diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/fs_dev.c | 4 | ||||
-rw-r--r-- | src/firejail/fs_home.c | 10 | ||||
-rw-r--r-- | src/firejail/sbox.c | 18 | ||||
-rw-r--r-- | src/libtrace/libtrace.c | 30 |
4 files changed, 31 insertions, 31 deletions
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index bd036908a..d807f527d 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c | |||
@@ -137,8 +137,8 @@ static void deventry_mount(void) { | |||
137 | } | 137 | } |
138 | 138 | ||
139 | static void create_char_dev(const char *path, mode_t mode, int major, int minor) { | 139 | static void create_char_dev(const char *path, mode_t mode, int major, int minor) { |
140 | dev_t dev = makedev(major, minor); | 140 | dev_t device = makedev(major, minor); |
141 | if (mknod(path, S_IFCHR | mode, dev) == -1) | 141 | if (mknod(path, S_IFCHR | mode, device) == -1) |
142 | goto errexit; | 142 | goto errexit; |
143 | if (chmod(path, mode) < 0) | 143 | if (chmod(path, mode) < 0) |
144 | goto errexit; | 144 | goto errexit; |
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 69ad5e2c8..01a807883 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -482,14 +482,14 @@ static void duplicate(char *name) { | |||
482 | } | 482 | } |
483 | else if (S_ISDIR(s.st_mode)) { | 483 | else if (S_ISDIR(s.st_mode)) { |
484 | // create the directory in RUN_HOME_DIR | 484 | // create the directory in RUN_HOME_DIR |
485 | char *name; | 485 | char *path; |
486 | char *ptr = strrchr(fname, '/'); | 486 | char *ptr = strrchr(fname, '/'); |
487 | ptr++; | 487 | ptr++; |
488 | if (asprintf(&name, "%s/%s", RUN_HOME_DIR, ptr) == -1) | 488 | if (asprintf(&path, "%s/%s", RUN_HOME_DIR, ptr) == -1) |
489 | errExit("asprintf"); | 489 | errExit("asprintf"); |
490 | mkdir_attr(name, 0755, getuid(), getgid()); | 490 | mkdir_attr(path, 0755, getuid(), getgid()); |
491 | sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FCOPY, fname, name); | 491 | sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FCOPY, fname, path); |
492 | free(name); | 492 | free(path); |
493 | } | 493 | } |
494 | else | 494 | else |
495 | sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FCOPY, fname, RUN_HOME_DIR); | 495 | sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FCOPY, fname, RUN_HOME_DIR); |
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c index f387d25fa..a41e32569 100644 --- a/src/firejail/sbox.c +++ b/src/firejail/sbox.c | |||
@@ -104,7 +104,7 @@ static struct sock_fprog prog = { | |||
104 | .filter = filter, | 104 | .filter = filter, |
105 | }; | 105 | }; |
106 | 106 | ||
107 | int sbox_run(unsigned filter, int num, ...) { | 107 | int sbox_run(unsigned filtermask, int num, ...) { |
108 | EUID_ROOT(); | 108 | EUID_ROOT(); |
109 | 109 | ||
110 | int i; | 110 | int i; |
@@ -148,7 +148,7 @@ int sbox_run(unsigned filter, int num, ...) { | |||
148 | if (arg_debug) // --debug is passed as an environment variable | 148 | if (arg_debug) // --debug is passed as an environment variable |
149 | setenv("FIREJAIL_DEBUG", "yes", 1); | 149 | setenv("FIREJAIL_DEBUG", "yes", 1); |
150 | 150 | ||
151 | if (filter & SBOX_STDIN_FROM_FILE) { | 151 | if (filtermask & SBOX_STDIN_FROM_FILE) { |
152 | int fd; | 152 | int fd; |
153 | if((fd = open(SBOX_STDIN_FILE, O_RDONLY)) == -1) { | 153 | if((fd = open(SBOX_STDIN_FILE, O_RDONLY)) == -1) { |
154 | fprintf(stderr,"Error: cannot open %s\n", SBOX_STDIN_FILE); | 154 | fprintf(stderr,"Error: cannot open %s\n", SBOX_STDIN_FILE); |
@@ -157,7 +157,7 @@ int sbox_run(unsigned filter, int num, ...) { | |||
157 | dup2(fd,STDIN_FILENO); | 157 | dup2(fd,STDIN_FILENO); |
158 | close(fd); | 158 | close(fd); |
159 | } | 159 | } |
160 | else if ((filter & SBOX_ALLOW_STDIN) == 0) { | 160 | else if ((filtermask & SBOX_ALLOW_STDIN) == 0) { |
161 | int fd = open("/dev/null",O_RDWR, 0); | 161 | int fd = open("/dev/null",O_RDWR, 0); |
162 | if (fd != -1) { | 162 | if (fd != -1) { |
163 | dup2(fd, STDIN_FILENO); | 163 | dup2(fd, STDIN_FILENO); |
@@ -175,17 +175,17 @@ int sbox_run(unsigned filter, int num, ...) { | |||
175 | umask(027); | 175 | umask(027); |
176 | 176 | ||
177 | // apply filters | 177 | // apply filters |
178 | if (filter & SBOX_CAPS_NONE) { | 178 | if (filtermask & SBOX_CAPS_NONE) { |
179 | caps_drop_all(); | 179 | caps_drop_all(); |
180 | } | 180 | } |
181 | else if (filter & SBOX_CAPS_NETWORK) { | 181 | else if (filtermask & SBOX_CAPS_NETWORK) { |
182 | #ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files | 182 | #ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files |
183 | uint64_t set = ((uint64_t) 1) << CAP_NET_ADMIN; | 183 | uint64_t set = ((uint64_t) 1) << CAP_NET_ADMIN; |
184 | set |= ((uint64_t) 1) << CAP_NET_RAW; | 184 | set |= ((uint64_t) 1) << CAP_NET_RAW; |
185 | caps_set(set); | 185 | caps_set(set); |
186 | #endif | 186 | #endif |
187 | } | 187 | } |
188 | else if (filter & SBOX_CAPS_HIDEPID) { | 188 | else if (filtermask & SBOX_CAPS_HIDEPID) { |
189 | #ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files | 189 | #ifndef HAVE_GCOV // the following filter will prevent GCOV from saving info in .gcda files |
190 | uint64_t set = ((uint64_t) 1) << CAP_SYS_PTRACE; | 190 | uint64_t set = ((uint64_t) 1) << CAP_SYS_PTRACE; |
191 | set |= ((uint64_t) 1) << CAP_SYS_PACCT; | 191 | set |= ((uint64_t) 1) << CAP_SYS_PACCT; |
@@ -193,7 +193,7 @@ int sbox_run(unsigned filter, int num, ...) { | |||
193 | #endif | 193 | #endif |
194 | } | 194 | } |
195 | 195 | ||
196 | if (filter & SBOX_SECCOMP) { | 196 | if (filtermask & SBOX_SECCOMP) { |
197 | if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { | 197 | if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { |
198 | perror("prctl(NO_NEW_PRIVS)"); | 198 | perror("prctl(NO_NEW_PRIVS)"); |
199 | } | 199 | } |
@@ -202,14 +202,14 @@ int sbox_run(unsigned filter, int num, ...) { | |||
202 | } | 202 | } |
203 | } | 203 | } |
204 | 204 | ||
205 | if (filter & SBOX_ROOT) { | 205 | if (filtermask & SBOX_ROOT) { |
206 | // elevate privileges in order to get grsecurity working | 206 | // elevate privileges in order to get grsecurity working |
207 | if (setreuid(0, 0)) | 207 | if (setreuid(0, 0)) |
208 | errExit("setreuid"); | 208 | errExit("setreuid"); |
209 | if (setregid(0, 0)) | 209 | if (setregid(0, 0)) |
210 | errExit("setregid"); | 210 | errExit("setregid"); |
211 | } | 211 | } |
212 | else if (filter & SBOX_USER) | 212 | else if (filtermask & SBOX_USER) |
213 | drop_privs(1); | 213 | drop_privs(1); |
214 | 214 | ||
215 | if (arg[0]) // get rid of scan-build warning | 215 | if (arg[0]) // get rid of scan-build warning |
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c index 1cab1ed3c..60fdb5470 100644 --- a/src/libtrace/libtrace.c +++ b/src/libtrace/libtrace.c | |||
@@ -402,50 +402,50 @@ int rmdir(const char *pathname) { | |||
402 | } | 402 | } |
403 | 403 | ||
404 | // stat | 404 | // stat |
405 | typedef int (*orig_stat_t)(const char *pathname, struct stat *buf); | 405 | typedef int (*orig_stat_t)(const char *pathname, struct stat *statbuf); |
406 | static orig_stat_t orig_stat = NULL; | 406 | static orig_stat_t orig_stat = NULL; |
407 | int stat(const char *pathname, struct stat *buf) { | 407 | int stat(const char *pathname, struct stat *statbuf) { |
408 | if (!orig_stat) | 408 | if (!orig_stat) |
409 | orig_stat = (orig_stat_t)dlsym(RTLD_NEXT, "stat"); | 409 | orig_stat = (orig_stat_t)dlsym(RTLD_NEXT, "stat"); |
410 | 410 | ||
411 | int rv = orig_stat(pathname, buf); | 411 | int rv = orig_stat(pathname, statbuf); |
412 | fprintf(ftty, "%u:%s:stat %s:%d\n", mypid, myname, pathname, rv); | 412 | fprintf(ftty, "%u:%s:stat %s:%d\n", mypid, myname, pathname, rv); |
413 | return rv; | 413 | return rv; |
414 | } | 414 | } |
415 | 415 | ||
416 | #ifdef __GLIBC__ | 416 | #ifdef __GLIBC__ |
417 | typedef int (*orig_stat64_t)(const char *pathname, struct stat64 *buf); | 417 | typedef int (*orig_stat64_t)(const char *pathname, struct stat64 *statbuf); |
418 | static orig_stat64_t orig_stat64 = NULL; | 418 | static orig_stat64_t orig_stat64 = NULL; |
419 | int stat64(const char *pathname, struct stat64 *buf) { | 419 | int stat64(const char *pathname, struct stat64 *statbuf) { |
420 | if (!orig_stat64) | 420 | if (!orig_stat64) |
421 | orig_stat64 = (orig_stat64_t)dlsym(RTLD_NEXT, "stat64"); | 421 | orig_stat64 = (orig_stat64_t)dlsym(RTLD_NEXT, "stat64"); |
422 | 422 | ||
423 | int rv = orig_stat64(pathname, buf); | 423 | int rv = orig_stat64(pathname, statbuf); |
424 | fprintf(ftty, "%u:%s:stat64 %s:%d\n", mypid, myname, pathname, rv); | 424 | fprintf(ftty, "%u:%s:stat64 %s:%d\n", mypid, myname, pathname, rv); |
425 | return rv; | 425 | return rv; |
426 | } | 426 | } |
427 | #endif /* __GLIBC__ */ | 427 | #endif /* __GLIBC__ */ |
428 | 428 | ||
429 | // lstat | 429 | // lstat |
430 | typedef int (*orig_lstat_t)(const char *pathname, struct stat *buf); | 430 | typedef int (*orig_lstat_t)(const char *pathname, struct stat *statbuf); |
431 | static orig_lstat_t orig_lstat = NULL; | 431 | static orig_lstat_t orig_lstat = NULL; |
432 | int lstat(const char *pathname, struct stat *buf) { | 432 | int lstat(const char *pathname, struct stat *statbuf) { |
433 | if (!orig_lstat) | 433 | if (!orig_lstat) |
434 | orig_lstat = (orig_lstat_t)dlsym(RTLD_NEXT, "lstat"); | 434 | orig_lstat = (orig_lstat_t)dlsym(RTLD_NEXT, "lstat"); |
435 | 435 | ||
436 | int rv = orig_lstat(pathname, buf); | 436 | int rv = orig_lstat(pathname, statbuf); |
437 | fprintf(ftty, "%u:%s:lstat %s:%d\n", mypid, myname, pathname, rv); | 437 | fprintf(ftty, "%u:%s:lstat %s:%d\n", mypid, myname, pathname, rv); |
438 | return rv; | 438 | return rv; |
439 | } | 439 | } |
440 | 440 | ||
441 | #ifdef __GLIBC__ | 441 | #ifdef __GLIBC__ |
442 | typedef int (*orig_lstat64_t)(const char *pathname, struct stat64 *buf); | 442 | typedef int (*orig_lstat64_t)(const char *pathname, struct stat64 *statbuf); |
443 | static orig_lstat64_t orig_lstat64 = NULL; | 443 | static orig_lstat64_t orig_lstat64 = NULL; |
444 | int lstat64(const char *pathname, struct stat64 *buf) { | 444 | int lstat64(const char *pathname, struct stat64 *statbuf) { |
445 | if (!orig_lstat64) | 445 | if (!orig_lstat64) |
446 | orig_lstat64 = (orig_lstat64_t)dlsym(RTLD_NEXT, "lstat64"); | 446 | orig_lstat64 = (orig_lstat64_t)dlsym(RTLD_NEXT, "lstat64"); |
447 | 447 | ||
448 | int rv = orig_lstat64(pathname, buf); | 448 | int rv = orig_lstat64(pathname, statbuf); |
449 | fprintf(ftty, "%u:%s:lstat64 %s:%d\n", mypid, myname, pathname, rv); | 449 | fprintf(ftty, "%u:%s:lstat64 %s:%d\n", mypid, myname, pathname, rv); |
450 | return rv; | 450 | return rv; |
451 | } | 451 | } |
@@ -492,13 +492,13 @@ int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) { | |||
492 | // socket | 492 | // socket |
493 | typedef int (*orig_socket_t)(int domain, int type, int protocol); | 493 | typedef int (*orig_socket_t)(int domain, int type, int protocol); |
494 | static orig_socket_t orig_socket = NULL; | 494 | static orig_socket_t orig_socket = NULL; |
495 | static char buf[1024]; | 495 | static char socketbuf[1024]; |
496 | int socket(int domain, int type, int protocol) { | 496 | int socket(int domain, int type, int protocol) { |
497 | if (!orig_socket) | 497 | if (!orig_socket) |
498 | orig_socket = (orig_socket_t)dlsym(RTLD_NEXT, "socket"); | 498 | orig_socket = (orig_socket_t)dlsym(RTLD_NEXT, "socket"); |
499 | 499 | ||
500 | int rv = orig_socket(domain, type, protocol); | 500 | int rv = orig_socket(domain, type, protocol); |
501 | char *ptr = buf; | 501 | char *ptr = socketbuf; |
502 | ptr += sprintf(ptr, "%u:%s:socket ", mypid, myname); | 502 | ptr += sprintf(ptr, "%u:%s:socket ", mypid, myname); |
503 | char *str = translate(socket_domain, domain); | 503 | char *str = translate(socket_domain, domain); |
504 | if (str == NULL) | 504 | if (str == NULL) |
@@ -529,7 +529,7 @@ int socket(int domain, int type, int protocol) { | |||
529 | sprintf(ptr, "%s", str); | 529 | sprintf(ptr, "%s", str); |
530 | } | 530 | } |
531 | 531 | ||
532 | fprintf(ftty, "%s:%d\n", buf, rv); | 532 | fprintf(ftty, "%s:%d\n", socketbuf, rv); |
533 | return rv; | 533 | return rv; |
534 | } | 534 | } |
535 | 535 | ||