retiring --audit (replaced by jailtest)

21 files changed, 5 insertions, 1057 deletions

diff --git a/Makefile.in b/Makefile.in
index b0deee03b..dae2079b4 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -24,7 +24,7 @@ endif
 COMPLETIONDIRS = src/zsh_completion src/bash_completion
 all: all_items mydirs $(MAN_TARGET) filters
 APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats src/jailtest/jailtest
-SBOX_APPS = src/faudit/faudit src/fbuilder/fbuilder src/ftee/ftee
+SBOX_APPS = src/fbuilder/fbuilder src/ftee/ftee
 SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter
 MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS)
 MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
diff --git a/configure b/configure
index 7ef95075e..e5e0dcc0d 100755
--- a/configure
+++ b/configure
@@ -4366,7 +4366,7 @@ fi
 
 ac_config_files="$ac_config_files mkdeb.sh"
 
-ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile src/jailtest/Makefile"
+ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile src/jailtest/Makefile"
 
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
@@ -5090,7 +5090,6 @@ do
     "src/fbuilder/Makefile") CONFIG_FILES="$CONFIG_FILES src/fbuilder/Makefile" ;;
     "src/fsec-print/Makefile") CONFIG_FILES="$CONFIG_FILES src/fsec-print/Makefile" ;;
     "src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;;
-    "src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;;
     "src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;;
     "src/fldd/Makefile") CONFIG_FILES="$CONFIG_FILES src/fldd/Makefile" ;;
     "src/libpostexecseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libpostexecseccomp/Makefile" ;;
diff --git a/configure.ac b/configure.ac
index 2654a2699..e8bd6fb80 100644
--- a/configure.ac
+++ b/configure.ac
@@ -305,7 +305,7 @@ fi
 AC_CONFIG_FILES([mkdeb.sh], [chmod +x mkdeb.sh])
 AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
 src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \
-src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \
+src/ftee/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \
 src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile \
 src/jailtest/Makefile)
 
diff --git a/src/faudit/Makefile.in b/src/faudit/Makefile.in
deleted file mode 100644
index 44c121a4c..000000000
--- a/src/faudit/Makefile.in
+++ /dev/null
@@ -1,14 +0,0 @@
-all: faudit
-
-include ../common.mk
-
-%.o : %.c $(H_FILE_LIST)
-        $(CC) $(CFLAGS) $(EXTRA_CFLAGS) $(INCLUDE) -c $< -o $@
-
-faudit: $(OBJS)
-        $(CC)  $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(EXTRA_LDFLAGS)
-
-clean:; rm -fr *.o faudit *.gcov *.gcda *.gcno *.plist
-
-distclean: clean
-        rm -fr Makefile
diff --git a/src/faudit/caps.c b/src/faudit/caps.c
deleted file mode 100644
index e9547dc8e..000000000
--- a/src/faudit/caps.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Copyright (C) 2014-2021 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-
-#include "faudit.h"
-#include <linux/capability.h>
-
-#define MAXBUF 4098
-static int extract_caps(uint64_t *val) {
-        FILE *fp = fopen("/proc/self/status", "r");
-        if (!fp)
-                return 1;
-
-        char buf[MAXBUF];
-        while (fgets(buf, MAXBUF, fp)) {
-                if (strncmp(buf, "CapBnd:\t", 8) == 0) {
-                        char *ptr = buf + 8;
-                        unsigned long long tmp;
-                        sscanf(ptr, "%llx", &tmp);
-                        *val = tmp;
-                        fclose(fp);
-                        return 0;
-                }
-        }
-
-        fclose(fp);
-        return 1;
-}
-
-// return 1 if the capability is in the map
-static int check_capability(uint64_t map, int cap) {
-        int i;
-        uint64_t mask = 1ULL;
-
-        for (i = 0; i < 64; i++, mask <<= 1) {
-                if ((i == cap) && (mask & map))
-                        return 1;
-        }
-
-        return 0;
-}
-
-void caps_test(void) {
-        uint64_t caps_val;
-
-        if (extract_caps(&caps_val)) {
-                printf("SKIP: cannot extract capabilities on this platform.\n");
-                return;
-        }
-
-        if (caps_val) {
-                printf("BAD: the capability map is %llx, it should be all zero. ", (unsigned long long) caps_val);
-                printf("Use \"firejail --caps.drop=all\" to fix it.\n");
-
-                if (check_capability(caps_val, CAP_SYS_ADMIN))
-                        printf("UGLY: CAP_SYS_ADMIN is enabled.\n");
-                if (check_capability(caps_val, CAP_SYS_BOOT))
-                        printf("UGLY: CAP_SYS_BOOT is enabled.\n");
-        }
-        else
-                printf("GOOD: all capabilities are disabled.\n");
-}
diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c
deleted file mode 100644
index 389504fb8..000000000
--- a/src/faudit/dbus.c
+++ /dev/null
@@ -1,131 +0,0 @@
-/*
- * Copyright (C) 2014-2021 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-#include "../include/rundefs.h"
-#include <stdarg.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-
-// return 0 if the connection is possible
-int check_unix(const char *sockfile) {
-        assert(sockfile);
-        int rv = -1;
-
-        // open socket
-        int sock = socket(AF_UNIX, SOCK_STREAM, 0);
-        if (sock == -1)
-                return rv;
-
-        // connect
-        struct sockaddr_un remote;
-        memset(&remote, 0, sizeof(struct sockaddr_un));
-        remote.sun_family = AF_UNIX;
-        strncpy(remote.sun_path, sockfile, sizeof(remote.sun_path) - 1);
-        int len = strlen(remote.sun_path) + sizeof(remote.sun_family);
-        if (*sockfile == '@')
-                remote.sun_path[0] = '\0';
-        if (connect(sock, (struct sockaddr *)&remote, len) == 0)
-                rv = 0;
-
-        close(sock);
-        return rv;
-}
-
-static char *test_dbus_env(char *env_var_name) {
-        // check the session bus
-        char *str = getenv(env_var_name);
-        char *found = NULL;
-        if (str) {
-                int rv = 0;
-                char *bus = strdup(str);
-                if (!bus)
-                        errExit("strdup");
-                char *sockfile;
-                if ((sockfile = strstr(bus, "unix:abstract=")) != NULL) {
-                        sockfile += 13;
-                        *sockfile = '@';
-                        char *ptr = strchr(sockfile, ',');
-                        if (ptr)
-                                *ptr = '\0';
-                        rv = check_unix(sockfile);
-                        *sockfile = '@';
-                        if (rv == 0)
-                                printf("MAYBE: D-Bus socket %s is available\n", sockfile);
-                        else if (rv == -1)
-                                printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile);
-                }
-                else if ((sockfile = strstr(bus, "unix:path=")) != NULL) {
-                        sockfile += 10;
-                        char *ptr = strchr(sockfile, ',');
-                        if (ptr)
-                                *ptr = '\0';
-                        rv = check_unix(sockfile);
-                        if (rv == 0) {
-                                if (strcmp(RUN_DBUS_USER_SOCKET, sockfile) == 0 ||
-                                        strcmp(RUN_DBUS_SYSTEM_SOCKET, sockfile) == 0) {
-                                        printf("GOOD: D-Bus filtering is active on %s\n", sockfile);
-                                } else {
-                                        printf("MAYBE: D-Bus socket %s is available\n", sockfile);
-                                }
-                        }
-                        else if (rv == -1)
-                                printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile);
-                        found = strdup(sockfile);
-                        if (!found)
-                                errExit("strdup");
-                }
-                else if (strstr(bus, "tcp:host=") != NULL)
-                        printf("UGLY: %s bus configured for TCP communication.\n", env_var_name);
-                else
-                        printf("GOOD: cannot find a %s D-Bus socket\n", env_var_name);
-                free(bus);
-        }
-        else
-                printf("MAYBE: %s environment variable not configured.\n", env_var_name);
-        return found;
-}
-
-static void test_default_socket(const char *found, const char *format, ...) {
-        va_list ap;
-        va_start(ap, format);
-        char *sockfile;
-        if (vasprintf(&sockfile, format, ap) == -1)
-                errExit("vasprintf");
-        va_end(ap);
-        if (found != NULL && strcmp(found, sockfile) == 0)
-                goto end;
-        int rv = check_unix(sockfile);
-        if (rv == 0)
-                printf("MAYBE: D-Bus socket %s is available\n", sockfile);
-end:
-        free(sockfile);
-}
-
-void dbus_test(void) {
-        char *found_user = test_dbus_env("DBUS_SESSION_BUS_ADDRESS");
-        test_default_socket(found_user, "/run/user/%d/bus", (int) getuid());
-        test_default_socket(found_user, "/run/user/%d/dbus/user_bus_socket", (int) getuid());
-        if (found_user != NULL)
-                free(found_user);
-        char *found_system = test_dbus_env("DBUS_SYSTEM_BUS_ADDRESS");
-        test_default_socket(found_system, "/run/dbus/system_bus_socket");
-        if (found_system != NULL)
-                free(found_system);
-}
diff --git a/src/faudit/dev.c b/src/faudit/dev.c
deleted file mode 100644
index 61cb1cabe..000000000
--- a/src/faudit/dev.c
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2014-2021 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-#include <dirent.h>
-
-void dev_test(void) {
-        DIR *dir;
-        if (!(dir = opendir("/dev"))) {
-                fprintf(stderr, "Error: cannot open /dev directory\n");
-                return;
-        }
-
-        struct dirent *entry;
-        printf("INFO: files visible in /dev directory: ");
-        int cnt = 0;
-        while ((entry = readdir(dir)) != NULL) {
-                if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
-                        continue;
-
-                printf("%s, ", entry->d_name);
-                cnt++;
-        }
-        printf("\n");
-
-        if (cnt > 20)
-                printf("MAYBE: /dev directory seems to be fully populated. Use --private-dev or --whitelist to restrict the access.\n");
-        else
-                printf("GOOD: Access to /dev directory is restricted.\n");
-        closedir(dir);
-}
diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h
deleted file mode 100644
index cfed1504b..000000000
--- a/src/faudit/faudit.h
+++ /dev/null
@@ -1,68 +0,0 @@
-/*
- * Copyright (C) 2014-2021 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-
-#ifndef FAUDIT_H
-#define FAUDIT_H
-#define _GNU_SOURCE
-#include <stdio.h>
-#include <stdlib.h>
-#include <stdint.h>
-#include <string.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/mount.h>
-#include <assert.h>
-
-#define errExit(msg)    do { char msgout[500]; snprintf(msgout, 500, "Error %s:%s(%d)", msg, __FUNCTION__, __LINE__); perror(msgout); exit(1);} while (0)
-
-// main.c
-extern char *prog;
-
-// pid.c
-void pid_test(void);
-
-// caps.c
-void caps_test(void);
-
-// seccomp.c
-void seccomp_test(void);
-
-// syscall.c
-void syscall_helper(int argc, char **argv);
-void syscall_run(const char *name);
-
-// files.c
-void files_test(void);
-
-// network.c
-void network_test(void);
-
-// dbus.c
-int check_unix(const char *sockfile);
-void dbus_test(void);
-
-// dev.c
-void dev_test(void);
-
-// x11.c
-void x11_test(void);
-
-#endif
diff --git a/src/faudit/files.c b/src/faudit/files.c
deleted file mode 100644
index 73e0a387d..000000000
--- a/src/faudit/files.c
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- * Copyright (C) 2014-2021 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-#include <fcntl.h>
-#include <pwd.h>
-
-static char *username = NULL;
-static char *homedir = NULL;
-
-static void check_home_file(const char *name) {
-        assert(homedir);
-
-        char *fname;
-        if (asprintf(&fname, "%s/%s", homedir, name) ==  -1)
-                errExit("asprintf");
-
-        if (access(fname, R_OK) == 0) {
-                printf("UGLY: I can access files in %s directory. ", fname);
-                printf("Use \"firejail --blacklist=%s\" to block it.\n", fname);
-        }
-        else
-                printf("GOOD: I cannot access files in %s directory.\n", fname);
-
-        free(fname);
-}
-
-void files_test(void) {
-        struct passwd *pw = getpwuid(getuid());
-        if (!pw) {
-                fprintf(stderr, "Error: cannot retrieve user account information\n");
-                return;
-        }
-
-        username = strdup(pw->pw_name);
-        if (!username)
-                errExit("strdup");
-        homedir = strdup(pw->pw_dir);
-        if (!homedir)
-                errExit("strdup");
-
-        // check access to .ssh directory
-        check_home_file(".ssh");
-
-        // check access to .gnupg directory
-        check_home_file(".gnupg");
-
-        // check access to Firefox browser directory
-        check_home_file(".mozilla");
-
-        // check access to Chromium browser directory
-        check_home_file(".config/chromium");
-
-        // check access to Debian Icedove directory
-        check_home_file(".icedove");
-
-        // check access to Thunderbird directory
-        check_home_file(".thunderbird");
-}
diff --git a/src/faudit/main.c b/src/faudit/main.c
deleted file mode 100644
index 605d5ff7b..000000000
--- a/src/faudit/main.c
+++ /dev/null
@@ -1,98 +0,0 @@
-/*
- * Copyright (C) 2014-2021 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-char *prog;
-
-int main(int argc, char **argv) {
-        // make test-arguments helper
-        if (getenv("FIREJAIL_TEST_ARGUMENTS")) {
-                printf("Arguments:\n");
-
-                int i;
-                for (i = 0; i < argc; i++) {
-                        printf("#%s#\n", argv[i]);
-                }
-
-                return 0;
-        }
-
-
-        if (argc != 1) {
-                int i;
-
-                for (i = 1; i < argc; i++) {
-                        if (strcmp(argv[i], "syscall") == 0) {
-                                syscall_helper(argc, argv);
-                                return 0;
-                        }
-                }
-                return 1;
-        }
-
-        printf("\n---------------- Firejail Audit: the GOOD, the BAD and the UGLY ----------------\n");
-
-        // extract program name
-        prog = realpath(argv[0], NULL);
-        if (prog == NULL) {
-                prog = strdup("faudit");
-                if (!prog)
-                        errExit("strdup");
-        }
-        printf("INFO: starting %s.\n", prog);
-
-
-        // check pid namespace
-        pid_test();
-        printf("\n");
-
-        // check seccomp
-        seccomp_test();
-        printf("\n");
-
-        // check capabilities
-        caps_test();
-        printf("\n");
-
-        // check some well-known problematic files and directories
-        files_test();
-        printf("\n");
-
-        // network
-        network_test();
-        printf("\n");
-
-        // dbus
-        dbus_test();
-        printf("\n");
-
-        // x11 test
-        x11_test();
-        printf("\n");
-
-        // /dev test
-        dev_test();
-        printf("\n");
-
-
-        free(prog);
-        printf("--------------------------------------------------------------------------------\n");
-
-        return 0;
-}
diff --git a/src/faudit/network.c b/src/faudit/network.c
deleted file mode 100644
index 8e799dc19..000000000
--- a/src/faudit/network.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
- * Copyright (C) 2014-2021 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-#include <sys/socket.h>
-#include <arpa/inet.h>
-#include <linux/netlink.h>
-#include <linux/rtnetlink.h>
-
-static void check_ssh(void) {
-        // open socket
-        int sock = socket(AF_INET, SOCK_STREAM, 0);
-        if (sock == -1) {
-                printf("GOOD: SSH server not available on localhost.\n");
-                return;
-        }
-
-        // connect to localhost
-        struct sockaddr_in server;
-        server.sin_addr.s_addr = inet_addr("127.0.0.1");
-        server.sin_family = AF_INET;
-        server.sin_port = htons(22);
-
-        if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0)
-                printf("GOOD: SSH server not available on localhost.\n");
-        else {
-                printf("MAYBE: an SSH server is accessible on localhost. ");
-                printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
-        }
-
-        close(sock);
-}
-
-static void check_http(void) {
-        // open socket
-        int sock = socket(AF_INET, SOCK_STREAM, 0);
-        if (sock == -1) {
-                printf("GOOD: HTTP server not available on localhost.\n");
-                return;
-        }
-
-        // connect to localhost
-        struct sockaddr_in server;
-        server.sin_addr.s_addr = inet_addr("127.0.0.1");
-        server.sin_family = AF_INET;
-        server.sin_port = htons(80);
-
-        if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0)
-                printf("GOOD: HTTP server not available on localhost.\n");
-        else {
-                printf("MAYBE: an HTTP server is accessible on localhost. ");
-                printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n");
-        }
-
-        close(sock);
-}
-
-void check_netlink(void) {
-        int sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, 0);
-        if (sock == -1) {
-                printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n");
-                return;
-        }
-
-        struct sockaddr_nl local;
-        memset(&local, 0, sizeof(local));
-        local.nl_family = AF_NETLINK;
-        local.nl_groups = 0; //subscriptions;
-
-        if (bind(sock, (struct sockaddr*)&local, sizeof(local)) < 0) {
-                printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n");
-                close(sock);
-                return;
-        }
-
-        close(sock);
-        printf("MAYBE: I can connect to netlink socket. Network utilities such as iproute2 will work fine in the sandbox. ");
-        printf("You can use \"--protocol\" to disable the socket.\n");
-}
-
-void network_test(void) {
-        check_ssh();
-        check_http();
-        check_netlink();
-}
diff --git a/src/faudit/pid.c b/src/faudit/pid.c
deleted file mode 100644
index ec8c37dc7..000000000
--- a/src/faudit/pid.c
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
- * Copyright (C) 2014-2021 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-
-void pid_test(void) {
-        static char *kern_proc[] = {
-                "kthreadd",
-                "ksoftirqd",
-                "kworker",
-                "rcu_sched",
-                "rcu_bh",
-                NULL    // NULL terminated list
-        };
-        int i;
-
-        // look at the first 10 processes
-        int not_visible = 1;
-        for (i = 1; i <= 10; i++) {
-                struct stat s;
-                char *fname;
-                if (asprintf(&fname, "/proc/%d/comm", i) == -1)
-                        errExit("asprintf");
-                if (stat(fname, &s) == -1) {
-                        free(fname);
-                        continue;
-                }
-
-                // open file
-                /* coverity[toctou] */
-                FILE *fp = fopen(fname, "r");
-                if (!fp) {
-                        free(fname);
-                        continue;
-                }
-
-                // read file
-                char buf[100];
-                if (fgets(buf, 10, fp) == NULL) {
-                        fclose(fp);
-                        free(fname);
-                        continue;
-                }
-                not_visible = 0;
-
-                // clean /n
-                char *ptr;
-                if ((ptr = strchr(buf, '\n')) != NULL)
-                        *ptr = '\0';
-
-                // check process name against the kernel list
-                int j = 0;
-                while (kern_proc[j] != NULL) {
-                        if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) {
-                                fclose(fp);
-                                free(fname);
-                                printf("BAD: Process %d is not running in a PID namespace. ", getpid());
-                                printf("Are you sure you're running in a sandbox?\n");
-                                return;
-                        }
-                        j++;
-                }
-
-                fclose(fp);
-                free(fname);
-        }
-
-        pid_t pid = getpid();
-        if (not_visible && pid > 100)
-                printf("BAD: Process %d is not running in a PID namespace.\n", pid);
-        else
-                printf("GOOD: process %d is running in a PID namespace.\n", pid);
-
-        // try to guess the type of container/sandbox
-        char *str = getenv("container");
-        if (str)
-                printf("INFO: container/sandbox %s.\n", str);
-        else {
-                str = getenv("SNAP");
-                if (str)
-                        printf("INFO: this is a snap package\n");
-        }
-}
diff --git a/src/faudit/seccomp.c b/src/faudit/seccomp.c
deleted file mode 100644
index d8acee160..000000000
--- a/src/faudit/seccomp.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
- * Copyright (C) 2014-2021 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-
-#define MAXBUF 4098
-static int extract_seccomp(int *val) {
-        FILE *fp = fopen("/proc/self/status", "r");
-        if (!fp)
-                return 1;
-
-        char buf[MAXBUF];
-        while (fgets(buf, MAXBUF, fp)) {
-                if (strncmp(buf, "Seccomp:\t", 9) == 0) {
-                        char *ptr = buf + 9;
-                        int tmp;
-                        sscanf(ptr, "%d", &tmp);
-                        *val = tmp;
-                        fclose(fp);
-                        return 0;
-                }
-        }
-
-        fclose(fp);
-        return 1;
-}
-
-void seccomp_test(void) {
-        int seccomp_status;
-        int rv = extract_seccomp(&seccomp_status);
-
-        if (rv) {
-                printf("INFO: cannot extract seccomp configuration on this platform.\n");
-                return;
-        }
-
-        if (seccomp_status == 0) {
-                printf("BAD: seccomp disabled. Use \"firejail --seccomp\" to enable it.\n");
-        }
-        else if (seccomp_status == 1)
-                printf("GOOD: seccomp strict mode - only  read, write, _exit, and sigreturn are allowed.\n");
-        else if (seccomp_status == 2) {
-                printf("GOOD: seccomp BPF enabled.\n");
-
-                printf("checking syscalls: "); fflush(0);
-                printf("mount... "); fflush(0);
-                syscall_run("mount");
-
-                printf("umount2... "); fflush(0);
-                syscall_run("umount2");
-
-                printf("ptrace... "); fflush(0);
-                syscall_run("ptrace");
-
-                printf("swapon... "); fflush(0);
-                syscall_run("swapon");
-
-                printf("swapoff... "); fflush(0);
-                syscall_run("swapoff");
-
-                printf("init_module... "); fflush(0);
-                syscall_run("init_module");
-
-                printf("delete_module... "); fflush(0);
-                syscall_run("delete_module");
-
-                printf("chroot... "); fflush(0);
-                syscall_run("chroot");
-
-                printf("pivot_root... "); fflush(0);
-                syscall_run("pivot_root");
-
-#if defined(__i386__) || defined(__x86_64__)
-                printf("iopl... "); fflush(0);
-                syscall_run("iopl");
-
-                printf("ioperm... "); fflush(0);
-                syscall_run("ioperm");
-#endif
-                printf("\n");
-        }
-        else
-                fprintf(stderr, "Error: unrecognized seccomp mode\n");
-
-}
diff --git a/src/faudit/syscall.c b/src/faudit/syscall.c
deleted file mode 100644
index 11e83a0f5..000000000
--- a/src/faudit/syscall.c
+++ /dev/null
@@ -1,105 +0,0 @@
-/*
- * Copyright (C) 2014-2021 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-#include <sys/ptrace.h>
-#include <sys/swap.h>
-#if defined(__i386__) || defined(__x86_64__)
-#include <sys/io.h>
-#endif
-#include <sys/wait.h>
-extern int init_module(void *module_image, unsigned long len,
-                       const char *param_values);
-extern int finit_module(int fd, const char *param_values,
-                        int flags);
-extern int delete_module(const char *name, int flags);
-extern int pivot_root(const char *new_root, const char *put_old);
-
-void syscall_helper(int argc, char **argv) {
-        (void) argc;
-
-        if (argc < 3)
-                return;
-
-        if (strcmp(argv[2], "mount") == 0) {
-                int rv = mount(NULL, NULL, NULL, 0, NULL);
-                (void) rv;
-                printf("\nUGLY: mount syscall permitted.\n");
-        }
-        else if (strcmp(argv[2], "umount2") == 0) {
-                umount2(NULL, 0);
-                printf("\nUGLY: umount2 syscall permitted.\n");
-        }
-        else if (strcmp(argv[2], "ptrace") == 0) {
-                ptrace(0, 0, NULL, NULL);
-                printf("\nUGLY: ptrace syscall permitted.\n");
-        }
-        else if (strcmp(argv[2], "swapon") == 0) {
-                swapon(NULL, 0);
-                printf("\nUGLY: swapon syscall permitted.\n");
-        }
-        else if (strcmp(argv[2], "swapoff") == 0) {
-                swapoff(NULL);
-                printf("\nUGLY: swapoff syscall permitted.\n");
-        }
-        else if (strcmp(argv[2], "init_module") == 0) {
-                init_module(NULL, 0, NULL);
-                printf("\nUGLY: init_module syscall permitted.\n");
-        }
-        else if (strcmp(argv[2], "delete_module") == 0) {
-                delete_module(NULL, 0);
-                printf("\nUGLY: delete_module syscall permitted.\n");
-        }
-        else if (strcmp(argv[2], "chroot") == 0) {
-                int rv = chroot("/blablabla-57281292");
-                (void) rv;
-                printf("\nUGLY: chroot syscall permitted.\n");
-        }
-        else if (strcmp(argv[2], "pivot_root") == 0) {
-                pivot_root(NULL, NULL);
-                printf("\nUGLY: pivot_root syscall permitted.\n");
-        }
-#if defined(__i386__) || defined(__x86_64__)
-        else if (strcmp(argv[2], "iopl") == 0) {
-                iopl(0L);
-                printf("\nUGLY: iopl syscall permitted.\n");
-        }
-        else if (strcmp(argv[2], "ioperm") == 0) {
-                ioperm(0, 0, 0);
-                printf("\nUGLY: ioperm syscall permitted.\n");
-        }
-#endif
-        exit(0);
-}
-
-void syscall_run(const char *name) {
-        assert(prog);
-
-        pid_t child = fork();
-        if (child < 0)
-                errExit("fork");
-        if (child == 0) {
-                execl(prog, prog, "syscall", name, NULL);
-                perror("execl");
-                _exit(1);
-        }
-
-        // wait for the child to finish
-        waitpid(child, NULL, 0);
-}
diff --git a/src/faudit/x11.c b/src/faudit/x11.c
deleted file mode 100644
index 2ffd7bac7..000000000
--- a/src/faudit/x11.c
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * Copyright (C) 2014-2021 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "faudit.h"
-#include <sys/socket.h>
-#include <dirent.h>
-
-
-void x11_test(void) {
-        // check regular display 0 sockets
-        if (check_unix("/tmp/.X11-unix/X0") == 0)
-                printf("MAYBE: X11 socket /tmp/.X11-unix/X0 is available\n");
-
-        if (check_unix("@/tmp/.X11-unix/X0") == 0)
-                printf("MAYBE: X11 socket @/tmp/.X11-unix/X0 is available\n");
-
-        // check all unix sockets in /tmp/.X11-unix directory
-        DIR *dir;
-        if (!(dir = opendir("/tmp/.X11-unix"))) {
-                // sleep 2 seconds and try again
-                sleep(2);
-                if (!(dir = opendir("/tmp/.X11-unix"))) {
-                        ;
-                }
-        }
-
-        if (dir == NULL)
-                printf("GOOD: cannot open /tmp/.X11-unix directory\n");
-        else {
-                struct dirent *entry;
-                while ((entry = readdir(dir)) != NULL) {
-                        if (strcmp(entry->d_name, "X0") == 0)
-                                continue;
-                        if (strcmp(entry->d_name, ".") == 0)
-                                continue;
-                        if (strcmp(entry->d_name, "..") == 0)
-                                continue;
-                        char *name;
-                        if (asprintf(&name, "/tmp/.X11-unix/%s", entry->d_name) == -1)
-                                errExit("asprintf");
-                        if (check_unix(name) == 0)
-                                printf("MAYBE: X11 socket %s is available\n", name);
-                        free(name);
-                }
-                closedir(dir);
-        }
-}
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index c8080f778..b21b5bef6 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -328,8 +328,6 @@ extern int arg_keep_var_tmp; // don't overwrite /var/tmp
 extern int arg_writable_run_user;       // writable /run/user
 extern int arg_writable_var_log; // writable /var/log
 extern int arg_appimage;        // appimage
-extern int arg_audit;           // audit
-extern char *arg_audit_prog;    // audit
 extern int arg_apparmor;        // apparmor
 extern int arg_allow_debuggers; // allow debuggers
 extern int arg_x11_block;       // block X11
diff --git a/src/firejail/join.c b/src/firejail/join.c
index a8011aa14..1575a7469 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -411,7 +411,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
         extract_x11_display(parent);
 
         int shfd = -1;
-        if (!arg_shell_none && !arg_audit)
+        if (!arg_shell_none)
                 shfd = open_shell();
 
         EUID_ROOT();
diff --git a/src/firejail/main.c b/src/firejail/main.c
index fe806dcdb..9705c2436 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -130,8 +130,6 @@ int arg_keep_var_tmp = 0;                       // don't overwrite /var/tmp
 int arg_writable_run_user = 0;                  // writable /run/user
 int arg_writable_var_log = 0;           // writable /var/log
 int arg_appimage = 0;                           // appimage
-int arg_audit = 0;                              // audit
-char *arg_audit_prog = NULL;                    // audit
 int arg_apparmor = 0;                           // apparmor
 int arg_allow_debuggers = 0;                    // allow debuggers
 int arg_x11_block = 0;                          // block X11
@@ -2608,28 +2606,6 @@ int main(int argc, char **argv, char **envp) {
                 //*************************************
                 else if (strncmp(argv[i], "--timeout=", 10) == 0)
                         cfg.timeout = extract_timeout(argv[i] + 10);
-                else if (strcmp(argv[i], "--audit") == 0) {
-                        arg_audit_prog = LIBDIR "/firejail/faudit";
-                        profile_add_ignore("shell none");
-                        arg_audit = 1;
-                }
-                else if (strncmp(argv[i], "--audit=", 8) == 0) {
-                        if (strlen(argv[i] + 8) == 0) {
-                                fprintf(stderr, "Error: invalid audit program\n");
-                                exit(1);
-                        }
-                        arg_audit_prog = strdup(argv[i] + 8);
-                        if (!arg_audit_prog)
-                                errExit("strdup");
-
-                        struct stat s;
-                        if (stat(arg_audit_prog, &s) != 0) {
-                                fprintf(stderr, "Error: cannot find the audit program %s\n", arg_audit_prog);
-                                exit(1);
-                        }
-                        profile_add_ignore("shell none");
-                        arg_audit = 1;
-                }
                 else if (strcmp(argv[i], "--appimage") == 0)
                         arg_appimage = 1;
                 else if (strcmp(argv[i], "--shell=none") == 0) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index f1ab895db..a04551ed4 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -475,23 +475,9 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
         }
 
         //****************************************
-        // audit
-        //****************************************
-        if (arg_audit) {
-                assert(arg_audit_prog);
-
-#ifdef HAVE_GCOV
-                __gcov_dump();
-#endif
-                seccomp_install_filters();
-                if (set_sandbox_status)
-                        *set_sandbox_status = SANDBOX_DONE;
-                execl(arg_audit_prog, arg_audit_prog, NULL);
-        }
-        //****************************************
         // start the program without using a shell
         //****************************************
-        else if (arg_shell_none) {
+        if (arg_shell_none) {
                 if (arg_debug) {
                         int i;
                         for (i = cfg.original_program_index; i < cfg.original_argc; i++) {
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index adba5da40..8f9cc065f 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -33,7 +33,6 @@ static char *usage_str =
         "    --apparmor - enable AppArmor confinement.\n"
         "    --apparmor.print=name|pid - print apparmor status.\n"
         "    --appimage - sandbox an AppImage application.\n"
-        "    --audit[=test-program] - audit the sandbox.\n"
 #ifdef HAVE_NETWORK
         "    --bandwidth=name|pid - set bandwidth limits.\n"
 #endif
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 639b171cd..f9111ae7b 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -155,12 +155,6 @@ $ firejail --appimage --private krita-3.0-x86_64.appimage
 $ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage
 #endif
 .TP
-\fB\-\-audit
-Audit the sandbox, see \fBAUDIT\fR section for more details.
-.TP
-\fB\-\-audit=test-program
-Audit the sandbox, see \fBAUDIT\fR section for more details.
-.TP
 \fB\-\-bandwidth=name|pid
 Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details.
 .TP
@@ -2972,30 +2966,6 @@ To enable AppArmor confinement on top of your current Firejail security features
 $ firejail --apparmor firefox
 #endif
 
-.SH AUDIT
-Audit feature allows the user to point out gaps in security profiles. The
-implementation replaces the program to be sandboxed with a test program. By
-default, we use faudit program distributed with Firejail. A custom test program
-can also be supplied by the user. Examples:
-
-Running the default audit program:
-.br
-        $ firejail --audit transmission-gtk
-
-Running a custom audit program:
-.br
-        $ firejail --audit=~/sandbox-test transmission-gtk
-
-In the examples above, the sandbox configures transmission-gtk profile and
-starts the test program. The real program, transmission-gtk, will not be
-started.
-
-You can also audit a specific profile without specifying a program.
-.br
-        $ firejail --audit --profile=/etc/firejail/zoom.profile
-
-Limitations: audit feature is not implemented for --x11 commands.
-
 .SH DESKTOP INTEGRATION
 A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.
 The symbolic link should be placed in the first $PATH position. On most systems, a good place