diff options
| author |  netblue30 <netblue30@yahoo.com> | 2016-07-11 10:01:45 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@yahoo.com> | 2016-07-11 10:01:45 -0400 |
| commit | 5bef777f30c7d5c2640486d33453b8648beb1eee (patch) | |
| tree | f5cdf663f1a2ba44febaac9fb14588583fa825e8 /src/faudit/pid.c | |
| parent | snap platform (diff) | |
| download | firejail-5bef777f30c7d5c2640486d33453b8648beb1eee.tar.gz firejail-5bef777f30c7d5c2640486d33453b8648beb1eee.tar.zst firejail-5bef777f30c7d5c2640486d33453b8648beb1eee.zip | |
audit work
Diffstat (limited to 'src/faudit/pid.c')
| -rw-r--r-- | src/faudit/pid.c | 21 |
1 files changed, 16 insertions, 5 deletions
diff --git a/src/faudit/pid.c b/src/faudit/pid.c index 2770daece..a0fb1d921 100644 --- a/src/faudit/pid.c +++ b/src/faudit/pid.c | |||
| @@ -31,6 +31,7 @@ void pid_test(void) { | |||
| 31 | int i; | 31 | int i; |
| 32 | 32 | ||
| 33 | // look at the first 10 processes | 33 | // look at the first 10 processes |
| 34 | int not_visible = 1; | ||
| 34 | for (i = 1; i <= 10; i++) { | 35 | for (i = 1; i <= 10; i++) { |
| 35 | struct stat s; | 36 | struct stat s; |
| 36 | char *fname; | 37 | char *fname; |
| @@ -45,7 +46,7 @@ void pid_test(void) { | |||
| 45 | /* coverity[toctou] */ | 46 | /* coverity[toctou] */ |
| 46 | FILE *fp = fopen(fname, "r"); | 47 | FILE *fp = fopen(fname, "r"); |
| 47 | if (!fp) { | 48 | if (!fp) { |
| 48 | fprintf(stderr, "Warning: cannot open %s\n", fname); | 49 | // fprintf(stderr, "Warning: cannot open %s\n", fname); |
| 49 | free(fname); | 50 | free(fname); |
| 50 | continue; | 51 | continue; |
| 51 | } | 52 | } |
| @@ -53,11 +54,13 @@ void pid_test(void) { | |||
| 53 | // read file | 54 | // read file |
| 54 | char buf[100]; | 55 | char buf[100]; |
| 55 | if (fgets(buf, 10, fp) == NULL) { | 56 | if (fgets(buf, 10, fp) == NULL) { |
| 56 | fprintf(stderr, "Warning: cannot read %s\n", fname); | 57 | // fprintf(stderr, "Warning: cannot read %s\n", fname); |
| 57 | fclose(fp); | 58 | fclose(fp); |
| 58 | free(fname); | 59 | free(fname); |
| 59 | continue; | 60 | continue; |
| 60 | } | 61 | } |
| 62 | not_visible = 0; | ||
| 63 | |||
| 61 | // clean /n | 64 | // clean /n |
| 62 | char *ptr; | 65 | char *ptr; |
| 63 | if ((ptr = strchr(buf, '\n')) != NULL) | 66 | if ((ptr = strchr(buf, '\n')) != NULL) |
| @@ -69,7 +72,7 @@ void pid_test(void) { | |||
| 69 | if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) { | 72 | if (strncmp(buf, kern_proc[j], strlen(kern_proc[j])) == 0) { |
| 70 | fclose(fp); | 73 | fclose(fp); |
| 71 | free(fname); | 74 | free(fname); |
| 72 | printf("BAD: Process %d, not running in a PID namespace. ", getpid()); | 75 | printf("BAD: Process %d is not running in a PID namespace. ", getpid()); |
| 73 | printf("Are you sure you're running in a sandbox?\n"); | 76 | printf("Are you sure you're running in a sandbox?\n"); |
| 74 | return; | 77 | return; |
| 75 | } | 78 | } |
| @@ -80,11 +83,19 @@ void pid_test(void) { | |||
| 80 | free(fname); | 83 | free(fname); |
| 81 | } | 84 | } |
| 82 | 85 | ||
| 83 | 86 | pid_t pid = getpid(); | |
| 84 | printf("GOOD: process %d running in a PID namespace.\n", getpid()); | 87 | if (not_visible && pid > 100) |
| 88 | printf("BAD: Process %d is not running in a PID namespace.\n", pid); | ||
| 89 | else | ||
| 90 | printf("GOOD: process %d is running in a PID namespace.\n", pid); | ||
| 85 | 91 | ||
| 86 | // try to guess the type of container/sandbox | 92 | // try to guess the type of container/sandbox |
| 87 | char *str = getenv("container"); | 93 | char *str = getenv("container"); |
| 88 | if (str) | 94 | if (str) |
| 89 | printf("INFO: container/sandbox %s.\n", str); | 95 | printf("INFO: container/sandbox %s.\n", str); |
| 96 | else { | ||
| 97 | str = getenv("SNAP"); | ||
| 98 | if (str) | ||
| 99 | printf("INFO: this is a snap package\n"); | ||
| 100 | } | ||
| 90 | } | 101 | } |