From a26a25db063bcf174dc5c01688b7fd04228a77d8 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Sun, 20 Jan 2019 19:07:43 +0100
Subject: cleanup, minor improvements
---
 src/firejail/fs.c | 7 +++----
 src/firejail/fs_whitelist.c | 1 -
 src/firejail/join.c | 3 +--
 src/firejail/mountinfo.c | 3 +--
 src/firejail/sandbox.c | 2 +-
 src/firejail/util.c | 5 +----
 6 files changed, 7 insertions(+), 14 deletions(-)
diff --git a/src/firejail/fs.c b/src/firejail/fs.c
index ce2b1a8bc..184875f58 100644
--- a/src/firejail/fs.c
+++ b/src/firejail/fs.c
@@ -35,7 +35,7 @@
 //#define TEST_NO_BLACKLIST_MATCHING
-static int mount_warning = 0; // remember if warning was printed already
+static int mount_warning = 0;
 static void fs_rdwr(const char *dir);
 static void fs_rdwr_rec(const char *dir);
@@ -468,12 +468,11 @@ void fs_tmpfs(const char *dir, unsigned check_owner) {
 char *options;
 if (asprintf(&options, "mode=%o,uid=%u,gid=%u", s.st_mode & 07777, s.st_uid, s.st_gid) == -1)
 errExit("asprintf");
- // preserve some mount flags
+ // preserve mount flags, but remove read-only flag
 struct statvfs buf;
 if (fstatvfs(fd, &buf) == -1)
 errExit("fstatvfs");
- unsigned long flags = buf.f_flag & // remove read-only flag
- (MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_MANDLOCK|MS_STRICTATIME|MS_NODIRATIME|MS_RELATIME|MS_NOATIME);
+ unsigned long flags = buf.f_flag & ~(MS_RDONLY|MS_BIND);
 // mount via the symbolic link in /proc/self/fd
 char *proc;
 if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1)
diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
index 829636b9c..74b9449be 100644
--- a/src/firejail/fs_whitelist.c
+++ b/src/firejail/fs_whitelist.c
@@ -119,7 +119,6 @@ static int mkpath(const char* path, mode_t mode) {
 static void whitelist_path(ProfileEntry *entry) {
 assert(entry);
 const char *path = entry->data + 10;
- assert(path);
 const char *fname;
 char *wfile = NULL;
diff --git a/src/firejail/join.c b/src/firejail/join.c
index d05a4a465..60980fb2e 100644
--- a/src/firejail/join.c
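Review bot: In fs_tmpfs() (src/firejail/fs.c, second hunk), `buf.f_flag & ~(MS_RDONLY|MS_BIND)` turns the previous allow-list into a deny-list, so every other bit that fstatvfs() reports now ends up in `flags`. statvfs documents f_flag in terms of ST_* constants, and only some of those share their value with an MS_* mount flag; the MS_BIND mask itself looks like it is there because the relatime bit in f_flag has the same value as MS_BIND, which the new comment does not say. For a sandbox mount I would keep an explicit mask of the bits that are meant to survive, e.g. `unsigned long flags = buf.f_flag & (MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_MANDLOCK|MS_NOATIME|MS_NODIRATIME);`, or at least add `// f_flag holds ST_* bits; drop those that mean something else to mount(2)`. The use of `flags` is below the hunk, so I am assuming it is passed to mount().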
+++ b/src/firejail/join.c
@@ -31,7 +31,6 @@
 static int apply_caps = 0;
 static uint64_t caps = 0;
-static int apply_seccomp = 0;
 static unsigned display = 0;
 #define BUFLEN 4096
@@ -321,7 +320,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
 EUID_ROOT();
 // in user mode set caps seccomp, cpu, cgroup, etc
 if (getuid() != 0) {
- extract_nonewprivs(pid); // redundant on Linux >= 4.10; duplicated in function extract_caps_seccomp
+ extract_nonewprivs(pid); // redundant on Linux >= 4.10; duplicated in function extract_caps
 extract_caps(pid);
 extract_cpu(pid);
 extract_cgroup(pid);
diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c
index c89845ace..02c28cc5e 100644
--- a/src/firejail/mountinfo.c
+++ b/src/firejail/mountinfo.c
@@ -199,8 +199,7 @@ int get_mount_id(const char *path) {
 return -2;
 }
-// Check /proc/self/mountinfo if path has any submounts (or if path would have submounts
-// if it was made a mount point).
+// Check /proc/self/mountinfo if path contains any mounts points.
 // Returns an array that can be iterated over for recursive remounting.
 char **build_mount_array(const int mount_id, const char *path) {
 assert(path);
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index ba9a36250..735bab684 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1178,7 +1178,7 @@ int sandbox(void* sandbox_arg) {
 // drop privileges, fork the application and monitor it
 //****************************************
 drop_privs(arg_nogroups);
- prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the child in case the parent died
+ prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); // kill the sandbox in case the parent died
 pid_t app_pid = fork();
 if (app_pid == -1)
 errExit("fork");
diff --git a/src/firejail/util.c b/src/firejail/util.c
index f1c4f7059..b1fba4226 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
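Review bot: The new comment above build_mount_array() in src/firejail/mountinfo.c reads "mounts points", and it no longer says that `path` itself need not be a mount point, which the removed wording spelled out. If that case is still supported (the body is outside the hunk, so I cannot tell), I would write `// Check /proc/self/mountinfo if path contains any mount points (path itself need not be one).`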
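Review bot: In sandbox() (src/firejail/sandbox.c) the return value of `prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0)` is ignored, so a failure to arm the parent-death signal would go unnoticed and the sandbox process could outlive its parent. I would check it like the fork() two lines below: `if (prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0) == -1) errExit("prctl");`. A short comment that the call has to stay after drop_privs(), because the kernel clears the setting when the effective or filesystem uid/gid change, would keep a later reorder from silently disabling it. sandbox() starts and ends outside the hunk.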
@@ -454,7 +454,6 @@ void trim_trailing_slash_or_dot(char *path) {
 assert(path);
 char *end = strchr(path, '\0');
- assert(end);
 if ((end - path) > 1) {
 end--;
 while (*end == '/' ||
@@ -941,9 +940,7 @@ int remove_overlay_directory(void) {
 // wait for the child to finish
 waitpid(child, NULL, 0);
 // check if ~/.firejail was deleted
- if (stat(path, &s) == -1)
- return 0;
- else
+ if (stat(path, &s) == 0)
 return 1;
 }
 return 0;
--
cgit v1.2.3-70-g09d2
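Review bot: In remove_overlay_directory() (src/firejail/util.c, second hunk) any stat() failure is still taken as proof that the directory is gone, so an error such as EACCES or ELOOP makes the function return 0 just like a successful removal. If callers read 0 as "removed", only ENOENT should count: `if (stat(path, &s) == 0 || errno != ENOENT) return 1;` (this needs <errno.h>, whose inclusion is not visible here). The exit status of the child is also discarded by `waitpid(child, NULL, 0)`. The function starts outside the hunk, so the meaning of the return value is inferred from the comment on the check.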