Diffstat (limited to 'src')
-rw-r--r-- | src/etc-cleanup/main.c | 4 | ||||
-rw-r--r-- | src/fbuilder/build_home.c | 2 | ||||
-rw-r--r-- | src/fbuilder/filedb.c | 4 | ||||
-rw-r--r-- | src/fcopy/main.c | 2 | ||||
-rw-r--r-- | src/firecfg/util.c | 8 | ||||
-rw-r--r-- | src/firejail/appimage_size.c | 2 | ||||
-rw-r--r-- | src/firejail/chroot.c | 2 | ||||
-rw-r--r-- | src/firejail/cpu.c | 12 | ||||
-rw-r--r-- | src/firejail/fs.c | 4 | ||||
-rw-r--r-- | src/firejail/ls.c | 2 | ||||
-rw-r--r-- | src/firejail/macros.c | 6 | ||||
-rw-r--r-- | src/firejail/main.c | 70 | ||||
-rw-r--r-- | src/firejail/network.c | 2 | ||||
-rw-r--r-- | src/firejail/no_sandbox.c | 8 | ||||
-rw-r--r-- | src/firejail/restricted_shell.c | 50 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 24 | ||||
-rw-r--r-- | src/firejail/util.c | 2 | ||||
-rw-r--r-- | src/firemon/procevent.c | 2 | ||||
-rw-r--r-- | src/firemon/top.c | 3 | ||||
-rw-r--r-- | src/fnet/interface.c | 6 | ||||
-rw-r--r-- | src/fnettrace-dns/main.c | 2 | ||||
-rw-r--r-- | src/fseccomp/namespaces.c | 4 | ||||
-rw-r--r-- | src/jailcheck/noexec.c | 2 | ||||
-rw-r--r-- | src/libtrace/libtrace.c | 2 | ||||
-rw-r--r-- | src/profstats/main.c | 10 |
25 files changed, 118 insertions, 117 deletions
diff --git a/src/etc-cleanup/main.c b/src/etc-cleanup/main.c index 1f1a61f88..6c7bea6d6 100644 --- a/src/etc-cleanup/main.c +++ b/src/etc-cleanup/main.c | |||
@@ -231,8 +231,8 @@ int main(int argc, char **argv) { | |||
231 | int i; | 231 | int i; |
232 | for (i = 1; i < argc; i++) { | 232 | for (i = 1; i < argc; i++) { |
233 | if (strcmp(argv[i], "-h") == 0 || | 233 | if (strcmp(argv[i], "-h") == 0 || |
234 | strcmp(argv[i], "-?") == 0 || | 234 | strcmp(argv[i], "-?") == 0 || |
235 | strcmp(argv[i], "--help") == 0) { | 235 | strcmp(argv[i], "--help") == 0) { |
236 | usage(); | 236 | usage(); |
237 | return 0; | 237 | return 0; |
238 | } | 238 | } |
diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c index 6d96b69cc..15c54911b 100644 --- a/src/fbuilder/build_home.c +++ b/src/fbuilder/build_home.c | |||
@@ -110,7 +110,7 @@ void process_home(const char *fname, char *home, int home_len) { | |||
110 | strcmp(toadd, ".cache") == 0) { | 110 | strcmp(toadd, ".cache") == 0) { |
111 | if (dir) | 111 | if (dir) |
112 | free(dir); | 112 | free(dir); |
113 | continue; | 113 | continue; |
114 | } | 114 | } |
115 | 115 | ||
116 | // clean .cache entries | 116 | // clean .cache entries |
diff --git a/src/fbuilder/filedb.c b/src/fbuilder/filedb.c index 4089f3806..5a3b389ae 100644 --- a/src/fbuilder/filedb.c +++ b/src/fbuilder/filedb.c | |||
@@ -38,8 +38,8 @@ FileDB *filedb_find(FileDB *head, const char *fname) { | |||
38 | if (strlen(fname) > ptr->len && | 38 | if (strlen(fname) > ptr->len && |
39 | fname[ptr->len] == '/' && | 39 | fname[ptr->len] == '/' && |
40 | strncmp(ptr->fname, fname, ptr->len) == 0) { | 40 | strncmp(ptr->fname, fname, ptr->len) == 0) { |
41 | found = 1; | 41 | found = 1; |
42 | break; | 42 | break; |
43 | } | 43 | } |
44 | 44 | ||
45 | ptr = ptr->next; | 45 | ptr = ptr->next; |
diff --git a/src/fcopy/main.c b/src/fcopy/main.c index f1deabf2e..da24fb3f7 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c | |||
@@ -236,7 +236,7 @@ void copy_link(const char *target, const char *linkpath, mode_t mode, uid_t uid, | |||
236 | // if the link is already there, don't create it | 236 | // if the link is already there, don't create it |
237 | struct stat s; | 237 | struct stat s; |
238 | if (lstat(linkpath, &s) == 0) | 238 | if (lstat(linkpath, &s) == 0) |
239 | return; | 239 | return; |
240 | 240 | ||
241 | char *rp = proc_pid_to_self(target); | 241 | char *rp = proc_pid_to_self(target); |
242 | if (rp) { | 242 | if (rp) { |
diff --git a/src/firecfg/util.c b/src/firecfg/util.c index dc24d4e68..4185b52dd 100644 --- a/src/firecfg/util.c +++ b/src/firecfg/util.c | |||
@@ -30,8 +30,8 @@ static int find(const char *program, const char *directory) { | |||
30 | 30 | ||
31 | struct stat s; | 31 | struct stat s; |
32 | if (stat(fname, &s) == 0) { | 32 | if (stat(fname, &s) == 0) { |
33 | if (arg_debug) | 33 | if (arg_debug) |
34 | printf("found %s in directory %s\n", program, directory); | 34 | printf("found %s in directory %s\n", program, directory); |
35 | retval = 1; | 35 | retval = 1; |
36 | } | 36 | } |
37 | 37 | ||
@@ -44,8 +44,8 @@ static int find(const char *program, const char *directory) { | |||
44 | int which(const char *program) { | 44 | int which(const char *program) { |
45 | // check some well-known paths | 45 | // check some well-known paths |
46 | if (find(program, "/bin") || find(program, "/usr/bin") || | 46 | if (find(program, "/bin") || find(program, "/usr/bin") || |
47 | find(program, "/sbin") || find(program, "/usr/sbin") || | 47 | find(program, "/sbin") || find(program, "/usr/sbin") || |
48 | find(program, "/usr/games")) | 48 | find(program, "/usr/games")) |
49 | return 1; | 49 | return 1; |
50 | 50 | ||
51 | // check environment | 51 | // check environment |
diff --git a/src/firejail/appimage_size.c b/src/firejail/appimage_size.c index 6bb530d12..c3f1620bc 100644 --- a/src/firejail/appimage_size.c +++ b/src/firejail/appimage_size.c | |||
@@ -144,7 +144,7 @@ long unsigned int appimage2_size(int fd) { | |||
144 | return 0; | 144 | return 0; |
145 | 145 | ||
146 | if ((ehdr.e_ident[EI_DATA] != ELFDATA2LSB) && | 146 | if ((ehdr.e_ident[EI_DATA] != ELFDATA2LSB) && |
147 | (ehdr.e_ident[EI_DATA] != ELFDATA2MSB)) | 147 | (ehdr.e_ident[EI_DATA] != ELFDATA2MSB)) |
148 | return 0; | 148 | return 0; |
149 | 149 | ||
150 | if(ehdr.e_ident[EI_CLASS] == ELFCLASS32) { | 150 | if(ehdr.e_ident[EI_CLASS] == ELFCLASS32) { |
diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c index fef7eb724..132ac94ba 100644 --- a/src/firejail/chroot.c +++ b/src/firejail/chroot.c | |||
@@ -280,7 +280,7 @@ void fs_chroot(const char *rootdir) { | |||
280 | // fs_dev_shm(); | 280 | // fs_dev_shm(); |
281 | fs_var_lock(); | 281 | fs_var_lock(); |
282 | if (!arg_keep_var_tmp) | 282 | if (!arg_keep_var_tmp) |
283 | fs_var_tmp(); | 283 | fs_var_tmp(); |
284 | if (!arg_writable_var_log) | 284 | if (!arg_writable_var_log) |
285 | fs_var_log(); | 285 | fs_var_log(); |
286 | 286 | ||
diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c index ada76bc76..804d51caa 100644 --- a/src/firejail/cpu.c +++ b/src/firejail/cpu.c | |||
@@ -103,17 +103,17 @@ void set_cpu_affinity(void) { | |||
103 | if (sched_setaffinity(0, sizeof(mask), &mask) == -1) | 103 | if (sched_setaffinity(0, sizeof(mask), &mask) == -1) |
104 | fwarning("cannot set cpu affinity\n"); | 104 | fwarning("cannot set cpu affinity\n"); |
105 | 105 | ||
106 | // verify cpu affinity | 106 | // verify cpu affinity |
107 | cpu_set_t mask2; | 107 | cpu_set_t mask2; |
108 | CPU_ZERO(&mask2); | 108 | CPU_ZERO(&mask2); |
109 | if (sched_getaffinity(0, sizeof(mask2), &mask2) == -1) | 109 | if (sched_getaffinity(0, sizeof(mask2), &mask2) == -1) |
110 | fwarning("cannot verify cpu affinity\n"); | 110 | fwarning("cannot verify cpu affinity\n"); |
111 | else if (arg_debug) { | 111 | else if (arg_debug) { |
112 | if (CPU_EQUAL(&mask, &mask2)) | 112 | if (CPU_EQUAL(&mask, &mask2)) |
113 | printf("CPU affinity set\n"); | 113 | printf("CPU affinity set\n"); |
114 | else | 114 | else |
115 | printf("CPU affinity not set\n"); | 115 | printf("CPU affinity not set\n"); |
116 | } | 116 | } |
117 | } | 117 | } |
118 | 118 | ||
119 | static void print_cpu(ProcessHandle process) { | 119 | static void print_cpu(ProcessHandle process) { |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index d7a2edc3b..182f26e53 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -123,8 +123,8 @@ static void disable_file(OPERATION op, const char *filename) { | |||
123 | if (op == BLACKLIST_FILE || op == BLACKLIST_NOLOG) { | 123 | if (op == BLACKLIST_FILE || op == BLACKLIST_NOLOG) { |
124 | // some distros put all executables under /usr/bin and make /bin a symbolic link | 124 | // some distros put all executables under /usr/bin and make /bin a symbolic link |
125 | if ((strcmp(fname, "/bin") == 0 || strcmp(fname, "/usr/bin") == 0) && | 125 | if ((strcmp(fname, "/bin") == 0 || strcmp(fname, "/usr/bin") == 0) && |
126 | is_link(filename) && | 126 | is_link(filename) && |
127 | S_ISDIR(s.st_mode)) { | 127 | S_ISDIR(s.st_mode)) { |
128 | fwarning("%s directory link was not blacklisted\n", filename); | 128 | fwarning("%s directory link was not blacklisted\n", filename); |
129 | } | 129 | } |
130 | else { | 130 | else { |
diff --git a/src/firejail/ls.c b/src/firejail/ls.c index f2782de35..ea85fabfd 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c | |||
@@ -178,7 +178,7 @@ static void print_directory(const char *path) { | |||
178 | 178 | ||
179 | n = scandir(path, &namelist, 0, alphasort); | 179 | n = scandir(path, &namelist, 0, alphasort); |
180 | if (n < 0) | 180 | if (n < 0) |
181 | errExit("scandir"); | 181 | errExit("scandir"); |
182 | else { | 182 | else { |
183 | for (i = 0; i < n; i++) | 183 | for (i = 0; i < n; i++) |
184 | print_file_or_dir(path, namelist[i]->d_name); | 184 | print_file_or_dir(path, namelist[i]->d_name); |
diff --git a/src/firejail/macros.c b/src/firejail/macros.c index 27bb4227a..af7d02c2a 100644 --- a/src/firejail/macros.c +++ b/src/firejail/macros.c | |||
@@ -38,19 +38,19 @@ Macro macro[] = { | |||
38 | }, | 38 | }, |
39 | 39 | ||
40 | { | 40 | { |
41 | "${MUSIC}", | 41 | "${MUSIC}", |
42 | "XDG_MUSIC_DIR=\"$HOME/", | 42 | "XDG_MUSIC_DIR=\"$HOME/", |
43 | {"Music", "Музыка", "Musique", "Musica", "Música", "Musik"} | 43 | {"Music", "Музыка", "Musique", "Musica", "Música", "Musik"} |
44 | }, | 44 | }, |
45 | 45 | ||
46 | { | 46 | { |
47 | "${VIDEOS}", | 47 | "${VIDEOS}", |
48 | "XDG_VIDEOS_DIR=\"$HOME/", | 48 | "XDG_VIDEOS_DIR=\"$HOME/", |
49 | {"Videos", "Видео", "Vidéos", "Video", "Vídeos"} | 49 | {"Videos", "Видео", "Vidéos", "Video", "Vídeos"} |
50 | }, | 50 | }, |
51 | 51 | ||
52 | { | 52 | { |
53 | "${PICTURES}", | 53 | "${PICTURES}", |
54 | "XDG_PICTURES_DIR=\"$HOME/", | 54 | "XDG_PICTURES_DIR=\"$HOME/", |
55 | {"Pictures", "Изображения", "Photos", "Immagini", "Imágenes", "Imagens", "Bilder"} | 55 | {"Pictures", "Изображения", "Photos", "Immagini", "Imágenes", "Imagens", "Bilder"} |
56 | }, | 56 | }, |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 7a9d3d00d..fac357303 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -52,7 +52,7 @@ | |||
52 | int __clone2(int (*fn)(void *), | 52 | int __clone2(int (*fn)(void *), |
53 | void *child_stack_base, size_t stack_size, | 53 | void *child_stack_base, size_t stack_size, |
54 | int flags, void *arg, ... | 54 | int flags, void *arg, ... |
55 | /* pid_t *ptid, struct user_desc *tls, pid_t *ctid */ ); | 55 | /* pid_t *ptid, struct user_desc *tls, pid_t *ctid */ ); |
56 | #endif | 56 | #endif |
57 | 57 | ||
58 | uid_t firejail_uid = 0; | 58 | uid_t firejail_uid = 0; |
@@ -106,7 +106,7 @@ char *arg_netfilter6_file = NULL; // netfilter6 file | |||
106 | char *arg_netns = NULL; // "ip netns"-created network namespace to use | 106 | char *arg_netns = NULL; // "ip netns"-created network namespace to use |
107 | int arg_doubledash = 0; // double dash | 107 | int arg_doubledash = 0; // double dash |
108 | int arg_private_dev = 0; // private dev directory | 108 | int arg_private_dev = 0; // private dev directory |
109 | int arg_keep_dev_shm = 0; // preserve /dev/shm | 109 | int arg_keep_dev_shm = 0; // preserve /dev/shm |
110 | int arg_private_etc = 0; // private etc directory | 110 | int arg_private_etc = 0; // private etc directory |
111 | int arg_private_opt = 0; // private opt directory | 111 | int arg_private_opt = 0; // private opt directory |
112 | int arg_private_srv = 0; // private srv directory | 112 | int arg_private_srv = 0; // private srv directory |
@@ -129,7 +129,7 @@ int arg_writable_etc = 0; // writable etc | |||
129 | int arg_keep_config_pulse = 0; // disable automatic ~/.config/pulse init | 129 | int arg_keep_config_pulse = 0; // disable automatic ~/.config/pulse init |
130 | int arg_keep_shell_rc = 0; // do not copy shell configuration from /etc/skel | 130 | int arg_keep_shell_rc = 0; // do not copy shell configuration from /etc/skel |
131 | int arg_writable_var = 0; // writable var | 131 | int arg_writable_var = 0; // writable var |
132 | int arg_keep_var_tmp = 0; // don't overwrite /var/tmp | 132 | int arg_keep_var_tmp = 0; // don't overwrite /var/tmp |
133 | int arg_writable_run_user = 0; // writable /run/user | 133 | int arg_writable_run_user = 0; // writable /run/user |
134 | int arg_writable_var_log = 0; // writable /var/log | 134 | int arg_writable_var_log = 0; // writable /var/log |
135 | int arg_appimage = 0; // appimage | 135 | int arg_appimage = 0; // appimage |
@@ -141,7 +141,7 @@ int arg_x11_block = 0; // block X11 | |||
141 | int arg_x11_xorg = 0; // use X11 security extension | 141 | int arg_x11_xorg = 0; // use X11 security extension |
142 | int arg_allusers = 0; // all user home directories visible | 142 | int arg_allusers = 0; // all user home directories visible |
143 | int arg_machineid = 0; // spoof /etc/machine-id | 143 | int arg_machineid = 0; // spoof /etc/machine-id |
144 | int arg_allow_private_blacklist = 0; // blacklist things in private directories | 144 | int arg_allow_private_blacklist = 0; // blacklist things in private directories |
145 | int arg_disable_mnt = 0; // disable /mnt and /media | 145 | int arg_disable_mnt = 0; // disable /mnt and /media |
146 | int arg_noprofile = 0; // use default.profile if none other found/specified | 146 | int arg_noprofile = 0; // use default.profile if none other found/specified |
147 | int arg_memory_deny_write_execute = 0; // block writable and executable memory | 147 | int arg_memory_deny_write_execute = 0; // block writable and executable memory |
@@ -150,7 +150,7 @@ int arg_nodvd = 0; // --nodvd | |||
150 | int arg_nou2f = 0; // --nou2f | 150 | int arg_nou2f = 0; // --nou2f |
151 | int arg_noinput = 0; // --noinput | 151 | int arg_noinput = 0; // --noinput |
152 | int arg_deterministic_exit_code = 0; // always exit with first child's exit status | 152 | int arg_deterministic_exit_code = 0; // always exit with first child's exit status |
153 | int arg_deterministic_shutdown = 0; // shut down the sandbox if first child dies | 153 | int arg_deterministic_shutdown = 0; // shut down the sandbox if first child dies |
154 | int arg_keep_fd_all = 0; // inherit all file descriptors to sandbox | 154 | int arg_keep_fd_all = 0; // inherit all file descriptors to sandbox |
155 | DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW; // --dbus-user | 155 | DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW; // --dbus-user |
156 | DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system | 156 | DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system |
@@ -768,11 +768,11 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
768 | exit(1); | 768 | exit(1); |
769 | } | 769 | } |
770 | char *path = argv[i + 1]; | 770 | char *path = argv[i + 1]; |
771 | invalid_filename(path, 0); // no globbing | 771 | invalid_filename(path, 0); // no globbing |
772 | if (strstr(path, "..")) { | 772 | if (strstr(path, "..")) { |
773 | fprintf(stderr, "Error: invalid file name %s\n", path); | 773 | fprintf(stderr, "Error: invalid file name %s\n", path); |
774 | exit(1); | 774 | exit(1); |
775 | } | 775 | } |
776 | 776 | ||
777 | // get file | 777 | // get file |
778 | pid_t pid = require_pid(argv[i] + 6); | 778 | pid_t pid = require_pid(argv[i] + 6); |
@@ -796,17 +796,17 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
796 | exit(1); | 796 | exit(1); |
797 | } | 797 | } |
798 | char *path1 = argv[i + 1]; | 798 | char *path1 = argv[i + 1]; |
799 | invalid_filename(path1, 0); // no globbing | 799 | invalid_filename(path1, 0); // no globbing |
800 | if (strstr(path1, "..")) { | 800 | if (strstr(path1, "..")) { |
801 | fprintf(stderr, "Error: invalid file name %s\n", path1); | 801 | fprintf(stderr, "Error: invalid file name %s\n", path1); |
802 | exit(1); | 802 | exit(1); |
803 | } | 803 | } |
804 | char *path2 = argv[i + 2]; | 804 | char *path2 = argv[i + 2]; |
805 | invalid_filename(path2, 0); // no globbing | 805 | invalid_filename(path2, 0); // no globbing |
806 | if (strstr(path2, "..")) { | 806 | if (strstr(path2, "..")) { |
807 | fprintf(stderr, "Error: invalid file name %s\n", path2); | 807 | fprintf(stderr, "Error: invalid file name %s\n", path2); |
808 | exit(1); | 808 | exit(1); |
809 | } | 809 | } |
810 | 810 | ||
811 | // get file | 811 | // get file |
812 | pid_t pid = require_pid(argv[i] + 6); | 812 | pid_t pid = require_pid(argv[i] + 6); |
@@ -830,15 +830,15 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
830 | exit(1); | 830 | exit(1); |
831 | } | 831 | } |
832 | char *path = argv[i + 1]; | 832 | char *path = argv[i + 1]; |
833 | invalid_filename(path, 0); // no globbing | 833 | invalid_filename(path, 0); // no globbing |
834 | if (strstr(path, "..")) { | 834 | if (strstr(path, "..")) { |
835 | fprintf(stderr, "Error: invalid file name %s\n", path); | 835 | fprintf(stderr, "Error: invalid file name %s\n", path); |
836 | exit(1); | 836 | exit(1); |
837 | } | 837 | } |
838 | 838 | ||
839 | // list directory contents | 839 | // list directory contents |
840 | if (!arg_debug) | 840 | if (!arg_debug) |
841 | arg_quiet = 1; | 841 | arg_quiet = 1; |
842 | pid_t pid = require_pid(argv[i] + 5); | 842 | pid_t pid = require_pid(argv[i] + 5); |
843 | sandboxfs(SANDBOX_FS_LS, pid, path, NULL); | 843 | sandboxfs(SANDBOX_FS_LS, pid, path, NULL); |
844 | exit(0); | 844 | exit(0); |
@@ -867,7 +867,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
867 | 867 | ||
868 | // write file contents to stdout | 868 | // write file contents to stdout |
869 | if (!arg_debug) | 869 | if (!arg_debug) |
870 | arg_quiet = 1; | 870 | arg_quiet = 1; |
871 | pid_t pid = require_pid(argv[i] + 6); | 871 | pid_t pid = require_pid(argv[i] + 6); |
872 | sandboxfs(SANDBOX_FS_CAT, pid, path, NULL); | 872 | sandboxfs(SANDBOX_FS_CAT, pid, path, NULL); |
873 | exit(0); | 873 | exit(0); |
@@ -894,8 +894,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
894 | 894 | ||
895 | } | 895 | } |
896 | else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { | 896 | else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { |
897 | // NOTE: this is first part of option handler, | 897 | // NOTE: this is first part of option handler, sandbox name is |
898 | // sandbox name is set in other part | 898 | // set in other part |
899 | if (checkcfg(CFG_JOIN) || getuid() == 0) { | 899 | if (checkcfg(CFG_JOIN) || getuid() == 0) { |
900 | logargs(argc, argv); | 900 | logargs(argc, argv); |
901 | 901 | ||
@@ -1050,11 +1050,11 @@ static int check_postexec(const char *list) { | |||
1050 | //******************************************* | 1050 | //******************************************* |
1051 | int main(int argc, char **argv, char **envp) { | 1051 | int main(int argc, char **argv, char **envp) { |
1052 | int i; | 1052 | int i; |
1053 | int prog_index = -1; // index in argv where the program command starts | 1053 | int prog_index = -1; // index in argv where the program command starts |
1054 | int lockfd_network = -1; | 1054 | int lockfd_network = -1; |
1055 | int lockfd_directory = -1; | 1055 | int lockfd_directory = -1; |
1056 | int custom_profile = 0; // custom profile loaded | 1056 | int custom_profile = 0; // custom profile loaded |
1057 | int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot) | 1057 | int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot) |
1058 | char **ptr; | 1058 | char **ptr; |
1059 | 1059 | ||
1060 | 1060 | ||
@@ -1983,7 +1983,7 @@ int main(int argc, char **argv, char **envp) { | |||
1983 | arg_writable_var = 1; | 1983 | arg_writable_var = 1; |
1984 | } | 1984 | } |
1985 | else if (strcmp(argv[i], "--keep-var-tmp") == 0) { | 1985 | else if (strcmp(argv[i], "--keep-var-tmp") == 0) { |
1986 | arg_keep_var_tmp = 1; | 1986 | arg_keep_var_tmp = 1; |
1987 | } | 1987 | } |
1988 | else if (strcmp(argv[i], "--writable-run-user") == 0) { | 1988 | else if (strcmp(argv[i], "--writable-run-user") == 0) { |
1989 | arg_writable_run_user = 1; | 1989 | arg_writable_run_user = 1; |
@@ -2818,8 +2818,8 @@ int main(int argc, char **argv, char **envp) { | |||
2818 | } | 2818 | } |
2819 | #endif | 2819 | #endif |
2820 | else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { | 2820 | else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { |
2821 | // NOTE: this is second part of option handler, | 2821 | // NOTE: this is second part of option handler, atempt |
2822 | // atempt to find and join sandbox is done in other one | 2822 | // to find and join sandbox is done in other one |
2823 | 2823 | ||
2824 | // set sandbox name and start normally | 2824 | // set sandbox name and start normally |
2825 | cfg.name = argv[i] + 16; | 2825 | cfg.name = argv[i] + 16; |
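Review bot: The reflowed comment in the second `--join-or-start=` handler (new lines 2821-2822) still misspells "attempt" as "atempt"; since the commit rewrites both lines anyway, the spelling could be fixed here. Both halves of this option handler refer to each other only as "other part" and "other one", which is hard to follow in a file of this size. Going by the hunk headers, the first half sits in `run_cmd_and_exit()` and the second in `main()`, so the comments could name those functions, e.g. `// NOTE: second part of the option handler; the attempt to find and` / `// join an existing sandbox is made in run_cmd_and_exit()`. The rest of this section appears to be whitespace-only.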
diff --git a/src/firejail/network.c b/src/firejail/network.c index 5163035fa..c1adf87cc 100644 --- a/src/firejail/network.c +++ b/src/firejail/network.c | |||
@@ -265,7 +265,7 @@ int net_get_mac(const char *ifname, unsigned char mac[6]) { | |||
265 | int sock; | 265 | int sock; |
266 | 266 | ||
267 | if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) | 267 | if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) |
268 | errExit("socket"); | 268 | errExit("socket"); |
269 | 269 | ||
270 | memset(&ifr, 0, sizeof(ifr)); | 270 | memset(&ifr, 0, sizeof(ifr)); |
271 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); | 271 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); |
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 3997d8f86..22ee9dc3c 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c | |||
@@ -29,10 +29,10 @@ | |||
29 | int is_container(const char *str) { | 29 | int is_container(const char *str) { |
30 | assert(str); | 30 | assert(str); |
31 | if (strcmp(str, "lxc") == 0 || | 31 | if (strcmp(str, "lxc") == 0 || |
32 | strcmp(str, "docker") == 0 || | 32 | strcmp(str, "docker") == 0 || |
33 | strcmp(str, "lxc-libvirt") == 0 || | 33 | strcmp(str, "lxc-libvirt") == 0 || |
34 | strcmp(str, "systemd-nspawn") == 0 || | 34 | strcmp(str, "systemd-nspawn") == 0 || |
35 | strcmp(str, "rkt") == 0) | 35 | strcmp(str, "rkt") == 0) |
36 | return 1; | 36 | return 1; |
37 | return 0; | 37 | return 0; |
38 | } | 38 | } |
diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c index a22e63ab3..79e0bd9df 100644 --- a/src/firejail/restricted_shell.c +++ b/src/firejail/restricted_shell.c | |||
@@ -84,16 +84,16 @@ int restricted_shell(const char *user) { | |||
84 | 84 | ||
85 | // user name globbing | 85 | // user name globbing |
86 | if (fnmatch(usr, user, 0) == 0) { | 86 | if (fnmatch(usr, user, 0) == 0) { |
87 | // process program arguments | 87 | // process program arguments |
88 | 88 | ||
89 | fullargv[0] = "firejail"; | 89 | fullargv[0] = "firejail"; |
90 | int i; | 90 | int i; |
91 | ptr = args; | 91 | ptr = args; |
92 | for (i = 1; i < MAX_ARGS; i++) { | 92 | for (i = 1; i < MAX_ARGS; i++) { |
93 | // skip blanks | 93 | // skip blanks |
94 | while (*ptr == ' ' || *ptr == '\t') | 94 | while (*ptr == ' ' || *ptr == '\t') |
95 | ptr++; | 95 | ptr++; |
96 | fullargv[i] = ptr; | 96 | fullargv[i] = ptr; |
97 | #ifdef DEBUG_RESTRICTED_SHELL | 97 | #ifdef DEBUG_RESTRICTED_SHELL |
98 | {EUID_ROOT(); | 98 | {EUID_ROOT(); |
99 | FILE *fp = fopen("/firelog", "ae"); | 99 | FILE *fp = fopen("/firelog", "ae"); |
@@ -104,23 +104,23 @@ int restricted_shell(const char *user) { | |||
104 | EUID_USER();} | 104 | EUID_USER();} |
105 | #endif | 105 | #endif |
106 | 106 | ||
107 | if (*ptr != '\0') { | 107 | if (*ptr != '\0') { |
108 | // go to the end of the word | 108 | // go to the end of the word |
109 | while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0') | 109 | while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0') |
110 | ptr++; | 110 | ptr++; |
111 | *ptr ='\0'; | 111 | *ptr ='\0'; |
112 | fullargv[i] = strdup(fullargv[i]); | 112 | fullargv[i] = strdup(fullargv[i]); |
113 | if (fullargv[i] == NULL) | 113 | if (fullargv[i] == NULL) |
114 | errExit("strdup"); | 114 | errExit("strdup"); |
115 | ptr++; | 115 | ptr++; |
116 | while (*ptr == ' ' || *ptr == '\t') | 116 | while (*ptr == ' ' || *ptr == '\t') |
117 | ptr++; | 117 | ptr++; |
118 | if (*ptr != '\0') | 118 | if (*ptr != '\0') |
119 | continue; | 119 | continue; |
120 | } | 120 | } |
121 | fullargv[i] = strdup(fullargv[i]); | 121 | fullargv[i] = strdup(fullargv[i]); |
122 | fclose(fp); | 122 | fclose(fp); |
123 | return i + 1; | 123 | return i + 1; |
124 | } | 124 | } |
125 | fprintf(stderr, "Error: too many program arguments in users.conf line %d\n", lineno); | 125 | fprintf(stderr, "Error: too many program arguments in users.conf line %d\n", lineno); |
126 | exit(1); | 126 | exit(1); |
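Review bot: The `strdup` result on new line 121 is stored in `fullargv[i]` and returned as part of the argument vector without a NULL check, while the same call on line 112 is followed by `errExit("strdup")`. These lines build the argv for a restricted-shell login from users.conf, so an allocation failure here would silently produce a truncated argument list instead of stopping. Adding `if (fullargv[i] == NULL)` / `errExit("strdup");` after line 121 would make the two paths consistent. When the word branch at 107-120 has already duplicated the entry, line 121 appears to duplicate it a second time and drop the first copy, which may be worth confirming. `restricted_shell()` starts and ends outside the visible hunks.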
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index c4dc0ca78..a4109cc17 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -274,7 +274,7 @@ static void sandbox_if_up(Bridge *br) { | |||
274 | } | 274 | } |
275 | 275 | ||
276 | if (br->ip6sandbox) | 276 | if (br->ip6sandbox) |
277 | net_if_ip6(dev, br->ip6sandbox); | 277 | net_if_ip6(dev, br->ip6sandbox); |
278 | } | 278 | } |
279 | 279 | ||
280 | static void chk_chroot(void) { | 280 | static void chk_chroot(void) { |
@@ -650,12 +650,12 @@ int sandbox(void* sandbox_arg) { | |||
650 | if (arg_debug) | 650 | if (arg_debug) |
651 | printf("Initializing child process\n"); | 651 | printf("Initializing child process\n"); |
652 | 652 | ||
653 | // close each end of the unused pipes | 653 | // close each end of the unused pipes |
654 | close(parent_to_child_fds[1]); | 654 | close(parent_to_child_fds[1]); |
655 | close(child_to_parent_fds[0]); | 655 | close(child_to_parent_fds[0]); |
656 | 656 | ||
657 | // wait for parent to do base setup | 657 | // wait for parent to do base setup |
658 | wait_for_other(parent_to_child_fds[0]); | 658 | wait_for_other(parent_to_child_fds[0]); |
659 | 659 | ||
660 | if (arg_debug && child_pid == 1) | 660 | if (arg_debug && child_pid == 1) |
661 | printf("PID namespace installed\n"); | 661 | printf("PID namespace installed\n"); |
@@ -1259,13 +1259,13 @@ int sandbox(void* sandbox_arg) { | |||
1259 | } | 1259 | } |
1260 | 1260 | ||
1261 | // notify parent that new user namespace has been created so a proper | 1261 | // notify parent that new user namespace has been created so a proper |
1262 | // UID/GID map can be setup | 1262 | // UID/GID map can be setup |
1263 | notify_other(child_to_parent_fds[1]); | 1263 | notify_other(child_to_parent_fds[1]); |
1264 | close(child_to_parent_fds[1]); | 1264 | close(child_to_parent_fds[1]); |
1265 | 1265 | ||
1266 | // wait for parent to finish setting up a proper UID/GID map | 1266 | // wait for parent to finish setting up a proper UID/GID map |
1267 | wait_for_other(parent_to_child_fds[0]); | 1267 | wait_for_other(parent_to_child_fds[0]); |
1268 | close(parent_to_child_fds[0]); | 1268 | close(parent_to_child_fds[0]); |
1269 | 1269 | ||
1270 | // somehow, the new user namespace resets capabilities; | 1270 | // somehow, the new user namespace resets capabilities; |
1271 | // we need to do them again | 1271 | // we need to do them again |
diff --git a/src/firejail/util.c b/src/firejail/util.c index 846c27321..bafcd69ec 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c | |||
@@ -1101,7 +1101,7 @@ void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) { | |||
1101 | if (mkdir(fname, mode) == -1 || | 1101 | if (mkdir(fname, mode) == -1 || |
1102 | chmod(fname, mode) == -1 || | 1102 | chmod(fname, mode) == -1 || |
1103 | chown(fname, uid, gid)) { | 1103 | chown(fname, uid, gid)) { |
1104 | fprintf(stderr, "Error: failed to create %s directory\n", fname); | 1104 | fprintf(stderr, "Error: failed to create %s directory\n", fname); |
1105 | errExit("mkdir/chmod"); | 1105 | errExit("mkdir/chmod"); |
1106 | } | 1106 | } |
1107 | 1107 | ||
diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c index ff4fdda56..77739c1f3 100644 --- a/src/firemon/procevent.c +++ b/src/firemon/procevent.c | |||
@@ -309,7 +309,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my | |||
309 | #endif | 309 | #endif |
310 | if (proc_ev->event_data.fork.child_pid != | 310 | if (proc_ev->event_data.fork.child_pid != |
311 | proc_ev->event_data.fork.child_tgid) | 311 | proc_ev->event_data.fork.child_tgid) |
312 | continue; // this is a thread, not a process | 312 | continue; // this is a thread, not a process |
313 | pid = proc_ev->event_data.fork.parent_tgid; | 313 | pid = proc_ev->event_data.fork.parent_tgid; |
314 | #ifdef DEBUG_PRCTL | 314 | #ifdef DEBUG_PRCTL |
315 | printf("%s: %d, event fork, pid %d\n", __FUNCTION__, __LINE__, pid); | 315 | printf("%s: %d, event fork, pid %d\n", __FUNCTION__, __LINE__, pid); |
diff --git a/src/firemon/top.c b/src/firemon/top.c index c127e2f56..c70bc9424 100644 --- a/src/firemon/top.c +++ b/src/firemon/top.c | |||
@@ -166,7 +166,8 @@ static char *print_top(unsigned index, unsigned parent, unsigned *utime, unsigne | |||
166 | snprintf(prcs_str, 10, "%d", *cnt); | 166 | snprintf(prcs_str, 10, "%d", *cnt); |
167 | 167 | ||
168 | if (asprintf(&rv, "%-7.7s %-9.9s %-8.8s %-8.8s %-5.5s %-4.4s %-9.9s %s", | 168 | if (asprintf(&rv, "%-7.7s %-9.9s %-8.8s %-8.8s %-5.5s %-4.4s %-9.9s %s", |
169 | pidstr, ptruser, rss, shared, cpu_str, prcs_str, uptime_str, ptrcmd) == -1) | 169 | pidstr, ptruser, rss, shared, cpu_str, prcs_str, |
170 | uptime_str, ptrcmd) == -1) | ||
170 | errExit("asprintf"); | 171 | errExit("asprintf"); |
171 | 172 | ||
172 | if (cmd) | 173 | if (cmd) |
diff --git a/src/fnet/interface.c b/src/fnet/interface.c index aa0981269..873252d40 100644 --- a/src/fnet/interface.c +++ b/src/fnet/interface.c | |||
@@ -57,7 +57,7 @@ void net_bridge_add_interface(const char *bridge, const char *dev) { | |||
57 | 57 | ||
58 | int sock; | 58 | int sock; |
59 | if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) | 59 | if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) |
60 | errExit("socket"); | 60 | errExit("socket"); |
61 | 61 | ||
62 | memset(&ifr, 0, sizeof(ifr)); | 62 | memset(&ifr, 0, sizeof(ifr)); |
63 | strncpy(ifr.ifr_name, bridge, IFNAMSIZ - 1); | 63 | strncpy(ifr.ifr_name, bridge, IFNAMSIZ - 1); |
@@ -237,7 +237,7 @@ int net_get_mac(const char *ifname, unsigned char mac[6]) { | |||
237 | int sock; | 237 | int sock; |
238 | 238 | ||
239 | if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) | 239 | if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) |
240 | errExit("socket"); | 240 | errExit("socket"); |
241 | 241 | ||
242 | memset(&ifr, 0, sizeof(ifr)); | 242 | memset(&ifr, 0, sizeof(ifr)); |
243 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); | 243 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); |
@@ -291,7 +291,7 @@ int net_if_mac(const char *ifname, const unsigned char mac[6]) { | |||
291 | int sock; | 291 | int sock; |
292 | 292 | ||
293 | if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) | 293 | if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) |
294 | errExit("socket"); | 294 | errExit("socket"); |
295 | 295 | ||
296 | memset(&ifr, 0, sizeof(ifr)); | 296 | memset(&ifr, 0, sizeof(ifr)); |
297 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); | 297 | strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); |
diff --git a/src/fnettrace-dns/main.c b/src/fnettrace-dns/main.c index 60738147d..64feec5fe 100644 --- a/src/fnettrace-dns/main.c +++ b/src/fnettrace-dns/main.c | |||
@@ -124,7 +124,7 @@ static void print_date(void) { | |||
124 | 124 | ||
125 | static void run_trace(void) { | 125 | static void run_trace(void) { |
126 | // grab all Ethernet packets and use a custom BPF filter to get only UDP from source port 53 | 126 | // grab all Ethernet packets and use a custom BPF filter to get only UDP from source port 53 |
127 | int s = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); | 127 | int s = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); |
128 | if (s < 0) | 128 | if (s < 0) |
129 | errExit("socket"); | 129 | errExit("socket"); |
130 | custom_bpf(s); | 130 | custom_bpf(s); |
diff --git a/src/fseccomp/namespaces.c b/src/fseccomp/namespaces.c index ffc1dfe4c..e6c63219f 100644 --- a/src/fseccomp/namespaces.c +++ b/src/fseccomp/namespaces.c | |||
@@ -202,8 +202,8 @@ void deny_ns_32(const char *fname, const char *list) { | |||
202 | // 0003: 20 00 00 00000000 ld data.syscall-number | 202 | // 0003: 20 00 00 00000000 ld data.syscall-number |
203 | // 0004: 06 00 00 7fff0000 ret ALLOW | 203 | // 0004: 06 00 00 7fff0000 ret ALLOW |
204 | // | 204 | // |
205 | if (sizeof(filter)) | 205 | if (sizeof(filter)) |
206 | write_to_file(fd, filter, sizeof(filter)); | 206 | write_to_file(fd, filter, sizeof(filter)); |
207 | 207 | ||
208 | filter_end_blacklist(fd); | 208 | filter_end_blacklist(fd); |
209 | 209 | ||
diff --git a/src/jailcheck/noexec.c b/src/jailcheck/noexec.c index a78272591..bfeff9c7f 100644 --- a/src/jailcheck/noexec.c +++ b/src/jailcheck/noexec.c | |||
@@ -76,7 +76,7 @@ void noexec_test(const char *path) { | |||
76 | 76 | ||
77 | if (child == 0) { // child | 77 | if (child == 0) { // child |
78 | // drop privileges | 78 | // drop privileges |
79 | if (setgid(user_gid) != 0) | 79 | if (setgid(user_gid) != 0) |
80 | errExit("setgid"); | 80 | errExit("setgid"); |
81 | if (setuid(user_uid) != 0) | 81 | if (setuid(user_uid) != 0) |
82 | errExit("setuid"); | 82 | errExit("setuid"); |
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c index 97e36e5c9..231e09882 100644 --- a/src/libtrace/libtrace.c +++ b/src/libtrace/libtrace.c | |||
@@ -515,7 +515,7 @@ int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) { | |||
515 | if (!orig_connect) | 515 | if (!orig_connect) |
516 | orig_connect = (orig_connect_t)dlsym(RTLD_NEXT, "connect"); | 516 | orig_connect = (orig_connect_t)dlsym(RTLD_NEXT, "connect"); |
517 | 517 | ||
518 | int rv = orig_connect(sockfd, addr, addrlen); | 518 | int rv = orig_connect(sockfd, addr, addrlen); |
519 | print_sockaddr(sockfd, "connect", addr, rv); | 519 | print_sockaddr(sockfd, "connect", addr, rv); |
520 | 520 | ||
521 | return rv; | 521 | return rv; |
diff --git a/src/profstats/main.c b/src/profstats/main.c index 90a5f405d..491cec736 100644 --- a/src/profstats/main.c +++ b/src/profstats/main.c | |||
@@ -166,7 +166,7 @@ static void process_file(char *fname) { | |||
166 | else if (strncmp(ptr, "include whitelist-var-common.inc", 32) == 0) | 166 | else if (strncmp(ptr, "include whitelist-var-common.inc", 32) == 0) |
167 | cnt_whitelistvar++; | 167 | cnt_whitelistvar++; |
168 | else if (strncmp(ptr, "include whitelist-runuser-common.inc", 36) == 0 || | 168 | else if (strncmp(ptr, "include whitelist-runuser-common.inc", 36) == 0 || |
169 | strncmp(ptr, "blacklist ${RUNUSER}", 20) == 0) | 169 | strncmp(ptr, "blacklist ${RUNUSER}", 20) == 0) |
170 | cnt_whitelistrunuser++; | 170 | cnt_whitelistrunuser++; |
171 | else if (strncmp(ptr, "include whitelist-common.inc", 28) == 0) | 171 | else if (strncmp(ptr, "include whitelist-common.inc", 28) == 0) |
172 | cnt_whitelisthome++; | 172 | cnt_whitelisthome++; |
@@ -283,10 +283,10 @@ int main(int argc, char **argv) { | |||
283 | arg_dbus_user_none = 1; | 283 | arg_dbus_user_none = 1; |
284 | else if (*argv[i] == '-') { | 284 | else if (*argv[i] == '-') { |
285 | fprintf(stderr, "Error: invalid option %s\n", argv[i]); | 285 | fprintf(stderr, "Error: invalid option %s\n", argv[i]); |
286 | return 1; | 286 | return 1; |
287 | } | 287 | } |
288 | else | 288 | else |
289 | break; | 289 | break; |
290 | } | 290 | } |
291 | 291 | ||
292 | start = i; | 292 | start = i; |