author | netblue30 <netblue30@protonmail.com> | 2021-01-24 11:49:48 -0500 |
committer | netblue30 <netblue30@protonmail.com> | 2021-01-24 11:49:48 -0500 |
commit | ec29c6acad2370c5aed10c94b431d7bf6e421a90 (patch) | |
tree | b8f38ac91f99c723016d5d01c651a4cadb2d3124 | |
parent | Update vmware.profile (#3913) (diff) | |
profstats
-rw-r--r-- | README.md | 42 | ||||
-rw-r--r-- | src/profstats/main.c | 20 |
2 files changed, 42 insertions, 20 deletions
@@ -170,27 +170,29 @@ $ ./profstats *.profile | |||
170 | Warning: multiple caps in transmission-daemon.profile | 170 | Warning: multiple caps in transmission-daemon.profile |
171 | 171 | ||
172 | Stats: | 172 | Stats: |
173 | profiles 1031 | 173 | profiles 1064 |
174 | include local profile 1031 (include profile-name.local) | 174 | include local profile 1064 (include profile-name.local) |
175 | include globals 1031 (include globals.local) | 175 | include globals 1064 (include globals.local) |
176 | blacklist ~/.ssh 1007 (include disable-common.inc) | 176 | blacklist ~/.ssh 959 (include disable-common.inc) |
177 | seccomp 976 | 177 | seccomp 975 |
178 | capabilities 1030 | 178 | capabilities 1063 |
179 | noexec 901 (include disable-exec.inc) | 179 | noexec 944 (include disable-exec.inc) |
180 | memory-deny-write-execute 221 | 180 | memory-deny-write-execute 229 |
181 | apparmor 555 | 181 | apparmor 605 |
182 | private-bin 544 | 182 | private-bin 564 |
183 | private-dev 897 | 183 | private-dev 932 |
184 | private-etc 435 | 184 | private-etc 462 |
185 | private-tmp 785 | 185 | private-tmp 823 |
186 | whitelist home directory 474 | 186 | whitelist home directory 502 |
187 | whitelist var 699 (include whitelist-var-common.inc) | 187 | whitelist var 744 (include whitelist-var-common.inc) |
188 | whitelist run/user 336 (include whitelist-runuser-common.inc | 188 | whitelist run/user 461 (include whitelist-runuser-common.inc |
189 | or blacklist ${RUNUSER}) | 189 | or blacklist ${RUNUSER}) |
190 | whitelist usr/share 359 (include whitelist-usr-share-common.inc | 190 | whitelist usr/share 451 (include whitelist-usr-share-common.inc |
191 | net none 333 | 191 | net none 345 |
192 | dbus-user none 523 | 192 | dbus-user none 564 |
193 | dbus-system none 632 | 193 | dbus-user filter 85 |
194 | dbus-system none 696 | ||
195 | dbus-system filter 7 | ||
194 | ``` | 196 | ``` |
195 | 197 | ||
196 | ### New profiles: | 198 | ### New profiles: |
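--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -30,6 +30,8 @@ static int cnt_seccomp = 0;
 static int cnt_caps = 0;
 static int cnt_dbus_system_none = 0;
 static int cnt_dbus_user_none = 0;
+static int cnt_dbus_system_filter = 0;
+static int cnt_dbus_user_filter = 0;
 static int cnt_dotlocal = 0;
 static int cnt_globalsdotlocal = 0;
 static int cnt_netnone = 0;
@@ -152,8 +154,12 @@ void process_file(const char *fname) {
 			cnt_privateetc++;
 		else if (strncmp(ptr, "dbus-system none", 16) == 0)
 			cnt_dbus_system_none++;
+		else if (strncmp(ptr, "dbus-system", 11) == 0)
+			cnt_dbus_system_filter++;
 		else if (strncmp(ptr, "dbus-user none", 14) == 0)
 			cnt_dbus_user_none++;
+		else if (strncmp(ptr, "dbus-user", 9) == 0)
+			cnt_dbus_user_filter++;
 		else if (strncmp(ptr, "include ", 8) == 0) {
 			// not processing .local files
 			if (strstr(ptr, ".local")) {
@@ -257,7 +263,9 @@ int main(int argc, char **argv) {
 		int whitelistrunuser = cnt_whitelistrunuser;
 		int whitelistusrshare = cnt_whitelistusrshare;
 		int dbussystemnone = cnt_dbus_system_none;
+		int dbussystemfilter = cnt_dbus_system_filter;
 		int dbususernone = cnt_dbus_user_none;
+		int dbususerfilter = cnt_dbus_user_filter;
 		int ssh = cnt_ssh;
 		int mdwx = cnt_mdwx;
 
@@ -278,6 +286,16 @@ int main(int argc, char **argv) {
 		cnt_globalsdotlocal = globalsdotlocal + 1;
 		if (cnt_whitelistrunuser > (whitelistrunuser + 1))
 			cnt_whitelistrunuser = whitelistrunuser + 1;
+		if (cnt_seccomp > (seccomp + 1))
+			cnt_seccomp = seccomp + 1;
+		if (cnt_dbus_user_none > (dbususernone + 1))
+			cnt_dbus_user_none = dbususernone + 1;
+		if (cnt_dbus_user_filter > (dbususerfilter + 1))
+			cnt_dbus_user_filter = dbususerfilter + 1;
+		if (cnt_dbus_system_none > (dbussystemnone + 1))
+			cnt_dbus_system_none = dbussystemnone + 1;
+		if (cnt_dbus_system_filter > (dbussystemfilter + 1))
+			cnt_dbus_system_filter = dbussystemfilter + 1;
 
 		if (arg_dbus_system_none && dbussystemnone == cnt_dbus_system_none)
 			printf("No dbus-system none found in %s\n", argv[i]);
@@ -337,7 +355,9 @@ int main(int argc, char **argv) {
 	printf(" whitelist usr/share\t\t%d (include whitelist-usr-share-common.inc\n", cnt_whitelistusrshare);
 	printf(" net none\t\t\t%d\n", cnt_netnone);
 	printf(" dbus-user none \t\t%d\n", cnt_dbus_user_none);
+	printf(" dbus-user filter \t\t%d\n", cnt_dbus_user_filter);
 	printf(" dbus-system none \t\t%d\n", cnt_dbus_system_none);
+	printf(" dbus-system filter \t\t%d\n", cnt_dbus_system_filter);
 	printf("\n");
 	return 0;
 }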
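Review bot: The new fallback branches in process_file classify a line as a "filter" profile whenever it merely begins with `dbus-system` or `dbus-user`, so any other directive sharing that prefix (the 11- and 9-character strncmp does not rule one out) is counted as a filter even when the profile carries no `filter` keyword, which makes the "dbus-user filter"/"dbus-system filter" columns printed in main() overstate the number of profiles that actually opted into filtering. Matching the keyword the column is named after is more honest: `else if (strncmp(ptr, "dbus-system filter", 18) == 0)` and `else if (strncmp(ptr, "dbus-user filter", 16) == 0)`. The per-profile clamp added in main() already caps each profile at one increment, so this only changes which profiles are counted, not how many times one profile is counted. A short comment above the chain, `// "none" must be tested before the "filter" keyword so the two buckets stay disjoint`, would record the ordering the code depends on. process_file begins and continues outside this hunk.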