diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/Makefile.in | 3 | ||||
-rw-r--r-- | src/firejail/checkcfg.c | 8 | ||||
-rw-r--r-- | src/firejail/fs.c | 3 | ||||
-rw-r--r-- | src/firejail/main.c | 4 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 2 | ||||
-rw-r--r-- | src/firejail/x11.c | 22 | ||||
-rw-r--r-- | src/lib/common.c | 2 |
7 files changed, 31 insertions, 13 deletions
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in index 15253b5ab..f56137308 100644 --- a/src/firejail/Makefile.in +++ b/src/firejail/Makefile.in | |||
@@ -19,13 +19,14 @@ HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@ | |||
19 | HAVE_WHITELIST=@HAVE_WHITELIST@ | 19 | HAVE_WHITELIST=@HAVE_WHITELIST@ |
20 | HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ | 20 | HAVE_GLOBALCFG=@HAVE_GLOBALCFG@ |
21 | HAVE_APPARMOR=@HAVE_APPARMOR@ | 21 | HAVE_APPARMOR=@HAVE_APPARMOR@ |
22 | HAVE_OVERLAYFS=@HAVE_OVERLAYFS@ | ||
22 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | 23 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ |
23 | 24 | ||
24 | H_FILE_LIST = $(sort $(wildcard *.[h])) | 25 | H_FILE_LIST = $(sort $(wildcard *.[h])) |
25 | C_FILE_LIST = $(sort $(wildcard *.c)) | 26 | C_FILE_LIST = $(sort $(wildcard *.c)) |
26 | OBJS = $(C_FILE_LIST:.c=.o) | 27 | OBJS = $(C_FILE_LIST:.c=.o) |
27 | BINOBJS = $(foreach file, $(OBJS), $file) | 28 | BINOBJS = $(foreach file, $(OBJS), $file) |
28 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_APPARMOR) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security | 29 | CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security |
29 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread | 30 | LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread |
30 | 31 | ||
31 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h | 32 | %.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h |
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 019b54773..f5ea7439b 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c | |||
@@ -272,6 +272,14 @@ void print_compiletime_support(void) { | |||
272 | #endif | 272 | #endif |
273 | ); | 273 | ); |
274 | 274 | ||
275 | printf("\t- overlayfs support is %s\n", | ||
276 | #ifdef HAVE_OVERLAYFS | ||
277 | "enabled" | ||
278 | #else | ||
279 | "disabled" | ||
280 | #endif | ||
281 | ); | ||
282 | |||
275 | printf("\t- file and directory whitelisting support is %s\n", | 283 | printf("\t- file and directory whitelisting support is %s\n", |
276 | #ifdef HAVE_WHITELIST | 284 | #ifdef HAVE_WHITELIST |
277 | "enabled" | 285 | "enabled" |
diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 63ffa8bff..ddb25c2dd 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c | |||
@@ -815,6 +815,7 @@ void fs_basic_fs(void) { | |||
815 | 815 | ||
816 | 816 | ||
817 | 817 | ||
818 | #ifdef HAVE_OVERLAYFS | ||
818 | char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) { | 819 | char *fs_check_overlay_dir(const char *subdirname, int allow_reuse) { |
819 | // create ~/.firejail directory | 820 | // create ~/.firejail directory |
820 | struct stat s; | 821 | struct stat s; |
@@ -1121,7 +1122,7 @@ void fs_overlayfs(void) { | |||
1121 | free(oroot); | 1122 | free(oroot); |
1122 | free(odiff); | 1123 | free(odiff); |
1123 | } | 1124 | } |
1124 | 1125 | #endif | |
1125 | 1126 | ||
1126 | 1127 | ||
1127 | #ifdef HAVE_CHROOT | 1128 | #ifdef HAVE_CHROOT |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 8e18ec724..c366390cc 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -264,6 +264,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
264 | printf("\n"); | 264 | printf("\n"); |
265 | exit(0); | 265 | exit(0); |
266 | } | 266 | } |
267 | #ifdef HAVE_OVERLAYFS | ||
267 | else if (strcmp(argv[i], "--overlay-clean") == 0) { | 268 | else if (strcmp(argv[i], "--overlay-clean") == 0) { |
268 | char *path; | 269 | char *path; |
269 | if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1) | 270 | if (asprintf(&path, "%s/.firejail", cfg.homedir) == -1) |
@@ -281,6 +282,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { | |||
281 | } | 282 | } |
282 | exit(0); | 283 | exit(0); |
283 | } | 284 | } |
285 | #endif | ||
284 | #ifdef HAVE_X11 | 286 | #ifdef HAVE_X11 |
285 | else if (strcmp(argv[i], "--x11") == 0) { | 287 | else if (strcmp(argv[i], "--x11") == 0) { |
286 | if (checkcfg(CFG_X11)) { | 288 | if (checkcfg(CFG_X11)) { |
@@ -1279,6 +1281,7 @@ int main(int argc, char **argv) { | |||
1279 | profile_check_line(line, 0, NULL); // will exit if something wrong | 1281 | profile_check_line(line, 0, NULL); // will exit if something wrong |
1280 | profile_add(line); | 1282 | profile_add(line); |
1281 | } | 1283 | } |
1284 | #ifdef HAVE_OVERLAYFS | ||
1282 | else if (strcmp(argv[i], "--overlay") == 0) { | 1285 | else if (strcmp(argv[i], "--overlay") == 0) { |
1283 | if (cfg.chrootdir) { | 1286 | if (cfg.chrootdir) { |
1284 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); | 1287 | fprintf(stderr, "Error: --overlay and --chroot options are mutually exclusive\n"); |
@@ -1353,6 +1356,7 @@ int main(int argc, char **argv) { | |||
1353 | } | 1356 | } |
1354 | arg_overlay = 1; | 1357 | arg_overlay = 1; |
1355 | } | 1358 | } |
1359 | #endif | ||
1356 | else if (strncmp(argv[i], "--profile=", 10) == 0) { | 1360 | else if (strncmp(argv[i], "--profile=", 10) == 0) { |
1357 | if (arg_noprofile) { | 1361 | if (arg_noprofile) { |
1358 | fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n"); | 1362 | fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n"); |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index c40ff1d03..a33c81937 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -500,9 +500,11 @@ int sandbox(void* sandbox_arg) { | |||
500 | } | 500 | } |
501 | else | 501 | else |
502 | #endif | 502 | #endif |
503 | #ifdef HAVE_OVERLAYFS | ||
503 | if (arg_overlay) | 504 | if (arg_overlay) |
504 | fs_overlayfs(); | 505 | fs_overlayfs(); |
505 | else | 506 | else |
507 | #endif | ||
506 | fs_basic_fs(); | 508 | fs_basic_fs(); |
507 | 509 | ||
508 | //**************************** | 510 | //**************************** |
diff --git a/src/firejail/x11.c b/src/firejail/x11.c index ed6fa3741..3d0918b2c 100644 --- a/src/firejail/x11.c +++ b/src/firejail/x11.c | |||
@@ -26,6 +26,7 @@ | |||
26 | #include <stdlib.h> | 26 | #include <stdlib.h> |
27 | #include <dirent.h> | 27 | #include <dirent.h> |
28 | #include <sys/mount.h> | 28 | #include <sys/mount.h> |
29 | #include <sys/wait.h> | ||
29 | 30 | ||
30 | #ifdef HAVE_X11 | 31 | #ifdef HAVE_X11 |
31 | // return 1 if xpra is installed on the system | 32 | // return 1 if xpra is installed on the system |
@@ -163,7 +164,7 @@ void fs_x11(void) { | |||
163 | //$ DISPLAY=:22 firejail --net=eth0 --blacklist=/tmp/.X11-unix/x0 firefox | 164 | //$ DISPLAY=:22 firejail --net=eth0 --blacklist=/tmp/.X11-unix/x0 firefox |
164 | void x11_start_xephyr(int argc, char **argv) { | 165 | void x11_start_xephyr(int argc, char **argv) { |
165 | EUID_ASSERT(); | 166 | EUID_ASSERT(); |
166 | size_t i; | 167 | int i; |
167 | struct stat s; | 168 | struct stat s; |
168 | pid_t jail = 0; | 169 | pid_t jail = 0; |
169 | pid_t server = 0; | 170 | pid_t server = 0; |
@@ -204,12 +205,12 @@ void x11_start_xephyr(int argc, char **argv) { | |||
204 | // parse xephyr_extra_params | 205 | // parse xephyr_extra_params |
205 | // very basic quoting support | 206 | // very basic quoting support |
206 | char *temp = strdup(xephyr_extra_params); | 207 | char *temp = strdup(xephyr_extra_params); |
207 | if (xephyr_extra_params != "") { | 208 | if (*xephyr_extra_params != '\0') { |
208 | if (!temp) | 209 | if (!temp) |
209 | errExit("strdup"); | 210 | errExit("strdup"); |
210 | bool dquote = false; | 211 | bool dquote = false; |
211 | bool squote = false; | 212 | bool squote = false; |
212 | for (i = 0; i < strlen(xephyr_extra_params); i++) { | 213 | for (i = 0; i < (int) strlen(xephyr_extra_params); i++) { |
213 | if (temp[i] == '\"') { | 214 | if (temp[i] == '\"') { |
214 | dquote = !dquote; | 215 | dquote = !dquote; |
215 | if (dquote) temp[i] = '\0'; // replace closing quote by \0 | 216 | if (dquote) temp[i] = '\0'; // replace closing quote by \0 |
@@ -229,7 +230,7 @@ void x11_start_xephyr(int argc, char **argv) { | |||
229 | exit(1); | 230 | exit(1); |
230 | } | 231 | } |
231 | 232 | ||
232 | for (i = 0; i < strlen(xephyr_extra_params)-1; i++) { | 233 | for (i = 0; i < (int) strlen(xephyr_extra_params)-1; i++) { |
233 | if (pos >= (sizeof(server_argv)/sizeof(*server_argv))) { | 234 | if (pos >= (sizeof(server_argv)/sizeof(*server_argv))) { |
234 | fprintf(stderr, "Error: arg count limit exceeded while parsing xephyr_extra_params\n"); | 235 | fprintf(stderr, "Error: arg count limit exceeded while parsing xephyr_extra_params\n"); |
235 | exit(1); | 236 | exit(1); |
@@ -257,7 +258,7 @@ void x11_start_xephyr(int argc, char **argv) { | |||
257 | 258 | ||
258 | // remove --x11 arg | 259 | // remove --x11 arg |
259 | char *jail_argv[argc+2]; | 260 | char *jail_argv[argc+2]; |
260 | size_t j = 0; | 261 | int j = 0; |
261 | for (i = 0; i < argc; i++) { | 262 | for (i = 0; i < argc; i++) { |
262 | if (strcmp(argv[i], "--x11") == 0) | 263 | if (strcmp(argv[i], "--x11") == 0) |
263 | continue; | 264 | continue; |
@@ -359,7 +360,7 @@ void x11_start_xephyr(int argc, char **argv) { | |||
359 | 360 | ||
360 | void x11_start_xpra(int argc, char **argv) { | 361 | void x11_start_xpra(int argc, char **argv) { |
361 | EUID_ASSERT(); | 362 | EUID_ASSERT(); |
362 | size_t i; | 363 | int i; |
363 | struct stat s; | 364 | struct stat s; |
364 | pid_t client = 0; | 365 | pid_t client = 0; |
365 | pid_t server = 0; | 366 | pid_t server = 0; |
@@ -464,7 +465,7 @@ void x11_start_xpra(int argc, char **argv) { | |||
464 | 465 | ||
465 | // build jail command | 466 | // build jail command |
466 | char *firejail_argv[argc+2]; | 467 | char *firejail_argv[argc+2]; |
467 | unsigned pos = 0; | 468 | int pos = 0; |
468 | for (i = 0; i < argc; i++) { | 469 | for (i = 0; i < argc; i++) { |
469 | if (strcmp(argv[i], "--x11") == 0) | 470 | if (strcmp(argv[i], "--x11") == 0) |
470 | continue; | 471 | continue; |
@@ -477,7 +478,7 @@ void x11_start_xpra(int argc, char **argv) { | |||
477 | } | 478 | } |
478 | firejail_argv[pos] = NULL; | 479 | firejail_argv[pos] = NULL; |
479 | 480 | ||
480 | assert(pos < argc+2); | 481 | assert(pos < (argc+2)); |
481 | assert(!firejail_argv[pos]); | 482 | assert(!firejail_argv[pos]); |
482 | 483 | ||
483 | // start jail | 484 | // start jail |
@@ -524,12 +525,13 @@ void x11_start_xpra(int argc, char **argv) { | |||
524 | break; | 525 | break; |
525 | } | 526 | } |
526 | 527 | ||
527 | if (arg_debug) | 528 | if (arg_debug) { |
528 | if (n == 10) | 529 | if (n == 10) |
529 | printf("failed to stop xpra server gratefully\n"); | 530 | printf("failed to stop xpra server gratefully\n"); |
530 | else | 531 | else |
531 | printf("xpra server successfully stoped in %d secs\n", n); | 532 | printf("xpra server successfully stoped in %d secs\n", n); |
532 | 533 | } | |
534 | |||
533 | // kill xpra server and xpra client | 535 | // kill xpra server and xpra client |
534 | kill(client, SIGTERM); | 536 | kill(client, SIGTERM); |
535 | kill(server, SIGTERM); | 537 | kill(server, SIGTERM); |
diff --git a/src/lib/common.c b/src/lib/common.c index fe5c62536..acb6bd3b4 100644 --- a/src/lib/common.c +++ b/src/lib/common.c | |||
@@ -241,7 +241,7 @@ int pid_proc_cmdline_x11(const pid_t pid) { | |||
241 | i++; | 241 | i++; |
242 | if (i >= len) | 242 | if (i >= len) |
243 | break; | 243 | break; |
244 | char *arg = buffer + i; | 244 | char *arg = (char *)buffer + i; |
245 | 245 | ||
246 | // detect the last command line option | 246 | // detect the last command line option |
247 | if (strcmp(arg, "--") == 0) | 247 | if (strcmp(arg, "--") == 0) |