author | netblue30 <netblue30@yahoo.com> | 2018-01-24 08:48:50 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2018-01-24 08:48:50 -0500 |
commit | 5ebebb1211364a4d7164ad30d021adabf5374d32 (patch) | |
tree | adcd26d88b059d25e058e19c56dd496c811e1690 | |
parent | apparmor support for --overlay sandboxes (diff) | |
added firejail --apparmor.print and firemon --apparmor
-rw-r--r-- | src/firejail/main.c | 10 | ||||
-rw-r--r-- | src/firejail/usage.c | 1 | ||||
-rw-r--r-- | src/firemon/Makefile.in | 3 | ||||
-rw-r--r-- | src/firemon/apparmor.c | 62 | ||||
-rw-r--r-- | src/firemon/firemon.c | 10 | ||||
-rw-r--r-- | src/firemon/firemon.h | 3 | ||||
-rw-r--r-- | src/firemon/usage.c | 1 | ||||
-rw-r--r-- | src/man/firejail.txt | 15 | ||||
-rw-r--r-- | src/man/firemon.txt | 3 |
9 files changed, 106 insertions, 2 deletions
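--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -511,6 +511,16 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 cpu_print_filter(pid);
 exit(0);
 }
+else if (strncmp(argv[i], "--apparmor.print=", 12) == 0) {
+// join sandbox by pid or by name
+pid_t pid = read_pid(argv[i] + 17);
+char *pidstr;
+if (asprintf(&pidstr, "%u", pid) == -1)
+errExit("asprintf");
+sbox_run(SBOX_USER| SBOX_CAPS_NONE | SBOX_SECCOMP, 3, PATH_FIREMON, "--apparmor", pidstr);
+free(pidstr);
+exit(0);
+}
 else if (strncmp(argv[i], "--caps.print=", 13) == 0) {
 // join sandbox by pid or by name
 pid_t pid = read_pid(argv[i] + 13);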
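Review bot: The prefix length in the new `strncmp(argv[i], "--apparmor.print=", 12)` does not match the 17-character option string, while the offset `argv[i] + 17` on the next line assumes the full prefix matched; the sibling `--caps.print=` branch uses 13 for its 13-character prefix. An argument such as `--apparmor.print` (16 characters, no `=`) or `--apparmor.pXYZ` therefore enters this branch and `read_pid` is handed a pointer past the end of the argument string, an out-of-bounds read that yields an arbitrary pid. Change the check to `strncmp(argv[i], "--apparmor.print=", 17) == 0`. The comment copied from the caps branch, `// join sandbox by pid or by name`, does not describe this branch; `// print the AppArmor status of the sandbox identified by pid or by name` fits better. run_cmd_and_exit begins and ends outside the hunk.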
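--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -34,6 +34,7 @@ void usage(void) {
 printf("\thome directories.\n");
 printf(" --allusers - all user home directories are visible inside the sandbox.\n");
 printf(" --apparmor - enable AppArmor confinement.\n");
+printf(" --apparmor.print=name|pid - print apparmor status.\n");
 printf(" --appimage - sandbox an AppImage application.\n");
 printf(" --audit[=test-program] - audit the sandbox.\n");
 #ifdef HAVE_NETWORK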
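--- a/src/firemon/Makefile.in
+++ b/src/firemon/Makefile.in
@@ -6,13 +6,14 @@ VERSION=@PACKAGE_VERSION@
 NAME=@PACKAGE_NAME@
 HAVE_FATAL_WARNINGS=@HAVE_FATAL_WARNINGS@
 HAVE_GCOV=@HAVE_GCOV@
+HAVE_APPARMOR=@HAVE_APPARMOR@
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@
 
 H_FILE_LIST = $(sort $(wildcard *.[h]))
 C_FILE_LIST = $(sort $(wildcard *.c))
 OBJS = $(C_FILE_LIST:.c=.o)
 BINOBJS = $(foreach file, $(OBJS), $file)
-CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
+CFLAGS += -ggdb $(HAVE_FATAL_WARNINGS) -O2 -DVERSION='"$(VERSION)"' -DPREFIX='"$(prefix)"' $(HAVE_APPARMOR) $(HAVE_GCOV) -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -pie -Wformat -Wformat-security
 LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now
 HAVE_GCOV=@HAVE_GCOV@
 EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@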
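--- /dev/null
+++ b/src/firemon/apparmor.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2014-2018 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#include "firemon.h"
+#include <sys/apparmor.h>
+
+#ifdef HAVE_APPARMOR
+static void print_apparmor(int pid) {
+char *label = NULL;
+char *mode = NULL;
+int rv = aa_gettaskcon(pid, &label, &mode);
+if (rv != -1) {
+printf(" AppArmor: ");
+if (label)
+printf("%s ", label);
+if (mode)
+printf("%s", mode);
+printf("\n");
+}
+}
+
+void apparmor(pid_t pid, int print_procs) {
+pid_read(pid);
+
+// print processes
+int i;
+for (i = 0; i < max_pids; i++) {
+if (pids[i].level == 1) {
+if (print_procs || pid == 0)
+pid_print_list(i, arg_nowrap);
+int child = find_child(i);
+if (child != -1)
+print_apparmor(child);
+}
+}
+printf("\n");
+}
+
+#else
+
+void apparmor(pid_t pid, int print_procs) {
+(void) pid;
+(void) print_procs;
+printf("AppArmor support not available\n");
+}
+#endif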
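Review bot: `#include <sys/apparmor.h>` is placed above the `#ifdef HAVE_APPARMOR` guard, so a build on a system without the libapparmor headers fails to compile even though the `#else` stub exists for exactly that case; move the include below `#ifdef HAVE_APPARMOR`. In print_apparmor, the buffer that `aa_gettaskcon` returns through `label` is allocated by libapparmor and must be freed by the caller (`mode`, when set, points into that same buffer, so only `label` is freed), but nothing frees it here and one allocation leaks per sandbox listed; add `free(label);` after the `printf("\n");` inside the `if`. When `aa_gettaskcon` fails the function prints nothing, so a sandbox whose confinement could not be queried (for example for lack of permission) looks the same as one with no output, which is misleading for a status tool; printing a short `AppArmor: (query failed)` line in an `else` branch would make that visible. The `int pid` parameter of print_apparmor is narrower than the `pid_t` that find_child's result is used for; declaring it `pid_t pid` matches the rest of the file.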
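--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
@@ -37,6 +37,7 @@ static int arg_x11 = 0;
 static int arg_top = 0;
 static int arg_list = 0;
 static int arg_netstats = 0;
+static int arg_apparmor = 0;
 int arg_nowrap = 0;
 
 static struct termios tlocal; // startup terminal setting
@@ -178,6 +179,8 @@ int main(int argc, char **argv) {
 arg_route = 1;
 else if (strcmp(argv[i], "--arp") == 0)
 arg_arp = 1;
+else if (strcmp(argv[i], "--apparmor") == 0)
+arg_apparmor = 1;
 
 else if (strncmp(argv[i], "--name=", 7) == 0) {
 char *name = argv[i] + 7;
@@ -238,7 +241,7 @@ int main(int argc, char **argv) {
 }
 
 // if --name requested without other options, print all data
-if (pid && !arg_cpu && !arg_seccomp && !arg_caps &&
+if (pid && !arg_cpu && !arg_seccomp && !arg_caps && !arg_apparmor &&
 !arg_cgroup && !arg_x11 && !arg_interface && !arg_route && !arg_arp) {
 arg_tree = 1;
 arg_cpu = 1;
@@ -249,6 +252,7 @@ int main(int argc, char **argv) {
 arg_interface = 1;
 arg_route = 1;
 arg_arp = 1;
+arg_apparmor = 1;
 }
 
 // cumulative options
@@ -265,6 +269,10 @@ int main(int argc, char **argv) {
 caps((pid_t) pid, print_procs);
 print_procs = 0;
 }
+if (arg_apparmor) {
+apparmor((pid_t) pid, print_procs);
+print_procs = 0;
+}
 if (arg_cgroup) {
 cgroup((pid_t) pid, print_procs);
 print_procs = 0;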
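Review bot: In the "--name requested without other options" block, the new `arg_apparmor = 1;` is set unconditionally, so on a firemon built without HAVE_APPARMOR every full per-sandbox report now also runs the stub `apparmor()` from this commit and prints `AppArmor support not available`, a change in the default output that users of non-AppArmor builds did not ask for. Wrapping that assignment as `#ifdef HAVE_APPARMOR` / `arg_apparmor = 1;` / `#endif` keeps the default report unchanged there while the explicit `--apparmor` option still reaches the stub and its message. The same consideration applies to the new `!arg_apparmor` term in the condition just above it, which only matters when the option can be set. main starts and ends outside these hunks, so I cannot see whether HAVE_APPARMOR is otherwise consulted in firemon.c.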
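--- a/src/firemon/firemon.h
+++ b/src/firemon/firemon.h
@@ -83,4 +83,7 @@ void netstats(void);
 // x11.c
 void x11(pid_t pid, int print_procs);
 
+//apparmor.c
+void apparmor(pid_t pid, int print_procs);
+
 #endif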
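Review bot: The new section comment `//apparmor.c` lacks the space after `//` that the neighbouring `// x11.c` comment uses; `// apparmor.c` keeps the header consistent. A one-line contract on the prototype would also help callers, since the function's behaviour differs by build: `// print AppArmor label/mode for each sandbox (or for pid); prints a "not available" line when built without HAVE_APPARMOR`.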
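--- a/src/firemon/usage.c
+++ b/src/firemon/usage.c
@@ -27,6 +27,7 @@ void usage(void) {
 printf("are also being monitored. On Grsecurity systems only root user\n");
 printf("can run this program.\n\n");
 printf("Options:\n");
+printf("\t--apparmor - print AppArmor confinement status for each sandbox.\n\n");
 printf("\t--arp - print ARP table for each sandbox.\n\n");
 printf("\t--caps - print capabilities configuration for each sandbox.\n\n");
 printf("\t--cgroup - print control group information for each sandbox.\n\n");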
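--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -111,6 +111,21 @@ $ firejail --appimage krita-3.0-x86_64.appimage
 $ firejail --appimage --private krita-3.0-x86_64.appimage
 .br
 $ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage
+
+.TP
+\fB\-\-apparmor.print=name|pid
+Print the AppArmor confinement status for the sandbox identified by name or by PID.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-apparmor.print=browser
+.br
+5074:netblue:/usr/bin/firejail /usr/bin/firefox-esr
+.br
+AppArmor: firejail-default enforce
+
 .TP
 \fB\-\-audit
 Audit the sandbox, see \fBAUDIT\fR section for more details.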
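--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -10,6 +10,9 @@ these processes are also being monitored. On Grsecurity systems only root user
 can run this program.
 .SH OPTIONS
 .TP
+\fB\-\-apparmor
+Print AppArmor confinement status for each sandbox.
+.TP
 \fB\-\-arp
 Print ARP table for each sandbox.
 .TP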