From 4ea68a4e03592d1c685f760f66eebe3018536416 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sun, 27 Nov 2016 18:10:50 -0500
Subject: cleanup
---
 src/faudit/syscall.c | 3 ++-
 src/firejail/checkcfg.c | 9 ++++++---
 src/firejail/ls.c | 10 ++++++----
 src/firejail/netfilter.c | 8 +++++---
 src/firejail/sbox.c | 4 +---
 src/firejail/seccomp.c | 2 +-
 src/firejail/x11.c | 4 +++-
 src/fseccomp/seccomp_print.c | 2 +-
 8 files changed, 25 insertions(+), 17 deletions(-)
(limited to 'src')
diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c
index 3c87305df..4cd2526ba 100644
--- a/src/faudit/syscall.c
+++ b/src/faudit/syscall.c
@@ -35,7 +35,8 @@ void syscall_helper(int argc, char **argv) {
 (void) argc;
 if (strcmp(argv[2], "mount") == 0) {
- mount(NULL, NULL, NULL, 0, NULL);
+ int rv = mount(NULL, NULL, NULL, 0, NULL);
+ (void) rv;
 printf("\nUGLY: mount syscall permitted.\n");
 }
 else if (strcmp(argv[2], "umount2") == 0) {
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 974fbb8a3..6565f488a 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -33,6 +33,7 @@ int checkcfg(int val) {
 assert(val < CFG_MAX);
 int line = 0;
 FILE *fp = NULL;
+ char *ptr;
 if (!initialized) {
 // initialize defaults
@@ -76,7 +77,7 @@ int checkcfg(int val) {
 continue;
 // parse line
- char *ptr = line_remove_spaces(buf);
+ ptr = line_remove_spaces(buf);
 if (!ptr)
 continue;
@@ -286,8 +287,10 @@ int checkcfg(int val) {
 return cfg_val[val];
 errout:
- if (fp)
- fclose(fp);
+ assert(ptr);
+ free(ptr);
+ assert(fp);
+ fclose(fp);
 fprintf(stderr, "Error: invalid line %d in firejail configuration file\n", line );
 exit(1);
 }
diff --git a/src/firejail/ls.c b/src/firejail/ls.c
index 4b4ae1de2..77eb35f97 100644
--- a/src/firejail/ls.c
+++ b/src/firejail/ls.c
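Review bot: In src/faudit/syscall.c, syscall_helper() prints "UGLY: mount syscall permitted." whatever mount() returned, and the new `(void) rv;` discards the result without saying why. The test appears to rely on the seccomp filter killing the process before the printf is reached; if a filter answers with an errno instead, the message would still be printed. A comment such as `// result ignored on purpose: reaching the printf means the filter did not kill us` would record that assumption, or the branch could inspect `errno` to tell a filtered call from one the kernel rejected for its NULL arguments. The function body continues outside the hunk.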
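Review bot: In src/firejail/checkcfg.c the new `char *ptr;` at the top of checkcfg() (hunk -33,6) is uninitialised, and the rewritten `errout:` path (hunk -286,8) reads it in `assert(ptr); free(ptr);`. Any `goto errout` taken before the first `ptr = line_remove_spaces(buf);` would free an indeterminate pointer, and when built with NDEBUG both asserts vanish, so `fclose(fp)` also loses the NULL guard the old `if (fp)` provided. The jumps to errout lie outside the hunks, so this is a precaution rather than a confirmed fault. Declaring `char *ptr = NULL;` and ending the path with `free(ptr); if (fp) fclose(fp);` keeps the cleanup safe on every route, since free(NULL) is a no-op.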
@@ -259,11 +259,11 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
 drop_privs(0);
 // check access
- /* coverity[toctou] */
 if (access(fname1, R_OK) == -1) {
 fprintf(stderr, "Error: Cannot access %s\n", fname1);
 exit(1);
 }
+ /* coverity[toctou] */
 char *rp = realpath(fname1, NULL);
 if (!rp) {
 fprintf(stderr, "Error: Cannot access %s\n", fname1);
@@ -316,9 +316,11 @@ void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
 // create a user-owned temporary file in /run/firejail directory
 char tmp_fname[] = "/run/firejail/tmpget-XXXXXX";
 int fd = mkstemp(tmp_fname);
- SET_PERMS_FD(fd, getuid(), getgid(), 0600);
- close(fd);
-
+ if (fd != -1) {
+ SET_PERMS_FD(fd, getuid(), getgid(), 0600);
+ close(fd);
+ }
+
 // copy the source file into the temporary file - we need to chroot
 pid_t child = fork();
 if (child < 0)
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index 0136ab1f8..43f08e45b 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -85,12 +85,14 @@ void netfilter(const char *fname) {
 filter = malloc(size + 1); // + '\0'
 if (filter == NULL)
 goto errexit;
- memset(&filter[0], 0, sizeof(filter));
+ memset(filter, 0, size + 1);
 int rd = 0;
 while (rd < size) {
 int rv = read(fd, (unsigned char *) filter + rd, size - rd);
- if (rv == -1)
+ if (rv == -1) {
+ close(fd);
 goto errexit;
+ }
 rd += rv;
 }
@@ -207,7 +209,7 @@ void netfilter6(const char *fname) {
 filter = malloc(size + 1); // + '\0'
 if (filter == NULL)
 goto errexit;
- memset(&filter[0], 0, sizeof(filter));
+ memset(filter, 0, size + 1);
 int rd = 0;
 while (rd < size) {
 int rv = read(fd, (unsigned char *) filter + rd, size - rd);
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index dbfdd445a..65c4e35e9 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
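Review bot: The `/* coverity[toctou] */` marker moved onto `realpath(fname1, NULL)` in sandboxfs() (src/firejail/ls.c, hunk -259,11) silences the check-then-use finding for the access()/realpath() pair without recording why the race is tolerable. The visible context calls `drop_privs(0)` just before, which is presumably the justification; a separate line above the marker such as `// race accepted: privileges were dropped above (confirm nothing later re-opens the path with elevated rights)` would make the suppression reviewable. The same applies to the marker added before `unlink(tmpfname)` in x11_xorg() (src/firejail/x11.c, hunk -716,6). Both functions continue outside their hunks.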
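Review bot: When mkstemp() fails in sandboxfs() (src/firejail/ls.c, hunk -316,9), the new `if (fd != -1)` only skips SET_PERMS_FD and close, and execution carries on to fork() with `tmp_fname` naming a file that was never created. Whatever later opens that path under /run/firejail would then operate on a name mkstemp did not reserve, which removes the protection the call was meant to give. Failing closed is safer: `if (fd == -1) errExit("mkstemp");` ahead of the permission change, assuming errExit (used the same way in x11.c in this patch) is available in ls.c. The code that consumes tmp_fname is outside the hunk.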
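Review bot: The read loop in netfilter() (src/firejail/netfilter.c, hunk -85,12) stops only on `rv == -1`, so a read() that returns 0 before `size` bytes have arrived (for instance a file truncated after its size was taken) leaves `rd` unchanged and the loop never terminates. Treating a short file as an error closes that: `if (rv <= 0) {`. This commit adds `close(fd)` to the error branch here but not to the identical loop in netfilter6() (hunk -207,7), and the same loop shape appears in seccomp_load() (src/firejail/seccomp.c) and load_seccomp() (src/fseccomp/seccomp_print.c); their error branches lie outside the hunks, so they should be checked for the same descriptor leak and the same zero-return case. What errexit does with `filter` is not visible either.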
@@ -145,12 +145,10 @@ int sbox_run(unsigned filter, int num, ...) {
 int fd = open("/dev/null",O_RDWR, 0);
 if (fd != -1) {
 dup2 (fd, STDIN_FILENO);
- if (fd > 2)
- close (fd);
+ close(fd);
 }
 else // the user could run the sandbox without /dev/null
 close(STDIN_FILENO);
- close(fd);
 }
 umask(027);
diff --git a/src/firejail/seccomp.c b/src/firejail/seccomp.c
index dd133b2ba..cdbbe4fdd 100644
--- a/src/firejail/seccomp.c
+++ b/src/firejail/seccomp.c
@@ -72,7 +72,7 @@ int seccomp_load(const char *fname) {
 struct sock_filter *filter = malloc(size);
 if (filter == NULL)
 goto errexit;
- memset(&filter[0], 0, sizeof(filter));
+ memset(filter, 0, size);
 int rd = 0;
 while (rd < size) {
 int rv = read(fd, (unsigned char *) filter + rd, size - rd);
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 807f2d5f0..d9b3b23d1 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
@@ -252,7 +252,8 @@ void x11_start_xephyr(int argc, char **argv) {
 }
 for (i = 0; i < (int) strlen(xephyr_extra_params)-1; i++) {
- if (pos >= (sizeof(server_argv)/sizeof(*server_argv))) {
+//todo: if working , add a -2 also in 0.9.44-bugfix
+ if (pos >= (sizeof(server_argv)/sizeof(*server_argv)) - 2) {
 fprintf(stderr, "Error: arg count limit exceeded while parsing xephyr_extra_params\n");
 exit(1);
 }
@@ -716,6 +717,7 @@ void x11_xorg(void) {
 }
 if (set_perms(RUN_XAUTHORITY_SEC_FILE, getuid(), getgid(), 0600))
 errExit("set_perms");
+ /* coverity[toctou] */
 unlink(tmpfname);
 // mount
diff --git a/src/fseccomp/seccomp_print.c b/src/fseccomp/seccomp_print.c
index af240307c..e22c682dc 100644
--- a/src/fseccomp/seccomp_print.c
+++ b/src/fseccomp/seccomp_print.c
@@ -45,7 +45,7 @@ static void load_seccomp(const char *fname) {
 filter = malloc(size);
 if (filter == NULL)
 goto errexit;
- memset(&filter[0], 0, sizeof(filter));
+ memset(filter, 0, size);
 int rd = 0;
 while (rd < size) {
 int rv = read(fd, (unsigned char *) filter + rd, size - rd);
--
cgit v1.2.3-54-g00ecf
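Review bot: Dropping the `if (fd > 2)` guard in sbox_run() (src/firejail/sbox.c) means that when open("/dev/null") itself returns descriptor 0, which happens if the process was started with stdin already closed, `dup2 (fd, STDIN_FILENO)` is a no-op and the following `close(fd)` closes the stdin that was just set up. The child then runs with descriptor 0 free, so the next file it opens silently becomes its standard input. Removing the stray trailing `close(fd)` is right, but the close inside the branch should stay conditional, e.g. `if (fd != STDIN_FILENO) close(fd);`. The return value of dup2() is also unchecked, and the function continues outside the hunk.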
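Review bot: The bound `(sizeof(server_argv)/sizeof(*server_argv)) - 2` in x11_start_xephyr() (src/firejail/x11.c, hunk -252,7) guards writes into server_argv with an unexplained magic number, and the `//todo: if working , add a -2 also in 0.9.44-bugfix` line above it says the value has not been verified. State what the two reserved slots are for (presumably the entries appended after this loop plus the terminating NULL, which are outside the hunk) in a comment such as `// keep 2 slots free: <entry appended after the loop> + NULL terminator`, and drop the todo once that is confirmed. The right-hand side is a size_t expression while the type of `pos` is not visible here; if `pos` is signed it is converted to unsigned for this comparison.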