Diffstat (limited to 'src')
33 files changed, 142 insertions, 142 deletions
diff --git a/src/fbuilder/build_bin.c b/src/fbuilder/build_bin.c index fb92fb630..b69e089c3 100644 --- a/src/fbuilder/build_bin.c +++ b/src/fbuilder/build_bin.c | |||
@@ -23,21 +23,21 @@ static FileDB *bin_out = NULL; | |||
23 | 23 | ||
24 | static void process_bin(const char *fname) { | 24 | static void process_bin(const char *fname) { |
25 | assert(fname); | 25 | assert(fname); |
26 | 26 | ||
27 | // process trace file | 27 | // process trace file |
28 | FILE *fp = fopen(fname, "r"); | 28 | FILE *fp = fopen(fname, "r"); |
29 | if (!fp) { | 29 | if (!fp) { |
30 | fprintf(stderr, "Error: cannot open %s\n", fname); | 30 | fprintf(stderr, "Error: cannot open %s\n", fname); |
31 | exit(1); | 31 | exit(1); |
32 | } | 32 | } |
33 | 33 | ||
34 | char buf[MAX_BUF]; | 34 | char buf[MAX_BUF]; |
35 | while (fgets(buf, MAX_BUF, fp)) { | 35 | while (fgets(buf, MAX_BUF, fp)) { |
36 | // remove \n | 36 | // remove \n |
37 | char *ptr = strchr(buf, '\n'); | 37 | char *ptr = strchr(buf, '\n'); |
38 | if (ptr) | 38 | if (ptr) |
39 | *ptr = '\0'; | 39 | *ptr = '\0'; |
40 | 40 | ||
41 | // parse line: 4:galculator:access /etc/fonts/conf.d:0 | 41 | // parse line: 4:galculator:access /etc/fonts/conf.d:0 |
42 | // number followed by : | 42 | // number followed by : |
43 | ptr = buf; | 43 | ptr = buf; |
@@ -89,7 +89,7 @@ static void process_bin(const char *fname) { | |||
89 | 89 | ||
90 | bin_out = filedb_add(bin_out, ptr); | 90 | bin_out = filedb_add(bin_out, ptr); |
91 | } | 91 | } |
92 | 92 | ||
93 | fclose(fp); | 93 | fclose(fp); |
94 | } | 94 | } |
95 | 95 | ||
@@ -97,10 +97,10 @@ static void process_bin(const char *fname) { | |||
97 | // process fname, fname.1, fname.2, fname.3, fname.4, fname.5 | 97 | // process fname, fname.1, fname.2, fname.3, fname.4, fname.5 |
98 | void build_bin(const char *fname, FILE *fp) { | 98 | void build_bin(const char *fname, FILE *fp) { |
99 | assert(fname); | 99 | assert(fname); |
100 | 100 | ||
101 | // run fname | 101 | // run fname |
102 | process_bin(fname); | 102 | process_bin(fname); |
103 | 103 | ||
104 | // run all the rest | 104 | // run all the rest |
105 | struct stat s; | 105 | struct stat s; |
106 | int i; | 106 | int i; |
diff --git a/src/fbuilder/build_fs.c b/src/fbuilder/build_fs.c index f1a27a35a..3f685623e 100644 --- a/src/fbuilder/build_fs.c +++ b/src/fbuilder/build_fs.c | |||
@@ -25,23 +25,23 @@ static void process_file(const char *fname, const char *dir, void (*callback)(ch | |||
25 | assert(fname); | 25 | assert(fname); |
26 | assert(dir); | 26 | assert(dir); |
27 | assert(callback); | 27 | assert(callback); |
28 | 28 | ||
29 | int dir_len = strlen(dir); | 29 | int dir_len = strlen(dir); |
30 | 30 | ||
31 | // process trace file | 31 | // process trace file |
32 | FILE *fp = fopen(fname, "r"); | 32 | FILE *fp = fopen(fname, "r"); |
33 | if (!fp) { | 33 | if (!fp) { |
34 | fprintf(stderr, "Error: cannot open %s\n", fname); | 34 | fprintf(stderr, "Error: cannot open %s\n", fname); |
35 | exit(1); | 35 | exit(1); |
36 | } | 36 | } |
37 | 37 | ||
38 | char buf[MAX_BUF]; | 38 | char buf[MAX_BUF]; |
39 | while (fgets(buf, MAX_BUF, fp)) { | 39 | while (fgets(buf, MAX_BUF, fp)) { |
40 | // remove \n | 40 | // remove \n |
41 | char *ptr = strchr(buf, '\n'); | 41 | char *ptr = strchr(buf, '\n'); |
42 | if (ptr) | 42 | if (ptr) |
43 | *ptr = '\0'; | 43 | *ptr = '\0'; |
44 | 44 | ||
45 | // parse line: 4:galculator:access /etc/fonts/conf.d:0 | 45 | // parse line: 4:galculator:access /etc/fonts/conf.d:0 |
46 | // number followed by : | 46 | // number followed by : |
47 | ptr = buf; | 47 | ptr = buf; |
@@ -78,10 +78,10 @@ static void process_file(const char *fname, const char *dir, void (*callback)(ch | |||
78 | if (!ptr2) | 78 | if (!ptr2) |
79 | continue; | 79 | continue; |
80 | *ptr2 = '\0'; | 80 | *ptr2 = '\0'; |
81 | 81 | ||
82 | callback(ptr); | 82 | callback(ptr); |
83 | } | 83 | } |
84 | 84 | ||
85 | fclose(fp); | 85 | fclose(fp); |
86 | } | 86 | } |
87 | 87 | ||
@@ -90,10 +90,10 @@ static void process_files(const char *fname, const char *dir, void (*callback)(c | |||
90 | assert(fname); | 90 | assert(fname); |
91 | assert(dir); | 91 | assert(dir); |
92 | assert(callback); | 92 | assert(callback); |
93 | 93 | ||
94 | // run fname | 94 | // run fname |
95 | process_file(fname, dir, callback); | 95 | process_file(fname, dir, callback); |
96 | 96 | ||
97 | // run all the rest | 97 | // run all the rest |
98 | struct stat s; | 98 | struct stat s; |
99 | int i; | 99 | int i; |
@@ -127,9 +127,9 @@ static void etc_callback(char *ptr) { | |||
127 | 127 | ||
128 | void build_etc(const char *fname, FILE *fp) { | 128 | void build_etc(const char *fname, FILE *fp) { |
129 | assert(fname); | 129 | assert(fname); |
130 | 130 | ||
131 | process_files(fname, "/etc", etc_callback); | 131 | process_files(fname, "/etc", etc_callback); |
132 | 132 | ||
133 | fprintf(fp, "private-etc "); | 133 | fprintf(fp, "private-etc "); |
134 | if (etc_out == NULL) | 134 | if (etc_out == NULL) |
135 | fprintf(fp, "none\n"); | 135 | fprintf(fp, "none\n"); |
@@ -140,7 +140,7 @@ void build_etc(const char *fname, FILE *fp) { | |||
140 | ptr = ptr->next; | 140 | ptr = ptr->next; |
141 | } | 141 | } |
142 | fprintf(fp, "\n"); | 142 | fprintf(fp, "\n"); |
143 | } | 143 | } |
144 | } | 144 | } |
145 | 145 | ||
146 | //******************************************* | 146 | //******************************************* |
@@ -164,7 +164,7 @@ void build_var(const char *fname, FILE *fp) { | |||
164 | assert(fname); | 164 | assert(fname); |
165 | 165 | ||
166 | process_files(fname, "/var", var_callback); | 166 | process_files(fname, "/var", var_callback); |
167 | 167 | ||
168 | if (var_out == NULL) | 168 | if (var_out == NULL) |
169 | fprintf(fp, "blacklist /var\n"); | 169 | fprintf(fp, "blacklist /var\n"); |
170 | else | 170 | else |
@@ -218,9 +218,9 @@ static void tmp_callback(char *ptr) { | |||
218 | 218 | ||
219 | void build_tmp(const char *fname, FILE *fp) { | 219 | void build_tmp(const char *fname, FILE *fp) { |
220 | assert(fname); | 220 | assert(fname); |
221 | 221 | ||
222 | process_files(fname, "/tmp", tmp_callback); | 222 | process_files(fname, "/tmp", tmp_callback); |
223 | 223 | ||
224 | if (tmp_out == NULL) | 224 | if (tmp_out == NULL) |
225 | fprintf(fp, "private-tmp\n"); | 225 | fprintf(fp, "private-tmp\n"); |
226 | else { | 226 | else { |
@@ -247,7 +247,7 @@ static char *dev_skip[] = { | |||
247 | "/dev/random", | 247 | "/dev/random", |
248 | "/dev/urandom", | 248 | "/dev/urandom", |
249 | "/dev/tty", | 249 | "/dev/tty", |
250 | "/dev/snd", | 250 | "/dev/snd", |
251 | "/dev/dri", | 251 | "/dev/dri", |
252 | "/dev/pts", | 252 | "/dev/pts", |
253 | "/dev/nvidia0", | 253 | "/dev/nvidia0", |
@@ -296,9 +296,9 @@ static void dev_callback(char *ptr) { | |||
296 | 296 | ||
297 | void build_dev(const char *fname, FILE *fp) { | 297 | void build_dev(const char *fname, FILE *fp) { |
298 | assert(fname); | 298 | assert(fname); |
299 | 299 | ||
300 | process_files(fname, "/dev", dev_callback); | 300 | process_files(fname, "/dev", dev_callback); |
301 | 301 | ||
302 | if (dev_out == NULL) | 302 | if (dev_out == NULL) |
303 | fprintf(fp, "private-dev\n"); | 303 | fprintf(fp, "private-dev\n"); |
304 | else { | 304 | else { |
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c index 9bbd2c258..18bf5d702 100644 --- a/src/fbuilder/build_home.c +++ b/src/fbuilder/build_home.c | |||
@@ -29,7 +29,7 @@ static void load_whitelist_common(void) { | |||
29 | fprintf(stderr, "Error: cannot open whitelist-common.inc\n"); | 29 | fprintf(stderr, "Error: cannot open whitelist-common.inc\n"); |
30 | exit(1); | 30 | exit(1); |
31 | } | 31 | } |
32 | 32 | ||
33 | char buf[MAX_BUF]; | 33 | char buf[MAX_BUF]; |
34 | while (fgets(buf, MAX_BUF, fp)) { | 34 | while (fgets(buf, MAX_BUF, fp)) { |
35 | if (strncmp(buf, "whitelist ~/", 12) != 0) | 35 | if (strncmp(buf, "whitelist ~/", 12) != 0) |
@@ -39,33 +39,33 @@ static void load_whitelist_common(void) { | |||
39 | if (!ptr) | 39 | if (!ptr) |
40 | continue; | 40 | continue; |
41 | *ptr = '\0'; | 41 | *ptr = '\0'; |
42 | 42 | ||
43 | // add the file to skip list | 43 | // add the file to skip list |
44 | db_skip = filedb_add(db_skip, fn); | 44 | db_skip = filedb_add(db_skip, fn); |
45 | } | 45 | } |
46 | 46 | ||
47 | fclose(fp); | 47 | fclose(fp); |
48 | } | 48 | } |
49 | 49 | ||
50 | void process_home(const char *fname, char *home, int home_len) { | 50 | void process_home(const char *fname, char *home, int home_len) { |
51 | assert(fname); | 51 | assert(fname); |
52 | assert(home); | 52 | assert(home); |
53 | assert(home_len); | 53 | assert(home_len); |
54 | 54 | ||
55 | // process trace file | 55 | // process trace file |
56 | FILE *fp = fopen(fname, "r"); | 56 | FILE *fp = fopen(fname, "r"); |
57 | if (!fp) { | 57 | if (!fp) { |
58 | fprintf(stderr, "Error: cannot open %s\n", fname); | 58 | fprintf(stderr, "Error: cannot open %s\n", fname); |
59 | exit(1); | 59 | exit(1); |
60 | } | 60 | } |
61 | 61 | ||
62 | char buf[MAX_BUF]; | 62 | char buf[MAX_BUF]; |
63 | while (fgets(buf, MAX_BUF, fp)) { | 63 | while (fgets(buf, MAX_BUF, fp)) { |
64 | // remove \n | 64 | // remove \n |
65 | char *ptr = strchr(buf, '\n'); | 65 | char *ptr = strchr(buf, '\n'); |
66 | if (ptr) | 66 | if (ptr) |
67 | *ptr = '\0'; | 67 | *ptr = '\0'; |
68 | 68 | ||
69 | // parse line: 4:galculator:access /etc/fonts/conf.d:0 | 69 | // parse line: 4:galculator:access /etc/fonts/conf.d:0 |
70 | // number followed by : | 70 | // number followed by : |
71 | ptr = buf; | 71 | ptr = buf; |
@@ -107,8 +107,8 @@ void process_home(const char *fname, char *home, int home_len) { | |||
107 | if (strcmp(ptr, home) == 0) | 107 | if (strcmp(ptr, home) == 0) |
108 | continue; | 108 | continue; |
109 | ptr += home_len + 1; | 109 | ptr += home_len + 1; |
110 | 110 | ||
111 | // skip files handled automatically by firejail | 111 | // skip files handled automatically by firejail |
112 | if (strcmp(ptr, ".Xauthority") == 0 || | 112 | if (strcmp(ptr, ".Xauthority") == 0 || |
113 | strcmp(ptr, ".Xdefaults-debian") == 0 || | 113 | strcmp(ptr, ".Xdefaults-debian") == 0 || |
114 | strncmp(ptr, ".config/pulse/", 13) == 0 || | 114 | strncmp(ptr, ".config/pulse/", 13) == 0 || |
@@ -116,8 +116,8 @@ void process_home(const char *fname, char *home, int home_len) { | |||
116 | strncmp(ptr, ".bash_hist", 10) == 0 || | 116 | strncmp(ptr, ".bash_hist", 10) == 0 || |
117 | strcmp(ptr, ".bashrc") == 0) | 117 | strcmp(ptr, ".bashrc") == 0) |
118 | continue; | 118 | continue; |
119 | 119 | ||
120 | 120 | ||
121 | // try to find the relevant directory for this file | 121 | // try to find the relevant directory for this file |
122 | char *dir = extract_dir(ptr); | 122 | char *dir = extract_dir(ptr); |
123 | char *toadd = (dir)? dir: ptr; | 123 | char *toadd = (dir)? dir: ptr; |
@@ -160,7 +160,7 @@ void process_home(const char *fname, char *home, int home_len) { | |||
160 | // process fname, fname.1, fname.2, fname.3, fname.4, fname.5 | 160 | // process fname, fname.1, fname.2, fname.3, fname.4, fname.5 |
161 | void build_home(const char *fname, FILE *fp) { | 161 | void build_home(const char *fname, FILE *fp) { |
162 | assert(fname); | 162 | assert(fname); |
163 | 163 | ||
164 | // load whitelist common | 164 | // load whitelist common |
165 | load_whitelist_common(); | 165 | load_whitelist_common(); |
166 | 166 | ||
@@ -172,10 +172,10 @@ void build_home(const char *fname, FILE *fp) { | |||
172 | if (!home) | 172 | if (!home) |
173 | errExit("getpwuid"); | 173 | errExit("getpwuid"); |
174 | int home_len = strlen(home); | 174 | int home_len = strlen(home); |
175 | 175 | ||
176 | // run fname | 176 | // run fname |
177 | process_home(fname, home, home_len); | 177 | process_home(fname, home, home_len); |
178 | 178 | ||
179 | // run all the rest | 179 | // run all the rest |
180 | struct stat s; | 180 | struct stat s; |
181 | int i; | 181 | int i; |
@@ -187,7 +187,7 @@ void build_home(const char *fname, FILE *fp) { | |||
187 | process_home(newname, home, home_len); | 187 | process_home(newname, home, home_len); |
188 | free(newname); | 188 | free(newname); |
189 | } | 189 | } |
190 | 190 | ||
191 | // print the out list if any | 191 | // print the out list if any |
192 | if (db_out) { | 192 | if (db_out) { |
193 | filedb_print(db_out, "whitelist ~/", fp); | 193 | filedb_print(db_out, "whitelist ~/", fp); |
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index de9f79232..5fead41c5 100644 --- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c | |||
@@ -43,7 +43,7 @@ static char *cmdlist[] = { | |||
43 | static void clear_tmp_files(void) { | 43 | static void clear_tmp_files(void) { |
44 | unlink(STRACE_OUTPUT); | 44 | unlink(STRACE_OUTPUT); |
45 | unlink(TRACE_OUTPUT); | 45 | unlink(TRACE_OUTPUT); |
46 | 46 | ||
47 | // run all the rest | 47 | // run all the rest |
48 | int i; | 48 | int i; |
49 | for (i = 1; i <= 5; i++) { | 49 | for (i = 1; i <= 5; i++) { |
@@ -62,22 +62,22 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
62 | fprintf(stderr, "Error: application name missing\n"); | 62 | fprintf(stderr, "Error: application name missing\n"); |
63 | exit(1); | 63 | exit(1); |
64 | } | 64 | } |
65 | 65 | ||
66 | // clean /tmp files | 66 | // clean /tmp files |
67 | clear_tmp_files(); | 67 | clear_tmp_files(); |
68 | 68 | ||
69 | // detect strace | 69 | // detect strace |
70 | int have_strace = 0; | 70 | int have_strace = 0; |
71 | if (access("/usr/bin/strace", X_OK) == 0) | 71 | if (access("/usr/bin/strace", X_OK) == 0) |
72 | have_strace = 1; | 72 | have_strace = 1; |
73 | 73 | ||
74 | // calculate command length | 74 | // calculate command length |
75 | unsigned len = (int) sizeof(cmdlist) / sizeof(char*) + argc - index + 1; | 75 | unsigned len = (int) sizeof(cmdlist) / sizeof(char*) + argc - index + 1; |
76 | if (arg_debug) | 76 | if (arg_debug) |
77 | printf("command len %d + %d + 1\n", (int) (sizeof(cmdlist) / sizeof(char*)), argc - index); | 77 | printf("command len %d + %d + 1\n", (int) (sizeof(cmdlist) / sizeof(char*)), argc - index); |
78 | char *cmd[len]; | 78 | char *cmd[len]; |
79 | cmd[0] = cmdlist[0]; // explicit assignemnt to clean scan-build error | 79 | cmd[0] = cmdlist[0]; // explicit assignemnt to clean scan-build error |
80 | 80 | ||
81 | // build command | 81 | // build command |
82 | unsigned i = 0; | 82 | unsigned i = 0; |
83 | for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++) { | 83 | for (i = 0; i < (int) sizeof(cmdlist) / sizeof(char*); i++) { |
@@ -97,7 +97,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
97 | for (i = 0; i < len; i++) | 97 | for (i = 0; i < len; i++) |
98 | printf("\t%s\n", cmd[i]); | 98 | printf("\t%s\n", cmd[i]); |
99 | } | 99 | } |
100 | 100 | ||
101 | // fork and execute | 101 | // fork and execute |
102 | pid_t child = fork(); | 102 | pid_t child = fork(); |
103 | if (child == -1) | 103 | if (child == -1) |
@@ -108,7 +108,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
108 | (void) rv; | 108 | (void) rv; |
109 | errExit("execv"); | 109 | errExit("execv"); |
110 | } | 110 | } |
111 | 111 | ||
112 | // wait for all processes to finish | 112 | // wait for all processes to finish |
113 | int status; | 113 | int status; |
114 | if (waitpid(child, &status, 0) != child) | 114 | if (waitpid(child, &status, 0) != child) |
@@ -122,18 +122,18 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
122 | fprintf(fp, "# Persistent global definitions\n"); | 122 | fprintf(fp, "# Persistent global definitions\n"); |
123 | fprintf(fp, "# include /etc/firejail/globals.local\n"); | 123 | fprintf(fp, "# include /etc/firejail/globals.local\n"); |
124 | fprintf(fp, "\n"); | 124 | fprintf(fp, "\n"); |
125 | 125 | ||
126 | fprintf(fp, "### basic blacklisting\n"); | 126 | fprintf(fp, "### basic blacklisting\n"); |
127 | fprintf(fp, "include /etc/firejail/disable-common.inc\n"); | 127 | fprintf(fp, "include /etc/firejail/disable-common.inc\n"); |
128 | fprintf(fp, "# include /etc/firejail/disable-devel.inc\n"); | 128 | fprintf(fp, "# include /etc/firejail/disable-devel.inc\n"); |
129 | fprintf(fp, "include /etc/firejail/disable-passwdmgr.inc\n"); | 129 | fprintf(fp, "include /etc/firejail/disable-passwdmgr.inc\n"); |
130 | fprintf(fp, "# include /etc/firejail/disable-programs.inc\n"); | 130 | fprintf(fp, "# include /etc/firejail/disable-programs.inc\n"); |
131 | fprintf(fp, "\n"); | 131 | fprintf(fp, "\n"); |
132 | 132 | ||
133 | fprintf(fp, "### home directory whitelisting\n"); | 133 | fprintf(fp, "### home directory whitelisting\n"); |
134 | build_home(TRACE_OUTPUT, fp); | 134 | build_home(TRACE_OUTPUT, fp); |
135 | fprintf(fp, "\n"); | 135 | fprintf(fp, "\n"); |
136 | 136 | ||
137 | fprintf(fp, "### filesystem\n"); | 137 | fprintf(fp, "### filesystem\n"); |
138 | build_tmp(TRACE_OUTPUT, fp); | 138 | build_tmp(TRACE_OUTPUT, fp); |
139 | build_dev(TRACE_OUTPUT, fp); | 139 | build_dev(TRACE_OUTPUT, fp); |
@@ -158,7 +158,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
158 | fprintf(fp, "### network\n"); | 158 | fprintf(fp, "### network\n"); |
159 | build_protocol(TRACE_OUTPUT, fp); | 159 | build_protocol(TRACE_OUTPUT, fp); |
160 | fprintf(fp, "\n"); | 160 | fprintf(fp, "\n"); |
161 | 161 | ||
162 | fprintf(fp, "### environment\n"); | 162 | fprintf(fp, "### environment\n"); |
163 | fprintf(fp, "shell none\n"); | 163 | fprintf(fp, "shell none\n"); |
164 | 164 | ||
diff --git a/src/fbuilder/build_seccomp.c b/src/fbuilder/build_seccomp.c index 63f37e34a..85190f0f2 100644 --- a/src/fbuilder/build_seccomp.c +++ b/src/fbuilder/build_seccomp.c | |||
@@ -23,13 +23,13 @@ | |||
23 | void build_seccomp(const char *fname, FILE *fp) { | 23 | void build_seccomp(const char *fname, FILE *fp) { |
24 | assert(fname); | 24 | assert(fname); |
25 | assert(fp); | 25 | assert(fp); |
26 | 26 | ||
27 | FILE *fp2 = fopen(fname, "r"); | 27 | FILE *fp2 = fopen(fname, "r"); |
28 | if (!fp2) { | 28 | if (!fp2) { |
29 | fprintf(stderr, "Error: cannot open %s\n", fname); | 29 | fprintf(stderr, "Error: cannot open %s\n", fname); |
30 | exit(1); | 30 | exit(1); |
31 | } | 31 | } |
32 | 32 | ||
33 | char buf[MAX_BUF]; | 33 | char buf[MAX_BUF]; |
34 | int line = 1; | 34 | int line = 1; |
35 | int position = 0; | 35 | int position = 0; |
@@ -39,7 +39,7 @@ void build_seccomp(const char *fname, FILE *fp) { | |||
39 | char *ptr = strchr(buf, '\n'); | 39 | char *ptr = strchr(buf, '\n'); |
40 | if (ptr) | 40 | if (ptr) |
41 | *ptr = '\0'; | 41 | *ptr = '\0'; |
42 | 42 | ||
43 | // first line: | 43 | // first line: |
44 | //% time seconds usecs/call calls errors syscall | 44 | //% time seconds usecs/call calls errors syscall |
45 | if (line == 1) { | 45 | if (line == 1) { |
@@ -61,7 +61,7 @@ void build_seccomp(const char *fname, FILE *fp) { | |||
61 | // get out on the next "----" line | 61 | // get out on the next "----" line |
62 | if (*buf == '-') | 62 | if (*buf == '-') |
63 | break; | 63 | break; |
64 | 64 | ||
65 | if (line == 3) | 65 | if (line == 3) |
66 | fprintf(fp, "# seccomp.keep %s", buf + position); | 66 | fprintf(fp, "# seccomp.keep %s", buf + position); |
67 | else | 67 | else |
@@ -89,21 +89,21 @@ int netlink = 0; | |||
89 | int packet = 0; | 89 | int packet = 0; |
90 | static void process_protocol(const char *fname) { | 90 | static void process_protocol(const char *fname) { |
91 | assert(fname); | 91 | assert(fname); |
92 | 92 | ||
93 | // process trace file | 93 | // process trace file |
94 | FILE *fp = fopen(fname, "r"); | 94 | FILE *fp = fopen(fname, "r"); |
95 | if (!fp) { | 95 | if (!fp) { |
96 | fprintf(stderr, "Error: cannot open %s\n", fname); | 96 | fprintf(stderr, "Error: cannot open %s\n", fname); |
97 | exit(1); | 97 | exit(1); |
98 | } | 98 | } |
99 | 99 | ||
100 | char buf[MAX_BUF]; | 100 | char buf[MAX_BUF]; |
101 | while (fgets(buf, MAX_BUF, fp)) { | 101 | while (fgets(buf, MAX_BUF, fp)) { |
102 | // remove \n | 102 | // remove \n |
103 | char *ptr = strchr(buf, '\n'); | 103 | char *ptr = strchr(buf, '\n'); |
104 | if (ptr) | 104 | if (ptr) |
105 | *ptr = '\0'; | 105 | *ptr = '\0'; |
106 | 106 | ||
107 | // parse line: 4:galculator:access /etc/fonts/conf.d:0 | 107 | // parse line: 4:galculator:access /etc/fonts/conf.d:0 |
108 | // number followed by : | 108 | // number followed by : |
109 | ptr = buf; | 109 | ptr = buf; |
@@ -136,7 +136,7 @@ static void process_protocol(const char *fname) { | |||
136 | else if (strncmp(ptr, "AF_PACKET ", 9) == 0) | 136 | else if (strncmp(ptr, "AF_PACKET ", 9) == 0) |
137 | packet = 1; | 137 | packet = 1; |
138 | } | 138 | } |
139 | 139 | ||
140 | fclose(fp); | 140 | fclose(fp); |
141 | } | 141 | } |
142 | 142 | ||
@@ -144,10 +144,10 @@ static void process_protocol(const char *fname) { | |||
144 | // process fname, fname.1, fname.2, fname.3, fname.4, fname.5 | 144 | // process fname, fname.1, fname.2, fname.3, fname.4, fname.5 |
145 | void build_protocol(const char *fname, FILE *fp) { | 145 | void build_protocol(const char *fname, FILE *fp) { |
146 | assert(fname); | 146 | assert(fname); |
147 | 147 | ||
148 | // run fname | 148 | // run fname |
149 | process_protocol(fname); | 149 | process_protocol(fname); |
150 | 150 | ||
151 | // run all the rest | 151 | // run all the rest |
152 | struct stat s; | 152 | struct stat s; |
153 | int i; | 153 | int i; |
@@ -159,7 +159,7 @@ void build_protocol(const char *fname, FILE *fp) { | |||
159 | process_protocol(newname); | 159 | process_protocol(newname); |
160 | free(newname); | 160 | free(newname); |
161 | } | 161 | } |
162 | 162 | ||
163 | int net = 0; | 163 | int net = 0; |
164 | if (unix_s || inet || inet6 || netlink || packet) { | 164 | if (unix_s || inet || inet6 || netlink || packet) { |
165 | fprintf(fp, "protocol "); | 165 | fprintf(fp, "protocol "); |
diff --git a/src/fbuilder/fbuilder.h b/src/fbuilder/fbuilder.h index 81dc951ec..711167704 100644 --- a/src/fbuilder/fbuilder.h +++ b/src/fbuilder/fbuilder.h | |||
@@ -25,7 +25,7 @@ | |||
25 | #include <pwd.h> | 25 | #include <pwd.h> |
26 | #include <sys/types.h> | 26 | #include <sys/types.h> |
27 | #include <sys/stat.h> | 27 | #include <sys/stat.h> |
28 | 28 | ||
29 | 29 | ||
30 | #define MAX_BUF 4096 | 30 | #define MAX_BUF 4096 |
31 | // main.c | 31 | // main.c |
diff --git a/src/fbuilder/filedb.c b/src/fbuilder/filedb.c index b7162c2d6..6b57954d3 100644 --- a/src/fbuilder/filedb.c +++ b/src/fbuilder/filedb.c | |||
@@ -24,14 +24,14 @@ FileDB *filedb_find(FileDB *head, const char *fname) { | |||
24 | FileDB *ptr = head; | 24 | FileDB *ptr = head; |
25 | int found = 0; | 25 | int found = 0; |
26 | int len = strlen(fname); | 26 | int len = strlen(fname); |
27 | 27 | ||
28 | while (ptr) { | 28 | while (ptr) { |
29 | // exact name | 29 | // exact name |
30 | if (strcmp(fname, ptr->fname) == 0) { | 30 | if (strcmp(fname, ptr->fname) == 0) { |
31 | found = 1; | 31 | found = 1; |
32 | break; | 32 | break; |
33 | } | 33 | } |
34 | 34 | ||
35 | // parent directory in the list | 35 | // parent directory in the list |
36 | if (len > ptr->len && | 36 | if (len > ptr->len && |
37 | fname[ptr->len] == '/' && | 37 | fname[ptr->len] == '/' && |
@@ -42,10 +42,10 @@ FileDB *filedb_find(FileDB *head, const char *fname) { | |||
42 | 42 | ||
43 | ptr = ptr->next; | 43 | ptr = ptr->next; |
44 | } | 44 | } |
45 | 45 | ||
46 | if (found) | 46 | if (found) |
47 | return ptr; | 47 | return ptr; |
48 | 48 | ||
49 | return NULL; | 49 | return NULL; |
50 | } | 50 | } |
51 | 51 | ||
@@ -55,7 +55,7 @@ FileDB *filedb_add(FileDB *head, const char *fname) { | |||
55 | // don't add it if it is already there or if the parent directory is already in the list | 55 | // don't add it if it is already there or if the parent directory is already in the list |
56 | if (filedb_find(head, fname)) | 56 | if (filedb_find(head, fname)) |
57 | return head; | 57 | return head; |
58 | 58 | ||
59 | // add a new entry | 59 | // add a new entry |
60 | FileDB *entry = malloc(sizeof(FileDB)); | 60 | FileDB *entry = malloc(sizeof(FileDB)); |
61 | if (!entry) | 61 | if (!entry) |
diff --git a/src/fbuilder/main.c b/src/fbuilder/main.c index 1b997ccdb..697b53700 100644 --- a/src/fbuilder/main.c +++ b/src/fbuilder/main.c | |||
@@ -40,7 +40,7 @@ printf("\n"); | |||
40 | int prog_index = 0; | 40 | int prog_index = 0; |
41 | FILE *fp = stdout; | 41 | FILE *fp = stdout; |
42 | int prof_file = 0; | 42 | int prof_file = 0; |
43 | 43 | ||
44 | // parse arguments and extract program index | 44 | // parse arguments and extract program index |
45 | for (i = 1; i < argc; i++) { | 45 | for (i = 1; i < argc; i++) { |
46 | if (strcmp(argv[i], "-h") == 0 || strcmp(argv[i], "--help") == 0 || strcmp(argv[i], "-?") ==0) { | 46 | if (strcmp(argv[i], "-h") == 0 || strcmp(argv[i], "--help") == 0 || strcmp(argv[i], "-?") ==0) { |
@@ -57,7 +57,7 @@ printf("\n"); | |||
57 | fprintf(stderr, "Error fbuild: --build=profile-name is not supported for root user.\n"); | 57 | fprintf(stderr, "Error fbuild: --build=profile-name is not supported for root user.\n"); |
58 | exit(1); | 58 | exit(1); |
59 | } | 59 | } |
60 | 60 | ||
61 | // check file access | 61 | // check file access |
62 | fp = fopen(argv[i] + 8, "w"); | 62 | fp = fopen(argv[i] + 8, "w"); |
63 | if (!fp) { | 63 | if (!fp) { |
@@ -77,7 +77,7 @@ printf("\n"); | |||
77 | break; | 77 | break; |
78 | } | 78 | } |
79 | } | 79 | } |
80 | 80 | ||
81 | if (prog_index == 0) { | 81 | if (prog_index == 0) { |
82 | fprintf(stderr, "Error fbuilder: program and arguments required\n"); | 82 | fprintf(stderr, "Error fbuilder: program and arguments required\n"); |
83 | usage(); | 83 | usage(); |
@@ -85,7 +85,7 @@ printf("\n"); | |||
85 | fclose(fp); | 85 | fclose(fp); |
86 | exit(1); | 86 | exit(1); |
87 | } | 87 | } |
88 | 88 | ||
89 | build_profile(argc, argv, prog_index, fp); | 89 | build_profile(argc, argv, prog_index, fp); |
90 | if (prof_file) | 90 | if (prof_file) |
91 | fclose(fp); | 91 | fclose(fp); |
diff --git a/src/fbuilder/utils.c b/src/fbuilder/utils.c index 902290899..c07d2e925 100644 --- a/src/fbuilder/utils.c +++ b/src/fbuilder/utils.c | |||
@@ -56,17 +56,17 @@ char *extract_dir(char *fname) { | |||
56 | assert(fname); | 56 | assert(fname); |
57 | if (is_dir(fname)) | 57 | if (is_dir(fname)) |
58 | return NULL; | 58 | return NULL; |
59 | 59 | ||
60 | char *name = strdup(fname); | 60 | char *name = strdup(fname); |
61 | if (!name) | 61 | if (!name) |
62 | errExit("strdup"); | 62 | errExit("strdup"); |
63 | 63 | ||
64 | char *ptr = strrchr(name, '/'); | 64 | char *ptr = strrchr(name, '/'); |
65 | if (!ptr) { | 65 | if (!ptr) { |
66 | free(name); | 66 | free(name); |
67 | return NULL; | 67 | return NULL; |
68 | } | 68 | } |
69 | *ptr = '\0'; | 69 | *ptr = '\0'; |
70 | 70 | ||
71 | return name; | 71 | return name; |
72 | } | 72 | } |
diff --git a/src/fcopy/main.c b/src/fcopy/main.c index 753d9c0a0..913234702 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c | |||
@@ -122,7 +122,7 @@ void copy_link(const char *target, const char *linkpath, mode_t mode, uid_t uid, | |||
122 | // if the link is already there, don't create it | 122 | // if the link is already there, don't create it |
123 | struct stat s; | 123 | struct stat s; |
124 | if (stat(linkpath, &s) == 0) | 124 | if (stat(linkpath, &s) == 0) |
125 | return; | 125 | return; |
126 | 126 | ||
127 | char *rp = realpath(target, NULL); | 127 | char *rp = realpath(target, NULL); |
128 | if (rp) { | 128 | if (rp) { |
diff --git a/src/firecfg/desktop_files.c b/src/firecfg/desktop_files.c index c1d456147..2edc4c83b 100644 --- a/src/firecfg/desktop_files.c +++ b/src/firecfg/desktop_files.c | |||
@@ -41,7 +41,7 @@ static int check_profile(const char *name, const char *homedir) { | |||
41 | printf("found %s\n", profname2); | 41 | printf("found %s\n", profname2); |
42 | rv = 1; | 42 | rv = 1; |
43 | } | 43 | } |
44 | 44 | ||
45 | free(profname1); | 45 | free(profname1); |
46 | free(profname2); | 46 | free(profname2); |
47 | return rv; | 47 | return rv; |
@@ -58,11 +58,11 @@ static int have_profile(const char *filename, const char *homedir) { | |||
58 | 58 | ||
59 | // we get strange names here, such as .org.gnom.gedit.desktop, com.uploadedlobster.peek.desktop, | 59 | // we get strange names here, such as .org.gnom.gedit.desktop, com.uploadedlobster.peek.desktop, |
60 | // or io.github.Pithos.desktop; extract the word before .desktop | 60 | // or io.github.Pithos.desktop; extract the word before .desktop |
61 | 61 | ||
62 | char *tmpfname = strdup(filename); | 62 | char *tmpfname = strdup(filename); |
63 | if (!tmpfname) | 63 | if (!tmpfname) |
64 | errExit("strdup"); | 64 | errExit("strdup"); |
65 | 65 | ||
66 | // check .desktop extension | 66 | // check .desktop extension |
67 | int len = strlen(tmpfname); | 67 | int len = strlen(tmpfname); |
68 | if (len <= 8) | 68 | if (len <= 8) |
@@ -70,14 +70,14 @@ static int have_profile(const char *filename, const char *homedir) { | |||
70 | if (strcmp(tmpfname + len - 8, ".desktop")) | 70 | if (strcmp(tmpfname + len - 8, ".desktop")) |
71 | return 0; | 71 | return 0; |
72 | tmpfname[len - 8] = '\0'; | 72 | tmpfname[len - 8] = '\0'; |
73 | 73 | ||
74 | // extract last word | 74 | // extract last word |
75 | char *last_word = strrchr(tmpfname, '.'); | 75 | char *last_word = strrchr(tmpfname, '.'); |
76 | if (last_word) | 76 | if (last_word) |
77 | last_word++; | 77 | last_word++; |
78 | else | 78 | else |
79 | last_word = tmpfname; | 79 | last_word = tmpfname; |
80 | 80 | ||
81 | // try lowercase | 81 | // try lowercase |
82 | last_word[0] = tolower(last_word[0]); | 82 | last_word[0] = tolower(last_word[0]); |
83 | int rv = check_profile(last_word, homedir); | 83 | int rv = check_profile(last_word, homedir); |
@@ -85,7 +85,7 @@ static int have_profile(const char *filename, const char *homedir) { | |||
85 | free(tmpfname); | 85 | free(tmpfname); |
86 | return rv; | 86 | return rv; |
87 | } | 87 | } |
88 | 88 | ||
89 | // try uppercase | 89 | // try uppercase |
90 | last_word[0] = toupper(last_word[0]); | 90 | last_word[0] = toupper(last_word[0]); |
91 | rv = check_profile(last_word, homedir); | 91 | rv = check_profile(last_word, homedir); |
@@ -228,12 +228,12 @@ void fix_desktop_files(char *homedir) { | |||
228 | } | 228 | } |
229 | } | 229 | } |
230 | } | 230 | } |
231 | 231 | ||
232 | if (change_exec == NULL && change_dbus == 0) { | 232 | if (change_exec == NULL && change_dbus == 0) { |
233 | munmap(buf, sb.st_size + 1); | 233 | munmap(buf, sb.st_size + 1); |
234 | continue; | 234 | continue; |
235 | } | 235 | } |
236 | 236 | ||
237 | munmap(buf, sb.st_size + 1); | 237 | munmap(buf, sb.st_size + 1); |
238 | 238 | ||
239 | //**************************************************** | 239 | //**************************************************** |
@@ -247,13 +247,13 @@ void fix_desktop_files(char *homedir) { | |||
247 | printf(" %s skipped: file exists\n", filename); | 247 | printf(" %s skipped: file exists\n", filename); |
248 | continue; | 248 | continue; |
249 | } | 249 | } |
250 | 250 | ||
251 | FILE *fpin = fopen(filename, "r"); | 251 | FILE *fpin = fopen(filename, "r"); |
252 | if (!fpin) { | 252 | if (!fpin) { |
253 | fprintf(stderr, "Error: cannot open /usr/share/applications/%s\n", filename); | 253 | fprintf(stderr, "Error: cannot open /usr/share/applications/%s\n", filename); |
254 | continue; | 254 | continue; |
255 | } | 255 | } |
256 | 256 | ||
257 | FILE *fpout = fopen(outname, "w"); | 257 | FILE *fpout = fopen(outname, "w"); |
258 | if (!fpout) { | 258 | if (!fpout) { |
259 | fprintf(stderr, "Error: cannot open ~/.local/share/applications/%s\n", outname); | 259 | fprintf(stderr, "Error: cannot open ~/.local/share/applications/%s\n", outname); |
@@ -277,9 +277,9 @@ void fix_desktop_files(char *homedir) { | |||
277 | fprintf(fpout, "Exec=%s\n", change_exec); | 277 | fprintf(fpout, "Exec=%s\n", change_exec); |
278 | } | 278 | } |
279 | else | 279 | else |
280 | fprintf(fpout, "%s", fbuf); | 280 | fprintf(fpout, "%s", fbuf); |
281 | } | 281 | } |
282 | 282 | ||
283 | if (change_exec) | 283 | if (change_exec) |
284 | free(change_exec); | 284 | free(change_exec); |
285 | fclose(fpin); | 285 | fclose(fpin); |
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 2fedb2f81..f101a8457 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -364,7 +364,7 @@ int checkcfg(int val) { | |||
364 | } | 364 | } |
365 | else | 365 | else |
366 | goto errout; | 366 | goto errout; |
367 | 367 | ||
368 | free(ptr); | 368 | free(ptr); |
369 | } | 369 | } |
370 | 370 | ||
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 653a656b3..4d99b70bd 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -605,7 +605,7 @@ void fs_proc_sys_dev_boot(void) { | |||
605 | // disable various ipc sockets in /run/user | 605 | // disable various ipc sockets in /run/user |
606 | if (!arg_writable_run_user) { | 606 | if (!arg_writable_run_user) { |
607 | struct stat s; | 607 | struct stat s; |
608 | 608 | ||
609 | char *fname; | 609 | char *fname; |
610 | if (asprintf(&fname, "/run/user/%d", getuid()) == -1) | 610 | if (asprintf(&fname, "/run/user/%d", getuid()) == -1) |
611 | errExit("asprintf"); | 611 | errExit("asprintf"); |
@@ -619,7 +619,7 @@ void fs_proc_sys_dev_boot(void) { | |||
619 | if (stat(fnamegpg, &s) == 0) | 619 | if (stat(fnamegpg, &s) == 0) |
620 | disable_file(BLACKLIST_FILE, fnamegpg); | 620 | disable_file(BLACKLIST_FILE, fnamegpg); |
621 | free(fnamegpg); | 621 | free(fnamegpg); |
622 | 622 | ||
623 | // disable /run/user/{uid}/systemd | 623 | // disable /run/user/{uid}/systemd |
624 | char *fnamesysd; | 624 | char *fnamesysd; |
625 | if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1) | 625 | if (asprintf(&fnamesysd, "/run/user/%d/systemd", getuid()) == -1) |
diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 9e19ac8d7..dc8423071 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c | |||
@@ -136,7 +136,7 @@ static int valid_full_path_file(const char *name) { | |||
136 | 136 | ||
137 | static void report_duplication(const char *fname) { | 137 | static void report_duplication(const char *fname) { |
138 | // report the file on all bin paths | 138 | // report the file on all bin paths |
139 | int i = 0; | 139 | int i = 0; |
140 | while (paths[i]) { | 140 | while (paths[i]) { |
141 | char *p; | 141 | char *p; |
142 | if (asprintf(&p, "%s/%s", paths[i], fname) == -1) | 142 | if (asprintf(&p, "%s/%s", paths[i], fname) == -1) |
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index d839a0786..523f319ed 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c | |||
@@ -84,14 +84,14 @@ static void deventry_mount(void) { | |||
84 | while (dev[i].dev_fname != NULL) { | 84 | while (dev[i].dev_fname != NULL) { |
85 | struct stat s; | 85 | struct stat s; |
86 | if (stat(dev[i].run_fname, &s) == 0) { | 86 | if (stat(dev[i].run_fname, &s) == 0) { |
87 | 87 | ||
88 | // check device type and subsystem configuration | 88 | // check device type and subsystem configuration |
89 | if ((dev[i].type == DEV_SOUND && arg_nosound == 0) || | 89 | if ((dev[i].type == DEV_SOUND && arg_nosound == 0) || |
90 | (dev[i].type == DEV_3D && arg_no3d == 0) || | 90 | (dev[i].type == DEV_3D && arg_no3d == 0) || |
91 | (dev[i].type == DEV_VIDEO && arg_novideo == 0) || | 91 | (dev[i].type == DEV_VIDEO && arg_novideo == 0) || |
92 | (dev[i].type == DEV_TV && arg_notv == 0) || | 92 | (dev[i].type == DEV_TV && arg_notv == 0) || |
93 | (dev[i].type == DEV_DVD && arg_nodvd == 0)) { | 93 | (dev[i].type == DEV_DVD && arg_nodvd == 0)) { |
94 | 94 | ||
95 | int dir = is_dir(dev[i].run_fname); | 95 | int dir = is_dir(dev[i].run_fname); |
96 | if (arg_debug) | 96 | if (arg_debug) |
97 | printf("mounting %s %s\n", dev[i].run_fname, (dir)? "directory": "file"); | 97 | printf("mounting %s %s\n", dev[i].run_fname, (dir)? "directory": "file"); |
@@ -113,7 +113,7 @@ static void deventry_mount(void) { | |||
113 | fclose(fp); | 113 | fclose(fp); |
114 | } | 114 | } |
115 | } | 115 | } |
116 | 116 | ||
117 | if (mount(dev[i].run_fname, dev[i].dev_fname, NULL, MS_BIND|MS_REC, NULL) < 0) | 117 | if (mount(dev[i].run_fname, dev[i].dev_fname, NULL, MS_BIND|MS_REC, NULL) < 0) |
118 | errExit("mounting dev file"); | 118 | errExit("mounting dev file"); |
119 | fs_logger2("whitelist", dev[i].dev_fname); | 119 | fs_logger2("whitelist", dev[i].dev_fname); |
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c index 46ee22bf3..4cb8ed1c2 100644 --- a/src/firejail/fs_lib.c +++ b/src/firejail/fs_lib.c | |||
@@ -46,7 +46,7 @@ static void report_duplication(const char *full_path) { | |||
46 | char *fname = strrchr(full_path, '/'); | 46 | char *fname = strrchr(full_path, '/'); |
47 | if (fname && *(++fname) != '\0') { | 47 | if (fname && *(++fname) != '\0') { |
48 | // report the file on all bin paths | 48 | // report the file on all bin paths |
49 | int i = 0; | 49 | int i = 0; |
50 | while (lib_paths[i]) { | 50 | while (lib_paths[i]) { |
51 | char *p; | 51 | char *p; |
52 | if (asprintf(&p, "%s/%s", lib_paths[i], fname) == -1) | 52 | if (asprintf(&p, "%s/%s", lib_paths[i], fname) == -1) |
@@ -91,7 +91,7 @@ void fslib_duplicate(const char *full_path) { | |||
91 | return; | 91 | return; |
92 | } | 92 | } |
93 | free(name); | 93 | free(name); |
94 | 94 | ||
95 | if (arg_debug || arg_debug_private_lib) | 95 | if (arg_debug || arg_debug_private_lib) |
96 | printf("copying %s to private %s\n", full_path, dest_dir); | 96 | printf("copying %s to private %s\n", full_path, dest_dir); |
97 | 97 | ||
diff --git a/src/firejail/fs_lib2.c b/src/firejail/fs_lib2.c index e5c6bdaed..4e49730f4 100644 --- a/src/firejail/fs_lib2.c +++ b/src/firejail/fs_lib2.c | |||
@@ -88,7 +88,7 @@ static void stdc(const char *dirname) { | |||
88 | continue; | 88 | continue; |
89 | if (strcmp(entry->d_name, "..") == 0) | 89 | if (strcmp(entry->d_name, "..") == 0) |
90 | continue; | 90 | continue; |
91 | 91 | ||
92 | if (find_libc_list(entry->d_name)) { | 92 | if (find_libc_list(entry->d_name)) { |
93 | char *fname; | 93 | char *fname; |
94 | if (asprintf(&fname, "%s/%s", dirname, entry->d_name) == -1) | 94 | if (asprintf(&fname, "%s/%s", dirname, entry->d_name) == -1) |
@@ -105,7 +105,7 @@ void fslib_install_stdc(void) { | |||
105 | // install standard C libraries | 105 | // install standard C libraries |
106 | struct stat s; | 106 | struct stat s; |
107 | char *stdclib = "/lib64"; // CentOS, Fedora, Arch | 107 | char *stdclib = "/lib64"; // CentOS, Fedora, Arch |
108 | 108 | ||
109 | if (stat("/lib/x86_64-linux-gnu", &s) == 0) { // Debian & friends | 109 | if (stat("/lib/x86_64-linux-gnu", &s) == 0) { // Debian & friends |
110 | mkdir_attr(RUN_LIB_DIR "/x86_64-linux-gnu", 0755, 0, 0); | 110 | mkdir_attr(RUN_LIB_DIR "/x86_64-linux-gnu", 0755, 0, 0); |
111 | stdclib = "/lib/x86_64-linux-gnu"; | 111 | stdclib = "/lib/x86_64-linux-gnu"; |
@@ -219,13 +219,13 @@ SysLib syslibs[] = { | |||
219 | "" // message | 219 | "" // message |
220 | } | 220 | } |
221 | }; | 221 | }; |
222 | 222 | ||
223 | void fslib_install_system(void) { | 223 | void fslib_install_system(void) { |
224 | // look for installed libraries | 224 | // look for installed libraries |
225 | DIR *dir = opendir(RUN_LIB_DIR "/x86_64-linux-gnu"); | 225 | DIR *dir = opendir(RUN_LIB_DIR "/x86_64-linux-gnu"); |
226 | if (!dir) | 226 | if (!dir) |
227 | dir = opendir(RUN_LIB_DIR); | 227 | dir = opendir(RUN_LIB_DIR); |
228 | 228 | ||
229 | if (dir) { | 229 | if (dir) { |
230 | struct dirent *entry; | 230 | struct dirent *entry; |
231 | while ((entry = readdir(dir)) != NULL) { | 231 | while ((entry = readdir(dir)) != NULL) { |
@@ -238,12 +238,12 @@ void fslib_install_system(void) { | |||
238 | while (ptr->library) { | 238 | while (ptr->library) { |
239 | if (ptr->len == 0) | 239 | if (ptr->len == 0) |
240 | ptr->len = strlen(ptr->library); | 240 | ptr->len = strlen(ptr->library); |
241 | 241 | ||
242 | if (strncmp(entry->d_name, ptr->library, ptr->len) == 0) { | 242 | if (strncmp(entry->d_name, ptr->library, ptr->len) == 0) { |
243 | ptr->found = 1; | 243 | ptr->found = 1; |
244 | break; | 244 | break; |
245 | } | 245 | } |
246 | 246 | ||
247 | ptr++; | 247 | ptr++; |
248 | } | 248 | } |
249 | 249 | ||
@@ -281,7 +281,7 @@ void fslib_install_system(void) { | |||
281 | } | 281 | } |
282 | } | 282 | } |
283 | free(name); | 283 | free(name); |
284 | 284 | ||
285 | if (*ptr->dir2 != '\0') { | 285 | if (*ptr->dir2 != '\0') { |
286 | // Debian & friends | 286 | // Debian & friends |
287 | if (asprintf(&name, "/usr/lib/x86_64-linux-gnu/%s", ptr->dir2) == -1) | 287 | if (asprintf(&name, "/usr/lib/x86_64-linux-gnu/%s", ptr->dir2) == -1) |
@@ -302,7 +302,7 @@ void fslib_install_system(void) { | |||
302 | } | 302 | } |
303 | free(name); | 303 | free(name); |
304 | } | 304 | } |
305 | 305 | ||
306 | if (!arg_quiet) | 306 | if (!arg_quiet) |
307 | fprintf(stderr, "%s installed in %0.2f ms\n", ptr->message, timetrace_end()); | 307 | fprintf(stderr, "%s installed in %0.2f ms\n", ptr->message, timetrace_end()); |
308 | } | 308 | } |
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 7928aaf3d..da796f60f 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c | |||
@@ -275,7 +275,7 @@ static void whitelist_path(ProfileEntry *entry) { | |||
275 | } | 275 | } |
276 | 276 | ||
277 | // check if the file exists | 277 | // check if the file exists |
278 | assert(wfile); | 278 | assert(wfile); |
279 | struct stat s; | 279 | struct stat s; |
280 | if (stat(wfile, &s) == 0) { | 280 | if (stat(wfile, &s) == 0) { |
281 | if (arg_debug || arg_debug_whitelists) | 281 | if (arg_debug || arg_debug_whitelists) |
diff --git a/src/firejail/join.c b/src/firejail/join.c index 9f52d4565..4ce690737 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c | |||
@@ -279,7 +279,7 @@ void join(pid_t pid, int argc, char **argv, int index) { | |||
279 | if (child == 0) { | 279 | if (child == 0) { |
280 | // drop discretionary access control capabilities for root sandboxes | 280 | // drop discretionary access control capabilities for root sandboxes |
281 | caps_drop_dac_override(); | 281 | caps_drop_dac_override(); |
282 | 282 | ||
283 | // chroot into /proc/PID/root directory | 283 | // chroot into /proc/PID/root directory |
284 | char *rootdir; | 284 | char *rootdir; |
285 | if (asprintf(&rootdir, "/proc/%d/root", pid) == -1) | 285 | if (asprintf(&rootdir, "/proc/%d/root", pid) == -1) |
diff --git a/src/firejail/main.c b/src/firejail/main.c index d6b0a230e..df758e11e 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -506,7 +506,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
506 | printf("%s", buf); | 506 | printf("%s", buf); |
507 | fclose(fp); | 507 | fclose(fp); |
508 | exit(0); | 508 | exit(0); |
509 | 509 | ||
510 | } | 510 | } |
511 | else if (strncmp(argv[i], "--cpu.print=", 12) == 0) { | 511 | else if (strncmp(argv[i], "--cpu.print=", 12) == 0) { |
512 | // join sandbox by pid or by name | 512 | // join sandbox by pid or by name |
@@ -882,7 +882,7 @@ static void run_builder(int argc, char **argv) { | |||
882 | if (setuid(getuid()) < 0) | 882 | if (setuid(getuid()) < 0) |
883 | errExit("setuid/getuid"); | 883 | errExit("setuid/getuid"); |
884 | assert(getenv("LD_PRELOAD") == NULL); | 884 | assert(getenv("LD_PRELOAD") == NULL); |
885 | 885 | ||
886 | argv[0] = LIBDIR "/firejail/fbuilder"; | 886 | argv[0] = LIBDIR "/firejail/fbuilder"; |
887 | execvp(argv[0], argv); | 887 | execvp(argv[0], argv); |
888 | 888 | ||
@@ -950,7 +950,7 @@ int main(int argc, char **argv) { | |||
950 | // profile builder | 950 | // profile builder |
951 | if (check_arg(argc, argv, "--build", 0)) // supports both --build and --build=filename | 951 | if (check_arg(argc, argv, "--build", 0)) // supports both --build and --build=filename |
952 | run_builder(argc, argv); // this function will not return | 952 | run_builder(argc, argv); // this function will not return |
953 | 953 | ||
954 | // check argv[0] symlink wrapper if this is not a login shell | 954 | // check argv[0] symlink wrapper if this is not a login shell |
955 | if (*argv[0] != '-') | 955 | if (*argv[0] != '-') |
956 | run_symlink(argc, argv); // if symlink detected, this function will not return | 956 | run_symlink(argc, argv); // if symlink detected, this function will not return |
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c index 91f1274bd..2719db958 100644 --- a/src/firejail/network_main.c +++ b/src/firejail/network_main.c | |||
@@ -262,14 +262,14 @@ void net_dns_print(pid_t pid) { | |||
262 | caps_drop_all(); | 262 | caps_drop_all(); |
263 | if (chdir("/") < 0) | 263 | if (chdir("/") < 0) |
264 | errExit("chdir"); | 264 | errExit("chdir"); |
265 | 265 | ||
266 | // access /etc/resolv.conf | 266 | // access /etc/resolv.conf |
267 | FILE *fp = fopen("/etc/resolv.conf", "r"); | 267 | FILE *fp = fopen("/etc/resolv.conf", "r"); |
268 | if (!fp) { | 268 | if (!fp) { |
269 | fprintf(stderr, "Error: cannot access /etc/resolv.conf\n"); | 269 | fprintf(stderr, "Error: cannot access /etc/resolv.conf\n"); |
270 | exit(1); | 270 | exit(1); |
271 | } | 271 | } |
272 | 272 | ||
273 | char buf[MAXBUF]; | 273 | char buf[MAXBUF]; |
274 | while (fgets(buf, MAXBUF, fp)) | 274 | while (fgets(buf, MAXBUF, fp)) |
275 | printf("%s", buf); | 275 | printf("%s", buf); |
diff --git a/src/firejail/output.c b/src/firejail/output.c index 4f68b8ca3..7d73f1ef2 100644 --- a/src/firejail/output.c +++ b/src/firejail/output.c | |||
@@ -28,7 +28,7 @@ void check_output(int argc, char **argv) { | |||
28 | int i; | 28 | int i; |
29 | int outindex = 0; | 29 | int outindex = 0; |
30 | int enable_stderr = 0; | 30 | int enable_stderr = 0; |
31 | 31 | ||
32 | for (i = 1; i < argc; i++) { | 32 | for (i = 1; i < argc; i++) { |
33 | if (strncmp(argv[i], "--output=", 9) == 0) { | 33 | if (strncmp(argv[i], "--output=", 9) == 0) { |
34 | outindex = i; | 34 | outindex = i; |
@@ -90,7 +90,7 @@ void check_output(int argc, char **argv) { | |||
90 | continue; | 90 | continue; |
91 | ptr += sprintf(ptr, "%s ", argv[i]); | 91 | ptr += sprintf(ptr, "%s ", argv[i]); |
92 | } | 92 | } |
93 | 93 | ||
94 | if (enable_stderr) | 94 | if (enable_stderr) |
95 | sprintf(ptr, "2>&1 | %s/firejail/ftee %s", LIBDIR, outfile); | 95 | sprintf(ptr, "2>&1 | %s/firejail/ftee %s", LIBDIR, outfile); |
96 | else | 96 | else |
diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index 5039c6238..6826d830f 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c | |||
@@ -146,7 +146,7 @@ void preproc_clean_run(void) { | |||
146 | pid %= max_pids; | 146 | pid %= max_pids; |
147 | if (end == entry->d_name || *end) | 147 | if (end == entry->d_name || *end) |
148 | continue; | 148 | continue; |
149 | 149 | ||
150 | if (pid < start_pid) | 150 | if (pid < start_pid) |
151 | continue; | 151 | continue; |
152 | pidarr[pid] = 1; | 152 | pidarr[pid] = 1; |
@@ -169,7 +169,7 @@ void preproc_clean_run(void) { | |||
169 | pid %= max_pids; | 169 | pid %= max_pids; |
170 | if (end == entry->d_name || *end) | 170 | if (end == entry->d_name || *end) |
171 | continue; | 171 | continue; |
172 | 172 | ||
173 | if (pid < start_pid) | 173 | if (pid < start_pid) |
174 | continue; | 174 | continue; |
175 | if (pidarr[pid] == 0) | 175 | if (pidarr[pid] == 0) |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index c8bbff3fb..7d97842df 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -1062,12 +1062,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1062 | 1062 | ||
1063 | return 0; | 1063 | return 0; |
1064 | } | 1064 | } |
1065 | 1065 | ||
1066 | if (strncmp(ptr, "timeout ", 8) == 0) { | 1066 | if (strncmp(ptr, "timeout ", 8) == 0) { |
1067 | cfg.timeout = extract_timeout(ptr +8); | 1067 | cfg.timeout = extract_timeout(ptr +8); |
1068 | return 0; | 1068 | return 0; |
1069 | } | 1069 | } |
1070 | 1070 | ||
1071 | if (strncmp(ptr, "join-or-start ", 14) == 0) { | 1071 | if (strncmp(ptr, "join-or-start ", 14) == 0) { |
1072 | // try to join by name only | 1072 | // try to join by name only |
1073 | pid_t pid; | 1073 | pid_t pid; |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index b413407bd..8754f05bb 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -105,7 +105,7 @@ static void set_caps(void) { | |||
105 | caps_keep_list(arg_caps_list); | 105 | caps_keep_list(arg_caps_list); |
106 | else if (arg_caps_default_filter) | 106 | else if (arg_caps_default_filter) |
107 | caps_default_filter(); | 107 | caps_default_filter(); |
108 | 108 | ||
109 | // drop discretionary access control capabilities for root sandboxes | 109 | // drop discretionary access control capabilities for root sandboxes |
110 | // if caps.keep, the user has to set it manually in the list | 110 | // if caps.keep, the user has to set it manually in the list |
111 | if (!arg_caps_keep) | 111 | if (!arg_caps_keep) |
diff --git a/src/firejail/util.c b/src/firejail/util.c index fde180e49..0d703a1b6 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -763,7 +763,7 @@ void invalid_filename(const char *fname, int globbing) { | |||
763 | return; | 763 | return; |
764 | 764 | ||
765 | int len = strlen(ptr); | 765 | int len = strlen(ptr); |
766 | 766 | ||
767 | if (globbing) { | 767 | if (globbing) { |
768 | // file globbing ('*?[]') is allowed | 768 | // file globbing ('*?[]') is allowed |
769 | if (strcspn(ptr, "\\&!\"'<>%^(){};,") != (size_t)len) { | 769 | if (strcspn(ptr, "\\&!\"'<>%^(){};,") != (size_t)len) { |
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index d41f46d93..18617e75f 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
@@ -1043,7 +1043,7 @@ void x11_start_xpra(int argc, char **argv) { | |||
1043 | char *display_str; | 1043 | char *display_str; |
1044 | if (asprintf(&display_str, ":%d", display) == -1) | 1044 | if (asprintf(&display_str, ":%d", display) == -1) |
1045 | errExit("asprintf"); | 1045 | errExit("asprintf"); |
1046 | 1046 | ||
1047 | if (checkcfg(CFG_XPRA_ATTACH)) | 1047 | if (checkcfg(CFG_XPRA_ATTACH)) |
1048 | x11_start_xpra_new(argc, argv, display_str); | 1048 | x11_start_xpra_new(argc, argv, display_str); |
1049 | else | 1049 | else |
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c index 1f3fdd578..6f7356729 100644 --- a/src/firemon/firemon.c +++ b/src/firemon/firemon.c | |||
@@ -56,15 +56,15 @@ static void my_handler(int s){ | |||
56 | // return -1 if not found | 56 | // return -1 if not found |
57 | // | 57 | // |
58 | // Example: | 58 | // Example: |
59 | //14776:netblue:/usr/bin/firejail /usr/bin/transmission-qt | 59 | //14776:netblue:/usr/bin/firejail /usr/bin/transmission-qt |
60 | // 14777:netblue:/usr/bin/firejail /usr/bin/transmission-qt | 60 | // 14777:netblue:/usr/bin/firejail /usr/bin/transmission-qt |
61 | // 14792:netblue:/usr/bin/transmission-qt | 61 | // 14792:netblue:/usr/bin/transmission-qt |
62 | // We need 14792, the first real sandboxed process | 62 | // We need 14792, the first real sandboxed process |
63 | int find_child(int id) { | 63 | int find_child(int id) { |
64 | int i; | 64 | int i; |
65 | int first_child = -1; | 65 | int first_child = -1; |
66 | 66 | ||
67 | // find the first child | 67 | // find the first child |
68 | for (i = 0; i < max_pids; i++) { | 68 | for (i = 0; i < max_pids; i++) { |
69 | if (pids[i].level == 2 && pids[i].parent == id) { | 69 | if (pids[i].level == 2 && pids[i].parent == id) { |
70 | first_child = i; | 70 | first_child = i; |
@@ -74,13 +74,13 @@ int find_child(int id) { | |||
74 | 74 | ||
75 | if (first_child == -1) | 75 | if (first_child == -1) |
76 | return -1; | 76 | return -1; |
77 | 77 | ||
78 | // find the second child | 78 | // find the second child |
79 | for (i = 0; i < max_pids; i++) { | 79 | for (i = 0; i < max_pids; i++) { |
80 | if (pids[i].level == 3 && pids[i].parent == first_child) | 80 | if (pids[i].level == 3 && pids[i].parent == first_child) |
81 | return i; | 81 | return i; |
82 | } | 82 | } |
83 | 83 | ||
84 | return -1; | 84 | return -1; |
85 | } | 85 | } |
86 | 86 | ||
diff --git a/src/fldd/main.c b/src/fldd/main.c index 8e5b2bcb5..4439c6509 100644 --- a/src/fldd/main.c +++ b/src/fldd/main.c | |||
@@ -115,7 +115,7 @@ static void copy_libs_for_exe(const char *exe) { | |||
115 | fprintf(stderr, "Warning fldd: cannot open %s, skipping...\n", exe); | 115 | fprintf(stderr, "Warning fldd: cannot open %s, skipping...\n", exe); |
116 | return; | 116 | return; |
117 | } | 117 | } |
118 | 118 | ||
119 | struct stat s; | 119 | struct stat s; |
120 | char *base = NULL, *end; | 120 | char *base = NULL, *end; |
121 | if (fstat(f, &s) == -1) | 121 | if (fstat(f, &s) == -1) |
@@ -217,7 +217,7 @@ static void copy_libs_for_exe(const char *exe) { | |||
217 | close: | 217 | close: |
218 | if (base) | 218 | if (base) |
219 | munmap(base, s.st_size); | 219 | munmap(base, s.st_size); |
220 | 220 | ||
221 | close(f); | 221 | close(f); |
222 | } | 222 | } |
223 | 223 | ||
@@ -335,7 +335,7 @@ printf("\n"); | |||
335 | usage(); | 335 | usage(); |
336 | return 0; | 336 | return 0; |
337 | } | 337 | } |
338 | 338 | ||
339 | int fd = STDOUT_FILENO; | 339 | int fd = STDOUT_FILENO; |
340 | // attempt to open the file | 340 | // attempt to open the file |
341 | if (argc == 3) { | 341 | if (argc == 3) { |
diff --git a/src/fnetfilter/main.c b/src/fnetfilter/main.c index 723c1ac32..d6ed502b8 100644 --- a/src/fnetfilter/main.c +++ b/src/fnetfilter/main.c | |||
@@ -181,7 +181,7 @@ printf("\n"); | |||
181 | } | 181 | } |
182 | 182 | ||
183 | char *destfile = (argc == 3)? argv[2]: argv[1]; | 183 | char *destfile = (argc == 3)? argv[2]: argv[1]; |
184 | char *command = (argc == 3)? argv[1]: NULL; | 184 | char *command = (argc == 3)? argv[1]: NULL; |
185 | //printf("command %s\n", command); | 185 | //printf("command %s\n", command); |
186 | //printf("destfile %s\n", destfile); | 186 | //printf("destfile %s\n", destfile); |
187 | // destfile is a real filename | 187 | // destfile is a real filename |
@@ -208,6 +208,6 @@ printf("\n"); | |||
208 | else | 208 | else |
209 | copy(command, destfile); | 209 | copy(command, destfile); |
210 | } | 210 | } |
211 | 211 | ||
212 | return 0; | 212 | return 0; |
213 | } | 213 | } |
diff --git a/src/fseccomp/seccomp.c b/src/fseccomp/seccomp.c index ef7dd5c54..028cd76a9 100644 --- a/src/fseccomp/seccomp.c +++ b/src/fseccomp/seccomp.c | |||
@@ -165,7 +165,7 @@ void seccomp_default_drop(const char *fname1, const char *fname2, char *list, in | |||
165 | 165 | ||
166 | void seccomp_keep(const char *fname1, const char *fname2, char *list) { | 166 | void seccomp_keep(const char *fname1, const char *fname2, char *list) { |
167 | (void) fname2; | 167 | (void) fname2; |
168 | 168 | ||
169 | // open file for pre-exec filter | 169 | // open file for pre-exec filter |
170 | int fd = open(fname1, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); | 170 | int fd = open(fname1, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); |
171 | if (fd < 0) { | 171 | if (fd < 0) { |
diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c index e8df2bda5..ffc65e7c3 100644 --- a/src/fseccomp/seccomp_print.c +++ b/src/fseccomp/seccomp_print.c | |||
@@ -68,7 +68,7 @@ static int detect_filter_type(void) { | |||
68 | assert(filter); | 68 | assert(filter); |
69 | 69 | ||
70 | printf("SECCOMP Filter\n"); | 70 | printf("SECCOMP Filter\n"); |
71 | 71 | ||
72 | // testing for main seccomp filter, protocol, mdwe - platform architecture | 72 | // testing for main seccomp filter, protocol, mdwe - platform architecture |
73 | const struct sock_filter start_main[] = { | 73 | const struct sock_filter start_main[] = { |
74 | VALIDATE_ARCHITECTURE, | 74 | VALIDATE_ARCHITECTURE, |
@@ -79,7 +79,7 @@ static int detect_filter_type(void) { | |||
79 | EXAMINE_SYSCALL | 79 | EXAMINE_SYSCALL |
80 | #endif | 80 | #endif |
81 | }; | 81 | }; |
82 | 82 | ||
83 | if (memcmp(&start_main[0], filter, sizeof(start_main)) == 0) { | 83 | if (memcmp(&start_main[0], filter, sizeof(start_main)) == 0) { |
84 | printf(" VALIDATE_ARCHITECTURE\n"); | 84 | printf(" VALIDATE_ARCHITECTURE\n"); |
85 | printf(" EXAMINE_SYSCALL\n"); | 85 | printf(" EXAMINE_SYSCALL\n"); |
@@ -88,26 +88,26 @@ static int detect_filter_type(void) { | |||
88 | #endif | 88 | #endif |
89 | return sizeof(start_main) / sizeof(struct sock_filter); | 89 | return sizeof(start_main) / sizeof(struct sock_filter); |
90 | } | 90 | } |
91 | 91 | ||
92 | 92 | ||
93 | // testing for secondary 64 bit filter | 93 | // testing for secondary 64 bit filter |
94 | const struct sock_filter start_secondary_64[] = { | 94 | const struct sock_filter start_secondary_64[] = { |
95 | VALIDATE_ARCHITECTURE_64, | 95 | VALIDATE_ARCHITECTURE_64, |
96 | EXAMINE_SYSCALL, | 96 | EXAMINE_SYSCALL, |
97 | }; | 97 | }; |
98 | 98 | ||
99 | if (memcmp(&start_secondary_64[0], filter, sizeof(start_secondary_64)) == 0) { | 99 | if (memcmp(&start_secondary_64[0], filter, sizeof(start_secondary_64)) == 0) { |
100 | printf(" VALIDATE_ARCHITECTURE_64\n"); | 100 | printf(" VALIDATE_ARCHITECTURE_64\n"); |
101 | printf(" EXAMINE_SYSCALL\n"); | 101 | printf(" EXAMINE_SYSCALL\n"); |
102 | return sizeof(start_secondary_64) / sizeof(struct sock_filter); | 102 | return sizeof(start_secondary_64) / sizeof(struct sock_filter); |
103 | } | 103 | } |
104 | 104 | ||
105 | // testing for secondary 32 bit filter | 105 | // testing for secondary 32 bit filter |
106 | const struct sock_filter start_secondary_32[] = { | 106 | const struct sock_filter start_secondary_32[] = { |
107 | VALIDATE_ARCHITECTURE_32, | 107 | VALIDATE_ARCHITECTURE_32, |
108 | EXAMINE_SYSCALL, | 108 | EXAMINE_SYSCALL, |
109 | }; | 109 | }; |
110 | 110 | ||
111 | if (memcmp(&start_secondary_32[0], filter, sizeof(start_secondary_32)) == 0) { | 111 | if (memcmp(&start_secondary_32[0], filter, sizeof(start_secondary_32)) == 0) { |
112 | printf(" VALIDATE_ARCHITECTURE_32\n"); | 112 | printf(" VALIDATE_ARCHITECTURE_32\n"); |
113 | printf(" EXAMINE_SYSCALL\n"); | 113 | printf(" EXAMINE_SYSCALL\n"); |
@@ -132,7 +132,7 @@ static int detect_filter_type(void) { | |||
132 | #endif | 132 | #endif |
133 | return sizeof(start_secondary_block) / sizeof(struct sock_filter); | 133 | return sizeof(start_secondary_block) / sizeof(struct sock_filter); |
134 | } | 134 | } |
135 | 135 | ||
136 | return 0; // filter unrecognized | 136 | return 0; // filter unrecognized |
137 | } | 137 | } |
138 | 138 | ||
@@ -146,7 +146,7 @@ void filter_print(const char *fname) { | |||
146 | printf("Invalid seccomp filter %s\n", fname); | 146 | printf("Invalid seccomp filter %s\n", fname); |
147 | return; | 147 | return; |
148 | } | 148 | } |
149 | 149 | ||
150 | // loop trough the rest of commands | 150 | // loop trough the rest of commands |
151 | while (i < filter_cnt) { | 151 | while (i < filter_cnt) { |
152 | // minimal parsing! | 152 | // minimal parsing! |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index d9000fd5e..927c5e309 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -859,7 +859,7 @@ be created and configured using "ip netns". | |||
859 | .TP | 859 | .TP |
860 | \fB\-\-netfilter | 860 | \fB\-\-netfilter |
861 | Enable a default firewall if a new network namespace is created inside the sandbox. | 861 | Enable a default firewall if a new network namespace is created inside the sandbox. |
862 | This option has no effect for sandboxes using the system network namespace. | 862 | This option has no effect for sandboxes using the system network namespace. |
863 | .br | 863 | .br |
864 | 864 | ||
865 | .br | 865 | .br |
@@ -970,7 +970,7 @@ $ firejail --netfilter.print=browser | |||
970 | \fB\-\-netfilter6=filename | 970 | \fB\-\-netfilter6=filename |
971 | Enable the IPv6 firewall specified by filename if a new network namespace is created inside the sandbox. | 971 | Enable the IPv6 firewall specified by filename if a new network namespace is created inside the sandbox. |
972 | This option has no effect for sandboxes using the system network namespace. | 972 | This option has no effect for sandboxes using the system network namespace. |
973 | Please use the regular iptables-save/iptables-restore format for the filter file. | 973 | Please use the regular iptables-save/iptables-restore format for the filter file. |
974 | 974 | ||
975 | .TP | 975 | .TP |
976 | \fB\-\-netfilter6.print=name|pid | 976 | \fB\-\-netfilter6.print=name|pid |