The base-2 units are more accurate, as `--rlimit-as=1K` is equivalent to
`--rlimit-as=1024`, not `--rlimit-as=1000`, for example.
This is a follow-up to #6891.
Relates to #4315.
Changes:
* Remove unrelated `strerror` output from some error messages
* Remove periods from some error messages
* Ensure that the invalid value is in the error message
* Ensure that the full command name is in the error message (instead of
just `rlimit` in some cases)
* Standardize output
* tests: Expect the full command name (and argument in some cases)
Examples:
Before:
$ firejail --quiet --noprofile --rlimit-cpu=-1 /bin/true
Error: invalid rlimit -1
$ firejail --quiet --noprofile --rlimit-nproc=-1 /bin/true
Error: invalid rlimit -1
$ firejail --quiet --noprofile --rlimit-as=-1 /bin/true
Error: invalid rlimit-as. Only use positive numbers and K, M or G suffix.: No such file or directory
After:
$ firejail --quiet --noprofile --rlimit-cpu=-1 /bin/true
Error: invalid rlimit-cpu: -1
$ firejail --quiet --noprofile --rlimit-nproc=-1 /bin/true
Error: invalid rlimit-nproc: -1
$ firejail --quiet --noprofile --rlimit-as=-1 /bin/true
Error: invalid rlimit-as: -1; use only positive numbers and K, M or G suffix
This is a follow-up to #6891.
Relates to #4315.
Note: They are already sorted in the following files:
* contrib/syntax/lists/profile_commands_arg1.list
* src/firejail/usage.c
* src/man/firejail-profile.5.in
* src/man/firejail.1.in
* src/zsh_completion/_firejail.in
* test/environment/rlimit-bad-profile.exp
* test/environment/rlimit-bad.exp
Related commits:
* 137985136 ("Baseline firejail 0.9.28", 2015-08-08)
* caefb7929 ("RLIMIT_AS", 2017-10-13) / PR #1604
* e8685de73 ("implemented --rlimit-cpu - set max CPU time for processes
running in the sandbox; for issue #1614, more to come...", 2017-10-24)
Add the specific rlimit command name to the filename.
Commands used to rename the files:
git mv rlimit-bad1.profile rlimit-bad-fsize.profile
git mv rlimit-bad2.profile rlimit-bad-nofile.profile
git mv rlimit-bad3.profile rlimit-bad-nproc.profile
git mv rlimit-bad4.profile rlimit-bad-sigpending.profile
Added on commit d30ae468d ("testing", 2016-11-19).
For better usability and because the proper suffixes (KiB, MiB and GiB)
are uppercase.
Affected commands:
* `rlimit-as`
* `rlimit-fsize`
Before:
$ firejail --quiet --noprofile --rlimit-as=100m /bin/true
$ firejail --quiet --noprofile --rlimit-as=100M /bin/true
Error: invalid rlimit-as. Only use positive numbers and k, m or g suffix.: No such file or directory
After:
$ firejail --quiet --noprofile --rlimit-as=100m /bin/true
$ firejail --quiet --noprofile --rlimit-as=100M /bin/true
Relates to #4315.
private-bin messes with hashcat's ability to find its installed
files under /usr/share/hashcat/.
novideo makes hashcat unable to access /dev/nvidia* (on some distros?)
Signed-off-by: Hank Leininger <hlein@korelogic.com>
On each profile, ensure that the `blacklist` section is right above the
`include disable` section.
See etc/templates/profile.template.
Misc: This appears to affect about a third of the profiles that contain
`blacklist` entries:
$ git grep -El '^#?blacklist ' -- etc/profile* | wc -l
158
$ git diff --name-only f1381b342 | wc -l
49
Kind of relates to commit 04efbb276 ("profiles: replace x11 socket
blacklist with disable-X11.inc", 2024-03-22) / PR #6286.
Replace almost all debug `printf` calls with `debug_prctl` to reduce the
amount of duplication and `ifdefs`.
Note: There is one debug `printf` call that uses a different message
format, so it is left as is.
Command used to search and replace:
$ perl -0 -pi -e 's/#ifdef DEBUG_PRCTL\n(\s+)printf\("%s: %d, ([^\n]+)", __FUNCTION__, __LINE__([^\n]+)\n#endif/${1}debug_prctl("$2"$3/g; \
s/(debug_prctl\("event[^\n]+)/\t\t\t\t$1\n/g' \
src/firemon/procevent.c
Relates to #6792.
The `--check-level=exhaustive` option was briefly added, then changed to
`--max-ctu-depth=40`, presumably because the version being used in CI
(cppcheck 2.7 on ubuntu-22.04) did not support the former.
The current version in CI (cppcheck 2.13 on ubuntu-24.04) supports that
option, so restore it.
This fixes a flood of `information:` messages (which appear even with
`-q`) in the latest version of cppcheck:
$ cppcheck --version
Cppcheck 2.18.0
$ make cppcheck
cppcheck -q -j 4 --force --error-exitcode=1 --enable=warning,performance \
--max-ctu-depth=40 \
-i src/firejail/checkcfg.c \
-i src/firejail/main.c \
-i src/lib/syscall.c \
.
cppcheck: --max-ctu-depth is being capped at 10. This limitation will be removed in a future Cppcheck version.
src/etc-cleanup/main.c:0:0: information: Limiting analysis of branches. Use --check-level=exhaustive to analyze all branches. [normalCheckLevelMaxBranches]
^
src/fbuilder/build_bin.c:0:0: information: Limiting analysis of branches. Use --check-level=exhaustive to analyze all branches. [normalCheckLevelMaxBranches]
^
src/fbuilder/build_fs.c:0:0: information: Limiting analysis of branches. Use --check-level=exhaustive to analyze all branches. [normalCheckLevelMaxBranches]
^
[...]
This is a follow-up to #6874.
Related commits:
* be3c2a071 ("some problems reported by ccpcheck", 2025-08-17)
* d4881b6bc ("cppcheck cleanup", 2025-08-17)
* ebb368780 ("ci: cppcheck: upgrade ubuntu-22.04 to ubuntu-24.04",
2025-08-20) / PR #6874
