Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

gcc -fanalyzer warnings (GCC 11) #4274

Closed
rusty-snake opened this issue May 13, 2021 · 7 comments · Fixed by #4300
Closed

gcc -fanalyzer warnings (GCC 11) #4274

rusty-snake opened this issue May 13, 2021 · 7 comments · Fixed by #4300

Comments

@rusty-snake
Copy link
Collaborator

rusty-snake commented May 13, 2021
edited by smitsohu

full log 
$ cat /etc/os-release
NAME=Fedora
VERSION="34 (Workstation Edition)"
ID=fedora
VERSION_ID=34
VERSION_CODENAME=""
PLATFORM_ID="platform:f34"
PRETTY_NAME="Fedora 34 (Workstation Edition)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:34"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/34/system-administrators-guide/"
SUPPORT_URL="https://fedoraproject.org/wiki/Communicating_and_getting_help"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=34
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=34
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
VARIANT="Workstation Edition"
VARIANT_ID=workstation
$ gcc --version
gcc (GCC) 11.1.1 20210428 (Red Hat 11.1.1-1)
Copyright (C) 2021 Free Software Foundation, Inc.
Dies ist freie Software; die Kopierbedingungen stehen in den Quellen. Es
gibt KEINE Garantie; auch nicht für MARKTGÄNGIGKEIT oder FÜR SPEZIELLE ZWECKE.

$ git clone --depth=1 https://github.com/netblue30/firejail.git
Klone nach 'firejail' ...
remote: Enumerating objects: 1896, done.
remote: Counting objects: 100% (1896/1896), done.
remote: Compressing objects: 100% (1164/1164), done.
remote: Total 1896 (delta 1195), reused 885 (delta 683), pack-reused 0
Empfange Objekte: 100% (1896/1896), 1.27 MiB | 514.00 KiB/s, fertig.
Löse Unterschiede auf: 100% (1195/1195), fertig.
$ cd firejail
$ alias en_US-locale
en_US-locale='LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8'
$ en_US-locale ./configure --enable-analyzer
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for a BSD-compatible install... /usr/bin/install -c
checking for ranlib... ranlib
checking whether C compiler accepts -mindirect-branch=thunk... yes
checking whether C compiler accepts -mretpoline... no
checking whether C compiler accepts -fstack-clash-protection... yes
checking whether C compiler accepts -fstack-protector-strong... yes
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for gawk... yes
checking for main in -lpthread... yes
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking pthread.h usability... yes
checking pthread.h presence... yes
checking for pthread.h... yes
checking linux/seccomp.h usability... yes
checking linux/seccomp.h presence... yes
checking for linux/seccomp.h... yes
configure: creating ./config.status
config.status: creating mkdeb.sh
config.status: creating Makefile
config.status: creating src/common.mk
config.status: creating src/lib/Makefile
config.status: creating src/fcopy/Makefile
config.status: creating src/fnet/Makefile
config.status: creating src/firejail/Makefile
config.status: creating src/fnetfilter/Makefile
config.status: creating src/firemon/Makefile
config.status: creating src/libtrace/Makefile
config.status: creating src/libtracelog/Makefile
config.status: creating src/firecfg/Makefile
config.status: creating src/fbuilder/Makefile
config.status: creating src/fsec-print/Makefile
config.status: creating src/ftee/Makefile
config.status: creating src/fseccomp/Makefile
config.status: creating src/fldd/Makefile
config.status: creating src/libpostexecseccomp/Makefile
config.status: creating src/fsec-optimize/Makefile
config.status: creating src/profstats/Makefile
config.status: creating src/man/Makefile
config.status: creating src/zsh_completion/Makefile
config.status: creating src/bash_completion/Makefile
config.status: creating test/Makefile
config.status: creating src/jailtest/Makefile

Configuration options:
   prefix: /usr/local
   sysconfdir: ${prefix}/etc
   apparmor: 
   SELinux labeling support: 
   global config: -DHAVE_GLOBALCFG
   chroot: -DHAVE_CHROOT
   network: -DHAVE_NETWORK
   user namespace: -DHAVE_USERNS
   X11 sandboxing support: -DHAVE_X11
   whitelisting: -DHAVE_WHITELIST
   private home support: -DHAVE_PRIVATE_HOME
   file transfer support: -DHAVE_FILE_TRANSFER
   overlayfs support: 
   DBUS proxy support: -DHAVE_DBUSPROXY
   allow tmpfs as regular user: -DHAVE_USERTMPFS
   enable --ouput logging: -DHAVE_OUTPUT
   Manpage support: -DHAVE_MAN
   firetunnel support: -DHAVE_FIRETUNNEL
   busybox workaround: no
   Spectre compiler patch: yes
   EXTRA_LDFLAGS: 
   EXTRA_CFLAGS:  -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer
   fatal warnings: 
   Gcov instrumentation: 
   Install contrib scripts: yes
   Install as a SUID executable: yes
   LTS: 
   Always enforce filters: 

$ en_US-locale make
make -C src/lib
make[1]: Entering directory '/tmp/firejail/src/lib'
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c common.c -o common.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c errno.c -o errno.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c firejail_user.c -o firejail_user.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c ldd_utils.c -o ldd_utils.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c libnetlink.c -o libnetlink.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c pid.c -o pid.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c syscall.c -o syscall.o
make[1]: Leaving directory '/tmp/firejail/src/lib'
make -C src/man
make[1]: Entering directory '/tmp/firejail/src/man'
gawk -f ./preproc.awk --  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   < firecfg.txt > firecfg.man
gawk -f ./preproc.awk --  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   < firejail.txt > firejail.man
gawk -f ./preproc.awk --  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   < firejail-login.txt > firejail-login.man
gawk -f ./preproc.awk --  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   < firejail-users.txt > firejail-users.man
gawk -f ./preproc.awk --  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   < firejail-profile.txt > firejail-profile.man
gawk -f ./preproc.awk --  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   < firemon.txt > firemon.man
gawk -f ./preproc.awk --  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   < jailtest.txt > jailtest.man
make[1]: Leaving directory '/tmp/firejail/src/man'
make -C src/zsh_completion
make[1]: Entering directory '/tmp/firejail/src/zsh_completion'
gawk -f ../man/preproc.awk --  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   < _firejail.in > _firejail.tmp
sed "s|_SYSCONFDIR_|/usr/local/etc|" < _firejail.tmp > _firejail
rm _firejail.tmp
make[1]: Leaving directory '/tmp/firejail/src/zsh_completion'
make -C src/bash_completion
make[1]: Entering directory '/tmp/firejail/src/bash_completion'
gawk -f ../man/preproc.awk --  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   < firejail.bash_completion.in > firejail.bash_completion.tmp
sed "s|_SYSCONFDIR_|/usr/local/etc|" < firejail.bash_completion.tmp > firejail.bash_completion
rm firejail.bash_completion.tmp
make[1]: Leaving directory '/tmp/firejail/src/bash_completion'
make -C src/firecfg/
make[1]: Entering directory '/tmp/firejail/src/firecfg'
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c desktop_files.c -o desktop_files.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c main.c -o main.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c sound.c -o sound.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c util.c -o util.o
gcc  -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o firecfg desktop_files.o main.o sound.o util.o ../lib/common.o ../lib/firejail_user.o  
make[1]: Leaving directory '/tmp/firejail/src/firecfg'
make -C src/firejail/
make[1]: Entering directory '/tmp/firejail/src/firejail'
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c appimage.c -o appimage.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c appimage_size.c -o appimage_size.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c arp.c -o arp.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c bandwidth.c -o bandwidth.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c caps.c -o caps.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c cgroup.c -o cgroup.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c checkcfg.c -o checkcfg.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c chroot.c -o chroot.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c cmdline.c -o cmdline.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c cpu.c -o cpu.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c dbus.c -o dbus.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c dhcp.c -o dhcp.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c env.c -o env.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c fs.c -o fs.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c fs_bin.c -o fs_bin.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c fs_dev.c -o fs_dev.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c fs_etc.c -o fs_etc.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c fs_home.c -o fs_home.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c fs_hostname.c -o fs_hostname.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c fs_lib.c -o fs_lib.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c fs_lib2.c -o fs_lib2.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c fs_logger.c -o fs_logger.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c fs_mkdir.c -o fs_mkdir.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c fs_trace.c -o fs_trace.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c fs_var.c -o fs_var.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c fs_whitelist.c -o fs_whitelist.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c join.c -o join.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c ls.c -o ls.o
ls.c: In function ‘expand_path’:
ls.c:273:16: warning: leak of ‘strdup(path)’ [CWE-401] [-Wanalyzer-malloc-leak]
  273 |         return fname;
      |                ^~~~~
  ‘sandboxfs’: event 1
    |
    |  276 | void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
    |      |      ^~~~~~~~~
    |      |      |
    |      |      (1) entry to ‘sandboxfs’
    |
  ‘sandboxfs’: event 2
    |
    |  278 |         assert(path1);
    |      |         ^~~~~~
    |      |         |
    |      |         (2) following ‘true’ branch (when ‘path1’ is non-NULL)...
    |
  ‘sandboxfs’: events 3-4
    |
    |  281 |         pid = switch_to_child(pid);
    |      |         ^~~
    |      |         |
    |      |         (3) ...to here
    |......
    |  287 |         char *fname1 = expand_path(path1);
    |      |                        ~~~~~~~~~~~~~~~~~~
    |      |                        |
    |      |                        (4) calling ‘expand_path’ from ‘sandboxfs’
    |
    +--> ‘expand_path’: events 5-8
           |
           |  253 | char *expand_path(const char *path) {
           |      |       ^~~~~~~~~~~
           |      |       |
           |      |       (5) entry to ‘expand_path’
           |......
           |  256 |                 fname = strdup(path);
           |      |                         ~~~~~~~~~~~~
           |      |                         |
           |      |                         (6) allocated here
           |  257 |                 if (!fname)
           |      |                    ~
           |      |                    |
           |      |                    (7) assuming ‘fname’ is non-NULL
           |      |                    (8) following ‘false’ branch...
           |
         ‘expand_path’: event 9
           |
           |../include/common.h:39:28:
           |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
           |      |                            ^
           |      |                            |
           |      |                            (9) ...to here
ls.c:271:25: note: in expansion of macro ‘errExit’
           |  271 |                         errExit("asprintf");
           |      |                         ^~~~~~~
           |
    <------+
    |
  ‘sandboxfs’: events 10-13
    |
    |  287 |         char *fname1 = expand_path(path1);
    |      |                        ^~~~~~~~~~~~~~~~~~
    |      |                        |
    |      |                        (10) returning to ‘sandboxfs’ from ‘expand_path’
    |  288 |         char *fname2 = NULL;
    |  289 |         if (path2 != NULL) {
    |      |            ~            
    |      |            |
    |      |            (11) following ‘true’ branch (when ‘path2’ is non-NULL)...
    |  290 |                 fname2 = expand_path(path2);
    |      |                 ~~~~~~   ~~~~~~~~~~~~~~~~~~
    |      |                 |        |
    |      |                 |        (13) calling ‘expand_path’ from ‘sandboxfs’
    |      |                 (12) ...to here
    |
    +--> ‘expand_path’: events 14-15
           |
           |  253 | char *expand_path(const char *path) {
           |      |       ^~~~~~~~~~~
           |      |       |
           |      |       (14) entry to ‘expand_path’
           |......
           |  257 |                 if (!fname)
           |      |                    ~
           |      |                    |
           |      |                    (15) following ‘false’ branch...
           |
         ‘expand_path’: event 16
           |
           |../include/common.h:39:28:
           |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
           |      |                            ^
           |      |                            |
           |      |                            (16) ...to here
ls.c:271:25: note: in expansion of macro ‘errExit’
           |  271 |                         errExit("asprintf");
           |      |                         ^~~~~~~
           |
         ‘expand_path’: event 17
           |
           |  273 |         return fname;
           |      |                ^~~~~
           |      |                |
           |      |                (17) ‘strdup(path)’ leaks here; was allocated at (6)
           |
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c macros.c -o macros.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c main.c -o main.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c mountinfo.c -o mountinfo.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c netfilter.c -o netfilter.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c netns.c -o netns.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c network.c -o network.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c network_main.c -o network_main.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c no_sandbox.c -o no_sandbox.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c output.c -o output.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c paths.c -o paths.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c preproc.c -o preproc.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c profile.c -o profile.o
In function ‘profile_check_conditional’:
profile.c:239:28: warning: leak of ‘ptr’ [CWE-401] [-Wanalyzer-malloc-leak]
  239 |                         if (profile_check_line(ptr, lineno, fname))
      |                            ^
  ‘profile_check_conditional’: events 1-2
    |
    |  188 | int profile_check_conditional(char *ptr, int lineno, const char *fname) {
    |      |     ^~~~~~~~~~~~~~~~~~~~~~~~~
    |      |     |
    |      |     (1) entry to ‘profile_check_conditional’
    |......
    |  191 |         if (*ptr++ != '?')
    |      |            ~
    |      |            |
    |      |            (2) following ‘false’ branch...
    |
  ‘profile_check_conditional’: event 3
    |
    |cc1:
    | (3): ...to here
    |
  ‘profile_check_conditional’: events 4-14
    |
    |  195 |         while (cond->name) {
    |      |                ^~~~
    |      |                |
    |      |                (4) following ‘true’ branch...
    |  196 |                 // continue if not this conditional
    |  197 |                 if (strncmp(ptr, cond->name, strlen(cond->name)) != 0) {
    |      |                 ~~
    |      |                 |
    |      |                 (5) ...to here
    |......
    |  205 |                 if (*ptr++ != ':') {
    |      |                    ~
    |      |                    |
    |      |                    (6) following ‘false’ branch...
    |......
    |  210 |                 if (*ptr == '\0') {
    |      |                 ~~ ~
    |      |                 |  |
    |      |                 |  (8) following ‘false’ branch...
    |      |                 (7) ...to here
    |......
    |  215 |                 if (*ptr == ' ')
    |      |                 ~~
    |      |                 |
    |      |                 (9) ...to here
    |......
    |  220 |                 if (value) {
    |      |                    ~
    |      |                    |
    |      |                    (10) following ‘true’ branch (when ‘value != 0’)...
    |  221 |                         // move ptr to start of profile line
    |  222 |                         ptr = strdup(ptr);
    |      |                         ~~~   ~~~~~~~~~~~
    |      |                         |     |
    |      |                         |     (12) allocated here
    |      |                         (11) ...to here
    |  223 |                         if (!ptr)
    |      |                            ~
    |      |                            |
    |      |                            (13) assuming ‘ptr’ is non-NULL
    |      |                            (14) following ‘false’ branch (when ‘ptr’ is non-NULL)...
    |
  ‘profile_check_conditional’: event 15
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (15) ...to here
profile.c:224:33: note: in expansion of macro ‘errExit’
    |  224 |                                 errExit("strdup");
    |      |                                 ^~~~~~~
    |
  ‘profile_check_conditional’: events 16-22
    |
    |  228 |                         if ((strncmp(ptr, "quiet", 5) == 0) ||
    |      |                            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                            |                                |
    |      |                            |                                (18) following ‘false’ branch...
    |      |                            (16) following ‘false’ branch...
    |  229 |                             (strncmp(ptr, "include", 7) == 0)) {
    |      |                             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                              |
    |      |                              (17) ...to here
    |......
    |  234 |                         free(tmp);
    |      |                         ~~~~
    |      |                         |
    |      |                         (19) ...to here
    |......
    |  237 |                         if (arg_debug)
    |      |                            ~
    |      |                            |
    |      |                            (20) following ‘false’ branch...
    |  238 |                                 printf("conditional %s, %s\n", cond->name, ptr);
    |      |                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                                 |
    |      |                                 (21) ...to here
    |  239 |                         if (profile_check_line(ptr, lineno, fname))
    |      |                             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                             |
    |      |                             (22) calling ‘profile_check_line’ from ‘profile_check_conditional’
    |
    +--> ‘profile_check_line’: events 23-24
           |
           |  270 | int profile_check_line(char *ptr, int lineno, const char *fname) {
           |      |     ^~~~~~~~~~~~~~~~~~
           |      |     |
           |      |     (23) entry to ‘profile_check_line’
           |......
           |  274 |         if (profile_check_conditional(ptr, lineno, fname) == 0)
           |      |             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           |      |             |
           |      |             (24) calling ‘profile_check_conditional’ from ‘profile_check_line’
           |
           +--> ‘profile_check_conditional’: events 25-26
                  |
                  |  188 | int profile_check_conditional(char *ptr, int lineno, const char *fname) {
                  |      |     ^~~~~~~~~~~~~~~~~~~~~~~~~
                  |      |     |
                  |      |     (25) entry to ‘profile_check_conditional’
                  |......
                  |  191 |         if (*ptr++ != '?')
                  |      |            ~
                  |      |            |
                  |      |            (26) following ‘false’ branch...
                  |
                ‘profile_check_conditional’: event 27
                  |
                  |cc1:
                  | (27): ...to here
                  |
                ‘profile_check_conditional’: events 28-34
                  |
                  |  195 |         while (cond->name) {
                  |      |                ^~~~
                  |      |                |
                  |      |                (28) following ‘true’ branch...
                  |  196 |                 // continue if not this conditional
                  |  197 |                 if (strncmp(ptr, cond->name, strlen(cond->name)) != 0) {
                  |      |                 ~~
                  |      |                 |
                  |      |                 (29) ...to here
                  |......
                  |  205 |                 if (*ptr++ != ':') {
                  |      |                    ~
                  |      |                    |
                  |      |                    (30) following ‘false’ branch...
                  |......
                  |  210 |                 if (*ptr == '\0') {
                  |      |                 ~~ ~
                  |      |                 |  |
                  |      |                 |  (32) following ‘false’ branch...
                  |      |                 (31) ...to here
                  |......
                  |  215 |                 if (*ptr == ' ')
                  |      |                 ~~
                  |      |                 |
                  |      |                 (33) ...to here
                  |......
                  |  220 |                 if (value) {
                  |      |                    ~
                  |      |                    |
                  |      |                    (34) following ‘false’ branch (when ‘value == 0’)...
                  |
                ‘profile_check_conditional’: event 35
                  |
                  |cc1:
                  | (35): ...to here
                  |
           <------+
           |
         ‘profile_check_line’: events 36-37
           |
           |  274 |         if (profile_check_conditional(ptr, lineno, fname) == 0)
           |      |            ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           |      |            ||
           |      |            |(36) returning to ‘profile_check_line’ from ‘profile_check_conditional’
           |      |            (37) following ‘true’ branch...
           |
         ‘profile_check_line’: event 38
           |
           |cc1:
           | (38): ...to here
           |
    <------+
    |
  ‘profile_check_conditional’: events 39-40
    |
    |  239 |                         if (profile_check_line(ptr, lineno, fname))
    |      |                            ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                            ||
    |      |                            |(39) returning to ‘profile_check_conditional’ from ‘profile_check_line’
    |      |                            (40) following ‘false’ branch...
    |
  ‘profile_check_conditional’: event 41
    |
    |cc1:
    | (41): ...to here
    |
  ‘profile_check_conditional’: event 42
    |
    |  239 |                         if (profile_check_line(ptr, lineno, fname))
    |      |                            ^
    |      |                            |
    |      |                            (42) ‘ptr’ leaks here; was allocated at (12)
    |
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c protocol.c -o protocol.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c pulseaudio.c -o pulseaudio.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c restrict_users.c -o restrict_users.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c restricted_shell.c -o restricted_shell.o
In function ‘restricted_shell’:
restricted_shell.c:123:42: warning: leak of ‘strdup(ptr)’ [CWE-401] [-Wanalyzer-malloc-leak]
  123 |                                 return i + 1;
      |                                        ~~^~~
  ‘restricted_shell’: event 1
    |
    |   29 |         assert(user);
    |      |         ^~~~~~
    |      |         |
    |      |         (1) following ‘true’ branch (when ‘user’ is non-NULL)...
    |
  ‘restricted_shell’: events 2-3
    |
    |   32 |         char *fname;
    |      |         ^~~~
    |      |         |
    |      |         (2) ...to here
    |   33 |         if (asprintf(&fname, "%s/login.users", SYSCONFDIR) == -1)
    |      |            ~
    |      |            |
    |      |            (3) following ‘false’ branch...
    |
  ‘restricted_shell’: event 4
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (4) ...to here
restricted_shell.c:34:17: note: in expansion of macro ‘errExit’
    |   34 |                 errExit("asprintf");
    |      |                 ^~~~~~~
    |
  ‘restricted_shell’: event 5
    |
    |   37 |         if (fp == NULL)
    |      |            ^
    |      |            |
    |      |            (5) following ‘false’ branch (when ‘fp’ is non-NULL)...
    |
  ‘restricted_shell’: event 6
    |
    |cc1:
    | (6): ...to here
    |
  ‘restricted_shell’: events 7-10
    |
    |   42 |         while (fgets(buf, MAX_READ, fp)) {
    |      |                ^~~~~
    |      |                |
    |      |                (7) following ‘true’ branch...
    |   43 |                 lineno++;
    |      |                 ~~~~~~
    |      |                 |
    |      |                 (8) ...to here
    |......
    |   60 |                 if (args == NULL) {
    |      |                    ~
    |      |                    |
    |      |                    (9) following ‘false’ branch (when ‘args’ is non-NULL)...
    |......
    |   65 |                 *args = '\0';
    |      |                 ~
    |      |                 |
    |      |                 (10) ...to here
    |
  ‘restricted_shell’: event 11
    |
    |   92 |                         for (i = 1; i < MAX_ARGS; i++) {
    |
  ‘restricted_shell’: event 12
    |
    |cc1:
    | (12): ...to here
    |
  ‘restricted_shell’: event 13
    |
    |  107 |                                 if (*ptr != '\0') {
    |      |                                    ^
    |      |                                    |
    |      |                                    (13) following ‘true’ branch...
    |
  ‘restricted_shell’: event 14
    |
    |cc1:
    | (14): ...to here
    |
  ‘restricted_shell’: events 15-17
    |
    |  112 |                                         fullargv[i] = strdup(fullargv[i]);
    |      |                                                       ^~~~~~~~~~~~~~~~~~~
    |      |                                                       |
    |      |                                                       (15) allocated here
    |  113 |                                         if (fullargv[i] == NULL)
    |      |                                            ~           
    |      |                                            |
    |      |                                            (16) assuming ‘strdup(ptr)’ is non-NULL
    |      |                                            (17) following ‘false’ branch...
    |
  ‘restricted_shell’: event 18
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (18) ...to here
restricted_shell.c:114:49: note: in expansion of macro ‘errExit’
    |  114 |                                                 errExit("strdup");
    |      |                                                 ^~~~~~~
    |
  ‘restricted_shell’: event 19
    |
    |  123 |                                 return i + 1;
    |      |                                        ~~^~~
    |      |                                          |
    |      |                                          (19) ‘strdup(ptr)’ leaks here; was allocated at (15)
    |
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c rlimit.c -o rlimit.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c run_files.c -o run_files.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c run_symlink.c -o run_symlink.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c sandbox.c -o sandbox.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c sbox.c -o sbox.o
sbox.c: In function ‘sbox_run’:
sbox.c:254:24: warning: dereference of possibly-NULL ‘arg’ [CWE-690] [-Wanalyzer-possible-null-dereference]
  254 |                 arg[i] = va_arg(valist, char *);
      |                        ^
  ‘sbox_run’: events 1-3
    |
    |  251 |         char **arg = malloc((num + 1) * sizeof(char *));
    |      |                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                      |
    |      |                      (1) this call could return NULL
    |  252 |         int i;
    |  253 |         for (i = 0; i < num; i++)
    |      |                     ~~~~~~~
    |      |                       |
    |      |                       (2) following ‘true’ branch (when ‘i < num’)...
    |  254 |                 arg[i] = va_arg(valist, char *);
    |      |                 ~~~   
    |      |                 |
    |      |                 (3) ...to here
    |
  ‘sbox_run’: event 4
    |
    |  254 |                 arg[i] = va_arg(valist, char *);
    |      |                        ^
    |      |                        |
    |      |                        (4) ‘arg + (long unsigned int)i * 8’ could be NULL: unchecked value from (1)
    |
sbox.c:255:16: warning: dereference of possibly-NULL ‘arg’ [CWE-690] [-Wanalyzer-possible-null-dereference]
  255 |         arg[i] = NULL;
      |                ^
  ‘sbox_run’: events 1-3
    |
    |  251 |         char **arg = malloc((num + 1) * sizeof(char *));
    |      |                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                      |
    |      |                      (1) this call could return NULL
    |  252 |         int i;
    |  253 |         for (i = 0; i < num; i++)
    |      |                     ~~~~~~~
    |      |                       |
    |      |                       (2) following ‘false’ branch (when ‘i >= num’)...
    |  254 |                 arg[i] = va_arg(valist, char *);
    |  255 |         arg[i] = NULL;
    |      |         ~~~           
    |      |         |
    |      |         (3) ...to here
    |
  ‘sbox_run’: event 4
    |
    |  255 |         arg[i] = NULL;
    |      |                ^
    |      |                |
    |      |                (4) ‘arg + (long unsigned int)i * 8’ could be NULL: unchecked value from (1)
    |
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c seccomp.c -o seccomp.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c selinux.c -o selinux.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c shutdown.c -o shutdown.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c usage.c -o usage.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c util.c -o util.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c x11.c -o x11.o
gcc  -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o firejail appimage.o appimage_size.o arp.o bandwidth.o caps.o cgroup.o checkcfg.o chroot.o cmdline.o cpu.o dbus.o dhcp.o env.o fs.o fs_bin.o fs_dev.o fs_etc.o fs_home.o fs_hostname.o fs_lib.o fs_lib2.o fs_logger.o fs_mkdir.o fs_trace.o fs_var.o fs_whitelist.o join.o ls.o macros.o main.o mountinfo.o netfilter.o netns.o network.o network_main.o no_sandbox.o output.o paths.o preproc.o profile.o protocol.o pulseaudio.o restrict_users.o restricted_shell.o rlimit.o run_files.o run_symlink.o sandbox.o sbox.o seccomp.o selinux.o shutdown.o usage.o util.o x11.o ../lib/common.o ../lib/ldd_utils.o ../lib/firejail_user.o ../lib/errno.o ../lib/syscall.o  
make[1]: Leaving directory '/tmp/firejail/src/firejail'
make -C src/firemon/
make[1]: Entering directory '/tmp/firejail/src/firemon'
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c apparmor.c -o apparmor.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c arp.c -o arp.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c caps.c -o caps.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c cgroup.c -o cgroup.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c cpu.c -o cpu.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c firemon.c -o firemon.o
firemon.c: In function ‘my_handler’:
firemon.c:55:9: warning: call to ‘exit’ from within signal handler [CWE-479] [-Wanalyzer-unsafe-call-within-signal-handler]
   55 |         exit(0);
      |         ^~~~~~~
  ‘main’: events 1-2
    |
    |  134 | int main(int argc, char **argv) {
    |      |     ^~~~
    |      |     |
    |      |     (1) entry to ‘main’
    |......
    |  139 |         signal (SIGINT, my_handler);
    |      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |         |
    |      |         (2) registering ‘my_handler’ as signal handler
    |
  event 3
    |
    |cc1:
    | (3): later on, when the signal is delivered to the process
    |
    +--> ‘my_handler’: events 4-5
           |
           |   49 | static void my_handler(int s){
           |      |             ^~~~~~~~~~
           |      |             |
           |      |             (4) entry to ‘my_handler’
           |......
           |   55 |         exit(0);
           |      |         ~~~~~~~
           |      |         |
           |      |         (5) call to ‘exit’ from within signal handler
           |
firemon.c:55:9: note: ‘_exit’ is a possible signal-safe alternative for ‘exit’
   55 |         exit(0);
      |         ^~~~~~~
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c interface.c -o interface.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c list.c -o list.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c netstats.c -o netstats.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c procevent.c -o procevent.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c route.c -o route.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c seccomp.c -o seccomp.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c top.c -o top.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c tree.c -o tree.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c usage.c -o usage.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c x11.c -o x11.o
gcc  -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o firemon apparmor.o arp.o caps.o cgroup.o cpu.o firemon.o interface.o list.o netstats.o procevent.o route.o seccomp.o top.o tree.o usage.o x11.o ../lib/common.o ../lib/pid.o  
make[1]: Leaving directory '/tmp/firejail/src/firemon'
make -C src/profstats/
make[1]: Entering directory '/tmp/firejail/src/profstats'
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c main.c -o main.o
gcc  -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o profstats main.o  
make[1]: Leaving directory '/tmp/firejail/src/profstats'
make -C src/jailtest/
make[1]: Entering directory '/tmp/firejail/src/jailtest'
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c access.c -o access.o
In file included from jailtest.h:23,
                 from access.c:20:
In function ‘access_setup’:
../include/common.h:39:28: warning: leak of ‘dname’ [CWE-401] [-Wanalyzer-malloc-leak]
   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
      |                            ^
access.c:93:17: note: in expansion of macro ‘errExit’
   93 |                 errExit("strdup");
      |                 ^~~~~~~
  ‘access_setup’: event 1
    |
    |   35 |         assert(directory);
    |      |         ^~~~~~
    |      |         |
    |      |         (1) following ‘true’ branch (when ‘directory’ is non-NULL)...
    |
  ‘access_setup’: event 2
    |
    |   36 |         assert(user_home_dir);
    |      |         ^~~~~~
    |      |         |
    |      |         (2) ...to here
    |
  ‘access_setup’: event 3
    |
    |   36 |         assert(user_home_dir);
    |      |         ^~~~~~
    |      |         |
    |      |         (3) following ‘true’ branch...
    |
  ‘access_setup’: events 4-7
    |
    |   38 |         if (files_cnt >= MAX_TEST_FILES) {
    |      |         ^~ ~
    |      |         |  |
    |      |         |  (5) following ‘false’ branch...
    |      |         (4) ...to here
    |......
    |   43 |         char *fname = strdup(directory);
    |      |         ~~~~
    |      |         |
    |      |         (6) ...to here
    |   44 |         if (!fname)
    |      |            ~
    |      |            |
    |      |            (7) following ‘false’ branch...
    |
  ‘access_setup’: event 8
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (8) ...to here
access.c:45:17: note: in expansion of macro ‘errExit’
    |   45 |                 errExit("strdup");
    |      |                 ^~~~~~~
    |
  ‘access_setup’: event 9
    |
    |   46 |         if (strncmp(fname, "~/", 2) == 0) {
    |      |            ^
    |      |            |
    |      |            (9) following ‘false’ branch...
    |
  ‘access_setup’: event 10
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (10) ...to here
access.c:49:25: note: in expansion of macro ‘errExit’
    |   49 |                         errExit("asprintf");
    |      |                         ^~~~~~~
    |
  ‘access_setup’: events 11-17
    |
    |   54 |         if (path == NULL) {
    |      |            ^
    |      |            |
    |      |            (11) following ‘false’ branch...
    |......
    |   60 |         if (strncmp(path, user_home_dir, strlen(user_home_dir)) != 0) {
    |      |         ~~ ~
    |      |         |  |
    |      |         |  (13) following ‘false’ branch...
    |      |         (12) ...to here
    |......
    |   67 |         DIR *dir = opendir(path);
    |      |         ~~~ 
    |      |         |
    |      |         (14) ...to here
    |   68 |         if (!dir) {
    |      |            ~
    |      |            |
    |      |            (15) following ‘false’ branch (when ‘dir’ is non-NULL)...
    |......
    |   73 |         closedir(dir);
    |      |         ~~~~~~~~
    |      |         |
    |      |         (16) ...to here
    |......
    |   77 |         if (asprintf(&test_file, "%s/jailtest-access-%d", path, getpid()) == -1)
    |      |            ~
    |      |            |
    |      |            (17) following ‘false’ branch...
    |
  ‘access_setup’: event 18
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (18) ...to here
access.c:78:17: note: in expansion of macro ‘errExit’
    |   78 |                 errExit("asprintf");
    |      |                 ^~~~~~~
    |
  ‘access_setup’: events 19-21
    |
    |   81 |         if (!fp) {
    |      |            ^
    |      |            |
    |      |            (19) following ‘false’ branch (when ‘fp’ is non-NULL)...
    |......
    |   85 |         fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");
    |      |         ~~~~~~~
    |      |         |
    |      |         (20) ...to here
    |......
    |   88 |         if (rv)
    |      |            ~
    |      |            |
    |      |            (21) following ‘false’ branch (when ‘rv == 0’)...
    |
  ‘access_setup’: event 22
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (22) ...to here
access.c:89:17: note: in expansion of macro ‘errExit’
    |   89 |                 errExit("chown");
    |      |                 ^~~~~~~
    |
  ‘access_setup’: events 23-25
    |
    |   91 |         char *dname = strdup(directory);
    |      |                       ^~~~~~~~~~~~~~~~~
    |      |                       |
    |      |                       (23) allocated here
    |   92 |         if (!dname)
    |      |            ~           
    |      |            |
    |      |            (24) assuming ‘dname’ is non-NULL
    |      |            (25) following ‘false’ branch (when ‘dname’ is non-NULL)...
    |
  ‘access_setup’: event 26
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (26) ...to here
access.c:93:17: note: in expansion of macro ‘errExit’
    |   93 |                 errExit("strdup");
    |      |                 ^~~~~~~
    |
  ‘access_setup’: event 27
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (27) ‘dname’ leaks here; was allocated at (23)
access.c:93:17: note: in expansion of macro ‘errExit’
    |   93 |                 errExit("strdup");
    |      |                 ^~~~~~~
    |
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c apparmor.c -o apparmor.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c main.c -o main.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c noexec.c -o noexec.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c seccomp.c -o seccomp.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c sysfiles.c -o sysfiles.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c utils.c -o utils.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c virtual.c -o virtual.o
gcc  -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o jailtest access.o apparmor.o main.o noexec.o seccomp.o sysfiles.o utils.o virtual.o  ../lib/common.o ../lib/pid.o  
make[1]: Leaving directory '/tmp/firejail/src/jailtest'
make -C src/fbuilder/
make[1]: Entering directory '/tmp/firejail/src/fbuilder'
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c build_bin.c -o build_bin.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c build_fs.c -o build_fs.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c build_home.c -o build_home.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c build_profile.c -o build_profile.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c build_seccomp.c -o build_seccomp.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c filedb.c -o filedb.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c main.c -o main.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c utils.c -o utils.o
gcc  -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o fbuilder build_bin.o build_fs.o build_home.o build_profile.o build_seccomp.o filedb.o main.o utils.o  
make[1]: Leaving directory '/tmp/firejail/src/fbuilder'
make -C src/ftee/
make[1]: Entering directory '/tmp/firejail/src/ftee'
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c main.c -o main.o
gcc  -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o ftee main.o  
make[1]: Leaving directory '/tmp/firejail/src/ftee'
make -C src/fcopy/
make[1]: Entering directory '/tmp/firejail/src/fcopy'
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c main.c -o main.o
gcc  -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o fcopy main.o ../lib/common.o  
make[1]: Leaving directory '/tmp/firejail/src/fcopy'
make -C src/fldd/
make[1]: Entering directory '/tmp/firejail/src/fldd'
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c main.c -o main.o
gcc  -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o fldd main.o ../lib/common.o ../lib/ldd_utils.o  
make[1]: Leaving directory '/tmp/firejail/src/fldd'
make -C src/fnet/
make[1]: Entering directory '/tmp/firejail/src/fnet'
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c arp.c -o arp.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c interface.c -o interface.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c main.c -o main.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c veth.c -o veth.o
gcc  -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o fnet arp.o interface.o main.o veth.o ../lib/common.o ../lib/libnetlink.o  
make[1]: Leaving directory '/tmp/firejail/src/fnet'
make -C src/fnetfilter/
make[1]: Entering directory '/tmp/firejail/src/fnetfilter'
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c main.c -o main.o
gcc  -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o fnetfilter main.o ../lib/common.o  
make[1]: Leaving directory '/tmp/firejail/src/fnetfilter'
make -C src/fsec-optimize/
make[1]: Entering directory '/tmp/firejail/src/fsec-optimize'
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c main.c -o main.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c optimizer.c -o optimizer.o
gcc  -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o fsec-optimize main.o optimizer.o ../lib/common.o ../lib/errno.o  
make[1]: Leaving directory '/tmp/firejail/src/fsec-optimize'
make -C src/fsec-print/
make[1]: Entering directory '/tmp/firejail/src/fsec-print'
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c main.c -o main.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c print.c -o print.o
gcc  -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o fsec-print main.o print.o ../lib/common.o ../lib/errno.o ../lib/syscall.o  
make[1]: Leaving directory '/tmp/firejail/src/fsec-print'
make -C src/fseccomp/
make[1]: Entering directory '/tmp/firejail/src/fseccomp'
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c main.c -o main.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c protocol.c -o protocol.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c seccomp.c -o seccomp.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c seccomp_file.c -o seccomp_file.o
gcc -g -O2 -ggdb  -O2 -DVERSION='"0.9.65"'  -DPREFIX='"/usr/local"' -DSYSCONFDIR='"/usr/local/etc/firejail"' -DLIBDIR='"/usr/local/lib"' -DBINDIR='"/usr/local/bin"'  -DHAVE_OUTPUT -DHAVE_X11 -DHAVE_PRIVATE_HOME   -DHAVE_USERTMPFS -DHAVE_DBUSPROXY -DHAVE_FIRETUNNEL -DHAVE_GLOBALCFG -DHAVE_CHROOT -DHAVE_NETWORK -DHAVE_USERNS -DHAVE_FILE_TRANSFER -DHAVE_WHITELIST   -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong -fanalyzer  -c seccomp_secondary.c -o seccomp_secondary.o
gcc  -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread -o fseccomp main.o protocol.o seccomp.o seccomp_file.o seccomp_secondary.o ../lib/common.o ../lib/errno.o ../lib/syscall.o  
make[1]: Leaving directory '/tmp/firejail/src/fseccomp'
make -C src/libpostexecseccomp/
make[1]: Entering directory '/tmp/firejail/src/libpostexecseccomp'
gcc -ggdb  -O2 -DVERSION='"0.9.65"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security  -c libpostexecseccomp.c -o libpostexecseccomp.o
gcc -pie -fPIE -Wl,-z,relro -Wl,-z,now -shared -fPIC -z relro -o libpostexecseccomp.so libpostexecseccomp.o -ldl
make[1]: Leaving directory '/tmp/firejail/src/libpostexecseccomp'
make -C src/libtrace/
make[1]: Entering directory '/tmp/firejail/src/libtrace'
gcc -ggdb  -O2 -DVERSION='"0.9.65"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security  -c libtrace.c -o libtrace.o
gcc -pie -fPIE -Wl,-z,relro -Wl,-z,now -shared -fPIC -z relro -o libtrace.so libtrace.o -ldl
make[1]: Leaving directory '/tmp/firejail/src/libtrace'
make -C src/libtracelog/
make[1]: Entering directory '/tmp/firejail/src/libtracelog'
gcc -ggdb  -O2 -DVERSION='"0.9.65"' -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIC -Wformat -Wformat-security  -c libtracelog.c -o libtracelog.o
gcc -pie -fPIE -Wl,-z,relro -Wl,-z,now -shared -fPIC -z relro -o libtracelog.so libtracelog.o -ldl
make[1]: Leaving directory '/tmp/firejail/src/libtracelog'
./mkman.sh 0.9.65 src/man/firejail.man firejail.1
./mkman.sh 0.9.65 src/man/firemon.man firemon.1
./mkman.sh 0.9.65 src/man/firecfg.man firecfg.1
./mkman.sh 0.9.65 src/man/firejail-profile.man firejail-profile.5
./mkman.sh 0.9.65 src/man/firejail-login.man firejail-login.5
./mkman.sh 0.9.65 src/man/firejail-users.man firejail-users.5
./mkman.sh 0.9.65 src/man/jailtest.man jailtest.5
src/fseccomp/fseccomp default seccomp
src/fsec-optimize/fsec-optimize seccomp
src/fseccomp/fseccomp default seccomp.debug allow-debuggers
src/fsec-optimize/fsec-optimize seccomp.debug
src/fseccomp/fseccomp secondary 32 seccomp.32
src/fsec-optimize/fsec-optimize seccomp.32
src/fseccomp/fseccomp secondary block seccomp.block_secondary
src/fseccomp/fseccomp memory-deny-write-execute seccomp.mdwx
src/fseccomp/fseccomp memory-deny-write-execute.32 seccomp.mdwx.32
ls.c:273:16: warning: leak of ‘strdup(path)’ [CWE-401] [-Wanalyzer-malloc-leak] 
ls.c: In function ‘expand_path’:
ls.c:273:16: warning: leak of ‘strdup(path)’ [CWE-401] [-Wanalyzer-malloc-leak]
  273 |         return fname;
      |                ^~~~~
  ‘sandboxfs’: event 1
    |
    |  276 | void sandboxfs(int op, pid_t pid, const char *path1, const char *path2) {
    |      |      ^~~~~~~~~
    |      |      |
    |      |      (1) entry to ‘sandboxfs’
    |
  ‘sandboxfs’: event 2
    |
    |  278 |         assert(path1);
    |      |         ^~~~~~
    |      |         |
    |      |         (2) following ‘true’ branch (when ‘path1’ is non-NULL)...
    |
  ‘sandboxfs’: events 3-4
    |
    |  281 |         pid = switch_to_child(pid);
    |      |         ^~~
    |      |         |
    |      |         (3) ...to here
    |......
    |  287 |         char *fname1 = expand_path(path1);
    |      |                        ~~~~~~~~~~~~~~~~~~
    |      |                        |
    |      |                        (4) calling ‘expand_path’ from ‘sandboxfs’
    |
    +--> ‘expand_path’: events 5-8
           |
           |  253 | char *expand_path(const char *path) {
           |      |       ^~~~~~~~~~~
           |      |       |
           |      |       (5) entry to ‘expand_path’
           |......
           |  256 |                 fname = strdup(path);
           |      |                         ~~~~~~~~~~~~
           |      |                         |
           |      |                         (6) allocated here
           |  257 |                 if (!fname)
           |      |                    ~
           |      |                    |
           |      |                    (7) assuming ‘fname’ is non-NULL
           |      |                    (8) following ‘false’ branch...
           |
         ‘expand_path’: event 9
           |
           |../include/common.h:39:28:
           |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
           |      |                            ^
           |      |                            |
           |      |                            (9) ...to here
ls.c:271:25: note: in expansion of macro ‘errExit’
           |  271 |                         errExit("asprintf");
           |      |                         ^~~~~~~
           |
    <------+
    |
  ‘sandboxfs’: events 10-13
    |
    |  287 |         char *fname1 = expand_path(path1);
    |      |                        ^~~~~~~~~~~~~~~~~~
    |      |                        |
    |      |                        (10) returning to ‘sandboxfs’ from ‘expand_path’
    |  288 |         char *fname2 = NULL;
    |  289 |         if (path2 != NULL) {
    |      |            ~            
    |      |            |
    |      |            (11) following ‘true’ branch (when ‘path2’ is non-NULL)...
    |  290 |                 fname2 = expand_path(path2);
    |      |                 ~~~~~~   ~~~~~~~~~~~~~~~~~~
    |      |                 |        |
    |      |                 |        (13) calling ‘expand_path’ from ‘sandboxfs’
    |      |                 (12) ...to here
    |
    +--> ‘expand_path’: events 14-15
           |
           |  253 | char *expand_path(const char *path) {
           |      |       ^~~~~~~~~~~
           |      |       |
           |      |       (14) entry to ‘expand_path’
           |......
           |  257 |                 if (!fname)
           |      |                    ~
           |      |                    |
           |      |                    (15) following ‘false’ branch...
           |
         ‘expand_path’: event 16
           |
           |../include/common.h:39:28:
           |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
           |      |                            ^
           |      |                            |
           |      |                            (16) ...to here
ls.c:271:25: note: in expansion of macro ‘errExit’
           |  271 |                         errExit("asprintf");
           |      |                         ^~~~~~~
           |
         ‘expand_path’: event 17
           |
           |  273 |         return fname;
           |      |                ^~~~~
           |      |                |
           |      |                (17) ‘strdup(path)’ leaks here; was allocated at (6)
           |
profile.c:239:28: warning: leak of ‘ptr’ [CWE-401] [-Wanalyzer-malloc-leak] 
In function ‘profile_check_conditional’:
profile.c:239:28: warning: leak of ‘ptr’ [CWE-401] [-Wanalyzer-malloc-leak]
  239 |                         if (profile_check_line(ptr, lineno, fname))
      |                            ^
  ‘profile_check_conditional’: events 1-2
    |
    |  188 | int profile_check_conditional(char *ptr, int lineno, const char *fname) {
    |      |     ^~~~~~~~~~~~~~~~~~~~~~~~~
    |      |     |
    |      |     (1) entry to ‘profile_check_conditional’
    |......
    |  191 |         if (*ptr++ != '?')
    |      |            ~
    |      |            |
    |      |            (2) following ‘false’ branch...
    |
  ‘profile_check_conditional’: event 3
    |
    |cc1:
    | (3): ...to here
    |
  ‘profile_check_conditional’: events 4-14
    |
    |  195 |         while (cond->name) {
    |      |                ^~~~
    |      |                |
    |      |                (4) following ‘true’ branch...
    |  196 |                 // continue if not this conditional
    |  197 |                 if (strncmp(ptr, cond->name, strlen(cond->name)) != 0) {
    |      |                 ~~
    |      |                 |
    |      |                 (5) ...to here
    |......
    |  205 |                 if (*ptr++ != ':') {
    |      |                    ~
    |      |                    |
    |      |                    (6) following ‘false’ branch...
    |......
    |  210 |                 if (*ptr == '\0') {
    |      |                 ~~ ~
    |      |                 |  |
    |      |                 |  (8) following ‘false’ branch...
    |      |                 (7) ...to here
    |......
    |  215 |                 if (*ptr == ' ')
    |      |                 ~~
    |      |                 |
    |      |                 (9) ...to here
    |......
    |  220 |                 if (value) {
    |      |                    ~
    |      |                    |
    |      |                    (10) following ‘true’ branch (when ‘value != 0’)...
    |  221 |                         // move ptr to start of profile line
    |  222 |                         ptr = strdup(ptr);
    |      |                         ~~~   ~~~~~~~~~~~
    |      |                         |     |
    |      |                         |     (12) allocated here
    |      |                         (11) ...to here
    |  223 |                         if (!ptr)
    |      |                            ~
    |      |                            |
    |      |                            (13) assuming ‘ptr’ is non-NULL
    |      |                            (14) following ‘false’ branch (when ‘ptr’ is non-NULL)...
    |
  ‘profile_check_conditional’: event 15
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (15) ...to here
profile.c:224:33: note: in expansion of macro ‘errExit’
    |  224 |                                 errExit("strdup");
    |      |                                 ^~~~~~~
    |
  ‘profile_check_conditional’: events 16-22
    |
    |  228 |                         if ((strncmp(ptr, "quiet", 5) == 0) ||
    |      |                            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                            |                                |
    |      |                            |                                (18) following ‘false’ branch...
    |      |                            (16) following ‘false’ branch...
    |  229 |                             (strncmp(ptr, "include", 7) == 0)) {
    |      |                             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                              |
    |      |                              (17) ...to here
    |......
    |  234 |                         free(tmp);
    |      |                         ~~~~
    |      |                         |
    |      |                         (19) ...to here
    |......
    |  237 |                         if (arg_debug)
    |      |                            ~
    |      |                            |
    |      |                            (20) following ‘false’ branch...
    |  238 |                                 printf("conditional %s, %s\n", cond->name, ptr);
    |      |                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                                 |
    |      |                                 (21) ...to here
    |  239 |                         if (profile_check_line(ptr, lineno, fname))
    |      |                             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                             |
    |      |                             (22) calling ‘profile_check_line’ from ‘profile_check_conditional’
    |
    +--> ‘profile_check_line’: events 23-24
           |
           |  270 | int profile_check_line(char *ptr, int lineno, const char *fname) {
           |      |     ^~~~~~~~~~~~~~~~~~
           |      |     |
           |      |     (23) entry to ‘profile_check_line’
           |......
           |  274 |         if (profile_check_conditional(ptr, lineno, fname) == 0)
           |      |             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           |      |             |
           |      |             (24) calling ‘profile_check_conditional’ from ‘profile_check_line’
           |
           +--> ‘profile_check_conditional’: events 25-26
                  |
                  |  188 | int profile_check_conditional(char *ptr, int lineno, const char *fname) {
                  |      |     ^~~~~~~~~~~~~~~~~~~~~~~~~
                  |      |     |
                  |      |     (25) entry to ‘profile_check_conditional’
                  |......
                  |  191 |         if (*ptr++ != '?')
                  |      |            ~
                  |      |            |
                  |      |            (26) following ‘false’ branch...
                  |
                ‘profile_check_conditional’: event 27
                  |
                  |cc1:
                  | (27): ...to here
                  |
                ‘profile_check_conditional’: events 28-34
                  |
                  |  195 |         while (cond->name) {
                  |      |                ^~~~
                  |      |                |
                  |      |                (28) following ‘true’ branch...
                  |  196 |                 // continue if not this conditional
                  |  197 |                 if (strncmp(ptr, cond->name, strlen(cond->name)) != 0) {
                  |      |                 ~~
                  |      |                 |
                  |      |                 (29) ...to here
                  |......
                  |  205 |                 if (*ptr++ != ':') {
                  |      |                    ~
                  |      |                    |
                  |      |                    (30) following ‘false’ branch...
                  |......
                  |  210 |                 if (*ptr == '\0') {
                  |      |                 ~~ ~
                  |      |                 |  |
                  |      |                 |  (32) following ‘false’ branch...
                  |      |                 (31) ...to here
                  |......
                  |  215 |                 if (*ptr == ' ')
                  |      |                 ~~
                  |      |                 |
                  |      |                 (33) ...to here
                  |......
                  |  220 |                 if (value) {
                  |      |                    ~
                  |      |                    |
                  |      |                    (34) following ‘false’ branch (when ‘value == 0’)...
                  |
                ‘profile_check_conditional’: event 35
                  |
                  |cc1:
                  | (35): ...to here
                  |
           <------+
           |
         ‘profile_check_line’: events 36-37
           |
           |  274 |         if (profile_check_conditional(ptr, lineno, fname) == 0)
           |      |            ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           |      |            ||
           |      |            |(36) returning to ‘profile_check_line’ from ‘profile_check_conditional’
           |      |            (37) following ‘true’ branch...
           |
         ‘profile_check_line’: event 38
           |
           |cc1:
           | (38): ...to here
           |
    <------+
    |
  ‘profile_check_conditional’: events 39-40
    |
    |  239 |                         if (profile_check_line(ptr, lineno, fname))
    |      |                            ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                            ||
    |      |                            |(39) returning to ‘profile_check_conditional’ from ‘profile_check_line’
    |      |                            (40) following ‘false’ branch...
    |
  ‘profile_check_conditional’: event 41
    |
    |cc1:
    | (41): ...to here
    |
  ‘profile_check_conditional’: event 42
    |
    |  239 |                         if (profile_check_line(ptr, lineno, fname))
    |      |                            ^
    |      |                            |
    |      |                            (42) ‘ptr’ leaks here; was allocated at (12)
    |
restricted_shell.c:123:42: warning: leak of ‘strdup(ptr)’ [CWE-401] [-Wanalyzer-malloc-leak] 
In function ‘restricted_shell’:
restricted_shell.c:123:42: warning: leak of ‘strdup(ptr)’ [CWE-401] [-Wanalyzer-malloc-leak]
  123 |                                 return i + 1;
      |                                        ~~^~~
  ‘restricted_shell’: event 1
    |
    |   29 |         assert(user);
    |      |         ^~~~~~
    |      |         |
    |      |         (1) following ‘true’ branch (when ‘user’ is non-NULL)...
    |
  ‘restricted_shell’: events 2-3
    |
    |   32 |         char *fname;
    |      |         ^~~~
    |      |         |
    |      |         (2) ...to here
    |   33 |         if (asprintf(&fname, "%s/login.users", SYSCONFDIR) == -1)
    |      |            ~
    |      |            |
    |      |            (3) following ‘false’ branch...
    |
  ‘restricted_shell’: event 4
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (4) ...to here
restricted_shell.c:34:17: note: in expansion of macro ‘errExit’
    |   34 |                 errExit("asprintf");
    |      |                 ^~~~~~~
    |
  ‘restricted_shell’: event 5
    |
    |   37 |         if (fp == NULL)
    |      |            ^
    |      |            |
    |      |            (5) following ‘false’ branch (when ‘fp’ is non-NULL)...
    |
  ‘restricted_shell’: event 6
    |
    |cc1:
    | (6): ...to here
    |
  ‘restricted_shell’: events 7-10
    |
    |   42 |         while (fgets(buf, MAX_READ, fp)) {
    |      |                ^~~~~
    |      |                |
    |      |                (7) following ‘true’ branch...
    |   43 |                 lineno++;
    |      |                 ~~~~~~
    |      |                 |
    |      |                 (8) ...to here
    |......
    |   60 |                 if (args == NULL) {
    |      |                    ~
    |      |                    |
    |      |                    (9) following ‘false’ branch (when ‘args’ is non-NULL)...
    |......
    |   65 |                 *args = '\0';
    |      |                 ~
    |      |                 |
    |      |                 (10) ...to here
    |
  ‘restricted_shell’: event 11
    |
    |   92 |                         for (i = 1; i < MAX_ARGS; i++) {
    |
  ‘restricted_shell’: event 12
    |
    |cc1:
    | (12): ...to here
    |
  ‘restricted_shell’: event 13
    |
    |  107 |                                 if (*ptr != '\0') {
    |      |                                    ^
    |      |                                    |
    |      |                                    (13) following ‘true’ branch...
    |
  ‘restricted_shell’: event 14
    |
    |cc1:
    | (14): ...to here
    |
  ‘restricted_shell’: events 15-17
    |
    |  112 |                                         fullargv[i] = strdup(fullargv[i]);
    |      |                                                       ^~~~~~~~~~~~~~~~~~~
    |      |                                                       |
    |      |                                                       (15) allocated here
    |  113 |                                         if (fullargv[i] == NULL)
    |      |                                            ~           
    |      |                                            |
    |      |                                            (16) assuming ‘strdup(ptr)’ is non-NULL
    |      |                                            (17) following ‘false’ branch...
    |
  ‘restricted_shell’: event 18
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (18) ...to here
restricted_shell.c:114:49: note: in expansion of macro ‘errExit’
    |  114 |                                                 errExit("strdup");
    |      |                                                 ^~~~~~~
    |
  ‘restricted_shell’: event 19
    |
    |  123 |                                 return i + 1;
    |      |                                        ~~^~~
    |      |                                          |
    |      |                                          (19) ‘strdup(ptr)’ leaks here; was allocated at (15)
    |
0783f9fsbox.c:254:24: warning: dereference of possibly-NULL ‘arg’ [CWE-690] [-Wanalyzer-possible-null-dereference] 
sbox.c: In function ‘sbox_run’:
sbox.c:254:24: warning: dereference of possibly-NULL ‘arg’ [CWE-690] [-Wanalyzer-possible-null-dereference]
  254 |                 arg[i] = va_arg(valist, char *);
      |                        ^
  ‘sbox_run’: events 1-3
    |
    |  251 |         char **arg = malloc((num + 1) * sizeof(char *));
    |      |                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                      |
    |      |                      (1) this call could return NULL
    |  252 |         int i;
    |  253 |         for (i = 0; i < num; i++)
    |      |                     ~~~~~~~
    |      |                       |
    |      |                       (2) following ‘true’ branch (when ‘i < num’)...
    |  254 |                 arg[i] = va_arg(valist, char *);
    |      |                 ~~~   
    |      |                 |
    |      |                 (3) ...to here
    |
  ‘sbox_run’: event 4
    |
    |  254 |                 arg[i] = va_arg(valist, char *);
    |      |                        ^
    |      |                        |
    |      |                        (4) ‘arg + (long unsigned int)i * 8’ could be NULL: unchecked value from (1)
    |
0783f9fsbox.c:255:16: warning: dereference of possibly-NULL ‘arg’ [CWE-690] [-Wanalyzer-possible-null-dereference 
  255 |         arg[i] = NULL;
      |                ^
  ‘sbox_run’: events 1-3
    |
    |  251 |         char **arg = malloc((num + 1) * sizeof(char *));
    |      |                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |                      |
    |      |                      (1) this call could return NULL
    |  252 |         int i;
    |  253 |         for (i = 0; i < num; i++)
    |      |                     ~~~~~~~
    |      |                       |
    |      |                       (2) following ‘false’ branch (when ‘i >= num’)...
    |  254 |                 arg[i] = va_arg(valist, char *);
    |  255 |         arg[i] = NULL;
    |      |         ~~~           
    |      |         |
    |      |         (3) ...to here
    |
  ‘sbox_run’: event 4
    |
    |  255 |         arg[i] = NULL;
    |      |                ^
    |      |                |
    |      |                (4) ‘arg + (long unsigned int)i * 8’ could be NULL: unchecked value from (1)
    |
57c0c21firemon.c:55:9: warning: call to ‘exit’ from within signal handler [CWE-479] [-Wanalyzer-unsafe-call-within-signal-handler] 
firemon.c: In function ‘my_handler’:
firemon.c:55:9: warning: call to ‘exit’ from within signal handler [CWE-479] [-Wanalyzer-unsafe-call-within-signal-handler]
   55 |         exit(0);
      |         ^~~~~~~
  ‘main’: events 1-2
    |
    |  134 | int main(int argc, char **argv) {
    |      |     ^~~~
    |      |     |
    |      |     (1) entry to ‘main’
    |......
    |  139 |         signal (SIGINT, my_handler);
    |      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |         |
    |      |         (2) registering ‘my_handler’ as signal handler
    |
  event 3
    |
    |cc1:
    | (3): later on, when the signal is delivered to the process
    |
    +--> ‘my_handler’: events 4-5
           |
           |   49 | static void my_handler(int s){
           |      |             ^~~~~~~~~~
           |      |             |
           |      |             (4) entry to ‘my_handler’
           |......
           |   55 |         exit(0);
           |      |         ~~~~~~~
           |      |         |
           |      |         (5) call to ‘exit’ from within signal handler
           |
firemon.c:55:9: note: ‘_exit’ is a possible signal-safe alternative for ‘exit’
   55 |         exit(0);
      |         ^~~~~~~
../include/common.h:39:28: warning: leak of ‘dname’ [CWE-401] [-Wanalyzer-malloc-leak] 
In file included from jailtest.h:23,
                 from access.c:20:
In function ‘access_setup’:
../include/common.h:39:28: warning: leak of ‘dname’ [CWE-401] [-Wanalyzer-malloc-leak]
   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
      |                            ^
access.c:93:17: note: in expansion of macro ‘errExit’
   93 |                 errExit("strdup");
      |                 ^~~~~~~
  ‘access_setup’: event 1
    |
    |   35 |         assert(directory);
    |      |         ^~~~~~
    |      |         |
    |      |         (1) following ‘true’ branch (when ‘directory’ is non-NULL)...
    |
  ‘access_setup’: event 2
    |
    |   36 |         assert(user_home_dir);
    |      |         ^~~~~~
    |      |         |
    |      |         (2) ...to here
    |
  ‘access_setup’: event 3
    |
    |   36 |         assert(user_home_dir);
    |      |         ^~~~~~
    |      |         |
    |      |         (3) following ‘true’ branch...
    |
  ‘access_setup’: events 4-7
    |
    |   38 |         if (files_cnt >= MAX_TEST_FILES) {
    |      |         ^~ ~
    |      |         |  |
    |      |         |  (5) following ‘false’ branch...
    |      |         (4) ...to here
    |......
    |   43 |         char *fname = strdup(directory);
    |      |         ~~~~
    |      |         |
    |      |         (6) ...to here
    |   44 |         if (!fname)
    |      |            ~
    |      |            |
    |      |            (7) following ‘false’ branch...
    |
  ‘access_setup’: event 8
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (8) ...to here
access.c:45:17: note: in expansion of macro ‘errExit’
    |   45 |                 errExit("strdup");
    |      |                 ^~~~~~~
    |
  ‘access_setup’: event 9
    |
    |   46 |         if (strncmp(fname, "~/", 2) == 0) {
    |      |            ^
    |      |            |
    |      |            (9) following ‘false’ branch...
    |
  ‘access_setup’: event 10
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (10) ...to here
access.c:49:25: note: in expansion of macro ‘errExit’
    |   49 |                         errExit("asprintf");
    |      |                         ^~~~~~~
    |
  ‘access_setup’: events 11-17
    |
    |   54 |         if (path == NULL) {
    |      |            ^
    |      |            |
    |      |            (11) following ‘false’ branch...
    |......
    |   60 |         if (strncmp(path, user_home_dir, strlen(user_home_dir)) != 0) {
    |      |         ~~ ~
    |      |         |  |
    |      |         |  (13) following ‘false’ branch...
    |      |         (12) ...to here
    |......
    |   67 |         DIR *dir = opendir(path);
    |      |         ~~~ 
    |      |         |
    |      |         (14) ...to here
    |   68 |         if (!dir) {
    |      |            ~
    |      |            |
    |      |            (15) following ‘false’ branch (when ‘dir’ is non-NULL)...
    |......
    |   73 |         closedir(dir);
    |      |         ~~~~~~~~
    |      |         |
    |      |         (16) ...to here
    |......
    |   77 |         if (asprintf(&test_file, "%s/jailtest-access-%d", path, getpid()) == -1)
    |      |            ~
    |      |            |
    |      |            (17) following ‘false’ branch...
    |
  ‘access_setup’: event 18
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (18) ...to here
access.c:78:17: note: in expansion of macro ‘errExit’
    |   78 |                 errExit("asprintf");
    |      |                 ^~~~~~~
    |
  ‘access_setup’: events 19-21
    |
    |   81 |         if (!fp) {
    |      |            ^
    |      |            |
    |      |            (19) following ‘false’ branch (when ‘fp’ is non-NULL)...
    |......
    |   85 |         fprintf(fp, "this file was created by firetest utility, you can safely delete it\n");
    |      |         ~~~~~~~
    |      |         |
    |      |         (20) ...to here
    |......
    |   88 |         if (rv)
    |      |            ~
    |      |            |
    |      |            (21) following ‘false’ branch (when ‘rv == 0’)...
    |
  ‘access_setup’: event 22
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (22) ...to here
access.c:89:17: note: in expansion of macro ‘errExit’
    |   89 |                 errExit("chown");
    |      |                 ^~~~~~~
    |
  ‘access_setup’: events 23-25
    |
    |   91 |         char *dname = strdup(directory);
    |      |                       ^~~~~~~~~~~~~~~~~
    |      |                       |
    |      |                       (23) allocated here
    |   92 |         if (!dname)
    |      |            ~           
    |      |            |
    |      |            (24) assuming ‘dname’ is non-NULL
    |      |            (25) following ‘false’ branch (when ‘dname’ is non-NULL)...
    |
  ‘access_setup’: event 26
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (26) ...to here
access.c:93:17: note: in expansion of macro ‘errExit’
    |   93 |                 errExit("strdup");
    |      |                 ^~~~~~~
    |
  ‘access_setup’: event 27
    |
    |../include/common.h:39:28:
    |   39 | #define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s: %s:%d %s", msg, __FILE__, __LINE__, __FUNCTION__); perror(msgout); exit(1);} while (0)
    |      |                            ^
    |      |                            |
    |      |                            (27) ‘dname’ leaks here; was allocated at (23)
access.c:93:17: note: in expansion of macro ‘errExit’
    |   93 |                 errExit("strdup");
    |      |                 ^~~~~~~
    |

All these warings make it impossible ATM to make after ./configure with --enable-analyzer and --enable-fatal-warnings.
@reinerh
Copy link
Collaborator

reinerh commented May 13, 2021
edited

Interesting, these have not been caught by clang-analyzer (scan-build).
When these are fixed we should enable it in CI.
Edit: just noticed it is already enabled in CI (build_and_test job).

@reinerh
Copy link
Collaborator

reinerh commented May 13, 2021

Ah, these warnings seem to be newly detected with GCC 11. It builds fine here with GCC 10.

reinerh added a commit that referenced this issue May 13, 2021
@reinerh
check if allocation was successful
0783f9f 
See #4274
smitsohu added a commit that referenced this issue May 16, 2021
@smitsohu
fix firemon signal handler - #4274
57c0c21
@smitsohu
Copy link
Collaborator

smitsohu commented May 16, 2021
edited

Is it only me? My impression is that -Wanalyzer-malloc-leak warnings are still prone to false positives. At first glance only the second memleak (profile.c) looks real.

If there is no way to silence these warnings individually, would it be ok to disable them altogether for the time being?

@reinerh
Copy link
Collaborator

reinerh commented May 16, 2021

@smitsohu I have the same impression. A few days ago I tried to tackle the problem in ls.c, and I was able to "silence" it with this change:

-        fname2 = expand_path(path2);
+        fname2 = strdup(path2);

Though both calls obviously allocate memory...

@glitsj16

This comment has been minimized.

Sign in to view
@reinerh

This comment has been minimized.

Sign in to view
@reinerh reinerh mentioned this issue May 23, 2021
Closed
@reinerh reinerh changed the title gcc -fanalyzer warnings gcc -fanalyzer warnings (GCC 11) May 23, 2021
@reinerh

This comment has been minimized.

Sign in to view
reinerh added a commit that referenced this issue May 23, 2021
@reinerh
CI: build with GCC 11
c7e7df7 
this fixes a new false positive memory leak (#4297), but unfortunately
opens a few new false positives (#4274).
therefore let it ignore memleak checks for now, until the detection
is a bit more stable in GCC.

Fixes: #4274, #4297
@reinerh reinerh mentioned this issue May 23, 2021
Merged
reinerh added a commit that referenced this issue May 23, 2021
@reinerh
CI: build with GCC 11
e96cdfb 
this fixes a new false positive memory leak (#4297), but unfortunately
opens a few new false positives (#4274).
therefore let it ignore memleak checks for now, until the detection
is a bit more stable in GCC.

Fixes: #4274, #4297
reinerh added a commit that referenced this issue May 23, 2021
@reinerh
CI: build with GCC 11
07b85f3 
this fixes a new false positive memory leak (#4297), but unfortunately
opens a few new false positives (#4274).
therefore let it ignore memleak checks for now, until the detection
is a bit more stable in GCC.

Fixes: #4274, #4297
@matu3ba matu3ba mentioned this issue Oct 7, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

CI: build with GCC 11 netblue30/firejail
4 participants
@glitsj16 @reinerh @smitsohu @rusty-snake