Diffstat (limited to 'src')
-rw-r--r--src/common.mk.in37
-rw-r--r--src/faudit/Makefile.in19
-rw-r--r--src/fbuilder/Makefile.in35
-rw-r--r--src/fcopy/Makefile.in35
-rw-r--r--src/firecfg/Makefile.in32
-rw-r--r--src/firecfg/firecfg.config9
-rw-r--r--src/firejail/Makefile.in37
-rw-r--r--src/firejail/checkcfg.c9
-rw-r--r--src/firejail/dbus.c63
-rw-r--r--src/firejail/firejail.h7
-rw-r--r--src/firejail/fs_dev.c20
-rw-r--r--src/firejail/main.c5
-rw-r--r--src/firejail/profile.c6
-rw-r--r--src/firejail/pulseaudio.c37
-rw-r--r--src/firejail/run_files.c30
-rw-r--r--src/firejail/sandbox.c7
-rw-r--r--src/firejail/usage.c4
-rw-r--r--src/firejail/util.c31
-rw-r--r--src/firemon/Makefile.in21
-rw-r--r--src/fldd/Makefile.in35
-rw-r--r--src/fnet/Makefile.in35
-rw-r--r--src/fnetfilter/Makefile.in35
-rw-r--r--src/fsec-optimize/Makefile.in35
-rw-r--r--src/fsec-print/Makefile.in35
-rw-r--r--src/fsec-print/print.c2
-rw-r--r--src/fseccomp/Makefile.in35
-rw-r--r--src/ftee/Makefile.in19
-rw-r--r--src/lib/Makefile.in17
-rw-r--r--src/lib/pid.c10
-rw-r--r--src/man/firejail.txt11
30 files changed, 261 insertions, 452 deletions
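diff --git a/src/common.mk.in b/src/common.mk.in
new file mode 100644
index 000000000..1d4dbe304
--- /dev/null
+++ b/src/common.mk.in
@@ -0,0 +1,37 @@
+# common definitions for all makefiles
+
+CC=@CC@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+sysconfdir=@sysconfdir@
+
+VERSION=@PACKAGE_VERSION@
+NAME=@PACKAGE_NAME@
+HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
+HAVE_SECCOMP=@HAVE_SECCOMP@
+HAVE_CHROOT=@HAVE_CHROOT@
+HAVE_BIND=@HAVE_BIND@
+HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
+HAVE_NETWORK=@HAVE_NETWORK@
+HAVE_USERNS=@HAVE_USERNS@
+HAVE_X11=@HAVE_X11@
+HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
+HAVE_WHITELIST=@HAVE_WHITELIST@
+HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
+HAVE_APPARMOR=@HAVE_APPARMOR@
+HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
+HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
+HAVE_GCOV=@HAVE_GCOV@
+HAVE_GIT_INSTALL=@HAVE_GIT_INSTALL@
+
+H_FILE_LIST = $(sort $(wildcard *.[h]))
+C_FILE_LIST = $(sort $(wildcard *.c))
+OBJS = $(C_FILE_LIST:.c=.o)
+BINOBJS = $(foreach file, $(OBJS), $file)
+
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) $(HAVE_GIT_INSTALL) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
+EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
+EXTRA_CFLAGS +=@EXTRA_CFLAGS@
+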
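Review bot: The hardening options sit in user-overridable variables (`-fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE` on the `CFLAGS +=` line, `-Wl,-z,relro -Wl,-z,now` on `LDFLAGS +=`), so a command-line assignment such as `make CFLAGS=-O0` replaces them wholesale and every binary built from this shared file silently loses them. Keeping the mandatory flags in a separate variable that the compile and link rules always pass, for example `HARDENING_CFLAGS = -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE`, or writing the appends as `override CFLAGS += ...`, makes them survive an override. Separately, `BINOBJS = $(foreach file, $(OBJS), $file)` expands `$file` as `$(f)ile` rather than the loop variable and should read `$(file)`. `-pie` is a link option and belongs only on the `LDFLAGS` line.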
diff --git a/src/faudit/Makefile.in b/src/faudit/Makefile.in
index a3b505c39..26df0fe51 100644
--- a/src/faudit/Makefile.in
+++ b/src/faudit/Makefile.in
@@ -1,25 +1,14 @@
1all: faudit 1all: faudit
2 2
3CC=@CC@ 3include ../common.mk
4PREFIX=@prefix@
5VERSION=@PACKAGE_VERSION@
6NAME=@PACKAGE_NAME@
7HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
8
9H_FILE_LIST = $(sort $(wildcard *.[h]))
10C_FILE_LIST = $(sort $(wildcard *.c))
11OBJS = $(C_FILE_LIST:.c=.o)
12BINOBJS = $(foreach file, $(OBJS), $file)
13CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(PREFIX)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
14LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
15 4
16%.o : %.c $(H_FILE_LIST) 5%.o : %.c $(H_FILE_LIST)
17 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
18 7
19faudit: $(OBJS) 8faudit: $(OBJS)
20 $(CC) $(LDFLAGS) -o $@ $(OBJS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
21 10
22clean:; rm -f *.o faudit 11clean:; rm -f *.o faudit *.gcov *.gcda *.gcno
23 12
24distclean: clean 13distclean: clean
25 rm -fr Makefile 14 rm -fr Makefile
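Review bot: The `%.o : %.c $(H_FILE_LIST)` rule does not list `../common.mk` as a prerequisite, although every compile flag and `HAVE_*` define now comes from that shared file. If it is regenerated with different feature options (presumably by configure, from `src/common.mk.in`), existing objects keep the old definitions until someone runs `make clean`. Writing the rule as `%.o : %.c $(H_FILE_LIST) ../common.mk` forces the rebuild. The same applies to the other `Makefile.in` sections in this commit (fbuilder, fcopy, firecfg, firejail, firemon, fldd, fnet). A one-line comment above `include ../common.mk` naming its template would also help readers.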
diff --git a/src/fbuilder/Makefile.in b/src/fbuilder/Makefile.in
index dd8e2ce6e..7a606c872 100644
--- a/src/fbuilder/Makefile.in
+++ b/src/fbuilder/Makefile.in
@@ -1,40 +1,9 @@
1all: fbuilder 1all: fbuilder
2 2
3CC=@CC@ 3include ../common.mk
4prefix=@prefix@
5exec_prefix=@exec_prefix@
6libdir=@libdir@
7sysconfdir=@sysconfdir@
8
9VERSION=@PACKAGE_VERSION@
10NAME=@PACKAGE_NAME@
11HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
12HAVE_SECCOMP=@HAVE_SECCOMP@
13HAVE_CHROOT=@HAVE_CHROOT@
14HAVE_BIND=@HAVE_BIND@
15HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
16HAVE_NETWORK=@HAVE_NETWORK@
17HAVE_USERNS=@HAVE_USERNS@
18HAVE_X11=@HAVE_X11@
19HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
20HAVE_WHITELIST=@HAVE_WHITELIST@
21HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
22HAVE_APPARMOR=@HAVE_APPARMOR@
23HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
24HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
25EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
26HAVE_GCOV=@HAVE_GCOV@
27EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
28
29H_FILE_LIST = $(sort $(wildcard *.[h]))
30C_FILE_LIST = $(sort $(wildcard *.c))
31OBJS = $(C_FILE_LIST:.c=.o)
32BINOBJS = $(foreach file, $(OBJS), $file)
33CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
34LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
35 4
36%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
37 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
38 7
39fbuilder: $(OBJS) 8fbuilder: $(OBJS)
40 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
diff --git a/src/fcopy/Makefile.in b/src/fcopy/Makefile.in
index ad08f543e..c9e7d87ab 100644
--- a/src/fcopy/Makefile.in
+++ b/src/fcopy/Makefile.in
@@ -1,40 +1,9 @@
1all: fcopy 1all: fcopy
2 2
3CC=@CC@ 3include ../common.mk
4prefix=@prefix@
5exec_prefix=@exec_prefix@
6libdir=@libdir@
7sysconfdir=@sysconfdir@
8
9VERSION=@PACKAGE_VERSION@
10NAME=@PACKAGE_NAME@
11HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
12HAVE_SECCOMP=@HAVE_SECCOMP@
13HAVE_CHROOT=@HAVE_CHROOT@
14HAVE_BIND=@HAVE_BIND@
15HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
16HAVE_NETWORK=@HAVE_NETWORK@
17HAVE_USERNS=@HAVE_USERNS@
18HAVE_X11=@HAVE_X11@
19HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
20HAVE_WHITELIST=@HAVE_WHITELIST@
21HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
22HAVE_APPARMOR=@HAVE_APPARMOR@
23HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
24HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
25EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
26HAVE_GCOV=@HAVE_GCOV@
27EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
28
29H_FILE_LIST = $(sort $(wildcard *.[h]))
30C_FILE_LIST = $(sort $(wildcard *.c))
31OBJS = $(C_FILE_LIST:.c=.o)
32BINOBJS = $(foreach file, $(OBJS), $file)
33CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
34LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
35 4
36%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
37 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
38 7
39fcopy: $(OBJS) 8fcopy: $(OBJS)
40 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
diff --git a/src/firecfg/Makefile.in b/src/firecfg/Makefile.in
index 0b2b03275..b6dbb039d 100644
--- a/src/firecfg/Makefile.in
+++ b/src/firecfg/Makefile.in
@@ -1,40 +1,14 @@
1all: firecfg 1all: firecfg
2 2
3CC=@CC@ 3include ../common.mk
4prefix=@prefix@
5exec_prefix=@exec_prefix@
6libdir=@libdir@
7sysconfdir=@sysconfdir@
8
9VERSION=@PACKAGE_VERSION@
10NAME=@PACKAGE_NAME@
11HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
12HAVE_SECCOMP=@HAVE_SECCOMP@
13HAVE_CHROOT=@HAVE_CHROOT@
14HAVE_BIND=@HAVE_BIND@
15HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
16HAVE_NETWORK=@HAVE_NETWORK@
17HAVE_USERNS=@HAVE_USERNS@
18HAVE_X11=@HAVE_X11@
19HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
20HAVE_GCOV=@HAVE_GCOV@
21EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
22
23
24H_FILE_LIST = $(sort $(wildcard *.[h]))
25C_FILE_LIST = $(sort $(wildcard *.c))
26OBJS = $(C_FILE_LIST:.c=.o)
27BINOBJS = $(foreach file, $(OBJS), $file)
28CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_SECCOMP) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
29LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
30 4
31%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/libnetlink.h ../include/pid.h
32 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
33 7
34firecfg: $(OBJS) ../lib/common.o 8firecfg: $(OBJS) ../lib/common.o
35 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o $(LIBS) $(EXTRA_LDFLAGS)
36 10
37clean:; rm -f *.o firecfg firecfg.1 firecfg.1.gz *.gcov *.gcda *.gcno 11clean:; rm -f *.o firecfg *.gcov *.gcda *.gcno
38 12
39distclean: clean 13distclean: clean
40 rm -fr Makefile 14 rm -fr Makefile
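diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index e29f95886..1f56e2532 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -16,6 +16,7 @@ VirtualBox
 Wire
 Xephyr
 abrowser
+akonadi_control
 akregator
 amarok
 amule
@@ -43,6 +44,7 @@ bibletime
 bitlbee
 bleachbit
 blender
+blender-2.8
 bless
 bluefish
 bnox
@@ -108,6 +110,8 @@ eom
 epiphany
 etr
 evince
+evince-previewer
+evince-thumbnailer
 evolution
 exiftool
 falkon
@@ -130,6 +134,7 @@ freshclam
 frozen-bubble
 gajim
 galculator
+gcloud
 geany
 geary
 gedit
@@ -150,10 +155,12 @@ gnome-clocks
 gnome-contacts
 gnome-documents
 gnome-font-viewer
+gnome-logs
 gnome-maps
 gnome-mplayer
 gnome-music
 gnome-photos
+gnome-recipes
 gnome-twitch
 gnome-weather
 goobox
@@ -258,6 +265,7 @@ musescore
 mutt
 natron
 nautilus
+ncdu
 netsurf
 neverball
 nheko
@@ -348,6 +356,7 @@ telegram
 telegram-desktop
 terasology
 thunderbird
+thunderbird-beta
 tilp
 tor-browser-ar
 tor-browser-en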
diff --git a/src/firejail/Makefile.in b/src/firejail/Makefile.in
index 01cb929e2..9bd2f9c22 100644
--- a/src/firejail/Makefile.in
+++ b/src/firejail/Makefile.in
@@ -1,45 +1,14 @@
1all: firejail 1all: firejail
2 2
3CC=@CC@ 3include ../common.mk
4prefix=@prefix@
5exec_prefix=@exec_prefix@
6libdir=@libdir@
7sysconfdir=@sysconfdir@
8
9VERSION=@PACKAGE_VERSION@
10NAME=@PACKAGE_NAME@
11HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
12HAVE_SECCOMP=@HAVE_SECCOMP@
13HAVE_CHROOT=@HAVE_CHROOT@
14HAVE_BIND=@HAVE_BIND@
15HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
16HAVE_NETWORK=@HAVE_NETWORK@
17HAVE_USERNS=@HAVE_USERNS@
18HAVE_X11=@HAVE_X11@
19HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
20HAVE_WHITELIST=@HAVE_WHITELIST@
21HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
22HAVE_APPARMOR=@HAVE_APPARMOR@
23HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
24HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
25HAVE_GCOV=@HAVE_GCOV@
26HAVE_GIT_INSTALL=@HAVE_GIT_INSTALL@
27EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
28
29H_FILE_LIST = $(sort $(wildcard *.[h]))
30C_FILE_LIST = $(sort $(wildcard *.c))
31OBJS = $(C_FILE_LIST:.c=.o)
32BINOBJS = $(foreach file, $(OBJS), $file)
33CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) $(HAVE_GIT_INSTALL) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
34LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
35 4
36%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/euid_common.h ../include/pid.h ../include/seccomp.h ../include/syscall.h
37 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
38 7
39firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o 8firejail: $(OBJS) ../lib/libnetlink.o ../lib/common.o ../lib/ldd_utils.o
40 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS)
41 10
42clean:; rm -f *.o firejail firejail.1 firejail.1.gz *.gcov *.gcda *.gcno 11clean:; rm -f *.o firejail *.gcov *.gcda *.gcno
43 12
44distclean: clean 13distclean: clean
45 rm -fr Makefile 14 rm -fr Makefile
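diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 0d77c199b..20845270e 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -85,6 +85,15 @@ int checkcfg(int val) {
  else
  goto errout;
  }
+ // dbus
+ else if (strncmp(ptr, "dbus ", 5) == 0) {
+ if (strcmp(ptr + 5, "yes") == 0)
+ cfg_val[CFG_DBUS] = 1;
+ else if (strcmp(ptr + 5, "no") == 0)
+ cfg_val[CFG_DBUS] = 0;
+ else
+ goto errout;
+ }
  // join
  else if (strncmp(ptr, "join ", 5) == 0) {
  if (strcmp(ptr + 5, "yes") == 0)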
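diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c
new file mode 100644
index 000000000..6c122c6d0
--- /dev/null
+++ b/src/firejail/dbus.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2014-2018 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "firejail.h"
+
+void dbus_session_disable(void) {
+ if (!checkcfg(CFG_DBUS)) {
+ fwarning("D-Bus handling is disabled in Firejail configuration file\n");
+ return;
+ }
+
+ char *path;
+ if (asprintf(&path, "/run/user/%d/bus", getuid()) == -1)
+ errExit("asprintf");
+ char *env_var;
+ if (asprintf(&env_var, "DBUS_SESSION_BUS_ADDRESS=unix:path=%s", path) == -1)
+ errExit("asprintf");
+
+ // set a new environment variable: DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/<UID>/bus
+ if (setenv("DBUS_SESSION_BUS_ADDRESS", env_var, 1) == -1) {
+ fprintf(stderr, "Error: cannot modify DBUS_SESSION_BUS_ADDRESS required by --nodbus\n");
+ exit(1);
+ }
+
+ // blacklist the path
+ disable_file_or_dir(path);
+ free(path);
+ free(env_var);
+
+ // look for a possible abstract unix socket
+
+ // --net=none
+ if (arg_nonetwork)
+ return;
+
+ // --net=eth0
+ if (any_bridge_configured())
+ return;
+
+ // --protocol=unix
+#ifdef HAVE_SECCOMP
+ if (cfg.protocol && !strstr(cfg.protocol, "unix"))
+ return;
+#endif
+
+ fwarning("An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.\n");
+}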
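Review bot: The string passed to `setenv()` in `dbus_session_disable()` already contains the variable name, so the environment ends up as `DBUS_SESSION_BUS_ADDRESS=DBUS_SESSION_BUS_ADDRESS=unix:path=...`, which is not what the comment above the call describes; build only the value with `if (asprintf(&env_var, "unix:path=%s", path) == -1)`. The early return when `checkcfg(CFG_DBUS)` is false means an explicit `--nodbus` request is dropped with only a warning and the sandbox starts with the session bus still reachable; for a restriction option that fail-open behaviour should at least be documented, and exiting with an error may be the safer choice. `getuid()` returns `uid_t`, so the two `%d` conversions want an `(int)` cast or `%u`. As far as this file shows, only `/run/user/<UID>/bus` is blacklisted, so a header comment should say that the system bus and a session bus at a non-default address are not covered.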
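diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 5af141289..fdb5745cb 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -382,6 +382,7 @@ extern int arg_noprofile; // use default.profile if none other found/specified
 extern int arg_memory_deny_write_execute; // block writable and executable memory
 extern int arg_notv; // --notv
 extern int arg_nodvd; // --nodvd
+extern int arg_nodbus; // -nodbus
 
 extern int login_shell;
 extern int parent_to_child_fds[2];
@@ -520,6 +521,8 @@ void create_empty_file_as_root(const char *dir, mode_t mode);
 int set_perms(const char *fname, uid_t uid, gid_t gid, mode_t mode);
 void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid);
 unsigned extract_timeout(const char *str);
+void disable_file_or_dir(const char *fname);
+void disable_file_path(const char *path, const char *file);
 
 // fs_var.c
 void fs_var_log(void); // mounting /var/log
@@ -741,6 +744,7 @@ enum {
  CFG_XPRA_ATTACH,
  CFG_PRIVATE_LIB,
  CFG_APPARMOR,
+ CFG_DBUS,
  CFG_MAX // this should always be the last entry
 };
 extern char *xephyr_screen;
@@ -800,4 +804,7 @@ void set_name_run_file(pid_t pid);
 void set_x11_run_file(pid_t pid, int display);
 void set_profile_run_file(pid_t pid, const char *fname);
 
+// dbus.c
+void dbus_session_disable(void);
+
 #endif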
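Review bot: The comment on `extern int arg_nodbus; // -nodbus` has a single dash, unlike the `// --notv` and `// --nodvd` lines beside it; it should read `// --nodbus`, and the definition added in main.c carries the same typo. The new `disable_file_or_dir()` and `disable_file_path()` prototypes are now shared across files and would benefit from a one-line comment each, stating that they bind-mount `RUN_RO_DIR` or `RUN_RO_FILE` over the path and that a path which fails `stat()` is skipped rather than treated as an error.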
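diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c
index 6eac78d96..152ddf5f7 100644
--- a/src/firejail/fs_dev.c
+++ b/src/firejail/fs_dev.c
@@ -297,26 +297,6 @@ void fs_private_dev(void){
  }
 }
 
-
-
-static void disable_file_or_dir(const char *fname) {
- if (arg_debug)
- printf("disable %s\n", fname);
- struct stat s;
- if (stat(fname, &s) != -1) {
- if (is_dir(fname)) {
- if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
- errExit("disable directory");
- }
- else {
- if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
- errExit("disable file");
- }
- }
- fs_logger2("blacklist", fname);
-
-}
-
 void fs_dev_disable_sound(void) {
  unsigned i = 0;
  while (dev[i].dev_fname != NULL) {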
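diff --git a/src/firejail/main.c b/src/firejail/main.c
index 38db165e8..6dc19abdd 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -120,6 +120,7 @@ int arg_noprofile = 0; // use default.profile if none other found/specified
 int arg_memory_deny_write_execute = 0; // block writable and executable memory
 int arg_notv = 0; // --notv
 int arg_nodvd = 0; // --nodvd
+int arg_nodbus = 0; // -nodbus
 int login_shell = 0;
 
 
@@ -1111,7 +1112,7 @@ int main(int argc, char **argv) {
  else if (strncmp(argv[i], "--protocol=", 11) == 0) {
  if (checkcfg(CFG_SECCOMP)) {
  if (cfg.protocol) {
- fwarning("a protocol list is present, the new list \"%s\" will not be installed\n", argv[i] + 11);
+ fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol);
  }
  else {
  // store list
@@ -1734,6 +1735,8 @@ int main(int argc, char **argv) {
  arg_notv = 1;
  else if (strcmp(argv[i], "--nodvd") == 0)
  arg_nodvd = 1;
+ else if (strcmp(argv[i], "--nodbus") == 0)
+ arg_nodbus = 1;
 
  //*************************************
  // network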
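Review bot: The reworded warning in the `--protocol=` branch prints only `cfg.protocol`, the list that is kept, and no longer names the list in `argv[i] + 11` that is discarded, so a user who passes a stricter list on the command line cannot tell from the log which restriction was ignored. Printing both keeps the message actionable: `fwarning("two protocol lists are present, \"%s\" will be installed, \"%s\" is ignored\n", cfg.protocol, argv[i] + 11);`. The same wording change is made in profile.c, where the dropped value is `ptr + 9`. main() starts and ends outside these hunks.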
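diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 5566b9860..2cb91964a 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -249,6 +249,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
  arg_no3d = 1;
  return 0;
  }
+ else if (strcmp(ptr, "nodbus") == 0) {
+ arg_nodbus = 1;
+ return 0;
+ }
  else if (strcmp(ptr, "allow-private-blacklist") == 0) {
  fmessage("--allow-private-blacklist was deprecated\n");
  return 0;
@@ -549,7 +553,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #ifdef HAVE_SECCOMP
  if (checkcfg(CFG_SECCOMP)) {
  if (cfg.protocol) {
- fwarning("a protocol list is present, the new list \"%s\" will not be installed\n", ptr + 9);
+ fwarning("two protocol lists are present, \"%s\" will be installed\n", cfg.protocol);
  return 0;
  }
 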
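diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index ef674fb4a..9109a6865 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -24,52 +24,24 @@
 #include <dirent.h>
 #include <sys/wait.h>
 
-static void disable_file(const char *path, const char *file) {
- assert(file);
- assert(path);
-
- struct stat s;
- char *fname;
- if (asprintf(&fname, "%s/%s", path, file) == -1)
- errExit("asprintf");
- if (stat(fname, &s) == -1)
- goto doexit;
-
- if (arg_debug)
- printf("Disable%s\n", fname);
-
- if (S_ISDIR(s.st_mode)) {
- if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
- errExit("disable file");
- }
- else {
- if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
- errExit("disable file");
- }
- fs_logger2("blacklist", fname);
-
-doexit:
- free(fname);
-}
-
 // disable pulseaudio socket
 void pulseaudio_disable(void) {
  if (arg_debug)
  printf("disable pulseaudio\n");
  // blacklist user config directory
- disable_file(cfg.homedir, ".config/pulse");
+ disable_file_path(cfg.homedir, ".config/pulse");
 
 
  // blacklist pulseaudio socket in XDG_RUNTIME_DIR
  char *name = getenv("XDG_RUNTIME_DIR");
  if (name)
- disable_file(name, "pulse/native");
+ disable_file_path(name, "pulse/native");
 
  // try the default location anyway
  char *path;
  if (asprintf(&path, "/run/user/%d", getuid()) == -1)
  errExit("asprintf");
- disable_file(path, "pulse/native");
+ disable_file_path(path, "pulse/native");
  free(path);
 
 
@@ -87,12 +59,11 @@ void pulseaudio_disable(void) {
  struct dirent *entry;
  while ((entry = readdir(dir))) {
  if (strncmp(entry->d_name, "pulse-", 6) == 0) {
- disable_file("/tmp", entry->d_name);
+ disable_file_path("/tmp", entry->d_name);
  }
  }
 
  closedir(dir);
-
 }
 
 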
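diff --git a/src/firejail/run_files.c b/src/firejail/run_files.c
index 57a0e19df..361ad1414 100644
--- a/src/firejail/run_files.c
+++ b/src/firejail/run_files.c
@@ -20,6 +20,7 @@
 
 #include "firejail.h"
 #include "../include/pid.h"
+#define BUFLEN 4096
 
 static void delete_x11_run_file(pid_t pid) {
  char *fname;
@@ -74,7 +75,36 @@ void delete_run_files(pid_t pid) {
  delete_profile_run_file(pid);
 }
 
+static char *newname(char *name) {
+ char *rv;
+ pid_t pid;
+
+ // try the name
+ if (name2pid(name, &pid))
+ return name;
+
+ // try name-1 to 9
+ int i;
+ for (i = 1; i < 10; i++) {
+ if (asprintf(&rv, "%s-%d", name, i) == -1)
+ errExit("asprintf");
+ if (name2pid(rv, &pid)) {
+ fwarning("Sandbox name changed to %s\n", rv);
+ return rv;
+ }
+ free(rv);
+ }
+
+ // return name-pid
+ if (asprintf(&rv, "%s-%d", name, getpid()) == -1)
+ errExit("asprintf");
+ return rv;
+}
+
+
 void set_name_run_file(pid_t pid) {
+ cfg.name = newname(cfg.name);
+
  char *fname;
  if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, pid) == -1)
  errExit("asprintf");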
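Review bot: `newname()` tests the name with `name2pid()` (apparently nonzero when no sandbox holds it) and only afterwards does `set_name_run_file()` write the run file, so two sandboxes started at the same moment with the same name can both see it as free; nothing in the lines shown takes a lock or creates the file exclusively. Because the requested name may be replaced by `name-1` to `name-9` or `name-<pid>` with only a warning, anything that later addresses a sandbox by the requested name may reach a different one, which deserves a function comment and a note in the man page. The fallback uses `getpid()` rather than the `pid` argument that `set_name_run_file()` receives, and the previous `cfg.name` string is not released when a new one is returned (confirm whether it is heap-allocated). The added `#define BUFLEN 4096` is not used anywhere in these hunks.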
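diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 96b7b267b..75dbc976d 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -838,6 +838,13 @@ int sandbox(void* sandbox_arg) {
  }
 
  //****************************
+ // Session D-BUS
+ //****************************
+ if (arg_nodbus)
+ dbus_session_disable();
+
+
+ //****************************
  // hosts and hostname
  //****************************
  if (cfg.hostname)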
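diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 15b548d20..d0292f524 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -132,7 +132,9 @@ void usage(void) {
 #endif
  printf(" --nice=value - set nice value.\n");
  printf(" --no3d - disable 3D hardware acceleration.\n");
- printf(" --noblacklist=filename - disable blacklist for file or directory .\n");
+ printf(" --noblacklist=filename - disable blacklist for file or directory.\n");
+ printf(" --nodbus - disable D-Bus access.\n");
+ printf(" --nodvd - disable DVD and audio CD devices.\n");
  printf(" --noexec=filename - remount the file or directory noexec nosuid and nodev.\n");
  printf(" --nogroups - disable supplementary groups.\n");
  printf(" --nonewprivs - sets the NO_NEW_PRIVS prctl.\n");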
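Review bot: The help line for `--nodbus` promises "disable D-Bus access", which is more than `dbus_session_disable()` in dbus.c delivers: that function blacklists only the session bus socket under `/run/user/<UID>` and itself warns that an abstract socket may remain reachable. Wording along the lines of "disable the D-Bus session bus socket" would set the right expectation for someone relying on the option as a security control. usage() continues outside the hunk.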
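diff --git a/src/firejail/util.c b/src/firejail/util.c
index 0adca5e33..c644f83a8 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -21,6 +21,7 @@
 #include "firejail.h"
 #include <ftw.h>
 #include <sys/stat.h>
+#include <sys/mount.h>
 #include <fcntl.h>
 #include <syslog.h>
 #include <errno.h>
@@ -964,3 +965,33 @@ unsigned extract_timeout(const char *str) {
 
  return h * 3600 + m * 60 + s;
 }
+
+void disable_file_or_dir(const char *fname) {
+ if (arg_debug)
+ printf("blacklist %s\n", fname);
+ struct stat s;
+ if (stat(fname, &s) != -1) {
+ if (is_dir(fname)) {
+ if (mount(RUN_RO_DIR, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+ errExit("disable directory");
+ }
+ else {
+ if (mount(RUN_RO_FILE, fname, "none", MS_BIND, "mode=400,gid=0") < 0)
+ errExit("disable file");
+ }
+ }
+ fs_logger2("blacklist", fname);
+}
+
+void disable_file_path(const char *path, const char *file) {
+ assert(file);
+ assert(path);
+
+ char *fname;
+ if (asprintf(&fname, "%s/%s", path, file) == -1)
+ errExit("asprintf");
+
+ disable_file_or_dir(fname);
+ free(fname);
+}
+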
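Review bot: `disable_file_or_dir()` resolves `fname` three separate times (`stat()`, then `is_dir()`, then `mount()`), so the object that was checked is not necessarily the one that gets mounted over if the path changes in between. This matters more now that pulseaudio.c passes it `/tmp/pulse-*` names from a world-writable directory. The `stat` result is already in hand, so `if (S_ISDIR(s.st_mode)) {` removes one lookup, as the removed `disable_file()` in pulseaudio.c did. `fs_logger2("blacklist", fname)` also runs when `stat()` failed and nothing was mounted, whereas the old pulseaudio helper skipped logging in that case; moving the call inside the `stat` success branch keeps the log truthful. A short header comment on both functions saying that a missing path is ignored would help callers.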
diff --git a/src/firemon/Makefile.in b/src/firemon/Makefile.in
index 326c305d9..d3ffe5d3f 100644
--- a/src/firemon/Makefile.in
+++ b/src/firemon/Makefile.in
@@ -1,26 +1,9 @@
1all: firemon 1all: firemon
2 2
3CC=@CC@ 3include ../common.mk
4prefix=@prefix@
5VERSION=@PACKAGE_VERSION@
6NAME=@PACKAGE_NAME@
7HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
8HAVE_GCOV=@HAVE_GCOV@
9HAVE_APPARMOR=@HAVE_APPARMOR@
10EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
11
12H_FILE_LIST = $(sort $(wildcard *.[h]))
13C_FILE_LIST = $(sort $(wildcard *.c))
14OBJS = $(C_FILE_LIST:.c=.o)
15BINOBJS = $(foreach file, $(OBJS), $file)
16CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' $(HAVE_APPARMOR) $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
17LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
18HAVE_GCOV=@HAVE_GCOV@
19EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
20
21 4
22%.o : %.c $(H_FILE_LIST) 5%.o : %.c $(H_FILE_LIST)
23 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
24 7
25firemon: $(OBJS) ../lib/common.o ../lib/pid.o 8firemon: $(OBJS) ../lib/common.o ../lib/pid.o
26 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/common.o ../lib/pid.o $(LIBS) $(EXTRA_LDFLAGS)
diff --git a/src/fldd/Makefile.in b/src/fldd/Makefile.in
index e2bf4b787..5af37cfbd 100644
--- a/src/fldd/Makefile.in
+++ b/src/fldd/Makefile.in
@@ -1,40 +1,9 @@
1all: fldd 1all: fldd
2 2
3CC=@CC@ 3include ../common.mk
4prefix=@prefix@
5exec_prefix=@exec_prefix@
6libdir=@libdir@
7sysconfdir=@sysconfdir@
8
9VERSION=@PACKAGE_VERSION@
10NAME=@PACKAGE_NAME@
11HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
12HAVE_SECCOMP=@HAVE_SECCOMP@
13HAVE_CHROOT=@HAVE_CHROOT@
14HAVE_BIND=@HAVE_BIND@
15HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
16HAVE_NETWORK=@HAVE_NETWORK@
17HAVE_USERNS=@HAVE_USERNS@
18HAVE_X11=@HAVE_X11@
19HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
20HAVE_WHITELIST=@HAVE_WHITELIST@
21HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
22HAVE_APPARMOR=@HAVE_APPARMOR@
23HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
24HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
25EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
26HAVE_GCOV=@HAVE_GCOV@
27EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
28
29H_FILE_LIST = $(sort $(wildcard *.[h]))
30C_FILE_LIST = $(sort $(wildcard *.c))
31OBJS = $(C_FILE_LIST:.c=.o)
32BINOBJS = $(foreach file, $(OBJS), $file)
33CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
34LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
35 4
36%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h ../include/ldd_utils.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h ../include/ldd_utils.h
37 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
38 7
39fldd: $(OBJS) ../lib/ldd_utils.o 8fldd: $(OBJS) ../lib/ldd_utils.o
40 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/ldd_utils.o $(LIBS) $(EXTRA_LDFLAGS)
diff --git a/src/fnet/Makefile.in b/src/fnet/Makefile.in
index 3288e6354..06b3981a9 100644
--- a/src/fnet/Makefile.in
+++ b/src/fnet/Makefile.in
@@ -1,40 +1,9 @@
1all: fnet 1all: fnet
2 2
3CC=@CC@ 3include ../common.mk
4prefix=@prefix@
5exec_prefix=@exec_prefix@
6libdir=@libdir@
7sysconfdir=@sysconfdir@
8
9VERSION=@PACKAGE_VERSION@
10NAME=@PACKAGE_NAME@
11HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
12HAVE_SECCOMP=@HAVE_SECCOMP@
13HAVE_CHROOT=@HAVE_CHROOT@
14HAVE_BIND=@HAVE_BIND@
15HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
16HAVE_NETWORK=@HAVE_NETWORK@
17HAVE_USERNS=@HAVE_USERNS@
18HAVE_X11=@HAVE_X11@
19HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
20HAVE_WHITELIST=@HAVE_WHITELIST@
21HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
22HAVE_APPARMOR=@HAVE_APPARMOR@
23HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
24HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
25EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
26HAVE_GCOV=@HAVE_GCOV@
27EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
28
29H_FILE_LIST = $(sort $(wildcard *.[h]))
30C_FILE_LIST = $(sort $(wildcard *.c))
31OBJS = $(C_FILE_LIST:.c=.o)
32BINOBJS = $(foreach file, $(OBJS), $file)
33CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
34LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
35 4
36%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/libnetlink.h
37 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
38 7
39fnet: $(OBJS) ../lib/libnetlink.o 8fnet: $(OBJS) ../lib/libnetlink.o
40 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) ../lib/libnetlink.o $(LIBS) $(EXTRA_LDFLAGS)
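Review bot: `$(EXTRA_CFLAGS)` is expanded after `$(CFLAGS)` in the new compile recipe, so any option it carries takes precedence over the hardening options (`-fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE`) that this Makefile used to set itself. The rule deserves a comment above it, such as `# EXTRA_CFLAGS comes last on purpose; it must not undo the hardening flags in CFLAGS`. Those flags and the `-Wl,-z,relro -Wl,-z,now` link flags are now expected from `../common.mk`; the part of common.mk.in shown on this page stops before any CFLAGS or LDFLAGS line, so it is worth confirming they were carried over unchanged. The same applies to the Makefile.in sections for fnetfilter, fsec-optimize, fsec-print, fseccomp, ftee and lib.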
diff --git a/src/fnetfilter/Makefile.in b/src/fnetfilter/Makefile.in
index 1063737e1..2e263cc2b 100644
--- a/src/fnetfilter/Makefile.in
+++ b/src/fnetfilter/Makefile.in
@@ -1,40 +1,9 @@
1all: fnetfilter 1all: fnetfilter
2 2
3CC=@CC@ 3include ../common.mk
4prefix=@prefix@
5exec_prefix=@exec_prefix@
6libdir=@libdir@
7sysconfdir=@sysconfdir@
8
9VERSION=@PACKAGE_VERSION@
10NAME=@PACKAGE_NAME@
11HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
12HAVE_SECCOMP=@HAVE_SECCOMP@
13HAVE_CHROOT=@HAVE_CHROOT@
14HAVE_BIND=@HAVE_BIND@
15HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
16HAVE_NETWORK=@HAVE_NETWORK@
17HAVE_USERNS=@HAVE_USERNS@
18HAVE_X11=@HAVE_X11@
19HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
20HAVE_WHITELIST=@HAVE_WHITELIST@
21HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
22HAVE_APPARMOR=@HAVE_APPARMOR@
23HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
24HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
25EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
26HAVE_GCOV=@HAVE_GCOV@
27EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
28
29H_FILE_LIST = $(sort $(wildcard *.[h]))
30C_FILE_LIST = $(sort $(wildcard *.c))
31OBJS = $(C_FILE_LIST:.c=.o)
32BINOBJS = $(foreach file, $(OBJS), $file)
33CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
34LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
35 4
36%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
37 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
38 7
39fnetfilter: $(OBJS) 8fnetfilter: $(OBJS)
40 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
diff --git a/src/fsec-optimize/Makefile.in b/src/fsec-optimize/Makefile.in
index 6ddbfc075..e5e14a6a6 100644
--- a/src/fsec-optimize/Makefile.in
+++ b/src/fsec-optimize/Makefile.in
@@ -1,40 +1,9 @@
1all: fsec-optimize 1all: fsec-optimize
2 2
3CC=@CC@ 3include ../common.mk
4prefix=@prefix@
5exec_prefix=@exec_prefix@
6libdir=@libdir@
7sysconfdir=@sysconfdir@
8
9VERSION=@PACKAGE_VERSION@
10NAME=@PACKAGE_NAME@
11HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
12HAVE_SECCOMP=@HAVE_SECCOMP@
13HAVE_CHROOT=@HAVE_CHROOT@
14HAVE_BIND=@HAVE_BIND@
15HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
16HAVE_NETWORK=@HAVE_NETWORK@
17HAVE_USERNS=@HAVE_USERNS@
18HAVE_X11=@HAVE_X11@
19HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
20HAVE_WHITELIST=@HAVE_WHITELIST@
21HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
22HAVE_APPARMOR=@HAVE_APPARMOR@
23HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
24HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
25EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
26HAVE_GCOV=@HAVE_GCOV@
27EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
28
29H_FILE_LIST = $(sort $(wildcard *.[h]))
30C_FILE_LIST = $(sort $(wildcard *.c))
31OBJS = $(C_FILE_LIST:.c=.o)
32BINOBJS = $(foreach file, $(OBJS), $file)
33CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
34LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
35 4
36%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h
37 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
38 7
39fsec-optimize: $(OBJS) ../lib/libnetlink.o 8fsec-optimize: $(OBJS) ../lib/libnetlink.o
40 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
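Review bot: The `fsec-optimize` link rule lists `../lib/libnetlink.o` as a prerequisite, but its recipe links only `$(OBJS) $(LIBS) $(EXTRA_LDFLAGS)`, so the object is required to exist without ever being used. If the tool does not need netlink, the header should read `fsec-optimize: $(OBJS)`, which also removes a spurious build-order dependency on src/lib. The line is unchanged context in this commit, and src/fsec-print/Makefile.in carries the same mismatch.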
diff --git a/src/fsec-print/Makefile.in b/src/fsec-print/Makefile.in
index 5d23382f7..3db4406f4 100644
--- a/src/fsec-print/Makefile.in
+++ b/src/fsec-print/Makefile.in
@@ -1,40 +1,9 @@
1all: fsec-print 1all: fsec-print
2 2
3CC=@CC@ 3include ../common.mk
4prefix=@prefix@
5exec_prefix=@exec_prefix@
6libdir=@libdir@
7sysconfdir=@sysconfdir@
8
9VERSION=@PACKAGE_VERSION@
10NAME=@PACKAGE_NAME@
11HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
12HAVE_SECCOMP=@HAVE_SECCOMP@
13HAVE_CHROOT=@HAVE_CHROOT@
14HAVE_BIND=@HAVE_BIND@
15HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
16HAVE_NETWORK=@HAVE_NETWORK@
17HAVE_USERNS=@HAVE_USERNS@
18HAVE_X11=@HAVE_X11@
19HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
20HAVE_WHITELIST=@HAVE_WHITELIST@
21HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
22HAVE_APPARMOR=@HAVE_APPARMOR@
23HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
24HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
25EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
26HAVE_GCOV=@HAVE_GCOV@
27EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
28
29H_FILE_LIST = $(sort $(wildcard *.[h]))
30C_FILE_LIST = $(sort $(wildcard *.c))
31OBJS = $(C_FILE_LIST:.c=.o)
32BINOBJS = $(foreach file, $(OBJS), $file)
33CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
34LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
35 4
36%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/seccomp.h ../include/syscall.h
37 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
38 7
39fsec-print: $(OBJS) ../lib/libnetlink.o 8fsec-print: $(OBJS) ../lib/libnetlink.o
40 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
diff --git a/src/fsec-print/print.c b/src/fsec-print/print.c
index e3b53c44c..faf59aa35 100644
--- a/src/fsec-print/print.c
+++ b/src/fsec-print/print.c
@@ -269,7 +269,7 @@ static void bpf_decode_args(const struct sock_filter *bpf, unsigned int line) {
269 native_arch = (ARCH_NR == ARCH_64)? 1: 0; 269 native_arch = (ARCH_NR == ARCH_64)? 1: 0;
270 } 270 }
271 else if (bpf->k == X32_SYSCALL_BIT) 271 else if (bpf->k == X32_SYSCALL_BIT)
272 printf("X32_ABI true:%.4x (false %.4x)", 272 printf("X32_ABI %.4x (false %.4x)",
273 (line + 1) + bpf->jt, 273 (line + 1) + bpf->jt,
274 (line + 1) + bpf->jf); 274 (line + 1) + bpf->jf);
275 else if (name) 275 else if (name)
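Review bot: With `true:` dropped, the X32_ABI line prints its jump-true target unlabeled while the jump-false target keeps its `false` label, so a reader of the filter dump has to know the convention. If this was done to match the neighbouring branches (they are outside the hunk), a short comment above the printf would record it: `// first value: jump-true target; value in parentheses: jump-false target`. bpf_decode_args starts and ends outside the hunk.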
diff --git a/src/fseccomp/Makefile.in b/src/fseccomp/Makefile.in
index df4343d36..2c99096bb 100644
--- a/src/fseccomp/Makefile.in
+++ b/src/fseccomp/Makefile.in
@@ -1,40 +1,9 @@
1all: fseccomp 1all: fseccomp
2 2
3CC=@CC@ 3include ../common.mk
4prefix=@prefix@
5exec_prefix=@exec_prefix@
6libdir=@libdir@
7sysconfdir=@sysconfdir@
8
9VERSION=@PACKAGE_VERSION@
10NAME=@PACKAGE_NAME@
11HAVE_SECCOMP_H=@HAVE_SECCOMP_H@
12HAVE_SECCOMP=@HAVE_SECCOMP@
13HAVE_CHROOT=@HAVE_CHROOT@
14HAVE_BIND=@HAVE_BIND@
15HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
16HAVE_NETWORK=@HAVE_NETWORK@
17HAVE_USERNS=@HAVE_USERNS@
18HAVE_X11=@HAVE_X11@
19HAVE_FILE_TRANSFER=@HAVE_FILE_TRANSFER@
20HAVE_WHITELIST=@HAVE_WHITELIST@
21HAVE_GLOBALCFG=@HAVE_GLOBALCFG@
22HAVE_APPARMOR=@HAVE_APPARMOR@
23HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
24HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
25EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
26HAVE_GCOV=@HAVE_GCOV@
27EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
28
29H_FILE_LIST = $(sort $(wildcard *.[h]))
30C_FILE_LIST = $(sort $(wildcard *.c))
31OBJS = $(C_FILE_LIST:.c=.o)
32BINOBJS = $(foreach file, $(OBJS), $file)
33CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' -DLIBDIR='"$(libdir)"' $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_OVERLAYFS) $(HAVE_SECCOMP) $(HAVE_GLOBALCFG) $(HAVE_SECCOMP_H) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_BIND) $(HAVE_FILE_TRANSFER) $(HAVE_WHITELIST) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
34LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
35 4
36%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h 5%.o : %.c $(H_FILE_LIST) ../include/common.h ../include/syscall.h
37 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
38 7
39fseccomp: $(OBJS) 8fseccomp: $(OBJS)
40 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
diff --git a/src/ftee/Makefile.in b/src/ftee/Makefile.in
index fd39f0cb7..d3b92362c 100644
--- a/src/ftee/Makefile.in
+++ b/src/ftee/Makefile.in
@@ -1,25 +1,12 @@
1all: ftee 1all: ftee
2 2
3CC=@CC@ 3include ../common.mk
4PREFIX=@prefix@
5VERSION=@PACKAGE_VERSION@
6NAME=@PACKAGE_NAME@
7HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
8HAVE_GCOV=@HAVE_GCOV@
9EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
10
11H_FILE_LIST = $(sort $(wildcard *.[h]))
12C_FILE_LIST = $(sort $(wildcard *.c))
13OBJS = $(C_FILE_LIST:.c=.o)
14BINOBJS = $(foreach file, $(OBJS), $file)
15CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' $(HAVE_GCOV) -DPREFIX='"$(PREFIX)"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
16LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now -lpthread
17 4
18%.o : %.c $(H_FILE_LIST) 5%.o : %.c $(H_FILE_LIST)
19 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
20 7
21ftee: $(OBJS) 8ftee: $(OBJS)
22 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(EXTRA_LDFLAGS) 9 $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
23 10
24clean:; rm -f *.o ftee *.gcov *.gcda *.gcno 11clean:; rm -f *.o ftee *.gcov *.gcda *.gcno
25 12
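Review bot: `all` and `clean` are not declared phony anywhere in this file, so a stray file named `clean` or `all` in src/ftee would turn `make clean` into a silent no-op and leave stale objects and gcov data behind. Unless common.mk already declares them (not visible here), add `.PHONY: all clean` next to the `all:` line. src/lib/Makefile.in defines the same two targets and would need the same line.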
diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in
index a49e56ad2..a744b8d80 100644
--- a/src/lib/Makefile.in
+++ b/src/lib/Makefile.in
@@ -1,22 +1,9 @@
1CC=@CC@ 1include ../common.mk
2PREFIX=@prefix@
3VERSION=@PACKAGE_VERSION@
4NAME=@PACKAGE_NAME@
5HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
6HAVE_GCOV=@HAVE_GCOV@
7EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
8
9H_FILE_LIST = $(sort $(wildcard *.[h]))
10C_FILE_LIST = $(sort $(wildcard *.c))
11OBJS = $(C_FILE_LIST:.c=.o)
12BINOBJS = $(foreach file, $(OBJS), $file)
13CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DLIBDIR='"$(libdir)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security
14LDFLAGS:=-pic -Wl,-z,relro -Wl,-z,now
15 2
16all: $(OBJS) 3all: $(OBJS)
17 4
18%.o : %.c $(H_FILE_LIST) 5%.o : %.c $(H_FILE_LIST)
19 $(CC) $(CFLAGS) $(INCLUDE) -c $< -o $@ 6 $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
20 7
21clean:; rm -f $(OBJS) *.gcov *.gcda *.gcno 8clean:; rm -f $(OBJS) *.gcov *.gcda *.gcno
22 9
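Review bot: `include ../common.mk` now precedes `all: $(OBJS)`, so `all` remains the default goal only as long as common.mk never defines a rule of its own; the other Makefiles in this commit keep `all:` above the include. The rule cannot simply move up, because `$(OBJS)` is expanded when the rule header is read and is presumably defined in common.mk, so pin the goal instead with `.DEFAULT_GOAL := all`. Separately, the removed lines compiled these objects with `-fPIC`; it is worth confirming that the shared flags still produce position-independent objects, since they are linked into the PIE tools.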
diff --git a/src/lib/pid.c b/src/lib/pid.c
index f138efc8c..3c804716d 100644
--- a/src/lib/pid.c
+++ b/src/lib/pid.c
@@ -188,10 +188,11 @@ static void print_elem(unsigned index, int nowrap) {
188 uid_t uid = pids[index].uid; 188 uid_t uid = pids[index].uid;
189 char *cmd = pid_proc_cmdline(index); 189 char *cmd = pid_proc_cmdline(index);
190 char *user = pid_get_user_name(uid); 190 char *user = pid_get_user_name(uid);
191 char *allocated = user; 191 char *user_allocated = user;
192 192
193 // extract sandbox name - pid == index 193 // extract sandbox name - pid == index
194 char *sandbox_name = ""; 194 char *sandbox_name = "";
195 char *sandbox_name_allocated = NULL;
195 char *fname; 196 char *fname;
196 if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, index) == -1) 197 if (asprintf(&fname, "%s/%d", RUN_FIREJAIL_NAME_DIR, index) == -1)
197 errExit("asprintf"); 198 errExit("asprintf");
@@ -202,6 +203,7 @@ static void print_elem(unsigned index, int nowrap) {
202 sandbox_name = malloc(s.st_size + 1); 203 sandbox_name = malloc(s.st_size + 1);
203 if (!sandbox_name) 204 if (!sandbox_name)
204 errExit("malloc"); 205 errExit("malloc");
206 sandbox_name_allocated = sandbox_name;
205 char *rv = fgets(sandbox_name, s.st_size + 1, fp); 207 char *rv = fgets(sandbox_name, s.st_size + 1, fp);
206 if (!rv) 208 if (!rv)
207 *sandbox_name = '\0'; 209 *sandbox_name = '\0';
@@ -241,8 +243,10 @@ static void print_elem(unsigned index, int nowrap) {
241 else 243 else
242 printf("%s%u:\n", indent, index); 244 printf("%s%u:\n", indent, index);
243 } 245 }
244 if (allocated) 246 if (user_allocated)
245 free(allocated); 247 free(user_allocated);
248 if (sandbox_name_allocated)
249 free(sandbox_name_allocated);
246} 250}
247 251
248// recursivity!!! 252// recursivity!!!
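Review bot: The cleanup at the end of print_elem now releases `user_allocated` and `sandbox_name_allocated`, but the visible hunks show no matching `free` for `fname` (filled by `asprintf`) or for `cmd` (returned by `pid_proc_cmdline`, presumably heap-allocated). If neither is released in the lines elided between the hunks, they leak once per printed process in the same way as the buffer this commit fixes. Any early return between the `malloc` and the final block would also skip the new frees, so the elided part deserves a check. As a minor point, `free(NULL)` is a no-op, so the two guards can be reduced to `free(user_allocated); free(sandbox_name_allocated);`.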
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 34e4102f6..f080c8c7b 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1064,6 +1064,17 @@ $ nc dict.org 2628
1064220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64 1064220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
1065.br 1065.br
1066.TP 1066.TP
1067\fB\-\-nodbus
1068Disable D-Bus access. Only the regular UNIX socket is handled by this command. To
1069disable the abstract socket you would need to request a new network namespace using
1070\-\-net command. Another option is to remove unix from \-\-protocol set.
1071.br
1072
1073.br
1074Example:
1075.br
1076$ firejail \-\-nodbus \-\-net=none
1077.TP
1067\fB\-\-nodvd 1078\fB\-\-nodvd
1068Disable DVD and audio CD devices. 1079Disable DVD and audio CD devices.
1069.br 1080.br