[GH-ISSUE #4274] gcc -fanalyzer warnings (GCC 11) #2602

Closed
opened 2026-05-05 09:16:23 -06:00 by gitea-mirror · 7 comments

Originally created by @rusty-snake on GitHub (May 13, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4274

full log
$ cat /etc/os-release
NAME=Fedora
VERSION="34 (Workstation Edition)"
ID=fedora
VERSION_ID=34
VERSION_CODENAME=""
PLATFORM_ID="platform:f34"
PRETTY_NAME="Fedora 34 (Workstation Edition)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:34"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/34/system-administrators-guide/"
SUPPORT_URL="https://fedoraproject.org/wiki/Communicating_and_getting_help"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=34
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=34
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
VARIANT="Workstation Edition"
VARIANT_ID=workstation
$ gcc --version
gcc (GCC) 11.1.1 20210428 (Red Hat 11.1.1-1)
Copyright (C) 2021 Free Software Foundation, Inc.
Dies ist freie Software; die Kopierbedingungen stehen in den Quellen. Es
gibt KEINE Garantie; auch nicht für MARKTGÄNGIGKEIT oder FÜR SPEZIELLE ZWECKE.

$ git clone --depth=1 https://github.com/netblue30/firejail.git
Klone nach 'firejail' ...
remote: Enumerating objects: 1896, done.
remote: Counting objects: 100% (1896/1896), done.
remote: Compressing objects: 100% (1164/1164), done.
remote: Total 1896 (delta 1195), reused 885 (delta 683), pack-reused 0
Empfange Objekte: 100% (1896/1896), 1.27 MiB | 514.00 KiB/s, fertig.
Löse Unterschiede auf: 100% (1195/1195), fertig.
$ cd firejail
$ alias en_US-locale
en_US-locale='LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8'
$ en_US-locale ./configure --enable-analyzer
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for a BSD-compatible install... /usr/bin/install -c
checking for ranlib... ranlib
checking whether C compiler accepts -mindirect-branch=thunk... yes
checking whether C compiler accepts -mretpoline... no
checking whether C compiler accepts -fstack-clash-protection... yes
checking whether C compiler accepts -fstack-protector-strong... yes
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for gawk... yes
checking for main in -lpthread... yes
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking pthread.h usability... yes
checking pthread.h presence... yes
checking for pthread.h... yes
checking linux/seccomp.h usability... yes
checking linux/seccomp.h presence... yes
checking for linux/seccomp.h... yes
configure: creating ./config.status
config.status: creating mkdeb.sh
config.status: creating Makefile
config.status: creating src/common.mk
config.status: creating src/lib/Makefile
config.status: creating src/fcopy/Makefile
config.status: creating src/fnet/Makefile
config.status: creating src/firejail/Makefile
config.status: creating src/fnetfilter/Makefile
config.status: creating src/firemon/Makefile
config.status: creating src/libtrace/Makefile
config.status: creating src/libtracelog/Makefile
config.status: creating src/firecfg/Makefile
config.status: creating src/fbuilder/Makefile
config.status: creating src/fsec-print/Makefile
config.status: creating src/ftee/Makefile
config.status: creating src/fseccomp/Makefile
config.status: creating src/fldd/Makefile
config.status: creating src/libpostexecseccomp/Makefile
config.status: creating src/fsec-optimize/Makefile
config.status: creating src/profstats/Makefile
config.status: creating src/man/Makefile
config.status: creating src/zsh_completion/Makefile
config.status: creating src/bash_completion/Makefile
config.status: creating test/Makefile
config.status: creating src/jailtest/Makefile

Configuration options:
   prefix: /usr/local
   sysconfdir: ${prefix}/etc
   apparmor: 
   SELinux labeling support: 
   global config: -DHAVE_GLOBALCFG
   chroot: -DHAVE_CHROOT
   network: -DHAVE_NETWORK
   user namespace: -DHAVE_USERNS
   X11 sandboxing support: -DHAVE_X11
   whitelisting: -DHAVE_WHITELIST
   private home support: -DHAVE_PRIVATE_HOME
   file transfer support: -DHAVE_FILE_TRANSFER
   overlayfs support: 
   DBUS proxy support: -DHAVE_DBUSPROXY
   allow tmpfs as regular user: -DHAVE_USERTMPFS
   enable --ouput logging: -DHAVE_OUTPUT
   Manpage support: -DHAVE_MAN
   firetunnel support: -DHAVE_FIRETUNNEL
   busybox workaround: no
   Spectre compiler patch: yes
   EXTRA_LDFLAGS: 
   EXTRA_CFLAGS:  -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer
   fatal warnings: 
   Gcov instrumentation: 
   Install contrib scripts: yes
   Install as a SUID executable: yes
   LTS: 
   Always enforce filters: 

$ en_US-locale make
make -C src/lib
make[1]: Entering directory '/tmp/firejail/src/lib'
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c common.c -o common.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c errno.c -o errno.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c firejail_user.c -o firejail_user.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c ldd_utils.c -o ldd_utils.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c libnetlink.c -o libnetlink.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c pid.c -o pid.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c syscall.c -o syscall.o
make[1]: Leaving directory '/tmp/firejail/src/lib'
make -C src/man
make[1]: Entering directory '/tmp/firejail/src/man'
gawk -f ./preproc.awk --  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   < firecfg.txt > firecfg.man
gawk -f ./preproc.awk --  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   < firejail.txt > firejail.man
gawk -f ./preproc.awk --  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   < firejail-login.txt > firejail-login.man
gawk -f ./preproc.awk --  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   < firejail-users.txt > firejail-users.man
gawk -f ./preproc.awk --  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   < firejail-profile.txt > firejail-profile.man
gawk -f ./preproc.awk --  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   < firemon.txt > firemon.man
gawk -f ./preproc.awk --  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   < jailtest.txt > jailtest.man
make[1]: Leaving directory '/tmp/firejail/src/man'
make -C src/zsh_completion
make[1]: Entering directory '/tmp/firejail/src/zsh_completion'
gawk -f ../man/preproc.awk --  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   < _firejail.in > _firejail.tmp
sed "s|_SYSCONFDIR_|/usr/local/etc|" < _firejail.tmp > _firejail
rm _firejail.tmp
make[1]: Leaving directory '/tmp/firejail/src/zsh_completion'
make -C src/bash_completion
make[1]: Entering directory '/tmp/firejail/src/bash_completion'
gawk -f ../man/preproc.awk --  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   < firejail.bash_completion.in > firejail.bash_completion.tmp
sed "s|_SYSCONFDIR_|/usr/local/etc|" < firejail.bash_completion.tmp > firejail.bash_completion
rm firejail.bash_completion.tmp
make[1]: Leaving directory '/tmp/firejail/src/bash_completion'
make -C src/firecfg/
make[1]: Entering directory '/tmp/firejail/src/firecfg'
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c desktop_files.c -o desktop_files.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c main.c -o main.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c sound.c -o sound.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c util.c -o util.o
gcc  -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o firecfg desktop_files.o main.o sound.o util.o ../lib/common.o ../lib/firejail_user.o  
make[1]: Leaving directory '/tmp/firejail/src/firecfg'
make -C src/firejail/
make[1]: Entering directory '/tmp/firejail/src/firejail'
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c appimage.c -o appimage.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c appimage_size.c -o appimage_size.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c arp.c -o arp.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c bandwidth.c -o bandwidth.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c caps.c -o caps.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c cgroup.c -o cgroup.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c checkcfg.c -o checkcfg.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c chroot.c -o chroot.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c cmdline.c -o cmdline.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c cpu.c -o cpu.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c dbus.c -o dbus.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c dhcp.c -o dhcp.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c env.c -o env.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c fs.c -o fs.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c fs_bin.c -o fs_bin.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c fs_dev.c -o fs_dev.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c fs_etc.c -o fs_etc.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c fs_home.c -o fs_home.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c fs_hostname.c -o fs_hostname.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c fs_lib.c -o fs_lib.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c fs_lib2.c -o fs_lib2.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c fs_logger.c -o fs_logger.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c fs_mkdir.c -o fs_mkdir.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c fs_trace.c -o fs_trace.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c fs_var.c -o fs_var.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c fs_whitelist.c -o fs_whitelist.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c join.c -o join.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c ls.c -o ls.o
ls.c: In function ‘expand_path’:
ls.c:273:16: warning: leak of ‘strdup(path)’ [CWE-401] [-Wanalyzer-malloc-leak]
  273 |         return fname;
      |                ^~~~~
  ‘sandboxfs’: event 1
    |
    |  276 | void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
    |      |      ^~~~~~~~~
    |      |      |
    |      |      (1) entry to ‘sandboxfs’
    |
  ‘sandboxfs’: event 2
    |
    |  278 |         assert(path1);
    |      |         ^~~~~~
    |      |         |
    |      |         (2) following ‘true’ branch (when ‘path1’ is non-NULL)...
    |
  ‘sandboxfs’: events 3-4
    |
    |  281 |         pid = switch_to_child(pid);
    |      |         ^~~
    |      |         |
    |      |         (3) ...to here
    |......
    |  287 |         char *fname1 = expand_path(path1);
    |      |                        ~~~~~~~~~~~~~~~~~~
    |      |                        |
    |      |                        (4) calling ‘expand_path’ from ‘sandboxfs’
    |
    +--> ‘expand_path’: events 5-8
           |
           |  253 | char *expand_path(const char *path) {
           |      |       ^~~~~~~~~~~
           |      |       |
           |      |       (5) entry to ‘expand_path’
           |......
           |  256 |                 fname = strdup(path);
           |      |                         ~~~~~~~~~~~~
           |      |                         |
           |      |                         (6) allocated here
           |  257 |                 if (!fname)
           |      |                    ~
           |      |                    |
           |      |                    (7) assuming ‘fname’ is non-NULL
           |      |                    (8) following ‘false’ branch...
           |
         ‘expand_path’: event 9
           |
           |../include/common.h:39:28:
           |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
           |      |                            ^
           |      |                            |
           |      |                            (9) ...to here
ls.c:271:25: note: in expansion of macro ‘errExit’
           |  271 |                         errExit("asprintf");
           |      |                         ^~~~~~~
           |
    <------+
    |
  ‘sandboxfs’: events 10-13
    |
    |  287 |         char *fname1 = expand_path(path1);
    |      |                        ^~~~~~~~~~~~~~~~~~
    |      |                        |
    |      |                        (10) returning to ‘sandboxfs’ from ‘expand_path’
    |  288 |         char *fname2 = NULL;
    |  289 |         if (path2 != NULL) {
    |      |            ~            
    |      |            |
    |      |            (11) following ‘true’ branch (when ‘path2’ is non-NULL)...
    |  290 |                 fname2 = expand_path(path2);
    |      |                 ~~~~~~   ~~~~~~~~~~~~~~~~~~
    |      |                 |        |
    |      |                 |        (13) calling ‘expand_path’ from ‘sandboxfs’
    |      |                 (12) ...to here
    |
    +--> ‘expand_path’: events 14-15
           |
           |  253 | char *expand_path(const char *path) {
           |      |       ^~~~~~~~~~~
           |      |       |
           |      |       (14) entry to ‘expand_path’
           |......
           |  257 |                 if (!fname)
           |      |                    ~
           |      |                    |
           |      |                    (15) following ‘false’ branch...
           |
         ‘expand_path’: event 16
           |
           |../include/common.h:39:28:
           |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
           |      |                            ^
           |      |                            |
           |      |                            (16) ...to here
ls.c:271:25: note: in expansion of macro ‘errExit’
           |  271 |                         errExit("asprintf");
           |      |                         ^~~~~~~
           |
         ‘expand_path’: event 17
           |
           |  273 |         return fname;
           |      |                ^~~~~
           |      |                |
           |      |                (17) ‘strdup(path)’ leaks here; was allocated at (6)
           |
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c macros.c -o macros.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c main.c -o main.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c mountinfo.c -o mountinfo.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c netfilter.c -o netfilter.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c netns.c -o netns.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c network.c -o network.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c network_main.c -o network_main.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c no_sandbox.c -o no_sandbox.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c output.c -o output.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c paths.c -o paths.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c preproc.c -o preproc.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c profile.c -o profile.o
In function ‘profile_check_conditional’:
profile.c:239:28: warning: leak of ‘ptr’ [CWE-401] [-Wanalyzer-malloc-leak]
  239 |                         if (profile_check_line(ptr, lineno, fname))
      |                            ^
  ‘profile_check_conditional’: events 1-2
    |
    |  188 | int profile_check_conditional(char *ptr, int lineno, const char *fname) {
    |      |     ^~~~~~~~~~~~~~~~~~~~~~~~~
    |      |     |
    |      |     (1) entry to ‘profile_check_conditional’
    |......
    |  191 |         if (*ptr++ != '?')
    |      |            ~
    |      |            |
    |      |            (2) following ‘false’ branch...
    |
  ‘profile_check_conditional’: event 3
    |
    |cc1:
    | (3): ...to here
    |
  ‘profile_check_conditional’: events 4-14
    |
    |  195 |         while (cond->name) {
    |      |                ^~~~
    |      |                |
    |      |                (4) following ‘true’ branch...
    |  196 |                 // continue if not this conditional
    |  197 |                 if (strncmp(ptr, cond->name, strlen(cond->name)) != 0) {
    |      |                 ~~
    |      |                 |
    |      |                 (5) ...to here
    |......
    |  205 |                 if (*ptr++ != ':') {
    |      |                    ~
    |      |                    |
    |      |                    (6) following ‘false’ branch...
    |......
    |  210 |                 if (*ptr == '\0') {
    |      |                 ~~ ~
    |      |                 |  |
    |      |                 |  (8) following ‘false’ branch...
    |      |                 (7) ...to here
    |......
    |  215 |                 if (*ptr == ' ')
    |      |                 ~~
    |      |                 |
    |      |                 (9) ...to here
    |......
    |  220 |                 if (value) {
    |      |                    ~
    |      |                    |
    |      |                    (10) following ‘true’ branch (when ‘value != 0’)...
    |  221 |                         // move ptr to start of profile line
    |  222 |                         ptr = strdup(ptr);
    |      |                         ~~~   ~~~~~~~~~~~
    |      |                         |     |
    |      |                         |     (12) allocated here
    |      |                         (11) ...to here
    |  223 |                         if (!ptr)
    |      |                            ~
    |      |                            |
    |      |                            (13) assuming ‘ptr’ is non-NULL
    |      |                            (14) following ‘false’ branch (when ‘ptr’ is non-NULL)...
    |
  ‘profile_check_conditional’: event 15
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (15) ...to here
profile.c:224:33: note: in expansion of macro ‘errExit’
    |  224 |                                 errExit("strdup");
    |      |                                 ^~~~~~~
    |
  ‘profile_check_conditional’: events 16-22
    |
    |  228 |                         if ((strncmp(ptr, "quiet", 5) == 0) ||
    |      |                            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                            |                                |
    |      |                            |                                (18) following ‘false’ branch...
    |      |                            (16) following ‘false’ branch...
    |  229 |                             (strncmp(ptr, "include", 7) == 0)) {
    |      |                             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                              |
    |      |                              (17) ...to here
    |......
    |  234 |                         free(tmp);
    |      |                         ~~~~
    |      |                         |
    |      |                         (19) ...to here
    |......
    |  237 |                         if (arg_debug)
    |      |                            ~
    |      |                            |
    |      |                            (20) following ‘false’ branch...
    |  238 |                                 printf("conditional %s, %s\n", cond->name, ptr);
    |      |                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                                 |
    |      |                                 (21) ...to here
    |  239 |                         if (profile_check_line(ptr, lineno, fname))
    |      |                             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                             |
    |      |                             (22) calling ‘profile_check_line’ from ‘profile_check_conditional’
    |
    +--> ‘profile_check_line’: events 23-24
           |
           |  270 | int profile_check_line(char *ptr, int lineno, const char *fname) {
           |      |     ^~~~~~~~~~~~~~~~~~
           |      |     |
           |      |     (23) entry to ‘profile_check_line’
           |......
           |  274 |         if (profile_check_conditional(ptr, lineno, fname) == 0)
           |      |             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           |      |             |
           |      |             (24) calling ‘profile_check_conditional’ from ‘profile_check_line’
           |
           +--> ‘profile_check_conditional’: events 25-26
                  |
                  |  188 | int profile_check_conditional(char *ptr, int lineno, const char *fname) {
                  |      |     ^~~~~~~~~~~~~~~~~~~~~~~~~
                  |      |     |
                  |      |     (25) entry to ‘profile_check_conditional’
                  |......
                  |  191 |         if (*ptr++ != '?')
                  |      |            ~
                  |      |            |
                  |      |            (26) following ‘false’ branch...
                  |
                ‘profile_check_conditional’: event 27
                  |
                  |cc1:
                  | (27): ...to here
                  |
                ‘profile_check_conditional’: events 28-34
                  |
                  |  195 |         while (cond->name) {
                  |      |                ^~~~
                  |      |                |
                  |      |                (28) following ‘true’ branch...
                  |  196 |                 // continue if not this conditional
                  |  197 |                 if (strncmp(ptr, cond->name, strlen(cond->name)) != 0) {
                  |      |                 ~~
                  |      |                 |
                  |      |                 (29) ...to here
                  |......
                  |  205 |                 if (*ptr++ != ':') {
                  |      |                    ~
                  |      |                    |
                  |      |                    (30) following ‘false’ branch...
                  |......
                  |  210 |                 if (*ptr == '\0') {
                  |      |                 ~~ ~
                  |      |                 |  |
                  |      |                 |  (32) following ‘false’ branch...
                  |      |                 (31) ...to here
                  |......
                  |  215 |                 if (*ptr == ' ')
                  |      |                 ~~
                  |      |                 |
                  |      |                 (33) ...to here
                  |......
                  |  220 |                 if (value) {
                  |      |                    ~
                  |      |                    |
                  |      |                    (34) following ‘false’ branch (when ‘value == 0’)...
                  |
                ‘profile_check_conditional’: event 35
                  |
                  |cc1:
                  | (35): ...to here
                  |
           <------+
           |
         ‘profile_check_line’: events 36-37
           |
           |  274 |         if (profile_check_conditional(ptr, lineno, fname) == 0)
           |      |            ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           |      |            ||
           |      |            |(36) returning to ‘profile_check_line’ from ‘profile_check_conditional’
           |      |            (37) following ‘true’ branch...
           |
         ‘profile_check_line’: event 38
           |
           |cc1:
           | (38): ...to here
           |
    <------+
    |
  ‘profile_check_conditional’: events 39-40
    |
    |  239 |                         if (profile_check_line(ptr, lineno, fname))
    |      |                            ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                            ||
    |      |                            |(39) returning to ‘profile_check_conditional’ from ‘profile_check_line’
    |      |                            (40) following ‘false’ branch...
    |
  ‘profile_check_conditional’: event 41
    |
    |cc1:
    | (41): ...to here
    |
  ‘profile_check_conditional’: event 42
    |
    |  239 |                         if (profile_check_line(ptr, lineno, fname))
    |      |                            ^
    |      |                            |
    |      |                            (42) ‘ptr’ leaks here; was allocated at (12)
    |
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c protocol.c -o protocol.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c pulseaudio.c -o pulseaudio.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c restrict_users.c -o restrict_users.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c restricted_shell.c -o restricted_shell.o
In function ‘restricted_shell’:
restricted_shell.c:123:42: warning: leak of ‘strdup(ptr)’ [CWE-401] [-Wanalyzer-malloc-leak]
  123 |                                 return i + 1;
      |                                        ~~^~~
  ‘restricted_shell’: event 1
    |
    |   29 |         assert(user);
    |      |         ^~~~~~
    |      |         |
    |      |         (1) following ‘true’ branch (when ‘user’ is non-NULL)...
    |
  ‘restricted_shell’: events 2-3
    |
    |   32 |         char *fname;
    |      |         ^~~~
    |      |         |
    |      |         (2) ...to here
    |   33 |         if (asprintf(&fname, "%s/login.users", SYSCONFDIR) == -1)
    |      |            ~
    |      |            |
    |      |            (3) following ‘false’ branch...
    |
  ‘restricted_shell’: event 4
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (4) ...to here
restricted_shell.c:34:17: note: in expansion of macro ‘errExit’
    |   34 |                 errExit("asprintf");
    |      |                 ^~~~~~~
    |
  ‘restricted_shell’: event 5
    |
    |   37 |         if (fp == NULL)
    |      |            ^
    |      |            |
    |      |            (5) following ‘false’ branch (when ‘fp’ is non-NULL)...
    |
  ‘restricted_shell’: event 6
    |
    |cc1:
    | (6): ...to here
    |
  ‘restricted_shell’: events 7-10
    |
    |   42 |         while (fgets(buf, MAX_READ, fp)) {
    |      |                ^~~~~
    |      |                |
    |      |                (7) following ‘true’ branch...
    |   43 |                 lineno++;
    |      |                 ~~~~~~
    |      |                 |
    |      |                 (8) ...to here
    |......
    |   60 |                 if (args == NULL) {
    |      |                    ~
    |      |                    |
    |      |                    (9) following ‘false’ branch (when ‘args’ is non-NULL)...
    |......
    |   65 |                 *args = '\0';
    |      |                 ~
    |      |                 |
    |      |                 (10) ...to here
    |
  ‘restricted_shell’: event 11
    |
    |   92 |                         for (i = 1; i < MAX_ARGS; i++) {
    |
  ‘restricted_shell’: event 12
    |
    |cc1:
    | (12): ...to here
    |
  ‘restricted_shell’: event 13
    |
    |  107 |                                 if (*ptr != '\0') {
    |      |                                    ^
    |      |                                    |
    |      |                                    (13) following ‘true’ branch...
    |
  ‘restricted_shell’: event 14
    |
    |cc1:
    | (14): ...to here
    |
  ‘restricted_shell’: events 15-17
    |
    |  112 |                                         fullargv[i] = strdup(fullargv[i]);
    |      |                                                       ^~~~~~~~~~~~~~~~~~~
    |      |                                                       |
    |      |                                                       (15) allocated here
    |  113 |                                         if (fullargv[i] == NULL)
    |      |                                            ~           
    |      |                                            |
    |      |                                            (16) assuming ‘strdup(ptr)’ is non-NULL
    |      |                                            (17) following ‘false’ branch...
    |
  ‘restricted_shell’: event 18
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (18) ...to here
restricted_shell.c:114:49: note: in expansion of macro ‘errExit’
    |  114 |                                                 errExit("strdup");
    |      |                                                 ^~~~~~~
    |
  ‘restricted_shell’: event 19
    |
    |  123 |                                 return i + 1;
    |      |                                        ~~^~~
    |      |                                          |
    |      |                                          (19) ‘strdup(ptr)’ leaks here; was allocated at (15)
    |
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c rlimit.c -o rlimit.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c run_files.c -o run_files.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c run_symlink.c -o run_symlink.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c sandbox.c -o sandbox.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c sbox.c -o sbox.o
sbox.c: In function ‘sbox_run’:
sbox.c:254:24: warning: dereference of possibly-NULL ‘arg’ [CWE-690] [-Wanalyzer-possible-null-dereference]
  254 |                 arg[i] = va_arg(valist, char *);
      |                        ^
  ‘sbox_run’: events 1-3
    |
    |  251 |         char **arg = malloc((num + 1) * sizeof(char *));
    |      |                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                      |
    |      |                      (1) this call could return NULL
    |  252 |         int i;
    |  253 |         for (i = 0; i < num; i++)
    |      |                     ~~~~~~~
    |      |                       |
    |      |                       (2) following ‘true’ branch (when ‘i < num’)...
    |  254 |                 arg[i] = va_arg(valist, char *);
    |      |                 ~~~   
    |      |                 |
    |      |                 (3) ...to here
    |
  ‘sbox_run’: event 4
    |
    |  254 |                 arg[i] = va_arg(valist, char *);
    |      |                        ^
    |      |                        |
    |      |                        (4) ‘arg + (long unsigned int)i * 8’ could be NULL: unchecked value from (1)
    |
sbox.c:255:16: warning: dereference of possibly-NULL ‘arg’ [CWE-690] [-Wanalyzer-possible-null-dereference]
  255 |         arg[i] = NULL;
      |                ^
  ‘sbox_run’: events 1-3
    |
    |  251 |         char **arg = malloc((num + 1) * sizeof(char *));
    |      |                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                      |
    |      |                      (1) this call could return NULL
    |  252 |         int i;
    |  253 |         for (i = 0; i < num; i++)
    |      |                     ~~~~~~~
    |      |                       |
    |      |                       (2) following ‘false’ branch (when ‘i >= num’)...
    |  254 |                 arg[i] = va_arg(valist, char *);
    |  255 |         arg[i] = NULL;
    |      |         ~~~           
    |      |         |
    |      |         (3) ...to here
    |
  ‘sbox_run’: event 4
    |
    |  255 |         arg[i] = NULL;
    |      |                ^
    |      |                |
    |      |                (4) ‘arg + (long unsigned int)i * 8’ could be NULL: unchecked value from (1)
    |
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c seccomp.c -o seccomp.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c selinux.c -o selinux.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c shutdown.c -o shutdown.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c usage.c -o usage.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c util.c -o util.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c x11.c -o x11.o
gcc  -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o firejail appimage.o appimage_size.o arp.o bandwidth.o caps.o cgroup.o checkcfg.o chroot.o cmdline.o cpu.o dbus.o dhcp.o env.o fs.o fs_bin.o fs_dev.o fs_etc.o fs_home.o fs_hostname.o fs_lib.o fs_lib2.o fs_logger.o fs_mkdir.o fs_trace.o fs_var.o fs_whitelist.o join.o ls.o macros.o main.o mountinfo.o netfilter.o netns.o network.o network_main.o no_sandbox.o output.o paths.o preproc.o profile.o protocol.o pulseaudio.o restrict_users.o restricted_shell.o rlimit.o run_files.o run_symlink.o sandbox.o sbox.o seccomp.o selinux.o shutdown.o usage.o util.o x11.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o ../lib/errno.o ../lib/syscall.o  
make[1]: Leaving directory '/tmp/firejail/src/firejail'
make -C src/firemon/
make[1]: Entering directory '/tmp/firejail/src/firemon'
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c apparmor.c -o apparmor.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c arp.c -o arp.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c caps.c -o caps.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c cgroup.c -o cgroup.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c cpu.c -o cpu.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c firemon.c -o firemon.o
firemon.c: In function ‘my_handler’:
firemon.c:55:9: warning: call to ‘exit’ from within signal handler [CWE-479] [-Wanalyzer-unsafe-call-within-signal-handler]
   55 |         exit(0);
      |         ^~~~~~~
  ‘main’: events 1-2
    |
    |  134 | int main(int argc, char **argv) {
    |      |     ^~~~
    |      |     |
    |      |     (1) entry to ‘main’
    |......
    |  139 |         signal (SIGINT, my_handler);
    |      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |         |
    |      |         (2) registering ‘my_handler’ as signal handler
    |
  event 3
    |
    |cc1:
    | (3): later on, when the signal is delivered to the process
    |
    +--> ‘my_handler’: events 4-5
           |
           |   49 | static void my_handler(int s){
           |      |             ^~~~~~~~~~
           |      |             |
           |      |             (4) entry to ‘my_handler’
           |......
           |   55 |         exit(0);
           |      |         ~~~~~~~
           |      |         |
           |      |         (5) call to ‘exit’ from within signal handler
           |
firemon.c:55:9: note: ‘_exit’ is a possible signal-safe alternative for ‘exit’
   55 |         exit(0);
      |         ^~~~~~~
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c interface.c -o interface.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c list.c -o list.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c netstats.c -o netstats.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c procevent.c -o procevent.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c route.c -o route.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c seccomp.c -o seccomp.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c top.c -o top.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c tree.c -o tree.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c usage.c -o usage.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c x11.c -o x11.o
gcc  -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o firemon apparmor.o arp.o caps.o cgroup.o cpu.o firemon.o interface.o list.o netstats.o procevent.o route.o seccomp.o top.o tree.o usage.o x11.o ../lib/common.o ../lib/pid.o  
make[1]: Leaving directory '/tmp/firejail/src/firemon'
make -C src/profstats/
make[1]: Entering directory '/tmp/firejail/src/profstats'
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c main.c -o main.o
gcc  -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o profstats main.o  
make[1]: Leaving directory '/tmp/firejail/src/profstats'
make -C src/jailtest/
make[1]: Entering directory '/tmp/firejail/src/jailtest'
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c access.c -o access.o
In file included from jailtest.h:23,
                 from access.c:20:
In function ‘access_setup’:
../include/common.h:39:28: warning: leak of ‘dname’ [CWE-401] [-Wanalyzer-malloc-leak]
   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
      |                            ^
access.c:93:17: note: in expansion of macro ‘errExit’
   93 |                 errExit("strdup");
      |                 ^~~~~~~
  ‘access_setup’: event 1
    |
    |   35 |         assert(directory);
    |      |         ^~~~~~
    |      |         |
    |      |         (1) following ‘true’ branch (when ‘directory’ is non-NULL)...
    |
  ‘access_setup’: event 2
    |
    |   36 |         assert(user_home_dir);
    |      |         ^~~~~~
    |      |         |
    |      |         (2) ...to here
    |
  ‘access_setup’: event 3
    |
    |   36 |         assert(user_home_dir);
    |      |         ^~~~~~
    |      |         |
    |      |         (3) following ‘true’ branch...
    |
  ‘access_setup’: events 4-7
    |
    |   38 |         if (files_cnt >= MAX_TEST_FILES) {
    |      |         ^~ ~
    |      |         |  |
    |      |         |  (5) following ‘false’ branch...
    |      |         (4) ...to here
    |......
    |   43 |         char *fname = strdup(directory);
    |      |         ~~~~
    |      |         |
    |      |         (6) ...to here
    |   44 |         if (!fname)
    |      |            ~
    |      |            |
    |      |            (7) following ‘false’ branch...
    |
  ‘access_setup’: event 8
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (8) ...to here
access.c:45:17: note: in expansion of macro ‘errExit’
    |   45 |                 errExit("strdup");
    |      |                 ^~~~~~~
    |
  ‘access_setup’: event 9
    |
    |   46 |         if (strncmp(fname, "~/", 2) == 0) {
    |      |            ^
    |      |            |
    |      |            (9) following ‘false’ branch...
    |
  ‘access_setup’: event 10
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (10) ...to here
access.c:49:25: note: in expansion of macro ‘errExit’
    |   49 |                         errExit("asprintf");
    |      |                         ^~~~~~~
    |
  ‘access_setup’: events 11-17
    |
    |   54 |         if (path == NULL) {
    |      |            ^
    |      |            |
    |      |            (11) following ‘false’ branch...
    |......
    |   60 |         if (strncmp(path, user_home_dir, strlen(user_home_dir)) != 0) {
    |      |         ~~ ~
    |      |         |  |
    |      |         |  (13) following ‘false’ branch...
    |      |         (12) ...to here
    |......
    |   67 |         DIR *dir = opendir(path);
    |      |         ~~~ 
    |      |         |
    |      |         (14) ...to here
    |   68 |         if (!dir) {
    |      |            ~
    |      |            |
    |      |            (15) following ‘false’ branch (when ‘dir’ is non-NULL)...
    |......
    |   73 |         closedir(dir);
    |      |         ~~~~~~~~
    |      |         |
    |      |         (16) ...to here
    |......
    |   77 |         if (asprintf(&test_file, "%s/jailtest-access-%d", path, getpid()) == -1)
    |      |            ~
    |      |            |
    |      |            (17) following ‘false’ branch...
    |
  ‘access_setup’: event 18
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (18) ...to here
access.c:78:17: note: in expansion of macro ‘errExit’
    |   78 |                 errExit("asprintf");
    |      |                 ^~~~~~~
    |
  ‘access_setup’: events 19-21
    |
    |   81 |         if (!fp) {
    |      |            ^
    |      |            |
    |      |            (19) following ‘false’ branch (when ‘fp’ is non-NULL)...
    |......
    |   85 |         fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");
    |      |         ~~~~~~~
    |      |         |
    |      |         (20) ...to here
    |......
    |   88 |         if (rv)
    |      |            ~
    |      |            |
    |      |            (21) following ‘false’ branch (when ‘rv == 0’)...
    |
  ‘access_setup’: event 22
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (22) ...to here
access.c:89:17: note: in expansion of macro ‘errExit’
    |   89 |                 errExit("chown");
    |      |                 ^~~~~~~
    |
  ‘access_setup’: events 23-25
    |
    |   91 |         char *dname = strdup(directory);
    |      |                       ^~~~~~~~~~~~~~~~~
    |      |                       |
    |      |                       (23) allocated here
    |   92 |         if (!dname)
    |      |            ~           
    |      |            |
    |      |            (24) assuming ‘dname’ is non-NULL
    |      |            (25) following ‘false’ branch (when ‘dname’ is non-NULL)...
    |
  ‘access_setup’: event 26
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (26) ...to here
access.c:93:17: note: in expansion of macro ‘errExit’
    |   93 |                 errExit("strdup");
    |      |                 ^~~~~~~
    |
  ‘access_setup’: event 27
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (27) ‘dname’ leaks here; was allocated at (23)
access.c:93:17: note: in expansion of macro ‘errExit’
    |   93 |                 errExit("strdup");
    |      |                 ^~~~~~~
    |
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c apparmor.c -o apparmor.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c main.c -o main.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c noexec.c -o noexec.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c seccomp.c -o seccomp.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c sysfiles.c -o sysfiles.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c utils.c -o utils.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c virtual.c -o virtual.o
gcc  -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o jailtest access.o apparmor.o main.o noexec.o seccomp.o sysfiles.o utils.o virtual.o  ../lib/common.o ../lib/pid.o  
make[1]: Leaving directory '/tmp/firejail/src/jailtest'
make -C src/fbuilder/
make[1]: Entering directory '/tmp/firejail/src/fbuilder'
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c build_bin.c -o build_bin.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c build_fs.c -o build_fs.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c build_home.c -o build_home.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c build_profile.c -o build_profile.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c build_seccomp.c -o build_seccomp.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c filedb.c -o filedb.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c main.c -o main.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c utils.c -o utils.o
gcc  -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o fbuilder build_bin.o build_fs.o build_home.o build_profile.o build_seccomp.o filedb.o main.o utils.o  
make[1]: Leaving directory '/tmp/firejail/src/fbuilder'
make -C src/ftee/
make[1]: Entering directory '/tmp/firejail/src/ftee'
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c main.c -o main.o
gcc  -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o ftee main.o  
make[1]: Leaving directory '/tmp/firejail/src/ftee'
make -C src/fcopy/
make[1]: Entering directory '/tmp/firejail/src/fcopy'
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c main.c -o main.o
gcc  -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o fcopy main.o ../lib/common.o  
make[1]: Leaving directory '/tmp/firejail/src/fcopy'
make -C src/fldd/
make[1]: Entering directory '/tmp/firejail/src/fldd'
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c main.c -o main.o
gcc  -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o fldd main.o ../lib/common.o ../lib/ldd_utils.o  
make[1]: Leaving directory '/tmp/firejail/src/fldd'
make -C src/fnet/
make[1]: Entering directory '/tmp/firejail/src/fnet'
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c arp.c -o arp.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c interface.c -o interface.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c main.c -o main.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c veth.c -o veth.o
gcc  -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o fnet arp.o interface.o main.o veth.o ../lib/common.o ../lib/libnetlink.o  
make[1]: Leaving directory '/tmp/firejail/src/fnet'
make -C src/fnetfilter/
make[1]: Entering directory '/tmp/firejail/src/fnetfilter'
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c main.c -o main.o
gcc  -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o fnetfilter main.o ../lib/common.o  
make[1]: Leaving directory '/tmp/firejail/src/fnetfilter'
make -C src/fsec-optimize/
make[1]: Entering directory '/tmp/firejail/src/fsec-optimize'
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c main.c -o main.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c optimizer.c -o optimizer.o
gcc  -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o fsec-optimize main.o optimizer.o ../lib/common.o ../lib/errno.o  
make[1]: Leaving directory '/tmp/firejail/src/fsec-optimize'
make -C src/fsec-print/
make[1]: Entering directory '/tmp/firejail/src/fsec-print'
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c main.c -o main.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c print.c -o print.o
gcc  -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o fsec-print main.o print.o ../lib/common.o ../lib/errno.o ../lib/syscall.o  
make[1]: Leaving directory '/tmp/firejail/src/fsec-print'
make -C src/fseccomp/
make[1]: Entering directory '/tmp/firejail/src/fseccomp'
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c main.c -o main.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c protocol.c -o protocol.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c seccomp.c -o seccomp.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c seccomp_file.c -o seccomp_file.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c seccomp_secondary.c -o seccomp_secondary.o
gcc  -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o fseccomp main.o protocol.o seccomp.o seccomp_file.o seccomp_secondary.o ../lib/common.o ../lib/errno.o ../lib/syscall.o  
make[1]: Leaving directory '/tmp/firejail/src/fseccomp'
make -C src/libpostexecseccomp/
make[1]: Entering directory '/tmp/firejail/src/libpostexecseccomp'
gcc -ggdb  -O2 -DVERSION='"0.9.65"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security  -c libpostexecseccomp.c -o libpostexecseccomp.o
gcc -pie -fPIE -Wl,-z,relro -Wl,-z,now -shared -fPIC -z relro -o libpostexecseccomp.so libpostexecseccomp.o -ldl
make[1]: Leaving directory '/tmp/firejail/src/libpostexecseccomp'
make -C src/libtrace/
make[1]: Entering directory '/tmp/firejail/src/libtrace'
gcc -ggdb  -O2 -DVERSION='"0.9.65"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security  -c libtrace.c -o libtrace.o
gcc -pie -fPIE -Wl,-z,relro -Wl,-z,now -shared -fPIC -z relro -o libtrace.so libtrace.o -ldl
make[1]: Leaving directory '/tmp/firejail/src/libtrace'
make -C src/libtracelog/
make[1]: Entering directory '/tmp/firejail/src/libtracelog'
gcc -ggdb  -O2 -DVERSION='"0.9.65"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security  -c libtracelog.c -o libtracelog.o
gcc -pie -fPIE -Wl,-z,relro -Wl,-z,now -shared -fPIC -z relro -o libtracelog.so libtracelog.o -ldl
make[1]: Leaving directory '/tmp/firejail/src/libtracelog'
./mkman.sh 0.9.65 src/man/firejail.man firejail.1
./mkman.sh 0.9.65 src/man/firemon.man firemon.1
./mkman.sh 0.9.65 src/man/firecfg.man firecfg.1
./mkman.sh 0.9.65 src/man/firejail-profile.man firejail-profile.5
./mkman.sh 0.9.65 src/man/firejail-login.man firejail-login.5
./mkman.sh 0.9.65 src/man/firejail-users.man firejail-users.5
./mkman.sh 0.9.65 src/man/jailtest.man jailtest.5
src/fseccomp/fseccomp default seccomp
src/fsec-optimize/fsec-optimize seccomp
src/fseccomp/fseccomp default seccomp.debug allow-debuggers
src/fsec-optimize/fsec-optimize seccomp.debug
src/fseccomp/fseccomp secondary 32 seccomp.32
src/fsec-optimize/fsec-optimize seccomp.32
src/fseccomp/fseccomp secondary block seccomp.block_secondary
src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx
src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32
ls.c:273:16: warning: leak of ‘strdup(path)’ [CWE-401] [-Wanalyzer-malloc-leak]
ls.c: In function ‘expand_path’:
ls.c:273:16: warning: leak of ‘strdup(path)’ [CWE-401] [-Wanalyzer-malloc-leak]
  273 |         return fname;
      |                ^~~~~
  ‘sandboxfs’: event 1
    |
    |  276 | void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
    |      |      ^~~~~~~~~
    |      |      |
    |      |      (1) entry to ‘sandboxfs’
    |
  ‘sandboxfs’: event 2
    |
    |  278 |         assert(path1);
    |      |         ^~~~~~
    |      |         |
    |      |         (2) following ‘true’ branch (when ‘path1’ is non-NULL)...
    |
  ‘sandboxfs’: events 3-4
    |
    |  281 |         pid = switch_to_child(pid);
    |      |         ^~~
    |      |         |
    |      |         (3) ...to here
    |......
    |  287 |         char *fname1 = expand_path(path1);
    |      |                        ~~~~~~~~~~~~~~~~~~
    |      |                        |
    |      |                        (4) calling ‘expand_path’ from ‘sandboxfs’
    |
    +--> ‘expand_path’: events 5-8
           |
           |  253 | char *expand_path(const char *path) {
           |      |       ^~~~~~~~~~~
           |      |       |
           |      |       (5) entry to ‘expand_path’
           |......
           |  256 |                 fname = strdup(path);
           |      |                         ~~~~~~~~~~~~
           |      |                         |
           |      |                         (6) allocated here
           |  257 |                 if (!fname)
           |      |                    ~
           |      |                    |
           |      |                    (7) assuming ‘fname’ is non-NULL
           |      |                    (8) following ‘false’ branch...
           |
         ‘expand_path’: event 9
           |
           |../include/common.h:39:28:
           |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
           |      |                            ^
           |      |                            |
           |      |                            (9) ...to here
ls.c:271:25: note: in expansion of macro ‘errExit’
           |  271 |                         errExit("asprintf");
           |      |                         ^~~~~~~
           |
    <------+
    |
  ‘sandboxfs’: events 10-13
    |
    |  287 |         char *fname1 = expand_path(path1);
    |      |                        ^~~~~~~~~~~~~~~~~~
    |      |                        |
    |      |                        (10) returning to ‘sandboxfs’ from ‘expand_path’
    |  288 |         char *fname2 = NULL;
    |  289 |         if (path2 != NULL) {
    |      |            ~            
    |      |            |
    |      |            (11) following ‘true’ branch (when ‘path2’ is non-NULL)...
    |  290 |                 fname2 = expand_path(path2);
    |      |                 ~~~~~~   ~~~~~~~~~~~~~~~~~~
    |      |                 |        |
    |      |                 |        (13) calling ‘expand_path’ from ‘sandboxfs’
    |      |                 (12) ...to here
    |
    +--> ‘expand_path’: events 14-15
           |
           |  253 | char *expand_path(const char *path) {
           |      |       ^~~~~~~~~~~
           |      |       |
           |      |       (14) entry to ‘expand_path’
           |......
           |  257 |                 if (!fname)
           |      |                    ~
           |      |                    |
           |      |                    (15) following ‘false’ branch...
           |
         ‘expand_path’: event 16
           |
           |../include/common.h:39:28:
           |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
           |      |                            ^
           |      |                            |
           |      |                            (16) ...to here
ls.c:271:25: note: in expansion of macro ‘errExit’
           |  271 |                         errExit("asprintf");
           |      |                         ^~~~~~~
           |
         ‘expand_path’: event 17
           |
           |  273 |         return fname;
           |      |                ^~~~~
           |      |                |
           |      |                (17) ‘strdup(path)’ leaks here; was allocated at (6)
           |
profile.c:239:28: warning: leak of ‘ptr’ [CWE-401] [-Wanalyzer-malloc-leak]
In function ‘profile_check_conditional’:
profile.c:239:28: warning: leak of ‘ptr’ [CWE-401] [-Wanalyzer-malloc-leak]
  239 |                         if (profile_check_line(ptr, lineno, fname))
      |                            ^
  ‘profile_check_conditional’: events 1-2
    |
    |  188 | int profile_check_conditional(char *ptr, int lineno, const char *fname) {
    |      |     ^~~~~~~~~~~~~~~~~~~~~~~~~
    |      |     |
    |      |     (1) entry to ‘profile_check_conditional’
    |......
    |  191 |         if (*ptr++ != '?')
    |      |            ~
    |      |            |
    |      |            (2) following ‘false’ branch...
    |
  ‘profile_check_conditional’: event 3
    |
    |cc1:
    | (3): ...to here
    |
  ‘profile_check_conditional’: events 4-14
    |
    |  195 |         while (cond->name) {
    |      |                ^~~~
    |      |                |
    |      |                (4) following ‘true’ branch...
    |  196 |                 // continue if not this conditional
    |  197 |                 if (strncmp(ptr, cond->name, strlen(cond->name)) != 0) {
    |      |                 ~~
    |      |                 |
    |      |                 (5) ...to here
    |......
    |  205 |                 if (*ptr++ != ':') {
    |      |                    ~
    |      |                    |
    |      |                    (6) following ‘false’ branch...
    |......
    |  210 |                 if (*ptr == '\0') {
    |      |                 ~~ ~
    |      |                 |  |
    |      |                 |  (8) following ‘false’ branch...
    |      |                 (7) ...to here
    |......
    |  215 |                 if (*ptr == ' ')
    |      |                 ~~
    |      |                 |
    |      |                 (9) ...to here
    |......
    |  220 |                 if (value) {
    |      |                    ~
    |      |                    |
    |      |                    (10) following ‘true’ branch (when ‘value != 0’)...
    |  221 |                         // move ptr to start of profile line
    |  222 |                         ptr = strdup(ptr);
    |      |                         ~~~   ~~~~~~~~~~~
    |      |                         |     |
    |      |                         |     (12) allocated here
    |      |                         (11) ...to here
    |  223 |                         if (!ptr)
    |      |                            ~
    |      |                            |
    |      |                            (13) assuming ‘ptr’ is non-NULL
    |      |                            (14) following ‘false’ branch (when ‘ptr’ is non-NULL)...
    |
  ‘profile_check_conditional’: event 15
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (15) ...to here
profile.c:224:33: note: in expansion of macro ‘errExit’
    |  224 |                                 errExit("strdup");
    |      |                                 ^~~~~~~
    |
  ‘profile_check_conditional’: events 16-22
    |
    |  228 |                         if ((strncmp(ptr, "quiet", 5) == 0) ||
    |      |                            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                            |                                |
    |      |                            |                                (18) following ‘false’ branch...
    |      |                            (16) following ‘false’ branch...
    |  229 |                             (strncmp(ptr, "include", 7) == 0)) {
    |      |                             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                              |
    |      |                              (17) ...to here
    |......
    |  234 |                         free(tmp);
    |      |                         ~~~~
    |      |                         |
    |      |                         (19) ...to here
    |......
    |  237 |                         if (arg_debug)
    |      |                            ~
    |      |                            |
    |      |                            (20) following ‘false’ branch...
    |  238 |                                 printf("conditional %s, %s\n", cond->name, ptr);
    |      |                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                                 |
    |      |                                 (21) ...to here
    |  239 |                         if (profile_check_line(ptr, lineno, fname))
    |      |                             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                             |
    |      |                             (22) calling ‘profile_check_line’ from ‘profile_check_conditional’
    |
    +--> ‘profile_check_line’: events 23-24
           |
           |  270 | int profile_check_line(char *ptr, int lineno, const char *fname) {
           |      |     ^~~~~~~~~~~~~~~~~~
           |      |     |
           |      |     (23) entry to ‘profile_check_line’
           |......
           |  274 |         if (profile_check_conditional(ptr, lineno, fname) == 0)
           |      |             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           |      |             |
           |      |             (24) calling ‘profile_check_conditional’ from ‘profile_check_line’
           |
           +--> ‘profile_check_conditional’: events 25-26
                  |
                  |  188 | int profile_check_conditional(char *ptr, int lineno, const char *fname) {
                  |      |     ^~~~~~~~~~~~~~~~~~~~~~~~~
                  |      |     |
                  |      |     (25) entry to ‘profile_check_conditional’
                  |......
                  |  191 |         if (*ptr++ != '?')
                  |      |            ~
                  |      |            |
                  |      |            (26) following ‘false’ branch...
                  |
                ‘profile_check_conditional’: event 27
                  |
                  |cc1:
                  | (27): ...to here
                  |
                ‘profile_check_conditional’: events 28-34
                  |
                  |  195 |         while (cond->name) {
                  |      |                ^~~~
                  |      |                |
                  |      |                (28) following ‘true’ branch...
                  |  196 |                 // continue if not this conditional
                  |  197 |                 if (strncmp(ptr, cond->name, strlen(cond->name)) != 0) {
                  |      |                 ~~
                  |      |                 |
                  |      |                 (29) ...to here
                  |......
                  |  205 |                 if (*ptr++ != ':') {
                  |      |                    ~
                  |      |                    |
                  |      |                    (30) following ‘false’ branch...
                  |......
                  |  210 |                 if (*ptr == '\0') {
                  |      |                 ~~ ~
                  |      |                 |  |
                  |      |                 |  (32) following ‘false’ branch...
                  |      |                 (31) ...to here
                  |......
                  |  215 |                 if (*ptr == ' ')
                  |      |                 ~~
                  |      |                 |
                  |      |                 (33) ...to here
                  |......
                  |  220 |                 if (value) {
                  |      |                    ~
                  |      |                    |
                  |      |                    (34) following ‘false’ branch (when ‘value == 0’)...
                  |
                ‘profile_check_conditional’: event 35
                  |
                  |cc1:
                  | (35): ...to here
                  |
           <------+
           |
         ‘profile_check_line’: events 36-37
           |
           |  274 |         if (profile_check_conditional(ptr, lineno, fname) == 0)
           |      |            ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           |      |            ||
           |      |            |(36) returning to ‘profile_check_line’ from ‘profile_check_conditional’
           |      |            (37) following ‘true’ branch...
           |
         ‘profile_check_line’: event 38
           |
           |cc1:
           | (38): ...to here
           |
    <------+
    |
  ‘profile_check_conditional’: events 39-40
    |
    |  239 |                         if (profile_check_line(ptr, lineno, fname))
    |      |                            ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                            ||
    |      |                            |(39) returning to ‘profile_check_conditional’ from ‘profile_check_line’
    |      |                            (40) following ‘false’ branch...
    |
  ‘profile_check_conditional’: event 41
    |
    |cc1:
    | (41): ...to here
    |
  ‘profile_check_conditional’: event 42
    |
    |  239 |                         if (profile_check_line(ptr, lineno, fname))
    |      |                            ^
    |      |                            |
    |      |                            (42) ‘ptr’ leaks here; was allocated at (12)
    |
restricted_shell.c:123:42: warning: leak of ‘strdup(ptr)’ [CWE-401] [-Wanalyzer-malloc-leak]
In function ‘restricted_shell’:
restricted_shell.c:123:42: warning: leak of ‘strdup(ptr)’ [CWE-401] [-Wanalyzer-malloc-leak]
  123 |                                 return i + 1;
      |                                        ~~^~~
  ‘restricted_shell’: event 1
    |
    |   29 |         assert(user);
    |      |         ^~~~~~
    |      |         |
    |      |         (1) following ‘true’ branch (when ‘user’ is non-NULL)...
    |
  ‘restricted_shell’: events 2-3
    |
    |   32 |         char *fname;
    |      |         ^~~~
    |      |         |
    |      |         (2) ...to here
    |   33 |         if (asprintf(&fname, "%s/login.users", SYSCONFDIR) == -1)
    |      |            ~
    |      |            |
    |      |            (3) following ‘false’ branch...
    |
  ‘restricted_shell’: event 4
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (4) ...to here
restricted_shell.c:34:17: note: in expansion of macro ‘errExit’
    |   34 |                 errExit("asprintf");
    |      |                 ^~~~~~~
    |
  ‘restricted_shell’: event 5
    |
    |   37 |         if (fp == NULL)
    |      |            ^
    |      |            |
    |      |            (5) following ‘false’ branch (when ‘fp’ is non-NULL)...
    |
  ‘restricted_shell’: event 6
    |
    |cc1:
    | (6): ...to here
    |
  ‘restricted_shell’: events 7-10
    |
    |   42 |         while (fgets(buf, MAX_READ, fp)) {
    |      |                ^~~~~
    |      |                |
    |      |                (7) following ‘true’ branch...
    |   43 |                 lineno++;
    |      |                 ~~~~~~
    |      |                 |
    |      |                 (8) ...to here
    |......
    |   60 |                 if (args == NULL) {
    |      |                    ~
    |      |                    |
    |      |                    (9) following ‘false’ branch (when ‘args’ is non-NULL)...
    |......
    |   65 |                 *args = '\0';
    |      |                 ~
    |      |                 |
    |      |                 (10) ...to here
    |
  ‘restricted_shell’: event 11
    |
    |   92 |                         for (i = 1; i < MAX_ARGS; i++) {
    |
  ‘restricted_shell’: event 12
    |
    |cc1:
    | (12): ...to here
    |
  ‘restricted_shell’: event 13
    |
    |  107 |                                 if (*ptr != '\0') {
    |      |                                    ^
    |      |                                    |
    |      |                                    (13) following ‘true’ branch...
    |
  ‘restricted_shell’: event 14
    |
    |cc1:
    | (14): ...to here
    |
  ‘restricted_shell’: events 15-17
    |
    |  112 |                                         fullargv[i] = strdup(fullargv[i]);
    |      |                                                       ^~~~~~~~~~~~~~~~~~~
    |      |                                                       |
    |      |                                                       (15) allocated here
    |  113 |                                         if (fullargv[i] == NULL)
    |      |                                            ~           
    |      |                                            |
    |      |                                            (16) assuming ‘strdup(ptr)’ is non-NULL
    |      |                                            (17) following ‘false’ branch...
    |
  ‘restricted_shell’: event 18
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (18) ...to here
restricted_shell.c:114:49: note: in expansion of macro ‘errExit’
    |  114 |                                                 errExit("strdup");
    |      |                                                 ^~~~~~~
    |
  ‘restricted_shell’: event 19
    |
    |  123 |                                 return i + 1;
    |      |                                        ~~^~~
    |      |                                          |
    |      |                                          (19) ‘strdup(ptr)’ leaks here; was allocated at (15)
    |
0783f9f9ff sbox.c:254:24: warning: dereference of possibly-NULL ‘arg’ [CWE-690] [-Wanalyzer-possible-null-dereference]
sbox.c: In function ‘sbox_run’:
sbox.c:254:24: warning: dereference of possibly-NULL ‘arg’ [CWE-690] [-Wanalyzer-possible-null-dereference]
  254 |                 arg[i] = va_arg(valist, char *);
      |                        ^
  ‘sbox_run’: events 1-3
    |
    |  251 |         char **arg = malloc((num + 1) * sizeof(char *));
    |      |                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                      |
    |      |                      (1) this call could return NULL
    |  252 |         int i;
    |  253 |         for (i = 0; i < num; i++)
    |      |                     ~~~~~~~
    |      |                       |
    |      |                       (2) following ‘true’ branch (when ‘i < num’)...
    |  254 |                 arg[i] = va_arg(valist, char *);
    |      |                 ~~~   
    |      |                 |
    |      |                 (3) ...to here
    |
  ‘sbox_run’: event 4
    |
    |  254 |                 arg[i] = va_arg(valist, char *);
    |      |                        ^
    |      |                        |
    |      |                        (4) ‘arg + (long unsigned int)i * 8’ could be NULL: unchecked value from (1)
    |
0783f9f9ff sbox.c:255:16: warning: dereference of possibly-NULL ‘arg’ [CWE-690] [-Wanalyzer-possible-null-dereference
  255 |         arg[i] = NULL;
      |                ^
  ‘sbox_run’: events 1-3
    |
    |  251 |         char **arg = malloc((num + 1) * sizeof(char *));
    |      |                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                      |
    |      |                      (1) this call could return NULL
    |  252 |         int i;
    |  253 |         for (i = 0; i < num; i++)
    |      |                     ~~~~~~~
    |      |                       |
    |      |                       (2) following ‘false’ branch (when ‘i >= num’)...
    |  254 |                 arg[i] = va_arg(valist, char *);
    |  255 |         arg[i] = NULL;
    |      |         ~~~           
    |      |         |
    |      |         (3) ...to here
    |
  ‘sbox_run’: event 4
    |
    |  255 |         arg[i] = NULL;
    |      |                ^
    |      |                |
    |      |                (4) ‘arg + (long unsigned int)i * 8’ could be NULL: unchecked value from (1)
    |
57c0c21e09 firemon.c:55:9: warning: call to ‘exit’ from within signal handler [CWE-479] [-Wanalyzer-unsafe-call-within-signal-handler]
firemon.c: In function ‘my_handler’:
firemon.c:55:9: warning: call to ‘exit’ from within signal handler [CWE-479] [-Wanalyzer-unsafe-call-within-signal-handler]
   55 |         exit(0);
      |         ^~~~~~~
  ‘main’: events 1-2
    |
    |  134 | int main(int argc, char **argv) {
    |      |     ^~~~
    |      |     |
    |      |     (1) entry to ‘main’
    |......
    |  139 |         signal (SIGINT, my_handler);
    |      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |         |
    |      |         (2) registering ‘my_handler’ as signal handler
    |
  event 3
    |
    |cc1:
    | (3): later on, when the signal is delivered to the process
    |
    +--> ‘my_handler’: events 4-5
           |
           |   49 | static void my_handler(int s){
           |      |             ^~~~~~~~~~
           |      |             |
           |      |             (4) entry to ‘my_handler’
           |......
           |   55 |         exit(0);
           |      |         ~~~~~~~
           |      |         |
           |      |         (5) call to ‘exit’ from within signal handler
           |
firemon.c:55:9: note: ‘_exit’ is a possible signal-safe alternative for ‘exit’
   55 |         exit(0);
      |         ^~~~~~~
../include/common.h:39:28: warning: leak of ‘dname’ [CWE-401] [-Wanalyzer-malloc-leak]
In file included from jailtest.h:23,
                 from access.c:20:
In function ‘access_setup’:
../include/common.h:39:28: warning: leak of ‘dname’ [CWE-401] [-Wanalyzer-malloc-leak]
   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
      |                            ^
access.c:93:17: note: in expansion of macro ‘errExit’
   93 |                 errExit("strdup");
      |                 ^~~~~~~
  ‘access_setup’: event 1
    |
    |   35 |         assert(directory);
    |      |         ^~~~~~
    |      |         |
    |      |         (1) following ‘true’ branch (when ‘directory’ is non-NULL)...
    |
  ‘access_setup’: event 2
    |
    |   36 |         assert(user_home_dir);
    |      |         ^~~~~~
    |      |         |
    |      |         (2) ...to here
    |
  ‘access_setup’: event 3
    |
    |   36 |         assert(user_home_dir);
    |      |         ^~~~~~
    |      |         |
    |      |         (3) following ‘true’ branch...
    |
  ‘access_setup’: events 4-7
    |
    |   38 |         if (files_cnt >= MAX_TEST_FILES) {
    |      |         ^~ ~
    |      |         |  |
    |      |         |  (5) following ‘false’ branch...
    |      |         (4) ...to here
    |......
    |   43 |         char *fname = strdup(directory);
    |      |         ~~~~
    |      |         |
    |      |         (6) ...to here
    |   44 |         if (!fname)
    |      |            ~
    |      |            |
    |      |            (7) following ‘false’ branch...
    |
  ‘access_setup’: event 8
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (8) ...to here
access.c:45:17: note: in expansion of macro ‘errExit’
    |   45 |                 errExit("strdup");
    |      |                 ^~~~~~~
    |
  ‘access_setup’: event 9
    |
    |   46 |         if (strncmp(fname, "~/", 2) == 0) {
    |      |            ^
    |      |            |
    |      |            (9) following ‘false’ branch...
    |
  ‘access_setup’: event 10
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (10) ...to here
access.c:49:25: note: in expansion of macro ‘errExit’
    |   49 |                         errExit("asprintf");
    |      |                         ^~~~~~~
    |
  ‘access_setup’: events 11-17
    |
    |   54 |         if (path == NULL) {
    |      |            ^
    |      |            |
    |      |            (11) following ‘false’ branch...
    |......
    |   60 |         if (strncmp(path, user_home_dir, strlen(user_home_dir)) != 0) {
    |      |         ~~ ~
    |      |         |  |
    |      |         |  (13) following ‘false’ branch...
    |      |         (12) ...to here
    |......
    |   67 |         DIR *dir = opendir(path);
    |      |         ~~~ 
    |      |         |
    |      |         (14) ...to here
    |   68 |         if (!dir) {
    |      |            ~
    |      |            |
    |      |            (15) following ‘false’ branch (when ‘dir’ is non-NULL)...
    |......
    |   73 |         closedir(dir);
    |      |         ~~~~~~~~
    |      |         |
    |      |         (16) ...to here
    |......
    |   77 |         if (asprintf(&test_file, "%s/jailtest-access-%d", path, getpid()) == -1)
    |      |            ~
    |      |            |
    |      |            (17) following ‘false’ branch...
    |
  ‘access_setup’: event 18
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (18) ...to here
access.c:78:17: note: in expansion of macro ‘errExit’
    |   78 |                 errExit("asprintf");
    |      |                 ^~~~~~~
    |
  ‘access_setup’: events 19-21
    |
    |   81 |         if (!fp) {
    |      |            ^
    |      |            |
    |      |            (19) following ‘false’ branch (when ‘fp’ is non-NULL)...
    |......
    |   85 |         fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");
    |      |         ~~~~~~~
    |      |         |
    |      |         (20) ...to here
    |......
    |   88 |         if (rv)
    |      |            ~
    |      |            |
    |      |            (21) following ‘false’ branch (when ‘rv == 0’)...
    |
  ‘access_setup’: event 22
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (22) ...to here
access.c:89:17: note: in expansion of macro ‘errExit’
    |   89 |                 errExit("chown");
    |      |                 ^~~~~~~
    |
  ‘access_setup’: events 23-25
    |
    |   91 |         char *dname = strdup(directory);
    |      |                       ^~~~~~~~~~~~~~~~~
    |      |                       |
    |      |                       (23) allocated here
    |   92 |         if (!dname)
    |      |            ~           
    |      |            |
    |      |            (24) assuming ‘dname’ is non-NULL
    |      |            (25) following ‘false’ branch (when ‘dname’ is non-NULL)...
    |
  ‘access_setup’: event 26
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (26) ...to here
access.c:93:17: note: in expansion of macro ‘errExit’
    |   93 |                 errExit("strdup");
    |      |                 ^~~~~~~
    |
  ‘access_setup’: event 27
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (27) ‘dname’ leaks here; was allocated at (23)
access.c:93:17: note: in expansion of macro ‘errExit’
    |   93 |                 errExit("strdup");
    |      |                 ^~~~~~~
    |

All these warnings make it impossible ATM to make after ./configure with --enable-analyzer and --enable-fatal-warnings.

-fstack-protector-strong -fanalyzer -c fs_mkdir.c -o fs_mkdir.o gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c fs_trace.c -o fs_trace.o gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c fs_var.c -o fs_var.o gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c fs_whitelist.c -o fs_whitelist.o gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT 
-DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c join.c -o join.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c ls.c -o ls.o
ls.c: In function ‘expand_path’:
ls.c:273:16: warning: leak of ‘strdup(path)’ [CWE-401] [-Wanalyzer-malloc-leak]
273 | return fname;
| ^~~~~
‘sandboxfs’: event 1
|
| 276 | void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
| | ^~~~~~~~~
| | |
| | (1) entry to ‘sandboxfs’
|
‘sandboxfs’: event 2
|
| 278 | assert(path1);
| | ^~~~~~
| | |
| | (2) following ‘true’ branch (when ‘path1’ is non-NULL)...
|
‘sandboxfs’: events 3-4
|
| 281 | pid = switch_to_child(pid);
| | ^~~
| | |
| | (3) ...to here
|......
| 287 | char *fname1 = expand_path(path1);
| | ~~~~~~~~~~~~~~~~~~
| | |
| | (4) calling ‘expand_path’ from ‘sandboxfs’
|
+--> ‘expand_path’: events 5-8
|
| 253 | char *expand_path(const char *path) {
| | ^~~~~~~~~~~
| | |
| | (5) entry to ‘expand_path’
|......
| 256 | fname = strdup(path);
| | ~~~~~~~~~~~~
| | |
| | (6) allocated here
| 257 | if (!fname)
| | ~
| | |
| | (7) assuming ‘fname’ is non-NULL
| | (8) following ‘false’ branch...
|
‘expand_path’: event 9
|
|../include/common.h:39:28:
| 39 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
| | ^
| | |
| | (9) ...to here
ls.c:271:25: note: in expansion of macro ‘errExit’
| 271 | errExit("asprintf");
| | ^~~~~~~
|
<------+
|
‘sandboxfs’: events 10-13
|
| 287 | char *fname1 = expand_path(path1);
| | ^~~~~~~~~~~~~~~~~~
| | |
| | (10) returning to ‘sandboxfs’ from ‘expand_path’
| 288 | char *fname2 = NULL;
| 289 | if (path2 != NULL) {
| | ~
| | |
| | (11) following ‘true’ branch (when ‘path2’ is non-NULL)...
| 290 | fname2 = expand_path(path2);
| | ~~~~~~ ~~~~~~~~~~~~~~~~~~
| | | |
| | | (13) calling ‘expand_path’ from ‘sandboxfs’
| | (12) ...to here
|
+--> ‘expand_path’: events 14-15
|
| 253 | char *expand_path(const char *path) {
| | ^~~~~~~~~~~
| | |
| | (14) entry to ‘expand_path’
|......
| 257 | if (!fname)
| | ~
| | |
| | (15) following ‘false’ branch...
|
‘expand_path’: event 16
|
|../include/common.h:39:28:
| 39 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
| | ^
| | |
| | (16) ...to here
ls.c:271:25: note: in expansion of macro ‘errExit’
| 271 | errExit("asprintf");
| | ^~~~~~~
|
‘expand_path’: event 17
|
| 273 | return fname;
| | ^~~~~
| | |
| | (17) ‘strdup(path)’ leaks here; was allocated at (6)
|
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c macros.c -o macros.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c main.c -o main.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c mountinfo.c -o mountinfo.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c netfilter.c -o netfilter.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c netns.c -o netns.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c network.c -o network.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c network_main.c -o network_main.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c no_sandbox.c -o no_sandbox.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c output.c -o output.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c paths.c -o paths.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"'
-DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c preproc.c -o preproc.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c profile.c -o profile.o
In function ‘profile_check_conditional’:
profile.c:239:28: warning: leak of ‘ptr’ [CWE-401] [-Wanalyzer-malloc-leak]
239 | if (profile_check_line(ptr, lineno, fname))
| ^
‘profile_check_conditional’: events 1-2
|
| 188 | int profile_check_conditional(char *ptr, int lineno, const char *fname) {
| | ^~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (1) entry to ‘profile_check_conditional’
|......
| 191 | if (*ptr++ != '?')
| | ~
| | |
| | (2) following ‘false’ branch...
|
‘profile_check_conditional’: event 3
|
|cc1:
| (3): ...to here
|
‘profile_check_conditional’: events 4-14
|
| 195 | while (cond->name) {
| | ^~~~
| | |
| | (4) following ‘true’ branch...
| 196 | // continue if not this conditional
| 197 | if (strncmp(ptr, cond->name, strlen(cond->name)) != 0) {
| | ~~
| | |
| | (5) ...to here
|......
| 205 | if (*ptr++ != ':') {
| | ~
| | |
| | (6) following ‘false’ branch...
|......
| 210 | if (*ptr == '\0') {
| | ~~ ~
| | | |
| | | (8) following ‘false’ branch...
| | (7) ...to here
|......
| 215 | if (*ptr == ' ')
| | ~~
| | |
| | (9) ...to here
|......
| 220 | if (value) {
| | ~
| | |
| | (10) following ‘true’ branch (when ‘value != 0’)...
| 221 | // move ptr to start of profile line
| 222 | ptr = strdup(ptr);
| | ~~~ ~~~~~~~~~~~
| | | |
| | | (12) allocated here
| | (11) ...to here
| 223 | if (!ptr)
| | ~
| | |
| | (13) assuming ‘ptr’ is non-NULL
| | (14) following ‘false’ branch (when ‘ptr’ is non-NULL)...
|
‘profile_check_conditional’: event 15
|
|../include/common.h:39:28:
| 39 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
| | ^
| | |
| | (15) ...to here
profile.c:224:33: note: in expansion of macro ‘errExit’
| 224 | errExit("strdup");
| | ^~~~~~~
|
‘profile_check_conditional’: events 16-22
|
| 228 | if ((strncmp(ptr, "quiet", 5) == 0) ||
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | | |
| | | (18) following ‘false’ branch...
| | (16) following ‘false’ branch...
| 229 | (strncmp(ptr, "include", 7) == 0)) {
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (17) ...to here
|......
| 234 | free(tmp);
| | ~~~~
| | |
| | (19) ...to here
|......
| 237 | if (arg_debug)
| | ~
| | |
| | (20) following ‘false’ branch...
| 238 | printf("conditional %s, %s\n", cond->name, ptr);
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (21) ...to here
| 239 | if (profile_check_line(ptr, lineno, fname))
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (22) calling ‘profile_check_line’ from ‘profile_check_conditional’
|
+--> ‘profile_check_line’: events 23-24
|
| 270 | int profile_check_line(char *ptr, int lineno, const char *fname) {
| | ^~~~~~~~~~~~~~~~~~
| | |
| | (23) entry to ‘profile_check_line’
|......
| 274 | if (profile_check_conditional(ptr, lineno, fname) == 0)
| | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (24) calling ‘profile_check_conditional’ from ‘profile_check_line’
|
+--> ‘profile_check_conditional’: events 25-26
|
| 188 | int profile_check_conditional(char *ptr, int lineno, const char *fname) {
| | ^~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (25) entry to ‘profile_check_conditional’
|......
| 191 | if (*ptr++ != '?')
| | ~
| | |
| | (26) following ‘false’ branch...
|
‘profile_check_conditional’: event 27
|
|cc1:
| (27): ...to here
|
‘profile_check_conditional’: events 28-34
|
| 195 | while (cond->name) {
| | ^~~~
| | |
| | (28) following ‘true’ branch...
| 196 | // continue if not this conditional
| 197 | if (strncmp(ptr, cond->name, strlen(cond->name)) != 0) {
| | ~~
| | |
| | (29) ...to here
|......
| 205 | if (*ptr++ != ':') {
| | ~
| | |
| | (30) following ‘false’ branch...
|......
| 210 | if (*ptr == '\0') {
| | ~~ ~
| | | |
| | | (32) following ‘false’ branch...
| | (31) ...to here
|......
| 215 | if (*ptr == ' ')
| | ~~
| | |
| | (33) ...to here
|......
| 220 | if (value) {
| | ~
| | |
| | (34) following ‘false’ branch (when ‘value == 0’)...
|
‘profile_check_conditional’: event 35
|
|cc1:
| (35): ...to here
|
<------+
|
‘profile_check_line’: events 36-37
|
| 274 | if (profile_check_conditional(ptr, lineno, fname) == 0)
| | ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | ||
| | |(36) returning to ‘profile_check_line’ from ‘profile_check_conditional’
| | (37) following ‘true’ branch...
|
‘profile_check_line’: event 38
|
|cc1:
| (38): ...to here
|
<------+
|
‘profile_check_conditional’: events 39-40
|
| 239 | if (profile_check_line(ptr, lineno, fname))
| | ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | ||
| | |(39) returning to ‘profile_check_conditional’ from ‘profile_check_line’
| | (40) following ‘false’ branch...
|
‘profile_check_conditional’: event 41
|
|cc1:
| (41): ...to here
|
‘profile_check_conditional’: event 42
|
| 239 | if (profile_check_line(ptr, lineno, fname))
| | ^
| | |
| | (42) ‘ptr’ leaks here; was allocated at (12)
|
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c protocol.c -o protocol.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c pulseaudio.c -o pulseaudio.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c restrict_users.c -o restrict_users.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c restricted_shell.c -o restricted_shell.o
In function ‘restricted_shell’:
restricted_shell.c:123:42: warning: leak of ‘strdup(ptr)’ [CWE-401] [-Wanalyzer-malloc-leak]
123 | return i + 1;
| ~~^~~
‘restricted_shell’: event 1
|
| 29 | assert(user);
| | ^~~~~~
| | |
| | (1) following ‘true’ branch (when ‘user’ is non-NULL)...
|
‘restricted_shell’: events 2-3
|
| 32 | char *fname;
| | ^~~~~
| | |
| | (2) ...to here
| 33 | if (asprintf(&fname, "%s/login.users", SYSCONFDIR) == -1)
| | ~
| | |
| | (3) following ‘false’ branch...
|
‘restricted_shell’: event 4
|
|../include/common.h:39:28:
| 39 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
| | ^
| | |
| | (4) ...to here
restricted_shell.c:34:17: note: in expansion of macro ‘errExit’
| 34 | errExit("asprintf");
| | ^~~~~~~
|
‘restricted_shell’: event 5
|
| 37 | if (fp == NULL)
| | ^
| | |
| | (5) following ‘false’ branch (when ‘fp’ is non-NULL)...
|
‘restricted_shell’: event 6
|
|cc1:
| (6): ...to here
|
‘restricted_shell’: events 7-10
|
| 42 | while (fgets(buf, MAX_READ, fp)) {
| | ^~~~~
| | |
| | (7) following ‘true’ branch...
| 43 | lineno++;
| | ~~~~~~
| | |
| | (8) ...to here
|......
| 60 | if (args == NULL) {
| | ~
| | |
| | (9) following ‘false’ branch (when ‘args’ is non-NULL)...
|......
| 65 | *args = '\0';
| | ~
| | |
| | (10) ...to here
|
‘restricted_shell’: event 11
|
| 92 | for (i = 1; i < MAX_ARGS; i++) {
|
‘restricted_shell’: event 12
|
|cc1:
| (12): ...to here
|
‘restricted_shell’: event 13
|
| 107 | if (*ptr != '\0') {
| | ^
| | |
| | (13) following ‘true’ branch...
|
‘restricted_shell’: event 14
|
|cc1:
| (14): ...to here
|
‘restricted_shell’: events 15-17
|
| 112 | fullargv[i] = strdup(fullargv[i]);
| | ^~~~~~~~~~~~~~~~~~~
| | |
| | (15) allocated here
| 113 | if (fullargv[i] == NULL)
| | ~
| | |
| | (16) assuming ‘strdup(ptr)’ is non-NULL
| | (17) following ‘false’ branch...
|
‘restricted_shell’: event 18
|
|../include/common.h:39:28:
| 39 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
| | ^
| | |
| | (18) ...to here
restricted_shell.c:114:49: note: in expansion of macro ‘errExit’
| 114 | errExit("strdup");
| | ^~~~~~~
|
‘restricted_shell’: event 19
|
| 123 | return i + 1;
| | ~~^~~
| | |
| | (19) ‘strdup(ptr)’ leaks here; was allocated at (15)
|
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c rlimit.c -o rlimit.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER
-DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c run_files.c -o run_files.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c run_symlink.c -o run_symlink.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c sandbox.c -o sandbox.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c sbox.c -o sbox.o
sbox.c: In function ‘sbox_run’:
sbox.c:254:24: warning: dereference of possibly-NULL ‘arg’ [CWE-690] [-Wanalyzer-possible-null-dereference]
254 | arg[i] = va_arg(valist, char *);
| ^
‘sbox_run’: events 1-3
|
| 251 | char **arg = malloc((num + 1) * sizeof(char *));
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (1) this call could return NULL
| 252 | int i;
| 253 | for (i = 0; i < num; i++)
| | ~~~~~~~
| | |
| | (2) following ‘true’ branch (when ‘i < num’)...
| 254 | arg[i] = va_arg(valist, char *);
| | ~~~
| | |
| | (3) ...to here
|
‘sbox_run’: event 4
|
| 254 | arg[i] = va_arg(valist, char *);
| | ^
| | |
| | (4) ‘arg + (long unsigned int)i * 8’ could be NULL: unchecked value from (1)
|
sbox.c:255:16: warning: dereference of possibly-NULL ‘arg’ [CWE-690] [-Wanalyzer-possible-null-dereference]
255 | arg[i] = NULL;
| ^
‘sbox_run’: events 1-3
|
| 251 | char **arg = malloc((num + 1) * sizeof(char *));
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (1) this call could return NULL
| 252 | int i;
| 253 | for (i = 0; i < num; i++)
| | ~~~~~~~
| | |
| | (2) following ‘false’ branch (when ‘i >= num’)...
| 254 | arg[i] = va_arg(valist, char *);
| 255 | arg[i] = NULL;
| | ~~~
| | |
| | (3) ...to here
|
‘sbox_run’: event 4
|
| 255 | arg[i] = NULL;
| | ^
| | |
| | (4) ‘arg + (long unsigned int)i * 8’ could be NULL: unchecked value from (1)
|
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c seccomp.c -o seccomp.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c selinux.c -o selinux.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c shutdown.c -o shutdown.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c usage.c -o usage.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c util.c -o util.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c x11.c -o x11.o
gcc -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o firejail appimage.o appimage_size.o arp.o bandwidth.o caps.o cgroup.o checkcfg.o chroot.o cmdline.o cpu.o dbus.o dhcp.o env.o fs.o fs_bin.o fs_dev.o fs_etc.o fs_home.o fs_hostname.o fs_lib.o fs_lib2.o fs_logger.o fs_mkdir.o fs_trace.o fs_var.o fs_whitelist.o join.o ls.o macros.o main.o mountinfo.o netfilter.o netns.o network.o network_main.o no_sandbox.o output.o paths.o preproc.o profile.o protocol.o pulseaudio.o restrict_users.o restricted_shell.o rlimit.o run_files.o run_symlink.o sandbox.o sbox.o seccomp.o selinux.o shutdown.o usage.o util.o x11.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o ../lib/errno.o ../lib/syscall.o
make[1]: Leaving directory '/tmp/firejail/src/firejail'
make -C src/firemon/
make[1]: Entering directory '/tmp/firejail/src/firemon'
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c apparmor.c -o apparmor.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c arp.c -o arp.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c caps.c -o caps.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c cgroup.c -o cgroup.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer
-c cpu.c -o cpu.o gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c firemon.c -o firemon.o firemon.c: In function ‘my_handler’: firemon.c:55:9: warning: call to ‘exit’ from within signal handler [CWE-479] [-Wanalyzer-unsafe-call-within-signal-handler] 55 | exit(0); | ^~~~~~~ ‘main’: events 1-2 | | 134 | int main(int argc, char **argv) { | | ^~~~ | | | | | (1) entry to ‘main’ |...... | 139 | signal (SIGINT, my_handler); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (2) registering ‘my_handler’ as signal handler | event 3 | |cc1: | (3): later on, when the signal is delivered to the process | +--> ‘my_handler’: events 4-5 | | 49 | static void my_handler(int s){ | | ^~~~~~~~~~ | | | | | (4) entry to ‘my_handler’ |...... 
           |   55 |         exit(0);
           |      |         ~~~~~~~
           |      |         |
           |      |         (5) call to ‘exit’ from within signal handler
           |
firemon.c:55:9: note: ‘_exit’ is a possible signal-safe alternative for ‘exit’
   55 |         exit(0);
      |         ^~~~~~~
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c interface.c -o interface.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c list.c -o list.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c netstats.c -o netstats.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c procevent.c -o procevent.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c route.c -o route.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c seccomp.c -o seccomp.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c top.c -o top.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c tree.c -o tree.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c usage.c -o usage.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c x11.c -o x11.o
gcc -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o firemon apparmor.o arp.o caps.o cgroup.o cpu.o firemon.o interface.o list.o netstats.o procevent.o route.o seccomp.o top.o tree.o usage.o x11.o ../lib/common.o ../lib/pid.o
make[1]: Leaving directory '/tmp/firejail/src/firemon'
make -C src/profstats/
make[1]: Entering directory '/tmp/firejail/src/profstats'
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c main.c -o main.o
gcc -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o profstats main.o
make[1]: Leaving directory '/tmp/firejail/src/profstats'
make -C src/jailtest/
make[1]: Entering directory '/tmp/firejail/src/jailtest'
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c access.c -o access.o
In file included from jailtest.h:23,
                 from access.c:20:
In function ‘access_setup’:
../include/common.h:39:28: warning: leak of ‘dname’ [CWE-401] [-Wanalyzer-malloc-leak]
   39 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
      |                            ^
access.c:93:17: note: in expansion of macro ‘errExit’
   93 |                 errExit("strdup");
      |                 ^~~~~~~
  ‘access_setup’: event 1
    |
    |   35 |         assert(directory);
    |      |         ^~~~~~
    |      |         |
    |      |         (1) following ‘true’ branch (when ‘directory’ is non-NULL)...
    |
  ‘access_setup’: event 2
    |
    |   36 |         assert(user_home_dir);
    |      |         ^~~~~~
    |      |         |
    |      |         (2) ...to here
    |
  ‘access_setup’: event 3
    |
    |   36 |         assert(user_home_dir);
    |      |         ^~~~~~
    |      |         |
    |      |         (3) following ‘true’ branch...
    |
  ‘access_setup’: events 4-7
    |
    |   38 |         if (files_cnt >= MAX_TEST_FILES) {
    |      |         ^~ ~
    |      |         |  |
    |      |         |  (5) following ‘false’ branch...
    |      |         (4) ...to here
    |......
    |   43 |         char *fname = strdup(directory);
    |      |         ~~~~
    |      |         |
    |      |         (6) ...to here
    |   44 |         if (!fname)
    |      |            ~
    |      |            |
    |      |            (7) following ‘false’ branch...
    |
  ‘access_setup’: event 8
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (8) ...to here
access.c:45:17: note: in expansion of macro ‘errExit’
    |   45 |                 errExit("strdup");
    |      |                 ^~~~~~~
    |
  ‘access_setup’: event 9
    |
    |   46 |         if (strncmp(fname, "~/", 2) == 0) {
    |      |            ^
    |      |            |
    |      |            (9) following ‘false’ branch...
    |
  ‘access_setup’: event 10
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (10) ...to here
access.c:49:25: note: in expansion of macro ‘errExit’
    |   49 |                         errExit("asprintf");
    |      |                         ^~~~~~~
    |
  ‘access_setup’: events 11-17
    |
    |   54 |         if (path == NULL) {
    |      |            ^
    |      |            |
    |      |            (11) following ‘false’ branch...
    |......
    |   60 |         if (strncmp(path, user_home_dir, strlen(user_home_dir)) != 0) {
    |      |         ~~ ~
    |      |         |  |
    |      |         |  (13) following ‘false’ branch...
    |      |         (12) ...to here
    |......
    |   67 |         DIR *dir = opendir(path);
    |      |         ~~~
    |      |         |
    |      |         (14) ...to here
    |   68 |         if (!dir) {
    |      |            ~
    |      |            |
    |      |            (15) following ‘false’ branch (when ‘dir’ is non-NULL)...
    |......
    |   73 |         closedir(dir);
    |      |         ~~~~~~~~
    |      |         |
    |      |         (16) ...to here
    |......
    |   77 |         if (asprintf(&test_file, "%s/jailtest-access-%d", path, getpid()) == -1)
    |      |            ~
    |      |            |
    |      |            (17) following ‘false’ branch...
    |
  ‘access_setup’: event 18
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (18) ...to here
access.c:78:17: note: in expansion of macro ‘errExit’
    |   78 |                 errExit("asprintf");
    |      |                 ^~~~~~~
    |
  ‘access_setup’: events 19-21
    |
    |   81 |         if (!fp) {
    |      |            ^
    |      |            |
    |      |            (19) following ‘false’ branch (when ‘fp’ is non-NULL)...
    |......
    |   85 |         fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");
    |      |         ~~~~~~~
    |      |         |
    |      |         (20) ...to here
    |......
    |   88 |         if (rv)
    |      |            ~
    |      |            |
    |      |            (21) following ‘false’ branch (when ‘rv == 0’)...
    |
  ‘access_setup’: event 22
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (22) ...to here
access.c:89:17: note: in expansion of macro ‘errExit’
    |   89 |                 errExit("chown");
    |      |                 ^~~~~~~
    |
  ‘access_setup’: events 23-25
    |
    |   91 |         char *dname = strdup(directory);
    |      |                       ^~~~~~~~~~~~~~~~~
    |      |                       |
    |      |                       (23) allocated here
    |   92 |         if (!dname)
    |      |            ~
    |      |            |
    |      |            (24) assuming ‘dname’ is non-NULL
    |      |            (25) following ‘false’ branch (when ‘dname’ is non-NULL)...
    |
  ‘access_setup’: event 26
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (26) ...to here
access.c:93:17: note: in expansion of macro ‘errExit’
    |   93 |                 errExit("strdup");
    |      |                 ^~~~~~~
    |
  ‘access_setup’: event 27
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (27) ‘dname’ leaks here; was allocated at (23)
access.c:93:17: note: in expansion of macro ‘errExit’
    |   93 |                 errExit("strdup");
    |      |                 ^~~~~~~
    |
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c apparmor.c -o apparmor.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c main.c -o main.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c noexec.c -o noexec.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c seccomp.c -o seccomp.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c sysfiles.c -o sysfiles.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c utils.c -o utils.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c virtual.c -o virtual.o
gcc -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o jailtest access.o apparmor.o main.o noexec.o seccomp.o sysfiles.o utils.o virtual.o ../lib/common.o ../lib/pid.o
make[1]: Leaving directory '/tmp/firejail/src/jailtest'
make -C src/fbuilder/
make[1]: Entering directory '/tmp/firejail/src/fbuilder'
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c build_bin.c -o build_bin.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c build_fs.c -o build_fs.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c build_home.c -o build_home.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c build_profile.c -o build_profile.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c build_seccomp.c -o build_seccomp.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c filedb.c -o filedb.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c main.c -o main.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c utils.c -o utils.o
gcc -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o fbuilder build_bin.o build_fs.o build_home.o build_profile.o build_seccomp.o filedb.o main.o utils.o
make[1]: Leaving directory '/tmp/firejail/src/fbuilder'
make -C src/ftee/
make[1]: Entering directory '/tmp/firejail/src/ftee'
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c main.c -o main.o
gcc -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o ftee main.o
make[1]: Leaving directory '/tmp/firejail/src/ftee'
make -C src/fcopy/
make[1]: Entering directory '/tmp/firejail/src/fcopy'
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c main.c -o main.o
gcc -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o fcopy main.o ../lib/common.o
make[1]: Leaving directory '/tmp/firejail/src/fcopy'
make -C src/fldd/
make[1]: Entering directory '/tmp/firejail/src/fldd'
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c main.c -o main.o
gcc -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o fldd main.o ../lib/common.o ../lib/ldd_utils.o
make[1]: Leaving directory '/tmp/firejail/src/fldd'
make -C src/fnet/
make[1]: Entering directory '/tmp/firejail/src/fnet'
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c arp.c -o arp.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c interface.c -o interface.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c main.c -o main.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c veth.c -o veth.o
gcc -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o fnet arp.o interface.o main.o veth.o ../lib/common.o ../lib/libnetlink.o
make[1]: Leaving directory '/tmp/firejail/src/fnet'
make -C src/fnetfilter/
make[1]: Entering directory '/tmp/firejail/src/fnetfilter'
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c main.c -o main.o
gcc -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o fnetfilter main.o ../lib/common.o
make[1]: Leaving directory '/tmp/firejail/src/fnetfilter'
make -C src/fsec-optimize/
make[1]: Entering directory '/tmp/firejail/src/fsec-optimize'
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c main.c -o main.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c optimizer.c -o optimizer.o
gcc -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o fsec-optimize main.o optimizer.o ../lib/common.o ../lib/errno.o
make[1]: Leaving directory '/tmp/firejail/src/fsec-optimize'
make -C src/fsec-print/
make[1]: Entering directory '/tmp/firejail/src/fsec-print'
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c main.c -o main.o
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c print.c -o print.o
gcc -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o fsec-print main.o print.o ../lib/common.o ../lib/errno.o ../lib/syscall.o
make[1]: Leaving directory '/tmp/firejail/src/fsec-print'
make -C src/fseccomp/
make[1]: Entering directory '/tmp/firejail/src/fseccomp'
gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST
-fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c main.c -o main.o gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c protocol.c -o protocol.o gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c seccomp.c -o seccomp.o gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c seccomp_file.c -o seccomp_file.o gcc -g -O2 -ggdb -O2 -DVERSION='"0.9.65"' -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"' 
-DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer -c seccomp_secondary.c -o seccomp_secondary.o gcc -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o fseccomp main.o protocol.o seccomp.o seccomp_file.o seccomp_secondary.o ../lib/common.o ../lib/errno.o ../lib/syscall.o make[1]: Leaving directory '/tmp/firejail/src/fseccomp' make -C src/libpostexecseccomp/ make[1]: Entering directory '/tmp/firejail/src/libpostexecseccomp' gcc -ggdb -O2 -DVERSION='"0.9.65"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security -c libpostexecseccomp.c -o libpostexecseccomp.o gcc -pie -fPIE -Wl,-z,relro -Wl,-z,now -shared -fPIC -z relro -o libpostexecseccomp.so libpostexecseccomp.o -ldl make[1]: Leaving directory '/tmp/firejail/src/libpostexecseccomp' make -C src/libtrace/ make[1]: Entering directory '/tmp/firejail/src/libtrace' gcc -ggdb -O2 -DVERSION='"0.9.65"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security -c libtrace.c -o libtrace.o gcc -pie -fPIE -Wl,-z,relro -Wl,-z,now -shared -fPIC -z relro -o libtrace.so libtrace.o -ldl make[1]: Leaving directory '/tmp/firejail/src/libtrace' make -C src/libtracelog/ make[1]: Entering directory '/tmp/firejail/src/libtracelog' gcc -ggdb -O2 -DVERSION='"0.9.65"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security -c libtracelog.c -o libtracelog.o gcc -pie -fPIE -Wl,-z,relro -Wl,-z,now -shared -fPIC -z relro -o libtracelog.so libtracelog.o -ldl make[1]: Leaving directory '/tmp/firejail/src/libtracelog' ./mkman.sh 0.9.65 src/man/firejail.man firejail.1 ./mkman.sh 0.9.65 src/man/firemon.man firemon.1 ./mkman.sh 0.9.65 src/man/firecfg.man firecfg.1 ./mkman.sh 0.9.65 
src/man/firejail-profile.man firejail-profile.5 ./mkman.sh 0.9.65 src/man/firejail-login.man firejail-login.5 ./mkman.sh 0.9.65 src/man/firejail-users.man firejail-users.5 ./mkman.sh 0.9.65 src/man/jailtest.man jailtest.5 src/fseccomp/fseccomp default seccomp src/fsec-optimize/fsec-optimize seccomp src/fseccomp/fseccomp default seccomp.debug allow-debuggers src/fsec-optimize/fsec-optimize seccomp.debug src/fseccomp/fseccomp secondary 32 seccomp.32 src/fsec-optimize/fsec-optimize seccomp.32 src/fseccomp/fseccomp secondary block seccomp.block_secondary src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32 ``` </details> <details> <summary><code>ls.c:273:16: warning: leak of ‘strdup(path)’ [CWE-401] [-Wanalyzer-malloc-leak]</code></summary> ``` ls.c: In function ‘expand_path’: ls.c:273:16: warning: leak of ‘strdup(path)’ [CWE-401] [-Wanalyzer-malloc-leak] 273 | return fname; | ^~~~~ ‘sandboxfs’: event 1 | | 276 | void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) { | | ^~~~~~~~~ | | | | | (1) entry to ‘sandboxfs’ | ‘sandboxfs’: event 2 | | 278 | assert(path1); | | ^~~~~~ | | | | | (2) following ‘true’ branch (when ‘path1’ is non-NULL)... | ‘sandboxfs’: events 3-4 | | 281 | pid = switch_to_child(pid); | | ^~~ | | | | | (3) ...to here |...... | 287 | char *fname1 = expand_path(path1); | | ~~~~~~~~~~~~~~~~~~ | | | | | (4) calling ‘expand_path’ from ‘sandboxfs’ | +--> ‘expand_path’: events 5-8 | | 253 | char *expand_path(const char *path) { | | ^~~~~~~~~~~ | | | | | (5) entry to ‘expand_path’ |...... | 256 | fname = strdup(path); | | ~~~~~~~~~~~~ | | | | | (6) allocated here | 257 | if (!fname) | | ~ | | | | | (7) assuming ‘fname’ is non-NULL | | (8) following ‘false’ branch... 
| ‘expand_path’: event 9 | |../include/common.h:39:28: | 39 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0) | | ^ | | | | | (9) ...to here ls.c:271:25: note: in expansion of macro ‘errExit’ | 271 | errExit("asprintf"); | | ^~~~~~~ | <------+ | ‘sandboxfs’: events 10-13 | | 287 | char *fname1 = expand_path(path1); | | ^~~~~~~~~~~~~~~~~~ | | | | | (10) returning to ‘sandboxfs’ from ‘expand_path’ | 288 | char *fname2 = NULL; | 289 | if (path2 != NULL) { | | ~ | | | | | (11) following ‘true’ branch (when ‘path2’ is non-NULL)... | 290 | fname2 = expand_path(path2); | | ~~~~~~ ~~~~~~~~~~~~~~~~~~ | | | | | | | (13) calling ‘expand_path’ from ‘sandboxfs’ | | (12) ...to here | +--> ‘expand_path’: events 14-15 | | 253 | char *expand_path(const char *path) { | | ^~~~~~~~~~~ | | | | | (14) entry to ‘expand_path’ |...... | 257 | if (!fname) | | ~ | | | | | (15) following ‘false’ branch... 
| ‘expand_path’: event 16 | |../include/common.h:39:28: | 39 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0) | | ^ | | | | | (16) ...to here ls.c:271:25: note: in expansion of macro ‘errExit’ | 271 | errExit("asprintf"); | | ^~~~~~~ | ‘expand_path’: event 17 | | 273 | return fname; | | ^~~~~ | | | | | (17) ‘strdup(path)’ leaks here; was allocated at (6) | ``` </details> <details> <summary><code>profile.c:239:28: warning: leak of ‘ptr’ [CWE-401] [-Wanalyzer-malloc-leak]</code></summary> ``` In function ‘profile_check_conditional’: profile.c:239:28: warning: leak of ‘ptr’ [CWE-401] [-Wanalyzer-malloc-leak] 239 | if (profile_check_line(ptr, lineno, fname)) | ^ ‘profile_check_conditional’: events 1-2 | | 188 | int profile_check_conditional(char *ptr, int lineno, const char *fname) { | | ^~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (1) entry to ‘profile_check_conditional’ |...... | 191 | if (*ptr++ != '?') | | ~ | | | | | (2) following ‘false’ branch... | ‘profile_check_conditional’: event 3 | |cc1: | (3): ...to here | ‘profile_check_conditional’: events 4-14 | | 195 | while (cond->name) { | | ^~~~ | | | | | (4) following ‘true’ branch... | 196 | // continue if not this conditional | 197 | if (strncmp(ptr, cond->name, strlen(cond->name)) != 0) { | | ~~ | | | | | (5) ...to here |...... | 205 | if (*ptr++ != ':') { | | ~ | | | | | (6) following ‘false’ branch... |...... | 210 | if (*ptr == '\0') { | | ~~ ~ | | | | | | | (8) following ‘false’ branch... | | (7) ...to here |...... | 215 | if (*ptr == ' ') | | ~~ | | | | | (9) ...to here |...... | 220 | if (value) { | | ~ | | | | | (10) following ‘true’ branch (when ‘value != 0’)... 
| 221 | // move ptr to start of profile line | 222 | ptr = strdup(ptr); | | ~~~ ~~~~~~~~~~~ | | | | | | | (12) allocated here | | (11) ...to here | 223 | if (!ptr) | | ~ | | | | | (13) assuming ‘ptr’ is non-NULL | | (14) following ‘false’ branch (when ‘ptr’ is non-NULL)... | ‘profile_check_conditional’: event 15 | |../include/common.h:39:28: | 39 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0) | | ^ | | | | | (15) ...to here profile.c:224:33: note: in expansion of macro ‘errExit’ | 224 | errExit("strdup"); | | ^~~~~~~ | ‘profile_check_conditional’: events 16-22 | | 228 | if ((strncmp(ptr, "quiet", 5) == 0) || | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (18) following ‘false’ branch... | | (16) following ‘false’ branch... | 229 | (strncmp(ptr, "include", 7) == 0)) { | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (17) ...to here |...... | 234 | free(tmp); | | ~~~~ | | | | | (19) ...to here |...... | 237 | if (arg_debug) | | ~ | | | | | (20) following ‘false’ branch... | 238 | printf("conditional %s, %s\n", cond->name, ptr); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (21) ...to here | 239 | if (profile_check_line(ptr, lineno, fname)) | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (22) calling ‘profile_check_line’ from ‘profile_check_conditional’ | +--> ‘profile_check_line’: events 23-24 | | 270 | int profile_check_line(char *ptr, int lineno, const char *fname) { | | ^~~~~~~~~~~~~~~~~~ | | | | | (23) entry to ‘profile_check_line’ |...... 
| 274 | if (profile_check_conditional(ptr, lineno, fname) == 0) | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (24) calling ‘profile_check_conditional’ from ‘profile_check_line’ | +--> ‘profile_check_conditional’: events 25-26 | | 188 | int profile_check_conditional(char *ptr, int lineno, const char *fname) { | | ^~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (25) entry to ‘profile_check_conditional’ |...... | 191 | if (*ptr++ != '?') | | ~ | | | | | (26) following ‘false’ branch... | ‘profile_check_conditional’: event 27 | |cc1: | (27): ...to here | ‘profile_check_conditional’: events 28-34 | | 195 | while (cond->name) { | | ^~~~ | | | | | (28) following ‘true’ branch... | 196 | // continue if not this conditional | 197 | if (strncmp(ptr, cond->name, strlen(cond->name)) != 0) { | | ~~ | | | | | (29) ...to here |...... | 205 | if (*ptr++ != ':') { | | ~ | | | | | (30) following ‘false’ branch... |...... | 210 | if (*ptr == '\0') { | | ~~ ~ | | | | | | | (32) following ‘false’ branch... | | (31) ...to here |...... | 215 | if (*ptr == ' ') | | ~~ | | | | | (33) ...to here |...... | 220 | if (value) { | | ~ | | | | | (34) following ‘false’ branch (when ‘value == 0’)... | ‘profile_check_conditional’: event 35 | |cc1: | (35): ...to here | <------+ | ‘profile_check_line’: events 36-37 | | 274 | if (profile_check_conditional(ptr, lineno, fname) == 0) | | ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | || | | |(36) returning to ‘profile_check_line’ from ‘profile_check_conditional’ | | (37) following ‘true’ branch... | ‘profile_check_line’: event 38 | |cc1: | (38): ...to here | <------+ | ‘profile_check_conditional’: events 39-40 | | 239 | if (profile_check_line(ptr, lineno, fname)) | | ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | || | | |(39) returning to ‘profile_check_conditional’ from ‘profile_check_line’ | | (40) following ‘false’ branch... 
| ‘profile_check_conditional’: event 41 | |cc1: | (41): ...to here | ‘profile_check_conditional’: event 42 | | 239 | if (profile_check_line(ptr, lineno, fname)) | | ^ | | | | | (42) ‘ptr’ leaks here; was allocated at (12) | ``` </details> <details> <summary><code>restricted_shell.c:123:42: warning: leak of ‘strdup(ptr)’ [CWE-401] [-Wanalyzer-malloc-leak]</code></summary> ``` In function ‘restricted_shell’: restricted_shell.c:123:42: warning: leak of ‘strdup(ptr)’ [CWE-401] [-Wanalyzer-malloc-leak] 123 | return i + 1; | ~~^~~ ‘restricted_shell’: event 1 | | 29 | assert(user); | | ^~~~~~ | | | | | (1) following ‘true’ branch (when ‘user’ is non-NULL)... | ‘restricted_shell’: events 2-3 | | 32 | char *fname; | | ^~~~ | | | | | (2) ...to here | 33 | if (asprintf(&fname, "%s/login.users", SYSCONFDIR) == -1) | | ~ | | | | | (3) following ‘false’ branch... | ‘restricted_shell’: event 4 | |../include/common.h:39:28: | 39 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0) | | ^ | | | | | (4) ...to here restricted_shell.c:34:17: note: in expansion of macro ‘errExit’ | 34 | errExit("asprintf"); | | ^~~~~~~ | ‘restricted_shell’: event 5 | | 37 | if (fp == NULL) | | ^ | | | | | (5) following ‘false’ branch (when ‘fp’ is non-NULL)... | ‘restricted_shell’: event 6 | |cc1: | (6): ...to here | ‘restricted_shell’: events 7-10 | | 42 | while (fgets(buf, MAX_READ, fp)) { | | ^~~~~ | | | | | (7) following ‘true’ branch... | 43 | lineno++; | | ~~~~~~ | | | | | (8) ...to here |...... | 60 | if (args == NULL) { | | ~ | | | | | (9) following ‘false’ branch (when ‘args’ is non-NULL)... |...... 
| 65 | *args = '\0'; | | ~ | | | | | (10) ...to here | ‘restricted_shell’: event 11 | | 92 | for (i = 1; i < MAX_ARGS; i++) { | ‘restricted_shell’: event 12 | |cc1: | (12): ...to here | ‘restricted_shell’: event 13 | | 107 | if (*ptr != '\0') { | | ^ | | | | | (13) following ‘true’ branch... | ‘restricted_shell’: event 14 | |cc1: | (14): ...to here | ‘restricted_shell’: events 15-17 | | 112 | fullargv[i] = strdup(fullargv[i]); | | ^~~~~~~~~~~~~~~~~~~ | | | | | (15) allocated here | 113 | if (fullargv[i] == NULL) | | ~ | | | | | (16) assuming ‘strdup(ptr)’ is non-NULL | | (17) following ‘false’ branch... | ‘restricted_shell’: event 18 | |../include/common.h:39:28: | 39 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0) | | ^ | | | | | (18) ...to here restricted_shell.c:114:49: note: in expansion of macro ‘errExit’ | 114 | errExit("strdup"); | | ^~~~~~~ | ‘restricted_shell’: event 19 | | 123 | return i + 1; | | ~~^~~ | | | | | (19) ‘strdup(ptr)’ leaks here; was allocated at (15) | ``` </details> <details> <summary>0783f9f9ff426b33b73a5d34df668a8dadb7cf2e<s><code>sbox.c:254:24: warning: dereference of possibly-NULL ‘arg’ [CWE-690] [-Wanalyzer-possible-null-dereference]</code></s></summary> ``` sbox.c: In function ‘sbox_run’: sbox.c:254:24: warning: dereference of possibly-NULL ‘arg’ [CWE-690] [-Wanalyzer-possible-null-dereference] 254 | arg[i] = va_arg(valist, char *); | ^ ‘sbox_run’: events 1-3 | | 251 | char **arg = malloc((num + 1) * sizeof(char *)); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (1) this call could return NULL | 252 | int i; | 253 | for (i = 0; i < num; i++) | | ~~~~~~~ | | | | | (2) following ‘true’ branch (when ‘i < num’)... 
| 254 | arg[i] = va_arg(valist, char *); | | ~~~ | | | | | (3) ...to here | ‘sbox_run’: event 4 | | 254 | arg[i] = va_arg(valist, char *); | | ^ | | | | | (4) ‘arg + (long unsigned int)i * 8’ could be NULL: unchecked value from (1) | ``` </details> <details> <summary>0783f9f9ff426b33b73a5d34df668a8dadb7cf2e<s><code>sbox.c:255:16: warning: dereference of possibly-NULL ‘arg’ [CWE-690] [-Wanalyzer-possible-null-dereference</code></s></summary> ``` 255 | arg[i] = NULL; | ^ ‘sbox_run’: events 1-3 | | 251 | char **arg = malloc((num + 1) * sizeof(char *)); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (1) this call could return NULL | 252 | int i; | 253 | for (i = 0; i < num; i++) | | ~~~~~~~ | | | | | (2) following ‘false’ branch (when ‘i >= num’)... | 254 | arg[i] = va_arg(valist, char *); | 255 | arg[i] = NULL; | | ~~~ | | | | | (3) ...to here | ‘sbox_run’: event 4 | | 255 | arg[i] = NULL; | | ^ | | | | | (4) ‘arg + (long unsigned int)i * 8’ could be NULL: unchecked value from (1) | ``` </details> <details> <summary>57c0c21e09f453771694eb33b77a212791c98a71<s><code>firemon.c:55:9: warning: call to ‘exit’ from within signal handler [CWE-479] [-Wanalyzer-unsafe-call-within-signal-handler]</code></s></summary> ``` firemon.c: In function ‘my_handler’: firemon.c:55:9: warning: call to ‘exit’ from within signal handler [CWE-479] [-Wanalyzer-unsafe-call-within-signal-handler] 55 | exit(0); | ^~~~~~~ ‘main’: events 1-2 | | 134 | int main(int argc, char **argv) { | | ^~~~ | | | | | (1) entry to ‘main’ |...... | 139 | signal (SIGINT, my_handler); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (2) registering ‘my_handler’ as signal handler | event 3 | |cc1: | (3): later on, when the signal is delivered to the process | +--> ‘my_handler’: events 4-5 | | 49 | static void my_handler(int s){ | | ^~~~~~~~~~ | | | | | (4) entry to ‘my_handler’ |...... 
| 55 | exit(0); | | ~~~~~~~ | | | | | (5) call to ‘exit’ from within signal handler | firemon.c:55:9: note: ‘_exit’ is a possible signal-safe alternative for ‘exit’ 55 | exit(0); | ^~~~~~~ ``` </details> <details> <summary><code>../include/common.h:39:28: warning: leak of ‘dname’ [CWE-401] [-Wanalyzer-malloc-leak]</code></summary> ``` In file included from jailtest.h:23, from access.c:20: In function ‘access_setup’: ../include/common.h:39:28: warning: leak of ‘dname’ [CWE-401] [-Wanalyzer-malloc-leak] 39 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0) | ^ access.c:93:17: note: in expansion of macro ‘errExit’ 93 | errExit("strdup"); | ^~~~~~~ ‘access_setup’: event 1 | | 35 | assert(directory); | | ^~~~~~ | | | | | (1) following ‘true’ branch (when ‘directory’ is non-NULL)... | ‘access_setup’: event 2 | | 36 | assert(user_home_dir); | | ^~~~~~ | | | | | (2) ...to here | ‘access_setup’: event 3 | | 36 | assert(user_home_dir); | | ^~~~~~ | | | | | (3) following ‘true’ branch... | ‘access_setup’: events 4-7 | | 38 | if (files_cnt >= MAX_TEST_FILES) { | | ^~ ~ | | | | | | | (5) following ‘false’ branch... | | (4) ...to here |...... | 43 | char *fname = strdup(directory); | | ~~~~ | | | | | (6) ...to here | 44 | if (!fname) | | ~ | | | | | (7) following ‘false’ branch... | ‘access_setup’: event 8 | |../include/common.h:39:28: | 39 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0) | | ^ | | | | | (8) ...to here access.c:45:17: note: in expansion of macro ‘errExit’ | 45 | errExit("strdup"); | | ^~~~~~~ | ‘access_setup’: event 9 | | 46 | if (strncmp(fname, "~/", 2) == 0) { | | ^ | | | | | (9) following ‘false’ branch... 
| ‘access_setup’: event 10 | |../include/common.h:39:28: | 39 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0) | | ^ | | | | | (10) ...to here access.c:49:25: note: in expansion of macro ‘errExit’ | 49 | errExit("asprintf"); | | ^~~~~~~ | ‘access_setup’: events 11-17 | | 54 | if (path == NULL) { | | ^ | | | | | (11) following ‘false’ branch... |...... | 60 | if (strncmp(path, user_home_dir, strlen(user_home_dir)) != 0) { | | ~~ ~ | | | | | | | (13) following ‘false’ branch... | | (12) ...to here |...... | 67 | DIR *dir = opendir(path); | | ~~~ | | | | | (14) ...to here | 68 | if (!dir) { | | ~ | | | | | (15) following ‘false’ branch (when ‘dir’ is non-NULL)... |...... | 73 | closedir(dir); | | ~~~~~~~~ | | | | | (16) ...to here |...... | 77 | if (asprintf(&test_file, "%s/jailtest-access-%d", path, getpid()) == -1) | | ~ | | | | | (17) following ‘false’ branch... | ‘access_setup’: event 18 | |../include/common.h:39:28: | 39 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0) | | ^ | | | | | (18) ...to here access.c:78:17: note: in expansion of macro ‘errExit’ | 78 | errExit("asprintf"); | | ^~~~~~~ | ‘access_setup’: events 19-21 | | 81 | if (!fp) { | | ^ | | | | | (19) following ‘false’ branch (when ‘fp’ is non-NULL)... |...... | 85 | fprintf(fp, "this file was created by firetest utility, you can safely delete it\n"); | | ~~~~~~~ | | | | | (20) ...to here |...... | 88 | if (rv) | | ~ | | | | | (21) following ‘false’ branch (when ‘rv == 0’)... 
| ‘access_setup’: event 22 | |../include/common.h:39:28: | 39 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0) | | ^ | | | | | (22) ...to here access.c:89:17: note: in expansion of macro ‘errExit’ | 89 | errExit("chown"); | | ^~~~~~~ | ‘access_setup’: events 23-25 | | 91 | char *dname = strdup(directory); | | ^~~~~~~~~~~~~~~~~ | | | | | (23) allocated here | 92 | if (!dname) | | ~ | | | | | (24) assuming ‘dname’ is non-NULL | | (25) following ‘false’ branch (when ‘dname’ is non-NULL)... | ‘access_setup’: event 26 | |../include/common.h:39:28: | 39 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0) | | ^ | | | | | (26) ...to here access.c:93:17: note: in expansion of macro ‘errExit’ | 93 | errExit("strdup"); | | ^~~~~~~ | ‘access_setup’: event 27 | |../include/common.h:39:28: | 39 | #define errExit(msg) do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0) | | ^ | | | | | (27) ‘dname’ leaks here; was allocated at (23) access.c:93:17: note: in expansion of macro ‘errExit’ | 93 | errExit("strdup"); | | ^~~~~~~ | ``` </details>

All these warnings make it impossible ATM to `make` after `./configure` with `--enable-analyzer` and `--enable-fatal-warnings`.

@reinerh commented on GitHub (May 13, 2021):

Interesting, these have not been caught by clang-analyzer (scan-build).
When these are fixed we should enable it in CI.
Edit: just noticed it is already enabled in CI (build_and_test job).


@reinerh commented on GitHub (May 13, 2021):

Ah, these warnings seem to be newly detected with GCC 11. It builds fine here with GCC 10.


@smitsohu commented on GitHub (May 16, 2021):

Is it only me? My impression is that `-Wanalyzer-malloc-leak` warnings are still prone to false positives. At first glance only the second memleak (profile.c) looks real.

If there is no way to silence these warnings individually, would it be ok to disable them altogether for the time being?
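
The warning classes reported in the issue body (CWE-690, CWE-479, CWE-401) in a form that avoids them, plus the per-function suppression the comment above asks about, as an added example that is not firejail's code. All function names (`build_argv`, `on_sigint`, `install_sigint_handler`, `line_is_valid`, `check_conditional`, `expand_home`) are hypothetical and the inputs are constructed; the example does not decide which firejail reports are false positives.

```c
/* Added example, not firejail code. Every function name below is
 * hypothetical and the inputs are constructed. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L      /* strdup, sigaction */
#endif
#include <signal.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* CWE-690, the sbox.c:251 pattern: test malloc() before the first store. */
char **build_argv(int num, ...) {
    if (num < 0)
        return NULL;
    char **arg = malloc(((size_t)num + 1) * sizeof(char *));
    if (!arg)
        return NULL;                 /* caller chooses how to fail */
    va_list valist;
    va_start(valist, num);
    for (int i = 0; i < num; i++)
        arg[i] = va_arg(valist, char *);
    va_end(valist);
    arg[num] = NULL;                 /* execv-style terminator */
    return arg;
}

/* CWE-479, the firemon.c:55 pattern: exit() runs atexit handlers and
 * flushes stdio, which is not async-signal-safe; _exit() is. */
static void on_sigint(int sig) {
    (void)sig;
    _exit(0);
}

int install_sigint_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigint;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGINT, &sa, NULL);   /* 0 on success */
}

/* Stand-in for a real line checker: accepts any non-empty line. */
static int line_is_valid(const char *line) {
    return line[0] != '\0';
}

/* CWE-401, the profile.c:222 pattern: the strdup() copy is owned by this
 * function, so it is released at one point that every outcome passes. */
int check_conditional(const char *line) {
    if (line[0] != '?')
        return 1;                    /* not a conditional, nothing allocated */
    const char *colon = strchr(line, ':');
    if (!colon)
        return 0;                    /* "?NAME" without ':' */
    const char *rest = colon + 1;
    while (*rest == ' ')
        rest++;
    char *copy = strdup(rest);
    if (!copy)
        return 0;
    int ok = line_is_valid(copy);
    free(copy);
    return ok;
}

/* Per-site suppression: the diagnostic is disabled for one function only,
 * the rest of the build keeps it. Guarded because the -Wanalyzer-* options
 * exist only in GCC 10 and later. Ownership of the result passes to the
 * caller, which must free() it. */
#if defined(__GNUC__) && !defined(__clang__) && __GNUC__ >= 10
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wanalyzer-malloc-leak"
#endif
char *expand_home(const char *path, const char *home) {
    if (strncmp(path, "~/", 2) != 0)
        return strdup(path);
    size_t len = strlen(home) + strlen(path + 1) + 1;
    char *fname = malloc(len);
    if (fname)
        snprintf(fname, len, "%s%s", home, path + 1);
    return fname;
}
#if defined(__GNUC__) && !defined(__clang__) && __GNUC__ >= 10
#pragma GCC diagnostic pop
#endif

int main(void) {
    char **av = build_argv(2, "ls", "-l");
    char *p = expand_home("~/notes.txt", "/home/user");
    printf("argv[0]=%s expanded=%s conditional=%d\n",
           av ? av[0] : "(null)", p ? p : "(null)",
           check_conditional("?HAS_X11: noroot"));
    free(p);
    free(av);
    return 0;
}
```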


@reinerh commented on GitHub (May 16, 2021):

@smitsohu I have the same impression. A few days ago I tried to tackle the problem in `ls.c`, and I was able to "silence" it with this change:

-        fname2 = expand_path(path2);
+        fname2 = strdup(path2);
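
Review bot: on the `+` line, swapping `expand_path(path2)` for `strdup(path2)` changes what `sandboxfs` does with `path2`, not just what the analyzer reports: the trace in the issue body shows `expand_path` reaching an `asprintf` call at ls.c:271 in addition to the `strdup` at ls.c:256, so any expansion done there is skipped for the second path. Because `fname2` is heap-allocated either way, the warning going away does not show that a leak was fixed. I would keep `fname2 = expand_path(path2);` and either free the result on every exit path of `sandboxfs` or suppress the diagnostic at that site.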

Though both calls obviously allocate memory...


@ghost commented on GitHub (May 20, 2021):

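Are the recent CI build failures like [this one](https://github.com/netblue30/firejail/pull/4291/checks?check_run_id=2632791726) for example related to -fanalyzer? If so I'd like to +1 @smitsohu's [suggestion](https://github.com/netblue30/firejail/issues/4274#issuecomment-841884600).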


@reinerh commented on GitHub (May 20, 2021):

@glitsj16 Yes, it's a -fanalyzer regression:

gcc-10 -g -O2 -ggdb -W -Wall -Werror -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr"' -DSYSCONFDIR='"/etc/firejail"' -DLIBDIR='"/usr/lib"' -DBINDIR='"/usr/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME -DHAVE_APPARMOR  -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST -DHAVE_SELINUX -DHAVE_SUID  -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -fstack-clash-protection -fstack-protector-strong -fanalyzer   -c fs_whitelist.c -o fs_whitelist.o
In function ‘tmpfs_topdirs’:
fs_whitelist.c:398:1: error: leak of ‘topdirs’ [CWE-401] [-Werror=analyzer-malloc-leak]
  398 | }
      | ^
  ‘fs_whitelist’: events 1-4
    |
    |  523 | void fs_whitelist(void) {
    |      |      ^~~~~~~~~~~~
    |      |      |
    |      |      (1) entry to ‘fs_whitelist’
    |  524 |  ProfileEntry *entry = cfg.profile;
    |  525 |  if (!entry)
    |      |     ~ 
    |      |     |
    |      |     (2) following ‘false’ branch (when ‘entry’ is non-NULL)...
    |......
    |  528 |  if (asprintf(&runuser, "/run/user/%u", getuid()) == -1)
    |      |  ~~ ~ 
    |      |  |  |
    |      |  |  (4) following ‘false’ branch...
    |      |  (3) ...to here
    |
  ‘fs_whitelist’: event 5
    |
    |../include/common.h:39:164:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                                                                                                                                                                    ^
    |      |                                                                                                                                                                    |
    |      |                                                                                                                                                                    (5) ...to here
           |      |             ^~~~~~~~~~~~~
           |      |             |
           |      |             (42) entry to ‘tmpfs_topdirs’
           |......
           |  315 |  for (i = 0; i < TOP_MAX && topdirs[i].path; i++) {
           |      |  ~~~         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           |      |  |                       |         |
           |      |  |                       |         (44) ...to here
           |      |  |                       (45) following ‘false’ branch...
           |      |  (43) following ‘true’ branch (when ‘i != 64’)...
           |......
           |  390 |  if (tmpfs_home)
           |      |  ~~ ~        
           |      |  |  |
           |      |  |  (47) following ‘false’ branch (when ‘tmpfs_home == 0’)...
           |      |  (46) ...to here
           |......
           |  394 |  if (tmpfs_runuser) {
           |      |  ~~ ~        
           |      |  |  |
           |      |  |  (49) following ‘false’ branch (when ‘tmpfs_runuser == 0’)...
           |      |  (48) ...to here
           |......
           |  398 | }
           |      | ~            
           |      | |
           |      | (50) ...to here
           |
    <------+
    |
  ‘fs_whitelist’: events 51-58
    |
    |  713 |  tmpfs_topdirs(topdirs);
    |      |  ^~~~~~~~~~~~~~~~~~~~~~
    |      |  |
    |      |  (51) returning to ‘fs_whitelist’ from ‘tmpfs_topdirs’
    |......
    |  717 |  while (entry) {
    |      |        ~
    |      |        |
    |      |        (52) following ‘false’ branch (when ‘entry’ is NULL)...
    |......
    |  747 |  free(runuser);
    |      |  ~~~~
    |      |  |
    |      |  (53) ...to here
    |......
    |  750 |  for (i = 0; i < TOP_MAX && topdirs[i].path; i++) {
    |      |  ~~~         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |  |                       |         |
    |      |  |                       |         (55) ...to here
    |      |  |                       (56) following ‘false’ branch...
    |      |  (54) following ‘true’ branch (when ‘i != 64’)...
    |......
    |  754 |  free(topdirs);
    |      |  ~~~~~~~~~~~~~
    |      |  |
    |      |  (57) ...to here
    |      |  (58) ‘nowhitelist’ leaks here; was allocated at (6)
    |
cc1: all warnings being treated as errors

@reinerh commented on GitHub (May 23, 2021):

The recent CI failures are false positives in GCC 10 and no longer appear in GCC 11 (see #4297).
