Closed: https://github.com/xaionaro/clsync/issues/118

Closed the issue and updated the manpage

@@ -1010,9 +1010,18 @@ static int parse_parameter(ctx_t *ctx_p, uint16_t param_id, char *arg, paramsour
 #ifdef CAPABILITIES_SUPPORT
 # ifdef SECCOMP_SUPPORT
 		case SECURESPLITTING: {
-			ctx_p->flags[CHECK_EXECVP_ARGS]++;
-			ctx_p->flags[SECCOMP_FILTER]++;
-			ctx_p->flags[FORBIDDEVICES]++;
+			if (ctx_p->flags_values_raw[CHECK_EXECVP_ARGS] == NULL)
+				ctx_p->flags[CHECK_EXECVP_ARGS]++;
+
+			if (ctx_p->flags_values_raw[SECCOMP_FILTER] == NULL)
+				ctx_p->flags[SECCOMP_FILTER]++;
+
+			if (ctx_p->flags_values_raw[FORBIDDEVICES] == NULL)
+				ctx_p->flags[FORBIDDEVICES]++;
+
+			if (ctx_p->flags_values_raw[SPLITTING] != NULL)
+				break;
+
 			arg = "process";
 		}
 		case SPLITTING: {
@@ -2156,6 +2165,11 @@ int ctx_check(ctx_t *ctx_p) {
 		}
 	}
 
+	if (ctx_p->flags[CHECK_EXECVP_ARGS] && (ctx_p->flags[MODE] == MODE_DIRECT)) {
+		ret = errno = EINVAL;
+		error("Options --check-execvp-arguments/--secure-splitting cannot be used in conjuction with --mode=direct (see \"man 1 clsync\": --check-execvp-arguments).");
+	}
+
 #if 0
 	if (ctx_p->handlerfpath != NULL)
 		if (access(ctx_p->handlerfpath, X_OK) == -1) {

@@ -1473,6 +1473,8 @@ Is set to "off" by default.
 .B \-\-check\-execvp\-arguments
 .RS
 .B [Requires \-\-splitting=[thread|process]]
+.br
+.B [Blocks \-\-mode=direct]
 
 Enables execvp() arguments recheck in the privileged process (in case of their
 substitution to any exploit-given arguments).
@@ -1482,6 +1484,10 @@ changing of
 .I sync\-handler\-arguments
 and hook file paths.
 
+This option cannot be used in conjuction with
+.BR \-\-mode "=direct"
+due to an arbitrary number of arguments in this mode.
+
 Is not set by default.
 .RE
 
@@ -2544,6 +2550,15 @@ Not described yet.
 clsync -Mrsyncdirect -W/path/to/source_dir -D/path/to/destination_dir
 .RE
 
+.B Syncing 'authorized_keys' files:
+.RS
+mkdir -p /etc/clsync/rules
+.br
+printf "+w^$\n+w^[^/]+$\n+w^[^/]+/.ssh$\n+f^[^/]+/.ssh/authorized_keys$\n-*" > /etc/clsync/rules/authorized_files_only
+.br
+clsync -Mdirect -Scp -W/mnt/master/home/ -D/home -R/etc/clsync/rules/authorized_files_only -- -Pfp --parents %INCLUDE-LIST% %destination-dir%
+.RE
+
 .B Mirroring a directory, but faster:
 .RS
 clsync -w5 -t5 -T5 -Mrsyncdirect -W/path/to/source_dir -D/path/to/destination_dir

@@ -107,6 +107,7 @@
 	SECCOMP_ALLOW_ACCUM_SYSCALL(rt_sigaction),			\
 	SECCOMP_ALLOW_ACCUM_SYSCALL(nanosleep),				\
 	SECCOMP_ALLOW_ACCUM_SYSCALL(shmdt),				\
+	SECCOMP_ALLOW_ACCUM_SYSCALL(clone),		/* for --threading */		\
 
 
 /* Syscalls allowed to non-privileged thread */
@@ -531,19 +532,19 @@ int privileged_execvp_check_arguments(struct pa_options *opts, const char *u_fil
 		argv       = args[a_i].v;
 		isexpanded = args[a_i].isexpanded;
 
-		// Checking the number of arguments
+		debug(8, "Checking the number of arguments: %i <> %i", argc, u_argc);
 		if (argc != u_argc)
 			continue;
 
 		critical_on (!argc);
 
-		// Checking the execution file
+		debug(8, "Checking the execution file: \"%s\" <> \"%s\"; isexpanded == %i", argv[0], u_file, isexpanded[0]);
 		if (pa_strcmp(argv[0], u_file, isexpanded[0])) {
 			debug(1, "The file to be executed didn't match (argv[0] != u_file): \"%s\" != \"%s\"", argv[0], u_file);
 			break;
 		}
 
-		// Checking arguments
+		debug(8, "Checking arguments");
 		i = 1;
 		while (i < argc) {
 			if (pa_strcmp(argv[i], u_argv[i], isexpanded[i])) {