | fprintf(stderr, "Error: invalid line %d in %s\n", line, fname); |
96 | exit(1); | 96 | exit(1); |
97 | } | 97 | } |
98 | 98 | ||
99 | // extract command | 99 | // extract command |
100 | char *cmd = strchr(start, ' '); | 100 | char *cmd = strchr(start, ' '); |
101 | if (!cmd) { | 101 | if (!cmd) { |
@@ -124,21 +124,21 @@ int main(int argc, char **argv) { | |||
124 | // parent | 124 | // parent |
125 | else { | 125 | else { |
126 | int exit_status; | 126 | int exit_status; |
127 | 127 | ||
128 | alarm(TIMEOUT); | 128 | alarm(TIMEOUT); |
129 | pid = waitpid(pid, &exit_status, 0); | 129 | pid = waitpid(pid, &exit_status, 0); |
130 | if (pid == -1) { | 130 | if (pid == -1) { |
131 | perror("waitpid"); | 131 | perror("waitpid"); |
132 | exit(1); | 132 | exit(1); |
133 | } | 133 | } |
134 | 134 | ||
135 | if (WEXITSTATUS(exit_status) != status) | 135 | if (WEXITSTATUS(exit_status) != status) |
136 | printf("ERROR TESTING: %s\n", cmd); | 136 | printf("ERROR TESTING: %s\n", cmd); |
137 | } | 137 | } |
138 | 138 | ||
139 | fflush(0); | 139 | fflush(0); |
140 | } | 140 | } |
141 | fclose(fp); | 141 | fclose(fp); |
142 | 142 | ||
143 | return 0; | 143 | return 0; |
144 | } \ No newline at end of file | 144 | } |
diff --git a/src/tools/unixsocket.c b/src/tools/unixsocket.c index 88475ea3e..c4302eed3 100644 --- a/src/tools/unixsocket.c +++ b/src/tools/unixsocket.c | |||
@@ -1,5 +1,5 @@ | |||
1 | #include <stdio.h> | 1 | #include <stdio.h> |
2 | #include <sys/types.h> | 2 | #include <sys/types.h> |
3 | #include <sys/socket.h> | 3 | #include <sys/socket.h> |
4 | #include <sys/un.h> | 4 | #include <sys/un.h> |
5 | 5 | ||
@@ -21,7 +21,7 @@ int main(void) { | |||
21 | fprintf(stderr, "Error: cannot connect to socket\n"); | 21 | fprintf(stderr, "Error: cannot connect to socket\n"); |
22 | return 1; | 22 | return 1; |
23 | } | 23 | } |
24 | 24 | ||
25 | printf("connected to %s\n", socketpath); | 25 | printf("connected to %s\n", socketpath); |
26 | close(s); | 26 | close(s); |
27 | 27 | ||