author | netblue30 <netblue30@yahoo.com> | 2020-03-19 08:28:58 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2020-03-19 08:28:58 -0400 |
commit | 61295cefe491504ed50a2046f6cd9e3786370538 (patch) | |
tree | eead56fd8b0723accf6a72383bde4b3c0866f081 | |
parent | misc fixes (diff) | |
profile stats
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | Makefile.in | 3 | ||||
-rw-r--r-- | README.md | 23 | ||||
-rwxr-xr-x | configure | 17 | ||||
-rw-r--r-- | configure.ac | 3 | ||||
-rw-r--r-- | src/profstats/Makefile.in | 14 | ||||
-rw-r--r-- | src/profstats/main.c | 240 |
7 files changed, 297 insertions, 4 deletions
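--- a/.gitignore
+++ b/.gitignore
@@ -33,6 +33,7 @@ src/fsec-optimize/fsec-optimize
 src/fcopy/fcopy
 src/fldd/fldd
 src/fbuilder/fbuilder
+etc/profstats
 uids.h
 seccomp
 seccomp.debug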
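--- a/Makefile.in
+++ b/Makefile.in
@@ -1,6 +1,7 @@
 all: apps man filters
 MYLIBS = src/lib
-APPS = src/firejail src/firemon src/fsec-print src/fsec-optimize src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp
+APPS = src/firejail src/firemon src/fsec-print src/fsec-optimize src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee \
+src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp src/profstats
 MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5
 SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx
 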
@@ -149,6 +149,29 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe | |||
149 | 149 | ||
150 | ## Current development version: 0.9.63 | 150 | ## Current development version: 0.9.63 |
151 | 151 | ||
152 | ### Profile Statistics | ||
153 | |||
154 | A small tool to print profile statistics. Compile as usual (the executable is placed in etc directory( and run: | ||
155 | ````` | ||
156 | $ make | ||
157 | $ cd etc | ||
158 | $ ./profstats *.profile | ||
159 | Stats: | ||
160 | profiles 925 | ||
161 | include local profile 925 (include profile-name.local) | ||
162 | include globals 925 (include globals.local) | ||
163 | blacklist ~/.ssh 910 (include disable-common.inc) | ||
164 | seccomp 868 | ||
165 | capabilities 924 | ||
166 | noexec 785 (include disable-exec.inc) | ||
167 | apparmor 426 | ||
168 | private-dev 788 | ||
169 | private-tmp 687 | ||
170 | whitelist var directory 595 (include whitelist-var-common.inc) | ||
171 | net none 274 | ||
172 | |||
173 | Run ./profstats -h for help. | ||
174 | |||
152 | ### New profiles: | 175 | ### New profiles: |
153 | 176 | ||
154 | gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl, muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free, teams, xournal, gnome-screenshot | 177 | gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et, multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl, muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free, teams, xournal, gnome-screenshot |
@@ -683,6 +683,7 @@ infodir | |||
683 | docdir | 683 | docdir |
684 | oldincludedir | 684 | oldincludedir |
685 | includedir | 685 | includedir |
686 | runstatedir | ||
686 | localstatedir | 687 | localstatedir |
687 | sharedstatedir | 688 | sharedstatedir |
688 | sysconfdir | 689 | sysconfdir |
@@ -776,6 +777,7 @@ datadir='${datarootdir}' | |||
776 | sysconfdir='${prefix}/etc' | 777 | sysconfdir='${prefix}/etc' |
777 | sharedstatedir='${prefix}/com' | 778 | sharedstatedir='${prefix}/com' |
778 | localstatedir='${prefix}/var' | 779 | localstatedir='${prefix}/var' |
780 | runstatedir='${localstatedir}/run' | ||
779 | includedir='${prefix}/include' | 781 | includedir='${prefix}/include' |
780 | oldincludedir='/usr/include' | 782 | oldincludedir='/usr/include' |
781 | docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' | 783 | docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' |
@@ -1028,6 +1030,15 @@ do | |||
1028 | | -silent | --silent | --silen | --sile | --sil) | 1030 | | -silent | --silent | --silen | --sile | --sil) |
1029 | silent=yes ;; | 1031 | silent=yes ;; |
1030 | 1032 | ||
1033 | -runstatedir | --runstatedir | --runstatedi | --runstated \ | ||
1034 | | --runstate | --runstat | --runsta | --runst | --runs \ | ||
1035 | | --run | --ru | --r) | ||
1036 | ac_prev=runstatedir ;; | ||
1037 | -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ | ||
1038 | | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ | ||
1039 | | --run=* | --ru=* | --r=*) | ||
1040 | runstatedir=$ac_optarg ;; | ||
1041 | |||
1031 | -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) | 1042 | -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) |
1032 | ac_prev=sbindir ;; | 1043 | ac_prev=sbindir ;; |
1033 | -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ | 1044 | -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ |
@@ -1165,7 +1176,7 @@ fi | |||
1165 | for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ | 1176 | for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ |
1166 | datadir sysconfdir sharedstatedir localstatedir includedir \ | 1177 | datadir sysconfdir sharedstatedir localstatedir includedir \ |
1167 | oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ | 1178 | oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ |
1168 | libdir localedir mandir | 1179 | libdir localedir mandir runstatedir |
1169 | do | 1180 | do |
1170 | eval ac_val=\$$ac_var | 1181 | eval ac_val=\$$ac_var |
1171 | # Remove trailing slashes. | 1182 | # Remove trailing slashes. |
@@ -1318,6 +1329,7 @@ Fine tuning of the installation directories: | |||
1318 | --sysconfdir=DIR read-only single-machine data [PREFIX/etc] | 1329 | --sysconfdir=DIR read-only single-machine data [PREFIX/etc] |
1319 | --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] | 1330 | --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] |
1320 | --localstatedir=DIR modifiable single-machine data [PREFIX/var] | 1331 | --localstatedir=DIR modifiable single-machine data [PREFIX/var] |
1332 | --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] | ||
1321 | --libdir=DIR object code libraries [EPREFIX/lib] | 1333 | --libdir=DIR object code libraries [EPREFIX/lib] |
1322 | --includedir=DIR C header files [PREFIX/include] | 1334 | --includedir=DIR C header files [PREFIX/include] |
1323 | --oldincludedir=DIR C header files for non-gcc [/usr/include] | 1335 | --oldincludedir=DIR C header files for non-gcc [/usr/include] |
@@ -4174,7 +4186,7 @@ if test "$prefix" = /usr; then | |||
4174 | test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc" | 4186 | test "$sysconfdir" = '${prefix}/etc' && sysconfdir="/etc" |
4175 | fi | 4187 | fi |
4176 | 4188 | ||
4177 | ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile" | 4189 | ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile" |
4178 | 4190 | ||
4179 | cat >confcache <<\_ACEOF | 4191 | cat >confcache <<\_ACEOF |
4180 | # This file is a shell script that caches the results of configure | 4192 | # This file is a shell script that caches the results of configure |
@@ -4902,6 +4914,7 @@ do | |||
4902 | "src/fldd/Makefile") CONFIG_FILES="$CONFIG_FILES src/fldd/Makefile" ;; | 4914 | "src/fldd/Makefile") CONFIG_FILES="$CONFIG_FILES src/fldd/Makefile" ;; |
4903 | "src/libpostexecseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpostexecseccomp/Makefile" ;; | 4915 | "src/libpostexecseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpostexecseccomp/Makefile" ;; |
4904 | "src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;; | 4916 | "src/fsec-optimize/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-optimize/Makefile" ;; |
4917 | "src/profstats/Makefile") CONFIG_FILES="$CONFIG_FILES src/profstats/Makefile" ;; | ||
4905 | 4918 | ||
4906 | *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; | 4919 | *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; |
4907 | esac | 4920 | esac |
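--- a/configure.ac
+++ b/configure.ac
@@ -206,7 +206,8 @@ fi
 
 AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
 src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \
-src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile)
+src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \
+src/profstats/Makefile)
 
 echo
 echo "Configuration options:"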
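--- /dev/null
+++ b/src/profstats/Makefile.in
@@ -0,0 +1,14 @@
+all: ../../etc/profstats
+
+include ../common.mk
+
+%.o : %.c $(H_FILE_LIST)
+$(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
+
+../../etc/profstats: $(OBJS)
+$(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
+
+clean:; rm -fr *.o ../../etc/profstats *.gcov *.gcda *.gcno *.plist
+
+distclean: clean
+rm -fr Makefile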
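--- /dev/null
+++ b/src/profstats/main.c
@@ -0,0 +1,240 @@
+/*
+* Copyright (C) 2014-2020 Firejail Authors
+*
+* This file is part of firejail project
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along
+* with this program; if not, write to the Free Software Foundation, Inc.,
+* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+
+#define MAXBUF 2048
+// stats
+static int cnt_profiles = 0;
+static int cnt_apparmor = 0;
+static int cnt_seccomp = 0;
+static int cnt_caps = 0;
+static int cnt_dotlocal = 0;
+static int cnt_globalsdotlocal = 0;
+static int cnt_netnone = 0;
+static int cnt_noexec = 0; // include disable-exec.inc
+static int cnt_privatedev = 0;
+static int cnt_privatetmp = 0;
+static int cnt_whitelistvar = 0; // include whitelist-var-common.inc
+static int cnt_ssh = 0;
+
+static int level = 0;
+static int arg_debug = 0;
+static int arg_apparmor = 0;
+static int arg_caps = 0;
+static int arg_seccomp = 0;
+static int arg_noexec = 0;
+static int arg_privatedev = 0;
+static int arg_privatetmp = 0;
+static int arg_whitelistvar = 0;
+static int arg_ssh = 0;
+
+static void usage(void) {
+printf("proftool - print profile statistics\n");
+printf("Usage: proftool [options] file[s]\n");
+printf("Options:\n");
+printf(" --apparmor - print profiles without apparmor\n");
+printf(" --caps - print profiles without caps\n");
+printf(" --ssh - print profiles without \"include disable-common.inc\"\n");
+printf(" --noexec - print profiles without \"include disable-exec.inc\"\n");
+printf(" --private-dev - print profiles without private-dev\n");
+printf(" --private-tmp - print profiles without private-tmp\n");
+printf(" --seccomp - print profiles without seccomp\n");
+printf(" --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n");
+printf(" --debug\n");
+printf("\n");
+}
+
+void process_file(const char *fname) {
+assert(fname);
+
+if (arg_debug)
+printf("processing #%s#\n", fname);
+level++;
+assert(level < 32); // to do - check in firejail code
+
+FILE *fp = fopen(fname, "r");
+if (!fp) {
+fprintf(stderr, "Error: cannot open %s\n", fname);
+exit(1);
+}
+
+char buf[MAXBUF];
+while (fgets(buf, MAXBUF, fp)) {
+char *ptr = strchr(buf, '\n');
+if (ptr)
+*ptr = '\0';
+ptr = buf;
+
+while (*ptr == ' ' || *ptr == '\t')
+ptr++;
+if (*ptr == '\n' || *ptr == '#')
+continue;
+
+if (strncmp(ptr, "seccomp", 7) == 0)
+cnt_seccomp++;
+else if (strncmp(ptr, "caps", 4) == 0)
+cnt_caps++;
+else if (strncmp(ptr, "include disable-exec.inc", 24) == 0)
+cnt_noexec++;
+else if (strncmp(ptr, "include whitelist-var-common.inc", 32) == 0)
+cnt_whitelistvar++;
+else if (strncmp(ptr, "include disable-common.inc", 26) == 0)
+cnt_ssh++;
+else if (strncmp(ptr, "net none", 8) == 0)
+cnt_netnone++;
+else if (strncmp(ptr, "apparmor", 8) == 0)
+cnt_apparmor++;
+else if (strncmp(ptr, "private-dev", 11) == 0)
+cnt_privatedev++;
+else if (strncmp(ptr, "private-tmp", 11) == 0)
+cnt_privatetmp++;
+else if (strncmp(ptr, "include ", 8) == 0) {
+// not processing .local files
+if (strstr(ptr, ".local")) {
+//printf("dotlocal %d, level %d - #%s#, redirect #%s#\n", cnt_dotlocal, level, fname, buf + 8);
+if (strstr(ptr, "globals.local"))
+cnt_globalsdotlocal++;
+else
+cnt_dotlocal++;
+continue;
+}
+process_file(buf + 8);
+}
+}
+
+fclose(fp);
+level--;
+}
+
+int main(int argc, char **argv) {
+if (argc <= 1) {
+usage();
+return 1;
+}
+
+int start = 1;
+int i;
+for (i = 1; i < argc; i++) {
+if (strcmp(argv[i], "--help") == 0) {
+usage();
+return 0;
+}
+else if (strcmp(argv[i], "--debug") == 0)
+arg_debug = 1;
+else if (strcmp(argv[i], "--apparmor") == 0)
+arg_apparmor = 1;
+else if (strcmp(argv[i], "--caps") == 0)
+arg_caps = 1;
+else if (strcmp(argv[i], "--seccomp") == 0)
+arg_seccomp = 1;
+else if (strcmp(argv[i], "--noexec") == 0)
+arg_noexec = 1;
+else if (strcmp(argv[i], "--private-dev") == 0)
+arg_privatedev = 1;
+else if (strcmp(argv[i], "--private-tmp") == 0)
+arg_privatetmp = 1;
+else if (strcmp(argv[i], "--whitelist-var") == 0)
+arg_whitelistvar = 1;
+else if (strcmp(argv[i], "--ssh") == 0)
+arg_ssh = 1;
+else if (*argv[i] == '-') {
+fprintf(stderr, "Error: invalid option %s\n", argv[i]);
+return 1;
+}
+else
+break;
+}
+
+start = i;
+if (i == argc) {
+fprintf(stderr, "Error: no porfile file specified\n");
+return 1;
+}
+
+for (i = start; i < argc; i++) {
+cnt_profiles++;
+
+// watch seccomp
+int seccomp = cnt_seccomp;
+int caps = cnt_caps;
+int apparmor = cnt_apparmor;
+int noexec = cnt_noexec;
+int privatetmp = cnt_privatetmp;
+int privatedev = cnt_privatedev;
+int dotlocal = cnt_dotlocal;
+int globalsdotlocal = cnt_globalsdotlocal;
+int whitelistvar = cnt_whitelistvar;
+int ssh = cnt_ssh;
+
+// process file
+process_file(argv[i]);
+
+// warnings
+if ((caps + 2) <= cnt_caps) {
+printf("Warning: multiple caps in %s\n", argv[i]);
+cnt_caps = caps + 1;
+}
+
+// fix redirections
+if (cnt_dotlocal > (dotlocal + 1))
+cnt_dotlocal = dotlocal + 1;
+if (cnt_globalsdotlocal > (globalsdotlocal + 1))
+cnt_globalsdotlocal = globalsdotlocal + 1;
+
+if (arg_apparmor && apparmor == cnt_apparmor)
+printf("No apparmor found in %s\n", argv[i]);
+if (arg_caps && caps == cnt_caps)
+printf("No caps found in %s\n", argv[i]);
+if (arg_seccomp && seccomp == cnt_seccomp)
+printf("No seccomp found in %s\n", argv[i]);
+if (arg_noexec && noexec == cnt_noexec)
+printf("No include disable-exec.inc found in %s\n", argv[i]);
+if (arg_privatedev && privatedev == cnt_privatedev)
+printf("No private-dev found in %s\n", argv[i]);
+if (arg_privatetmp && privatetmp == cnt_privatetmp)
+printf("No private-tmp found in %s\n", argv[i]);
+if (arg_whitelistvar && whitelistvar == cnt_whitelistvar)
+printf("No include whitelist-var-common.inc found in %s\n", argv[i]);
+if (arg_ssh && ssh == cnt_ssh)
+printf("No include disable-common.inc found in %s\n", argv[i]);
+
+assert(level == 0);
+}
+
+printf("\n");
+printf("Stats:\n");
+printf(" profiles\t\t\t%d\n", cnt_profiles);
+printf(" include local profile\t%d (include profile-name.local)\n", cnt_dotlocal);
+printf(" include globals\t\t%d (include globals.local)\n", cnt_dotlocal);
+printf(" blacklist ~/.ssh\t\t%d (include disable-common.inc)\n", cnt_ssh);
+printf(" seccomp\t\t\t%d\n", cnt_seccomp);
+printf(" capabilities\t\t%d\n", cnt_caps);
+printf(" noexec\t\t\t%d (include disable-exec.inc)\n", cnt_noexec);
+printf(" apparmor\t\t\t%d\n", cnt_apparmor);
+printf(" private-dev\t\t\t%d\n", cnt_privatedev);
+printf(" private-tmp\t\t\t%d\n", cnt_privatetmp);
+printf(" whitelist var directory\t%d (include whitelist-var-common.inc)\n", cnt_whitelistvar);
+printf(" net none\t\t\t%d\n", cnt_netnone);
+printf("\n");
+return 0;
+}
\ No newline at end of file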
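Review bot: The summary line for "include globals" (line 228) prints `cnt_dotlocal` instead of `cnt_globalsdotlocal`, so the globals.local figure in the Stats block is always a copy of the profile-name.local figure; it should read `printf(" include globals\t\t%d (include globals.local)\n", cnt_globalsdotlocal);`. In process_file, line 121 recurses with `buf + 8` even though the `include ` keyword was matched at `ptr`, the whitespace-trimmed start of the line, so an indented include line yields a path missing its first characters and a spurious "cannot open" exit — it should be `process_file(ptr + 8);`. The blank-line test at line 90 compares against `'\n'` after the newline was already replaced at lines 83-85, so the intended check is `*ptr == '\0'`, although blank lines currently fall through harmlessly because they match no keyword. Lastly, `process_file` is neither `static` nor declared in a header; marking it `static` keeps the tool's one non-public function out of the global namespace and silences missing-prototype warnings.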