profstats: track dbus-system none

author: netblue30 <netblue30@yahoo.com> 2020-09-08 08:21:05 -0400
committer: netblue30 <netblue30@yahoo.com> 2020-09-08 08:21:05 -0400
commit: aee833f8bbc958d71f78d55ba677a419b970aa05 (patch)
tree: 399b278ec726ddd0133f698a4dc91d4dc5a3e20a
parent: fix #3625 -- hedgewars crashes without access to liblua (diff)
download: firejail-aee833f8bbc958d71f78d55ba677a419b970aa05.tar.gz
firejail-aee833f8bbc958d71f78d55ba677a419b970aa05.tar.zst
firejail-aee833f8bbc958d71f78d55ba677a419b970aa05.zip
3 files changed, 40 insertions, 23 deletions
diff --git a/README.md b/README.md
index 8d113bae8..914aaab49 100644
--- a/README.md
+++ b/README.md
@@ -160,33 +160,33 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 ### Profile Statistics
-A small tool to print profile statistics. Compile as usual and run:
+A small tool to print profile statistics. Compile as usual and run in /etc/profiles:
 `````
-$ make
-$ cd etc
 $ ./profstats *.profile
-    profiles                    966
+Warning: multiple caps in transmission-daemon.profile
-    include local profile       966   (include profile-name.local)
-    include globals             966   (include globals.local)
+Stats:
-    blacklist ~/.ssh            951   (include disable-common.inc)
+    profiles                    1025
-    seccomp                     908
+    include local profile       1025   (include profile-name.local)
-    capabilities                965
+    include globals             1025   (include globals.local)
-    noexec                      830   (include disable-exec.inc)
+    blacklist ~/.ssh            1001   (include disable-common.inc)
-    memory-deny-write-execute   214
+    seccomp                     971
-    apparmor                    488
+    capabilities                1024
-    private-bin                 483
+    noexec                      895   (include disable-exec.inc)
-    private-dev                 829
+    memory-deny-write-execute   217
-    private-etc                 366
+    apparmor                    546
-    private-tmp                 726
+    private-bin                 537
-    whitelist var               638   (include whitelist-var-common.inc)
+    private-dev                 893
-    whitelist run/user          282   (include whitelist-runuser-common.inc
+    private-etc                 426
+    private-tmp                 780
+    whitelist var               691   (include whitelist-var-common.inc)
+    whitelist run/user          329   (include whitelist-runuser-common.inc
                                        or blacklist ${RUNUSER})
-    whitelist usr/share         275   (include whitelist-usr-share-common.inc
+    whitelist usr/share         349   (include whitelist-usr-share-common.inc
-    net none                    313
+    net none                    329
+    dbus-system none            624
 `````
-Run ./profstats -h for help.
 ### New profiles:
 gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et,
diff --git a/etc/profile-m-z/openarena.profile b/etc/profile-m-z/openarena.profile
index 45682fc31..88d5d0e1e 100644
--- a/etc/profile-m-z/openarena.profile
+++ b/etc/profile-m-z/openarena.profile
@@ -21,7 +21,7 @@ whitelist ${HOME}/.openarena
 whitelist /usr/share/openarena
 include whitelist-common.inc
 include whitelist-runuser-common.inc
-include whitelist-usr-share-common.in
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 apparmor
diff --git a/src/profstats/main.c b/src/profstats/main.c
index a75ad8e29..194cb210a 100644
--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -28,6 +28,7 @@ static int cnt_profiles = 0;
 static int cnt_apparmor = 0;
 static int cnt_seccomp = 0;
 static int cnt_caps = 0;
+static int cnt_dbus_system_none = 0;
 static int cnt_dotlocal = 0;
 static int cnt_globalsdotlocal = 0;
 static int cnt_netnone = 0;
@@ -57,6 +58,8 @@ static int arg_whitelistrunuser = 0;
 static int arg_whitelistusrshare = 0;
 static int arg_ssh = 0;
 static int arg_mdwx = 0;
+static int arg_dbus_system_none = 0;
 static char *profile = NULL;
@@ -67,6 +70,7 @@ static void usage(void) {
        printf("Options:\n");
        printf("   --apparmor - print profiles without apparmor\n");
        printf("   --caps - print profiles without caps\n");
+        printf("   --dbus-system-none - profiles without  \"dbus-system none\"\n");
        printf("   --ssh - print profiles without \"include disable-common.inc\"\n");
        printf("   --noexec - print profiles without \"include disable-exec.inc\"\n");
        printf("   --private-bin - print profiles without private-bin\n");
@@ -138,6 +142,8 @@ void process_file(const char *fname) {
                        cnt_privatetmp++;
                else if (strncmp(ptr, "private-etc", 11) == 0)
                        cnt_privateetc++;
+                else if (strncmp(ptr, "dbus-system none", 16) == 0)
+                        cnt_dbus_system_none++;
                else if (strncmp(ptr, "include ", 8) == 0) {
                        // not processing .local files
                        if (strstr(ptr, ".local")) {
@@ -148,6 +154,11 @@ void process_file(const char *fname) {
                                        cnt_dotlocal++;
                                continue;
                        }
+                        // clean blanks
+                        char *ptr = buf + 8;
+                        while (*ptr != '\0' && *ptr != ' ' && *ptr != '\t')
+                                ptr++;
+                        *ptr = '\0';
                        process_file(buf + 8);
                }
        }
@@ -197,6 +208,8 @@ int main(int argc, char **argv) {
                        arg_whitelistusrshare = 1;
                else if (strcmp(argv[i], "--ssh") == 0)
                        arg_ssh = 1;
+                else if (strcmp(argv[i], "--dbus-system-none") == 0)
+                        arg_dbus_system_none = 1;
                else if (*argv[i] == '-') {
                        fprintf(stderr, "Error: invalid option %s\n", argv[i]);
                        return 1;
@@ -228,6 +241,7 @@ int main(int argc, char **argv) {
                int whitelistvar = cnt_whitelistvar;
                int whitelistrunuser = cnt_whitelistrunuser;
                int whitelistusrshare = cnt_whitelistusrshare;
+                int dbussystemnone = cnt_dbus_system_none;
                int ssh = cnt_ssh;
                int mdwx = cnt_mdwx;
@@ -249,6 +263,8 @@ int main(int argc, char **argv) {
                if (cnt_whitelistrunuser > (whitelistrunuser + 1))
                        cnt_whitelistrunuser = whitelistrunuser + 1;
+                if (arg_dbus_system_none && dbussystemnone == cnt_dbus_system_none)
+                        printf("No dbus-system none found in %s\n", argv[i]);
                if (arg_apparmor && apparmor == cnt_apparmor)
                        printf("No apparmor found in %s\n", argv[i]);
                if (arg_caps && caps == cnt_caps)
@@ -299,6 +315,7 @@ int main(int argc, char **argv) {
        printf("\t\t\t\t\tor blacklist ${RUNUSER})\n");
        printf("    whitelist usr/share\t\t%d   (include whitelist-usr-share-common.inc\n", cnt_whitelistusrshare);
        printf("    net none\t\t\t%d\n", cnt_netnone);
+        printf("    dbus-system none \t\t%d\n", cnt_dbus_system_none);
        printf("\n");
        return 0;
 }
author	netblue30 <netblue30@yahoo.com>	2020-09-08 08:21:05 -0400
committer	netblue30 <netblue30@yahoo.com>	2020-09-08 08:21:05 -0400
commit	aee833f8bbc958d71f78d55ba677a419b970aa05 (patch)
tree	399b278ec726ddd0133f698a4dc91d4dc5a3e20a
parent	fix #3625 -- hedgewars crashes without access to liblua (diff)
download	firejail-aee833f8bbc958d71f78d55ba677a419b970aa05.tar.gz firejail-aee833f8bbc958d71f78d55ba677a419b970aa05.tar.zst firejail-aee833f8bbc958d71f78d55ba677a419b970aa05.zip

diff --git a/README.md b/README.md index 8d113bae8..914aaab49 100644 --- a/README.md +++ b/README.md
@@ -160,33 +160,33 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
160		160
161	### Profile Statistics	161	### Profile Statistics
162		162
163	A small tool to print profile statistics. Compile as usual and run:	163	A small tool to print profile statistics. Compile as usual and run in /etc/profiles:
164	`````	164	`````
165	$ make
166	$ cd etc
167	$ ./profstats *.profile	165	$ ./profstats *.profile
168	profiles 966	166	Warning: multiple caps in transmission-daemon.profile
169	include local profile 966 (include profile-name.local)	167
170	include globals 966 (include globals.local)	168	Stats:
171	blacklist ~/.ssh 951 (include disable-common.inc)	169	profiles 1025
172	seccomp 908	170	include local profile 1025 (include profile-name.local)
173	capabilities 965	171	include globals 1025 (include globals.local)
174	noexec 830 (include disable-exec.inc)	172	blacklist ~/.ssh 1001 (include disable-common.inc)
175	memory-deny-write-execute 214	173	seccomp 971
176	apparmor 488	174	capabilities 1024
177	private-bin 483	175	noexec 895 (include disable-exec.inc)
178	private-dev 829	176	memory-deny-write-execute 217
179	private-etc 366	177	apparmor 546
180	private-tmp 726	178	private-bin 537
181	whitelist var 638 (include whitelist-var-common.inc)	179	private-dev 893
182	whitelist run/user 282 (include whitelist-runuser-common.inc	180	private-etc 426
		181	private-tmp 780
		182	whitelist var 691 (include whitelist-var-common.inc)
		183	whitelist run/user 329 (include whitelist-runuser-common.inc
183	or blacklist ${RUNUSER})	184	or blacklist ${RUNUSER})
184	whitelist usr/share 275 (include whitelist-usr-share-common.inc	185	whitelist usr/share 349 (include whitelist-usr-share-common.inc
185	net none 313	186	net none 329
		187	dbus-system none 624
186	`````	188	`````
187		189
188	Run ./profstats -h for help.
189
190	### New profiles:	190	### New profiles:
191		191
192	gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et,	192	gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et,


diff --git a/etc/profile-m-z/openarena.profile b/etc/profile-m-z/openarena.profile index 45682fc31..88d5d0e1e 100644 --- a/etc/profile-m-z/openarena.profile +++ b/etc/profile-m-z/openarena.profile
@@ -21,7 +21,7 @@ whitelist ${HOME}/.openarena
21	whitelist /usr/share/openarena	21	whitelist /usr/share/openarena
22	include whitelist-common.inc	22	include whitelist-common.inc
23	include whitelist-runuser-common.inc	23	include whitelist-runuser-common.inc
24	include whitelist-usr-share-common.in	24	include whitelist-usr-share-common.inc
25	include whitelist-var-common.inc	25	include whitelist-var-common.inc
26		26
27	apparmor	27	apparmor


diff --git a/src/profstats/main.c b/src/profstats/main.c index a75ad8e29..194cb210a 100644 --- a/src/profstats/main.c +++ b/src/profstats/main.c
@@ -28,6 +28,7 @@ static int cnt_profiles = 0;
28	static int cnt_apparmor = 0;	28	static int cnt_apparmor = 0;
29	static int cnt_seccomp = 0;	29	static int cnt_seccomp = 0;
30	static int cnt_caps = 0;	30	static int cnt_caps = 0;
		31	static int cnt_dbus_system_none = 0;
31	static int cnt_dotlocal = 0;	32	static int cnt_dotlocal = 0;
32	static int cnt_globalsdotlocal = 0;	33	static int cnt_globalsdotlocal = 0;
33	static int cnt_netnone = 0;	34	static int cnt_netnone = 0;
@@ -57,6 +58,8 @@ static int arg_whitelistrunuser = 0;
57	static int arg_whitelistusrshare = 0;	58	static int arg_whitelistusrshare = 0;
58	static int arg_ssh = 0;	59	static int arg_ssh = 0;
59	static int arg_mdwx = 0;	60	static int arg_mdwx = 0;
		61	static int arg_dbus_system_none = 0;
		62
60		63
61	static char *profile = NULL;	64	static char *profile = NULL;
62		65
@@ -67,6 +70,7 @@ static void usage(void) {
67	printf("Options:\n");	70	printf("Options:\n");
68	printf(" --apparmor - print profiles without apparmor\n");	71	printf(" --apparmor - print profiles without apparmor\n");
69	printf(" --caps - print profiles without caps\n");	72	printf(" --caps - print profiles without caps\n");
		73	printf(" --dbus-system-none - profiles without \"dbus-system none\"\n");
70	printf(" --ssh - print profiles without \"include disable-common.inc\"\n");	74	printf(" --ssh - print profiles without \"include disable-common.inc\"\n");
71	printf(" --noexec - print profiles without \"include disable-exec.inc\"\n");	75	printf(" --noexec - print profiles without \"include disable-exec.inc\"\n");
72	printf(" --private-bin - print profiles without private-bin\n");	76	printf(" --private-bin - print profiles without private-bin\n");
@@ -138,6 +142,8 @@ void process_file(const char *fname) {
138	cnt_privatetmp++;	142	cnt_privatetmp++;
139	else if (strncmp(ptr, "private-etc", 11) == 0)	143	else if (strncmp(ptr, "private-etc", 11) == 0)
140	cnt_privateetc++;	144	cnt_privateetc++;
		145	else if (strncmp(ptr, "dbus-system none", 16) == 0)
		146	cnt_dbus_system_none++;
141	else if (strncmp(ptr, "include ", 8) == 0) {	147	else if (strncmp(ptr, "include ", 8) == 0) {
142	// not processing .local files	148	// not processing .local files
143	if (strstr(ptr, ".local")) {	149	if (strstr(ptr, ".local")) {
@@ -148,6 +154,11 @@ void process_file(const char *fname) {
148	cnt_dotlocal++;	154	cnt_dotlocal++;
149	continue;	155	continue;
150	}	156	}
		157	// clean blanks
		158	char *ptr = buf + 8;
		159	while (ptr != '\0' && ptr != ' ' && *ptr != '\t')
		160	ptr++;
		161	*ptr = '\0';
151	process_file(buf + 8);	162	process_file(buf + 8);
152	}	163	}
153	}	164	}
@@ -197,6 +208,8 @@ int main(int argc, char **argv) {
197	arg_whitelistusrshare = 1;	208	arg_whitelistusrshare = 1;
198	else if (strcmp(argv[i], "--ssh") == 0)	209	else if (strcmp(argv[i], "--ssh") == 0)
199	arg_ssh = 1;	210	arg_ssh = 1;
		211	else if (strcmp(argv[i], "--dbus-system-none") == 0)
		212	arg_dbus_system_none = 1;
200	else if (*argv[i] == '-') {	213	else if (*argv[i] == '-') {
201	fprintf(stderr, "Error: invalid option %s\n", argv[i]);	214	fprintf(stderr, "Error: invalid option %s\n", argv[i]);
202	return 1;	215	return 1;
@@ -228,6 +241,7 @@ int main(int argc, char **argv) {
228	int whitelistvar = cnt_whitelistvar;	241	int whitelistvar = cnt_whitelistvar;
229	int whitelistrunuser = cnt_whitelistrunuser;	242	int whitelistrunuser = cnt_whitelistrunuser;
230	int whitelistusrshare = cnt_whitelistusrshare;	243	int whitelistusrshare = cnt_whitelistusrshare;
		244	int dbussystemnone = cnt_dbus_system_none;
231	int ssh = cnt_ssh;	245	int ssh = cnt_ssh;
232	int mdwx = cnt_mdwx;	246	int mdwx = cnt_mdwx;
233		247
@@ -249,6 +263,8 @@ int main(int argc, char **argv) {
249	if (cnt_whitelistrunuser > (whitelistrunuser + 1))	263	if (cnt_whitelistrunuser > (whitelistrunuser + 1))
250	cnt_whitelistrunuser = whitelistrunuser + 1;	264	cnt_whitelistrunuser = whitelistrunuser + 1;
251		265
		266	if (arg_dbus_system_none && dbussystemnone == cnt_dbus_system_none)
		267	printf("No dbus-system none found in %s\n", argv[i]);
252	if (arg_apparmor && apparmor == cnt_apparmor)	268	if (arg_apparmor && apparmor == cnt_apparmor)
253	printf("No apparmor found in %s\n", argv[i]);	269	printf("No apparmor found in %s\n", argv[i]);
254	if (arg_caps && caps == cnt_caps)	270	if (arg_caps && caps == cnt_caps)
@@ -299,6 +315,7 @@ int main(int argc, char **argv) {
299	printf("\t\t\t\t\tor blacklist ${RUNUSER})\n");	315	printf("\t\t\t\t\tor blacklist ${RUNUSER})\n");
300	printf(" whitelist usr/share\t\t%d (include whitelist-usr-share-common.inc\n", cnt_whitelistusrshare);	316	printf(" whitelist usr/share\t\t%d (include whitelist-usr-share-common.inc\n", cnt_whitelistusrshare);
301	printf(" net none\t\t\t%d\n", cnt_netnone);	317	printf(" net none\t\t\t%d\n", cnt_netnone);
		318	printf(" dbus-system none \t\t%d\n", cnt_dbus_system_none);
302	printf("\n");	319	printf("\n");
303	return 0;	320	return 0;
304	}	321	}