From 96c920e166b40bbe50f216e294f2efac154a1cb2 Mon Sep 17 00:00:00 2001
From: Fred Barclay
Date: Wed, 24 May 2017 14:13:52 -0500
Subject: Remove trailing whitespace from src/

---
 src/faudit/Makefile.in | 1 -
 src/faudit/caps.c | 13 ++++++-------
 src/faudit/dbus.c | 13 +++++--------
 src/faudit/dev.c | 6 +++---
 src/faudit/files.c | 12 ++++++------
 src/faudit/main.c | 18 +++++++++--------
 src/faudit/network.c | 16 ++++++++--------
 src/faudit/pid.c | 12 ++++++------
 src/faudit/seccomp.c | 20 ++++++++++----------
 src/faudit/syscall.c | 6 +++---
 src/faudit/x11.c | 4 ++--
 11 files changed, 58 insertions(+), 63 deletions(-)
(limited to 'src/faudit')

diff --git a/src/faudit/Makefile.in b/src/faudit/Makefile.in
index 995a0bf49..ec36ca80c 100644
--- a/src/faudit/Makefile.in
+++ b/src/faudit/Makefile.in
@@ -22,4 +22,3 @@ clean:; rm -f *.o faudit
 
 distclean: clean
 rm -fr Makefile
-
diff --git a/src/faudit/caps.c b/src/faudit/caps.c
index b200c6792..d4a98676c 100644
--- a/src/faudit/caps.c
+++ b/src/faudit/caps.c
@@ -26,7 +26,7 @@ static int extract_caps(uint64_t *val) {
 FILE *fp = fopen("/proc/self/status", "r");
 if (!fp)
 return 1;
-
+
 char buf[MAXBUF];
 while (fgets(buf, MAXBUF, fp)) {
 if (strncmp(buf, "CapBnd:\t", 8) == 0) {
@@ -47,7 +47,7 @@ static int extract_caps(uint64_t *val) {
 static int check_capability(uint64_t map, int cap) {
 int i;
 uint64_t mask = 1ULL;
-
+
 for (i = 0; i < 64; i++, mask <<= 1) {
 if ((i == cap) && (mask & map))
 return 1;
@@ -58,22 +58,21 @@ static int check_capability(uint64_t map, int cap) {
 
 void caps_test(void) {
 uint64_t caps_val;
-
+
 if (extract_caps(&caps_val)) {
 printf("SKIP: cannot extract capabilities on this platform.\n");
 return;
 }
-
+
 if (caps_val) {
 printf("BAD: the capability map is %llx, it should be all zero. ", (unsigned long long) caps_val);
 printf("Use \"firejail --caps.drop=all\" to fix it.\n");
-
+
 if (check_capability(caps_val, CAP_SYS_ADMIN))
 printf("UGLY: CAP_SYS_ADMIN is enabled.\n");
 if (check_capability(caps_val, CAP_SYS_BOOT))
 printf("UGLY: CAP_SYS_BOOT is enabled.\n");
 }
 else
-printf("GOOD: all capabilities are disabled.\n");
+printf("GOOD: all capabilities are disabled.\n");
 }
-
diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c
index 1b1fbb817..54300c9b8 100644
--- a/src/faudit/dbus.c
+++ b/src/faudit/dbus.c
@@ -28,7 +28,7 @@ int check_unix(const char *sockfile) {
 
 // open socket
 int sock = socket(AF_UNIX, SOCK_STREAM, 0);
-if (sock == -1)
+if (sock == -1)
 return rv;
 
 // connect
@@ -41,7 +41,7 @@ int check_unix(const char *sockfile) {
 remote.sun_path[0] = '\0';
 if (connect(sock, (struct sockaddr *)&remote, len) == 0)
 rv = 0;
-
+
 close(sock);
 return rv;
 }
@@ -60,7 +60,7 @@ void dbus_test(void) {
 *sockfile = '@';
 char *ptr = strchr(sockfile, ',');
 if (ptr)
-*ptr = '\0';
+*ptr = '\0';
 rv = check_unix(sockfile);
 *sockfile = '@';
 if (rv == 0)
@@ -83,13 +83,10 @@ void dbus_test(void) {
 printf("UGLY: session bus configured for TCP communication.\n");
 else
 printf("GOOD: cannot find a D-Bus socket\n");
-
-
+
+
 free(bus);
 }
 else
 printf("GOOD: DBUS_SESSION_BUS_ADDRESS environment variable not configured.");
 }
-
-
-
diff --git a/src/faudit/dev.c b/src/faudit/dev.c
index 74adbca9c..6bafaf93e 100644
--- a/src/faudit/dev.c
+++ b/src/faudit/dev.c
@@ -26,19 +26,19 @@ void dev_test(void) {
 fprintf(stderr, "Error: cannot open /dev directory\n");
 return;
 }
-
+
 struct dirent *entry;
 printf("INFO: files visible in /dev directory: ");
 int cnt = 0;
 while ((entry = readdir(dir)) != NULL) {
 if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
 continue;
-
+
 printf("%s, ", entry->d_name);
 cnt++;
 }
 printf("\n");
-
+
 if (cnt > 20)
 printf("MAYBE: /dev directory seems to be fully populated. Use --private-dev or --whitelist to restrict the access.\n");
 else
diff --git a/src/faudit/files.c b/src/faudit/files.c
index 46256f5f0..aa5b3aafb 100644
--- a/src/faudit/files.c
+++ b/src/faudit/files.c
@@ -26,7 +26,7 @@ static char *homedir = NULL;
 
 static void check_home_file(const char *name) {
 assert(homedir);
-
+
 char *fname;
 if (asprintf(&fname, "%s/%s", homedir, name) == -1)
 errExit("asprintf");
@@ -37,7 +37,7 @@ static void check_home_file(const char *name) {
 }
 else
 printf("GOOD: I cannot access files in %s directory.\n", fname);
-
+
 free(fname);
 }
 
@@ -47,14 +47,14 @@ void files_test(void) {
 fprintf(stderr, "Error: cannot retrieve user account information\n");
 return;
 }
-
+
 username = strdup(pw->pw_name);
 if (!username)
 errExit("strdup");
 homedir = strdup(pw->pw_dir);
 if (!homedir)
 errExit("strdup");
-
+
 // check access to .ssh directory
 check_home_file(".ssh");
 
@@ -66,10 +66,10 @@ void files_test(void) {
 
 // check access to Chromium browser directory
 check_home_file(".config/chromium");
-
+
 // check access to Debian Icedove directory
 check_home_file(".icedove");
-
+
 // check access to Thunderbird directory
 check_home_file(".thunderbird");
 }
diff --git a/src/faudit/main.c b/src/faudit/main.c
index 2572bf332..8ab0de5a6 100644
--- a/src/faudit/main.c
+++ b/src/faudit/main.c
@@ -24,19 +24,19 @@ int main(int argc, char **argv) { // make test-arguments helper if (getenv("FIREJAIL_TEST_ARGUMENTS")) { printf("Arguments:\n"); - + int i; for (i = 0; i < argc; i++) { printf("#%s#\n", argv[i]); } - + return 0; } if (argc != 1) { int i; - + for (i = 1; i < argc; i++) { if (strcmp(argv[i], "syscall")) { syscall_helper(argc, argv); @@ -56,16 +56,16 @@ int main(int argc, char **argv) { errExit("strdup"); } printf("INFO: starting %s.\n", prog); - - + + // check pid namespace pid_test(); printf("\n"); - + // check seccomp seccomp_test(); printf("\n"); - + // check capabilities caps_test(); printf("\n"); @@ -73,11 +73,11 @@ int main(int argc, char **argv) { // check some well-known problematic files and directories files_test(); printf("\n"); - + // network network_test(); printf("\n"); - + // dbus dbus_test(); printf("\n"); diff --git a/src/faudit/network.c b/src/faudit/network.c index 67c11e835..797c15ba8 100644 --- a/src/faudit/network.c +++ b/src/faudit/network.c @@ -35,15 +35,15 @@ static void check_ssh(void) { struct sockaddr_in server; server.sin_addr.s_addr = inet_addr("127.0.0.1"); server.sin_family = AF_INET; - server.sin_port = htons(22); - + server.sin_port = htons(22); + if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0) printf("GOOD: SSH server not available on localhost.\n"); else { printf("MAYBE: an SSH server is accessible on localhost. "); printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n"); } - + close(sock); } 
@@ -59,15 +59,15 @@ static void check_http(void) {
 struct sockaddr_in server;
 server.sin_addr.s_addr = inet_addr("127.0.0.1");
 server.sin_family = AF_INET;
-server.sin_port = htons(80);
-
+server.sin_port = htons(80);
+
 if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0)
 printf("GOOD: HTTP server not available on localhost.\n");
 else {
 printf("MAYBE: an HTTP server is accessible on localhost. ");
 printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
 }
-
+
 close(sock);
 }
 
@@ -88,12 +88,12 @@ void check_netlink(void) {
 close(sock);
 return;
 }
-
+
 close(sock);
 printf("MAYBE: I can connect to netlink socket. Network utilities such as iproute2 will work fine in the sandbox. ");
 printf("You can use \"--protocol\" to disable the socket.\n");
 }
-
+
 void network_test(void) {
 check_ssh();
 check_http();
diff --git a/src/faudit/pid.c b/src/faudit/pid.c
index 34f6d1691..0aa2ddd44 100644
--- a/src/faudit/pid.c
+++ b/src/faudit/pid.c
@@ -32,7 +32,7 @@ void pid_test(void) {
 
 // look at the first 10 processes
 int not_visible = 1;
-for (i = 1; i <= 10; i++) {
+for (i = 1; i <= 10; i++) {
 struct stat s;
 char *fname;
 if (asprintf(&fname, "/proc/%d/comm", i) == -1)
@@ -41,7 +41,7 @@ void pid_test(void) {
 free(fname);
 continue;
 }
-
+
 // open file
 /* coverity[toctou] */
 FILE *fp = fopen(fname, "r");
@@ -49,7 +49,7 @@ void pid_test(void) {
 free(fname);
 continue;
 }
-
+
 // read file
 char buf[100];
 if (fgets(buf, 10, fp) == NULL) {
@@ -63,7 +63,7 @@ void pid_test(void) {
 char *ptr;
 if ((ptr = strchr(buf, '\n')) != NULL)
 *ptr = '\0';
-
+
 // check process name against the kernel list
 int j = 0;
 while (kern_proc[j] != NULL) {
@@ -76,7 +76,7 @@ void pid_test(void) {
 }
 j++;
 }
-
+
 fclose(fp);
 free(fname);
 }
@@ -86,7 +86,7 @@ void pid_test(void) {
 printf("BAD: Process %d is not running in a PID namespace.\n", pid);
 else
 printf("GOOD: process %d is running in a PID namespace.\n", pid);
-
+
 // try to guess the type of container/sandbox
 char *str = getenv("container");
 if (str)
diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c
index 1c188aa45..2e9665fd9 100644
--- a/src/faudit/seccomp.c
+++ b/src/faudit/seccomp.c
@@ -24,7 +24,7 @@ static int extract_seccomp(int *val) {
 FILE *fp = fopen("/proc/self/status", "r");
 if (!fp)
 return 1;
-
+
 char buf[MAXBUF];
 while (fgets(buf, MAXBUF, fp)) {
 if (strncmp(buf, "Seccomp:\t", 8) == 0) {
@@ -44,12 +44,12 @@ static int extract_seccomp(int *val) {
 void seccomp_test(void) {
 int seccomp_status;
 int rv = extract_seccomp(&seccomp_status);
-
+
 if (rv) {
 printf("INFO: cannot extract seccomp configuration on this platform.\n");
 return;
 }
-
+
 if (seccomp_status == 0) {
 printf("BAD: seccomp disabled. Use \"firejail --seccomp\" to enable it.\n");
 }
@@ -67,10 +67,10 @@ void seccomp_test(void) {
 
 printf("ptrace... "); fflush(0);
 syscall_run("ptrace");
-
+
 printf("swapon... "); fflush(0);
 syscall_run("swapon");
-
+
 printf("swapoff... "); fflush(0);
 syscall_run("swapoff");
 
@@ -79,20 +79,20 @@ void seccomp_test(void) {
 
 printf("delete_module... "); fflush(0);
 syscall_run("delete_module");
-
+
 printf("chroot... "); fflush(0);
 syscall_run("chroot");
-
+
 printf("pivot_root... "); fflush(0);
 syscall_run("pivot_root");
-
+
 #if defined(__i386__) || defined(__x86_64__)
 printf("iopl... "); fflush(0);
 syscall_run("iopl");
-
+
 printf("ioperm... "); fflush(0);
 syscall_run("ioperm");
-#endif
+#endif
 printf("\n");
 }
 else
diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c
index 40b1ecc84..2925a6c30 100644
--- a/src/faudit/syscall.c
+++ b/src/faudit/syscall.c
@@ -33,7 +33,7 @@ extern int pivot_root(const char *new_root, const char *put_old);
 
 void syscall_helper(int argc, char **argv) {
 (void) argc;
-
+
 if (strcmp(argv[2], "mount") == 0) {
 int rv = mount(NULL, NULL, NULL, 0, NULL);
 (void) rv;
@@ -87,7 +87,7 @@ void syscall_helper(int argc, char **argv) {
 
 void syscall_run(const char *name) {
 assert(prog);
-
+
 pid_t child = fork();
 if (child < 0)
 errExit("fork");
@@ -96,7 +96,7 @@ void syscall_run(const char *name) {
 perror("execl");
 _exit(1);
 }
-
+
 // wait for the child to finish
 waitpid(child, NULL, 0);
 }
diff --git a/src/faudit/x11.c b/src/faudit/x11.c
index 4cf1511a5..f0cc0eed4 100644
--- a/src/faudit/x11.c
+++ b/src/faudit/x11.c
@@ -29,7 +29,7 @@ void x11_test(void) {
 
 if (check_unix("@/tmp/.X11-unix/X0") == 0)
 printf("MAYBE: X11 socket @/tmp/.X11-unix/X0 is available\n");
-
+
 // check all unix sockets in /tmp/.X11-unix directory
 DIR *dir;
 if (!(dir = opendir("/tmp/.X11-unix"))) {
@@ -39,7 +39,7 @@ void x11_test(void) {
 ;
 }
 }
-
+
 if (dir == NULL)
 printf("GOOD: cannot open /tmp/.X11-unix directory\n");
 else {
-- 
cgit v1.2.3-54-g00ecf