From 05e9768345dc3660974d2eecb0b5134d17b20434 Mon Sep 17 00:00:00 2001 From: startx2017 Date: Thu, 13 Apr 2017 08:20:08 -0400 Subject: redirect all warnings to fwarning function and control the output with --quiet --- src/firejail/appimage.c | 5 ++--- src/firejail/cgroup.c | 2 +- src/firejail/cpu.c | 16 +++++--------- src/firejail/firejail.h | 2 ++ src/firejail/fs.c | 21 +++++++++--------- src/firejail/fs_bin.c | 2 +- src/firejail/fs_dev.c | 4 ++-- src/firejail/fs_etc.c | 5 ++--- src/firejail/fs_home.c | 2 +- src/firejail/fs_mkdir.c | 4 ++-- src/firejail/fs_var.c | 8 +++---- src/firejail/fs_whitelist.c | 5 ++--- src/firejail/join.c | 2 +- src/firejail/main.c | 24 +++++++------------- src/firejail/netns.c | 2 +- src/firejail/network.c | 2 +- src/firejail/network_main.c | 2 +- src/firejail/no_sandbox.c | 11 +++++----- src/firejail/profile.c | 6 ++--- src/firejail/protocol.c | 4 ++-- src/firejail/restrict_users.c | 6 ++--- src/firejail/sandbox.c | 51 ++++++++++++++++++++----------------------- src/firejail/seccomp.c | 2 +- src/firejail/util.c | 31 +++++++++++++++++--------- 24 files changed, 104 insertions(+), 115 deletions(-) (limited to 'src') diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c index 980c80bd9..e14de3c27 100644 --- a/src/firejail/appimage.c +++ b/src/firejail/appimage.c @@ -155,15 +155,14 @@ void appimage_clear(void) { break; } if (rv == -1 && errno == EBUSY) { - if (!arg_quiet) - printf("Warning: EBUSY error trying to unmount %s\n", mntdir); + fwarning("EBUSY error trying to unmount %s\n", mntdir); sleep(2); continue; } // rv = -1 if (!arg_quiet) { - printf("Warning: error trying to unmount %s\n", mntdir); + fwarning("error trying to unmount %s\n", mntdir); perror("umount"); } } diff --git a/src/firejail/cgroup.c b/src/firejail/cgroup.c index 143180bfb..6ceb647ff 100644 --- a/src/firejail/cgroup.c +++ b/src/firejail/cgroup.c @@ -63,7 +63,7 @@ void load_cgroup(const char *fname) { return; } errout: - fprintf(stderr, "Warning: cannot load control group\n"); + fwarning("cannot load control group\n"); if (fp) fclose(fp); } diff --git a/src/firejail/cpu.c b/src/firejail/cpu.c index 7a3e056c1..9c0214502 100644 --- a/src/firejail/cpu.c +++ b/src/firejail/cpu.c @@ -100,7 +100,7 @@ void load_cpu(const char *fname) { fclose(fp); } else - fprintf(stderr, "Warning: cannot load cpu affinity mask\n"); + fwarning("cannot load cpu affinity mask\n"); } void set_cpu_affinity(void) { @@ -115,20 +115,14 @@ void set_cpu_affinity(void) { CPU_SET(i, &mask); } - if (sched_setaffinity(0, sizeof(mask), &mask) == -1) { - fprintf(stderr, "Warning: cannot set cpu affinity\n"); - fprintf(stderr, " "); - perror("sched_setaffinity"); - } + if (sched_setaffinity(0, sizeof(mask), &mask) == -1) + fwarning("cannot set cpu affinity\n"); // verify cpu affinity cpu_set_t mask2; CPU_ZERO(&mask2); - if (sched_getaffinity(0, sizeof(mask2), &mask2) == -1) { - fprintf(stderr, "Warning: cannot verify cpu affinity\n"); - fprintf(stderr, " "); - perror("sched_getaffinity"); - } + if (sched_getaffinity(0, sizeof(mask2), &mask2) == -1) + fwarning("cannot verify cpu affinity\n"); else if (arg_debug) { if (CPU_EQUAL(&mask, &mask2)) printf("CPU affinity set\n"); diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 7258dd2f8..8831d07f0 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -21,6 +21,7 @@ #define FIREJAIL_H #include "../include/common.h" #include "../include/euid_common.h" +#include // debug restricted shell //#define DEBUG_RESTRICTED_SHELL @@ -446,6 +447,7 @@ int arp_check(const char *dev, uint32_t destaddr, uint32_t srcaddr); uint32_t arp_assign(const char *dev, Bridge *br); // util.c +void fwarning(char* fmt, ...); void drop_privs(int nogroups); int mkpath_as_root(const char* path); void extract_command_name(int index, char **argv); diff --git a/src/firejail/fs.c b/src/firejail/fs.c index f6aba7048..fa66da617 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -97,7 +97,7 @@ static void disable_file(OPERATION op, const char *filename) { return; if (stat(fname, &s) == -1) { if (arg_debug) - printf("Warning: %s does not exist, skipping...\n", fname); + fwarning("%s does not exist, skipping...\n", fname); free(fname); return; } @@ -108,8 +108,7 @@ static void disable_file(OPERATION op, const char *filename) { if ((strcmp(fname, "/bin") == 0 || strcmp(fname, "/usr/bin") == 0) && is_link(filename) && S_ISDIR(s.st_mode)) { - if (!arg_quiet) - fprintf(stderr, "Warning: %s directory link was not blacklisted\n", filename); + fwarning("%s directory link was not blacklisted\n", filename); } else { if (arg_debug) { @@ -175,7 +174,7 @@ static void disable_file(OPERATION op, const char *filename) { fs_logger2("tmpfs", fname); } else - printf("Warning: %s is not a directory; cannot mount a tmpfs on top of it.\n", fname); + fwarning("%s is not a directory; cannot mount a tmpfs on top of it.\n", fname); } else assert(0); @@ -444,8 +443,7 @@ static void fs_rdwr(const char *dir) { // if the file is outside /home directory, allow only root user uid_t u = getuid(); if (u != 0 && s.st_uid != u) { - if (!arg_quiet) - fprintf(stderr, "Warning: you are not allowed to change %s to read-write\n", dir); + fwarning("you are not allowed to change %s to read-write\n", dir); return; } @@ -501,9 +499,9 @@ void fs_proc_sys_dev_boot(void) { if (arg_debug) printf("Remounting /sys directory\n"); if (umount2("/sys", MNT_DETACH) < 0) - fprintf(stderr, "Warning: failed to unmount /sys\n"); + fwarning("failed to unmount /sys\n"); if (mount("sysfs", "/sys", "sysfs", MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL) < 0) - fprintf(stderr, "Warning: failed to mount /sys\n"); + fwarning("failed to mount /sys\n"); else fs_logger("remount /sys"); @@ -913,7 +911,8 @@ void fs_overlayfs(void) { // issue #263 end code //*************************** } - printf("OverlayFS configured in %s directory\n", basedir); + if (!arg_quiet) + printf("OverlayFS configured in %s directory\n", basedir); // mount-bind dev directory if (arg_debug) @@ -943,7 +942,7 @@ void fs_overlayfs(void) { if (asprintf(&x11, "%s/tmp/.X11-unix", oroot) == -1) errExit("asprintf"); if (mount("/tmp/.X11-unix", x11, NULL, MS_BIND|MS_REC, NULL) < 0) - fprintf(stderr, "Warning: cannot mount /tmp/.X11-unix in overlay\n"); + fwarning("cannot mount /tmp/.X11-unix in overlay\n"); else fs_logger("whitelist /tmp/.X11-unix"); free(x11); @@ -1172,7 +1171,7 @@ void fs_chroot(const char *rootdir) { exit(1); } if (copy_file("/etc/resolv.conf", fname, 0, 0, 0644) == -1) // root needed - fprintf(stderr, "Warning: /etc/resolv.conf not initialized\n"); + fwarning("/etc/resolv.conf not initialized\n"); } // chroot into the new directory diff --git a/src/firejail/fs_bin.c b/src/firejail/fs_bin.c index 73edd2ef9..c572bec88 100644 --- a/src/firejail/fs_bin.c +++ b/src/firejail/fs_bin.c @@ -86,7 +86,7 @@ static char *check_dir_or_file(const char *name) { if (!fname) { if (arg_debug) - fprintf(stderr, "Warning: file %s not found\n", name); + fwarning("file %s not found\n", name); return NULL; } diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index fd21e7515..20fcf56e7 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c @@ -72,7 +72,7 @@ static void deventry_mount(void) { struct stat s; if (stat(dev[i].run_fname, &s) == -1) { if (arg_debug) - printf("Warning: cannot stat %s file\n", dev[i].run_fname); + fwarning("cannot stat %s file\n", dev[i].run_fname); i++; continue; } @@ -254,7 +254,7 @@ void fs_dev_shm(void) { free(lnk); } else { - fprintf(stderr, "Warning: /dev/shm not mounted\n"); + fwarning("/dev/shm not mounted\n"); dbg_test_dir("/dev/shm"); } diff --git a/src/firejail/fs_etc.c b/src/firejail/fs_etc.c index 69c422f1d..59700dd9b 100644 --- a/src/firejail/fs_etc.c +++ b/src/firejail/fs_etc.c @@ -81,7 +81,7 @@ static int check_dir_or_file(const char *fname) { struct stat s; if (stat(fname, &s) == -1) { if (arg_debug) - printf("Warning: file %s not found.\n", fname); + fwarning("file %s not found.\n", fname); return 0; } @@ -109,8 +109,7 @@ static void duplicate(const char *fname, const char *private_dir, const char *pr if (asprintf(&src, "%s/%s", private_dir, fname) == -1) errExit("asprintf"); if (check_dir_or_file(src) == 0) { - if (!arg_quiet) - fprintf(stderr, "Warning: skipping %s for private %s\n", fname, private_dir); + fwarning("skipping %s for private %s\n", fname, private_dir); free(src); return; } diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 3364ef797..d24f19da7 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c @@ -119,7 +119,7 @@ static int store_xauthority(void) { struct stat s; if (stat(src, &s) == 0) { if (is_link(src)) { - fprintf(stderr, "Warning: invalid .Xauthority file\n"); + fwarning("invalid .Xauthority file\n"); return 0; } diff --git a/src/firejail/fs_mkdir.c b/src/firejail/fs_mkdir.c index f90b7df60..4397f0721 100644 --- a/src/firejail/fs_mkdir.c +++ b/src/firejail/fs_mkdir.c @@ -39,11 +39,11 @@ static void mkdir_recursive(char *path) { if (stat(subdir, &s) == -1) { /* coverity[toctou] */ if (mkdir(subdir, 0700) == -1) { - fprintf(stderr, "Warning: cannot create %s directory\n", subdir); + fwarning("cannot create %s directory\n", subdir); return; } } else if (!S_ISDIR(s.st_mode)) { - fprintf(stderr, "Warning: '%s' exists, but is no directory\n", subdir); + fwarning("'%s exists, but is not a directory\n", subdir); return; } if (chdir(subdir)) { diff --git a/src/firejail/fs_var.c b/src/firejail/fs_var.c index bbea3b392..426ef48bf 100644 --- a/src/firejail/fs_var.c +++ b/src/firejail/fs_var.c @@ -143,7 +143,7 @@ void fs_var_log(void) { fs_logger("touch /var/log/btmp"); } else - fprintf(stderr, "Warning: cannot hide /var/log directory\n"); + fwarning("cannot hide /var/log directory\n"); } void fs_var_lib(void) { @@ -269,7 +269,7 @@ void fs_var_lock(void) { fs_logger("tmpfs /var/lock"); } else { - fprintf(stderr, "Warning: /var/lock not mounted\n"); + fwarning("/var/lock not mounted\n"); dbg_test_dir("/var/lock"); } } @@ -287,7 +287,7 @@ void fs_var_tmp(void) { } } else { - fprintf(stderr, "Warning: /var/tmp not mounted\n"); + fwarning("/var/tmp not mounted\n"); dbg_test_dir("/var/tmp"); } } @@ -300,7 +300,7 @@ void fs_var_utmp(void) { if (stat(UTMP_FILE, &s) == 0) utmp_group = s.st_gid; else { - fprintf(stderr, "Warning: cannot find /var/run/utmp\n"); + fwarning("cannot find /var/run/utmp\n"); return; } diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index 43a9269ff..407192200 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c @@ -352,7 +352,7 @@ void fs_whitelist(void) { dataptr = (nowhitelist_flag)? entry->data + 12: entry->data + 10; } else { - if (!nowhitelist_flag) { + if (!nowhitelist_flag && !arg_quiet) { fprintf(stderr, "***\n"); fprintf(stderr, "*** Warning: cannot whitelist Downloads directory\n"); fprintf(stderr, "*** \tAny file saved will be lost when the sandbox is closed.\n"); @@ -438,8 +438,7 @@ void fs_whitelist(void) { if (strncmp(new_name, cfg.homedir, strlen(cfg.homedir)) == 0) { // whitelisting home directory is disabled if --private option is present if (arg_private) { - if (!arg_quiet) - printf("Warning: \"%s\" disabled by --private\n", entry->data); + fwarning("\"%s\" disabled by --private\n", entry->data); *entry->data = '\0'; continue; diff --git a/src/firejail/join.c b/src/firejail/join.c index a4b16ff8d..2f6f070e0 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c @@ -308,7 +308,7 @@ void join(pid_t pid, int argc, char **argv, int index) { int rv = nice(cfg.nice); (void) rv; if (errno) { - fprintf(stderr, "Warning: cannot set nice value\n"); + fwarning("cannot set nice value\n"); errno = 0; } } diff --git a/src/firejail/main.c b/src/firejail/main.c index 216488287..4357ddaa4 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -272,8 +272,7 @@ void check_user_namespace(void) { return; errout: - if (!arg_quiet || arg_debug) - fprintf(stderr, "Warning: noroot option is not available\n"); + fwarning("noroot option is not available\n"); arg_noroot = 0; } @@ -1074,8 +1073,7 @@ int main(int argc, char **argv) { else if (strncmp(argv[i], "--protocol=", 11) == 0) { if (checkcfg(CFG_SECCOMP)) { if (cfg.protocol) { - if (!arg_quiet) - fprintf(stderr, "Warning: a protocol list is present, the new list \"%s\" will not be installed\n", argv[i] + 11); + fwarning("a protocol list is present, the new list \"%s\" will not be installed\n", argv[i] + 11); } else { // store list @@ -1708,8 +1706,7 @@ int main(int argc, char **argv) { errExit("strdup"); if (net_get_if_addr(intf->dev, &intf->ip, &intf->mask, intf->mac, &intf->mtu)) { - if (!arg_quiet || arg_debug) - fprintf(stderr, "Warning: interface %s is not configured\n", intf->dev); + fwarning("interface %s is not configured\n", intf->dev); } intf->configured = 1; } @@ -2186,8 +2183,7 @@ int main(int argc, char **argv) { // check trace configuration if (arg_trace && arg_tracelog) { - if (!arg_quiet || arg_debug) - fprintf(stderr, "Warning: --trace and --tracelog are mutually exclusive; --tracelog disabled\n"); + fwarning("--trace and --tracelog are mutually exclusive; --tracelog disabled\n"); } // check user namespace (--noroot) options @@ -2273,12 +2269,10 @@ int main(int argc, char **argv) { // use default.profile as the default if (!custom_profile && !arg_noprofile) { if (cfg.chrootdir) { - if (!arg_quiet || arg_debug) - fprintf(stderr, "Warning: default profile disabled by --chroot option\n"); + fwarning("default profile disabled by --chroot option\n"); } else if (arg_overlay) { - if (!arg_quiet || arg_debug) - fprintf(stderr, "Warning: default profile disabled by --overlay option\n"); + fwarning("default profile disabled by --overlay option\n"); } else { // try to load a default profile @@ -2346,13 +2340,11 @@ int main(int argc, char **argv) { errExit("pipe"); if (arg_noroot && arg_overlay) { - if (!arg_quiet || arg_debug) - fprintf(stderr, "Warning: --overlay and --noroot are mutually exclusive, noroot disabled\n"); + fwarning("--overlay and --noroot are mutually exclusive, noroot disabled\n"); arg_noroot = 0; } else if (arg_noroot && cfg.chrootdir) { - if (!arg_quiet || arg_debug) - fprintf(stderr, "Warning: --chroot and --noroot are mutually exclusive, noroot disabled\n"); + fwarning("--chroot and --noroot are mutually exclusive, noroot disabled\n"); arg_noroot = 0; } diff --git a/src/firejail/netns.c b/src/firejail/netns.c index 477d56b3d..fdd108652 100644 --- a/src/firejail/netns.c +++ b/src/firejail/netns.c @@ -103,7 +103,7 @@ void netns_mounts(const char *nsname) { asprintf(&etc_name, "/etc/%s", entry->d_name) < 0) errExit("asprintf"); if (mount(netns_name, etc_name, "none", MS_BIND, 0) < 0) { - fprintf(stderr, "Warning: bind %s -> %s failed: %s\n", + fwarning("bind %s -> %s failed: %s\n", netns_name, etc_name, strerror(errno)); } free(netns_name); diff --git a/src/firejail/network.c b/src/firejail/network.c index 673c607ca..44fc4f68f 100644 --- a/src/firejail/network.c +++ b/src/firejail/network.c @@ -75,7 +75,7 @@ void net_set_mtu(const char *ifname, int mtu) { strncpy(ifr.ifr_name, ifname, IFNAMSIZ); ifr.ifr_mtu = mtu; if (ioctl(s, SIOCSIFMTU, (caddr_t)&ifr) != 0) - fprintf(stderr, "Warning: cannot set mtu for interface %s\n", ifname); + fwarning("cannot set mtu for interface %s\n", ifname); close(s); } diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c index 924a94091..3450bceea 100644 --- a/src/firejail/network_main.c +++ b/src/firejail/network_main.c @@ -59,7 +59,7 @@ void net_configure_bridge(Bridge *br, char *dev_name) { // allow unconfigured interfaces if (net_get_if_addr(br->dev, &br->ip, &br->mask, br->mac, &br->mtu)) { - fprintf(stderr, "Warning: the network interface %s is not configured\n", br->dev); + fwarning("the network interface %s is not configured\n", br->dev); br->configured = 1; br->arg_ip_none = 1; return; diff --git a/src/firejail/no_sandbox.c b/src/firejail/no_sandbox.c index 7cca6b291..ecbc5d1d0 100644 --- a/src/firejail/no_sandbox.c +++ b/src/firejail/no_sandbox.c @@ -118,7 +118,7 @@ int check_kernel_procs(void) { /* coverity[toctou] */ FILE *fp = fopen(fname, "r"); if (!fp) { - fprintf(stderr, "Warning: cannot open %s\n", fname); + fwarning("cannot open %s\n", fname); free(fname); continue; } @@ -126,7 +126,7 @@ int check_kernel_procs(void) { // read file char buf[100]; if (fgets(buf, 10, fp) == NULL) { - fprintf(stderr, "Warning: cannot read %s\n", fname); + fwarning("cannot read %s\n", fname); fclose(fp); free(fname); continue; @@ -171,7 +171,7 @@ void run_no_sandbox(int argc, char **argv) { strcmp(argv[i], "--zsh") == 0 || strcmp(argv[i], "--shell=none") == 0 || strncmp(argv[i], "--shell=", 8) == 0) - fprintf(stderr, "Warning: shell-related command line options are disregarded - using SHELL environment variable\n"); + fwarning("shell-related command line options are disregarded - using SHELL environment variable\n"); } // use $SHELL to get shell used in sandbox @@ -225,9 +225,8 @@ void run_no_sandbox(int argc, char **argv) { command = cfg.shell; else command = argv[prog_index]; - if (!arg_quiet) - fprintf(stderr, "Warning: an existing sandbox was detected. " - "%s will run without any additional sandboxing features\n", command); + fwarning("an existing sandbox was detected. " + "%s will run without any additional sandboxing features\n", command); arg_quiet = 1; start_application(); diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 53fa38845..172aff121 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -64,8 +64,7 @@ int profile_find(const char *name, const char *dir) { //*************************************************** static void warning_feature_disabled(const char *feature) { - if (!arg_quiet) - fprintf(stderr, "Warning: %s feature is disabled in Firejail configuration file\n", feature); + fwarning("%s feature is disabled in Firejail configuration file\n", feature); } @@ -513,8 +512,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { #ifdef HAVE_SECCOMP if (checkcfg(CFG_SECCOMP)) { if (cfg.protocol) { - if (!arg_quiet) - fprintf(stderr, "Warning: a protocol list is present, the new list \"%s\" will not be installed\n", ptr + 9); + fwarning("a protocol list is present, the new list \"%s\" will not be installed\n", ptr + 9); return 0; } diff --git a/src/firejail/protocol.c b/src/firejail/protocol.c index 382d469f1..098c9fb16 100644 --- a/src/firejail/protocol.c +++ b/src/firejail/protocol.c @@ -107,8 +107,8 @@ void protocol_print_filter(pid_t pid) { printf("%s\n", cfg.protocol); exit(0); #else - fprintf(stderr, "Warning: --protocol not supported on this platform\n"); - return; + fwarning("--protocol not supported on this platform\n"); + return; #endif } diff --git a/src/firejail/restrict_users.c b/src/firejail/restrict_users.c index f759e7333..086af48b0 100644 --- a/src/firejail/restrict_users.c +++ b/src/firejail/restrict_users.c @@ -69,7 +69,7 @@ static void sanitize_home(void) { struct stat s; if (stat(cfg.homedir, &s) == -1) { // cannot find home directory, just return - fprintf(stderr, "Warning: cannot find home directory\n"); + fwarning("cannot find home directory\n"); return; } @@ -194,7 +194,7 @@ static void sanitize_passwd(void) { return; errout: - fprintf(stderr, "Warning: failed to clean up /etc/passwd\n"); + fwarning("failed to clean up /etc/passwd\n"); if (fpin) fclose(fpin); if (fpout) @@ -322,7 +322,7 @@ static void sanitize_group(void) { return; errout: - fprintf(stderr, "Warning: failed to clean up /etc/group\n"); + fwarning("failed to clean up /etc/group\n"); if (fpin) fclose(fpin); if (fpout) diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 6cb1aca28..35ca4ff2d 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -391,8 +391,8 @@ static void enforce_filters(void) { } // disable all capabilities - if ((arg_caps_default_filter || arg_caps_list) && !arg_quiet) - fprintf(stderr, "Warning: all capabilities disabled for a regular user in chroot\n"); + if (arg_caps_default_filter || arg_caps_list) + fwarning("all capabilities disabled for a regular user in chroot\n"); arg_caps_drop_all = 1; // drop all supplementary groups; /etc/group file inside chroot @@ -525,8 +525,7 @@ int sandbox(void* sandbox_arg) { if (cfg.defaultgw) { // set the default route if (net_add_route(0, 0, cfg.defaultgw)) { - if (!arg_quiet) - fprintf(stderr, "Warning: cannot configure default route\n"); + fwarning("cannot configure default route\n"); gw_cfg_failed = 1; } } @@ -655,17 +654,17 @@ int sandbox(void* sandbox_arg) { if (arg_private) { if (cfg.home_private) { // --private= if (cfg.chrootdir) - fprintf(stderr, "Warning: private=directory feature is disabled in chroot\n"); + fwarning("private=directory feature is disabled in chroot\n"); else if (arg_overlay) - fprintf(stderr, "Warning: private=directory feature is disabled in overlay\n"); + fwarning("private=directory feature is disabled in overlay\n"); else fs_private_homedir(); } else if (cfg.home_private_keep) { // --private-home= if (cfg.chrootdir) - fprintf(stderr, "Warning: private-home= feature is disabled in chroot\n"); + fwarning("private-home= feature is disabled in chroot\n"); else if (arg_overlay) - fprintf(stderr, "Warning: private-home= feature is disabled in overlay\n"); + fwarning("private-home= feature is disabled in overlay\n"); else fs_private_home_list(); } @@ -675,18 +674,18 @@ int sandbox(void* sandbox_arg) { if (arg_private_dev) { if (cfg.chrootdir) - fprintf(stderr, "Warning: private-dev feature is disabled in chroot\n"); + fwarning("private-dev feature is disabled in chroot\n"); else if (arg_overlay) - fprintf(stderr, "Warning: private-dev feature is disabled in overlay\n"); + fwarning("private-dev feature is disabled in overlay\n"); else fs_private_dev(); } if (arg_private_etc) { if (cfg.chrootdir) - fprintf(stderr, "Warning: private-etc feature is disabled in chroot\n"); + fwarning("private-etc feature is disabled in chroot\n"); else if (arg_overlay) - fprintf(stderr, "Warning: private-etc feature is disabled in overlay\n"); + fwarning("private-etc feature is disabled in overlay\n"); else { fs_private_dir_list("/etc", RUN_ETC_DIR, cfg.etc_private_keep); // create /etc/ld.so.preload file again @@ -697,9 +696,9 @@ int sandbox(void* sandbox_arg) { if (arg_private_opt) { if (cfg.chrootdir) - fprintf(stderr, "Warning: private-opt feature is disabled in chroot\n"); + fwarning("private-opt feature is disabled in chroot\n"); else if (arg_overlay) - fprintf(stderr, "Warning: private-opt feature is disabled in overlay\n"); + fwarning("private-opt feature is disabled in overlay\n"); else { fs_private_dir_list("/opt", RUN_OPT_DIR, cfg.opt_private_keep); } @@ -707,9 +706,9 @@ int sandbox(void* sandbox_arg) { if (arg_private_srv) { if (cfg.chrootdir) - fprintf(stderr, "Warning: private-srv feature is disabled in chroot\n"); + fwarning("private-srv feature is disabled in chroot\n"); else if (arg_overlay) - fprintf(stderr, "Warning: private-srv feature is disabled in overlay\n"); + fwarning("private-srv feature is disabled in overlay\n"); else { fs_private_dir_list("/srv", RUN_SRV_DIR, cfg.srv_private_keep); } @@ -717,9 +716,9 @@ int sandbox(void* sandbox_arg) { if (arg_private_bin) { if (cfg.chrootdir) - fprintf(stderr, "Warning: private-bin feature is disabled in chroot\n"); + fwarning("private-bin feature is disabled in chroot\n"); else if (arg_overlay) - fprintf(stderr, "Warning: private-bin feature is disabled in overlay\n"); + fwarning("private-bin feature is disabled in overlay\n"); else { // for --x11=xorg we need to add xauth command if (arg_x11_xorg) { @@ -736,9 +735,9 @@ int sandbox(void* sandbox_arg) { if (arg_private_tmp) { if (cfg.chrootdir) - fprintf(stderr, "Warning: private-tmp feature is disabled in chroot\n"); + fwarning("private-tmp feature is disabled in chroot\n"); else if (arg_overlay) - fprintf(stderr, "Warning: private-tmp feature is disabled in overlay\n"); + fwarning("private-tmp feature is disabled in overlay\n"); else { // private-tmp is implemented as a whitelist EUID_USER(); @@ -794,9 +793,9 @@ int sandbox(void* sandbox_arg) { //**************************** // apply all whitelist commands ... if (cfg.chrootdir) - fprintf(stderr, "Warning: whitelist feature is disabled in chroot\n"); + fwarning("whitelist feature is disabled in chroot\n"); else if (arg_overlay) - fprintf(stderr, "Warning: whitelist feature is disabled in overlay\n"); + fwarning("whitelist feature is disabled in overlay\n"); else fs_whitelist(); @@ -873,8 +872,7 @@ int sandbox(void* sandbox_arg) { int rv = nice(cfg.nice); (void) rv; if (errno) { - if (!arg_quiet) - fprintf(stderr, "Warning: cannot set nice value\n"); + fwarning("cannot set nice value\n"); errno = 0; } } @@ -930,8 +928,7 @@ int sandbox(void* sandbox_arg) { if (arg_noroot) { int rv = unshare(CLONE_NEWUSER); if (rv == -1) { - if (!arg_quiet) - fprintf(stderr, "Warning: cannot create a new user namespace, going forward without it...\n"); + fwarning("cannot create a new user namespace, going forward without it...\n"); drop_privs(arg_nogroups); arg_noroot = 0; } @@ -963,7 +960,7 @@ int sandbox(void* sandbox_arg) { int no_new_privs = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); if(no_new_privs != 0 && !arg_quiet) - fprintf(stderr, "Warning: NO_NEW_PRIVS disabled, it requires a Linux kernel version 3.5 or newer.\n"); + fwarning("NO_NEW_PRIVS disabled, it requires a Linux kernel version 3.5 or newer.\n"); else if (arg_debug) printf("NO_NEW_PRIVS set\n"); } diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c index ee10f3abf..17930c0e8 100644 --- a/src/firejail/seccomp.c +++ b/src/firejail/seccomp.c @@ -90,7 +90,7 @@ int seccomp_load(const char *fname) { .filter = filter, }; if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { - fprintf(stderr, "Warning: seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n"); + fwarning("seccomp disabled, it requires a Linux kernel version 3.5 or newer.\n"); return 1; } diff --git a/src/firejail/util.c b/src/firejail/util.c index 901ea87db..bb612516b 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -59,14 +59,14 @@ void drop_privs(int nogroups) { } if (rv == -1) { - fprintf(stderr, "Warning: cannot extract supplementary group list, dropping them\n"); + fwarning("cannot extract supplementary group list, dropping them\n"); if (setgroups(0, NULL) < 0) errExit("setgroups"); } else { rv = setgroups(ngroups, groups); if (rv) { - fprintf(stderr, "Warning: cannot set supplementary group list, dropping them\n"); + fwarning("cannot set supplementary group list, dropping them\n"); if (setgroups(0, NULL) < 0) errExit("setgroups"); } @@ -115,6 +115,18 @@ int mkpath_as_root(const char* path) { return 0; } +void fwarning(char* fmt, ...) { +printf("arg_quiet %d\n", arg_quiet); + if (arg_quiet) + return; + + va_list args; + va_start(args,fmt); + fprintf(stderr, "Warning: "); + vfprintf(stderr, fmt, args); + va_end(args); +} + void logsignal(int s) { if (!arg_debug) @@ -197,14 +209,14 @@ int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, m // open source int src = open(srcname, O_RDONLY); if (src < 0) { - fprintf(stderr, "Warning: cannot open source file %s, file not copied\n", srcname); + fwarning("cannot open source file %s, file not copied\n", srcname); return -1; } // open destination int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); if (dst < 0) { - fprintf(stderr, "Warning: cannot open destination file %s, file not copied\n", destname); + fwarning("cannot open destination file %s, file not copied\n", destname); close(src); return -1; } @@ -233,7 +245,7 @@ void copy_file_as_user(const char *srcname, const char *destname, uid_t uid, gid // copy, set permissions and ownership int rv = copy_file(srcname, destname, uid, gid, mode); // already a regular user if (rv) - fprintf(stderr, "Warning: cannot copy %s\n", srcname); + fwarning("cannot copy %s\n", srcname); #ifdef HAVE_GCOV __gcov_flush(); #endif @@ -247,7 +259,7 @@ void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_ // open destination int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); if (dst < 0) { - fprintf(stderr, "Warning: cannot open destination file %s, file not copied\n", destname); + fwarning("cannot open destination file %s, file not copied\n", destname); return; } @@ -260,10 +272,10 @@ void copy_file_from_user_to_root(const char *srcname, const char *destname, uid_ int src = open(srcname, O_RDONLY); if (src < 0) { - fprintf(stderr, "Warning: cannot open source file %s, file not copied\n", srcname); + fwarning("cannot open source file %s, file not copied\n", srcname); } else { if (copy_file_by_fd(src, dst)) { - fprintf(stderr, "Warning: cannot copy %s\n", srcname); + fwarning("cannot copy %s\n", srcname); } close(src); } @@ -794,8 +806,7 @@ void flush_stdin(void) { int cnt = 0; int rv = ioctl(STDIN_FILENO, FIONREAD, &cnt); if (rv == 0 && cnt) { - if (!arg_quiet) - printf("Warning: removing %d bytes from stdin\n", cnt); + fwarning("removing %d bytes from stdin\n", cnt); rv = ioctl(STDIN_FILENO, TCFLSH, TCIFLUSH); (void) rv; } -- cgit v1.2.3-70-g09d2