authorLibravatar netblue30 <netblue30@protonmail.com>2021-01-24 11:49:48 -0500
committerLibravatar netblue30 <netblue30@protonmail.com>2021-01-24 11:49:48 -0500
commitec29c6acad2370c5aed10c94b431d7bf6e421a90 (patch)
treeb8f38ac91f99c723016d5d01c651a4cadb2d3124
parentUpdate vmware.profile (#3913) (diff)
profstats
-rw-r--r--README.md42
-rw-r--r--src/profstats/main.c20
2 files changed, 42 insertions, 20 deletions
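--- a/README.md
+++ b/README.md
@@ -170,27 +170,29 @@ $ ./profstats *.profile
 Warning: multiple caps in transmission-daemon.profile
 
 Stats:
- profiles 1031
- include local profile 1031 (include profile-name.local)
- include globals 1031 (include globals.local)
- blacklist ~/.ssh 1007 (include disable-common.inc)
- seccomp 976
- capabilities 1030
- noexec 901 (include disable-exec.inc)
- memory-deny-write-execute 221
- apparmor 555
- private-bin 544
- private-dev 897
- private-etc 435
- private-tmp 785
- whitelist home directory 474
- whitelist var 699 (include whitelist-var-common.inc)
- whitelist run/user 336 (include whitelist-runuser-common.inc
+ profiles 1064
+ include local profile 1064 (include profile-name.local)
+ include globals 1064 (include globals.local)
+ blacklist ~/.ssh 959 (include disable-common.inc)
+ seccomp 975
+ capabilities 1063
+ noexec 944 (include disable-exec.inc)
+ memory-deny-write-execute 229
+ apparmor 605
+ private-bin 564
+ private-dev 932
+ private-etc 462
+ private-tmp 823
+ whitelist home directory 502
+ whitelist var 744 (include whitelist-var-common.inc)
+ whitelist run/user 461 (include whitelist-runuser-common.inc
  or blacklist ${RUNUSER})
- whitelist usr/share 359 (include whitelist-usr-share-common.inc
- net none 333
- dbus-user none 523
- dbus-system none 632
+ whitelist usr/share 451 (include whitelist-usr-share-common.inc
+ net none 345
+ dbus-user none 564
+ dbus-user filter 85
+ dbus-system none 696
+ dbus-system filter 7
 ```
 
 ### New profiles: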
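--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -30,6 +30,8 @@ static int cnt_seccomp = 0;
 static int cnt_caps = 0;
 static int cnt_dbus_system_none = 0;
 static int cnt_dbus_user_none = 0;
+static int cnt_dbus_system_filter = 0;
+static int cnt_dbus_user_filter = 0;
 static int cnt_dotlocal = 0;
 static int cnt_globalsdotlocal = 0;
 static int cnt_netnone = 0;
@@ -152,8 +154,12 @@ void process_file(const char *fname) {
 		cnt_privateetc++;
 	else if (strncmp(ptr, "dbus-system none", 16) == 0)
 		cnt_dbus_system_none++;
+	else if (strncmp(ptr, "dbus-system", 11) == 0)
+		cnt_dbus_system_filter++;
 	else if (strncmp(ptr, "dbus-user none", 14) == 0)
 		cnt_dbus_user_none++;
+	else if (strncmp(ptr, "dbus-user", 9) == 0)
+		cnt_dbus_user_filter++;
 	else if (strncmp(ptr, "include ", 8) == 0) {
 		// not processing .local files
 		if (strstr(ptr, ".local")) {
@@ -257,7 +263,9 @@ int main(int argc, char **argv) {
 	int whitelistrunuser = cnt_whitelistrunuser;
 	int whitelistusrshare = cnt_whitelistusrshare;
 	int dbussystemnone = cnt_dbus_system_none;
+	int dbussystemfilter = cnt_dbus_system_filter;
 	int dbususernone = cnt_dbus_user_none;
+	int dbususerfilter = cnt_dbus_user_filter;
 	int ssh = cnt_ssh;
 	int mdwx = cnt_mdwx;
 
@@ -278,6 +286,16 @@ int main(int argc, char **argv) {
 		cnt_globalsdotlocal = globalsdotlocal + 1;
 	if (cnt_whitelistrunuser > (whitelistrunuser + 1))
 		cnt_whitelistrunuser = whitelistrunuser + 1;
+	if (cnt_seccomp > (seccomp + 1))
+		cnt_seccomp = seccomp + 1;
+	if (cnt_dbus_user_none > (dbususernone + 1))
+		cnt_dbus_user_none = dbususernone + 1;
+	if (cnt_dbus_user_filter > (dbususerfilter + 1))
+		cnt_dbus_user_filter = dbususerfilter + 1;
+	if (cnt_dbus_system_none > (dbussystemnone + 1))
+		cnt_dbus_system_none = dbussystemnone + 1;
+	if (cnt_dbus_system_filter > (dbussystemfilter + 1))
+		cnt_dbus_system_filter = dbussystemfilter + 1;
 
 	if (arg_dbus_system_none && dbussystemnone == cnt_dbus_system_none)
 		printf("No dbus-system none found in %s\n", argv[i]);
@@ -337,7 +355,9 @@ int main(int argc, char **argv) {
 	printf(" whitelist usr/share\t\t%d (include whitelist-usr-share-common.inc\n", cnt_whitelistusrshare);
 	printf(" net none\t\t\t%d\n", cnt_netnone);
 	printf(" dbus-user none \t\t%d\n", cnt_dbus_user_none);
+	printf(" dbus-user filter \t\t%d\n", cnt_dbus_user_filter);
 	printf(" dbus-system none \t\t%d\n", cnt_dbus_system_none);
+	printf(" dbus-system filter \t\t%d\n", cnt_dbus_system_filter);
 	printf("\n");
 	return 0;
 }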
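Review bot: The fallback matches added in process_file, `else if (strncmp(ptr, "dbus-system", 11) == 0)` and `else if (strncmp(ptr, "dbus-user", 9) == 0)`, count any remaining dbus-system/dbus-user directive as a filter rather than only a literal `dbus-system filter`/`dbus-user filter` line, so a profile carrying only `dbus-user.talk`-style rules with no explicit filter line would presumably be reported under "dbus-user filter" too, which matters because these stats are read as a measure of how many profiles actually restrict the bus. The per-file clamp added in main() (`if (cnt_dbus_user_filter > (dbususerfilter + 1))` and its three siblings) suggests the broad prefix match is deliberate so that several directives in one profile count once. If that is the intent, say so on the two fallbacks with a comment such as `// any other dbus-system directive (filter/talk/own/see) counts the profile as filtered`; otherwise match the full keyword, `else if (strncmp(ptr, "dbus-system filter", 18) == 0)` and `else if (strncmp(ptr, "dbus-user filter", 16) == 0)`, and the clamp then only guards against duplicate lines. process_file's body starts and ends outside the hunk, so whether ptr has already been trimmed of leading whitespace and comments cannot be confirmed from here.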