From 9fa9d088874427ebcf8e45e9334102bd337475be Mon Sep 17 00:00:00 2001
From: NetSysFire <59517351+NetSysFire@users.noreply.github.com>
Date: Tue, 7 Feb 2023 11:35:47 +0100
Subject: New profile: parsecd
---
 etc/inc/disable-programs.inc | 1 +
 etc/profile-m-z/parsecd.profile | 44 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+)
 create mode 100644 etc/profile-m-z/parsecd.profile
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index e2e97f458..2a7e1a898 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -1077,6 +1077,7 @@ blacklist ${HOME}/.ostrichriders
 blacklist ${HOME}/.paradoxinteractive
 blacklist ${HOME}/.paradoxlauncher
 blacklist ${HOME}/.parallelrealities/blobwars
+blacklist ${HOME}/.parsec
 blacklist ${HOME}/.pcsxr
 blacklist ${HOME}/.penguin-command
 blacklist ${HOME}/.pine-crash
diff --git a/etc/profile-m-z/parsecd.profile b/etc/profile-m-z/parsecd.profile
new file mode 100644
index 000000000..398af7f80
--- /dev/null
+++ b/etc/profile-m-z/parsecd.profile
@@ -0,0 +1,44 @@
+# Firejail profile for Parsec
+# Description: Remote desktop application focused on gaming and other 3D applications
+# This file is overwritten after every install/update
+# Persistent local customizations
+include parsecd.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.parsec
+
+mkdir ${HOME}/.parsec
+whitelist ${HOME}/.parsec
+whitelist /usr/share/parsec
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+
+# Due to the nature of parsec, the following directives will not work:
+# - no3d
+# - novideo
+# - nosound
+# - noinput (it does remote passthrough stuff for gamepads)
+# - private-dev (because of the above)
+apparmor
+caps.drop all
+nodvd
+nogroups
+nonewprivs
+notv
+nou2f
+noroot
+# Will fail to start with mty_evdev_create: 'udev_monitor_new_from_netlink' failed without netlink
+protocol unix,inet,inet6,netlink
+seccomp !tgkill
+seccomp.block-secondary
+
+# Will not start with zenity missing
+private-bin parsecd,zenity
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+restrict-namespaces
-- cgit v1.2.3-54-g00ecf
From 3812c139a6580113572f68ea1a8fd277d410777c Mon Sep 17 00:00:00 2001
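Review bot: `noblacklist ${HOME}/.parsec` at the top of the new parsecd.profile has nothing to act on, because the profile includes only `whitelist-common.inc` and `whitelist-usr-share-common.inc` and none of the `disable-*.inc` files, so the `blacklist ${HOME}/.parsec` entry this commit adds to `disable-programs.inc` is never loaded here. Unless `parsecd.local` or `globals.local` supply them, the sandbox also appears to run without the blacklists those includes carry for paths outside the home whitelist; consider adding `include disable-common.inc` and `include disable-programs.inc` after the `noblacklist` line. Separately, `seccomp !tgkill` has no why-comment while the netlink exception does; a line such as `# tgkill is required by parsecd (<reason>)` above it would let a later reviewer judge whether the exception can be dropped.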
From: "Kelvin M. Klann" Date: Fri, 17 Feb 2023 18:25:34 -0300 Subject: Fix EOL at EOF Commands used to search and replace: $ git grep -Ilz '.' | xargs -0 -I '{}' sh -c \ "printf '%s\n' \"\$(cat '{}')\" >'{}'" The above commands ensure that there is exactly 1 line terminator at EOF (rather than 0 or more than 1) on all non-empty text files. This fixes all of the "new blank line at EOF" errors raised by git: $ git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904..HEAD | grep '^[^+]' | cut -f 3 -d : | LC_ALL=C sort | uniq -c 21 new blank line at EOF. 72 space before tab in indent. 4 trailing whitespace. --- README.md | 2 -- etc/profile-a-l/bibtex.profile | 1 - etc/profile-a-l/latex.profile | 1 - etc/profile-m-z/pdflatex.profile | 1 - etc/profile-m-z/presentations18.profile | 1 - etc/profile-m-z/tex.profile | 1 - etc/profile-m-z/textmaker18.profile | 1 - etc/profile-m-z/textmaker18free.profile | 1 - src/etc-cleanup/main.c | 2 +- src/fids/config | 1 - src/fids/db.c | 1 - src/fids/db_exclude.c | 1 - src/firejail/fs_etc.c | 1 - src/firejail/oom.c | 1 - src/fnettrace-dns/fnettrace_dns.h | 2 +- src/fnettrace-icmp/fnettrace_icmp.h | 2 +- src/fnettrace-sni/fnettrace_sni.h | 2 +- src/fnettrace/fnettrace.h | 2 +- src/fnettrace/hostnames.c | 1 - src/fnettrace/radix.c | 1 - src/fnettrace/radix.h | 2 +- src/jailcheck/apparmor.c | 1 - src/jailcheck/network.c | 3 --- src/jailcheck/utils.c | 1 - test/private-etc/private-etc.sh | 1 - test/private-lib/private-lib.sh | 1 - test/sysutils/sysutils.sh | 1 - 27 files changed, 6 insertions(+), 30 deletions(-) diff --git a/README.md b/README.md index 0f6ca9b08..22e2fa291 100644 --- a/README.md +++ b/README.md @@ -268,5 +268,3 @@ Stats: dbus-system filter 12 ``` - - diff --git a/etc/profile-a-l/bibtex.profile b/etc/profile-a-l/bibtex.profile index e868dcbab..5f12d61f1 100644 --- a/etc/profile-a-l/bibtex.profile +++ b/etc/profile-a-l/bibtex.profile @@ -9,4 +9,3 @@ private-bin bibtex # Redirect include latex-common.profile - 
diff --git a/etc/profile-a-l/latex.profile b/etc/profile-a-l/latex.profile index 2230dd570..f6e625d35 100644 --- a/etc/profile-a-l/latex.profile +++ b/etc/profile-a-l/latex.profile @@ -9,4 +9,3 @@ private-bin latex # Redirect include latex-common.profile - diff --git a/etc/profile-m-z/pdflatex.profile b/etc/profile-m-z/pdflatex.profile index caf980d4d..ddf6d0990 100644 --- a/etc/profile-m-z/pdflatex.profile +++ b/etc/profile-m-z/pdflatex.profile @@ -9,4 +9,3 @@ private-bin pdflatex # Redirect include latex-common.profile - diff --git a/etc/profile-m-z/presentations18.profile b/etc/profile-m-z/presentations18.profile index 65d684c40..ac844d1af 100644 --- a/etc/profile-m-z/presentations18.profile +++ b/etc/profile-m-z/presentations18.profile @@ -8,4 +8,3 @@ include globals.local # Redirect include softmaker-common.profile - diff --git a/etc/profile-m-z/tex.profile b/etc/profile-m-z/tex.profile index f56c3038e..c850cf5c3 100644 --- a/etc/profile-m-z/tex.profile +++ b/etc/profile-m-z/tex.profile @@ -9,4 +9,3 @@ private-bin tex # Redirect include latex-common.profile - diff --git a/etc/profile-m-z/textmaker18.profile b/etc/profile-m-z/textmaker18.profile index e5a4b6454..8284df791 100644 --- a/etc/profile-m-z/textmaker18.profile +++ b/etc/profile-m-z/textmaker18.profile @@ -8,4 +8,3 @@ include globals.local # Redirect include softmaker-common.profile - diff --git a/etc/profile-m-z/textmaker18free.profile b/etc/profile-m-z/textmaker18free.profile index 0e918bf0a..ad945ca55 100644 --- a/etc/profile-m-z/textmaker18free.profile +++ b/etc/profile-m-z/textmaker18free.profile @@ -8,4 +8,3 @@ include globals.local # Redirect include softmaker-common.profile - diff --git a/src/etc-cleanup/main.c b/src/etc-cleanup/main.c index a51043e66..1f1a61f88 100644 --- a/src/etc-cleanup/main.c +++ b/src/etc-cleanup/main.c @@ -252,4 +252,4 @@ int main(int argc, char **argv) { process_file(argv[i]); return 0; -} \ No newline at end of file +} 
diff --git a/src/fids/config b/src/fids/config index c18c97260..7828622e8 100644 --- a/src/fids/config +++ b/src/fids/config @@ -13,4 +13,3 @@ /home/netblue/Desktop/*.desktop /home/netblue/.ssh /home/netblue/.gnupg - diff --git a/src/fids/db.c b/src/fids/db.c index 6a21a4e14..7cad11cca 100644 --- a/src/fids/db.c +++ b/src/fids/db.c @@ -155,4 +155,3 @@ errexit: fprintf(stderr, "Error fids: database corrupted\n"); exit(1); } - diff --git a/src/fids/db_exclude.c b/src/fids/db_exclude.c index 18a05209a..aedb95e4f 100644 --- a/src/fids/db_exclude.c +++ b/src/fids/db_exclude.c @@ -53,4 +53,3 @@ int db_exclude_check(const char *fname) { return 0; } - diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index 6c4d4c0c6..3b7369ea8 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c @@ -402,4 +402,3 @@ void fs_private_dir_list(const char *private_dir, const char *private_run_dir, c fs_private_dir_mount(private_dir, private_run_dir); fmessage("Private %s installed in %0.2f ms\n", private_dir, timetrace_end()); } - diff --git a/src/firejail/oom.c b/src/firejail/oom.c index f4df3538c..482fc0ad0 100644 --- a/src/firejail/oom.c +++ b/src/firejail/oom.c @@ -84,4 +84,3 @@ void oom_set(const char *oom_string) { if (waitpid(child, &status, 0) == -1 ) errExit("waitpid"); } - diff --git a/src/fnettrace-dns/fnettrace_dns.h b/src/fnettrace-dns/fnettrace_dns.h index 6d8a3c211..b8f69e9d7 100644 --- a/src/fnettrace-dns/fnettrace_dns.h +++ b/src/fnettrace-dns/fnettrace_dns.h @@ -31,4 +31,4 @@ #include #include -#endif \ No newline at end of file +#endif diff --git a/src/fnettrace-icmp/fnettrace_icmp.h b/src/fnettrace-icmp/fnettrace_icmp.h index f535106e1..04c449ff2 100644 --- a/src/fnettrace-icmp/fnettrace_icmp.h +++ b/src/fnettrace-icmp/fnettrace_icmp.h @@ -31,4 +31,4 @@ #include #include -#endif \ No newline at end of file +#endif diff --git a/src/fnettrace-sni/fnettrace_sni.h b/src/fnettrace-sni/fnettrace_sni.h index f535106e1..04c449ff2 100644 
--- a/src/fnettrace-sni/fnettrace_sni.h +++ b/src/fnettrace-sni/fnettrace_sni.h @@ -31,4 +31,4 @@ #include #include -#endif \ No newline at end of file +#endif diff --git a/src/fnettrace/fnettrace.h b/src/fnettrace/fnettrace.h index d3bc6439e..629b8ce5b 100644 --- a/src/fnettrace/fnettrace.h +++ b/src/fnettrace/fnettrace.h @@ -70,4 +70,4 @@ char* retrieve_hostname(uint32_t ip); // tail.c void tail(const char *logfile); -#endif \ No newline at end of file +#endif diff --git a/src/fnettrace/hostnames.c b/src/fnettrace/hostnames.c index 4f5641dfb..878a67123 100644 --- a/src/fnettrace/hostnames.c +++ b/src/fnettrace/hostnames.c @@ -121,4 +121,3 @@ errexit: fprintf(stderr, "Error: invalid line %d in file %s\n", line, fname); exit(1); } - diff --git a/src/fnettrace/radix.c b/src/fnettrace/radix.c index 97e890bec..a1d510a61 100644 --- a/src/fnettrace/radix.c +++ b/src/fnettrace/radix.c @@ -152,4 +152,3 @@ char *radix_longest_prefix_match(uint32_t ip) { return (rv)? rv->name: NULL; } - diff --git a/src/fnettrace/radix.h b/src/fnettrace/radix.h index 85a75d0d7..d75fe3999 100644 --- a/src/fnettrace/radix.h +++ b/src/fnettrace/radix.h @@ -24,4 +24,4 @@ extern int radix_nodes; char *radix_longest_prefix_match(uint32_t ip); char *radix_add(uint32_t ip, uint32_t mask, char *name); -#endif \ No newline at end of file +#endif diff --git a/src/jailcheck/apparmor.c b/src/jailcheck/apparmor.c index 9b6b72fb7..658928ed5 100644 --- a/src/jailcheck/apparmor.c +++ b/src/jailcheck/apparmor.c @@ -37,4 +37,3 @@ void apparmor_test(pid_t pid) { return; } #endif - diff --git a/src/jailcheck/network.c b/src/jailcheck/network.c index 961a66105..a4d5eeec1 100644 --- a/src/jailcheck/network.c +++ b/src/jailcheck/network.c @@ -52,6 +52,3 @@ void network_test(void) { else printf(" Networking: disabled\n"); } - - - diff --git a/src/jailcheck/utils.c b/src/jailcheck/utils.c index 8460c1bf7..97fe8833b 100644 --- a/src/jailcheck/utils.c +++ b/src/jailcheck/utils.c 
@@ -99,4 +99,3 @@ int find_child(int id) { // this happens for processes sandboxed with --join return first_child; } - diff --git a/test/private-etc/private-etc.sh b/test/private-etc/private-etc.sh index 8488611b9..c46b684af 100755 --- a/test/private-etc/private-etc.sh +++ b/test/private-etc/private-etc.sh @@ -18,4 +18,3 @@ echo "TESTING: groups (test/private-etc/groups.exp)" echo "TESTING: etc-cleanup (test/private-etc/etc-cleanup.exp)" ./etc-cleanup.exp - diff --git a/test/private-lib/private-lib.sh b/test/private-lib/private-lib.sh index 0ef18b79d..5c67b16c5 100755 --- a/test/private-lib/private-lib.sh +++ b/test/private-lib/private-lib.sh @@ -29,4 +29,3 @@ if [[ $(uname -m) == "x86_64" ]]; then else echo "TESTING SKIP: private-lib test implemented only for x86_64." fi - diff --git a/test/sysutils/sysutils.sh b/test/sysutils/sysutils.sh index 34acca07d..94f0b1f76 100755 --- a/test/sysutils/sysutils.sh +++ b/test/sysutils/sysutils.sh @@ -158,4 +158,3 @@ then else echo "TESTING SKIP: whois not found" fi - -- cgit v1.2.3-54-g00ecf From 452d70cc77ddb308408c4d4da3a81a4b74530b65 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Sun, 19 Feb 2023 13:11:10 -0300 Subject: Trim trailing whitespace Commands used to search and replace: $ git grep -Ilz '[[:blank:]]$' | xargs -0 -I '{}' sh -c "printf '%s\n' \"\$(sed -E \ 's/[[:blank:]]+$//' '{}')\" >'{}'" This fixes all of the "trailing whitespace" errors raised by git: $ git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904..HEAD | grep '^[^+]' | cut -f 3 -d : | LC_ALL=C sort | uniq -c 72 space before tab in indent. 4 trailing whitespace. --- .github/ISSUE_TEMPLATE/bug_report.md | 2 +- .github/pull_request_template.md | 4 ++-- etc/profile-m-z/rpcs3.profile | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index c8c6f40bd..53066013d 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md 
@@ -81,7 +81,7 @@ output goes here
Output of LC_ALL=C firejail --debug /path/to/program

- + diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 7cb92a938..3c256dd87 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -1,9 +1,9 @@ If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR. If you submit a PR for new profiles or changing profiles, please do the following: - - The ordering of options follow the rules described in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template). + - The ordering of options follow the rules described in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template). > Hint: The profile-template is very new. If you install firejail with your package manager, it may be missing. In order to follow the latest rules, it is recommended to use the template from the repository. - - Order the arguments of options alphabetically. You can easily do this with [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py). + - Order the arguments of options alphabetically. You can easily do this with [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py). The path to it depends on your distro: | Distro | Path | diff --git a/etc/profile-m-z/rpcs3.profile b/etc/profile-m-z/rpcs3.profile index 186e31b46..405ab818d 100644 --- a/etc/profile-m-z/rpcs3.profile +++ b/etc/profile-m-z/rpcs3.profile @@ -2,7 +2,7 @@ # Description: RPCS3 emulator # This file is overwritten after every install/update # Persistent local customizations -include rpcs3.local +include rpcs3.local # Persistent global definitions include globals.local -- cgit v1.2.3-54-g00ecf From 58c71f8d481750241239b3f2d3e5cd7aaa155a94 Mon Sep 17 00:00:00 2001 
From: "Kelvin M. Klann" Date: Sun, 19 Feb 2023 14:51:09 -0300 Subject: Add .editorconfig with basic rules for all files This should make it easier to avoid whitespace errors, as long as the editor used supports it (either natively or through a plugin). See the editorconfig website for the editors that support it: * https://editorconfig.org Note: All text files appear to already be using LF and UTF-8 (or ASCII): $ git ls-files --eol | grep -v -e '^i/lf w/lf' \ -e 'i/none w/none' -e 'i/-text w/-text' i/ w/ attr/text=auto eol=lf ci/check/profiles/sort.py $ git ls-files -z | xargs -0 file -i -h | sed 's/[^:]*: *//' | grep -v -e 'charset=binary' -e 'charset=us-ascii' | LC_ALL=C sort | uniq -c 1 text/html; charset=utf-8 2 text/plain; charset=utf-8 1 text/x-c; charset=utf-8 --- .editorconfig | 7 +++++++ .gitattributes | 2 ++ 2 files changed, 9 insertions(+) create mode 100644 .editorconfig diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 000000000..f999431de --- /dev/null +++ b/.editorconfig @@ -0,0 +1,7 @@ +root = true + +[*] +charset = utf-8 +end_of_line = lf +insert_final_newline = true +trim_trailing_whitespace = true diff --git a/.gitattributes b/.gitattributes index 6b329f917..e6f32abc0 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1 +1,3 @@ +* text=auto eol=lf + /etc/inc/*.inc linguist-language=text -- cgit v1.2.3-54-g00ecf From 77e9e4938d06c2cfeb9ed7722687c6ee111fef71 Mon Sep 17 00:00:00 2001 
From: "Kelvin M. Klann" Date: Mon, 20 Feb 2023 17:29:02 -0300 Subject: .gitattributes: mark some binary files as such Git currently correctly detects them as binary; the changes are done to avoid depending on the auto-detection and also for documentation. Commands used to list all of the files that git detects as non-text files: $ git ls-files --eol | grep -e 'i/-text' -e 'w/-text' i/-text w/-text attr/text=auto eol=lf etc-fixes/seccomp-join-bug/eecf35c-backports.zip i/-text w/-text attr/text=auto eol=lf test/appimage/Leafpad-0.8.17-x86_64.AppImage i/-text w/-text attr/text=auto eol=lf test/appimage/Leafpad-0.8.18.1.glibc2.4-x86_64.AppImage i/-text w/-text attr/text=auto eol=lf test/filters/memwrexe i/-text w/-text attr/text=auto eol=lf test/filters/memwrexe-32 i/-text w/-text attr/text=auto eol=lf test/filters/namespaces i/-text w/-text attr/text=auto eol=lf test/filters/namespaces-32 Note: The committed seccomp filters do not have a file extension, so ignore them for now. --- .gitattributes | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.gitattributes b/.gitattributes index e6f32abc0..61bf3bfb7 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1,3 +1,6 @@ * text=auto eol=lf +*.AppImage -text +*.zip -text + /etc/inc/*.inc linguist-language=text -- cgit v1.2.3-54-g00ecf From 490051f71494e828f2020257c012c3b28398d852 Mon Sep 17 00:00:00 2001 
From: "Kelvin M. Klann" Date: Sun, 19 Feb 2023 14:26:15 -0300 Subject: Fix space before/after tab in indent This fixes all of the "space before tab in indent" errors raised by git: $ git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904..HEAD | grep '^[^+]' | cut -f 3 -d : | LC_ALL=C sort | uniq -c 72 space before tab in indent. Commands used to find the errors: $ git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904..HEAD $ git grep -In "$(printf '\t') " Note: Unlike "space before tab in indent", the reverse ("space after tab in indent") is not reported by git. That is because spaces could be intentionally used for alignment or line continuation, but in some cases they are being used for indentation together with tabs and in others the formatting is misaligned. The second command was used to help find and fix these other issues. --- README | 2 +- src/etc-cleanup/main.c | 4 +-- src/fbuilder/build_home.c | 2 +- src/fbuilder/filedb.c | 4 +-- src/fcopy/main.c | 2 +- src/firecfg/util.c | 8 ++--- src/firejail/appimage_size.c | 2 +- src/firejail/chroot.c | 2 +- src/firejail/cpu.c | 12 +++---- src/firejail/fs.c | 4 +-- src/firejail/ls.c | 2 +- src/firejail/macros.c | 6 ++-- src/firejail/main.c | 70 ++++++++++++++++++++--------------------- src/firejail/network.c | 2 +- src/firejail/no_sandbox.c | 8 ++--- src/firejail/restricted_shell.c | 50 ++++++++++++++--------------- src/firejail/sandbox.c | 24 +++++++------- src/firejail/util.c | 2 +- src/firemon/procevent.c | 2 +- src/firemon/top.c | 3 +- src/fnet/interface.c | 6 ++-- src/fnettrace-dns/main.c | 2 +- src/fseccomp/namespaces.c | 4 +-- src/jailcheck/noexec.c | 2 +- src/libtrace/libtrace.c | 2 +- src/profstats/main.c | 10 +++--- 26 files changed, 119 insertions(+), 118 deletions(-) diff --git a/README b/README index 86bd8cb63..7750fc049 100644 --- a/README +++ b/README 
@@ -1079,7 +1079,7 @@ SYN-cook (https://github.com/SYN-cook) startx2017 (https://github.com/startx2017) - syscall list update - updated default seccomp filters - added bpf, clock_settime, personality, process_vm_writev, query_module, - settimeofday, stime, umount, userfaultfd, ustat, vm86, and vm86old + settimeofday, stime, umount, userfaultfd, ustat, vm86, and vm86old - enable/disable join support in /etc/firejail/firejail.config - firecfg fix: create ~/.local/share/applications directory if it doesn't exist - firejail.config cleanup diff --git a/src/etc-cleanup/main.c b/src/etc-cleanup/main.c index 1f1a61f88..6c7bea6d6 100644 --- a/src/etc-cleanup/main.c +++ b/src/etc-cleanup/main.c @@ -231,8 +231,8 @@ int main(int argc, char **argv) { int i; for (i = 1; i < argc; i++) { if (strcmp(argv[i], "-h") == 0 || - strcmp(argv[i], "-?") == 0 || - strcmp(argv[i], "--help") == 0) { + strcmp(argv[i], "-?") == 0 || + strcmp(argv[i], "--help") == 0) { usage(); return 0; } diff --git a/src/fbuilder/build_home.c b/src/fbuilder/build_home.c index 6d96b69cc..15c54911b 100644 --- a/src/fbuilder/build_home.c +++ b/src/fbuilder/build_home.c @@ -110,7 +110,7 @@ void process_home(const char *fname, char *home, int home_len) { strcmp(toadd, ".cache") == 0) { if (dir) free(dir); - continue; + continue; } // clean .cache entries diff --git a/src/fbuilder/filedb.c b/src/fbuilder/filedb.c index 4089f3806..5a3b389ae 100644 --- a/src/fbuilder/filedb.c +++ b/src/fbuilder/filedb.c @@ -38,8 +38,8 @@ FileDB *filedb_find(FileDB *head, const char *fname) { if (strlen(fname) > ptr->len && fname[ptr->len] == '/' && strncmp(ptr->fname, fname, ptr->len) == 0) { - found = 1; - break; + found = 1; + break; } ptr = ptr->next; diff --git a/src/fcopy/main.c b/src/fcopy/main.c index f1deabf2e..da24fb3f7 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c 
@@ -236,7 +236,7 @@ void copy_link(const char *target, const char *linkpath, mode_t mode, uid_t uid, // if the link is already there, don't create it struct stat s; if (lstat(linkpath, &s) == 0) - return; + return; char *rp = proc_pid_to_self(target); if (rp) { diff --git a/src/firecfg/util.c b/src/firecfg/util.c index dc24d4e68..4185b52dd 100644 --- a/src/firecfg/util.c +++ b/src/firecfg/util.c @@ -30,8 +30,8 @@ static int find(const char *program, const char *directory) { struct stat s; if (stat(fname, &s) == 0) { - if (arg_debug) - printf("found %s in directory %s\n", program, directory); + if (arg_debug) + printf("found %s in directory %s\n", program, directory); retval = 1; } @@ -44,8 +44,8 @@ static int find(const char *program, const char *directory) { int which(const char *program) { // check some well-known paths if (find(program, "/bin") || find(program, "/usr/bin") || - find(program, "/sbin") || find(program, "/usr/sbin") || - find(program, "/usr/games")) + find(program, "/sbin") || find(program, "/usr/sbin") || + find(program, "/usr/games")) return 1; // check environment diff --git a/src/firejail/appimage_size.c b/src/firejail/appimage_size.c index 6bb530d12..c3f1620bc 100644 --- a/src/firejail/appimage_size.c +++ b/src/firejail/appimage_size.c @@ -144,7 +144,7 @@ long unsigned int appimage2_size(int fd) { return 0; if ((ehdr.e_ident[EI_DATA] != ELFDATA2LSB) && - (ehdr.e_ident[EI_DATA] != ELFDATA2MSB)) + (ehdr.e_ident[EI_DATA] != ELFDATA2MSB)) return 0; if(ehdr.e_ident[EI_CLASS] == ELFCLASS32) { diff --git a/src/firejail/chroot.c b/src/firejail/chroot.c index fef7eb724..132ac94ba 100644 --- a/src/firejail/chroot.c +++ b/src/firejail/chroot.c @@ -280,7 +280,7 @@ void fs_chroot(const char *rootdir) { // fs_dev_shm(); fs_var_lock(); if (!arg_keep_var_tmp) - fs_var_tmp(); + fs_var_tmp(); if (!arg_writable_var_log) fs_var_log(); diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c index ada76bc76..804d51caa 100644 --- a/src/firejail/cpu.c 
+++ b/src/firejail/cpu.c @@ -103,17 +103,17 @@ void set_cpu_affinity(void) { if (sched_setaffinity(0, sizeof(mask), &mask) == -1) fwarning("cannot set cpu affinity\n"); - // verify cpu affinity + // verify cpu affinity cpu_set_t mask2; CPU_ZERO(&mask2); if (sched_getaffinity(0, sizeof(mask2), &mask2) == -1) fwarning("cannot verify cpu affinity\n"); - else if (arg_debug) { - if (CPU_EQUAL(&mask, &mask2)) - printf("CPU affinity set\n"); + else if (arg_debug) { + if (CPU_EQUAL(&mask, &mask2)) + printf("CPU affinity set\n"); else - printf("CPU affinity not set\n"); - } + printf("CPU affinity not set\n"); + } } static void print_cpu(ProcessHandle process) { diff --git a/src/firejail/fs.c b/src/firejail/fs.c index d7a2edc3b..182f26e53 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -123,8 +123,8 @@ static void disable_file(OPERATION op, const char *filename) { if (op == BLACKLIST_FILE || op == BLACKLIST_NOLOG) { // some distros put all executables under /usr/bin and make /bin a symbolic link if ((strcmp(fname, "/bin") == 0 || strcmp(fname, "/usr/bin") == 0) && - is_link(filename) && - S_ISDIR(s.st_mode)) { + is_link(filename) && + S_ISDIR(s.st_mode)) { fwarning("%s directory link was not blacklisted\n", filename); } else { diff --git a/src/firejail/ls.c b/src/firejail/ls.c index f2782de35..ea85fabfd 100644 --- a/src/firejail/ls.c +++ b/src/firejail/ls.c @@ -178,7 +178,7 @@ static void print_directory(const char *path) { n = scandir(path, &namelist, 0, alphasort); if (n < 0) - errExit("scandir"); + errExit("scandir"); else { for (i = 0; i < n; i++) print_file_or_dir(path, namelist[i]->d_name); diff --git a/src/firejail/macros.c b/src/firejail/macros.c index 27bb4227a..af7d02c2a 100644 --- a/src/firejail/macros.c +++ b/src/firejail/macros.c 
@@ -38,19 +38,19 @@ Macro macro[] = { }, { - "${MUSIC}", + "${MUSIC}", "XDG_MUSIC_DIR=\"$HOME/", {"Music", "Музыка", "Musique", "Musica", "Música", "Musik"} }, { - "${VIDEOS}", + "${VIDEOS}", "XDG_VIDEOS_DIR=\"$HOME/", {"Videos", "Видео", "Vidéos", "Video", "Vídeos"} }, { - "${PICTURES}", + "${PICTURES}", "XDG_PICTURES_DIR=\"$HOME/", {"Pictures", "Изображения", "Photos", "Immagini", "Imágenes", "Imagens", "Bilder"} }, diff --git a/src/firejail/main.c b/src/firejail/main.c index 7a9d3d00d..fac357303 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -52,7 +52,7 @@ int __clone2(int (*fn)(void *), void *child_stack_base, size_t stack_size, int flags, void *arg, ... - /* pid_t *ptid, struct user_desc *tls, pid_t *ctid */ ); + /* pid_t *ptid, struct user_desc *tls, pid_t *ctid */ ); #endif uid_t firejail_uid = 0; @@ -106,7 +106,7 @@ char *arg_netfilter6_file = NULL; // netfilter6 file char *arg_netns = NULL; // "ip netns"-created network namespace to use int arg_doubledash = 0; // double dash int arg_private_dev = 0; // private dev directory -int arg_keep_dev_shm = 0; // preserve /dev/shm +int arg_keep_dev_shm = 0; // preserve /dev/shm int arg_private_etc = 0; // private etc directory int arg_private_opt = 0; // private opt directory int arg_private_srv = 0; // private srv directory @@ -129,7 +129,7 @@ int arg_writable_etc = 0; // writable etc int arg_keep_config_pulse = 0; // disable automatic ~/.config/pulse init int arg_keep_shell_rc = 0; // do not copy shell configuration from /etc/skel int arg_writable_var = 0; // writable var -int arg_keep_var_tmp = 0; // don't overwrite /var/tmp +int arg_keep_var_tmp = 0; // don't overwrite /var/tmp int arg_writable_run_user = 0; // writable /run/user int arg_writable_var_log = 0; // writable /var/log int arg_appimage = 0; // appimage 
@@ -141,7 +141,7 @@ int arg_x11_block = 0; // block X11 int arg_x11_xorg = 0; // use X11 security extension int arg_allusers = 0; // all user home directories visible int arg_machineid = 0; // spoof /etc/machine-id -int arg_allow_private_blacklist = 0; // blacklist things in private directories +int arg_allow_private_blacklist = 0; // blacklist things in private directories int arg_disable_mnt = 0; // disable /mnt and /media int arg_noprofile = 0; // use default.profile if none other found/specified int arg_memory_deny_write_execute = 0; // block writable and executable memory @@ -150,7 +150,7 @@ int arg_nodvd = 0; // --nodvd int arg_nou2f = 0; // --nou2f int arg_noinput = 0; // --noinput int arg_deterministic_exit_code = 0; // always exit with first child's exit status -int arg_deterministic_shutdown = 0; // shut down the sandbox if first child dies +int arg_deterministic_shutdown = 0; // shut down the sandbox if first child dies int arg_keep_fd_all = 0; // inherit all file descriptors to sandbox DbusPolicy arg_dbus_user = DBUS_POLICY_ALLOW; // --dbus-user DbusPolicy arg_dbus_system = DBUS_POLICY_ALLOW; // --dbus-system @@ -768,11 +768,11 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { exit(1); } char *path = argv[i + 1]; - invalid_filename(path, 0); // no globbing - if (strstr(path, "..")) { - fprintf(stderr, "Error: invalid file name %s\n", path); - exit(1); - } + invalid_filename(path, 0); // no globbing + if (strstr(path, "..")) { + fprintf(stderr, "Error: invalid file name %s\n", path); + exit(1); + } // get file pid_t pid = require_pid(argv[i] + 6); 
@@ -796,17 +796,17 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { exit(1); } char *path1 = argv[i + 1]; - invalid_filename(path1, 0); // no globbing - if (strstr(path1, "..")) { - fprintf(stderr, "Error: invalid file name %s\n", path1); - exit(1); - } + invalid_filename(path1, 0); // no globbing + if (strstr(path1, "..")) { + fprintf(stderr, "Error: invalid file name %s\n", path1); + exit(1); + } char *path2 = argv[i + 2]; - invalid_filename(path2, 0); // no globbing - if (strstr(path2, "..")) { - fprintf(stderr, "Error: invalid file name %s\n", path2); - exit(1); - } + invalid_filename(path2, 0); // no globbing + if (strstr(path2, "..")) { + fprintf(stderr, "Error: invalid file name %s\n", path2); + exit(1); + } // get file pid_t pid = require_pid(argv[i] + 6); @@ -830,15 +830,15 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { exit(1); } char *path = argv[i + 1]; - invalid_filename(path, 0); // no globbing - if (strstr(path, "..")) { - fprintf(stderr, "Error: invalid file name %s\n", path); - exit(1); - } + invalid_filename(path, 0); // no globbing + if (strstr(path, "..")) { + fprintf(stderr, "Error: invalid file name %s\n", path); + exit(1); + } // list directory contents if (!arg_debug) - arg_quiet = 1; + arg_quiet = 1; pid_t pid = require_pid(argv[i] + 5); sandboxfs(SANDBOX_FS_LS, pid, path, NULL); exit(0); @@ -867,7 +867,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { // write file contents to stdout if (!arg_debug) - arg_quiet = 1; + arg_quiet = 1; pid_t pid = require_pid(argv[i] + 6); sandboxfs(SANDBOX_FS_CAT, pid, path, NULL); exit(0); 
@@ -894,8 +894,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { } else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { - // NOTE: this is first part of option handler, - // sandbox name is set in other part + // NOTE: this is first part of option handler, sandbox name is + // set in other part if (checkcfg(CFG_JOIN) || getuid() == 0) { logargs(argc, argv); @@ -1050,11 +1050,11 @@ static int check_postexec(const char *list) { //******************************************* int main(int argc, char **argv, char **envp) { int i; - int prog_index = -1; // index in argv where the program command starts + int prog_index = -1; // index in argv where the program command starts int lockfd_network = -1; int lockfd_directory = -1; - int custom_profile = 0; // custom profile loaded - int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot) + int custom_profile = 0; // custom profile loaded + int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot) char **ptr; @@ -1983,7 +1983,7 @@ int main(int argc, char **argv, char **envp) { arg_writable_var = 1; } else if (strcmp(argv[i], "--keep-var-tmp") == 0) { - arg_keep_var_tmp = 1; + arg_keep_var_tmp = 1; } else if (strcmp(argv[i], "--writable-run-user") == 0) { arg_writable_run_user = 1; @@ -2818,8 +2818,8 @@ int main(int argc, char **argv, char **envp) { } #endif else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { - // NOTE: this is second part of option handler, - // atempt to find and join sandbox is done in other one + // NOTE: this is second part of option handler, atempt + // to find and join sandbox is done in other one // set sandbox name and start normally cfg.name = argv[i] + 16; diff --git a/src/firejail/network.c b/src/firejail/network.c index 5163035fa..c1adf87cc 100644 --- a/src/firejail/network.c +++ b/src/firejail/network.c 
@@ -265,7 +265,7 @@ int net_get_mac(const char *ifname, unsigned char mac[6]) { int sock; if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) - errExit("socket"); + errExit("socket"); memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 3997d8f86..22ee9dc3c 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c @@ -29,10 +29,10 @@ int is_container(const char *str) { assert(str); if (strcmp(str, "lxc") == 0 || - strcmp(str, "docker") == 0 || - strcmp(str, "lxc-libvirt") == 0 || - strcmp(str, "systemd-nspawn") == 0 || - strcmp(str, "rkt") == 0) + strcmp(str, "docker") == 0 || + strcmp(str, "lxc-libvirt") == 0 || + strcmp(str, "systemd-nspawn") == 0 || + strcmp(str, "rkt") == 0) return 1; return 0; } diff --git a/src/firejail/restricted_shell.c b/src/firejail/restricted_shell.c index a22e63ab3..79e0bd9df 100644 --- a/src/firejail/restricted_shell.c +++ b/src/firejail/restricted_shell.c @@ -84,16 +84,16 @@ int restricted_shell(const char *user) { // user name globbing if (fnmatch(usr, user, 0) == 0) { - // process program arguments + // process program arguments - fullargv[0] = "firejail"; - int i; - ptr = args; - for (i = 1; i < MAX_ARGS; i++) { - // skip blanks - while (*ptr == ' ' || *ptr == '\t') - ptr++; - fullargv[i] = ptr; + fullargv[0] = "firejail"; + int i; + ptr = args; + for (i = 1; i < MAX_ARGS; i++) { + // skip blanks + while (*ptr == ' ' || *ptr == '\t') + ptr++; + fullargv[i] = ptr; #ifdef DEBUG_RESTRICTED_SHELL {EUID_ROOT(); FILE *fp = fopen("/firelog", "ae"); 
@@ -104,23 +104,23 @@ int restricted_shell(const char *user) { EUID_USER();} #endif - if (*ptr != '\0') { - // go to the end of the word - while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0') - ptr++; - *ptr ='\0'; - fullargv[i] = strdup(fullargv[i]); - if (fullargv[i] == NULL) - errExit("strdup"); - ptr++; - while (*ptr == ' ' || *ptr == '\t') - ptr++; - if (*ptr != '\0') - continue; - } - fullargv[i] = strdup(fullargv[i]); + if (*ptr != '\0') { + // go to the end of the word + while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0') + ptr++; + *ptr ='\0'; + fullargv[i] = strdup(fullargv[i]); + if (fullargv[i] == NULL) + errExit("strdup"); + ptr++; + while (*ptr == ' ' || *ptr == '\t') + ptr++; + if (*ptr != '\0') + continue; + } + fullargv[i] = strdup(fullargv[i]); fclose(fp); - return i + 1; + return i + 1; } fprintf(stderr, "Error: too many program arguments in users.conf line %d\n", lineno); exit(1); diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index c4dc0ca78..a4109cc17 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -274,7 +274,7 @@ static void sandbox_if_up(Bridge *br) { } if (br->ip6sandbox) - net_if_ip6(dev, br->ip6sandbox); + net_if_ip6(dev, br->ip6sandbox); } static void chk_chroot(void) { @@ -650,12 +650,12 @@ int sandbox(void* sandbox_arg) { if (arg_debug) printf("Initializing child process\n"); - // close each end of the unused pipes - close(parent_to_child_fds[1]); - close(child_to_parent_fds[0]); + // close each end of the unused pipes + close(parent_to_child_fds[1]); + close(child_to_parent_fds[0]); - // wait for parent to do base setup - wait_for_other(parent_to_child_fds[0]); + // wait for parent to do base setup + wait_for_other(parent_to_child_fds[0]); if (arg_debug && child_pid == 1) printf("PID namespace installed\n"); 
@@ -1259,13 +1259,13 @@ int sandbox(void* sandbox_arg) { } // notify parent that new user namespace has been created so a proper - // UID/GID map can be setup - notify_other(child_to_parent_fds[1]); - close(child_to_parent_fds[1]); + // UID/GID map can be setup + notify_other(child_to_parent_fds[1]); + close(child_to_parent_fds[1]); - // wait for parent to finish setting up a proper UID/GID map - wait_for_other(parent_to_child_fds[0]); - close(parent_to_child_fds[0]); + // wait for parent to finish setting up a proper UID/GID map + wait_for_other(parent_to_child_fds[0]); + close(parent_to_child_fds[0]); // somehow, the new user namespace resets capabilities; // we need to do them again diff --git a/src/firejail/util.c b/src/firejail/util.c index 846c27321..bafcd69ec 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -1101,7 +1101,7 @@ void mkdir_attr(const char *fname, mode_t mode, uid_t uid, gid_t gid) { if (mkdir(fname, mode) == -1 || chmod(fname, mode) == -1 || chown(fname, uid, gid)) { - fprintf(stderr, "Error: failed to create %s directory\n", fname); + fprintf(stderr, "Error: failed to create %s directory\n", fname); errExit("mkdir/chmod"); } diff --git a/src/firemon/procevent.c b/src/firemon/procevent.c index ff4fdda56..77739c1f3 100644 --- a/src/firemon/procevent.c +++ b/src/firemon/procevent.c @@ -309,7 +309,7 @@ static void __attribute__((noreturn)) procevent_monitor(const int sock, pid_t my #endif if (proc_ev->event_data.fork.child_pid != proc_ev->event_data.fork.child_tgid) - continue; // this is a thread, not a process + continue; // this is a thread, not a process pid = proc_ev->event_data.fork.parent_tgid; #ifdef DEBUG_PRCTL printf("%s: %d, event fork, pid %d\n", __FUNCTION__, __LINE__, pid); diff --git a/src/firemon/top.c b/src/firemon/top.c index c127e2f56..c70bc9424 100644 --- a/src/firemon/top.c +++ b/src/firemon/top.c 
@@ -166,7 +166,8 @@ static char *print_top(unsigned index, unsigned parent, unsigned *utime, unsigne snprintf(prcs_str, 10, "%d", *cnt); if (asprintf(&rv, "%-7.7s %-9.9s %-8.8s %-8.8s %-5.5s %-4.4s %-9.9s %s", - pidstr, ptruser, rss, shared, cpu_str, prcs_str, uptime_str, ptrcmd) == -1) + pidstr, ptruser, rss, shared, cpu_str, prcs_str, + uptime_str, ptrcmd) == -1) errExit("asprintf"); if (cmd) diff --git a/src/fnet/interface.c b/src/fnet/interface.c index aa0981269..873252d40 100644 --- a/src/fnet/interface.c +++ b/src/fnet/interface.c @@ -57,7 +57,7 @@ void net_bridge_add_interface(const char *bridge, const char *dev) { int sock; if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) - errExit("socket"); + errExit("socket"); memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_name, bridge, IFNAMSIZ - 1); @@ -237,7 +237,7 @@ int net_get_mac(const char *ifname, unsigned char mac[6]) { int sock; if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) - errExit("socket"); + errExit("socket"); memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); @@ -291,7 +291,7 @@ int net_if_mac(const char *ifname, const unsigned char mac[6]) { int sock; if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) - errExit("socket"); + errExit("socket"); memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); diff --git a/src/fnettrace-dns/main.c b/src/fnettrace-dns/main.c index 60738147d..64feec5fe 100644 --- a/src/fnettrace-dns/main.c +++ b/src/fnettrace-dns/main.c @@ -124,7 +124,7 @@ static void print_date(void) { static void run_trace(void) { // grab all Ethernet packets and use a custom BPF filter to get only UDP from source port 53 - int s = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); + int s = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); if (s < 0) errExit("socket"); custom_bpf(s); diff --git a/src/fseccomp/namespaces.c b/src/fseccomp/namespaces.c index ffc1dfe4c..e6c63219f 100644 --- a/src/fseccomp/namespaces.c +++ b/src/fseccomp/namespaces.c 
@@ -202,8 +202,8 @@ void deny_ns_32(const char *fname, const char *list) { // 0003: 20 00 00 00000000 ld data.syscall-number // 0004: 06 00 00 7fff0000 ret ALLOW // - if (sizeof(filter)) - write_to_file(fd, filter, sizeof(filter)); + if (sizeof(filter)) + write_to_file(fd, filter, sizeof(filter)); filter_end_blacklist(fd); diff --git a/src/jailcheck/noexec.c b/src/jailcheck/noexec.c index a78272591..bfeff9c7f 100644 --- a/src/jailcheck/noexec.c +++ b/src/jailcheck/noexec.c @@ -76,7 +76,7 @@ void noexec_test(const char *path) { if (child == 0) { // child // drop privileges - if (setgid(user_gid) != 0) + if (setgid(user_gid) != 0) errExit("setgid"); if (setuid(user_uid) != 0) errExit("setuid"); diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c index 97e36e5c9..231e09882 100644 --- a/src/libtrace/libtrace.c +++ b/src/libtrace/libtrace.c @@ -515,7 +515,7 @@ int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) { if (!orig_connect) orig_connect = (orig_connect_t)dlsym(RTLD_NEXT, "connect"); - int rv = orig_connect(sockfd, addr, addrlen); + int rv = orig_connect(sockfd, addr, addrlen); print_sockaddr(sockfd, "connect", addr, rv); return rv; diff --git a/src/profstats/main.c b/src/profstats/main.c index 90a5f405d..491cec736 100644 --- a/src/profstats/main.c +++ b/src/profstats/main.c @@ -166,7 +166,7 @@ static void process_file(char *fname) { else if (strncmp(ptr, "include whitelist-var-common.inc", 32) == 0) cnt_whitelistvar++; else if (strncmp(ptr, "include whitelist-runuser-common.inc", 36) == 0 || - strncmp(ptr, "blacklist ${RUNUSER}", 20) == 0) + strncmp(ptr, "blacklist ${RUNUSER}", 20) == 0) cnt_whitelistrunuser++; else if (strncmp(ptr, "include whitelist-common.inc", 28) == 0) cnt_whitelisthome++; 
@@ -283,10 +283,10 @@ int main(int argc, char **argv) { arg_dbus_user_none = 1; else if (*argv[i] == '-') { fprintf(stderr, "Error: invalid option %s\n", argv[i]); - return 1; - } - else - break; + return 1; + } + else + break; } start = i; -- cgit v1.2.3-54-g00ecf From f5d8d8cc7af8f8816c47623515babcefceb7e22f Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Sun, 19 Feb 2023 14:27:45 -0300 Subject: docs: improve grammar in --join-or-start= comments --- src/firejail/main.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/firejail/main.c b/src/firejail/main.c index fac357303..ed31efb6c 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -894,8 +894,8 @@ static void run_cmd_and_exit(int i, int argc, char **argv) { } else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { - // NOTE: this is first part of option handler, sandbox name is - // set in other part + // Note: This is the first part of the option handler; the + // sandbox name is set in the other part if (checkcfg(CFG_JOIN) || getuid() == 0) { logargs(argc, argv); @@ -2818,8 +2818,9 @@ int main(int argc, char **argv, char **envp) { } #endif else if (strncmp(argv[i], "--join-or-start=", 16) == 0) { - // NOTE: this is second part of option handler, atempt - // to find and join sandbox is done in other one + // Note: This is the second part of the option handler; + // the attempt to find and join the sandbox is done in + // the other one // set sandbox name and start normally cfg.name = argv[i] + 16; -- cgit v1.2.3-54-g00ecf From 37546800876d977d77cc86d9b307f8cfa714c1dd Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Wed, 1 Feb 2023 04:19:59 -0300 Subject: docs: remove indents on top-level lists and tables And the surrounding paragraphs. Relates to #2784. --- .github/pull_request_template.md | 20 ++++++++++---------- CONTRIBUTING.md | 24 ++++++++++++------------ 2 files changed, 22 insertions(+), 22 deletions(-) 
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index 3c256dd87..80945c8ba 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,17 +1,17 @@ If your PR isn't about profiles or you have no idea how to do one of these, skip the following and go ahead with this PR. If you submit a PR for new profiles or changing profiles, please do the following: - - The ordering of options follow the rules described in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template). - > Hint: The profile-template is very new. If you install firejail with your package manager, it may be missing. In order to follow the latest rules, it is recommended to use the template from the repository. - - Order the arguments of options alphabetically. You can easily do this with [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py). - The path to it depends on your distro: +- The ordering of options follow the rules described in [/usr/share/doc/firejail/profile.template](https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template). +> Hint: The profile-template is very new. If you install firejail with your package manager, it may be missing. In order to follow the latest rules, it is recommended to use the template from the repository. +- Order the arguments of options alphabetically. You can easily do this with [sort.py](https://github.com/netblue30/firejail/tree/master/contrib/sort.py). +The path to it depends on your distro: - | Distro | Path | - | ------ | ---- | - | Arch/Fedora | `/usr/lib64/firejail/sort.py` | - | Debian/Ubuntu/Mint | `/usr/lib/x86_64-linux-gnu/firejail/sort.py` | - | local git clone | `contrib/sort.py` | +| Distro | Path | +| ------ | ---- | +| Arch/Fedora | `/usr/lib64/firejail/sort.py` | +| Debian/Ubuntu/Mint | `/usr/lib/x86_64-linux-gnu/firejail/sort.py` | +| local git clone | `contrib/sort.py` | - Note also that the sort.py script exists only since firejail `0.9.61`. +Note also that the sort.py script exists only since firejail `0.9.61`. See also [CONTRIBUTING.md](/CONTRIBUTING.md). 
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 97730e533..76d3e709b 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -9,14 +9,14 @@ our [dedicated issue](https://github.com/netblue30/firejail/issues/1139). When submitting a bug report, please provide the following information so that we can handle the report more easily: - - firejail version. If you're not sure, open a terminal and type `firejail --version`. - - Linux distribution (so that we can try to reproduce it, if necessary). - - If you know that the problem did not exist in an earlier version of firejail, please mention it. - - If you are reporting that a program does not work with firejail, please also run firejail with - the `--noprofile` argument. - For example, if `firejail firefox` does not work, please also run `firejail --noprofile firefox` and - let us know if it runs correctly or not. - - You may also try disabling various options provided in `/etc/firejail/` until you find out which one causes problems. It will significantly help to find solution for your issue. +- firejail version. If you're not sure, open a terminal and type `firejail --version`. +- Linux distribution (so that we can try to reproduce it, if necessary). +- If you know that the problem did not exist in an earlier version of firejail, please mention it. +- If you are reporting that a program does not work with firejail, please also run firejail with +the `--noprofile` argument. +For example, if `firejail firefox` does not work, please also run `firejail --noprofile firefox` and +let us know if it runs correctly or not. +- You may also try disabling various options provided in `/etc/firejail/` until you find out which one causes problems. It will significantly help to find solution for your issue. Please note: if you are running Debian, Ubuntu, Linux Mint, or another related distribution and you installed firejail from your distro's repositories, please 
@@ -36,10 +36,10 @@ If you have already written a profile, please make sure it follows the rules des If you add a new command, here's the checklist: - - [ ] Update manpages: firejail(1) and firejail-profile(5) - - [ ] Update shell completions - - [ ] Update syntax files (run `make syntax` or just `make`) - - [ ] Update --help +- [ ] Update manpages: firejail(1) and firejail-profile(5) +- [ ] Update shell completions +- [ ] Update syntax files (run `make syntax` or just `make`) +- [ ] Update --help # Editing the wiki -- cgit v1.2.3-54-g00ecf From def30f6d1e6cbde702dfcf2150d65bdddc9ac75e Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Sun, 19 Feb 2023 17:22:00 -0300 Subject: test/filters/namespaces.c: use tabs for indentation This appears to be the only C file in the repository that uses spaces for indentation. Commands used to check for the above: $ git grep '^ ' -- '*.c' '*.h' Commands used to search and replace: $ f=test/filters/namespaces.c; printf '%s\n' \ "$(sed 's/ /\t/g' "$f")" >"$f" Note: The mmap call was aligned manually. Added on commit 5116c1ced ("testing", 2022-12-24). --- test/filters/namespaces.c | 130 +++++++++++++++++++++++----------------------- 1 file changed, 65 insertions(+), 65 deletions(-) diff --git a/test/filters/namespaces.c b/test/filters/namespaces.c index 06dfa4edf..ecf0fdcd1 100644 --- a/test/filters/namespaces.c +++ b/test/filters/namespaces.c 
@@ -15,82 +15,82 @@ #define STACK_SIZE 1024 * 1024 static int usage() { - fprintf(stderr, "Usage: namespaces [clone,unshare] [cgroup,ipc,mnt,net,pid,time,user,uts]\n"); - exit(1); + fprintf(stderr, "Usage: namespaces [clone,unshare] [cgroup,ipc,mnt,net,pid,time,user,uts]\n"); + exit(1); } static void die(const char *msg) { - fprintf(stderr, "Error: %s: %s\n", msg, strerror(errno)); - exit(1); + fprintf(stderr, "Error: %s: %s\n", msg, strerror(errno)); + exit(1); } static int ns_flags(const char *list) { - int flags = 0; - - char *dup = strdup(list); - if (!dup) - die("cannot allocate memory"); - - char *token = strtok(dup, ","); - while (token) { - if (strcmp(token, "cgroup") == 0) - flags |= CLONE_NEWCGROUP; - else if (strcmp(token, "ipc") == 0) - flags |= CLONE_NEWIPC; - else if (strcmp(token, "net") == 0) - flags |= CLONE_NEWNET; - else if (strcmp(token, "mnt") == 0) - flags |= CLONE_NEWNS; - else if (strcmp(token, "pid") == 0) - flags |= CLONE_NEWPID; - else if (strcmp(token, "time") == 0) - flags |= CLONE_NEWTIME; - else if (strcmp(token, "user") == 0) - flags |= CLONE_NEWUSER; - else if (strcmp(token, "uts") == 0) - flags |= CLONE_NEWUTS; - else - usage(); - - token = strtok(NULL, ","); - } - - free(dup); - return flags; + int flags = 0; + + char *dup = strdup(list); + if (!dup) + die("cannot allocate memory"); + + char *token = strtok(dup, ","); + while (token) { + if (strcmp(token, "cgroup") == 0) + flags |= CLONE_NEWCGROUP; + else if (strcmp(token, "ipc") == 0) + flags |= CLONE_NEWIPC; + else if (strcmp(token, "net") == 0) + flags |= CLONE_NEWNET; + else if (strcmp(token, "mnt") == 0) + flags |= CLONE_NEWNS; + else if (strcmp(token, "pid") == 0) + flags |= CLONE_NEWPID; + else if (strcmp(token, "time") == 0) + flags |= CLONE_NEWTIME; + else if (strcmp(token, "user") == 0) + flags |= CLONE_NEWUSER; + else if (strcmp(token, "uts") == 0) + flags |= CLONE_NEWUTS; + else + usage(); + + token = strtok(NULL, ","); + } + + free(dup); + return flags; } static int 
child(void *arg) { - (void) arg; + (void) arg; - fprintf(stderr, "clone successful\n"); - return 0; + fprintf(stderr, "clone successful\n"); + return 0; } int main (int argc, char **argv) { - if (argc != 3) - usage(); - - int flags = ns_flags(argv[2]); - if (getuid() != 0) - flags |= CLONE_NEWUSER; - - if (strcmp(argv[1], "clone") == 0) { - void *stack = mmap(NULL, STACK_SIZE, PROT_READ | PROT_WRITE, - MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); - if (stack == MAP_FAILED) - die("mmap"); - - if (clone(child, stack + STACK_SIZE, flags | SIGCHLD, NULL) < 0) - die("clone"); - } - else if (strcmp(argv[1], "unshare") == 0) { - if (unshare(flags)) - die("unshare"); - - fprintf(stderr, "unshare successful\n"); - } - else - usage(); - - return 0; + if (argc != 3) + usage(); + + int flags = ns_flags(argv[2]); + if (getuid() != 0) + flags |= CLONE_NEWUSER; + + if (strcmp(argv[1], "clone") == 0) { + void *stack = mmap(NULL, STACK_SIZE, PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + if (stack == MAP_FAILED) + die("mmap"); + + if (clone(child, stack + STACK_SIZE, flags | SIGCHLD, NULL) < 0) + die("clone"); + } + else if (strcmp(argv[1], "unshare") == 0) { + if (unshare(flags)) + die("unshare"); + + fprintf(stderr, "unshare successful\n"); + } + else + usage(); + + return 0; } -- cgit v1.2.3-54-g00ecf From 8c0d4ecbdc79ee226f4a55bb5a0f954acabe722e Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Sun, 19 Feb 2023 18:01:24 -0300 Subject: extract_seccomp.c: use "do while" in macro definition To match the common usage; see for example src/firejail/firejail.h. Added on commit 960b4daba ("add tool to dump seccomp filters", 2020-02-17). --- src/tools/extract_seccomp.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/src/tools/extract_seccomp.c b/src/tools/extract_seccomp.c index 0482dfd88..69e20317a 100644 --- a/src/tools/extract_seccomp.c +++ b/src/tools/extract_seccomp.c 
@@ -31,10 +31,13 @@ #include #define MAXBUF 1024 -#define errExit(msg) { char msgout[256]; \ - snprintf(msgout, 256, "Error %d: %s", __LINE__, (msg)); \ - perror(msgout); \ - exit(1); } +#define errExit(msg) \ + do { \ + char msgout[256]; \ + snprintf(msgout, 256, "Error %d: %s", __LINE__, (msg)); \ + perror(msgout); \ + exit(1); \ + } while (0); // dump all seccomp filters of a process // for further analysis with fsec-print -- cgit v1.2.3-54-g00ecf From b406b2420a0dda3ea96f19bd8867a9564901f154 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Sun, 19 Feb 2023 17:30:42 -0300 Subject: tests: Fix mixed space/tabs indentation Command used to find the errors: $ git grep -I '^ [^*]' -- test/ Misc: All of the affected files were added in 2016. --- test/fs/private-whitelist.exp | 6 +++--- test/network/firemon-route.exp | 2 +- test/profiles/test2.profile | 8 ++++---- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/test/fs/private-whitelist.exp b/test/fs/private-whitelist.exp index eaad5700d..bf95e40dd 100755 --- a/test/fs/private-whitelist.exp +++ b/test/fs/private-whitelist.exp @@ -32,9 +32,9 @@ send -- "ls -a ~ | wc -l\r" expect { timeout {puts "TESTING ERROR 4\n";exit} "3" {puts "3\n"} - "4" {puts "4\n"} - "5" {puts "5\n"} - "6" {puts "6\n"} + "4" {puts "4\n"} + "5" {puts "5\n"} + "6" {puts "6\n"} } sleep 1 diff --git a/test/network/firemon-route.exp b/test/network/firemon-route.exp index 707217eea..69cccfeae 100755 --- a/test/network/firemon-route.exp +++ b/test/network/firemon-route.exp 
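Review bot: The new `errExit` definition in src/tools/extract_seccomp.c ends with `} while (0);`, and that trailing semicolon defeats the purpose of the do/while wrapper. With it, `if (cond) errExit("x"); else ...` expands to two statements, so the `else` no longer attaches to the `if` and the code fails to compile. The closing line should be `} while (0)` so that the caller's own semicolon terminates the statement. In the same macro, `snprintf(msgout, 256, ...)` could take `sizeof(msgout)` so the bound cannot drift from the array size. The commit message names src/firejail/firejail.h as the model; that header's definition is not visible in this hunk, so it is worth confirming it does not carry the same semicolon.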
@@ -33,7 +33,7 @@ expect { "0.0.0.0/0 via 192.168.1.1, dev eth0, metric 0" {puts "Debian testing\n";} "0.0.0.0/0 via 192.168.1.1, dev enp0s3, metric 1024" {puts "Centos 7 testing\n";} "0.0.0.0/0 via 192.168.1.1, dev enp0s3, metric 0" {puts "OpenSUSE testing\n";} - "0.0.0.0/0 via 192.168.1.1, dev enp0s3, metric 100" {puts "Arch testing\n";} + "0.0.0.0/0 via 192.168.1.1, dev enp0s3, metric 100" {puts "Arch testing\n";} } expect { timeout {puts "TESTING ERROR 4\n";exit} diff --git a/test/profiles/test2.profile b/test/profiles/test2.profile index 9fbd5219a..9504f5085 100644 --- a/test/profiles/test2.profile +++ b/test/profiles/test2.profile @@ -1,6 +1,6 @@ caps seccomp - private - include test.profile - include test.local - include test25.profile +private +include test.profile +include test.local +include test25.profile -- cgit v1.2.3-54-g00ecf From 6648a1e9688b4cdd971d6c68b568f4fd8b43ce15 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Sun, 19 Feb 2023 15:20:57 -0300 Subject: *.sh: use consistent indentation Almost all of the shell scripts in the repository use tabs for indentation (or have no indentation at all): $ git grep -Il '^\t' -- '*.sh' | wc -l 19 $ git grep -Il '^ ' -- '*.sh' | wc -l 5 $ git grep -IL '^[ \t]' -- '*.sh' | wc -l 25 So do the same in the few shell scripts that currently use spaces for indentation. Except for the following file: * platform/rpm/mkrpm.sh Not sure if it's following a packaging-specific scheme, so just fix the one indentation inconsistency in it and otherwise leave it as is for now. Command used to search for shell scripts using spaces for indentation: $ git grep -In '^ ' -- '*.sh' --- contrib/gdb-firejail.sh | 8 ++++---- contrib/syscalls.sh | 34 +++++++++++++++++----------------- platform/rpm/mkrpm.sh | 2 +- 3 files changed, 22 insertions(+), 22 deletions(-) diff --git a/contrib/gdb-firejail.sh b/contrib/gdb-firejail.sh index b00cc65bc..032b031f0 100755 --- a/contrib/gdb-firejail.sh +++ b/contrib/gdb-firejail.sh 
@@ -13,11 +13,11 @@ set -x # setuid firejail process from the absolute beginning. if [ -z "${1##*/firejail}" ]; then - FIREJAIL=$1 + FIREJAIL=$1 else - # First argument is not named firejail, then add default unless environment - # variable already set. - set -- ${FIREJAIL:=$(command -v firejail)} "$@" + # First argument is not named firejail, then add default unless environment + # variable already set. + set -- ${FIREJAIL:=$(command -v firejail)} "$@" fi bash -c "kill -STOP \$\$; exec \"\$0\" \"\$@\"" "$@" & diff --git a/contrib/syscalls.sh b/contrib/syscalls.sh index 2c5bdf5ec..aece84e72 100755 --- a/contrib/syscalls.sh +++ b/contrib/syscalls.sh 
@@ -8,22 +8,22 @@ SYSCALLS_OUTPUT_FILE="$(pwd)/syscalls.txt" if [ $# -eq 0 ] then - echo - echo " *** No program specified!!! ***" - echo - echo -e "Make this file executable and execute it as:\\n" - echo -e "\\e[96m syscalls.sh /full/path/to/program\\n" - echo -e "\\e[39mif you saved this script in a directory in your PATH (e.g., in ${HOME}/bin), otherwise as:\\n" - echo -e "\\e[96m ./syscalls.sh /full/path/to/program\\n" - echo -e "\\e[39mUse the full path to the respective program to avoid executing it sandboxed with Firejail\\n(if a Firejail profile for it already exits and 'sudo firecfg' was executed earlier)\\nin order to determine the necessary system calls." - echo - exit 0 + echo + echo " *** No program specified!!! ***" + echo + echo -e "Make this file executable and execute it as:\\n" + echo -e "\\e[96m syscalls.sh /full/path/to/program\\n" + echo -e "\\e[39mif you saved this script in a directory in your PATH (e.g., in ${HOME}/bin), otherwise as:\\n" + echo -e "\\e[96m ./syscalls.sh /full/path/to/program\\n" + echo -e "\\e[39mUse the full path to the respective program to avoid executing it sandboxed with Firejail\\n(if a Firejail profile for it already exits and 'sudo firecfg' was executed earlier)\\nin order to determine the necessary system calls." 
+ echo + exit 0 else - strace -cfo "$STRACE_OUTPUT_FILE" "$@" && awk '{print $NF}' "$STRACE_OUTPUT_FILE" | sed '/syscall\|-\|total/d' | sort -u | awk -vORS=, '{ print $1 }' | sed 's/,$/\n/' > "$SYSCALLS_OUTPUT_FILE" - echo - echo -e "\e[39mThese are the sorted syscalls:\n\e[93m" - cat "$SYSCALLS_OUTPUT_FILE" - echo - echo -e "\e[39mThe sorted syscalls were saved to:\n\e[96m$SYSCALLS_OUTPUT_FILE\n\e[39m" - exit 0 + strace -cfo "$STRACE_OUTPUT_FILE" "$@" && awk '{print $NF}' "$STRACE_OUTPUT_FILE" | sed '/syscall\|-\|total/d' | sort -u | awk -vORS=, '{ print $1 }' | sed 's/,$/\n/' > "$SYSCALLS_OUTPUT_FILE" + echo + echo -e "\e[39mThese are the sorted syscalls:\n\e[93m" + cat "$SYSCALLS_OUTPUT_FILE" + echo + echo -e "\e[39mThe sorted syscalls were saved to:\n\e[96m$SYSCALLS_OUTPUT_FILE\n\e[39m" + exit 0 fi diff --git a/platform/rpm/mkrpm.sh b/platform/rpm/mkrpm.sh index 34104c7b2..d32ccd360 100755 --- a/platform/rpm/mkrpm.sh +++ b/platform/rpm/mkrpm.sh @@ -31,7 +31,7 @@ fi tmpdir=$(mktemp -d) mkdir -p ${tmpdir}/{BUILD,RPMS,SOURCES,SPECS,SRPMS} function cleanup { - rm -rf ${tmpdir} + rm -rf ${tmpdir} } trap cleanup EXIT -- cgit v1.2.3-54-g00ecf From ab1f8af8d0ac1ff8466d8758dc11d06dbfe8df25 Mon Sep 17 00:00:00 2001 
From: "Kelvin M. Klann" Date: Sun, 19 Feb 2023 17:57:48 -0300 Subject: Fix inconsistent leading spaces Changes: * Fix spaces being used for indentation in some lines in C * Remove leading spaces before some goto labels * Remove leading spaces before the start of some multiline comments * Change leading spaces to tabs in some multiline macros * Add missing asterisk to some multiline comments (to match other multiline comments and because they are false positives in the commands below) Note: Leading spaces can be used for alignment (such as in function parameters and function arguments in C) and for line continuation (such as in long commands in shell scripts). However, in the above changes the leading spaces are used for other reasons and do not seem to fit with the style used. Commands used to search for errors: $ git grep -In '^ [^*]' | grep -E -v \ -e '(COPYING|README|RELNOTES|configure(.ac)?):' \ -e '^[^:]+.(md|yml|py):' -e '(bash|zsh)_completion/' \ -e '^contrib/syntax/' -e '^etc/templates/.*\.txt:' -e '^m4/' \ -e '^platform/debian/' -e '^src/man/.*\.txt:' \ -e '.*mkrpm.sh:' -e '.*extract_errnos.sh:' --- src/fbuilder/main.c | 2 +- src/fcopy/main.c | 2 +- src/firejail/appimage_size.c | 3 ++- src/firejail/dbus.c | 2 +- src/firejail/firejail.h | 2 +- src/firejail/main.c | 4 ++-- src/firejail/selinux.c | 2 +- src/fldd/main.c | 6 +++--- src/fnet/fnet.h | 2 +- src/fnet/interface.c | 2 +- src/fnet/main.c | 10 +++++----- src/fnet/veth.c | 4 ++-- src/fnetfilter/main.c | 2 +- src/fsec-optimize/main.c | 2 +- src/fsec-print/main.c | 2 +- src/fseccomp/main.c | 2 +- src/include/gcov_wrapper.h | 4 ++-- src/include/seccomp.h | 24 ++++++++++++------------ src/libtrace/libtrace.c | 10 +++++----- src/profstats/main.c | 2 +- 20 files changed, 45 insertions(+), 44 deletions(-) diff --git a/src/fbuilder/main.c b/src/fbuilder/main.c index ebb273f12..7fdf9af68 100644 --- a/src/fbuilder/main.c +++ b/src/fbuilder/main.c 
@@ -32,7 +32,7 @@ int main(int argc, char **argv) { system("cat /proc/self/status"); int i; for (i = 0; i < argc; i++) - printf("*%s* ", argv[i]); + printf("*%s* ", argv[i]); printf("\n"); } #endif diff --git a/src/fcopy/main.c b/src/fcopy/main.c index da24fb3f7..ce2efb295 100644 --- a/src/fcopy/main.c +++ b/src/fcopy/main.c @@ -92,7 +92,7 @@ static void selinux_relabel_path(const char *path, const char *inside_path) { printf("Cannot relabel %s: %s\n", path, strerror(errno)); } freecon(fcon); - close: +close: close(fd); #else (void) path; diff --git a/src/firejail/appimage_size.c b/src/firejail/appimage_size.c index c3f1620bc..60c4c0364 100644 --- a/src/firejail/appimage_size.c +++ b/src/firejail/appimage_size.c @@ -17,8 +17,9 @@ * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ + /* - This code borrows heavily from src/libappimage_shared/elf.c in libappimage + * This code borrows heavily from src/libappimage_shared/elf.c in libappimage */ /* Compile with: diff --git a/src/firejail/dbus.c b/src/firejail/dbus.c index a41071305..b2f9fe2d2 100644 --- a/src/firejail/dbus.c +++ b/src/firejail/dbus.c @@ -263,7 +263,7 @@ static char *find_user_socket_by_format(char *format) { if (!S_ISSOCK(s.st_mode)) goto fail; return dbus_user_socket; - fail: +fail: free(dbus_user_socket); return NULL; } diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 30c1b441c..824164c8a 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -266,7 +266,7 @@ static inline int any_ip6_dhcp(void) { } static inline int any_dhcp(void) { - return any_ip_dhcp() || any_ip6_dhcp(); + return any_ip_dhcp() || any_ip6_dhcp(); } extern int arg_private; // mount private /home diff --git a/src/firejail/main.c b/src/firejail/main.c index ed31efb6c..9bd65dda5 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c 
@@ -47,8 +47,8 @@ #endif #ifdef __ia64__ -/* clone(2) has a different interface on ia64, as it needs to know - the size of the stack */ +/* clone(2) has a different interface on ia64, as it needs to know the size of + * the stack */ int __clone2(int (*fn)(void *), void *child_stack_base, size_t stack_size, int flags, void *arg, ... diff --git a/src/firejail/selinux.c b/src/firejail/selinux.c index 5beda294d..08f3b3122 100644 --- a/src/firejail/selinux.c +++ b/src/firejail/selinux.c @@ -78,7 +78,7 @@ void selinux_relabel_path(const char *path, const char *inside_path) } freecon(fcon); - close: +close: close(fd); #else (void) path; diff --git a/src/fldd/main.c b/src/fldd/main.c index 390f7a1bc..4b645b1b3 100644 --- a/src/fldd/main.c +++ b/src/fldd/main.c @@ -193,9 +193,9 @@ static void parse_elf(const char *exe) { } goto close; - error_close: +error_close: perror("copy libs"); - close: +close: if (base) munmap(base, s.st_size); @@ -295,7 +295,7 @@ int main(int argc, char **argv) { //system("cat /proc/self/status"); int i; for (i = 0; i < argc; i++) - printf("*%s* ", argv[i]); + printf("*%s* ", argv[i]); printf("\n"); } #endif diff --git a/src/fnet/fnet.h b/src/fnet/fnet.h index c9d40ec1d..f9b09d7ea 100644 --- a/src/fnet/fnet.h +++ b/src/fnet/fnet.h @@ -1,4 +1,4 @@ - /* +/* * Copyright (C) 2014-2023 Firejail Authors * * This file is part of firejail project diff --git a/src/fnet/interface.c b/src/fnet/interface.c index 873252d40..ca7c744ed 100644 --- a/src/fnet/interface.c +++ b/src/fnet/interface.c @@ -1,4 +1,4 @@ - /* +/* * Copyright (C) 2014-2023 Firejail Authors * * This file is part of firejail project diff --git a/src/fnet/main.c b/src/fnet/main.c index 1c48622a0..96c4f1478 100644 --- a/src/fnet/main.c +++ b/src/fnet/main.c @@ -1,4 +1,4 @@ - /* +/* * Copyright (C) 2014-2023 Firejail Authors * * This file is part of firejail project 
@@ -47,7 +47,7 @@ static void usage(void) { printf("\tfnet config mac addr\n"); printf("\tfnet config ipv6 dev ip\n"); printf("\tfnet ifup dev\n"); - printf("\tfnet waitll dev\n"); + printf("\tfnet waitll dev\n"); } int main(int argc, char **argv) { @@ -144,9 +144,9 @@ printf("\n"); else if (argc == 5 && strcmp(argv[1], "config") == 0 && strcmp(argv[2], "ipv6") == 0) { net_if_ip6(argv[3], argv[4]); } - else if (argc == 3 && strcmp(argv[1], "waitll") == 0) { - net_if_waitll(argv[2]); - } + else if (argc == 3 && strcmp(argv[1], "waitll") == 0) { + net_if_waitll(argv[2]); + } else { fprintf(stderr, "Error fnet: invalid arguments\n"); return 1; diff --git a/src/fnet/veth.c b/src/fnet/veth.c index 2a23c6bd4..2111cfa56 100644 --- a/src/fnet/veth.c +++ b/src/fnet/veth.c @@ -24,8 +24,8 @@ * * Authors: Alexey Kuznetsov, * - */ - /* +*/ +/* * Copyright (C) 2014-2023 Firejail Authors * * This file is part of firejail project diff --git a/src/fnetfilter/main.c b/src/fnetfilter/main.c index 978d145b3..8c0f6c297 100644 --- a/src/fnetfilter/main.c +++ b/src/fnetfilter/main.c @@ -1,4 +1,4 @@ - /* +/* * Copyright (C) 2014-2023 Firejail Authors * * This file is part of firejail project diff --git a/src/fsec-optimize/main.c b/src/fsec-optimize/main.c index 0a9b7c9b9..0bc521c0d 100644 --- a/src/fsec-optimize/main.c +++ b/src/fsec-optimize/main.c @@ -33,7 +33,7 @@ int main(int argc, char **argv) { //system("cat /proc/self/status"); int i; for (i = 0; i < argc; i++) - printf("*%s* ", argv[i]); + printf("*%s* ", argv[i]); printf("\n"); } #endif diff --git a/src/fsec-print/main.c b/src/fsec-print/main.c index de93f260e..696c6bc0c 100644 --- a/src/fsec-print/main.c +++ b/src/fsec-print/main.c @@ -47,7 +47,7 @@ int main(int argc, char **argv) { //system("cat /proc/self/status"); int i; for (i = 0; i < argc; i++) - printf("*%s* ", argv[i]); + printf("*%s* ", argv[i]); printf("\n"); } #endif diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c index 1edbad764..57a5a6d67 100644 
--- a/src/fseccomp/main.c +++ b/src/fseccomp/main.c @@ -58,7 +58,7 @@ int main(int argc, char **argv) { //system("cat /proc/self/status"); int i; for (i = 0; i < argc; i++) - printf("*%s* ", argv[i]); + printf("*%s* ", argv[i]); printf("\n"); } #endif diff --git a/src/include/gcov_wrapper.h b/src/include/gcov_wrapper.h index b56b4e736..7c8f89d59 100644 --- a/src/include/gcov_wrapper.h +++ b/src/include/gcov_wrapper.h @@ -33,8 +33,8 @@ */ #if __GNUC__ > 11 || (__GNUC__ == 11 && __GNUC_MINOR__ >= 1) static void __gcov_flush(void) { - __gcov_dump(); - __gcov_reset(); + __gcov_dump(); + __gcov_reset(); } #endif #else diff --git a/src/include/seccomp.h b/src/include/seccomp.h index ef3fe6c3a..fc07b75ce 100644 --- a/src/include/seccomp.h +++ b/src/include/seccomp.h 
@@ -194,24 +194,24 @@ #endif #define VALIDATE_ARCHITECTURE \ - BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ - BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \ - BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) + BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \ + BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) #define VALIDATE_ARCHITECTURE_KILL \ - BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ - BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \ - KILL_OR_RETURN_ERRNO + BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \ + KILL_OR_RETURN_ERRNO #define VALIDATE_ARCHITECTURE_64 \ - BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ - BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_64, 1, 0), \ - BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) + BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_64, 1, 0), \ + BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) #define VALIDATE_ARCHITECTURE_32 \ - BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ - BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_32, 1, 0), \ - BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) + BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))), \ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_32, 1, 0), \ + BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) #ifndef X32_SYSCALL_BIT #define X32_SYSCALL_BIT 0x40000000 diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c index 231e09882..25f0cc12e 100644 --- a/src/libtrace/libtrace.c +++ b/src/libtrace/libtrace.c 
@@ -35,11 +35,11 @@ #include "../include/rundefs.h" #define tprintf(fp, args...) \ - do { \ - if (!fp)\ - init(); \ - fprintf(fp, args); \ - } while(0) + do { \ + if (!fp)\ + init(); \ + fprintf(fp, args); \ + } while(0) // break recursivity on fopen call typedef FILE *(*orig_fopen_t)(const char *pathname, const char *mode); diff --git a/src/profstats/main.c b/src/profstats/main.c index 491cec736..d5e57e7cc 100644 --- a/src/profstats/main.c +++ b/src/profstats/main.c @@ -1,4 +1,4 @@ - /* +/* * Copyright (C) 2014-2023 Firejail Authors * * This file is part of firejail project -- cgit v1.2.3-54-g00ecf From 71d7572950e9266fcf54a9278a948f6b88fa495b Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Sun, 19 Feb 2023 16:08:54 -0300 Subject: editorconfig: add indentation rules Commands used to list the file extensions used in the project: $ git ls-files | sed -En 's/.*(\.[^.]+)$/\1/p' | LC_ALL=C sort | uniq -c For rules that are more specific to a given directory, put a dedicated .editorconfig file in it. --- .editorconfig | 27 +++++++++++++++++++++++++++ .github/.editorconfig | 3 +++ contrib/syntax/.editorconfig | 7 +++++++ platform/rpm/.editorconfig | 3 +++ src/bash_completion/.editorconfig | 3 +++ src/zsh_completion/.editorconfig | 3 +++ 6 files changed, 46 insertions(+) create mode 100644 .github/.editorconfig create mode 100644 contrib/syntax/.editorconfig create mode 100644 platform/rpm/.editorconfig create mode 100644 src/bash_completion/.editorconfig create mode 100644 src/zsh_completion/.editorconfig diff --git a/.editorconfig b/.editorconfig index f999431de..7d98c1b14 100644 --- a/.editorconfig +++ b/.editorconfig 
@@ -5,3 +5,30 @@ charset = utf-8
 end_of_line = lf
 insert_final_newline = true
 trim_trailing_whitespace = true
+
+# Build
+[configure.ac]
+indent_size = 8
+indent_style = tab
+
+[*{.mk,Makefile}{,.in}]
+indent_size = 8
+indent_style = tab
+
+# Source code and scripts
+[*.{c,h}{,.in}]
+indent_size = 8
+indent_style = tab
+
+[*.{awk,exp,sh}{,.in}]
+indent_size = 8
+indent_style = tab
+
+[*.py{,.in}]
+indent_size = 4
+indent_style = space
+
+# Misc
+[.gitlab-ci.yml]
+indent_size = 4
+indent_style = space
diff --git a/.github/.editorconfig b/.github/.editorconfig
new file mode 100644
index 000000000..eb5c699c5
--- /dev/null
+++ b/.github/.editorconfig
@@ -0,0 +1,3 @@
+[*.yml]
+indent_size = 2
+indent_style = space
diff --git a/contrib/syntax/.editorconfig b/contrib/syntax/.editorconfig
new file mode 100644
index 000000000..385bf17d5
--- /dev/null
+++ b/contrib/syntax/.editorconfig
@@ -0,0 +1,7 @@
+[*.lang{,.in}]
+indent_size = 2
+indent_style = space
+
+[*.vim{,.in}]
+indent_size = 2
+indent_style = space
diff --git a/platform/rpm/.editorconfig b/platform/rpm/.editorconfig
new file mode 100644
index 000000000..964dd36dd
--- /dev/null
+++ b/platform/rpm/.editorconfig
@@ -0,0 +1,3 @@
+[*.sh{,.in}]
+indent_size = 4
+indent_style = space
diff --git a/src/bash_completion/.editorconfig b/src/bash_completion/.editorconfig
new file mode 100644
index 000000000..298a13b5e
--- /dev/null
+++ b/src/bash_completion/.editorconfig
@@ -0,0 +1,3 @@
+[*.bash_completion{,.in}]
+indent_size = 4
+indent_style = space
diff --git a/src/zsh_completion/.editorconfig b/src/zsh_completion/.editorconfig
new file mode 100644
index 000000000..15ca952a4
--- /dev/null
+++ b/src/zsh_completion/.editorconfig
@@ -0,0 +1,3 @@
+[_*{,.in}]
+indent_size = 4
+indent_style = space
-- cgit v1.2.3-54-g00ecf
From 9c90e6ae69e505a7581cdff4b449c0779732100e Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann" Date: Tue, 21 Feb 2023 11:37:45 -0300 Subject: Print the argument when failing with "too long arguments" Also, s/arguments/argument/ since the message refers to one specific argument. Relates to commit 0d06369a8 ("Make env/arg sanity check failure messages more useful", 2021-11-10) / PR #4676. Relates to #5676.
---
 src/firejail/main.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 7a9d3d00d..54978570e 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1080,7 +1080,8 @@ int main(int argc, char **argv, char **envp) {
 // sanity check for arguments
 for (i = 0; i < argc; i++) {
 if (strlen(argv[i]) >= MAX_ARG_LEN) {
- fprintf(stderr, "Error: too long arguments: argv[%d] len (%zu) >= MAX_ARG_LEN (%d)\n", i, strlen(argv[i]), MAX_ARG_LEN);
+ fprintf(stderr, "Error: too long argument: argv[%d] len (%zu) >= MAX_ARG_LEN (%d): %s\n",
+ i, strlen(argv[i]), MAX_ARG_LEN, argv[i]);
 exit(1);
 }
 }
-- cgit v1.2.3-54-g00ecf
From 6202f58ad0b67fcad5db46a070cf40581bc828e4 Mon Sep 17 00:00:00 2001 From: NetSysFire <59517351+NetSysFire@users.noreply.github.com> Date: Fri, 24 Feb 2023 16:24:49 +0100 Subject: parsecd.profile: more white and blacklisting
---
 etc/profile-m-z/parsecd.profile | 13 +++++++++++++ 1 file changed, 13 insertions(+)
diff --git a/etc/profile-m-z/parsecd.profile b/etc/profile-m-z/parsecd.profile
index 398af7f80..249d475cf 100644
--- a/etc/profile-m-z/parsecd.profile
+++ b/etc/profile-m-z/parsecd.profile
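Review bot: The `%s` added at the end of the format string in the src/firejail/main.c hunk writes `argv[i]` to stderr with no length cap and no escaping, and this branch runs only when that argument is already at least MAX_ARG_LEN bytes long. The value is caller-controlled, so the rejected string is replayed in full into the terminal or any captured log, including whatever control or escape bytes it carries. Bounding the echo keeps the diagnostic useful, e.g. ending the format with `(%d): %.64s...\n` (64 is an illustrative cap, not a project constant), and non-printable bytes would ideally be replaced before printing. The enclosing main() starts and ends outside the hunk, so whether stderr is already sanitised elsewhere cannot be seen from here.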
@@ -7,12 +7,25 @@ include parsecd.local include globals.local noblacklist ${HOME}/.parsec +ignore noexec ${HOME} + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-proc.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc mkdir ${HOME}/.parsec whitelist ${HOME}/.parsec whitelist /usr/share/parsec include whitelist-common.inc include whitelist-usr-share-common.inc +include whitelist-run-common.inc +include whitelist-runuser-common.inc +include whitelist-var-common.inc # Due to the nature of parsec, the following directives will not work: # - no3d -- cgit v1.2.3-54-g00ecf
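Review bot: `ignore noexec ${HOME}` is added without a comment, and it cancels the `noexec ${HOME}` that the newly included `disable-exec.inc` normally applies, so files under the home directory stay executable inside the sandbox. The profile explains its other exceptions in the "Due to the nature of parsec" comment block; this one needs the same, for example `# parsecd executes files it keeps under ${HOME}/.parsec, which noexec on ${HOME} would break`, if that is indeed the reason. Since `${HOME}/.parsec` is whitelisted and writable, the comment should also make clear that the sandboxed process can run what it writes there. The hunk ends inside that comment block, so the remaining directives of the profile are not visible here.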