author | Colin Watson <cjwatson@debian.org> | 2022-01-30 15:03:39 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2022-01-30 15:03:40 +0000 |
commit | 43aa5a2b077fafa7b5239302d6e41f42830bf6ac (patch) | |
tree | ac58ae008d16b9fe9b02bd4b05ec81ca27de26c0 /lib/sandbox.c | |
parent | b3f2788945722093b3c9e95eb4905395a634d9f5 (diff) |
Simplify static analysis of fatal errors
The usual idiom for fatal error reporting in man-db is `error (FATAL,
...)` (there are a few cases using different exit codes, but they're
less common). Unfortunately, there's no easy way to tell the compiler
that this call doesn't return, because `error (0, ...)` *does* return.
As a result, some call sites required extra work to give the compiler
this information, which can sometimes make a difference to static
analysis.
To simplify this, add a new `fatal` helper function which always exits
`FATAL` (i.e. 2) and never returns. This is declared with `_Noreturn`
so that the compiler can straightforwardly know what's going on.
* bootstrap.conf (gnulib_modules): Add verror.
(XGETTEXT_OPTIONS): Add --flag=fatal:2:c-format.
* lib/fatal.c, lib/fatal.h: New files.
* lib/Makefile.am (libman_la_SOURCES): Add fatal.c and fatal.h.
* src/tests/Makefile.am (AM_CPPFLAGS): Add -I$(top_srcdir)/lib.
(get_mtime_LDADD): Add $(top_builddir)/lib/libman.la.
* lib/pathsearch.c (pathsearch, directory_on_path): Use fatal.
* lib/sandbox.c (can_load_seccomp, make_seccomp_filter, _sandbox_load):
Likewise.
* lib/security.c (gripe_set_euid): Likewise.
* lib/xregcomp.c (xregcomp): Likewise.
* libdb/db_lookup.c (gripe_corrupt_data, dblookup_pattern): Likewise.
* libdb/db_ver.c (dbver_wr): Likewise.
* src/accessdb.c (main): Likewise.
* src/catman.c (parse_for_sec): Likewise.
* src/check_mandirs.c (chown_if_possible): Likewise.
* src/man-recode.c (recode): Likewise.
* src/man.c (open_cat_stream, format_display, gripe_converting_name):
Likewise.
* src/manconv.c (add_output): Likewise.
* src/manp.c (add_dir_to_path_list): Likewise.
* src/tests/get-mtime.c (main): Likewise.
* src/whatis.c (do_apropos): Likewise.
* src/zsoelim.l (<so>\"?[^ \t\n\"]+\"?): Likewise.
* libdb/db_lookup.c (gripe_corrupt_data, gripe_replace_key): Declare as
_Noreturn.
* src/accessdb.c (main): Remove now-unnecessary assertion.
* src/man.c (gripe_converting_name): Remove now-unnecessary abort.
Diffstat (limited to 'lib/sandbox.c')
-rw-r--r-- | lib/sandbox.c | 13 |
1 files changed, 6 insertions, 7 deletions
diff --git a/lib/sandbox.c b/lib/sandbox.c
index 798e6d77..bfda5e30 100644
--- a/lib/sandbox.c
+++ b/lib/sandbox.c
@@ -64,13 +64,13 @@
 #endif /* HAVE_LIBSECCOMP */
 #include "attribute.h"
-#include "error.h"
 #include "xalloc.h"
 #include "xstrndup.h"
 #include "manconfig.h"
 #include "debug.h"
+#include "fatal.h"
 #include "sandbox.h"
 struct man_sandbox {
@@ -194,7 +194,7 @@ static bool can_load_seccomp (void)
 if (nr == __NR_SCMP_ERROR) \
 break; \
 if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, nr, 0) < 0) \
- error (FATAL, errno, "can't add seccomp rule"); \
+ fatal (errno, "can't add seccomp rule"); \
 } while (0)
 #define SC_ALLOW_PERMISSIVE(name) \
@@ -209,7 +209,7 @@ static bool can_load_seccomp (void)
 if (nr == __NR_SCMP_ERROR) \
 break; \
 if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, nr, 1, cmp1) < 0) \
- error (FATAL, errno, "can't add seccomp rule"); \
+ fatal (errno, "can't add seccomp rule"); \
 } while (0)
 #define SC_ALLOW_ARG_2(name, cmp1, cmp2) \
@@ -219,7 +219,7 @@ static bool can_load_seccomp (void)
 break; \
 if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, nr, \
 2, cmp1, cmp2) < 0) \
- error (FATAL, errno, "can't add seccomp rule"); \
+ fatal (errno, "can't add seccomp rule"); \
 } while (0)
 /* Create a seccomp filter.
@@ -247,7 +247,7 @@ static scmp_filter_ctx make_seccomp_filter (int permissive)
 debug ("initialising seccomp filter (permissive: %d)\n", permissive);
 ctx = seccomp_init (SCMP_ACT_ERRNO (ENOSYS));
 if (!ctx)
- error (FATAL, errno, "can't initialise seccomp filter");
+ fatal (errno, "can't initialise seccomp filter");
 /* Allow sibling architectures for x86, since people sometimes mix
 * and match architectures there for performance reasons.
@@ -621,8 +621,7 @@ static void _sandbox_load (man_sandbox *sandbox, int permissive) {
 /* Don't try this again. */
 seccomp_filter_unavailable = 1;
 } else
- error (FATAL, errno,
- "can't load seccomp filter");
+ fatal (errno, "can't load seccomp filter");
 }
 }
 } |
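Review bot: In the three SC_ALLOW macro hunks (-194, -209, -219) the new `fatal (errno, "can't add seccomp rule")` still reports errno, but libseccomp's seccomp_rule_add signals failure through its negative return value (-EINVAL, -EDOM, -EEXIST, -ENOMEM, …) and is not documented to set errno, so the message printed when sandbox construction fails can carry a stale or zero errno; the commit carries this pre-existing mismatch over unchanged. Since a rule-add failure is fail-closed (the process exits), an accurate code is the only diagnostic an operator gets, so I would capture the return value in each macro: `int rc = seccomp_rule_add (ctx, SCMP_ACT_ALLOW, nr, 0); \` followed by `if (rc < 0) fatal (-rc, "can't add seccomp rule"); \` (with the argument lists of the other two macros). The -247 hunk has a similar caveat: seccomp_init returns NULL without a guaranteed errno, so `fatal (errno, "can't initialise seccomp filter")` may also mislead, though there is no return code to substitute there. The macro bodies and make_seccomp_filter both begin outside their hunks.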