diff options
| author |  netblue30 <netblue30@yahoo.com> | 2016-10-01 09:36:22 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2016-10-01 09:36:22 -0400 |
| commit | 74ad73c808ecbd4e0ccdfb1d6893b65c68647c62 (patch) | |
| tree | 44dd0ad9ea6802292f7a5ac4a3e228fa65c61c82 | |
| parent | gimp and inkscape profiles (diff) | |
| download | firejail-74ad73c808ecbd4e0ccdfb1d6893b65c68647c62.tar.gz firejail-74ad73c808ecbd4e0ccdfb1d6893b65c68647c62.tar.zst firejail-74ad73c808ecbd4e0ccdfb1d6893b65c68647c62.zip | |
x11 detection support for --audit
| -rw-r--r-- | src/faudit/dbus.c | 59 | ||||
| -rw-r--r-- | src/faudit/faudit.h | 1 | ||||
| -rw-r--r-- | src/faudit/main.c | 5 | ||||
| -rw-r--r-- | src/faudit/x11.c | 62 | ||||
| -rw-r--r-- | todo | 14 |
5 files changed, 123 insertions, 18 deletions
diff --git a/src/faudit/dbus.c b/src/faudit/dbus.c index 64f5d8ae4..d17d3922a 100644 --- a/src/faudit/dbus.c +++ b/src/faudit/dbus.c | |||
| @@ -21,15 +21,15 @@ | |||
| 21 | #include <sys/socket.h> | 21 | #include <sys/socket.h> |
| 22 | #include <sys/un.h> | 22 | #include <sys/un.h> |
| 23 | 23 | ||
| 24 | void check_session_bus(const char *sockfile) { | 24 | // return 0 if the connection is possible |
| 25 | int check_unix(const char *sockfile) { | ||
| 25 | assert(sockfile); | 26 | assert(sockfile); |
| 26 | 27 | int rv = -1; | |
| 28 | |||
| 27 | // open socket | 29 | // open socket |
| 28 | int sock = socket(AF_UNIX, SOCK_STREAM, 0); | 30 | int sock = socket(AF_UNIX, SOCK_STREAM, 0); |
| 29 | if (sock == -1) { | 31 | if (sock == -1) |
| 30 | printf("GOOD: I cannot connect to session bus. If the application misbehaves, please log a bug with the application developer.\n"); | 32 | return rv; |
| 31 | return; | ||
| 32 | } | ||
| 33 | 33 | ||
| 34 | // connect | 34 | // connect |
| 35 | struct sockaddr_un remote; | 35 | struct sockaddr_un remote; |
| @@ -37,35 +37,60 @@ void check_session_bus(const char *sockfile) { | |||
| 37 | remote.sun_family = AF_UNIX; | 37 | remote.sun_family = AF_UNIX; |
| 38 | strcpy(remote.sun_path, sockfile); | 38 | strcpy(remote.sun_path, sockfile); |
| 39 | int len = strlen(remote.sun_path) + sizeof(remote.sun_family); | 39 | int len = strlen(remote.sun_path) + sizeof(remote.sun_family); |
| 40 | remote.sun_path[0] = '\0'; | 40 | if (*sockfile == '@') |
| 41 | if (connect(sock, (struct sockaddr *)&remote, len) == -1) { | 41 | remote.sun_path[0] = '\0'; |
| 42 | printf("GOOD: I cannot connect to session bus. If the application misbehaves, please log a bug with the application developer.\n"); | 42 | if (connect(sock, (struct sockaddr *)&remote, len) == 0) |
| 43 | } | 43 | rv = 0; |
| 44 | else { | 44 | |
| 45 | printf("MAYBE: I can connect to session bus. It could be a good idea to disable it by creating a new network namespace using \"--net=none\" or \"--net=eth0\".\n"); | ||
| 46 | } | ||
| 47 | |||
| 48 | close(sock); | 45 | close(sock); |
| 46 | return rv; | ||
| 49 | } | 47 | } |
| 50 | 48 | ||
| 51 | void dbus_test(void) { | 49 | void dbus_test(void) { |
| 52 | // check the session bus | 50 | // check the session bus |
| 53 | char *str = getenv("DBUS_SESSION_BUS_ADDRESS"); | 51 | char *str = getenv("DBUS_SESSION_BUS_ADDRESS"); |
| 54 | if (str) { | 52 | if (str) { |
| 53 | int rv = 0; | ||
| 55 | char *bus = strdup(str); | 54 | char *bus = strdup(str); |
| 56 | if (!bus) | 55 | if (!bus) |
| 57 | errExit("strdup"); | 56 | errExit("strdup"); |
| 58 | char *sockfile = strstr(bus, "unix:abstract="); | 57 | char *sockfile; |
| 59 | if (sockfile) { | 58 | if ((sockfile = strstr(bus, "unix:abstract=")) != NULL) { |
| 60 | sockfile += 13; | 59 | sockfile += 13; |
| 61 | *sockfile = '@'; | 60 | *sockfile = '@'; |
| 62 | char *ptr = strchr(sockfile, ','); | 61 | char *ptr = strchr(sockfile, ','); |
| 63 | if (ptr) | 62 | if (ptr) |
| 64 | *ptr = '\0'; | 63 | *ptr = '\0'; |
| 65 | check_session_bus(sockfile); | 64 | rv = check_unix(sockfile); |
| 65 | *sockfile = '@'; | ||
| 66 | if (rv == 0) | ||
| 67 | printf("MAYBE: D-Bus socket %s is available\n", sockfile); | ||
| 68 | else if (rv == -1) | ||
| 69 | printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile); | ||
| 70 | } | ||
| 71 | else if ((sockfile = strstr(bus, "unix:path=")) != NULL) { | ||
| 72 | sockfile += 10; | ||
| 73 | char *ptr = strchr(sockfile, ','); | ||
| 74 | if (ptr) | ||
| 75 | *ptr = '\0'; | ||
| 76 | rv = check_unix(sockfile); | ||
| 77 | if (rv == 0) | ||
| 78 | printf("MAYBE: D-Bus socket %s is available\n", sockfile); | ||
| 79 | else if (rv == -1) | ||
| 80 | printf("GOOD: cannot connect to D-Bus socket %s\n", sockfile); | ||
| 81 | } | ||
| 82 | else if ((sockfile = strstr(bus, "tcp:host=")) != NULL) { | ||
| 83 | printf("UGLY: session bus configured for TCPcommunication.\n"); | ||
| 84 | rv = -2; | ||
| 66 | } | 85 | } |
| 86 | else | ||
| 87 | printf("GOOD: cannot find a D-Bus socket\n"); | ||
| 88 | |||
| 89 | |||
| 67 | free(bus); | 90 | free(bus); |
| 68 | } | 91 | } |
| 92 | else | ||
| 93 | printf("GOOD: DBUS_SESSION_BUS_ADDRESS environment variable not configured."); | ||
| 69 | } | 94 | } |
| 70 | 95 | ||
| 71 | 96 | ||
diff --git a/src/faudit/faudit.h b/src/faudit/faudit.h index 93fb4b709..3fddbf1f5 100644 --- a/src/faudit/faudit.h +++ b/src/faudit/faudit.h | |||
| @@ -56,6 +56,7 @@ void files_test(void); | |||
| 56 | void network_test(void); | 56 | void network_test(void); |
| 57 | 57 | ||
| 58 | // dbus.c | 58 | // dbus.c |
| 59 | int check_unix(const char *sockfile); | ||
| 59 | void dbus_test(void); | 60 | void dbus_test(void); |
| 60 | 61 | ||
| 61 | // dev.c | 62 | // dev.c |
diff --git a/src/faudit/main.c b/src/faudit/main.c index 6ff938d98..61005945d 100644 --- a/src/faudit/main.c +++ b/src/faudit/main.c | |||
| @@ -69,10 +69,15 @@ int main(int argc, char **argv) { | |||
| 69 | dbus_test(); | 69 | dbus_test(); |
| 70 | printf("\n"); | 70 | printf("\n"); |
| 71 | 71 | ||
| 72 | // x11 test | ||
| 73 | x11_test(); | ||
| 74 | printf("\n"); | ||
| 75 | |||
| 72 | // /dev test | 76 | // /dev test |
| 73 | dev_test(); | 77 | dev_test(); |
| 74 | printf("\n"); | 78 | printf("\n"); |
| 75 | 79 | ||
| 80 | |||
| 76 | free(prog); | 81 | free(prog); |
| 77 | printf("--------------------------------------------------------------------------------\n"); | 82 | printf("--------------------------------------------------------------------------------\n"); |
| 78 | 83 | ||
diff --git a/src/faudit/x11.c b/src/faudit/x11.c new file mode 100644 index 000000000..e1a4bf66e --- /dev/null +++ b/src/faudit/x11.c | |||
| @@ -0,0 +1,62 @@ | |||
| 1 | /* | ||
| 2 | * Copyright (C) 2014-2016 Firejail Authors | ||
| 3 | * | ||
| 4 | * This file is part of firejail project | ||
| 5 | * | ||
| 6 | * This program is free software; you can redistribute it and/or modify | ||
| 7 | * it under the terms of the GNU General Public License as published by | ||
| 8 | * the Free Software Foundation; either version 2 of the License, or | ||
| 9 | * (at your option) any later version. | ||
| 10 | * | ||
| 11 | * This program is distributed in the hope that it will be useful, | ||
| 12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
| 13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
| 14 | * GNU General Public License for more details. | ||
| 15 | * | ||
| 16 | * You should have received a copy of the GNU General Public License along | ||
| 17 | * with this program; if not, write to the Free Software Foundation, Inc., | ||
| 18 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
| 19 | */ | ||
| 20 | #include "faudit.h" | ||
| 21 | #include <sys/socket.h> | ||
| 22 | #include <dirent.h> | ||
| 23 | |||
| 24 | |||
| 25 | void x11_test(void) { | ||
| 26 | // check regular display 0 sockets | ||
| 27 | if (check_unix("/tmp/.X11-unix/X0") == 0) | ||
| 28 | printf("MAYBE: X11 socket /tmp/.X11-unix/X0 is available\n"); | ||
| 29 | |||
| 30 | if (check_unix("@/tmp/.X11-unix/X0") == 0) | ||
| 31 | printf("MAYBE: X11 socket @/tmp/.X11-unix/X0 is available\n"); | ||
| 32 | |||
| 33 | // check all unix sockets in /tmp/.X11-unix directory | ||
| 34 | DIR *dir; | ||
| 35 | if (!(dir = opendir("/tmp/.X11-unix"))) { | ||
| 36 | // sleep 2 seconds and try again | ||
| 37 | sleep(2); | ||
| 38 | if (!(dir = opendir("/tmp/.X11-unix"))) | ||
| 39 | ; | ||
| 40 | } | ||
| 41 | |||
| 42 | if (dir == NULL) | ||
| 43 | printf("GOOD: cannot open /tmp/.X11-unix directory\n"); | ||
| 44 | else { | ||
| 45 | struct dirent *entry; | ||
| 46 | while ((entry = readdir(dir)) != NULL) { | ||
| 47 | if (strcmp(entry->d_name, "X0") == 0) | ||
| 48 | continue; | ||
| 49 | if (strcmp(entry->d_name, ".") == 0) | ||
| 50 | continue; | ||
| 51 | if (strcmp(entry->d_name, "..") == 0) | ||
| 52 | continue; | ||
| 53 | char *name; | ||
| 54 | if (asprintf(&name, "/tmp/.X11-unix/%s", entry->d_name) == -1) | ||
| 55 | errExit("asprintf"); | ||
| 56 | if (check_unix(name) == 0) | ||
| 57 | printf("MAYBE: X11 socket %s is available\n", name); | ||
| 58 | free(name); | ||
| 59 | } | ||
| 60 | closedir(dir); | ||
| 61 | } | ||
| 62 | } | ||
| @@ -273,4 +273,16 @@ dm-crypt+LUKS – dm-crypt is a transparent disk encryption subsystem in | |||
| 273 | Linux kernel v2.6+ and later and DragonFly BSD. It can encrypt whole disks, | 273 | Linux kernel v2.6+ and later and DragonFly BSD. It can encrypt whole disks, |
| 274 | removable media, partitions, software RAID volumes, logical volumes, and files. | 274 | removable media, partitions, software RAID volumes, logical volumes, and files. |
| 275 | 275 | ||
| 276 | 28. add support for whitelisting /mtn | 276 | 28. Merge --dbus=none from https://github.com/Sidnioulz/firejail |
| 277 | |||
| 278 | // block dbus session bus the hard way if necessary | ||
| 279 | if (cfg.dbus == 0) { | ||
| 280 | char *dbus_path; | ||
| 281 | if (asprintf(&dbus_path, "/run/user/%d/bus", getuid()) == -1) | ||
| 282 | errExit("asprintf"); | ||
| 283 | fs_blacklist_file(dbus_path); | ||
| 284 | free(dbus_path); | ||
| 285 | } | ||
| 286 | |||
| 287 | |||
| 288 | |||