diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/bandwidth.c | 14 | ||||
-rw-r--r-- | src/firejail/cgroup.c | 17 | ||||
-rw-r--r-- | src/firejail/env.c | 3 | ||||
-rw-r--r-- | src/firejail/fs.c | 22 | ||||
-rw-r--r-- | src/firejail/fs_home.c | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 1 | ||||
-rw-r--r-- | src/firejail/no_sandbox.c | 1 |
7 files changed, 37 insertions, 22 deletions
diff --git a/src/firejail/bandwidth.c b/src/firejail/bandwidth.c index 4010de4b3..d949c1965 100644 --- a/src/firejail/bandwidth.c +++ b/src/firejail/bandwidth.c | |||
@@ -260,15 +260,19 @@ void shm_write_bandwidth_file(pid_t pid) { | |||
260 | if (fp) { | 260 | if (fp) { |
261 | IFBW *ptr = ifbw; | 261 | IFBW *ptr = ifbw; |
262 | while (ptr) { | 262 | while (ptr) { |
263 | fprintf(fp, "%s\n", ptr->txt); | 263 | if (fprintf(fp, "%s\n", ptr->txt) < 0) |
264 | goto errout; | ||
264 | ptr = ptr->next; | 265 | ptr = ptr->next; |
265 | } | 266 | } |
266 | fclose(fp); | 267 | fclose(fp); |
267 | } | 268 | } |
268 | else { | 269 | else |
269 | fprintf(stderr, "Error: cannot write bandwidht file %s\n", fname); | 270 | goto errout; |
270 | exit(1); | 271 | return; |
271 | } | 272 | |
273 | errout: | ||
274 | fprintf(stderr, "Error: cannot write bandwidht file %s\n", fname); | ||
275 | exit(1); | ||
272 | } | 276 | } |
273 | 277 | ||
274 | //*********************************** | 278 | //*********************************** |
diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c index 2649d5505..4d64d3fd8 100644 --- a/src/firejail/cgroup.c +++ b/src/firejail/cgroup.c | |||
@@ -34,17 +34,22 @@ void save_cgroup(void) { | |||
34 | if (fp) { | 34 | if (fp) { |
35 | fprintf(fp, "%s", cfg.cgroup); | 35 | fprintf(fp, "%s", cfg.cgroup); |
36 | fflush(0); | 36 | fflush(0); |
37 | fclose(fp); | 37 | if (fclose(fp)) |
38 | goto errout; | ||
38 | if (chown(fname, 0, 0) < 0) | 39 | if (chown(fname, 0, 0) < 0) |
39 | errExit("chown"); | 40 | errExit("chown"); |
40 | } | 41 | } |
41 | else { | 42 | else |
42 | fprintf(stderr, "Error: cannot save cgroup\n"); | 43 | goto errout; |
43 | free(fname); | ||
44 | exit(1); | ||
45 | } | ||
46 | 44 | ||
47 | free(fname); | 45 | free(fname); |
46 | return; | ||
47 | |||
48 | errout: | ||
49 | fprintf(stderr, "Error: cannot save cgroup\n"); | ||
50 | free(fname); | ||
51 | exit(1); | ||
52 | |||
48 | } | 53 | } |
49 | 54 | ||
50 | void load_cgroup(const char *fname) { | 55 | void load_cgroup(const char *fname) { |
diff --git a/src/firejail/env.c b/src/firejail/env.c index b4557e56f..b4f56a9f0 100644 --- a/src/firejail/env.c +++ b/src/firejail/env.c | |||
@@ -72,7 +72,8 @@ void env_apply(void) { | |||
72 | Env *env = envlist; | 72 | Env *env = envlist; |
73 | 73 | ||
74 | while (env) { | 74 | while (env) { |
75 | setenv(env->name, env->value, 1); | 75 | if (setenv(env->name, env->value, 1) < 0) |
76 | errExit("setenv"); | ||
76 | env = env->next; | 77 | env = env->next; |
77 | } | 78 | } |
78 | } | 79 | } |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index e7388a539..755cb9f6e 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -345,18 +345,20 @@ void fs_blacklist(void) { | |||
345 | 345 | ||
346 | // expand path macro - look for the file in /bin, /usr/bin, /sbin and /usr/sbin directories | 346 | // expand path macro - look for the file in /bin, /usr/bin, /sbin and /usr/sbin directories |
347 | // TODO: should we look for more bin paths? | 347 | // TODO: should we look for more bin paths? |
348 | if (strncmp(ptr, "${PATH}", 7) == 0) { | 348 | if (ptr) { |
349 | char *fname = ptr + 7; | 349 | if (strncmp(ptr, "${PATH}", 7) == 0) { |
350 | size_t fname_len = strlen(fname); | 350 | char *fname = ptr + 7; |
351 | char **path, *paths[] = {"/bin", "/sbin", "/usr/bin", "/usr/sbin", NULL}; | 351 | size_t fname_len = strlen(fname); |
352 | for (path = &paths[0]; *path; path++) { | 352 | char **path, *paths[] = {"/bin", "/sbin", "/usr/bin", "/usr/sbin", NULL}; |
353 | char newname[strlen(*path) + fname_len + 1]; | 353 | for (path = &paths[0]; *path; path++) { |
354 | sprintf(newname, "%s%s", *path, fname); | 354 | char newname[strlen(*path) + fname_len + 1]; |
355 | globbing(op, newname, (const char**)noblacklist, noblacklist_c, emptydir, emptyfile); | 355 | sprintf(newname, "%s%s", *path, fname); |
356 | globbing(op, newname, (const char**)noblacklist, noblacklist_c, emptydir, emptyfile); | ||
357 | } | ||
356 | } | 358 | } |
359 | else | ||
360 | globbing(op, ptr, (const char**)noblacklist, noblacklist_c, emptydir, emptyfile); | ||
357 | } | 361 | } |
358 | else | ||
359 | globbing(op, ptr, (const char**)noblacklist, noblacklist_c, emptydir, emptyfile); | ||
360 | 362 | ||
361 | if (new_name) | 363 | if (new_name) |
362 | free(new_name); | 364 | free(new_name); |
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 714417867..2df48ffbb 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -377,6 +377,7 @@ static void duplicate(char *name) { | |||
377 | if (system(cmd)) | 377 | if (system(cmd)) |
378 | errExit("system cp -a --parents"); | 378 | errExit("system cp -a --parents"); |
379 | free(cmd); | 379 | free(cmd); |
380 | free(fname); | ||
380 | } | 381 | } |
381 | 382 | ||
382 | 383 | ||
diff --git a/src/firejail/main.c b/src/firejail/main.c index 60c2a7cec..82d17264a 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -612,6 +612,7 @@ int main(int argc, char **argv) { | |||
612 | errExit("asprintf"); | 612 | errExit("asprintf"); |
613 | struct stat s; | 613 | struct stat s; |
614 | if (stat(dirname, &s) == -1) { | 614 | if (stat(dirname, &s) == -1) { |
615 | /* coverity[toctou] */ | ||
615 | if (mkdir(dirname, S_IRWXU | S_IRWXG | S_IRWXO)) | 616 | if (mkdir(dirname, S_IRWXU | S_IRWXG | S_IRWXO)) |
616 | errExit("mkdir"); | 617 | errExit("mkdir"); |
617 | if (chown(dirname, getuid(), getgid()) < 0) | 618 | if (chown(dirname, getuid(), getgid()) < 0) |
diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 04666a69f..6322b81fa 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c | |||
@@ -52,6 +52,7 @@ int check_kernel_procs(void) { | |||
52 | } | 52 | } |
53 | 53 | ||
54 | // open file | 54 | // open file |
55 | /* coverity[toctou] */ | ||
55 | FILE *fp = fopen(fname, "r"); | 56 | FILE *fp = fopen(fname, "r"); |
56 | if (!fp) { | 57 | if (!fp) { |
57 | fprintf(stderr, "Warning: cannot open %s\n", fname); | 58 | fprintf(stderr, "Warning: cannot open %s\n", fname); |