And improve the comment.
Fixes the following:
$ ./ci/check/profiles/sort-firecfg.config.sh src/firecfg/firecfg.config
sort: -:979: disorder: warzone2100
This amends commit 4422c9358 ("warzone2100 for Debian/Ubuntu -
/usr/bin/warzone2100 is a script calling /usr/bin/warzone2100.real",
2025-08-19).
Simplify the deallocation of `cmd` to make it easier to understand,
which looks like it would fix a potential memory leak of `cmd`:
    if (!cmd) {
        cmd = pid_proc_cmdline(pid); // alloc
    }
    if (add_new) {
        // ... // no dealloc
    }
    else if (proc_ev->what == PROC_EVENT_EXIT && pids[pid].level == 1) {
        // ... // no dealloc
    }
    else {
        // ...
        else {
            sprintf(lineptr, " %s\n", cmd);
            if (cmd != pids[pid].option.event.cmd) {
                free(cmd); // dealloc
            }
        }
        // ...
    }
This is a follow-up to commit 5ec00f70c ("fix: avoid cmd double-free in
procevent_monitor", 2025-07-31) / PR #6846.
Relates to #6792.
When checking if a .desktop file is valid, firecfg currently searches
for the first occurrence of `.desktop` in the filename and checks that
it is at the end of the string.
This fails if the filename contains multiple occurrences of `.desktop`,
such as the one for Telegram Desktop, `org.telegram.desktop.desktop`:
$ sudo firecfg
[...]
org.telegram.desktop.desktop skipped (not a .desktop file)
Instead, start the `.desktop` comparison from the last `.` character in
the filename.
This amends commit a9c851ee4 ("firecfg: use ignorelist also for .desktop
files", 2024-01-08) / PR #6153.
Fixes #6865.
Relates to #5245 #5876.
Reported-by: @tht2005
Reported-by: @rusty-snake
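Added example (not firejail's code) showing the two suffix checks described above: a naive form that starts at the first `.desktop` occurrence, reconstructed here from the commit message rather than taken from the project, beside the fixed form that starts at the last `.` in the name. The function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DESKTOP_SUFFIX ".desktop"

/* Naive check: find the first ".desktop" in the name and require it to be
 * the end of the string. A name containing ".desktop" more than once, such
 * as org.telegram.desktop.desktop, fails because the first occurrence is
 * followed by another ".desktop". */
bool is_desktop_file_naive(const char *name) {
	const char *p = strstr(name, DESKTOP_SUFFIX);
	return p != NULL && strcmp(p, DESKTOP_SUFFIX) == 0;
}

/* Fixed check: start the comparison at the last '.' so that only the real
 * extension is examined. */
bool is_desktop_file(const char *name) {
	const char *dot = strrchr(name, '.');
	return dot != NULL && strcmp(dot, DESKTOP_SUFFIX) == 0;
}

int main(void) {
	/* Constructed sample names. */
	const char *names[] = {
		"org.telegram.desktop.desktop",
		"firefox.desktop",
		"firefox.desktop.bak",
		"desktop",
	};
	for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
		printf("%-30s naive=%d fixed=%d\n", names[i],
		       is_desktop_file_naive(names[i]), is_desktop_file(names[i]));
	return 0;
}
```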
From @kolAflash[1]:
> The `noinput` setting for Wine prevents Joysticks from being used in
> Wine.
> Use the Wine "control" center for testing: `wine control`.
>
> There you find a `Gamecontroller` program for testing.
Fixes #6866.
Relates to #6707.
[1] https://github.com/netblue30/firejail/issues/6866#issue-3328634575
Suggested-by: @kolAflash
Changes:
* Copy the `build` job from build.yml to `build-gcc` in build-extra.yml
* Remove `--enable-analyzer` in the main build
`-fanalyzer` increases the chance of false positives (compared to using
just the normal warning flags), so leave it just in build-extra to make
it clearer why the main build fails (that is, build errors, normal
warnings or analyzer warnings).
For consistency and simplicity, name the `apt-get install` step just
"install dependencies" in all jobs.
Affected jobs:
* check-c.yml: scan-build
* check-c.yml: cppcheck
Related commits:
* 94e2ce275 ("Create build.yml (#3651)", 2020-10-01)
* 0fa11826b ("build: test build with apparmor and selinux in CI",
2020-10-01)
It looks like it could happen if a line in /etc/firejail/firejail.config
starts with `netfilter-default ` and there is a space or tab right after
that.
$ pacman -Q gcc14 glibc
gcc14 14.3.1+r25+g42e99e057bd7-1
glibc 2.42+r3+gbc13db739377-1
$ ./configure --enable-analyzer CC=gcc-14 >/dev/null &&
make clean >/dev/null && make >/dev/null
[...]
../../src/firejail/checkcfg.c: In function ‘checkcfg’:
../../src/firejail/checkcfg.c:137:40: warning: infinite loop [CWE-835] [-Wanalyzer-infinite-loop]
  137 |     while (*fname == ' ' || *fname == '\t')
      |            ^~~~~~
  ‘checkcfg’: events 1-5
    |
    |  137 |     while (*fname == ' ' || *fname == '\t')
    |      |            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |            |                             |
    |      |            |                             (2) if it ever follows ‘true’ branch, it will always do so...
    |      |            (1) infinite loop here
    |      |            (5) ...to here
    |  138 |         ptr++;
    |      |         ~~~~~
    |      |         |
    |      |         (3) ...to here
    |      |         (4) looping back...
    |
[...]
Added on commit 340a6b2ee ("added netfilter-default config option in
/etc/firejail/firejail.config", 2016-07-28).
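Added example (not firejail's code) of the pattern behind the diagnostic above: the quoted loop tests `*fname` but advances `ptr`, so once `*fname` is a blank the condition never changes. The helper below tests and advances the same pointer, and the `key value` line parser around it is a constructed stand-in for the option lines the commit message describes; the function names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return a pointer to the first character of s that is not a space or tab.
 * The loop condition and the increment use the same pointer, so a run of
 * blanks (including a line that ends in blanks) terminates at '\0'. */
const char *skip_blanks(const char *s) {
	while (*s == ' ' || *s == '\t')
		s++;
	return s;
}

/* If `line` starts with `option` followed by at least one space or tab,
 * return a pointer to the value with leading blanks skipped (possibly an
 * empty string if only blanks follow); otherwise return NULL. */
const char *option_value(const char *line, const char *option) {
	size_t len = strlen(option);
	if (strncmp(line, option, len) != 0)
		return NULL;
	const char *rest = line + len;
	/* Reject a longer option that merely shares the prefix. */
	if (*rest != ' ' && *rest != '\t')
		return NULL;
	return skip_blanks(rest);
}

int main(void) {
	/* Constructed config lines; the value is a placeholder filename. */
	const char *lines[] = {
		"netfilter-default  \tmy-filter.net",
		"netfilter-default \t",
		"netfilter-defaultx foo",
	};
	for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
		const char *v = option_value(lines[i], "netfilter-default");
		printf("%-36s -> %s\n", lines[i], v ? v : "(no match)");
	}
	return 0;
}
```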
All other debug messages in procevent.c use the `%s: %d, ` format.
Note that by default this line is not actually compiled (unless
`DEBUG_PRCTL` is defined).
Added on commit d72a43af0 ("firemon fixes", 2016-02-29).
Kind of relates to #6792.
Besides ignoring whitelist-run-user-common.inc itself, also ignore the
lines from the keepassxc comment from firefox-common.profile, to prevent
them from applying whitelisting to `${RUNUSER}`, which could break the
program due to missing xorg/wayland sockets from wruc.
This amends commit b787548b1 ("profiles: browsers: centralize/sync
keepassxc extension comment", 2024-07-14) / PR #6486.
Fixes #6839.
Reported-by: @Gilrain
Reported-by: @rusty-snake
The Debian CI site is apparently used for testing packages before the
official Debian packages are built.
Currently it is only listed in places like #6702, so add it to the main
list to make it easier to find.
Also add links for the Debian Package Tracker and Ubuntu PPA since they
are related.
Relates to #6702 #6842.
Changes:
* Use `strace --trace=%file` instead of `| grep open`, so that more
path-related syscalls are traced (rather than just `open*`)
* Always use `strace -f` to ensure that child processes are also traced
* Add an example using firejail + strace for `--private-etc`
* Improve formatting/grammar
* Add references between commands related to strace
Added on commit 9774ab8a3 ("private-etc rework: new man page",
2023-01-25) / issue #6400.
Misc: This was noticed on #6843.
There is a possible execution path in the procevent_monitor function
where the allocated memory for cmd may be deallocated twice.
This commit adds a check before deallocating the memory.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>