authorLibravatar netblue30 <netblue30@yahoo.com>2020-10-02 12:43:56 -0400
committerLibravatar netblue30 <netblue30@yahoo.com>2020-10-02 12:43:56 -0400
commit2b0fe9759501818b10e0654e7f83383bb4b8e8a4 (patch)
tree998e9a852ca75eba18c145f1f9e27bb50d4d829a
parentsplitting up media players whitelists in whitelist-players.inc - relnotes (diff)
profstats - add count for whitelisted home dir, dbus-user none
-rw-r--r--README.md38
-rw-r--r--src/profstats/main.c22
2 files changed, 42 insertions, 18 deletions
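--- a/README.md
+++ b/README.md
@@ -166,25 +166,27 @@ $ ./profstats *.profile
 Warning: multiple caps in transmission-daemon.profile
 
 Stats:
- profiles 1025
- include local profile 1025 (include profile-name.local)
- include globals 1025 (include globals.local)
- blacklist ~/.ssh 1001 (include disable-common.inc)
- seccomp 971
- capabilities 1024
- noexec 895 (include disable-exec.inc)
- memory-deny-write-execute 217
- apparmor 546
- private-bin 537
- private-dev 893
- private-etc 426
- private-tmp 780
- whitelist var 691 (include whitelist-var-common.inc)
- whitelist run/user 329 (include whitelist-runuser-common.inc
+ profiles 1029
+ include local profile 1029 (include profile-name.local)
+ include globals 1029 (include globals.local)
+ blacklist ~/.ssh 1005 (include disable-common.inc)
+ seccomp 975
+ capabilities 1028
+ noexec 899 (include disable-exec.inc)
+ memory-deny-write-execute 220
+ apparmor 549
+ private-bin 542
+ private-dev 897
+ private-etc 431
+ private-tmp 784
+ whitelist home directory 469
+ whitelist var 695 (include whitelist-var-common.inc)
+ whitelist run/user 334 (include whitelist-runuser-common.inc
  or blacklist ${RUNUSER})
- whitelist usr/share 349 (include whitelist-usr-share-common.inc
- net none 329
- dbus-system none 624
+ whitelist usr/share 354 (include whitelist-usr-share-common.inc
+ net none 332
+ dbus-user none 523
+ dbus-system none 627
 `````
 
 ### New profiles: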
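--- a/src/profstats/main.c
+++ b/src/profstats/main.c
@@ -29,6 +29,7 @@ static int cnt_apparmor = 0;
 static int cnt_seccomp = 0;
 static int cnt_caps = 0;
 static int cnt_dbus_system_none = 0;
+static int cnt_dbus_user_none = 0;
 static int cnt_dotlocal = 0;
 static int cnt_globalsdotlocal = 0;
 static int cnt_netnone = 0;
@@ -42,6 +43,7 @@ static int cnt_whitelistrunuser = 0; // include whitelist-runuser-common.inc
 static int cnt_whitelistusrshare = 0; // include whitelist-usr-share-common.inc
 static int cnt_ssh = 0;
 static int cnt_mdwx = 0;
+static int cnt_whitelisthome = 0;
 
 static int level = 0;
 static int arg_debug = 0;
@@ -59,6 +61,8 @@ static int arg_whitelistusrshare = 0;
 static int arg_ssh = 0;
 static int arg_mdwx = 0;
 static int arg_dbus_system_none = 0;
+static int arg_dbus_user_none = 0;
+static int arg_whitelisthome = 0;
 
 
 static char *profile = NULL;
@@ -71,6 +75,7 @@ static void usage(void) {
  printf(" --apparmor - print profiles without apparmor\n");
  printf(" --caps - print profiles without caps\n");
  printf(" --dbus-system-none - profiles without \"dbus-system none\"\n");
+ printf(" --dbus-user-none - profiles without \"dbus-user none\"\n");
  printf(" --ssh - print profiles without \"include disable-common.inc\"\n");
  printf(" --noexec - print profiles without \"include disable-exec.inc\"\n");
  printf(" --private-bin - print profiles without private-bin\n");
@@ -79,6 +84,7 @@ static void usage(void) {
  printf(" --private-tmp - print profiles without private-tmp\n");
  printf(" --seccomp - print profiles without seccomp\n");
  printf(" --memory-deny-write-execute - profile without \"memory-deny-write-execute\"\n");
+ printf(" --whitelist-home - print profiles whitelisting home directory\n");
  printf(" --whitelist-var - print profiles without \"include whitelist-var-common.inc\"\n");
  printf(" --whitelist-runuser - print profiles without \"include whitelist-runuser-common.inc\" or \"blacklist ${RUNUSER}\"\n");
  printf(" --whitelist-usrshare - print profiles without \"include whitelist-usr-share-common.inc\"\n");
@@ -124,6 +130,8 @@ void process_file(const char *fname) {
  else if (strncmp(ptr, "include whitelist-runuser-common.inc", 36) == 0 ||
  strncmp(ptr, "blacklist ${RUNUSER}", 20) == 0)
  cnt_whitelistrunuser++;
+ else if (strncmp(ptr, "include whitelist-common.inc", 28) == 0)
+ cnt_whitelisthome++;
  else if (strncmp(ptr, "include whitelist-usr-share-common.inc", 38) == 0)
  cnt_whitelistusrshare++;
  else if (strncmp(ptr, "include disable-common.inc", 26) == 0)
@@ -144,6 +152,8 @@ void process_file(const char *fname) {
  cnt_privateetc++;
  else if (strncmp(ptr, "dbus-system none", 16) == 0)
  cnt_dbus_system_none++;
+ else if (strncmp(ptr, "dbus-user none", 14) == 0)
+ cnt_dbus_user_none++;
  else if (strncmp(ptr, "include ", 8) == 0) {
  // not processing .local files
  if (strstr(ptr, ".local")) {
@@ -200,6 +210,8 @@ int main(int argc, char **argv) {
  arg_privatetmp = 1;
  else if (strcmp(argv[i], "--private-etc") == 0)
  arg_privateetc = 1;
+ else if (strcmp(argv[i], "--whitelist-home") == 0)
+ arg_whitelisthome = 1;
  else if (strcmp(argv[i], "--whitelist-var") == 0)
  arg_whitelistvar = 1;
  else if (strcmp(argv[i], "--whitelist-runuser") == 0)
@@ -210,6 +222,8 @@ int main(int argc, char **argv) {
  arg_ssh = 1;
  else if (strcmp(argv[i], "--dbus-system-none") == 0)
  arg_dbus_system_none = 1;
+ else if (strcmp(argv[i], "--dbus-user-none") == 0)
+ arg_dbus_user_none = 1;
  else if (*argv[i] == '-') {
  fprintf(stderr, "Error: invalid option %s\n", argv[i]);
  return 1;
@@ -238,10 +252,12 @@ int main(int argc, char **argv) {
  int privateetc = cnt_privateetc;
  int dotlocal = cnt_dotlocal;
  int globalsdotlocal = cnt_globalsdotlocal;
+ int whitelisthome = cnt_whitelisthome;
  int whitelistvar = cnt_whitelistvar;
  int whitelistrunuser = cnt_whitelistrunuser;
  int whitelistusrshare = cnt_whitelistusrshare;
  int dbussystemnone = cnt_dbus_system_none;
+ int dbususernone = cnt_dbus_user_none;
  int ssh = cnt_ssh;
  int mdwx = cnt_mdwx;
 
@@ -265,6 +281,8 @@ int main(int argc, char **argv) {
 
  if (arg_dbus_system_none && dbussystemnone == cnt_dbus_system_none)
  printf("No dbus-system none found in %s\n", argv[i]);
+ if (arg_dbus_user_none && dbususernone == cnt_dbus_user_none)
+ printf("No dbus-user none found in %s\n", argv[i]);
  if (arg_apparmor && apparmor == cnt_apparmor)
  printf("No apparmor found in %s\n", argv[i]);
  if (arg_caps && caps == cnt_caps)
@@ -281,6 +299,8 @@ int main(int argc, char **argv) {
  printf("No private-tmp found in %s\n", argv[i]);
  if (arg_privateetc && privateetc == cnt_privateetc)
  printf("No private-etc found in %s\n", argv[i]);
+ if (arg_whitelisthome && whitelisthome == cnt_whitelisthome)
+ printf("Home directory not whitelisted in %s\n", argv[i]);
  if (arg_whitelistvar && whitelistvar == cnt_whitelistvar)
  printf("No include whitelist-var-common.inc found in %s\n", argv[i]);
  if (arg_whitelistrunuser && whitelistrunuser == cnt_whitelistrunuser)
@@ -310,11 +330,13 @@ int main(int argc, char **argv) {
  printf(" private-dev\t\t\t%d\n", cnt_privatedev);
  printf(" private-etc\t\t\t%d\n", cnt_privateetc);
  printf(" private-tmp\t\t\t%d\n", cnt_privatetmp);
+ printf(" whitelist home directory\t%d\n", cnt_whitelisthome);
  printf(" whitelist var\t\t%d (include whitelist-var-common.inc)\n", cnt_whitelistvar);
  printf(" whitelist run/user\t\t%d (include whitelist-runuser-common.inc\n", cnt_whitelistrunuser);
  printf("\t\t\t\t\tor blacklist ${RUNUSER})\n");
  printf(" whitelist usr/share\t\t%d (include whitelist-usr-share-common.inc\n", cnt_whitelistusrshare);
  printf(" net none\t\t\t%d\n", cnt_netnone);
+ printf(" dbus-user none \t\t%d\n", cnt_dbus_user_none);
  printf(" dbus-system none \t\t%d\n", cnt_dbus_system_none);
  printf("\n");
  return 0;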
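Review bot: The new usage line for `--whitelist-home` in the second usage() hunk says the option prints "profiles whitelisting home directory", but the check added in the `@@ -281,6 +299,8 @@` hunk fires only when cnt_whitelisthome did not change for the file, i.e. it lists profiles *without* the feature, exactly like every other `--x` option here. The help text is inverted relative to the behaviour; make it `printf(" --whitelist-home - print profiles without \"include whitelist-common.inc\"\n");`. The counter itself is driven solely by the `include whitelist-common.inc` prefix match in process_file(), so a profile that whitelists home paths directly is not counted, and the stats label should say so the way its neighbours do: `printf(" whitelist home directory\t%d (include whitelist-common.inc)\n", cnt_whitelisthome);`. The bodies of usage(), process_file() and main() all begin and end outside these hunks.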