author | netblue30 <netblue30@yahoo.com> | 2016-07-11 10:01:45 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2016-07-11 10:01:45 -0400 |
commit | 5bef777f30c7d5c2640486d33453b8648beb1eee (patch) | |
tree | f5cdf663f1a2ba44febaac9fb14588583fa825e8 /src/faudit/pid.c | |
parent | snap platform (diff) | |
download | firejail-5bef777f30c7d5c2640486d33453b8648beb1eee.tar.gz firejail-5bef777f30c7d5c2640486d33453b8648beb1eee.tar.zst firejail-5bef777f30c7d5c2640486d33453b8648beb1eee.zip |
audit work
Diffstat (limited to 'src/faudit/pid.c')
-rw-r--r-- | src/faudit/pid.c | 21 |
1 files changed, 16 insertions, 5 deletions
diff --git a/src/faudit/pid.c b/src/faudit/pid.c index 2770daece..a0fb1d921 100644 --- a/src/faudit/pid.c +++ b/src/faudit/pid.c | |||
@@ -31,6 +31,7 @@ void pid_test(void) { | |||
31 | int i; | 31 | int i; |
32 | 32 | ||
33 | // look at the first 10 processes | 33 | // look at the first 10 processes |
34 | int not_visible = 1; | ||
34 | for (i = 1; i <= 10; i++) { | 35 | for (i = 1; i <= 10; i++) { |
35 | struct stat s; | 36 | struct stat s; |
36 | char *fname; | 37 | char *fname; |
@@ -45,7 +46,7 @@ void pid_test(void) { | |||
45 | /* coverity[toctou] */ | 46 | /* coverity[toctou] */ |
46 | FILE *fp = fopen(fname, "r"); | 47 | FILE *fp = fopen(fname, "r"); |
47 | if (!fp) { | 48 | if (!fp) { |
48 | fprintf(stderr, "Warning: cannot open %s\n", fname); | 49 | // fprintf(stderr, "Warning: cannot open %s\n", fname); |
49 | free(fname); | 50 | free(fname); |
50 | continue; | 51 | continue; |
51 | } | 52 | } |
@@ -53,11 +54,13 @@ void pid_test(void) { | |||
53 | // read file | 54 | // read file |
54 | char buf[100]; | 55 | char buf[100]; |
55 | if (fgets(buf, 10, fp) == NULL) { | 56 | if (fgets(buf, 10, fp) == NULL) { |
56 | fprintf(stderr, "Warning: cannot read %s\n", fname); | 57 | // fprintf(stderr, "Warning: cannot read %s\n", fname); |
57 | fclose(fp); | 58 | fclose(fp); |
58 | free(fname); | 59 | free(fname); |
59 | continue; | 60 | continue; |
60 | } | 61 | } |
62 | not_visible = 0; | ||
63 | |||
61 | // clean /n | 64 | // clean /n |
62 | char *ptr; | 65 | char *ptr; |
63 | if ((ptr = strchr(buf, '\n')) != NULL) | 66 | if ((ptr = strchr(buf, '\n')) != NULL) |
@@ -69,7 +72,7 @@ void pid_test(void) { | |||
69 | if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) { | 72 | if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) { |
70 | fclose(fp); | 73 | fclose(fp); |
71 | free(fname); | 74 | free(fname); |
72 | printf("BAD: Process %d, not running in a PID namespace. ", getpid()); | 75 | printf("BAD: Process %d is not running in a PID namespace. ", getpid()); |
73 | printf("Are you sure you're running in a sandbox?\n"); | 76 | printf("Are you sure you're running in a sandbox?\n"); |
74 | return; | 77 | return; |
75 | } | 78 | } |
@@ -80,11 +83,19 @@ void pid_test(void) { | |||
80 | free(fname); | 83 | free(fname); |
81 | } | 84 | } |
82 | 85 | ||
83 | 86 | pid_t pid = getpid(); | |
84 | printf("GOOD: process %d running in a PID namespace.\n", getpid()); | 87 | if (not_visible && pid > 100) |
88 | printf("BAD: Process %d is not running in a PID namespace.\n", pid); | ||
89 | else | ||
90 | printf("GOOD: process %d is running in a PID namespace.\n", pid); | ||
85 | 91 | ||
86 | // try to guess the type of container/sandbox | 92 | // try to guess the type of container/sandbox |
87 | char *str = getenv("container"); | 93 | char *str = getenv("container"); |
88 | if (str) | 94 | if (str) |
89 | printf("INFO: container/sandbox %s.\n", str); | 95 | printf("INFO: container/sandbox %s.\n", str); |
96 | else { | ||
97 | str = getenv("SNAP"); | ||
98 | if (str) | ||
99 | printf("INFO: this is a snap package\n"); | ||
100 | } | ||
90 | } | 101 | } |
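Review bot: The new verdict at new line 87, `if (not_visible && pid > 100)`, combines two heuristics without explaining either: `not_visible` only records that none of the `/proc` entries for PIDs 1..10 could be opened and read, which is also what happens when `/proc` is mounted with `hidepid=2` or is not mounted at all, so the BAD message can be printed for reasons unrelated to PID namespaces, and `100` is an undocumented magic number. I would name the constant and state the assumption above the check, e.g. `// Heuristic: inside a fresh PID namespace the sandboxed processes get low PIDs, so a PID above PID_NS_GUESS_THRESHOLD with none of PIDs 1..10 readable suggests no PID namespace; note that /proc hidepid=2 also trips this.`, and ideally report the unreadable-/proc case separately (for instance, if the same path built for `getpid()` cannot be opened, print a warning instead of a verdict). The silenced diagnostics at new lines 49 and 57 should be deleted rather than kept as commented-out code, or replaced by a single summary line, since the per-PID warning was presumably noisy inside a namespace where those PIDs do not exist. The body of pid_test starts before the first hunk, so the construction of `fname` is not visible here.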