From f82d9344dcef51a7306bbe718369b0015922e4f3 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Sun, 22 Sep 2019 13:18:23 +0200
Subject: various clarifications, minor fixes
---
 src/firejail/appimage.c | 2 +-
 src/firejail/mountinfo.c | 10 ++++------
 src/firejail/network.c | 2 +-
 src/firejail/sbox.c | 6 ++++--
 src/firejail/util.c | 5 ++---
 src/firejail/x11.c | 14 ++++++++++----
 src/libtrace/libtrace.c | 20 ++++++++++----------
 7 files changed, 32 insertions(+), 27 deletions(-)
(limited to 'src')
diff --git a/src/firejail/appimage.c b/src/firejail/appimage.c
index 1da765d8f..e886e81da 100644
--- a/src/firejail/appimage.c
+++ b/src/firejail/appimage.c
@@ -137,7 +137,7 @@ void appimage_set(const char *appimage) {
 errExit("setenv");
 if (size != 0 && setenv("ARGV0", appimage, 1) < 0)
 errExit("setenv");
- if (setenv("OWD", cfg.cwd, 1) < 0)
+ if (cfg.cwd && setenv("OWD", cfg.cwd, 1) < 0)
 errExit("setenv");
 // build new command line
diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c
index 42e160dec..162f5dbec 100644
--- a/src/firejail/mountinfo.c
+++ b/src/firejail/mountinfo.c
@@ -225,9 +225,9 @@ char **build_mount_array(const int mount_id, const char *path) {
 exit(1);
 }
 do {
+ parse_line(buf, &mntp);
 // find mount point with mount id
 if (!found) {
- parse_line(buf, &mntp);
 if (mntp.mountid == mount_id) {
 // give up if mount id has been reassigned,
 // don't remount blacklisted path
@@ -236,19 +236,17 @@ char **build_mount_array(const int mount_id, const char *path) {
 strstr(mntp.fsname, "firejail.ro.file"))
 break;
- rv[0] = strdup(path);
- if (rv[0] == NULL)
+ rv[cnt] = strdup(path);
+ if (rv[cnt] == NULL)
 errExit("strdup");
 cnt++;
 found = 1;
 continue;
 }
- else
- continue;
+ continue;
 }
 // from here on add all mount points below path,
 // don't remount blacklisted paths
- parse_line(buf, &mntp);
 if (strncmp(mntp.dir, path, pathlen) == 0 &&
 mntp.dir[pathlen] == '/' &&
 strstr(mntp.fsname, "firejail.ro.dir") == NULL &&
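Review bot: When `cfg.cwd` is NULL, the guarded call in appimage_set is skipped silently, so any `OWD` value inherited from the caller's environment would reach the AppImage unchanged. If OWD is meant to carry only the directory firejail itself recorded, clear it in that case with `if (!cfg.cwd && unsetenv("OWD") < 0) errExit("unsetenv");`. A one-line comment saying when `cfg.cwd` can be NULL would also explain the guard. appimage_set starts and ends outside the hunk.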
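Review bot: In the second build_mount_array hunk the inner `continue;` after `found = 1;` is now redundant, because the `continue;` that replaces the old `else` branch runs on every path through the `if (!found)` block; dropping the inner one leaves a single exit from that block. `rv[cnt] = strdup(path);` also relies on cnt still being 0 and on rv having room for the entry. Neither is visible in this hunk, so a short comment such as `// first entry: cnt is still 0 until the mount id is found` would make the assumption explicit. The function starts and ends outside the hunk.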
diff --git a/src/firejail/network.c b/src/firejail/network.c
index 3e6b9d29d..93249a29b 100644
--- a/src/firejail/network.c
+++ b/src/firejail/network.c
@@ -229,7 +229,7 @@ uint32_t network_get_defaultgw(void) {
 continue;
 char *ptr = buf;
- while (*ptr != ' ' && *ptr != '\t')
+ while (*ptr != ' ' && *ptr != '\t' && *ptr != '\0')
 ptr++;
 while (*ptr == ' ' || *ptr == '\t')
 ptr++;
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index a41e32569..e5739ecb5 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -154,13 +154,15 @@ int sbox_run(unsigned filtermask, int num, ...) {
 fprintf(stderr,"Error: cannot open %s\n", SBOX_STDIN_FILE);
 exit(1);
 }
- dup2(fd,STDIN_FILENO);
+ if (dup2(fd, STDIN_FILENO) == -1)
+ errExit("dup2");
 close(fd);
 }
 else if ((filtermask & SBOX_ALLOW_STDIN) == 0) {
 int fd = open("/dev/null",O_RDWR, 0);
 if (fd != -1) {
- dup2(fd, STDIN_FILENO);
+ if (dup2(fd, STDIN_FILENO) == -1)
+ errExit("dup2");
 close(fd);
 }
 else // the user could run the sandbox without /dev/null
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 918077235..a737f9d47 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1276,14 +1276,13 @@ int has_handler(pid_t pid, int signal) {
 char buf[BUFLEN];
 while (fgets(buf, BUFLEN, fp)) {
 if (strncmp(buf, "SigCgt:", 7) == 0) {
- char *ptr = buf + 7;
 unsigned long long val;
- if (sscanf(ptr, "%llx", &val) != 1) {
+ if (sscanf(buf + 7, "%llx", &val) != 1) {
 fprintf(stderr, "Error: cannot read /proc file\n");
 exit(1);
 }
 val >>= (signal - 1);
- val &= 1;
+ val &= 1ULL;
 fclose(fp);
 return val; // 1 if process has a handler for the signal, else 0
 }
diff --git a/src/firejail/x11.c b/src/firejail/x11.c
index 49ffc8723..0927593b0 100644
--- a/src/firejail/x11.c
+++ b/src/firejail/x11.c
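Review bot: With the added `*ptr != '\0'` test, the first loop in network_get_defaultgw can stop on the terminator of a line that contains no whitespace, and the second loop then leaves ptr on that terminator. The parsing that follows is outside the hunk, so it is unclear whether it rejects an empty remainder. If it does not, make the malformed-line case explicit with `if (*ptr == '\0') continue;` after the two loops.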
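Review bot: Both branches in sbox_run still call `close(fd)` after the new dup2 check without testing whether fd is already STDIN_FILENO. If this code is reached with descriptor 0 closed, the open can return 0, `dup2(0, 0)` succeeds as a no-op, and the close then leaves stdin closed, so the next file the helper opens would land on descriptor 0. Guarding both sites with `if (fd != STDIN_FILENO) close(fd);` removes that dependency. Whether descriptor 0 can be closed at this point depends on code outside the hunk.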
@@ -1321,12 +1321,18 @@ void x11_block(void) {
 }
 // blacklist sockets
- profile_check_line("blacklist /tmp/.X11-unix", 0, NULL);
- profile_add(strdup("blacklist /tmp/.X11-unix"));
+ char *cmd = strdup("blacklist /tmp/.X11-unix");
+ if (!cmd)
+ errExit("strdup");
+ profile_check_line(cmd, 0, NULL);
+ profile_add(cmd);
 // blacklist .Xauthority
- profile_check_line("blacklist ${HOME}/.Xauthority", 0, NULL);
- profile_add(strdup("blacklist ${HOME}/.Xauthority"));
+ cmd = strdup("blacklist ${HOME}/.Xauthority");
+ if (!cmd)
+ errExit("strdup");
+ profile_check_line(cmd, 0, NULL);
+ profile_add(cmd);
 char *xauthority = getenv("XAUTHORITY");
 if (xauthority) {
 char *line;
diff --git a/src/libtrace/libtrace.c b/src/libtrace/libtrace.c
index 0c21b9b70..db04ee1ae 100644
--- a/src/libtrace/libtrace.c
+++ b/src/libtrace/libtrace.c
@@ -56,7 +56,7 @@ static orig_access_t orig_access = NULL;
 static FILE *ftty = NULL;
 static pid_t mypid = 0;
 #define MAXNAME 16
-static char myname[MAXNAME] = {'\0', };
+static char myname[MAXNAME] = "unknown";
 static void init(void) __attribute__((constructor));
 void init(void) {
@@ -84,13 +84,15 @@ void init(void) {
 // process name
 char *fname;
- if (asprintf(&fname, "/proc/%u/comm", mypid) == -1)
- strncpy(myname, "unknown", MAXNAME-1);
-
- // read file
- FILE *fp = orig_fopen(fname, "r");
- if (!fp || fgets(myname, MAXNAME, fp) == NULL)
- strncpy(myname, "unknown", MAXNAME-1);
+ if (asprintf(&fname, "/proc/%u/comm", mypid) != -1) {
+ FILE *fp = orig_fopen(fname, "r");
+ free(fname);
+ if (fp) {
+ if (fgets(myname, MAXNAME, fp) == NULL)
+ strncpy(myname, "unknown", MAXNAME-1);
+ fclose(fp);
+ }
+ }
 // clean '\n'
 char *ptr = strchr(myname, '\n');
@@ -98,8 +100,6 @@ void init(void) {
 *ptr = '\0';
 tprintf(ftty, "=== tracelib init() [%d:%s] === \n", mypid, myname);
- fclose(fp);
- free(fname);
 }
 static void fini(void) __attribute__((destructor));
-- cgit v1.2.3-54-g00ecf
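Review bot: The result of `profile_check_line(cmd, 0, NULL)` is not used in x11_block, and `profile_add(cmd)` runs unconditionally for both blacklist entries. The declaration of profile_check_line is not visible here; if it reports through its return value whether a line should be stored, write `if (profile_check_line(cmd, 0, NULL)) profile_add(cmd);` at both sites. A comment stating that profile_add keeps the pointer (presumably the reason cmd is never freed) would also document the ownership the new code relies on. The function starts and ends outside the hunk.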
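Review bot: In the second libtrace hunk, the fgets failure path of init() keeps `strncpy(myname, "unknown", MAXNAME-1);`, which writes only the first MAXNAME-1 bytes and so leaves termination dependent on the last byte of myname never having been overwritten. `snprintf(myname, sizeof(myname), "%s", "unknown");` terminates the buffer unconditionally. The new asprintf line also formats mypid, a pid_t, with `%u`, while the tprintf at the end of init() uses `%d`; `%d` is the specifier that matches the signed type. Note too that `orig_fopen` is called without a NULL check in the visible lines; if its initialisation earlier in init() can fail, the call needs a guard.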