Replace almost all debug `printf` calls with `debug_prctl` to reduce the
amount of duplication and `ifdefs`.
Note: There is one debug `printf` call that uses a different message
format, so it is left as is.
Command used to search and replace:
$ perl -0 -pi -e 's/#ifdef DEBUG_PRCTL\n(\s+)printf\("%s: %d, ([^\n]+)", __FUNCTION__, __LINE__([^\n]+)\n#endif/${1}debug_prctl("$2"$3/g; \
s/(debug_prctl\("event[^\n]+)/\t\t\t\t$1\n/g' \
src/firemon/procevent.c
Relates to #6792.

The `--check-level=exhaustive` option was briefly added, then changed to
`--max-ctu-depth=40`, presumably because the version being used in CI
(cppcheck 2.7 on ubuntu-22.04) did not support the former.
The current version in CI (cppcheck 2.13 on ubuntu-24.04) supports that
option, so restore it.
This fixes a flood of `information:` messages (which appear even with
`-q`) in the latest version of cppcheck:
$ cppcheck --version
Cppcheck 2.18.0
$ make cppcheck
cppcheck -q -j 4 --force --error-exitcode=1 --enable=warning,performance \
--max-ctu-depth=40 \
-i src/firejail/checkcfg.c \
-i src/firejail/main.c \
-i src/lib/syscall.c \
.
cppcheck: --max-ctu-depth is being capped at 10. This limitation will be removed in a future Cppcheck version.
src/etc-cleanup/main.c:0:0: information: Limiting analysis of branches. Use --check-level=exhaustive to analyze all branches. [normalCheckLevelMaxBranches]
^
src/fbuilder/build_bin.c:0:0: information: Limiting analysis of branches. Use --check-level=exhaustive to analyze all branches. [normalCheckLevelMaxBranches]
^
src/fbuilder/build_fs.c:0:0: information: Limiting analysis of branches. Use --check-level=exhaustive to analyze all branches. [normalCheckLevelMaxBranches]
^
[...]
This is a follow-up to #6874.
Related commits:
* be3c2a071 ("some problems reported by ccpcheck", 2025-08-17)
* d4881b6bc ("cppcheck cleanup", 2025-08-17)
* ebb368780 ("ci: cppcheck: upgrade ubuntu-22.04 to ubuntu-24.04",
2025-08-20) / PR #6874
And improve the comment.

Fixes the following:
$ ./ci/check/profiles/sort-firecfg.config.sh src/firecfg/firecfg.config
sort: -:979: disorder: warzone2100
This amends commit 4422c9358 ("warzone2100 for Debian/Ubuntu -
/usr/bin/warzone2100 is a script calling /usr/bin/warzone2100.real",
2025-08-19).

Simplify the deallocation of `cmd` to make it easier to understand,
which looks like it would fix a potential memory leak of `cmd`:
	if (!cmd) {
		cmd = pid_proc_cmdline(pid); // alloc
	}
	if (add_new) {
		// ... // no dealloc
	}
	else if (proc_ev->what == PROC_EVENT_EXIT && pids[pid].level == 1) {
		// ... // no dealloc
	}
	else {
		// ...
		else {
			sprintf(lineptr, " %s\n", cmd);
			if (cmd != pids[pid].option.event.cmd) {
				free(cmd); // dealloc
			}
		}
		// ...
	}
This is a follow-up to commit 5ec00f70c ("fix: avoid cmd double-free in
procevent_monitor", 2025-07-31) / PR #6846.
Relates to #6792.

When checking if a .desktop file is valid, firecfg currently searches
for the first occurrence of `.desktop` in the filename and checks that
it is at the end of the string.
This fails if the filename contains multiple occurrences of `.desktop`,
such as the one for Telegram Desktop, `org.telegram.desktop.desktop`:
$ sudo firecfg
[...]
org.telegram.desktop.desktop skipped (not a .desktop file)
Instead, start the `.desktop` comparison from the last `.` character in
the filename.
This amends commit a9c851ee4 ("firecfg: use ignorelist also for .desktop
files", 2024-01-08) / PR #6153.
Fixes #6865.
Relates to #5245 #5876.
Reported-by: @tht2005
Reported-by: @rusty-snake

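As an added illustration (not firecfg's own code), the two suffix checks described above side by side in C; the first-occurrence version is a reconstruction of the described behaviour rather than a copy of the old source, and the sample file names are constructed:

```c
#include <stdio.h>
#include <string.h>

/* Added example, not firecfg's own code. Both functions are
 * reconstructions written for this example. */

/* Assumed shape of the old check: find the FIRST ".desktop" and require
 * that it sits at the end of the string. Fails on names that contain
 * ".desktop" more than once. */
static int is_desktop_file_first(const char *name) {
	const char *p = strstr(name, ".desktop");
	if (!p)
		return 0;
	return strcmp(p, ".desktop") == 0;
}

/* Corrected check: start the comparison at the LAST '.' in the name, so
 * only the real extension is examined. */
static int is_desktop_file_last(const char *name) {
	const char *p = strrchr(name, '.');
	if (!p)
		return 0;
	return strcmp(p, ".desktop") == 0;
}

int main(void) {
	/* Constructed sample names, including the Telegram Desktop case. */
	const char *names[] = {
		"org.telegram.desktop.desktop",
		"firefox.desktop",
		"notes.desktop.bak",
		"README",
	};
	for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
		printf("%-30s first=%d last=%d\n", names[i],
		       is_desktop_file_first(names[i]),
		       is_desktop_file_last(names[i]));
	return 0;
}
```

Both versions still reject `notes.desktop.bak`, which is the case the original first-occurrence check was guarding against; only the last-dot version additionally accepts `org.telegram.desktop.desktop`.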
From @kolAflash[1]:
> The `noinput` setting for Wine prevents Joysticks from being used in
> Wine.
> Use the Wine "control" center for testing: `wine control`.
>
> There you find a `Gamecontroller` program for testing.
Fixes #6866.
Relates to #6707.
[1] https://github.com/netblue30/firejail/issues/6866#issue-3328634575
Suggested-by: @kolAflash

Changes:
* Copy the `build` job from build.yml to `build-gcc` in build-extra.yml
* Remove `--enable-analyzer` in the main build
`-fanalyzer` increases the chance of false positives (compared to using
just the normal warning flags), so leave it just in build-extra to make
it clearer why the main build fails (that is, build errors, normal
warnings or analyzer warnings).

For consistency and simplicity, name the `apt-get install` step just
"install dependencies" in all jobs.
Affected jobs:
* check-c.yml: scan-build
* check-c.yml: cppcheck
Related commits:
* 94e2ce275 ("Create build.yml (#3651)", 2020-10-01)
* 0fa11826b ("build: test build with apparmor and selinux in CI",
2020-10-01)

It looks like it could happen if a line in /etc/firejail/firejail.config
starts with `netfilter-default ` and there is a space or tab right after
that.
$ pacman -Q gcc14 glibc
gcc14 14.3.1+r25+g42e99e057bd7-1
glibc 2.42+r3+gbc13db739377-1
$ ./configure --enable-analyzer CC=gcc-14 >/dev/null &&
make clean >/dev/null && make >/dev/null
[...]
../../src/firejail/checkcfg.c: In function ‘checkcfg’:
../../src/firejail/checkcfg.c:137:40: warning: infinite loop [CWE-835] [-Wanalyzer-infinite-loop]
137 | while (*fname == ' ' || *fname == '\t')
| ^~~~~~
‘checkcfg’: events 1-5
|
| 137 | while (*fname == ' ' || *fname == '\t')
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | | |
| | | (2) if it ever follows ‘true’ branch, it will always do so...
| | (1) infinite loop here
| | (5) ...to here
| 138 | ptr++;
| | ~~~~~
| | |
| | (3) ...to here
| | (4) looping back...
|
[...]
Added on commit 340a6b2ee ("added netfilter-default config option in
/etc/firejail/firejail.config", 2016-07-28).

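Added example, not firejail's own code, showing the loop shape the analyzer complains about (the condition reads `*fname` while the body advances `ptr`) next to a version that advances the pointer it tests, wrapped in an assumed `parse_netfilter_default()` helper; the config lines and the file path are constructed samples:

```c
#include <stdio.h>
#include <string.h>

/* Added example, not firejail's own code. The helper names and the
 * config lines below are constructed for this example. */

#define KEYWORD "netfilter-default "

/* Models the loop flagged by -fanalyzer: the condition tests *fname but
 * the body advances a different pointer, so if the first byte is a blank
 * the condition never changes. A step cap is added here only so the
 * demonstration terminates; it returns -1 when the cap is hit. */
static int skip_blanks_buggy(const char *fname, int max_steps) {
	const char *ptr = fname;
	int steps = 0;
	while (*fname == ' ' || *fname == '\t') {
		if (++steps > max_steps)
			return -1;
		ptr++;
	}
	(void)ptr;
	return steps;
}

/* Correct version: advance the same pointer that the condition reads. */
static const char *skip_blanks(const char *fname) {
	while (*fname == ' ' || *fname == '\t')
		fname++;
	return fname;
}

/* Returns the file name from a "netfilter-default <file>" config line
 * (blanks after the keyword removed), or NULL if the line is not a
 * netfilter-default entry or the value is empty. */
static const char *parse_netfilter_default(const char *line) {
	if (strncmp(line, KEYWORD, strlen(KEYWORD)) != 0)
		return NULL;
	const char *fname = skip_blanks(line + strlen(KEYWORD));
	return *fname ? fname : NULL;
}

int main(void) {
	/* Constructed config lines; the second has extra blanks after the keyword. */
	const char *lines[] = {
		"netfilter-default /etc/firejail/example.net",
		"netfilter-default  \t/etc/firejail/example.net",
		"netfilter-default ",
		"quiet-by-default yes",
	};
	for (size_t i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
		const char *v = parse_netfilter_default(lines[i]);
		printf("%-45s -> %s\n", lines[i], v ? v : "(ignored)");
	}
	printf("buggy loop on \" \\t/x\": %d\n", skip_blanks_buggy(" \t/x", 1000));
	return 0;
}
```

The buggy loop only misbehaves when the byte right after the keyword is a blank, which is exactly the "space or tab right after that" condition described above; on every other input it exits immediately, which is why it went unnoticed.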
All other debug messages in procevent.c use the `%s: %d, ` format.
Note that by default this line is not actually compiled (unless
`DEBUG_PRCTL` is defined).
Added on commit d72a43af0 ("firemon fixes", 2016-02-29).
Kind of relates to #6792.

Besides ignoring whitelist-run-user-common.inc itself, also ignore the
lines from the keepassxc comment from firefox-common.profile, to prevent
them from applying whitelisting to `${RUNUSER}`, which could break the
program due to missing xorg/wayland sockets from wruc.
This amends commit b787548b1 ("profiles: browsers: centralize/sync
keepassxc extension comment", 2024-07-14) / PR #6486.
Fixes #6839.
Reported-by: @Gilrain
Reported-by: @rusty-snake

The Debian CI site is apparently used for testing packages before the
official Debian packages are built.
Currently it is only listed in places like #6702, so add it to the main
list to make it easier to find.
Also add links for the Debian Package Tracker and Ubuntu PPA since they
are related.
Relates to #6702 #6842.

Changes:
* Use `strace --trace=%file` instead of `| grep open`, so that more
path-related syscalls are traced (rather than just `open*`)
* Always use `strace -f` to ensure that child processes are also traced
* Add an example using firejail + strace for `--private-etc`
* Improve formatting/grammar
* Add references between commands related to strace
Added on commit 9774ab8a3 ("private-etc rework: new man page",
2023-01-25) / issue #6400.
Misc: This was noticed on #6843.