diff options
| author |  netblue30 <netblue30@yahoo.com> | 2016-07-05 07:24:10 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2016-07-05 07:24:10 -0400 |
| commit | 3f8d6787b7ccff3ed7ff77a3b474856ae1be6a9b (patch) | |
| tree | 15b9f2e7810b0812eaa9827a4ee668ee29b6551f /src/faudit/network.c | |
| parent | src/faudit/dbus.c (diff) | |
| download | firejail-3f8d6787b7ccff3ed7ff77a3b474856ae1be6a9b.tar.gz firejail-3f8d6787b7ccff3ed7ff77a3b474856ae1be6a9b.tar.zst firejail-3f8d6787b7ccff3ed7ff77a3b474856ae1be6a9b.zip | |
faudit: dbus
Diffstat (limited to 'src/faudit/network.c')
| -rw-r--r-- | src/faudit/network.c | 35 |
1 files changed, 30 insertions, 5 deletions
diff --git a/src/faudit/network.c b/src/faudit/network.c index 697b1d1fb..bb3116c3b 100644 --- a/src/faudit/network.c +++ b/src/faudit/network.c | |||
| @@ -20,14 +20,14 @@ | |||
| 20 | #include "faudit.h" | 20 | #include "faudit.h" |
| 21 | #include <sys/socket.h> | 21 | #include <sys/socket.h> |
| 22 | #include <arpa/inet.h> | 22 | #include <arpa/inet.h> |
| 23 | #include <linux/netlink.h> | ||
| 24 | #include <linux/rtnetlink.h> | ||
| 23 | 25 | ||
| 24 | void check_ssh(void) { | 26 | void check_ssh(void) { |
| 25 | printf("INFO: looking for ssh servers running on localhost\n"); | ||
| 26 | |||
| 27 | // open socket | 27 | // open socket |
| 28 | int sock = socket(AF_INET, SOCK_STREAM, 0); | 28 | int sock = socket(AF_INET, SOCK_STREAM, 0); |
| 29 | if (sock == -1) { | 29 | if (sock == -1) { |
| 30 | printf("Error: cannot create an IPv4 socket\n"); | 30 | printf("GOOD: SSH server not available on localhost.\n"); |
| 31 | return; | 31 | return; |
| 32 | } | 32 | } |
| 33 | 33 | ||
| @@ -38,15 +38,40 @@ void check_ssh(void) { | |||
| 38 | server.sin_port = htons(22); | 38 | server.sin_port = htons(22); |
| 39 | 39 | ||
| 40 | if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0) | 40 | if (connect(sock , (struct sockaddr *)&server , sizeof(server)) < 0) |
| 41 | printf("GOOD: SSH server not available on localhost\n"); | 41 | printf("GOOD: SSH server not available on localhost.\n"); |
| 42 | else { | 42 | else { |
| 43 | printf("MAYBE: an SSH server is accessible on localhost\n"); | 43 | printf("MAYBE: An SSH server is accessible on localhost. "); |
| 44 | printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n"); | 44 | printf("It could be a good idea to create a new network namespace using \"--net=none\" or \"--net=eth0\".\n"); |
| 45 | } | 45 | } |
| 46 | 46 | ||
| 47 | close(sock); | 47 | close(sock); |
| 48 | } | 48 | } |
| 49 | |||
| 50 | void check_netlink(void) { | ||
| 51 | socklen_t addr_len; | ||
| 52 | int sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, 0); | ||
| 53 | if (sock == -1) { | ||
| 54 | printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n"); | ||
| 55 | return; | ||
| 56 | } | ||
| 57 | |||
| 58 | struct sockaddr_nl local; | ||
| 59 | memset(&local, 0, sizeof(local)); | ||
| 60 | local.nl_family = AF_NETLINK; | ||
| 61 | local.nl_groups = 0; //subscriptions; | ||
| 62 | |||
| 63 | if (bind(sock, (struct sockaddr*)&local, sizeof(local)) < 0) { | ||
| 64 | printf("GOOD: I cannot connect to netlink socket. Network utilities such as iproute2 will not work in the sandbox.\n"); | ||
| 65 | close(sock); | ||
| 66 | return; | ||
| 67 | } | ||
| 68 | |||
| 69 | close(sock); | ||
| 70 | printf("MAYBE: I can connect to netlink socket. Network utilities such as iproute2 will work fine in the sandbox. "); | ||
| 71 | printf("You can use \"--protocol\" to disable the socket.\n"); | ||
| 72 | } | ||
| 49 | 73 | ||
| 50 | void network_test(void) { | 74 | void network_test(void) { |
| 51 | check_ssh(); | 75 | check_ssh(); |
| 76 | check_netlink(); | ||
| 52 | } | 77 | } |